"Received an assertion that is valid in the future. Check clock synchronization on IdP and SP"

I am using https://simplesamlphp.org/ in my application. In most cases, this is normal and there is no problem. In other cases, I get the following:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 ssoclient/www/module.php:180 (N/A)
Caused by: SimpleSAML_Error_Exception: Received an assertion that is valid in the future. Check clock synchronization on IdP and SP.
Backtrace:
3 ssoclient/modules/saml/lib/Message.php:565 (sspmod_saml_Message::processAssertion)
2 ssoclient/modules/saml/lib/Message.php:523 (sspmod_saml_Message::processResponse)
1 ssoclient/modules/saml/www/sp/saml2-acs.php:75 (require)
0 ssoclient/www/module.php:135 (N/A)

Why does this happen and how can I solve it? Do I need to change the system time? (I'm on Debian).

+8
php simplesamlphp
2 answers

The "problem" is known - see here - and boils down to improper clock synchronization between the service provider and the identity provider.

They are probably now within 60 seconds, so from time to time they drop out of the synchronization boundary.

You can fix this:

  • (best) synchronization of both systems with the same known time base via ntpd.
  • subordinating one of the two systems' clocks to the other.

There are also more creative options, for example:

These two “solutions” are subject to errors and “missed” problems (that is, the clock does not move gradually from WRONG_TIME to CORRECT_TIME; it is set directly to the “correct” value). This may also have other unpleasant effects depending on other conditions / software.

Finally, you can modify modules/saml/lib/Message.php and increase the time delta, even if it’s “documenting the problem”, assuming that there is some process that can keep both systems no more than 60" apart (there are some timekeeping schemes, not ntpd-based, that could do this).

+6
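The check behind this error, as an added example that is not part of the original answers and is not SimpleSAMLphp's own code: a PHP diagnostic that reads an assertion's Conditions window, compares it with the SP clock under a given tolerance, and shows that widening the tolerance lets the same assertion through without fixing the clocks. The function names, the sample assertion and its timestamps are constructed for illustration; the 60-second default follows the figure mentioned in the answer above.

```php
<?php
declare(strict_types=1);
// Added diagnostic, not SimpleSAMLphp code; all names here are hypothetical.
// It inspects the time window only and does NOT verify the assertion signature.

function parseInstant(string $value): ?int
{
    // SAML instants are ISO 8601 UTC, e.g. 2024-05-01T10:01:10Z.
    return $value === '' ? null : (new DateTimeImmutable($value))->getTimestamp();
}

function checkValidityWindow(string $xml, int $now, int $allowedSkew = 60): array
{
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch external resources while parsing untrusted XML.
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        throw new InvalidArgumentException('Assertion is not well-formed XML');
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion');
    $cond = $xp->query('//saml:Assertion/saml:Conditions')->item(0);
    if (!$cond instanceof DOMElement) {
        throw new InvalidArgumentException('No saml:Conditions element found');
    }
    $notBefore    = parseInstant($cond->getAttribute('NotBefore'));
    $notOnOrAfter = parseInstant($cond->getAttribute('NotOnOrAfter'));
    if ($notBefore !== null && $notBefore > $now + $allowedSkew) {
        $status = 'valid-in-future';   // the condition behind the error above
    } elseif ($notOnOrAfter !== null && $notOnOrAfter <= $now - $allowedSkew) {
        $status = 'expired';
    } else {
        $status = 'ok';
    }
    // Positive value: NotBefore is ahead of the SP clock by that many seconds.
    $lead = $notBefore === null ? null : $notBefore - $now;
    return ['status' => $status, 'notBeforeLeadSeconds' => $lead];
}

// Constructed sample: NotBefore is 70 s ahead of the (constructed) SP time.
$sample = <<<XML
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2024-05-01T10:01:10Z" NotOnOrAfter="2024-05-01T10:06:10Z"/>
</saml:Assertion>
XML;
$spNow = (new DateTimeImmutable('2024-05-01T10:00:00Z'))->getTimestamp();
foreach ([60, 120] as $skew) {
    $r = checkValidityWindow($sample, $spNow, $skew);
    printf("skew=%ds status=%s lead=%ds\n", $skew, $r['status'], $r['notBeforeLeadSeconds']);
}
```

The reported lead is the number to watch: a value that hovers near the tolerance matches the intermittent failures described in the question.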

For me, this seems like a time issue; most likely it is a wrong synchronization.

There is a tool (as well as a daemon) that can keep track of the time for you, ntp, so you can always stay synchronized. Install it and configure the daemon; I think it can solve your problem.

+2