1. Home
  2. Support
Article - CS384761

Getting error "opensaml::SecurityPolicyException: Message expired, was issued too long ago" while login to Windchill PDMLink

Modified: 23-Oct-2024   


Applies To

  • FlexPLM 12.0
  • Windchill PDMLink 12.0 to 13.0
  • Shibboleth Service Provider (Shibboleth SP)

Description

  • Getting the following error while login to Windchill
  • opensaml::SecurityPolicyException at (https://xxxxx.xxxx.xxx/Shibboleth.sso/SAML2/POST)

Message expired, was issued too long ago
shibboleth.jpg
  • opensaml::SecurityPolicyException at (https://xxxxx.xxxx.xxx/Shibboleth.sso/SAML2/POST)

Message rejected, was issued in the future
SSOIssue.png
ShibbolethSP log reports the following error: 
Date && Time DEBUG OpenSAML.MessageDecoder.SAML2 [4] [default]: extracting issuer from SAML 2.0 protocol message
Date && Time DEBUG OpenSAML.MessageDecoder.SAML2 [4] [default]: message from (http://xxxxxx.xxxx.xxx/adfs/services/trust)
Date && Time DEBUG OpenSAML.MessageDecoder.SAML2 [4] [default]: searching metadata for message issuer...
Date && Time DEBUG OpenSAML.MessageDecoder.SAML2 [4] [default]: recovered request/response correlation value (_65bdb674957acc13c380be59678e2910)
Date && Time DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [4] [default]: evaluating message flow policy (correlation off, replay checking on, expiration 60)
Date && Time WARN OpenSAML.SecurityPolicyRule.MessageFlow [4] [default]: rejected not-yet-valid message, timestamp (1688537531), newest allowed (1688537524)
Date && Time WARN Shibboleth.SSO.SAML2 [4] [default]: error processing incoming assertion: Message rejected, was issued in the future.
Date && Time DEBUG Shibboleth.Listener [4] [default]: dispatching message (default/SAML2/POST)
Date && Time DEBUG OpenSAML.MessageDecoder.SAML2POST [4] [default]: validating input
Date && Time DEBUG OpenSAML.MessageDecoder.SAML2POST [4] [default]: decoded SAML message:
<samlp:Response ID="_75acc64d-eaf5-4e67-97ac-d454f1f4b7df" Version="2.0" IssueInstant="2023-07-05T06:12:11.747Z" Destination=https://xxxxxx.xxxx.xxx/Shibboleth.sso/SAML2/POST Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_65bdb674957acc13c380be59678e2910" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">......
 
This is a printer-friendly version of Article 384761 and may be out of date. For the latest version click CS384761