Product: StreamSets Control Hub (SCH)
Issue:
Login to Control Hub with SAML enabled is failing with the following exception found in the logs:
Caused by: WebSsoException: WEB_SSO_006 - Message lifetime verification failed: {}
at com.streamsets.samuel.profile.websso.common.LifetimeVerifier.verify(LifetimeVerifier.java:75)
at com.streamsets.samuel.profile.websso.common.AbstractWebSsoEndpoint.verifyMessage(AbstractWebSsoEndpoint.java:610)
... 55 more
Caused by: org.opensaml.messaging.handler.MessageHandlerException: Message was rejected because it was issued in the future
at org.opensaml.saml.common.binding.security.impl.MessageLifetimeSecurityHandler.doInvoke(MessageLifetimeSecurityHandler.java:147)
at org.opensaml.messaging.handler.AbstractMessageHandler.invoke(AbstractMessageHandler.java:95)
at com.streamsets.samuel.profile.websso.common.LifetimeVerifier.verify(LifetimeVerifier.java:73)
... 56 more
The exception above is found in the logs. In the Control Hub UI, under Administration -> Login Audit, you will probably see only the following exception:
WEB_SSO_012 - Could not obtain peer configuration
Solution:
This issue can happen if the time on the SCH machine does not match the time on the machine with Okta installed. The message must be issued within +1/-1 minutes; otherwise, the authentication fails.
Check with your team whether the time is correct on the machines.
If the time on the SCH machine is not correct, you may notice a mismatch in the time of the last login shown in Login Audit (Control Hub UI -> Administration). For example, you log in at 8:16 am, but the log shows the last login attempt at 8:13 am.
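To confirm clock skew on a failing login, compare the IssueInstant of a captured SAMLResponse with the SCH machine's clock. The following is an added example, not StreamSets code; it assumes the symmetric one-minute window stated above, and the function names and the sample response are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SKEW = timedelta(minutes=1)  # assumption: the +1/-1 minute window stated above
SAMLP_RESPONSE = "{urn:oasis:names:tc:SAML:2.0:protocol}Response"

def issue_instant(saml_response_b64):
    """Return IssueInstant of a base64 SAMLResponse (HTTP-POST binding) in UTC."""
    # Diagnostic parse of a response you captured yourself; no signature check.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != SAMLP_RESPONSE:
        raise ValueError("not a samlp:Response element")
    raw = root.attrib["IssueInstant"]  # e.g. 2024-01-01T08:16:00.000Z
    return datetime.fromisoformat(raw.replace("Z", "+00:00")).astimezone(timezone.utc)

def check_lifetime(issued, local_now, skew=SKEW):
    """Classify the message as a symmetric +/- skew check would see it."""
    delta = issued - local_now  # positive: the local clock is behind the issuer
    if delta > skew:
        return "issued-in-future", delta
    if delta < -skew:
        return "expired", delta
    return "ok", delta

# Constructed sample: IdP issues at 08:16:00Z, SCH clock reads 08:13:00Z.
SAMPLE_B64 = base64.b64encode(
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_constructed" Version="2.0" IssueInstant="2024-01-01T08:16:00.000Z"/>'
).decode()

if __name__ == "__main__":
    issued = issue_instant(SAMPLE_B64)
    for label, now in [
        ("SCH clock 3 min slow", datetime(2024, 1, 1, 8, 13, tzinfo=timezone.utc)),
        ("SCH clock in sync", datetime(2024, 1, 1, 8, 16, 20, tzinfo=timezone.utc)),
    ]:
        status, delta = check_lifetime(issued, now)
        print(f"{label}: {status} (IssueInstant - local = {delta.total_seconds():+.0f}s)")
```

On the SCH host, pass `datetime.now(timezone.utc)` as `local_now`; a result of "issued-in-future" corresponds to the "issued in the future" rejection in the stack trace and means the local clock is behind.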