Univention Bugzilla – Bug 55719
python-pysaml2: wrong timeformat
Last modified: 2024-05-22 18:09:26 CEST
A customer with an external Keycloak as identity provider saw tracebacks like this when trying to log in:

  File "/usr/lib/python3/dist-packages/saml2/validate.py", line 110, in validate_before
    "<= notbefore=%s" % (now_str, slack, not_before))
saml2.validate.ToEarly: Can't use response yet: (now=2023-40-10T11:40:01Z + slack=0) <= notbefore=2023-02-10T11:40:02.147Z

The root cause was a typo in python-pysaml2: https://github.com/IdentityPython/pysaml2/commit/4f0a45c361bbd46b1f56f468d4712c0ef9797c1b

As no user was able to log in, the pain was (very) high.
Version: 5.0-7 errata1024

Error:
Traceback (most recent call last):
  File "%PY3%/tornado/web.py", line 1595, in _execute
    result = yield result
  File "%PY3%/tornado/gen.py", line 1133, in run
    value = future.result()
  File "%PY3%/univention/management/console/saml.py", line 229, in get
    await acs(binding, message, relay_state)
  File "%PY3%/univention/management/console/saml.py", line 234, in attribute_consuming_service
    response = self.parse_authn_response(message, binding)
  File "%PY3%/univention/management/console/saml.py", line 321, in parse_authn_response
    response = self.sp.parse_authn_request_response(message, binding, self.outstanding_queries)
  File "%PY3%/saml2/client_base.py", line 702, in parse_authn_request_response
    binding, **kwargs)
  File "%PY3%/saml2/entity.py", line 1170, in _parse_response
    response = response.verify(keys)
  File "%PY3%/saml2/response.py", line 1018, in verify
    if self.parse_assertion(keys):
  File "%PY3%/saml2/response.py", line 930, in parse_assertion
    if not self._assertion(assertion, False):
  File "%PY3%/saml2/response.py", line 803, in _assertion
    if not self.condition_ok():
  File "%PY3%/saml2/response.py", line 593, in condition_ok
    validate_before(conditions.not_before, self.timeslack)
  File "%PY3%/saml2/validate.py", line 110, in validate_before
    "<= notbefore=%s" % (now_str, slack, not_before))
saml2.validate.ToEarly: Can't use response yet: (now=2024-40-19T18:40:23Z + slack=0) <= notbefore=2024-04-19T18:40:37Z

Role: domaincontroller_slave
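
The timestamps in the tracebacks above, worked through as an added example that is not pysaml2 or Univention code: it re-implements a NotBefore check with a slack tolerance and formats the error once with `%M` (minutes) in the month position and once with `%m`. The `%M` format string, the `TooEarly` class, the helper names and the assumption that the service provider's clock read 2024-04-19T18:40:23Z are all hypothetical.

```python
import calendar
import time
from datetime import datetime, timezone

BAD_FMT = "%Y-%M-%dT%H:%M:%SZ"   # assumed typo: %M (minute) in the month slot
GOOD_FMT = "%Y-%m-%dT%H:%M:%SZ"  # %m is the month directive


class TooEarly(Exception):
    """Hypothetical stand-in for the ToEarly error seen in the traceback."""


def parse_saml_instant(value):
    """Parse a UTC xs:dateTime, with or without fractional seconds, to epoch."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc).timestamp()


def check_not_before(not_before, now, slack=0, fmt=GOOD_FMT):
    """Accept the assertion only if NotBefore <= now + slack (seconds)."""
    if parse_saml_instant(not_before) > now + slack:
        # The comparison above is numeric; fmt only affects the message text.
        now_str = time.strftime(fmt, time.gmtime(now))
        raise TooEarly("Can't use response yet: (now=%s + slack=%d) <= notbefore=%s"
                       % (now_str, slack, not_before))
    return True


def error_text(not_before, now, slack, fmt):
    """Return the rejection message, or None when the assertion is accepted."""
    try:
        check_not_before(not_before, now, slack, fmt)
    except TooEarly as exc:
        return str(exc)
    return None


# Constructed input: values copied from the second traceback on this page,
# with the month of "now" assumed to be 04.
NOW = calendar.timegm((2024, 4, 19, 18, 40, 23, 0, 0, 0))
NOT_BEFORE = "2024-04-19T18:40:37Z"

if __name__ == "__main__":
    print(error_text(NOT_BEFORE, NOW, 0, BAD_FMT))    # month shows as 40
    print(error_text(NOT_BEFORE, NOW, 0, GOOD_FMT))   # month shows as 04
    print(error_text(NOT_BEFORE, NOW, 60, GOOD_FMT))  # None: within 60 s slack
```

In this sketch the identity provider's NotBefore is 14 seconds ahead of the local clock, so a slack of 14 seconds or more accepts the assertion, while the format string changes only how `now` is printed.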