{"id":10663,"date":"2017-12-02T08:00:29","date_gmt":"2017-12-02T07:00:29","guid":{"rendered":"https:\/\/www.dbi-services.com\/blog\/weblogic-ssoatnatz-403-forbidden-a-first-issue\/"},"modified":"2017-12-02T08:00:29","modified_gmt":"2017-12-02T07:00:29","slug":"weblogic-ssoatnatz-403-forbidden-a-first-issue","status":"publish","type":"post","link":"https:\/\/www.dbi-services.com\/blog\/weblogic-ssoatnatz-403-forbidden-a-first-issue\/","title":{"rendered":"WebLogic – SSO\/Atn\/Atz – 403 Forbidden, a first issue"},"content":{"rendered":"

In a previous blog<\/a>, I explained how it was possible to enable the SSO\/Atn\/Atz (SSO\/Authentication\/Authorization) debug logs in order to troubleshoot an issue. In this blog, I will show the logs generated by an issue that I had to deal with last month at one of our customers. This issue will probably not occur very often but it is a pretty funny one so I wanted to share it!<\/p>\n

So the issue I will talk about in this blog happened on an environment that is configured with a SAML2 SSO. With a fully working SAML2 SSO, the WebLogic hosting the application is supposed to redirect the end-user to the IdP Partner (with a SAML2 request) which process it and then redirect the end-user again to the WebLogic (with the SAML2 response) which process the response and finally grant access to the Application. On this issue, both redirections were apparently happening properly but then for an unknown reason the WebLogic Server was blocking the access to the application with a “403 – Forbidden” message.<\/p>\n

Obviously the first thing I did is to enable the debug logs and then I replicated the issue. These are the logs that I could see on the Managed Server log file:<\/p>\n

<Nov 12, 2017 12:23:41 PM UTC> <Debug> <SecuritySAML2Service> <SAML2Servlet: Processing request on URI '\/saml2\/sp\/acs\/post'>\n<Nov 12, 2017 12:23:41 PM UTC> <Debug> <SecuritySAML2Service> <getServiceTypeFromURI(): request URI is '\/saml2\/sp\/acs\/post'>\n<Nov 12, 2017 12:23:41 PM UTC> <Debug> <SecuritySAML2Service> <getServiceTypeFromURI(): service URI is '\/sp\/acs\/post'>\n<Nov 12, 2017 12:23:41 PM UTC> <Debug> <SecuritySAML2Service> <getServiceTypeFromURI(): returning service type 'ACS'>\n<Nov 12, 2017 12:23:41 PM UTC> <Debug> <SecuritySAML2Service> <Assertion consumer service: processing>\n<Nov 12, 2017 12:23:41 PM UTC> <Debug> <SecuritySAML2Service> <get SAMLResponse from http request:PBvbnNSJ1cXMlFtZzaXM6bmHhtbG5zm46NhwOlJlOnNhbWxHbWxIb2Fc3wP6dGM6\nU0FiB4bWxuczp4NTAwPSJ1cm46b2FzNTDoyLjA6YXNzZXJ0aW9uIaXM6bmFtZXM6\nU0FdG9jb2wiIHhtbG5zOmRzaWc9Imh0dHA6Ly93NTDoyLjA6cHJvd3cudzMub3Jn\naHR0cDoa5vcmcvMjAwMS9W5zdGFuY2vL3d3dy53MyYTUxTY2hlbWEtUiIERlc3Rp\nMWNxM2FjNzI1ZDjYmIVhNDM1Zlzc3VlSW5zdGFudD0ijhlNjc3OTkiIEMjAxNy0x\nLzINpZyMiIHhtwMDAvMDkveG1sZHbG5DovL3d3dy53My5vczOmVuYz0iaHR0cmcv\nMMS8wNC94bWxjAwlbmWxuczpzYW1sPMjIiB4bSJ1aXM6bmFtZXM6dcm46b2FzGM6\ndGdXRlOM6U0FNZXM6YXR0cmliTDoyLjAAiIHhtbG5zOnhzaT6cHJvZmlslg1MD0i\nbmF0aW9JodHRwczovL5ldS5uPSub3Zhc3BoY2hicy1DIyMinRpcyzdDIyM5uZXQ6\nODA4NSMvcG9zdCI9zYW1sMi9zcC3SUhwRHRuN3I1WH9hY3gSUQ9ImlkLUhhTTFha\nZ3hBiIEmVzcWW5URXhybHJlG9uc2VUbz0RVFGbWt1VkRaNC0iXzB4ZluUGM1Mjk2\nMS0xNw6SXNzdWjo0OTFZlcnNpVyIEZvo1MloiIlQxMb249IjIuMCI+PHNhbWcm1h\n...\nLTExIgTDEyPSIyMDE3LFjQ525PcLTE2VETExLTOk2VDOjUyWimdGVym90TEyOjU0\nOjUyWiI+PHNh8c2FtbDpBdWRpZW5bWw6QXVkabj4jWVuY2VSZXN0cmljdGlvZT5T\nc3NGVkVHJhb3b3JkUHJvdG1sOkF1dGhuQ29udGV4VjdnNwb3J0PC9zYWdENsYXNz\nQXV0aG5gQXV0TdGF0LTExLTE2VDEaG5JZW1lbnQSIyMDE3bnN0YW50PyOjQ5OjUy\naEV25PcVucnhPSIyMDE3LTExEZmZ2IiBkFmdGVyLTEJWTTZXNzaW9uTm90T2VDEz\nWivUWuZGV4PSJpZC13UlVMWGRYOXd6xWzc2lvbklRThFZDJwRDdIgU2VR210OUc0\ndWJXYSUQ8L3NhRE1PQ19XlfREVWTQU1MMl9FbnbWw6QXVkaWVuY2U+RpdHlfPC9z\nYWRpb24+P1sOkF1ZGllbHJpY3mPHNhNlUmVzdC9zYW1sOkNvbmRpdGlvbnM+bWw6\nYXNzUzpjbYW1YXNpczpuIuMlmVmPnVybjpvDphYxzp0YzpTQU1MOjGFzc2VzOlBh\nOjAXh0Pj0OjUyWiI+PHNsOkF1dGhuQhxzYW129udGV4bWw6QXV0aG5Db250ZdENs\nUmVnRlepBdXRobkNvbzYWmPjwvc2FtbDF1dGhuU1sOkHQ+PC93RhdGVtZW50Pjwv\nc2F9zY25zZtbDpBcW1scDpSZXNwb3NlcnRpb24+PCT4=\n>\n<Nov 12, 2017 12:23:41 PM UTC> <Debug> <SecuritySAML2Service> <BASE64 decoded saml message:<samlp:Response xmlns_samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns_dsig=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#\" xmlns_enc=\"http:\/\/www.w3.org\/2001\/04\/xmlenc#\" xmlns_saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" xmlns_x500=\"urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500\" xmlns_xsi=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\" Destination=\"https:\/\/weblogic_server_01\/saml2\/sp\/acs\/post\" ID=\"id-HpDtn7r5XxxAQFYnwSLXZmkuVgIHTExrlreEDZ4-\" InResponseTo=\"_0x7258edc52961ccbd5a435fb13ac67799\" IssueInstant=\"2017-11-12T12:23:42Z\" Version=\"2.0\"><saml:Issuer Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">https:\/\/idp_partner_01\/fed\/idp<\/saml:Issuer><dsig:Signature><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm=\"http:\/\/www.w3.org\/2001\/10\/xml-exc-c14n#\"\/><dsig:SignatureMethod Algorithm=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#rsa-sha1\"\/><dsig:Reference URI=\"#id-HpDtn7r5XxxAQFYnwSLXZmkuVgIHTExrlreEDZ4-\"><dsig:Transforms><dsig:Transform Algorithm=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#enveloped-signature\"\/><dsig:Transform Algorithm=\"http:\/\/www.w3.org\/2001\/10\/xml-exc-c14n#\"\/><\/dsig:Transforms><dsig:DigestMethod Algorithm=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#sha1\"\/><dsig:DigestValue>YGtUZvsfo3z51AsBo7UDhbd6Ts=<\/dsig:DigestValue><\/dsig:Reference><\/dsig:SignedInfo><dsig:SignatureValue>al8sJwbqzjh1qgM3Sj0QrX1aZjwyI...JB6l4jmj91BdQrYQ7VxFzvNLczZ2brJSdLLig==<\/dsig:SignatureValue><dsig:KeyInfo><dsig:X509Data><dsig:X509Certificate>MIwDQUg+nhYqGZ7pCgBQAwTTELMAkGA1UEBhMCQk1ZhQ...aATPRCd113tVqsvCkUwpfQ5zyUHaKw4FkXmiT2nzxxHA==<\/dsig:X509Certificate><\/dsig:X509Data><\/dsig:KeyInfo><\/dsig:Signature><samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"\/><\/samlp:Status><saml:Assertion ID=\"id-0WrMNbOz6wsuZdFPhfjnw7WIXXQ6k89-1AgHZ9Oi\" IssueInstant=\"2017-11-12T12:23:42Z\" Version=\"2.0\"><saml:Issuer Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">https:\/\/idp_partner_01\/fed\/idp<\/saml:Issuer><dsig:Signature><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm=\"http:\/\/www.w3.org\/2001\/10\/xml-exc-c14n#\"\/><dsig:SignatureMethod Algorithm=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#rsa-sha1\"\/><dsig:Reference URI=\"#id-0WrMNbOz6wsuZdFPhfjnw7WIXXQ6k89-1AgHZ9Oi\"><dsig:Transforms><dsig:Transform Algorithm=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#enveloped-signature\"\/><dsig:Transform Algorithm=\"http:\/\/www.w3.org\/2001\/10\/xml-exc-c14n#\"\/><\/dsig:Transforms><dsig:DigestMethod Algorithm=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#sha1\"\/><dsig:DigestValue>7+jZtq8SpY3BKVaFjIFeEJm51cA=<\/dsig:DigestValue><\/dsig:Reference><\/dsig:SignedInfo><dsig:SignatureValue>GIlXt4B4rVFoDJRxidpZO73gXB68Dd+mcpoV9DKrjBBjLRz...zGTDcEYY2MG8FgtarZhVQGc4zxkkSg8GRT6Wng3NEuTUuA==<\/dsig:SignatureValue><dsig:KeyInfo><dsig:X509Data><dsig:X509Certificate>MIwDQUg+nhYqGZ7pCgBQAwTTELMAkGA1UEBhMCQk1ZhQ...aATPRCd113tVqsvCkUwpfQ5zyUHaKw4FkXmiT2nzxxHA==<\/dsig:X509Certificate><\/dsig:X509Data><\/dsig:KeyInfo><\/dsig:Signature><saml:Subject><saml:NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\">PATOU_MORGAN<\/saml:NameID><saml:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><saml:SubjectConfirmationData InResponseTo=\"_0x7258edc52961ccbd5a435fb13ac67799\" NotOnOrAfter=\"2017-11-12T12:28:42Z\" Recipient=\"https:\/\/weblogic_server_01\/saml2\/sp\/acs\/post\"\/><\/saml:SubjectConfirmation><\/saml:Subject><saml:Conditions NotBefore=\"2017-11-12T12:23:42Z\" NotOnOrAfter=\"2017-11-12T12:28:42Z\"><saml:AudienceRestriction><saml:Audience>SAML2_Entity_ID_01<\/saml:Audience><\/saml:AudienceRestriction><\/saml:Conditions><saml:AuthnStatement AuthnInstant=\"2017-11-12T12:23:42Z\" SessionIndex=\"id-oX9wXdpGmt9GQlVffvY4hEIRULEd25nrxDzE8D7w\" SessionNotOnOrAfter=\"2017-11-12T12:38:42Z\"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport<\/saml:AuthnContextClassRef><\/saml:AuthnContext><\/saml:AuthnStatement><\/saml:Assertion><\/samlp:Response>>\n<Nov 12, 2017 12:23:41 PM UTC> <Debug> <SecuritySAML2Service> <<samlp:Response> is signed.>\n<Nov 12, 2017 12:23:41 PM UTC> <Debug> <SecurityAtn> <com.bea.common.security.internal.service.IdentityAssertionServiceImpl.assertIdentity(SAML2.Assertion.DOM)>\n<Nov 12, 2017 12:23:41 PM UTC> <Debug> <SecurityAtn> <com.bea.common.security.internal.service.IdentityAssertionTokenServiceImpl.assertIdentity(SAML2.Assertion.DOM)>\n<Nov 12, 2017 12:23:41 PM UTC> <Debug> <SecuritySAML2Atn> <SAML2IdentityAsserterProvider: start assert SAML2 token>\n<Nov 12, 2017 12:23:41 PM UTC> <Debug> <SecuritySAML2Atn> <SAML2IdentityAsserterProvider: SAML2IdentityAsserter: tokenType is 'SAML2.Assertion.DOM'>\n<Nov 12, 2017 12:23:41 PM UTC> <Debug> <SecuritySAML2Atn> <SAML2Assert: Start verify assertion signature>\n<Nov 12, 2017 12:23:41 PM UTC> <Debug> <SecuritySAML2Atn> <SAML2Assert: The assertion is signed.>\n<Nov 12, 2017 12:23:41 PM UTC> <Debug> <SecuritySAML2Atn> <SAML2Assert: End verify assertion signature>\n<Nov 12, 2017 12:23:41 PM UTC> <Debug> <SecuritySAML2Atn> <SAML2Assert: Start verify assertion attributes>\n<Nov 12, 2017 12:23:41 PM UTC> <Debug> <SecuritySAML2Atn> <SAML2Assert: End verify assertion attributes>\n<Nov 12, 2017 12:23:41 PM UTC> <Debug> <SecuritySAML2Atn> <SAML2Assert: Start verify assertion issuer>\n<Nov 12, 2017 12:23:41 PM UTC> <Debug> <SecuritySAML2Atn> <SAML2Assert: End verify assertion issuer>\n<Nov 12, 2017 12:23:41 PM UTC> <Debug> <SecuritySAML2Atn> <SAML2Assert: Start verify assertion conditions>\n<Nov 12, 2017 12:23:41 PM UTC> <Debug> <SecurityAtn> <com.bea.common.security.internal.service.IdentityAssertionTokenServiceImpl.assertIdentity - IdentityAssertionException>\n<Nov 12, 2017 12:23:41 PM UTC> <Debug> <SecuritySAML2Service> <[Security:090377]Identity Assertion Failed, weblogic.security.spi.IdentityAssertionException: [Security:090377]Identity Assertion Failed, weblogic.security.spi.IdentityAssertionException: [Security:096537]Assertion is not yet valid (NotBefore condition).>\n<Nov 12, 2017 12:23:41 PM UTC> <Debug> <SecuritySAML2Service> <exception info\njavax.security.auth.login.LoginException: [Security:090377]Identity Assertion Failed, weblogic.security.spi.IdentityAssertionException: [Security:090377]Identity Assertion Failed, weblogic.security.spi.IdentityAssertionException: [Security:096537]Assertion is not yet valid (NotBefore condition).\n        at com.bea.common.security.internal.service.IdentityAssertionServiceImpl.assertIdentity(IdentityAssertionServiceImpl.java:89)\n        at sun.reflect.GeneratedMethodAccessor1410.invoke(Unknown Source)\n        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n        at java.lang.reflect.Method.invoke(Method.java:498)\n        at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:64)\n\t\t...\n><\/pre>\n
 <\/p>\n
I cut some of the strings above (like all signatures, the SSL Certificates, aso…) because it was really too big and it is not really important. What is important above is the java exception. Indeed, the Identity Assertion failed because of the following: ‘Assertion is not yet valid (NotBefore condition)’. This message might seems a little bit mystical but it actually points you right to the issue: the ‘NotBefore’ condition is causing the validation to fail.<\/p>\n
So why is that? Well when you have a SAML2 SSO like I said above, you first have a request and then a response. For security reasons, there are some conditions that apply on them and that need to be fulfilled for the SSO to be working. To understand that a little bit better, I took the decoded SAML2 response from the logs above (line 32) and I reformatted it into an XML format so it is more readable:<\/p>\n
<samlp:Response xmlns_samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns_dsig=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#\" xmlns_enc=\"http:\/\/www.w3.org\/2001\/04\/xmlenc#\" xmlns_saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" xmlns_x500=\"urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500\" xmlns_xsi=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\" Destination=\"https:\/\/weblogic_server_01\/saml2\/sp\/acs\/post\" ID=\"id-HpDtn7r5XxxAQFYnwSLXZmkuVgIHTExrlreEDZ4-\" InResponseTo=\"_0x7258edc52961ccbd5a435fb13ac67799\" IssueInstant=\"2017-11-12T12:23:42Z\" Version=\"2.0\">\n\t<saml:Issuer Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">https:\/\/idp_partner_01\/fed\/idp<\/saml:Issuer>\n\t<dsig:Signature>\n\t\t<dsig:SignedInfo>\n\t\t\t<dsig:CanonicalizationMethod Algorithm=\"http:\/\/www.w3.org\/2001\/10\/xml-exc-c14n#\"\/>\n\t\t\t<dsig:SignatureMethod Algorithm=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#rsa-sha1\"\/>\n\t\t\t<dsig:Reference URI=\"#id-HpDtn7r5XxxAQFYnwSLXZmkuVgIHTExrlreEDZ4-\">\n\t\t\t\t<dsig:Transforms>\n\t\t\t\t\t<dsig:Transform Algorithm=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#enveloped-signature\"\/>\n\t\t\t\t\t<dsig:Transform Algorithm=\"http:\/\/www.w3.org\/2001\/10\/xml-exc-c14n#\"\/>\n\t\t\t\t<\/dsig:Transforms>\n\t\t\t\t<dsig:DigestMethod Algorithm=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#sha1\"\/>\n\t\t\t\t<dsig:DigestValue>YGtUZvsfo3z51AsBo7UDhbd6Ts=<\/dsig:DigestValue>\n\t\t\t<\/dsig:Reference>\n\t\t<\/dsig:SignedInfo>\n\t\t<dsig:SignatureValue>al8sJwbqzjh1qgM3Sj0QrX1aZjwyI...JB6l4jmj91BdQrYQ7VxFzvNLczZ2brJSdLLig==<\/dsig:SignatureValue>\n\t\t<dsig:KeyInfo>\n\t\t\t<dsig:X509Data>\n\t\t\t\t<dsig:X509Certificate>MIwDQUg+nhYqGZ7pCgBQAwTTELMAkGA1UEBhMCQk1ZhQ...aATPRCd113tVqsvCkUwpfQ5zyUHaKw4FkXmiT2nzxxHA==<\/dsig:X509Certificate>\n\t\t\t<\/dsig:X509Data>\n\t\t<\/dsig:KeyInfo>\n\t<\/dsig:Signature>\n\t<samlp:Status>\n\t\t<samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"\/>\n\t<\/samlp:Status>\n\t<saml:Assertion ID=\"id-0WrMNbOz6wsuZdFPhfjnw7WIXXQ6k89-1AgHZ9Oi\" IssueInstant=\"2017-11-12T12:23:42Z\" Version=\"2.0\">\n\t\t<saml:Issuer Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">https:\/\/idp_partner_01\/fed\/idp<\/saml:Issuer>\n\t\t<dsig:Signature>\n\t\t\t<dsig:SignedInfo>\n\t\t\t\t<dsig:CanonicalizationMethod Algorithm=\"http:\/\/www.w3.org\/2001\/10\/xml-exc-c14n#\"\/>\n\t\t\t\t<dsig:SignatureMethod Algorithm=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#rsa-sha1\"\/>\n\t\t\t\t<dsig:Reference URI=\"#id-0WrMNbOz6wsuZdFPhfjnw7WIXXQ6k89-1AgHZ9Oi\">\n\t\t\t\t\t<dsig:Transforms>\n\t\t\t\t\t\t<dsig:Transform Algorithm=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#enveloped-signature\"\/>\n\t\t\t\t\t\t<dsig:Transform Algorithm=\"http:\/\/www.w3.org\/2001\/10\/xml-exc-c14n#\"\/>\n\t\t\t\t\t<\/dsig:Transforms>\n\t\t\t\t\t<dsig:DigestMethod Algorithm=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#sha1\"\/>\n\t\t\t\t\t<dsig:DigestValue>7+jZtq8SpY3BKVaFjIFeEJm51cA=<\/dsig:DigestValue>\n\t\t\t\t<\/dsig:Reference>\n\t\t\t<\/dsig:SignedInfo>\n\t\t\t<dsig:SignatureValue>GIlXt4B4rVFoDJRxidpZO73gXB68Dd+mcpoV9DKrjBBjLRz...zGTDcEYY2MG8FgtarZhVQGc4zxkkSg8GRT6Wng3NEuTUuA==<\/dsig:SignatureValue>\n\t\t\t<dsig:KeyInfo>\n\t\t\t\t<dsig:X509Data>\n\t\t\t\t\t<dsig:X509Certificate>MIwDQUg+nhYqGZ7pCgBQAwTTELMAkGA1UEBhMCQk1ZhQ...aATPRCd113tVqsvCkUwpfQ5zyUHaKw4FkXmiT2nzxxHA==<\/dsig:X509Certificate>\n\t\t\t\t<\/dsig:X509Data>\n\t\t\t<\/dsig:KeyInfo>\n\t\t<\/dsig:Signature>\n\t\t<saml:Subject>\n\t\t\t<saml:NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\">PATOU_MORGAN<\/saml:NameID>\n\t\t\t<saml:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\">\n\t\t\t\t<saml:SubjectConfirmationData InResponseTo=\"_0x7258edc52961ccbd5a435fb13ac67799\" NotOnOrAfter=\"2017-11-12T12:28:42Z\" Recipient=\"https:\/\/weblogic_server_01\/saml2\/sp\/acs\/post\"\/>\n\t\t\t<\/saml:SubjectConfirmation>\n\t\t<\/saml:Subject>\n\t\t<saml:Conditions NotBefore=\"2017-11-12T12:23:42Z\" NotOnOrAfter=\"2017-11-12T12:28:42Z\">\n\t\t\t<saml:AudienceRestriction>\n\t\t\t\t<saml:Audience>SAML2_Entity_ID_01<\/saml:Audience>\n\t\t\t<\/saml:AudienceRestriction>\n\t\t<\/saml:Conditions>\n\t\t<saml:AuthnStatement AuthnInstant=\"2017-11-12T12:23:42Z\" SessionIndex=\"id-oX9wXdpGmt9GQlVffvY4hEIRULEd25nrxDzE8D7w\" SessionNotOnOrAfter=\"2017-11-12T12:38:42Z\">\n\t\t\t<saml:AuthnContext>\n\t\t\t\t<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport<\/saml:AuthnContextClassRef>\n\t\t\t<\/saml:AuthnContext>\n\t\t<\/saml:AuthnStatement>\n\t<\/saml:Assertion>\n<\/samlp:Response><\/pre>\n
 <\/p>\n
As you can see on the XML, there are two conditions that apply on the SAML2 response:<\/p>\n
    \n
  • The usage of the response needs to take place ‘NotBefore’ the current time<\/li>\n
  • The usage of the response needs to take place ‘NotOnOrAfter’ the current time + 5 minutes<\/li>\n<\/ul>\n
    In this case, the NotBefore is set to ‘2017-11-12T12:23:42Z’ which is the current time of the IdP Partner Server. However you can see in the logs that the WebLogic Server hosting the application is actually one second before this time (Nov 12, 2017 12:23:41 PM UTC) and therefore the NotBefore restriction applies and the WebLogic Server hosting the application has no other choice than to return a ‘403 – Forbidden’ message because the SAML2 response is NOT valid.<\/p>\n
    In this case, the NTP daemon (Network Time Protocol) on the IdP Partner Linux server has been restarted and the time on this server has been resynched which solved the issue. Having a server in the future can cause some interesting behaviors :).<\/p>\n
     <\/p>\n","protected":false},"excerpt":{"rendered":"
    In a previous blog, I explained how it was possible to enable the SSO\/Atn\/Atz (SSO\/Authentication\/Authorization) debug logs in order to troubleshoot an issue. In this blog, I will show the logs generated by an issue that I had to deal with last month at one of our customers. This issue will probably not occur very […]<\/p>\n","protected":false},"author":20,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[197,525],"tags":[1226,1227,995,1228,1229,445,647],"type_dbi":[],"class_list":["post-10663","post","type-post","status-publish","format-standard","hentry","category-application-integration-middleware","category-enterprise-content-management","tag-atn","tag-atz","tag-authentication","tag-authorization","tag-saml2","tag-sso","tag-weblogic"],"acf":[],"yoast_head":"\nWebLogic - SSO\/Atn\/Atz - 403 Forbidden, a first issue - dbi Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.dbi-services.com\/blog\/weblogic-ssoatnatz-403-forbidden-a-first-issue\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"WebLogic - SSO\/Atn\/Atz - 403 Forbidden, a first issue\" \/>\n<meta property=\"og:description\" content=\"In a previous blog, I explained how it was possible to enable the SSO\/Atn\/Atz (SSO\/Authentication\/Authorization) debug logs in order to troubleshoot an issue. In this blog, I will show the logs generated by an issue that I had to deal with last month at one of our customers. This issue will probably not occur very […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.dbi-services.com\/blog\/weblogic-ssoatnatz-403-forbidden-a-first-issue\/\" \/>\n<meta property=\"og:site_name\" content=\"dbi Blog\" \/>\n<meta property=\"article:published_time\" content=\"2017-12-02T07:00:29+00:00\" \/>\n<meta name=\"author\" content=\"Morgan Patou\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@MorganPatou\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Morgan Patou\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"13 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/weblogic-ssoatnatz-403-forbidden-a-first-issue\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/weblogic-ssoatnatz-403-forbidden-a-first-issue\/\"},\"author\":{\"name\":\"Morgan Patou\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/c4d05b25843a9bc2ab20415dae6bd2d8\"},\"headline\":\"WebLogic – SSO\/Atn\/Atz – 403 Forbidden, a first issue\",\"datePublished\":\"2017-12-02T07:00:29+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/weblogic-ssoatnatz-403-forbidden-a-first-issue\/\"},\"wordCount\":538,\"commentCount\":0,\"keywords\":[\"Atn\",\"Atz\",\"Authentication\",\"Authorization\",\"SAML2\",\"SSO\",\"WebLogic\"],\"articleSection\":[\"Application integration & Middleware\",\"Enterprise content management\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/weblogic-ssoatnatz-403-forbidden-a-first-issue\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/weblogic-ssoatnatz-403-forbidden-a-first-issue\/\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/weblogic-ssoatnatz-403-forbidden-a-first-issue\/\",\"name\":\"WebLogic - SSO\/Atn\/Atz - 403 Forbidden, a first issue - dbi Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\"},\"datePublished\":\"2017-12-02T07:00:29+00:00\",\"author\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/c4d05b25843a9bc2ab20415dae6bd2d8\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/weblogic-ssoatnatz-403-forbidden-a-first-issue\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/weblogic-ssoatnatz-403-forbidden-a-first-issue\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/weblogic-ssoatnatz-403-forbidden-a-first-issue\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.dbi-services.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"WebLogic – SSO\/Atn\/Atz – 403 Forbidden, a first issue\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/\",\"name\":\"dbi Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/c4d05b25843a9bc2ab20415dae6bd2d8\",\"name\":\"Morgan Patou\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/5d7f5bec8b597db68a09107a6f5309e3870d6296ef94fb10ead4b09454ca67e5?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/5d7f5bec8b597db68a09107a6f5309e3870d6296ef94fb10ead4b09454ca67e5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/5d7f5bec8b597db68a09107a6f5309e3870d6296ef94fb10ead4b09454ca67e5?s=96&d=mm&r=g\",\"caption\":\"Morgan Patou\"},\"description\":\"Morgan Patou has over 12 years of experience in Enterprise Content Management (ECM) systems, with a strong focus in recent years on platforms such as Alfresco, Documentum, and M-Files. He specializes in the architecture, setup, customization, and maintenance of ECM infrastructures in complex & critical environments. Morgan is well-versed in both engineering and operations aspects, including high availability design, system integration, and lifecycle management. He also has a solid foundation in open-source and proprietary technologies - ranging from Apache, OpenLDAP or Kerberos to enterprise-grade systems like WebLogic. Morgan Patou holds an Engineering Degree in Computer Science from ENSISA (\u00c9cole Nationale Sup\u00e9rieure d'Ing\u00e9nieurs Sud Alsace) in Mulhouse, France. He is Alfresco Content Services Certified Administrator (ACSCA), Alfresco Content Services Certified Engineer (ACSCE) as well as OpenText Documentum Certified Administrator. His industry experience spans the Public Sector, IT Services, Financial Services\/Banking, and the Pharmaceutical industry.\",\"sameAs\":[\"https:\/\/blog.dbi-services.com\/author\/morgan-patou\/\",\"https:\/\/x.com\/MorganPatou\"],\"url\":\"https:\/\/www.dbi-services.com\/blog\/author\/morgan-patou\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"WebLogic - SSO\/Atn\/Atz - 403 Forbidden, a first issue - dbi Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.dbi-services.com\/blog\/weblogic-ssoatnatz-403-forbidden-a-first-issue\/","og_locale":"en_US","og_type":"article","og_title":"WebLogic - SSO\/Atn\/Atz - 403 Forbidden, a first issue","og_description":"In a previous blog, I explained how it was possible to enable the SSO\/Atn\/Atz (SSO\/Authentication\/Authorization) debug logs in order to troubleshoot an issue. In this blog, I will show the logs generated by an issue that I had to deal with last month at one of our customers. This issue will probably not occur very […]","og_url":"https:\/\/www.dbi-services.com\/blog\/weblogic-ssoatnatz-403-forbidden-a-first-issue\/","og_site_name":"dbi Blog","article_published_time":"2017-12-02T07:00:29+00:00","author":"Morgan Patou","twitter_card":"summary_large_image","twitter_creator":"@MorganPatou","twitter_misc":{"Written by":"Morgan Patou","Est. reading time":"13 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.dbi-services.com\/blog\/weblogic-ssoatnatz-403-forbidden-a-first-issue\/#article","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/weblogic-ssoatnatz-403-forbidden-a-first-issue\/"},"author":{"name":"Morgan Patou","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/c4d05b25843a9bc2ab20415dae6bd2d8"},"headline":"WebLogic – SSO\/Atn\/Atz – 403 Forbidden, a first issue","datePublished":"2017-12-02T07:00:29+00:00","mainEntityOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/weblogic-ssoatnatz-403-forbidden-a-first-issue\/"},"wordCount":538,"commentCount":0,"keywords":["Atn","Atz","Authentication","Authorization","SAML2","SSO","WebLogic"],"articleSection":["Application integration & Middleware","Enterprise content management"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.dbi-services.com\/blog\/weblogic-ssoatnatz-403-forbidden-a-first-issue\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.dbi-services.com\/blog\/weblogic-ssoatnatz-403-forbidden-a-first-issue\/","url":"https:\/\/www.dbi-services.com\/blog\/weblogic-ssoatnatz-403-forbidden-a-first-issue\/","name":"WebLogic - SSO\/Atn\/Atz - 403 Forbidden, a first issue - dbi Blog","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/#website"},"datePublished":"2017-12-02T07:00:29+00:00","author":{"@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/c4d05b25843a9bc2ab20415dae6bd2d8"},"breadcrumb":{"@id":"https:\/\/www.dbi-services.com\/blog\/weblogic-ssoatnatz-403-forbidden-a-first-issue\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.dbi-services.com\/blog\/weblogic-ssoatnatz-403-forbidden-a-first-issue\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.dbi-services.com\/blog\/weblogic-ssoatnatz-403-forbidden-a-first-issue\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.dbi-services.com\/blog\/"},{"@type":"ListItem","position":2,"name":"WebLogic – SSO\/Atn\/Atz – 403 Forbidden, a first issue"}]},{"@type":"WebSite","@id":"https:\/\/www.dbi-services.com\/blog\/#website","url":"https:\/\/www.dbi-services.com\/blog\/","name":"dbi Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/c4d05b25843a9bc2ab20415dae6bd2d8","name":"Morgan Patou","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/5d7f5bec8b597db68a09107a6f5309e3870d6296ef94fb10ead4b09454ca67e5?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/5d7f5bec8b597db68a09107a6f5309e3870d6296ef94fb10ead4b09454ca67e5?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/5d7f5bec8b597db68a09107a6f5309e3870d6296ef94fb10ead4b09454ca67e5?s=96&d=mm&r=g","caption":"Morgan Patou"},"description":"Morgan Patou has over 12 years of experience in Enterprise Content Management (ECM) systems, with a strong focus in recent years on platforms such as Alfresco, Documentum, and M-Files. He specializes in the architecture, setup, customization, and maintenance of ECM infrastructures in complex & critical environments. Morgan is well-versed in both engineering and operations aspects, including high availability design, system integration, and lifecycle management. He also has a solid foundation in open-source and proprietary technologies - ranging from Apache, OpenLDAP or Kerberos to enterprise-grade systems like WebLogic. Morgan Patou holds an Engineering Degree in Computer Science from ENSISA (\u00c9cole Nationale Sup\u00e9rieure d'Ing\u00e9nieurs Sud Alsace) in Mulhouse, France. He is Alfresco Content Services Certified Administrator (ACSCA), Alfresco Content Services Certified Engineer (ACSCE) as well as OpenText Documentum Certified Administrator. His industry experience spans the Public Sector, IT Services, Financial Services\/Banking, and the Pharmaceutical industry.","sameAs":["https:\/\/blog.dbi-services.com\/author\/morgan-patou\/","https:\/\/x.com\/MorganPatou"],"url":"https:\/\/www.dbi-services.com\/blog\/author\/morgan-patou\/"}]}},"_links":{"self":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/10663","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/comments?post=10663"}],"version-history":[{"count":0,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/10663\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/media?parent=10663"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/categories?post=10663"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/tags?post=10663"},{"taxonomy":"type","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/type_dbi?post=10663"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}