ADFS Help!
Hello.
We're working on an integration with ADFS and followed the document on developerForce to a T. We are getting some strange errors that I'm not sure how to troubleshoot. See below:
10. Checking the Recipient
Organization Id that we expected: 00DU0000000XXXX
Organization Id that we found based on your assertion: 00DU0000000XXXX
The OrgIDs above are exact matches. Not sure why this is displaying as an error.
4. Checking that the timestamps in the assertion are valid
Current time is after notOnOrAfter in Conditions
Current time is: 2012-02-16T22:00:12.184Z
Time limit in Conditions, adjusted for skew, is: 2012-02-13T22:50:15.127Z
Timestamp of the response is outside of allowed time window
Current time is: 2012-02-16T22:00:12.184Z
Timestamp is: 2012-02-13T22:42:15.125Z
Allowed skew in milliseconds is 480000
Timestamp of the assertion is outside of allowed time window
Current time is: 2012-02-16T22:00:12.184Z
Timestamp is: 2012-02-13T22:42:15.045Z
Allowed skew in milliseconds is 480000
The time on the machine is exactly the same as the time in Salesforce, at least it is on the ActiveDirectory. Where is it getting the time from here?
Is that all that was said about recipient?
In terms of the time skew, I'd ignore it. Chances are your assertion is just expired.
What error are you getting at runtime?
Wow - the current time and assertion timestamp are several days apart:
2012-02-16T22:00:12.184Z << current time
2012-02-13T22:42:15.125Z << timestamp
Which is the closest to the correct time? I notice that both are at least 10 days ago - presumably this is not a recent error?
Cheers,
Pat
Here was the entire message:
Results
Unexpected Exceptions
Ok
1. Validating the Status
Ok
2. Looking for an Authentication Statement
Ok
3. Looking for a Conditions statement
Ok
4. Checking that the timestamps in the assertion are valid
Current time is after notOnOrAfter in Conditions
Current time is: 2012-02-16T22:00:12.184Z
Time limit in Conditions, adjusted for skew, is: 2012-02-13T22:50:15.127Z
Timestamp of the response is outside of allowed time window
Current time is: 2012-02-16T22:00:12.184Z
Timestamp is: 2012-02-13T22:42:15.125Z
Allowed skew in milliseconds is 480000
Timestamp of the assertion is outside of allowed time window
Current time is: 2012-02-16T22:00:12.184Z
Timestamp is: 2012-02-13T22:42:15.045Z
Allowed skew in milliseconds is 480000
5. Checking that the Attribute namespace matches, if provided
Not Provided
6. Miscellaneous format confirmations
InResponseTo must be empty for Idp-init Browser POST Profile
7. Confirming Issuer matches
Response's issuer did not match the issuer configured in the Single Sign-On Settings page
Issuer from assertion: http://NYTBGADFSAPPD01.XXXXX.com/adfs/services/trust
Issuer from your settings: tbg-subca1
Assertion's issuer did not match the issuer configured in the Single Sign-On Settings page
Issuer from assertion: http://NYTBGADFSAPPD01.XXXXX.com/adfs/services/trust
Issuer from your settings: tbg-subca1
8. Confirming a Subject Confirmation was provided and contains valid timestamps
Ok
9. Checking that the Audience matches, if provided
Ok
10. Checking the Recipient
Organization Id that we expected: 00DU0000000XXXX
Organization Id that we found based on your assertion: 00DU0000000XXXX
11. Validating the Signature
Is the response signed? false
Is the assertion signed? true
The reference in the assertion signature is valid
Signature or certificate problems
The signature in the assertion is not valid
Is the correct certificate supplied in the keyinfo? false
12. Checking that the Site URL Attribute contains a valid site url, if provided
Not Provided
13. Looking for portal and organization id, if provided
Ok
Yes, well this is an older message but was the last troubleshooting we did together. I can't get my arms around where it's pulling the time from.
Looks like it's your Issuer that's the problem. Your SSO settings are configured differently than the issuer you're sending us.
Ignore the timestamps - you're simply comparing current server time to an old assertion, so it's naturally not good anymore.
Yup - this looks like the problem:
Issuer from assertion: http://NYTBGADFSAPPD01.XXXXX.com/adfs/services/trust
Issuer from your settings: tbg-subca1
These need to be an exact match.
Change the issuer in your org to http://NYTBGADFSAPPD01.XXXXX.com/adfs/services/trust (editing the XXXXX I presume!) and give it another try.
Thanks, Chuck!
Hi Chuck!
We are also facing the same issue, and our assertion validates all other steps, but fails only the recipient check. Here is the result from SAML Validator:
Subject: 1234567890
AssertionId: 766d8f3b-61af-4084-bdde-eb5663d9b143
As you see the org IDs are same, still the check fails? Not sure why.
Can you please give your views?
Mandeep.
I am also facing the below issue and getting the same message for SSO configuration. Any help is highly appreciated.
Unexpected Exceptions
Ok
1. Validating the Status
Ok
2. Looking for an Authentication Statement
Ok
3. Looking for a Conditions statement
Ok
4. Checking that the timestamps in the assertion are valid [PLEASE IGNORE THIS AS I RAN THE VALIDATOR MANUALLY]
Current time is after notOnOrAfter in Conditions
Current time is: 2016-02-02T16:21:17.651Z
Time limit in Conditions, adjusted for skew, is: 2016-02-02T16:16:54.000Z
Timestamp of the response is outside of allowed time window
Current time is: 2016-02-02T16:21:17.651Z
Timestamp is: 2016-02-02T16:08:54.000Z
Allowed skew in milliseconds is 480000
Timestamp of the assertion is outside of allowed time window
Current time is: 2016-02-02T16:21:17.651Z
Timestamp is: 2016-02-02T16:08:54.000Z
Allowed skew in milliseconds is 480000
5. Checking that the Attribute namespace matches, if provided
Ok
6. Miscellaneous format confirmations
InResponseTo must be empty for Idp-init Browser POST Profile
7. Confirming Issuer matches
Ok
8. Confirming a Subject Confirmation was provided and contains valid timestamps
Ok
9. Checking that the Audience matches, if provided
Ok
10. Checking the Recipient
Ok
Organization Id that we expected: 00D290000000QrH
Organization Id that we found based on your assertion: 00D290000000QrH
11. Validating the Signature
Is the response signed? false
Is the assertion signed? true
Is the correct certificate supplied in the keyinfo? false
Certificate specified in settings: CN=webgateprd.motorolasolutions.com, OU=IAM, O="Motorola Solutions, Inc.", L=Schaumburg, ST=Illinois, C=US Expiration: 13 Apr 2018 23:59:59 GMT
12. Checking that the Site URL Attribute contains a valid site url, if provided
Not Provided
13. Looking for portal and organization id, if provided
Not Provided
14. Checking if session security level is valid, if provided
Ok
Can you please let me know whether (6) or (11) errors cause intermittent error?
Thanks a lot!
Is this a known issue for Salesforce? I am also getting the same timestamp #4 and Miscellaneous format confirmations error #6. I have checked both ADFS and SSO settings and they seem perfect.
Unexpected Exceptions
Ok
1. Validating the Status
Ok
2. Looking for an Authentication Statement
Ok
3. Looking for a Conditions statement
Ok
4. Checking that the timestamps in the assertion are valid
Current time is after notOnOrAfter in Conditions
Current time is: 2016-04-28T08:10:53.776Z
Time limit in Conditions, adjusted for skew, is: 2016-04-27T15:51:39.705Z
Timestamp of the response is outside of allowed time window
Current time is: 2016-04-28T08:10:53.776Z
Timestamp is: 2016-04-27T15:43:39.705Z
Allowed skew in milliseconds is 480000
Timestamp of the assertion is outside of allowed time window
Current time is: 2016-04-28T08:10:53.776Z
Timestamp is: 2016-04-27T15:43:39.705Z
Allowed skew in milliseconds is 480000
5. Checking that the Attribute namespace matches, if provided
Not Provided
6. Miscellaneous format confirmations
InResponseTo must be empty for Idp-init Browser POST Profile
7. Confirming Issuer matches
Ok
8. Confirming a Subject Confirmation was provided and contains valid timestamps
Ok
9. Checking that the Audience matches
Ok
10. Checking the Recipient
Ok
Organization Id that we expected: 00D36000000Yrhi
Organization Id that we found based on your assertion: 00D36000000Yrhi
11. Validating the Signature
Is the response signed? false
Is the assertion signed? true
Is the correct certificate supplied in the keyinfo? true
Ok
12. Checking that the Site URL Attribute contains a valid site url, if provided
Not Provided
13. Looking for portal and organization id, if provided
Ok
14. Checking if session security level is valid, if provided
Ok
Thanks in Advance.
-Vikash Kumar
We are also getting the same error as you. The same timestamp #4 and Miscellaneous format confirmations error #6. Have you got any resolution for this?
Last recorded SAML login failure: 2017-11-17T10:29:53.769Z
Unexpected Exceptions
Ok
1. Validating the Status
Ok
2. Looking for an Authentication Statement
Ok
3. Looking for a Conditions statement
Ok
4. Checking that the timestamps in the assertion are valid
Current time is after notOnOrAfter in Conditions
Current time is: 2017-11-17T11:26:37.887Z
Time limit in Conditions, adjusted for skew, is: 2017-11-17T10:36:54.207Z
Timestamp of the response is outside of allowed time window
Current time is: 2017-11-17T11:26:37.887Z
Timestamp is: 2017-11-17T10:28:54.207Z
Allowed skew in milliseconds is 480000
Timestamp of the assertion is outside of allowed time window
Current time is: 2017-11-17T11:26:37.887Z
Timestamp is: 2017-11-17T10:28:54.207Z
Allowed skew in milliseconds is 480000
5. Checking that the Attribute namespace matches, if provided
Not Provided
6. Miscellaneous format confirmations
InResponseTo must be empty for Idp-init Browser POST Profile
7. Confirming Issuer matches
Ok
8. Confirming a Subject Confirmation was provided and contains valid timestamps
Ok
9. Checking that the Audience matches
Ok
10. Checking the Recipient
Ok
Organization Id that we expected: 00D4D0000008j6x
Organization Id that we found based on your assertion: 00D4D0000008j6x
11. Validating the Signature
Is the response signed? false
Is the assertion signed? true
Is the correct certificate supplied in the keyinfo? true
Ok
12. Checking that the Site URL Attribute contains a valid site url, if provided
Not Provided
13. Looking for portal and organization id, if provided
Ok
14. Checking if session security level is valid, if provided
Ok
Thank you,
Ramana.
The resolution for this is -
Federation ID is case sensitive with Email ID.
i.e., for example, if the email ID is like Ramana.Reddy@XXXXX.com then the Federation ID on Single Sign-On should be set up the same: Ramana.Reddy@XXXXX.com
Thank you.
Ramana.
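The three checks this thread turns on (the timestamp window with the 480000 ms skew, the exact issuer match, and the case-sensitive Federation ID), as an added example that is not part of any post and is not Salesforce's validator code. The assertion XML, the issuer and user values and the function names are constructed, and the sketch does not verify the XML signature.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SKEW = timedelta(milliseconds=480000)  # "Allowed skew" from the validator output

# Constructed sample assertion (unsigned; every value here is made up).
ISSUER = "http://adfs.example.com/adfs/services/trust"
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2012-02-13T22:42:15.045Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>Jane.Doe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2012-02-13T22:42:15.045Z"
                   NotOnOrAfter="2012-02-13T22:47:15.045Z"/>
</saml:Assertion>"""

def parse_ts(value):
    # fromisoformat() on older Pythons rejects a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(xml_text, now, expected_issuer, federation_id):
    """Return failure strings for the three checks; an empty list means pass."""
    root = ET.fromstring(xml_text)
    failures = []
    cond = root.find("saml:Conditions", NS)
    if now < parse_ts(cond.get("NotBefore")) - SKEW:
        failures.append("timestamps: assertion not yet valid")
    if now >= parse_ts(cond.get("NotOnOrAfter")) + SKEW:
        failures.append("timestamps: assertion expired")
    issuer = root.findtext("saml:Issuer", namespaces=NS).strip()
    if issuer != expected_issuer:  # exact string match, no normalisation
        failures.append("issuer: %r != configured %r" % (issuer, expected_issuer))
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS).strip()
    if name_id != federation_id:  # case-sensitive on purpose
        same_but_case = name_id.lower() == federation_id.lower()
        failures.append("subject: NameID != Federation ID"
                        + (" (differs only by case)" if same_but_case else ""))
    return failures

if __name__ == "__main__":
    fresh = datetime(2012, 2, 13, 22, 43, tzinfo=timezone.utc)
    replay = datetime(2012, 2, 16, 22, 0, 12, tzinfo=timezone.utc)
    print(check_assertion(SAMPLE, fresh, ISSUER, "Jane.Doe@example.com"))
    print(check_assertion(SAMPLE, replay, ISSUER, "Jane.Doe@example.com"))
    print(check_assertion(SAMPLE, fresh, "signing-cert-name", "jane.doe@example.com"))
```

Re-running a captured assertion days later produces only the timestamp failure, which is why the replies say to ignore it when pasting an old assertion into the validator; the issuer and subject failures are the ones that reflect configuration.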