Subject: How to resolve an issue when SAML login fails with “Error occurred while trying to login using SAML: Response has expired.” error.
Affected Versions: Artifactory 7.x
Description
When authenticating to Artifactory through SAML (for example with Okta as the identity provider), the browser shows the error "Error occurred while trying to login using SAML: Response has expired."
In the Artifactory logs, the same failure appears as an ERROR line in artifactory-service.log followed by an HTTP 400 for the SAML login response in artifactory-request.log:
2023-09-27T22:28:24.810Z [jfrt ] [ERROR] [53673276c748916d] [GetSamlLoginResponseService:65] [27.0.0.1-8081-exec-6] - Error occurred while trying to login using SAML: Response has expired.
2023-09-27T22:28:24.820Z|53673276c748916d|52.9.243.19|anonymous|POST|/api/saml/loginResponsePlatform|400|9509|0|196|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
However, these lines do not say why the response was judged to have expired, and a review of the SAML configuration (metadata, certificate, login URL) may show nothing wrong.
For a more in-depth investigation, add the following appender and logger inside the <configuration> element of the $JFROG_HOME/artifactory/var/etc/artifactory/logback.xml file:
<appender name="saml" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <File>${log.dir}/artifactory-saml.log</File>
    <rollingPolicy class="org.jfrog.common.logging.logback.rolling.FixedWindowWithDateRollingPolicy">
        <FileNamePattern>${log.dir.archived}/artifactory-saml.%i.log.gz</FileNamePattern>
        <maxIndex>10</maxIndex>
    </rollingPolicy>
    <triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy">
        <MaxFileSize>25MB</MaxFileSize>
    </triggeringPolicy>
    <encoder class="ch.qos.logback.core.encoder.LayoutWrappingEncoder">
        <layout class="org.jfrog.common.logging.logback.layout.BackTracePatternLayout">
            <pattern>%date{yyyy-MM-dd'T'HH:mm:ss.SSS, UTC}Z [jfrt ] [%-5p] [%-16X{uber-trace-id}] [%-30.30(%c{3}:%L)] [%-20.20thread] - %m%n</pattern>
        </layout>
    </encoder>
</appender>
<logger name="org.artifactory.addon.sso.saml">
    <level value="debug"/>
    <appender-ref ref="saml"/>
</logger>
No restart is necessary: Artifactory picks up the change to logback.xml automatically and starts writing a file named 'artifactory-saml.log' in the $JFROG_HOME/artifactory/var/log/ directory. Remove the logger again once the investigation is over, since it records the full decoded SAML response, including the user attributes the IdP sends.
Within 'artifactory-saml.log', a failed login attempt produces two DEBUG lines: the AuthnRequest Artifactory sent to the IdP, and the decoded Response it received back. (The thread name appears as '27.0.0.1-8081-exec-6' rather than '127.0.0.1-…' because the %-20.20thread pattern above truncates it to 20 characters.)
2023-09-27T22:28:21.602Z [jfrt ] [DEBUG] [4449388ecedfa330] [o.a.a.s.s.SamlHandlerImpl:515 ] [27.0.0.1-8081-exec-3] - XML login request '<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://art.local/artifactory/webapp/saml/loginResponse"... IssueInstant="2023-09-27T22:28:21.555Z"...
2023-09-27T22:28:24.669Z [jfrt ] [DEBUG] [53673276c748916d] [o.a.a.s.s.SamlHandlerImpl:525 ] [27.0.0.1-8081-exec-6] - Decoded login response: <?xml version="1.0" encoding="UTF-8"?><saml2p:Response Destination="https://art.local/ui/api/v1/auth/saml/loginResponse"... IssueInstant="2023-09-27T21:28:27.086Z"...
Note that the 'IssueInstant' on the decoded login response (21:28:27Z, stamped by the IdP) is approximately one hour behind the log timestamp at which Artifactory received it (22:28:24Z). The 'IssueInstant' on the AuthnRequest (22:28:21Z) is stamped by Artifactory itself and agrees with its own log clock, so the disagreement is between the Artifactory server and the IdP, not within Artifactory. A SAML response is only valid for a short window after it is issued (the NotBefore/NotOnOrAfter conditions, normally a few minutes); from Artifactory's point of view this response was issued an hour ago, so it is rejected as expired.
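The following script automates the comparison described above over artifactory-saml.log. It is an added example written for this article, not code from JFrog or Artifactory. It reads each 'Decoded login response' line, subtracts the IdP's Response IssueInstant from Artifactory's own log timestamp on that line, and flags any offset beyond a tolerance. The sample log embedded in the script is constructed: it is the four DEBUG lines quoted in this article with the XML cut down to the attributes the script reads. The 5-minute tolerance is an assumption; set it to the assertion validity window your IdP actually uses.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the four artifactory-saml.log DEBUG lines quoted in this
# article, with the XML cut down to the attributes this script reads.
SAMPLE_LOG = """\
2023-09-27T22:28:21.602Z [jfrt ] [DEBUG] [4449388ecedfa330] [o.a.a.s.s.SamlHandlerImpl:515 ] [27.0.0.1-8081-exec-3] - XML login request '<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" IssueInstant="2023-09-27T22:28:21.555Z" ...
2023-09-27T22:28:24.669Z [jfrt ] [DEBUG] [53673276c748916d] [o.a.a.s.s.SamlHandlerImpl:525 ] [27.0.0.1-8081-exec-6] - Decoded login response: <?xml version="1.0" encoding="UTF-8"?><saml2p:Response Destination="https://art.local/ui/api/v1/auth/saml/loginResponse" IssueInstant="2023-09-27T21:28:27.086Z" ...
2023-09-27T23:25:40.508Z [jfrt ] [DEBUG] [70242b69303510a9] [o.a.a.s.s.SamlHandlerImpl:515 ] [7.0.0.1-8081-exec-10] - XML login request '<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" IssueInstant="2023-09-27T23:25:40.484Z" ...
2023-09-27T23:25:51.168Z [jfrt ] [DEBUG] [62be9c079ed24167] [o.a.a.s.s.SamlHandlerImpl:525 ] [27.0.0.1-8081-exec-5] - Decoded login response: <?xml version="1.0" encoding="UTF-8"?><saml2p:Response Destination="https://art.local/ui/api/v1/auth/saml/loginResponse" IssueInstant="2023-09-27T23:25:50.203Z" ...
"""

# One artifactory-saml.log line, as laid out by the logback pattern in this article.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z) '
    r'\[jfrt \] \[(?P<level>\w+)\s*\] \[(?P<trace>[0-9a-f]+)\] '
    r'\[(?P<logger>[^\]]*)\] \[(?P<thread>[^\]]*)\] - (?P<msg>.*)$'
)
# IssueInstant of the <saml2p:Response> element itself. The lazy match takes the
# first IssueInstant after the tag name, not one on a nested <Assertion>.
RESPONSE_ISSUED_RE = re.compile(r'<saml2p:Response[^>]*?IssueInstant="([^"]+)"')


def parse_ts(value):
    """Parse the UTC timestamp format shared by the log prefix and SAML attributes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def saml_clock_skew(log_text, tolerance=timedelta(minutes=5)):
    """Return (trace_id, skew, within_tolerance) for each decoded SAML response.

    skew = Artifactory's clock when it logged the response, minus the IdP's
    IssueInstant on that response. With synchronized clocks this is just the
    browser round trip (seconds). Minutes or more, positive, means the Artifactory
    server is ahead of the IdP, which is the failure described in this article.
    The AuthnRequest's IssueInstant is stamped by Artifactory itself, so it is
    deliberately ignored: it cannot reveal skew against the IdP.
    'tolerance' is an assumed threshold; use your IdP's assertion validity window.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("msg").startswith("Decoded login response"):
            continue
        issued = RESPONSE_ISSUED_RE.search(m.group("msg"))
        if not issued:
            continue
        skew = parse_ts(m.group("ts")) - parse_ts(issued.group(1))
        findings.append((m.group("trace"), skew, abs(skew) <= tolerance))
    return findings


def report(log_text):
    """Human-readable summary, one line per SAML response found in the log."""
    lines = []
    for trace, skew, ok in saml_clock_skew(log_text):
        verdict = "ok" if ok else "CLOCK SKEW: check NTP on the Artifactory host"
        lines.append(f"{trace} artifactory-minus-idp={skew.total_seconds():+.3f}s {verdict}")
    return lines


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open(".../artifactory-saml.log").read() on a real host.
    print("\n".join(report(SAMPLE_LOG)))
```

On the sample, the failing attempt (trace 53673276c748916d) reports an offset of +3597.583 s, the successful one (62be9c079ed24167) +0.965 s. A large negative offset would mean the Artifactory clock is behind the IdP; that also breaks validation (the assertion is not yet valid), so treat any offset of minutes as a clock problem regardless of sign.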
Resolution
Verify the current time on the Artifactory server and make sure it is synchronized with an accurate source. Compare the server's clock (for example, the output of 'date -u') against an NTP (Network Time Protocol) server, and check that a time-synchronization service is running and actually in sync (for example, 'timedatectl', 'chronyc tracking' or 'ntpq -p', depending on the distribution). The same check applies to every node in an HA cluster and to the host running the IdP. Do not work around the error by loosening response validation: the short validity window on a SAML response is what limits replay of a captured assertion, so the fix is to correct the clock. In the above example, the Artifactory server time was 1 hour ahead of the actual time, which caused the response from the SAML server to be treated as expired. After the clock was corrected, the same flow succeeded, and the AuthnRequest IssueInstant, the Response IssueInstant and Artifactory's own log timestamps agree to within a second:
2023-09-27T23:25:40.508Z [jfrt ] [DEBUG] [70242b69303510a9] [o.a.a.s.s.SamlHandlerImpl:515 ] [7.0.0.1-8081-exec-10] - XML login request '<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://art.local/artifactory/webapp/saml/loginResponse" … IssueInstant="2023-09-27T23:25:40.484Z"...
2023-09-27T23:25:51.168Z [jfrt ] [DEBUG] [62be9c079ed24167] [o.a.a.s.s.SamlHandlerImpl:525 ] [27.0.0.1-8081-exec-5] - Decoded login response: <?xml version="1.0" encoding="UTF-8"?><saml2p:Response Destination="https://art.local/ui/api/v1/auth/saml/loginResponse"... IssueInstant="2023-09-27T23:25:50.203Z"...
2023-09-27T23:25:51.267Z|62be9c079ed24167|52.9.243.19|anonymous|POST|/api/saml/loginResponsePlatform|302|9509|0|114|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
2023-09-27T23:25:51.290Z|62be9c079ed24167|52.9.243.19|inhoc@jfrog.com|GET|/api/auth/current|200|-1|0|8|JFrog-Frontend/1.68.6
2023-09-27T23:25:51.307Z|62be9c079ed24167|52.9.243.19|inhoc@jfrog.com|GET|/ui/auth/issaml|200|-1|0|8|JFrog-Frontend/1.68.6
2023-09-27T23:25:51.325Z|62be9c079ed24167|52.9.243.19|inhoc@jfrog.com|GET|/api/auth/current|200|-1|0|13|JFrog-Frontend/1.68.6
2023-09-27T23:25:51.381Z|62be9c079ed24167|52.9.243.19|jffe@01hbcevrgtj0mk08ft889009wa|POST|/api/auth/loginRelatedData|200|46|0|30|JFrog-Frontend/1.68.6