  1. Hue (READ ONLY)
  2. HUE-9493

[libsaml] allow accepted_time_diff configure for pysaml

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.8.0
    • Fix Version/s: 4.9.0
    • Component/s: core.api
    • Labels:
      None
    • Environment:

      SAML enabled Hue server

      Description

      Problem statement: I have a cluster where my IDP server and Hue server have a time difference of milliseconds, and because of this, when I try to log in via SAML, I sometimes get this error:

       

      [06/Oct/2020 15:00:14 +0000] response     ERROR    Exception on conditions: Can't use it yet 1601989214 <= 1601989220
      [06/Oct/2020 15:00:14 +0000] client_base  ERROR    XML parse error: Can't use it yet 1601989214 <= 1601989220
      [06/Oct/2020 15:00:14 +0000] views        ERROR    Error processing SAML Assertion.
      .
      .
      .
      File "/opt/cloudera/parcels/CDH-5.16.2-1.cdh5.16.2.p0.8/lib/hue/build/env/lib/python2.7/site-packages/pysaml2-4.4.0-py2.7.egg/saml2/validate.py", line 105, in validate_before
       raise ToEarly("Can't use it yet %d <= %d" % (now + slack, nbefore))
      ToEarly: Can't use it yet 1601989214 <= 1601989220

      The issue is as described in https://medium.com/@PrakhashS/saml-assertion-condition-notbefore-notonorafter-problem-due-to-unsynced-clocks-explained-90455bc8822f.

      Pysaml allows configuring an accepted_time_diff (https://pysaml2.readthedocs.io/en/latest/howto/config.html#accepted-time-diff) to tackle this.

      I want this value to be configured from hue.ini.
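
Added example (not code from Hue or pysaml2): a stand-alone sketch of the NotBefore / NotOnOrAfter window check with a clock-skew allowance in seconds, replaying the two epoch values from the log above. The function names, the NotOnOrAfter value, the five-minute validity window and the assumption that the logged `now + slack` was computed with zero slack are all constructed for illustration; the last two cases show that the slack which admits the early assertion also keeps an expired one acceptable for longer.

```python
import calendar
from datetime import datetime


class TooEarly(Exception):
    pass


class Expired(Exception):
    pass


def to_epoch(instant):
    """Convert a UTC SAML instant such as '2020-10-06T13:00:20Z' to epoch seconds."""
    return calendar.timegm(datetime.strptime(instant, "%Y-%m-%dT%H:%M:%SZ").timetuple())


def check_conditions(not_before, not_on_or_after, now, slack=0):
    """Accept only if NotBefore - slack <= now < NotOnOrAfter + slack (seconds)."""
    nbefore, nooa = to_epoch(not_before), to_epoch(not_on_or_after)
    if nbefore > now + slack:
        # Same comparison and message shape as the traceback in the report.
        raise TooEarly("Can't use it yet %d <= %d" % (now + slack, nbefore))
    if now >= nooa + slack:
        raise Expired("Assertion expired %d >= %d" % (now, nooa + slack))
    return True


def verdict(now, slack):
    """Classify the constructed assertion for a given SP clock and slack."""
    try:
        check_conditions(NOT_BEFORE, NOT_ON_OR_AFTER, now, slack)
        return "accepted"
    except TooEarly:
        return "too early"
    except Expired:
        return "expired"


# Constructed sample assertion window (only the NotBefore epoch comes from the log).
NOT_BEFORE = "2020-10-06T13:00:20Z"       # 1601989220, the right-hand value in the log
NOT_ON_OR_AFTER = "2020-10-06T13:05:20Z"  # assumed five-minute validity window
SP_NOW = 1601989214                       # left-hand value in the log, assuming slack was 0

if __name__ == "__main__":
    for slack in (0, 5, 6, 60):
        print("slack=%2ds at SP_NOW      -> %s" % (slack, verdict(SP_NOW, slack)))
    for slack in (0, 60):
        late = to_epoch(NOT_ON_OR_AFTER) + 30  # 30 s past expiry on the SP clock
        print("slack=%2ds 30s after end -> %s" % (slack, verdict(late, slack)))
```
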

       

            People

            • Assignee:
              asnaik Akhil S Naik
              Reporter:
              asnaik Akhil S Naik