Okta / Spring Boot SAML application enters an infinite loop

Time: 2018-05-15 14:36:28

Tags: java spring spring-boot spring-saml okta

I followed this guide:

https://dzone.com/articles/get-started-with-spring-boot-saml-and-okta

At first everything worked fine. But then the application entered an infinite loop: in the browser's address bar it redirects to Okta's login page and back again. When I cleared my browsing data in Chrome by deleting the cookies, everything started working normally again. But sometimes the infinite loop comes back. Here is part of the exception:

2018-05-15 20:16:23.027  INFO 11136 --- [nio-8443-exec-1] o.s.security.saml.log.SAMLDefaultLogger  : AuthNResponse;FAILURE;0:0:0:0:0:0:0:1;https://localhost:8443/saml/metadata;http://www.okta.com/exkezd0f1qtnMMYy90h7;;;org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:229)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)

...

Caused by: org.springframework.security.authentication.CredentialsExpiredException: Authentication statement is too old to be used with value 2018-05-15T11:46:27.900Z
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAuthenticationStatement(WebSSOProfileConsumerImpl.java:538)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:306)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:214)
... 64 more

Please help!

1 answer:

Answer 0 (score: 0)

It looks like your server clock is 8.5 hours ahead of UTC, and somewhere in the failing code there appears to be a check that assumes you are in UTC, so the token is already 8.5 hours old and gets rejected. But the IdP thinks you are already logged in and have a session, so it comes back every time with a new statement, and the SP rejects it again and again. Correct the clock / work out what the problem is. Does this happen if the system is correctly configured for a different time zone?
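The following is an added example, not code from the question, the answer, or the Spring Security SAML extension itself. It re-creates the freshness rule behind the logged `CredentialsExpiredException` ("Authentication statement is too old to be used"): the assertion's `AuthnInstant` must not be older than `maxAuthenticationAge`, allowing `responseSkew` for clock differences (7200 s and 60 s are the extension's defaults). It then models the redirect loop the answer describes, in which the IdP keeps answering from its existing session. The timestamps are constructed from the two values in the question's log: the `AuthnInstant` `2018-05-15T11:46:27.900Z` and the SP log time `20:16:23.027`, which the answer reads as a clock 8.5 hours ahead of UTC; the function and variable names are this example's own.

```python
"""Freshness check for a SAML authentication statement, plus a model of the
SP/IdP redirect loop. Added example; not Spring SAML source code."""
from datetime import datetime, timedelta, timezone

# Defaults of the Spring Security SAML extension's WebSSOProfileConsumerImpl.
MAX_AUTHENTICATION_AGE = 7200  # seconds an AuthnInstant may lie in the past
RESPONSE_SKEW = 60             # seconds of tolerated clock difference
UTC = timezone.utc


def parse_instant(value: str) -> datetime:
    """Parse a SAML xs:dateTime such as 2018-05-15T11:46:27.900Z (always UTC)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=UTC)


def check_authn_statement(authn_instant: datetime, sp_now: datetime,
                          max_age: int = MAX_AUTHENTICATION_AGE,
                          skew: int = RESPONSE_SKEW) -> str:
    """Return 'ok', 'too old' or 'in future' for the statement's AuthnInstant.

    'too old' is the case logged in the question. 'in future' is the mirror
    case (SP clock behind the IdP); the skew window covers small differences
    in both directions, but not a clock that is hours off.
    """
    age = (sp_now - authn_instant).total_seconds()
    if age > max_age + skew:
        return "too old"
    if age < -skew:
        return "in future"
    return "ok"


def authn_statement_is_fresh(authn_instant: datetime, sp_now: datetime) -> bool:
    return check_authn_statement(authn_instant, sp_now) == "ok"


def simulate_sso_loop(session_authn_instant: datetime, sp_now: datetime,
                      idp_now: datetime, force_authn: bool = False,
                      max_rounds: int = 5) -> int:
    """Model the loop from the question and return the number of rejections.

    The IdP already holds a session, so each SP-initiated login normally
    returns an assertion with the session's original AuthnInstant and no
    prompt. With force_authn the IdP re-authenticates and stamps the
    statement with its current time instead. The result equals max_rounds
    when the SP never accepts a response (the loop does not end by itself).
    """
    rejected = 0
    for _ in range(max_rounds):
        instant = idp_now if force_authn else session_authn_instant
        if authn_statement_is_fresh(instant, sp_now):
            break
        rejected += 1                   # SP rejects and redirects to the IdP
        sp_now += timedelta(seconds=1)  # one round trip later
        idp_now += timedelta(seconds=1)
    return rejected


# Constructed from the question's log lines.
AUTHN_INSTANT = parse_instant("2018-05-15T11:46:27.900Z")
# SP log time taken as the SP's idea of UTC, i.e. the skewed clock.
SP_NOW_SKEWED = datetime(2018, 5, 15, 20, 16, 23, 27000, tzinfo=UTC)
# The same moment with the 8.5-hour offset from the answer removed.
SP_NOW_CORRECTED = SP_NOW_SKEWED - timedelta(hours=8, minutes=30)

if __name__ == "__main__":
    print("skewed clock:   ", check_authn_statement(AUTHN_INSTANT, SP_NOW_SKEWED))
    print("corrected clock:", check_authn_statement(AUTHN_INSTANT, SP_NOW_CORRECTED))
    # ForceAuthn alone does not help while the clocks disagree by hours.
    print("loop, ForceAuthn, skewed clock:",
          simulate_sso_loop(AUTHN_INSTANT, SP_NOW_SKEWED, SP_NOW_CORRECTED, force_authn=True))
    print("loop, corrected clock:",
          simulate_sso_loop(AUTHN_INSTANT, SP_NOW_CORRECTED, SP_NOW_CORRECTED))
```

Two things fall out of running it. With the skewed clock the statement is about 8.5 hours old and is rejected on every round, and asking the IdP to re-authenticate (ForceAuthn) changes nothing, because the fresh timestamp is still hours away from the SP's clock; only correcting the clock (or the time zone configuration that produces it) ends the loop. With correct clocks, the same loop still appears whenever the IdP session is older than `maxAuthenticationAge`, and there ForceAuthn or a larger `maxAuthenticationAge` is the fix, which is also why clearing cookies, and so the IdP session, made the question's application work again for a while.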