Authentication statement is too old to be used – Jive with ADFS for SAML SSO

We have been battling random error messages from the SSO subsystem in Jive, and this one became more and more frequent: “Authentication statement is too old to be used”. Our system uses an AD FS 2.0 farm to provide SAML 2.0 authentication for Jive.

Initially, support told us that the problem was related to the token lifetime of the RP-specific entry. Based on that advice we adjusted the authentication lifetime on our Jive relying party trust, but it did not resolve the issue.

After a few weeks of suffering we discovered that the issue is not related to the RP-specific TTL at all. The “Authentication Statement” is governed by the global (master) setting on ADFS, not the relying party trust. The error refers to how long it has been since the IdP (AD FS 2.0 in my case) first authenticated the user: the AuthnStatement in each assertion carries that original authentication time, even when the assertion itself was just issued from an existing ADFS SSO session. Jive accepts authentication statements up to 2 hours old; ADFS keeps the SSO session (and therefore that original authentication time) for 8 hours by default. As soon as we raised the length of time that Jive will accept as the IdP maximum timeout, the issue went away!
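To make the mechanism concrete, here is an added illustration (not code from the post, from Jive or from ADFS) of the SP-side check that produces this error: the assertion's Conditions window is fine, but the AuthnStatement's AuthnInstant is hours older than the assertion's IssueInstant, so the 2-hour limit rejects it while the 8-hour limit accepts it. The XML, timestamps, and function names are constructed for this example.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the IdP authenticated the user at 08:00Z and, hours later,
# re-issued an assertion for the SP from its existing SSO session at 12:30Z.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2013-05-01T12:30:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2013-05-01T12:29:00Z" NotOnOrAfter="2013-05-01T13:30:00Z"/>
  <saml:AuthnStatement AuthnInstant="2013-05-01T08:00:00Z" SessionIndex="_s1">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

def parse_saml_time(value):
    """Parse a SAML xs:dateTime (UTC 'Z', optional fractional seconds)."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_authn_statement(assertion_xml, now, max_authn_age):
    """Return (accepted, reason). First the assertion's own validity window is
    checked against `now`; then the AuthnStatement's AuthnInstant (when the IdP
    first authenticated the user, not when this assertion was issued) must be
    no older than `max_authn_age`, the SP's configured maximum."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        return False, "assertion outside its validity window"
    stmt = root.find("saml:AuthnStatement", SAML_NS)
    authn_age = now - parse_saml_time(stmt.get("AuthnInstant"))
    if authn_age > max_authn_age:
        return False, "authentication statement is too old to be used"
    return True, "ok"

NOW = datetime(2013, 5, 1, 12, 30, 30, tzinfo=timezone.utc)  # 30 s after issue
SP_LIMIT_2H = timedelta(hours=2)    # the SP's 2-hour maximum from the post
IDP_SSO_8H = timedelta(hours=8)     # the IdP's 8-hour SSO lifetime from the post

if __name__ == "__main__":
    print(check_authn_statement(SAMPLE_ASSERTION, NOW, SP_LIMIT_2H))  # rejected
    print(check_authn_statement(SAMPLE_ASSERTION, NOW, IDP_SSO_8H))   # ok
```

Raising the SP limit to match the IdP's SSO lifetime, as the post describes, is what turns the first result into the second.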
