How to resolve SAML login error with “Error occurred while trying to login using SAML: Response has expired.”

Author: Ino Choi
Article number: 000005879
Source type: Salesforce
First published: 2023-09-28T08:26:20Z
Last modified: 2023-10-03T11:52:50Z
Version: 5

Subject: How to resolve an issue when SAML login fails with “Error occurred while trying to login using SAML: Response has expired.” error.

Affected Versions: Artifactory 7.x

Description

When authenticating with Artifactory using SAML (e.g., Okta), you may encounter a “Response has expired” error in your web browser.

In the Artifactory logs, you might come across the following error message:
2023-09-27T22:28:24.810Z [jfrt ] [ERROR] [53673276c748916d] [GetSamlLoginResponseService:65] [27.0.0.1-8081-exec-6] - Error occurred while trying to login using SAML: Response has expired.
2023-09-27T22:28:24.820Z|53673276c748916d|52.9.243.19|anonymous|POST|/api/saml/loginResponsePlatform|400|9509|0|196|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36

However, this message does not say why the response was considered expired, and a review of the SAML configuration may show that everything appears to be valid.

For a more in-depth investigation, you can add the following debug logger to the $JFROG_HOME/artifactory/var/etc/artifactory/logback.xml file:
<appender name="saml" class="ch.qos.logback.core.rolling.RollingFileAppender">
  <File>${log.dir}/artifactory-saml.log</File>
  <rollingPolicy class="org.jfrog.common.logging.logback.rolling.FixedWindowWithDateRollingPolicy">
    <FileNamePattern>${log.dir.archived}/artifactory-saml.%i.log.gz</FileNamePattern>
    <maxIndex>10</maxIndex>
  </rollingPolicy>
  <triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy">
    <MaxFileSize>25MB</MaxFileSize>
  </triggeringPolicy>
  <encoder class="ch.qos.logback.core.encoder.LayoutWrappingEncoder">
    <layout class="org.jfrog.common.logging.logback.layout.BackTracePatternLayout">
      <pattern>%date{yyyy-MM-dd'T'HH:mm:ss.SSS, UTC}Z [jfrt ] [%-5p] [%-16X{uber-trace-id}] [%-30.30(%c{3}:%L)] [%-20.20thread] - %m%n</pattern>
    </layout>
  </encoder>
</appender>

<logger name="org.artifactory.addon.sso.saml">
  <level value="debug"/>
  <appender-ref ref="saml"/>
</logger>

No restart is necessary. The logger writes to a file named 'artifactory-saml.log' in the $JFROG_HOME/artifactory/var/log/ directory.

Within the 'artifactory-saml.log' file, you can find the following information:
2023-09-27T22:28:21.602Z [jfrt ] [DEBUG] [4449388ecedfa330] [o.a.a.s.s.SamlHandlerImpl:515 ] [27.0.0.1-8081-exec-3] - XML login request '<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://art.local/artifactory/webapp/saml/loginResponse"... IssueInstant="2023-09-27T22:28:21.555Z"...

2023-09-27T22:28:24.669Z [jfrt ] [DEBUG] [53673276c748916d] [o.a.a.s.s.SamlHandlerImpl:525 ] [27.0.0.1-8081-exec-6] - Decoded login response: <?xml version="1.0" encoding="UTF-8"?><saml2p:Response Destination="https://art.local/ui/api/v1/auth/saml/loginResponse"... IssueInstant="2023-09-27T21:28:27.086Z"...

Note that the 'IssueInstant' timestamp in the decoded login response (21:28:27Z) is approximately 1 hour behind the time at which Artifactory logged it (22:28:24Z).
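The comparison above can be automated. The following is an added example, not JFrog code: it scans artifactory-saml.log text for "Decoded login response" lines and reports the gap between the log timestamp and the response's IssueInstant. The sample lines are constructed from the excerpts in this article, and the 300-second tolerance is an assumed threshold, not Artifactory's actual validity window.

```python
import re
from datetime import datetime, timezone

# Constructed sample, modelled on the artifactory-saml.log excerpts in this article
# (attributes elided with "..." as in the article).
SAMPLE_LOG = """\
2023-09-27T22:28:21.602Z [jfrt ] [DEBUG] [4449388ecedfa330] [o.a.a.s.s.SamlHandlerImpl:515 ] [27.0.0.1-8081-exec-3] - XML login request '<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"... IssueInstant="2023-09-27T22:28:21.555Z"...
2023-09-27T22:28:24.669Z [jfrt ] [DEBUG] [53673276c748916d] [o.a.a.s.s.SamlHandlerImpl:525 ] [27.0.0.1-8081-exec-6] - Decoded login response: <?xml version="1.0" encoding="UTF-8"?><saml2p:Response Destination="https://art.local/ui/api/v1/auth/saml/loginResponse"... IssueInstant="2023-09-27T21:28:27.086Z"...
2023-09-27T23:25:51.168Z [jfrt ] [DEBUG] [62be9c079ed24167] [o.a.a.s.s.SamlHandlerImpl:525 ] [27.0.0.1-8081-exec-5] - Decoded login response: <?xml version="1.0" encoding="UTF-8"?><saml2p:Response Destination="https://art.local/ui/api/v1/auth/saml/loginResponse"... IssueInstant="2023-09-27T23:25:50.203Z"...
"""

# Log timestamp, 16-hex trace id, and the IssueInstant of the <saml2p:Response>
# element itself ([^>]*? keeps the match inside that opening tag).
LINE_RE = re.compile(
    r'^(?P<logged>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{3}Z) .*?\[(?P<trace>[0-9a-f]{16})\s*\]'
    r'.*Decoded login response: .*?<saml2p:Response\b[^>]*?IssueInstant="(?P<issued>[^"]+)"'
)


def parse_utc(ts):
    """Parse an ISO 8601 UTC timestamp, with or without fractional seconds."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def find_skew(log_text, tolerance_s=300):
    """Return (trace_id, skew_seconds, suspicious) per decoded SAML response.

    skew_seconds > 0 means the Artifactory log time is later than the IdP's
    IssueInstant; tolerance_s is an assumed threshold for flagging.
    """
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # AuthnRequest lines and unrelated entries are skipped
        skew = (parse_utc(m["logged"]) - parse_utc(m["issued"])).total_seconds()
        results.append((m["trace"], skew, abs(skew) > tolerance_s))
    return results


if __name__ == "__main__":
    for trace, skew, suspicious in find_skew(SAMPLE_LOG):
        flag = "CLOCK SKEW?" if suspicious else "ok"
        print(f"trace={trace} skew={skew:+.3f}s {flag}")
```

The trace id in each result matches the trace id column of the request log, so a flagged response can be tied to the corresponding 400 on /api/saml/loginResponsePlatform.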

Resolution


Verify the current time on the Artifactory server and ensure that it is accurate. You can do this by comparing the server's time against an NTP (Network Time Protocol) server, which also keeps the clock precisely synchronized. In the above example, the Artifactory server's clock was 1 hour ahead of the actual time, which caused the response from the SAML server to expire.

Once the server time has been synchronized, the issue will be resolved, and the logs show a successful login:
2023-09-27T23:25:40.508Z [jfrt ] [DEBUG] [70242b69303510a9] [o.a.a.s.s.SamlHandlerImpl:515 ] [7.0.0.1-8081-exec-10] - XML login request '<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://art.local/artifactory/webapp/saml/loginResponse" … IssueInstant="2023-09-27T23:25:40.484Z"...

2023-09-27T23:25:51.168Z [jfrt ] [DEBUG] [62be9c079ed24167] [o.a.a.s.s.SamlHandlerImpl:525 ] [27.0.0.1-8081-exec-5] - Decoded login response: <?xml version="1.0" encoding="UTF-8"?><saml2p:Response Destination="https://art.local/ui/api/v1/auth/saml/loginResponse"... IssueInstant="2023-09-27T23:25:50.203Z"...

2023-09-27T23:25:51.267Z|62be9c079ed24167|52.9.243.19|anonymous|POST|/api/saml/loginResponsePlatform|302|9509|0|114|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
2023-09-27T23:25:51.290Z|62be9c079ed24167|52.9.243.19|inhoc@jfrog.com|GET|/api/auth/current|200|-1|0|8|JFrog-Frontend/1.68.6
2023-09-27T23:25:51.307Z|62be9c079ed24167|52.9.243.19|inhoc@jfrog.com|GET|/ui/auth/issaml|200|-1|0|8|JFrog-Frontend/1.68.6
2023-09-27T23:25:51.325Z|62be9c079ed24167|52.9.243.19|inhoc@jfrog.com|GET|/api/auth/current|200|-1|0|13|JFrog-Frontend/1.68.6
2023-09-27T23:25:51.381Z|62be9c079ed24167|52.9.243.19|jffe@01hbcevrgtj0mk08ft889009wa|POST|/api/auth/loginRelatedData|200|46|0|30|JFrog-Frontend/1.68.6