This page provides information about configuring AIP Console to access the extension server.
For more information on the AIP Console, refer to:
Sometimes, when AIP Console is configured as described in "SAML authentication", the authentication session may time out with the error below in the webi logs:

"Authentication statement is too old" error prevents users from logging into MicroStrategy using SAML after the session times out

Users are able to log in correctly using SAML into MicroStrategy Web / Library / Mobile. However, after a period of inactivity that causes the web server session to time out, when the user attempts to log into MicroStrategy again, SAML authentication fails with the following error on the interface:

"Error in login" Please contact your administrator

The interface error is generic. When reviewing the SAML log, the following error is logged during the processing of the SAML response assertion:

Caused by: org.springframework.security.authentication.CredentialsExpiredException: Authentication statement is too old to be used with value "timestamp"
This issue happens because the Identity Provider (IDP) re-uses the information that the user authenticated earlier (indicated by the "Authentication Instant" in the SAML response) and, by default, Spring SAML is configured to prevent users from logging in if the authentication instant is older than 7200 seconds.

More precisely, the web server session has expired, so the Service Provider (SP), here MicroStrategy Web / Library / Mobile, issues a new SAML authentication request and redirects the user to the IDP to retrieve a new SAML assertion. The IDP assertion is still valid, so the IDP returns a new SAML response, but with the original authentication instant, which is too old for the default configuration of Spring SAML.

As a workaround, increase the maximum authentication age: in application-security-saml.xml, in the webSSOProfileConsumer bean, we have added maxAuthenticationAge with a very large value, since we are not aware of the session timeout set by your IDP.

Try to use a value that is greater than the time your authentication session stays idle or remains active.
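To confirm that a rejected login matches this cause and to choose a maxAuthenticationAge value, you can compare the AuthnInstant in a decoded assertion with the configured limit. The Python check below is an added example, not code from the product or from Spring SAML; the sample assertion is constructed, and the function names and the skew_s clock-skew parameter are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

AUTHN_STATEMENT = "{urn:oasis:names:tc:SAML:2.0:assertion}AuthnStatement"
DEFAULT_MAX_AGE_S = 7200  # Spring SAML default quoted on this page

# Constructed sample assertion (trimmed to the relevant element, not from a real IdP).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:AuthnStatement AuthnInstant="2024-05-01T08:00:00Z"
                       SessionIndex="_constructed-session"/>
</saml:Assertion>
"""


def authn_instants(assertion_xml):
    """Return every AuthnInstant in the assertion as a timezone-aware UTC datetime."""
    instants = []
    for stmt in ET.fromstring(assertion_xml).iter(AUTHN_STATEMENT):
        raw = stmt.get("AuthnInstant")
        if raw is None:
            raise ValueError("AuthnStatement without AuthnInstant")
        parsed = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        if parsed.tzinfo is None:  # SAML times are UTC; treat a bare value as UTC
            parsed = parsed.replace(tzinfo=timezone.utc)
        instants.append(parsed.astimezone(timezone.utc))
    return instants


def check_age(assertion_xml, now, max_age_s=DEFAULT_MAX_AGE_S, skew_s=0):
    """Return (age_in_seconds, accepted) for the oldest AuthnInstant.

    skew_s is an assumed clock-skew allowance; future-dated instants are rejected.
    """
    instants = authn_instants(assertion_xml)
    if not instants:
        raise ValueError("assertion contains no AuthnStatement")
    age = (now - min(instants)).total_seconds()
    return age, -skew_s < age < max_age_s + skew_s


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed "current" time
    for limit in (DEFAULT_MAX_AGE_S, 28800):
        age, ok = check_age(SAMPLE_ASSERTION, now, max_age_s=limit)
        print(f"maxAuthenticationAge={limit}s age={age:.0f}s accepted={ok}")
```

A larger maxAuthenticationAge means the SP accepts assertions based on older logins, so the smallest value that still exceeds the IDP session lifetime keeps the freshness check meaningful.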
Ticket # 36182