Problem:
SAML Login Fails with ToEarly Exception on UCS SSO Portal
Description
A customer using Keycloak as identity provider gets the following traceback when logging in to the portal site via SSO:
saml2.validate.ToEarly: Can't use response yet: (now=2025-11-23T09:11:57Z + slack=0) <= notbefore=2025-07-23T09:11:58.660Z
Traceback
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/tornado/web.py", line 1595, in _execute
result = yield result
...
File "/usr/lib/python3/dist-packages/saml2/validate.py", line 110, in validate_before
" <= notbefore=%s" % (now_str, slack, not_before))
saml2.validate.ToEarly: Can't use response yet: (now=2025-11-23T09:11:57Z + slack=0) <= notbefore=2025-07-23T09:11:58.660Z
Root Cause:
The exception is raised by the validate_before function of the pysaml2 library. Either an incorrect date setting on the server or the faulty date format specifier in that function leads to a failed comparison of time values.
The bug has been documented here:
Bug #55719
Wrong date settings on the server can cause this issue: the session created by Keycloak then lies in the future relative to the server, whose clock is behind.
root@ucs5primary:~# date
Di 7. Okt 06:29:42 CEST 2025
OR
Faulty Line in Source Code
File: /usr/lib/python3/dist-packages/saml2/validate.py
now_str = time.strftime('%Y-%M-%dT%H:%M:%SZ', time.gmtime(now))
The use of %M incorrectly formats the month using the minutes format specifier, leading to invalid timestamps.
Corrected Line
now_str = time.strftime('%Y-%m-%dT%H:%M:%SZ', time.gmtime(now))
Reference commit in upstream repository:
IdentityPython fix commit
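The following Python is an added illustration, not code from this article or from pysaml2. It re-implements the NotBefore check in simplified form (the function and helper names parse_saml_time, validate_before, format_now and needs_patch are hypothetical) and assumes that the check compares epoch seconds while the strftime string is used only for the error message. With a server clock of 2025-07-23T09:11:57Z and the NotBefore value from the traceback above, it reproduces the exact message from the traceback: the month field shows 11 because %M inserts the minute value, while the corrected %m yields 07. It also shows that the response is accepted once the configured slack covers the 1.66 s gap, and includes a small check for whether a validate.py source text still contains the faulty format string.

```python
import calendar
import time

# Format strings quoted in the article: the faulty one puts minutes (%M)
# in the month position, the corrected one uses the month (%m).
FAULTY_FMT = "%Y-%M-%dT%H:%M:%SZ"
FIXED_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed server clock matching the traceback (July 23rd, not November).
SERVER_NOW = calendar.timegm(time.strptime("2025-07-23T09:11:57", "%Y-%m-%dT%H:%M:%S"))
# NotBefore value taken from the traceback in the article.
KEYCLOAK_NOT_BEFORE = "2025-07-23T09:11:58.660Z"


class ToEarly(Exception):
    """Local stand-in for saml2.validate.ToEarly (assumed equivalent)."""


def parse_saml_time(value):
    """Parse a SAML UTC timestamp such as '2025-07-23T09:11:58.660Z' into epoch seconds.

    Simplified, hypothetical replacement for pysaml2's str_to_time: only the
    'Z' (UTC) form is accepted and fractional seconds are preserved."""
    if not value.endswith("Z"):
        raise ValueError("only UTC timestamps ending in 'Z' are supported")
    base, _, frac = value[:-1].partition(".")
    seconds = calendar.timegm(time.strptime(base, "%Y-%m-%dT%H:%M:%S"))
    if frac:
        seconds += float("0." + frac)
    return seconds


def format_now(now, fmt=FIXED_FMT):
    """Render epoch seconds exactly as the article's validate_before line does."""
    return time.strftime(fmt, time.gmtime(now))


def validate_before(not_before, now, slack=0, fmt=FIXED_FMT):
    """Hypothetical, simplified NotBefore check.

    The verdict comes from a numeric comparison of epoch seconds; the formatted
    string only appears in the message, so in this re-implementation the %M typo
    garbles the message rather than the decision."""
    nbefore = parse_saml_time(not_before)
    if nbefore > now + slack:
        raise ToEarly(
            "Can't use response yet: (now=%s + slack=%d) <= notbefore=%s"
            % (format_now(now, fmt), slack, not_before)
        )
    return True


def reproduce_traceback(fmt=FAULTY_FMT):
    """Return the error message produced for the article's clock values and slack=0."""
    try:
        validate_before(KEYCLOAK_NOT_BEFORE, SERVER_NOW, slack=0, fmt=fmt)
    except ToEarly as exc:
        return str(exc)
    return None


def needs_patch(validate_py_source):
    """True when a validate.py source text still contains the faulty strftime layout."""
    return FAULTY_FMT in validate_py_source


if __name__ == "__main__":
    print("faulty message :", reproduce_traceback(FAULTY_FMT))
    print("fixed message  :", reproduce_traceback(FIXED_FMT))
    print("accepted with slack=2:", validate_before(KEYCLOAK_NOT_BEFORE, SERVER_NOW, slack=2))
```

Reading the garbled message is the practical point: when the month in now= equals the minute value while notbefore= shows a different month, the server is not months behind Keycloak but, as here, less than two seconds behind, which points to the clock check in the first solution.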
Solutions:
1st. Solution:
To correct the date setting, run the following command against a time server of your own:
rdate -n <timeserver>
Example:
root@ucs5primary:~# rdate -n 10.200.30.1
Tue Oct 7 10:08:08 CEST 2025
2nd. Solution:
A patch has been provided that fixes this issue.
- Download Patch File:
Patch Attachment 11331 (also available directly in the Bug Report)
How to Apply the Patch
Follow these steps to apply the patch:
- Download the patch:
wget "https://forge.univention.org/bugzilla/attachment.cgi?id=11331" -O saml2-validate.patch
- Backup the original script:
cp /usr/lib/python3/dist-packages/saml2/validate.py /usr/lib/python3/dist-packages/saml2/validate.py.bak
- Make the patch file executable:
chmod +x saml2-validate.patch
- Install the patch utility if it's not already available:
apt install patch
- Apply the patch:
patch /usr/lib/python3/dist-packages/saml2/validate.py < saml2-validate.patch
Conclusion
This issue is a result of a formatting typo in the pysaml2 SAML response validation logic. Until a fixed version is officially available through UCS updates, the above manual patch can be applied to resolve the login failure.
If the system is managed centrally or by an administrator, please coordinate changes to ensure consistent deployment across affected nodes.
Investigation:
Verify System Time and Date
Before applying any patch, it is crucial to ensure that the system time on your UCS server is accurate. Incorrect time synchronization can also cause SAML authentication failures due to strict timestamp validation.
Step 1: Check the Current Time
Run the following command to verify the current date and time:
date -u
This returns the system time in UTC. Example output:
Wed Jul 30 09:15:02 UTC 2025
Step 2: Verify NTP Synchronization
Ensure that your system is synchronized with an NTP (Network Time Protocol) server:
timedatectl status
Check the output for:
NTP service: should be active
System clock synchronized: should be "yes"
RTC in local TZ: should typically be "no" (UTC recommended)
Example:
System clock synchronized: yes
NTP service: active
Step 3: Restart Time Sync if Necessary
If the system time is incorrect or unsynchronized, you can manually restart the time sync service:
timedatectl set-ntp true
Note: Time discrepancies larger than a few seconds may cause ToEarly or ResponseLifetimeExceed errors in SAML workflows.