Tghosh

Reputation: 190

A valid SubjectConfirmation was not found on this Response, laravel and saml2

I've been stuck for the last couple of days trying to figure out why the response which I'm getting from the IdP is being rejected by the package I'm using. I'm using this: https://github.com/aacotroneo/laravel-saml2 This is the response that I'm getting:

    xml: """
  <?xml version="1.0"?>
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" ID="vDJfB_2Fr9fGfh9izuYf6pSoE6q" IssueInstant="2020-11-04T08:55:23.144Z" InResp ▶
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idP</saml:Issuer>
    <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="kle-id.i4AcYYOSNJEX0biJ1lhh" IssueInstant="2020-11-04T08:55:23.302Z" Version="2.0">
      <saml:Issuer>idP</saml:Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference URI="#kle-id.i4AcYYOSNJEX0biJ1lhh">
  <ds:Transforms>
  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  </ds:Transforms>
  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
  <ds:DigestValue>Bm0ARLP+duLFtM0UwVkXYr+W9PRSYYuW4sv0rzQsGlI=</ds:DigestValue>
  </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>
  RlvQm/VDU13e1oFU+y/0wr//bA6blrYBQER+57/hHq+SBRPDJl8hpEXnLaiv5AAEtzVteJrlhgc+
  9YbTg8478l8hmBfVZVzlIa0POypWrNA8lwzhwDRAsQtbxypY3RPwKW0SSs6kq0K0EduxecG4grcl
  1lWEpTRBtdv/NqVg6w8swSQzMXXf0GKjmqeagAqm3HeA6nSNc2T02ChwQ/78OZEbZjDaKj2Rqv2Y
  1zqf/xyM2QZES3IlVfA5yekoJfG81sZYn5s+RiTsqFjAMvKrBsaPbEMZoT3ZcFQLY+/b08cTxCEM
  RirLXRp86rAHhqps0+y1j9eFg0HWdvTO/3Ss0w==
  </ds:SignatureValue>
  <ds:KeyInfo>
  <ds:X509Data>
  <ds:X509Certificate>
  DELETED FOR PRIVACY REASONS
  </ds:X509Certificate>
  </ds:X509Data>
  <ds:KeyValue>
  <ds:RSAKeyValue>
  <ds:Modulus>
  DELETED
  </ds:Modulus>
  <ds:Exponent>AQAB</ds:Exponent>
  </ds:RSAKeyValue>
  </ds:KeyValue>
  </ds:KeyInfo>
  </ds:Signature>
      <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">DELETED FOR PRIVACY REASONS</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
          <saml:SubjectConfirmationData Recipient="DELETED FOR PRIVACY REASONS" NotOnOrAfter="2020-11-04T09:00:23.305Z" InResponseTo="ONELOGIN_6134c96d0e247a491cc1a83286b4226c2d30004a"
        </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Conditions NotBefore="2020-11-04T08:50:23.305Z" NotOnOrAfter="2020-11-04T09:00:23.305Z">
        <saml:AudienceRestriction>
          <saml:Audience>DELETED FOR PRIVACY REASONS</saml:Audience>
        </saml:AudienceRestriction>
      </saml:Conditions>
      <saml:AuthnStatement SessionIndex="kle-id.i4AcYYOSNJEX0biJ1lhh" AuthnInstant="2020-11-04T08:36:22.912Z">
        <saml:AuthnContext>
          <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
        </saml:AuthnContext>
      </saml:AuthnStatement>
    </saml:Assertion>
  </samlp:Response>
  """

I'm not sure what's going on, but I kept tracing the validation and it seems to me that it rejects this response after checking the NotBefore attribute on line 359 of OneLogin\Saml2\Response.php

Can someone please help me figure out what the hell is going on with it? The IdP is PingFederate.

Upvotes: 1

Views: 4137

Answers (1)

Ian

Reputation: 4255

From looking at the NotBefore and NotOnOrAfter timestamps in the Response, Ping is set to a 5 min clock skew, which is normal/default.

Without more specific error messages, it sounds like there is a clock drift issue between the IdP server (PF) and your SP application if your SP is complaining about the NotBefore. Ensure both servers have not only the proper time but also the proper time zone in the OS settings. You might need to restart PF to get it to pick up any changes to the system time if you make any.

Upvotes: 3
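To see how the answer's clock-drift explanation plays out against the timestamps in the question, here is an added example (not code from the original post, from laravel-saml2 or from php-saml). It parses the timing attributes of a Response and reports which check an SP whose clock reads a given time would fail, so the NotBefore rejection can be reproduced by shifting a simulated SP clock rather than the OS clock. The `SAMPLE_RESPONSE` is a constructed skeleton of the Response in the question with the redacted values left out; `allowed_skew` is an assumed parameter (php-saml applies its own fixed allowance, `Constants::ALLOWED_CLOCK_DRIFT`, which this script does not reproduce).

```python
"""Validity-window check for a SAML 2.0 Response against a simulated SP clock.

Added example; not code from the original post, laravel-saml2 or php-saml.
"""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: the timing-relevant skeleton of the Response in the
# question (signature, NameID, Recipient and Audience left out).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
    ID="vDJfB_2Fr9fGfh9izuYf6pSoE6q" IssueInstant="2020-11-04T08:55:23.144Z">
  <saml:Assertion ID="kle-id.i4AcYYOSNJEX0biJ1lhh" Version="2.0"
      IssueInstant="2020-11-04T08:55:23.302Z">
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2020-11-04T09:00:23.305Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2020-11-04T08:50:23.305Z"
        NotOnOrAfter="2020-11-04T09:00:23.305Z"/>
  </saml:Assertion>
</samlp:Response>"""

# The IdP's clock at the moment the sample assertion was issued.
ISSUE_INSTANT = dt.datetime(2020, 11, 4, 8, 55, 23, 302000, tzinfo=dt.timezone.utc)


def parse_saml_time(value):
    """Parse an xs:dateTime such as 2020-11-04T08:50:23.305Z into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"  # fromisoformat only accepts 'Z' from Python 3.11
    return dt.datetime.fromisoformat(value)


def timing_attributes(response_xml):
    """Return the NotBefore / NotOnOrAfter values the SP will test, keyed by element."""
    root = ET.fromstring(response_xml)
    cond = root.find("./saml:Assertion/saml:Conditions", NS)
    scd = root.find("./saml:Assertion/saml:Subject/saml:SubjectConfirmation/"
                    "saml:SubjectConfirmationData", NS)
    if cond is None or scd is None:
        raise ValueError("assertion lacks Conditions or SubjectConfirmationData")
    return {
        "Conditions.NotBefore": parse_saml_time(cond.get("NotBefore")),
        "Conditions.NotOnOrAfter": parse_saml_time(cond.get("NotOnOrAfter")),
        "SubjectConfirmationData.NotOnOrAfter": parse_saml_time(scd.get("NotOnOrAfter")),
    }


def failed_checks(response_xml, sp_now, allowed_skew=0):
    """List the timing checks an SP whose clock reads `sp_now` would fail.

    Applies the SAML rule NotBefore <= now < NotOnOrAfter, widened by
    `allowed_skew` seconds (assumed parameter) on each side. An empty list
    means the assertion is inside its validity window.
    """
    t = timing_attributes(response_xml)
    skew = dt.timedelta(seconds=allowed_skew)
    failures = []
    if sp_now + skew < t["Conditions.NotBefore"]:
        failures.append("Conditions.NotBefore")
    for key in ("Conditions.NotOnOrAfter", "SubjectConfirmationData.NotOnOrAfter"):
        if sp_now - skew >= t[key]:
            failures.append(key)
    return failures


def drift_report(response_xml, idp_now, offsets, allowed_skew=0):
    """Map each SP clock offset (seconds relative to the IdP clock) to its failed checks."""
    return {off: failed_checks(response_xml, idp_now + dt.timedelta(seconds=off), allowed_skew)
            for off in offsets}


if __name__ == "__main__":
    for skew in (0, 180):
        print(f"allowed skew = {skew}s")
        report = drift_report(SAMPLE_RESPONSE, ISSUE_INSTANT, (-400, -200, 0, 200, 400), skew)
        for off, fails in report.items():
            print(f"  SP clock {off:+5d}s: {'OK' if not fails else ', '.join(fails)}")
```

With the question's timestamps, an SP clock running more than about five minutes behind the IdP trips `Conditions.NotBefore` (the check the asker traced to), and one running more than five minutes ahead trips both NotOnOrAfter attributes; a skew allowance of 180 s absorbs a 400 s offset in either direction. Note that php-saml's "A valid SubjectConfirmation was not found" loop also requires `SubjectConfirmationData`'s `Recipient` to match the ACS URL the response was posted to, so once the clocks agree, that redacted value is the next thing to compare.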
