SAML Authentication Error: Access Denied

If you’re using SAML authentication with Arcadia, you may see an Access Denied error for one of a few reasons:


(1) Your user has not been permitted access to the application by the Identity Provider (IDP).

It’s always good to check with the administration or platform team whether your user is a member of the access group that your IDP checks against before permitting access to the Arcadia application.

(2) There’s a server level issue causing an error while getting the SAML assertions.

This is an edge case, but it’s possible that the server running Arcadia and the IDP/SSO server it communicates with have clocks that are out of sync. The SAML assertion in the response carries a validity window, given by the NotBefore and NotOnOrAfter attributes of its Conditions element, outside of which the assertion must not be used:

<saml2:Subject><saml2:Conditions NotBefore="2019-03-04T16:04:30.547Z" NotOnOrAfter="2019-03-04T16:09:30.547Z">

If your server’s clock falls outside that window, you get a ToEarly error, which forces the authentication process to fail:

saml2.validate.ToEarly: Can't use response yet: (now=2019-03-04T16:03:28Z + slack=0) <= notbefore=2019-03-04T16:04:30.547Z

To work around this, set the accepted_time_diff option, which adds a buffer (in seconds) on either side of the window to accommodate the clock difference between the servers.

Below is an example of how this setting appears in your Arcadia SAML configuration template:

SAML_CONFIG = {
    # this block states what services we provide
    'service': {
        # we are just a lonely SP
        'sp': {
            # ...
        },
        # ...
    },
    'accepted_time_diff': 60,  # provide 60 seconds of slack
}
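The following is an added example, not Arcadia’s or pysaml2’s own code. It parses the NotBefore/NotOnOrAfter window from a constructed assertion fragment (the Assertion wrapper and NameID value are made up; the window is the one quoted above), applies the kind of check the ToEarly message describes (now plus slack compared with NotBefore), and measures how much slack the failing case actually needs. The result strings reuse pysaml2’s exception names; the exact boundary handling is this example’s own, following the SAML rule that the NotOnOrAfter instant itself is already invalid.

```python
"""Check a SAML Conditions window with accepted_time_diff-style slack.

Added example, not Arcadia's or pysaml2's own code. It reproduces the
ToEarly case from the log line in the post offline and reports the
observed clock skew so accepted_time_diff can be sized from evidence.
"""
from datetime import datetime, timedelta, timezone
from typing import Tuple
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed assertion fragment carrying the window quoted in the post.
ASSERTION_XML = """\
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject><saml2:NameID>user@example.com</saml2:NameID></saml2:Subject>
  <saml2:Conditions NotBefore="2019-03-04T16:04:30.547Z"
                    NotOnOrAfter="2019-03-04T16:09:30.547Z"/>
</saml2:Assertion>
"""


def parse_saml_time(value: str) -> datetime:
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC timestamp ending in Z: {value!r}")
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def conditions_window(assertion_xml: str) -> Tuple[datetime, datetime]:
    """Return (NotBefore, NotOnOrAfter) from the assertion's Conditions element."""
    root = ET.fromstring(assertion_xml)
    cond = root.find(f"{{{SAML2_NS}}}Conditions")
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise ValueError("assertion lacks a Conditions element with both bounds")
    return parse_saml_time(cond.get("NotBefore")), parse_saml_time(cond.get("NotOnOrAfter"))


def check_window(now: datetime, not_before: datetime, not_on_or_after: datetime,
                 accepted_time_diff: int = 0) -> str:
    """Classify the local clock reading against the window widened by the slack.

    Returns "ok", "ToEarly" or "ResponseLifetimeExceed" (pysaml2's exception
    names). The NotOnOrAfter instant itself counts as already expired.
    """
    slack = timedelta(seconds=accepted_time_diff)
    if not_before > now + slack:
        return "ToEarly"
    if now >= not_on_or_after + slack:
        return "ResponseLifetimeExceed"
    return "ok"


def check_assertion(now_str: str, accepted_time_diff: int = 0,
                    assertion_xml: str = ASSERTION_XML) -> str:
    """Convenience wrapper taking the local clock reading as a SAML timestamp."""
    not_before, not_on_or_after = conditions_window(assertion_xml)
    return check_window(parse_saml_time(now_str), not_before, not_on_or_after,
                        accepted_time_diff)


def required_slack_seconds(now_str: str, assertion_xml: str = ASSERTION_XML) -> float:
    """Seconds of slack the ToEarly case needs, i.e. the observed clock skew."""
    not_before, _ = conditions_window(assertion_xml)
    return max(0.0, (not_before - parse_saml_time(now_str)).total_seconds())


if __name__ == "__main__":
    # The "now" from the ToEarly message in the post, with increasing slack.
    for slack in (0, 60, 120):
        print(f"slack={slack:>3}s -> {check_assertion('2019-03-04T16:03:28Z', slack)}")
    print(f"observed skew: {required_slack_seconds('2019-03-04T16:03:28Z'):.3f}s")
```

Run against the timestamps from the error message above, the check still reports ToEarly with 60 seconds of slack, because the Arcadia clock was 62.547 seconds behind the IDP’s NotBefore; only a larger value passes. Two practical points follow: size accepted_time_diff from the skew you actually observe in the error, and keep it small, since the slack also extends the period during which an already-issued assertion remains acceptable. Syncing both servers to the same NTP source removes the skew itself and lets the buffer stay minimal.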