Signature validation errors when using SAML Authentication with Azure SSO

Still need help?

The Atlassian Community is here for you.

Ask the community

Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.

Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Users are unable to login in Confluence when using SAML configuration against Azure SSO

Please, review carefully our KB How to integrate Confluence Data Center with Azure for SAML 2.0 SSO to ensure the configuration is correct before moving further with this document

Environment

Confluence 7.19.X or Confluence 8.X

Diagnosis

When enabled DEBUG level for the classes below: 

  • com.onelogin.saml2
  • com.atlassian.plugins.authentication

The following signature validation errors can be found in the atlassian-confluence.log  files: 

2023-11-21 16:00:54,050 ERROR [http-nio-8090-exec-4 url: /plugins/servlet/saml/auth] [microsoft.saml.operations.SAMLResponseProcessor] processSAMLResponse MS_DEBUG LOG : samlResponse in Xml String format :<samlp:Response ID=\"_b40ee515-dafb-4f98-b9d1-0c3cd7669dc3\" Version=\"2.0\" IssueInstant=\"2023-11-21T13:00:53.880Z\" Destination=\"https://CONFLUENCE_URL/plugins/servlet/saml/auth\" InResponseTo=\"MSSSO_fd1ee8e3-a3c0-4bbc-a0a5-49f282c93382\" xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"><Issuer xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\">https://sts.windows.net/1a578556-a789-4135-ac78-506d6b3abe05/</Issuer><samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></samlp:Status><Assertion ID=\"_11e6e716-acf1-46f1-8e65-40b5eab8ff00\" IssueInstant=\"2023-11-21T13:00:53.877Z\" Version=\"2.0\" xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\"><Issuer>https://sts.windows.net/1a578556-a789-4135-ac78-506d6b3abe05/</Issuer>...
...
...
..

2023-11-21 16:00:54,051 ERROR [http-nio-8090-exec-4 url: /plugins/servlet/saml/auth] [microsoft.saml.operations.SAMLResponseProcessor] validateResponseExpiry MS_ERROR : nbAttribute: NotBefore=\"2023-11-21T13:00:53.880Z\"
 -- url: /plugins/servlet/saml/auth | userName: anonymous | referer: https://login.microsoftonline.com/ | traceId: cef0346862151876

2023-11-21 16:00:54,064 ERROR [http-nio-8090-exec-4 url: /plugins/servlet/saml/auth] [microsoft.saml.util.SignatureValidator] validate MS_INFO : SignatureValidator started to validate signature tags
 -- url: /plugins/servlet/saml/auth | userName: anonymous | referer: https://login.microsoftonline.com/ | traceId: cef0346862151876

2023-11-21 16:00:54,066 ERROR [http-nio-8090-exec-4 url: /plugins/servlet/saml/auth] [microsoft.saml.util.SignatureValidator] validate MS_INFO : SignatureValidator Completed  validation of signature tags

If you captured the SAML response with the SAML Chrome Panel, you can observe that indeed the NotBefore and NotOnOrAfter attributes are in an interval 3 hours behind the actual request in the Confluence side: 


...
<Conditions NotBefore="2023-11-21T13:00:53.880Z" NotOnOrAfter="2023-11-21T14:05:53.880Z">
   <AudienceRestriction>
    <Audience>https://CONFLUENCE_URL/</Audience>
   </AudienceRestriction>
</Conditions>
...

Cause

When the IdP (Azure SSO) creates a request with a specific timestamp and the SP servers (Confluence) clock is slower or faster than the IdP clock, the response will contain a NotBefore or NotOnOrAfter time stamp that will fit into the SP clock. Hence, when the assertion occurs in the SP with the SAML response, it will check if it did not expired and it is valid. 


From Microsoft documentation "Single sign-on SAML protocol", it seems this is set as follows: 

The NotBefore and NotOnOrAfter attributes specify the interval during which the assertion is valid.

  • The value of the NotBefore attribute is equal to or slightly (less than a second) later than the value of IssueInstant attribute of the Assertion element. Microsoft Entra ID does not account for any time difference between itself and the cloud service (service provider), and does not add any buffer to this time.
  • The value of the NotOnOrAfter attribute is 70 minutes later than the value of the NotBefore attribute.

Solution

If Microsoft does not allow to tune these attributes (NotBefore and NotOnOrAfter), please check other alternatives such as: 

  1. Ensure that IdP (Microsoft) is in the same timezone as your Confluence instance.
  2. If yourAzure and Confluence servers are not in sync, when they should, please check your NTP servers and related configuration.
  3. Consider to configure an additional parameter called NotBeforeSkew that allows a little clock skew to account for small clock drifts.


Last modified on Dec 20, 2023

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.