Authentication Statement is Too Old to be Used Error Occurs During SSO Login When Engine Configured in Data Control Tower (formerly Central Management) (KBA6966)

Issue

Engines configured in Data Control Tower (DCT), formerly Central Management, are defaulted to SSO authentication, which is handled using Delphix IDP as an intermediary (SP broker).  In the process of accessing an Engine configured in DCT, the following error may be encountered (date and times indicated will vary based on when the issue is observed):

Error 
Status 
400 BAD_REQUEST 
Error 
Bad Request 
Message 
Validation Errors: 1. Authentication statement is too old to be used with value: '2021-01-21T14:05:50.227Z' current time: '2021-01-21T18:10:11.006Z'

In this condition, the user will not be able to directly access the Engines, though the dataservices.delphix.com interface will continue to function as expected.

Applicable Delphix Versions

Click here to view the versions of the Delphix engine to which this article applies

Major Release	All Sub Releases
6.0	6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1, 6.0.4.0, 6.0.4.1, 6.0.4.2, 6.0.5.0, 6.0.6.0
5.3	5.3.5.0 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0

Resolution

The behavior discussed here ultimately occurs as a result of the frequency of user activity.  In the Delphix IdP, a session timeout of 4 hours is configured, which is expected to accommodate the majority of use cases.  When this session timeout expires, the user is required to login to dataservices.delphix.com again which creates a new authentication statement and session time.

If a given user is continually active in DCT and the 4-hour session timeout never lapses, the current clock time vs. session start time will exceed four hours, and the error will be encountered.  

If encountered, this issue can be resolved by explicitly logging out of Data Control Tower by clicking the username in upper right-hand corner, then selecting Sign Out.

Example: