
I have an ASP.NET website with two IDP servers running ThinkTecture software authenticating the users using WS-FED.

When I log in with IDP server #1, I can log in fine, the IDP issues the token to my website, I get a session token as expected and I can access the website perfectly well.

When I log in to IDP server #2, I can log in fine and the IDP redirects me back to my website, presumably with a SAML token, which it tries to convert into a session token. Unfortunately, at this point, from my website I see this error:

Specified argument was out of the range of valid values.
Parameter name: validFrom

and stack trace:

System.IdentityModel.Tokens.SessionSecurityToken..ctor(ClaimsPrincipal claimsPrincipal, UniqueId contextId, String id, String context, Byte[] key, String endpointId, Nullable`1 validFrom, Nullable`1 validTo, UniqueId keyGeneration, Nullable`1 keyEffectiveTime, Nullable`1 keyExpirationTime, SctAuthorizationPolicy sctAuthorizationPolicy, Uri securityContextSecurityTokenWrapperSecureConversationVersion) +1011230
System.IdentityModel.Tokens.SessionSecurityToken..ctor(ClaimsPrincipal claimsPrincipal, UniqueId contextId, String context, String endpointId, Nullable`1 validFrom, Nullable`1 validTo, SymmetricSecurityKey key) +317
System.IdentityModel.Tokens.SessionSecurityTokenHandler.CreateSessionSecurityToken(ClaimsPrincipal principal, String context, String endpointId, DateTime validFrom, DateTime validTo) +306
System.IdentityModel.Services.SessionAuthenticationModule.CreateSessionSecurityToken(ClaimsPrincipal principal, String context, DateTime validFrom, DateTime validTo, Boolean isPersistent) +313
System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request) +1079
System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +123940
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +165

After a period of time (approx 10 mins) I start to see this error:

ID4148: The Saml2SecurityToken is rejected because the SAML2:Assertion's NotOnOrAfter condition is not satisfied.
NotOnOrAfter: '17/07/2014 17:01:07'
Current time: '17/07/2014 17:10:08' 

I am using the sliding session code as suggested by the ThinkTecture guys:

// Global.asax.cs; PassiveModuleConfiguration comes from the
// Thinktecture.IdentityModel.Web namespace
using Thinktecture.IdentityModel.Web;

protected void Application_Start()
{
    // Re-issue the session cookie on each request so the session slides
    PassiveModuleConfiguration.EnableSlidingSessionExpirations();
}

and as I refresh the page the NotOnOrAfter just remains the same for several hours.

As one IDP server works fine and the other does not, I can only assume that the configuration on the 2nd IDP server is in some way different. The token lifetime on the 2nd IDP is set to 10 hours.

All 3 servers have the same time.

I thought the SAML assertion was set by the IDP, rather than the web server (IIS)?

Any ideas?

peter.swallow
  • IdentityServer does not create the FedAuth cookie - your app is responsible for that. The first thing I'd check is whether the clocks are synced between the machines. – leastprivilege Jul 18 '14 at 09:33
  • Yes, they are all synced. I've had that one before. Every time I refresh the page, the NotOnOrAfter never updates. Even when I clear all of my cookies in IE, I still get the same message. Is the IDP or IIS caching the token/cookie somewhere? I am using saveBootstrapContext=true. – peter.swallow Jul 18 '14 at 11:57
  • Check this commit [link](https://github.com/thinktecture/Thinktecture.IdentityServer.v2/commit/883dc01886b57a25babee9608e2ec247217bc857), may be related. – Remigijus Pankevičius Aug 26 '14 at 20:28

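For readers trying to see where a validFrom/validTo pair reaches the constructor in the stack trace, here is a hand-written sliding-session handler. It is an added example, not code from the question and not what Thinktecture's EnableSlidingSessionExpirations helper does internally (the page does not show that). It assumes the module is registered in web.config under the name SessionAuthenticationModule so that ASP.NET auto-wires the Global.asax handler by name; the renew-after-half-lifetime rule and the explicit window check are choices made here for illustration.

```csharp
// Global.asax.cs (added example). Assumes web.config registers the module as
// <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, ..." />
// so that ASP.NET wires up the method below by its ModuleName_EventName name.
using System;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;

namespace SlidingSessionExample
{
    public class Global : System.Web.HttpApplication
    {
        // Raised on every request that carries a FedAuth cookie, after the
        // cookie has been decrypted back into a SessionSecurityToken.
        void SessionAuthenticationModule_SessionSecurityTokenReceived(
            object sender, SessionSecurityTokenReceivedEventArgs e)
        {
            var sam = (SessionAuthenticationModule)sender;
            var token = e.SessionToken;
            var now = DateTime.UtcNow;

            // Keep the lifetime the session was originally issued with.
            var lifetime = token.ValidTo - token.ValidFrom;
            var halfway = token.ValidFrom + TimeSpan.FromTicks(lifetime.Ticks / 2);

            // Only renew once the session is past half its lifetime; this keeps
            // the cookie from being rewritten on every single request.
            if (now <= halfway)
            {
                return;
            }

            var validFrom = now;
            var validTo = now + lifetime;

            // The SessionSecurityToken constructor in the question's stack trace
            // rejects a validFrom it considers out of range. A window that does
            // not move forward is the obvious bad input, so refuse it here with
            // a readable message instead of letting the constructor throw.
            if (validTo <= validFrom)
            {
                throw new InvalidOperationException(
                    "Cannot renew session token: validTo (" + validTo.ToString("o") +
                    ") must be later than validFrom (" + validFrom.ToString("o") + ").");
            }

            // Same signature as the frame in the stack trace:
            // CreateSessionSecurityToken(principal, context, validFrom, validTo, isPersistent)
            e.SessionToken = sam.CreateSessionSecurityToken(
                token.ClaimsPrincipal,
                token.Context,
                validFrom,
                validTo,
                token.IsPersistent);

            // Ask the module to write the renewed token back as a fresh cookie.
            e.ReissueCookie = true;
        }
    }
}
```

The renewed token reuses the same ClaimsPrincipal, so any bootstrap token stored with it (saveBootstrapContext=true) keeps exactly the NotOnOrAfter the IdP put in the assertion; only the session cookie's own validity window slides.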