SAML assertion exceptions within EJB

Hi,

I understand that this post was old.

I am getting the same error (calling from a POJO client) and everytime I need to restart the client server that accesses the Livecycle.

Were you able to resolve this?

Caused by: | [com.adobe.idp.um.api.impl.AuthenticationManagerImpl] errorCode:16421 errorCodeHEX:0x4025 message:Could not validate SAML Token --- Assertion is not valid. Current time is greater than NOTonOrAfter time specified in the Assertion| [IDPLoggedException] errorCode:12804 errorCodeHEX:0x3204 message:Could not validate SAML Token --- Assertion is not valid. Current time is greater than NOTonOrAfter time specified in the Assertion
    at com.adobe.idp.um.api.impl.ManagerImpl.handleException(ManagerImpl.java:246)
    at com.adobe.idp.um.api.impl.ManagerImpl.handleException(ManagerImpl.java:192)
    at com.adobe.idp.um.api.impl.AuthenticationManagerImpl.validateAssertionCheck(AuthenticationManagerImpl.java:587)
    at com.adobe.idp.um.api.impl.AuthenticationManagerImpl.validateAssertion(AuthenticationManagerImpl.java:552)
    at com.adobe.idp.dsc.provider.impl.base.AbstractMessageReceiver.authenticate(AbstractMessageReceiver.java:132)
    ... 46 more

I am facing the same issue as well. We are using EJB API to render forms. And from time to time we got "errorCode:16421 errorCodeHEX:0x4025 message:Could not validate SAML Token --- Assertion is not valid. Current time is greater than NOTonOrAfter time specified in the Assertion| [IDPLoggedException] errorCode:12804 errorCodeHEX:0x3204 message:Could not validate SAML Token --- Assertion is not valid. Current time is greater than NOTonOrAfter time specified in the Assertion"

Did anyone found a solution?

Thanks!

lcfun

I am facing the same issue as well. We are using EJB API to render forms. And from time to time we got "errorCode:16421 errorCodeHEX:0x4025 message:Could not validate SAML Token --- Assertion is not valid. Current time is greater than NOTonOrAfter time specified in the Assertion| [IDPLoggedException] errorCode:12804 errorCodeHEX:0x3204 message:Could not validate SAML Token --- Assertion is not valid. Current time is greater than NOTonOrAfter time specified in the Assertion"

Did anyone found a solution?

Thanks!

lcfun

You have probably found the answer already, but for future reference here is a description of the problem and proposed solution:

http://cookbooks.adobe.com/post_Renewing_the_context_to_handle_session_expiry-16410.html

PROBLEM

Using the same instance of ServiceClientFactory to remotely invoke the services exposed by the LiveCycle container can lead to

exception related to assertion expiry

Solution

To handle the timeout use the ThrowHandler mechanism provided by the ServiceClientFactory framework

Detailed explanation

LiveCycle provides a client sdk for java based client to invoke its services remotely.

An invocation involves Creation of a ServiceClientFactory instance Setting the user credential in thefactory instance Pass that factory to a service client or use that to create InvocationRequest directly

Use the client to make the actual request.

For more details refer to Invoking

LiveCycle ES Using the Java API .

A ServiceClientFactory instance once created is valid for a ceratin

period of time which is by default 120 min. if the same instance is used to invoke beyond this period then it would lead to an exception stating that

the session has expired [com.adobe.idp.um.api.impl.AuthenticationManagerImpl]

errorCode:16421 errorCodeHEX:0x4025 message:Could not validate SAML

Token --- Assertion has expired and hence not valid for user

[administrator@DefaultDom]. Its valid till time [Thu Oct 22

17:07:53 IST

2009] was found to be before the current time [Thu Oct

22 17:58:18 IST 2009]

This is not an issue if the ServiceClientFactory instance is used for short duration. However if you are going to perform a long

running task like converting large number of documents to pdf ,applying policies to them etc then it would be an issue.

Session Expiry

Before fxing the issue some info on what is session expiry.

• When you use a ServiceClientFactory instance to invoke the service following fow happens
• You set the credentials in the properties and invoke theservice
• LiveCycle on server side validates the credentials and issues a Context. It is sort of a ticket which can be reused later instead of the actual credentials.
• Upon receiving the response from the server the ServiceClientFactory instance deletes its own copy of credentials and instead stores the Context For later invocations this Context instance is passed instead of the user credentials
• This whole fow is done to ensure that user's credentials are not sent for each remote call thus improving the security.

For more information on Context refer to

User Identity in LiveCycle .

Solution

To fx this issue you would have to re authenticate to LiveCycle and get the Context reissued. the best way to do that is to make use of the ThrowHandler provided by the ServiceClientFactory framework

STEP1 -  Create a Throwhandler

__________________________________________________________________________________________ __________________________

/**

* This ThrowHandler caches the user credentials and uses them

to refresh the Context in the

* ServiceClientFactory upon expiry.

*/

private static class SimpleTimeoutThrowHandler implements

ThrowHandler {

private String username;

private String password;

public SimpleTimeoutThrowHandler(String username, String

password) {

this.username = username;

this.password = password;

}

public boolean handleThrowable(Throwable t, ServiceClient

sc,

ServiceClientFactory scf, MessageDispatcher md,

InvocationRequest ir, int numTries) throws

DSCException {

if(timeoutError(t)){

//The call to AuthenticationManager do not require

authentication so the default properties

//are suffcient

AuthenticationManager am =

new

AuthenticationManagerServiceClient(ServiceClientFactory.createInstance(getDefaultPropertie s()));

AuthResult ar = null;

try {

ar =

am.authenticate(username,password.getBytes());

} catch (UMException e) {

throw new IllegalStateException(e);

}

Context ctx = new Context();

ctx.initPrincipal(ar);

//Refresh the ServiceClientFactory instance with

the new context

scf.setContext(ctx);

logger.info("Refreshed the context associated with

ServiceCLientFactory");

//Now tell SCF to try the invocation again

return true;

}

//Check so that we do not wrap the exception again

if(t instanceof DSCException)

throw (DSCException)t;

if(t instanceof RuntimeException)

throw (RuntimeException)t;

// how is it possible to get this far?

throw new IllegalStateException(t);

}

private boolean timeoutError(Throwable t) {

if(!(t.getCause() instanceof UMException)){

return false;

}

UMException ue = (UMException) t.getCause();

//Check that UMException is due to the

assertion/context expiry

if(UMConstants.ErrorCodes.E_TOKEN_INVALID ==

ue.getErrCode()){

return true;

}

return false;

}

}

__________________________________________________________________________________________ ______________________

This ThrowHandler would be invoked by the ServiceClientFactory upon receiving any exception. The handler would then determine if its a timeout related exception and then would refresh the Context associated with the factory instance and tells it to retry the invocation.

STEP - 2 Register the handler

__________________________________________________________________________________________ ______________________

ServiceClientFactory.installThrowHandler(new

SimpleTimeoutThrowHandler(username, password));

__________________________________________________________________________________________ ______________________

Note: The handler should be registered only once in the application

STEP 3 - Perform your invocation

Following sample would try to apply policies on all the fles present in a directory

__________________________________________________________________________________________ ______________________

Properties p = getDefaultProperties();

p.setProperty(DSC_CREDENTIAL_USERNAME, username);

p.setProperty(DSC_CREDENTIAL_PASSWORD, password);

ServiceClientFactory scf =

ServiceClientFactory.createInstance(p);

//Now do some long running operation

String inputDirName ="path-to-input-dir";

String outDirName = "path-to-out-dir";

String policyName = "the-policy-name";

File inDir = new File(inputDirName);

File outDir = new File(outDirName);

RightsManagementClient rmClient = new

RightsManagementClient(scf);

DocumentManager docManager = rmClient.getDocumentManager();

//Iterate over all the pdf in the inDir and apply the

policies. If this takes a

for(File pdfFile : inDir.listFiles()){

Document inDoc = new Document(pdfFile, false);

Document securedDoc = docManager.applyPolicy(inDoc,

pdfFile.getName(), null, policyName, null, null);

securedDoc.copyToFile(new

File(outDir,pdfFile.getName()));

}

__________________________________________________________________________________________ ______________________

Now the invocation would complete even if it takes a long time. if any session expiry occurs then our ThrowHandler would take care of that.

here's a sample:

TimeOutSample.zip