CAST Console - How to configure the AIP Console SAML session authentication time

This page provides information about configuring AIP Console to access the extension server.

For more information on the AIP Console, refer to:

Sometimes when  AIP console is configured as per : SAML authentication we may get some issues where the authentication session may time out with below error in the webi logs:

"Authentication statement is too old" error prevents users from logging into MicroStrategy using SAML after the session times out"

Users are able to log in correctly using SAML into MicroStrategy Web / Library / Mobile.

However, after a period of inactivity causing the web server session to time out, when user attempts to log into MicroStrategy again, SAML authentication fails with the following error on the interface:

"Error in login"Please contact your administrator

The interface error is generic. When reviewing the SAML log, the following error is logged during the processing of the SAML response assertion:

Caused by: org.springframework.security.authentication.CredentialsExpiredException: Authentication statement is too old to be used with value "timestamp"

 

 

Release

Yes/No

1.25.x (tick)
2.x.x (tick)

 

 

 

RDBMS

Yes/No

Oracle Server  N/A
Microsoft SQL Server N/A 
CSS3 N/A
CSS2 N/A 

 

 

This issue is happening because

the Identity Provider (IDP) is re-using information that the user has authenticated earlier (indicated by the "Authentication Instant" in the SAML response) and, by default, Spring SAML is configured to prevent users from login if the authentication instant is older than 7200 seconds.

More precisely, the web server session has expired, and therefore, the Service Provider (SP), here MicroStrategy Web / Library / Mobile, issues a new SAML authentication request and redirects the user to the IDP in order to retrieve a new SAML assertion. The IDP assertion is still valid, and therefore the IDP returns a new SAML response though with the original authentication instant - which is too old for the default configuration of Spring SAML.

As a work around Increase the maxAuthenticationAge to be equal to or larger than the assertion validity time of the IDP.  

In application-security-saml.xml, in the webSSOProfileConsumer bean, we have added maxAuthentication age to a very large value since we are not aware of the session timeout set by your IDP.
 

<bean class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl"
id="myWebSSOProfileConsumer">
<property name="maxAuthenticationAge" value="5000"/>
</bean>

 

  1. Open application-security-saml.xml from C:\ProgramData\CAST\AipConsole\AipConsole\application-security-saml.xml
  2. Find the following entry:

    <bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl"/>
    
  3. Add the maxAuthenticationAge as follows and adjust the value (seconds) to the assertion validity time of your Identity Provider:

    <bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl"> 
    <property name="maxAuthenticationAge" value="xxx"/>  
    </bean>
  4. Save the file and restart the Web server.

Try to use some value that is greater than the time your Authentication session keeps idle or continues on.

 

Ticket # 36182

 

 

 

Have more questions? Submit a request

Comments

Powered by Zendesk