Skip to main content
Delphix

SSO User Login Fails With "Authentication statement is too old to be used with value" and Indicates a Date in the Past (KBA8861)

 

KBA

KBA# 8861

 

Issue

In SSO configurations, a user attempting to login to a Delphix Engine may encounter errors similar to the following:

Error: Validation Errors: 1. Authentication statement is too old to be used with value: '2021-11-30T14:41:33.250Z' current time: '2022-01-28T14:04:43.569Z'

Where the value indicated is significantly behind the current time

Attempts to login again may result in the same error, with the same value returned.

 

Prerequisites

This issue only occurs when SSO is enabled.

Applicable Delphix Versions

Click here to view the versions of the Delphix engine to which this article applies
Major Release All Sub Releases
6.0 6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1, 6.0.4.0, 6.0.4.1, 6.0.4.2, 6.0.5.0, 6.0.6.0, 6.0.6.1, 6.0.7.0, 6.0.8.0, 6.0.8.1, 6.0.9.0, 6.0.10.0, 6.0.10.1, 6.0.11.0, 6.0.12.0, 6.0.12.1, 6.0.13.0

5.3

5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0

Resolution

Ultimately, the behavior encountered is a byproduct of the configured Identity Provider (IdP) and not under Delphix control.

An Authentication statement includes an AuthnInstant timestamp which specifies the time at which the authentication took place.

SSO Engine logins require an (AuthnInstant) received from the configured IdP that falls within the configured maximum age of IdP authentication (default one day). 

When an older Authentication statement / AuthnInstant is received by the Engine and that timestamp does not change through several attempts, it can indicate that the IdP does not have an implicit logout (based on time, etc), or that the user has not been explicitly logged out in some time. 

Although other internal applications may accept this, the Delphix Engine is configured to reject these logins (consider the instance that a given user authentication from November, such as the example above is no longer valid as that employee role has changed and should no longer have access).

In the instance that this error is encountered, the user should explicitly log out of their IdP, then attempt login again. This will cause the AuthnInstant date to be updated to the current date/time of login, and Engine access will then be granted.

If desired, in the System Setup application it is possible to adjust the maximum age of IdP Authentication.  The default is 86,400 seconds (one day).  This value is found under the Advanced drop-down under the Authentication panel interface.

Auth1.png

Auth2.png

As the configuration of this value is ultimately a security concern, Delphix recommends that system administrators discuss this parameter with their Security teams to ensure consistent application behavior and compliance with expected security policies.

 

 


Related Articles

The following articles may provide more information or related information to this article: