Sudden Error | SAML Assertion expired (solved by restart)

Tech Stack

  • Docker image jboss/keycloak:9.0.0
  • Deployed in Kubernetes Cluster (AKS)
  • Connected to Windows AD FS

TL;DR: Everything was working fine until it stopped; after a reboot of the Keycloak pod everything is working just fine again.

Error Log

timestamp ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-15) Assertion expired.
timestamp WARN  [org.keycloak.events] (default task-15) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=xa_realm, clientId=null,
 userId=null, ipAddress=x.y.z.x, error=invalid_saml_response

The same error log is repeated multiple times.

Workaround that I did to get it back up:

  • kubectl delete pod X
  • After this everything is back to normal

Any idea what could be wrong?

That looks like a problem with the time sync on some side. It can be the Keycloak time, but it can also be the Windows AD FS time.


Thank you, I will check that out.

As an update:

  • I do not need to reboot anything (just refreshing the browser seems to work)

The timestamp seems to be all fine. Check both Keycloak and AD FS.

Yes that was the problem.

The Keycloak IdP settings have an “Allowed clock skew” setting that helped me solve this.
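To make the failure mode in this thread concrete, here is an added example (not code from the thread, from Keycloak, or from AD FS) that evaluates a SAML assertion's Conditions element the way a service provider does, first with no tolerance and then with an allowed clock skew. The assertion, issuer, audience and the 5 min 30 s drift between the two clocks are all constructed; the skew handling models the effect of the identity-provider "Allowed clock skew" setting and is an assumption about its semantics, not a copy of Keycloak's validator.

```python
"""Replay the 'Assertion expired' check against a constructed SAML assertion,
with and without an allowed clock skew (added example, not Keycloak code)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: a bare Assertion with a 5-minute Conditions window.
# Not a real AD FS response; issuer and audience are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion" Version="2.0" IssueInstant="2021-03-10T12:00:00.000Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2021-03-10T12:00:00.000Z"
                   NotOnOrAfter="2021-03-10T12:05:00.000Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://keycloak.example.test/auth/realms/xa_realm</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def parse_saml_instant(value):
    """Parse a SAML xs:dateTime (UTC, trailing 'Z', optional fractional seconds)."""
    if not value.endswith("Z"):
        raise ValueError("SAML instants are expected in UTC with a trailing Z: %r" % value)
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, now, allowed_clock_skew=0):
    """Evaluate <Conditions NotBefore/NotOnOrAfter> as a service provider does.

    `now` is the service provider's (here: Keycloak's) clock. `allowed_clock_skew`
    is in seconds and is applied on both sides of the window; this models the
    IdP "Allowed clock skew" setting from the thread (assumed semantics).
    Returns (accepted, reason).
    """
    root = ET.fromstring(assertion_xml)
    conditions = root.find("{%s}Conditions" % SAML_NS)
    if conditions is None:
        return False, "no Conditions element"
    skew = timedelta(seconds=allowed_clock_skew)
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before is not None and now + skew < parse_saml_instant(not_before):
        return False, "Assertion not yet valid"
    if not_on_or_after is not None and now - skew >= parse_saml_instant(not_on_or_after):
        return False, "Assertion expired"
    return True, "ok"


def scenario():
    """Constructed reproduction: AD FS issues the assertion at 12:00:00 and
    Keycloak receives it one second later, but Keycloak's clock runs
    5 min 30 s ahead of the AD FS clock."""
    issued = parse_saml_instant("2021-03-10T12:00:00Z")
    drift = timedelta(minutes=5, seconds=30)
    keycloak_now = issued + timedelta(seconds=1) + drift
    # The same assertion presented again ten minutes later (a replay attempt).
    keycloak_later = keycloak_now + timedelta(minutes=10)
    return {
        "drift_no_skew": check_conditions(SAMPLE_ASSERTION, keycloak_now),
        "drift_skew_60s": check_conditions(SAMPLE_ASSERTION, keycloak_now, 60),
        "synced_no_skew": check_conditions(SAMPLE_ASSERTION, issued + timedelta(seconds=1)),
        "replay_skew_60s": check_conditions(SAMPLE_ASSERTION, keycloak_later, 60),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenario().items():
        print("%-18s %s (%s)" % (name, "accepted" if ok else "rejected", reason))
```

The drifted clock rejects a fresh assertion with "Assertion expired", a 60-second allowance accepts it, a properly synced clock accepts it with no allowance at all, and the ten-minute-old replay is still rejected even with the allowance. That last case is the point to keep in mind: every second of allowed clock skew widens the window in which a captured assertion remains acceptable, so treat the setting as a small tolerance for residual drift and fix time synchronization (NTP on the AKS nodes and on the AD FS hosts) as the actual remedy.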