This issue happens because the Identity Provider (IDP) re-uses the user's earlier authentication (indicated by the "Authentication Instant", the AuthnInstant attribute in the SAML response), while by default Spring SAML is configured to reject a login if the authentication instant is older than 7200 seconds.
More precisely, the web server session has expired, so the Service Provider (SP), here MicroStrategy Web / Library / Mobile, issues a new SAML authentication request and redirects the user to the IDP to obtain a new SAML assertion. The IDP session is still valid, so the IDP returns a new SAML response, but with the original authentication instant, which is too old for the default Spring SAML configuration.
As a workaround, increase maxAuthenticationAge so that it is equal to or larger than the assertion validity time of the IDP.
In application-security-saml.xml, in the webSSOprofileConsumer bean, we have set maxAuthenticationAge to a large value, since we do not know the session timeout configured at your IDP:
<property name="maxAuthenticationAge" value="5000"/>
- Open application-security-saml.xml from C:\ProgramData\CAST\AipConsole\AipConsole\application-security-saml.xml
- Find the following entry:
<bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl"/>
- Add the maxAuthenticationAge property as follows and adjust the value (in seconds) to the assertion validity time of your Identity Provider:
<bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl">
    <property name="maxAuthenticationAge" value="xxx"/>
</bean>
- Save the file and restart the Web server.
Use a value greater than the lifetime of your IDP authentication session, whether that lifetime is an idle timeout or an absolute one.
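To see the rejection described above and check what maxAuthenticationAge value would be needed, the following added example (not code from the page, from Spring SAML, MicroStrategy or CAST) reads the AuthnInstant from a constructed SAML response and applies a simplified model of Spring SAML's check: the AuthnInstant may be at most maxAuthenticationAge seconds (plus an assumed responseSkew clock-skew allowance, default 60 seconds) in the past. The sample response, its issuer name and timestamps are constructed; the SessionNotOnOrAfter attribute is used to derive the IDP session lifetime, which is the lower bound the page says the value should meet.

```python
"""Simplified model of Spring SAML's maxAuthenticationAge check (added example)."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a minimal SAML Response in which the IDP re-used an existing
# session, so AuthnInstant is 3 hours older than the response's IssueInstant.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.invalid</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2024-01-01T09:00:00Z"
        SessionNotOnOrAfter="2024-01-01T17:00:00Z" SessionIndex="_s1">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """SAML dateTime values are UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def authn_statement(response_xml):
    """Return the first saml:AuthnStatement element of the response."""
    root = ET.fromstring(response_xml)
    stmt = root.find(".//saml:AuthnStatement", NS)
    if stmt is None:
        raise ValueError("no AuthnStatement in response")
    return stmt


def authentication_age_seconds(response_xml, now):
    """Seconds elapsed between the AuthnInstant and 'now'."""
    stmt = authn_statement(response_xml)
    return int((now - parse_saml_time(stmt.get("AuthnInstant"))).total_seconds())


def check_max_authentication_age(response_xml, now, max_authentication_age=7200, response_skew=60):
    """Return (accepted, age_seconds).

    Assumed model of Spring SAML's check: the AuthnInstant is accepted while it is no
    more than maxAuthenticationAge + responseSkew seconds in the past. 7200 is the
    default the page names; 60 s responseSkew is an assumed default.
    """
    age = authentication_age_seconds(response_xml, now)
    return age <= max_authentication_age + response_skew, age


def idp_session_lifetime_seconds(response_xml):
    """IDP session lifetime advertised in the assertion (SessionNotOnOrAfter - AuthnInstant).

    This is the lower bound for the maxAuthenticationAge value to configure; None if
    the IDP did not include SessionNotOnOrAfter.
    """
    stmt = authn_statement(response_xml)
    not_after = stmt.get("SessionNotOnOrAfter")
    if not_after is None:
        return None
    return int((parse_saml_time(not_after) - parse_saml_time(stmt.get("AuthnInstant"))).total_seconds())


if __name__ == "__main__":
    now = parse_saml_time("2024-01-01T12:00:00Z")
    accepted, age = check_max_authentication_age(SAMPLE_RESPONSE, now)
    print(f"AuthnInstant age = {age}s; accepted with default 7200 s: {accepted}")
    lifetime = idp_session_lifetime_seconds(SAMPLE_RESPONSE)
    accepted, _ = check_max_authentication_age(SAMPLE_RESPONSE, now, max_authentication_age=lifetime)
    print(f"IDP session lifetime = {lifetime}s; accepted with that value: {accepted}")
```

With the sample, the AuthnInstant is 10800 seconds old, so the default of 7200 rejects it, while a maxAuthenticationAge of at least the advertised session lifetime (28800 seconds) accepts it. When your IDP does not send SessionNotOnOrAfter, take the session lifetime from the IDP's own configuration instead.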