Lately, we've seen a lot of failures with Azure ACS in various test and PROD environments where WSFed token validation (omniauth callback) has failed because of the Created_At validation (validating the token was not issued in the "future"). There were observed discrepancies of as much as 10 seconds between the Created_At attribute of AuthN tokens and the DateTime.now.utc value on our web servers. This was only observed in scenarios using Azure ACS as a federation provider, but I'm assuming that it has or will happen in other scenarios / environments as well.
To resolve the issue, I'm going to remove the Created_At validation entirely (AuthCallbackValidator) as this was a fairly aggressive validation that doesn't make a lot of sense in environments where server times are not synchronized.
If anyone has any additional feedback on this issue, I would appreciate it.
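The failure described in the issue above, as an added example that is not part of the original issue or the project's code: a created-at check run strictly and then with a bounded clock-skew allowance. The class name `CreatedAtCheck`, the `max_skew` parameter, the 30-second allowance and all timestamps are assumptions constructed for illustration.

```ruby
require 'time'

# Hypothetical check, not the project's AuthCallbackValidator.
class CreatedAtCheck
  # max_skew: seconds a token's creation time may run ahead of the local clock.
  def initialize(max_skew: 0)
    @max_skew = max_skew
  end

  # created_at: xs:dateTime string taken from the token.
  # now: the validating server's clock, in UTC.
  # Returns :ok, :issued_in_future or :malformed.
  def call(created_at, now: Time.now.utc)
    issued = Time.iso8601(created_at.to_s).utc # normalise any offset to UTC
    return :issued_in_future if issued - now > @max_skew
    :ok
  rescue ArgumentError
    :malformed # unparseable timestamps are rejected, never treated as valid
  end
end

# Constructed sample data: the web server's clock and four token timestamps.
SERVER_NOW = Time.utc(2013, 5, 1, 12, 0, 0)
SAMPLES = {
  issuer_10s_ahead: '2013-05-01T12:00:10Z',      # the skew reported in the issue
  same_instant_offset: '2013-05-01T14:00:10+02:00',
  issuer_5min_ahead: '2013-05-01T12:05:00Z',     # beyond any sane skew allowance
  garbage: 'not-a-timestamp'
}.freeze

# Runs every sample through a check with the given allowance.
def evaluate(max_skew)
  check = CreatedAtCheck.new(max_skew: max_skew)
  SAMPLES.transform_values { |ts| check.call(ts, now: SERVER_NOW) }
end

if $PROGRAM_NAME == __FILE__
  puts "strict:   #{evaluate(0)}"
  puts "30s skew: #{evaluate(30)}"
end
```

With a zero allowance the 10-second discrepancy is rejected; with a bounded allowance it passes while a token stamped minutes ahead is still refused.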