[IdP] Intermittent SAML SSO Login Failure – Old AuthnInstant in Successful SAML Response
Question
idp
Forge asset by João Barata

Hello,

I am experiencing intermittent SAML SSO login failures using the official OutSystems IdP component.

Context:

  • Google Workspace is configured as the Identity Provider.

  • The SAML response returns Status: Success.

  • The assertion signature is valid.

  • Audience and Recipient match correctly.

  • No decryption errors occur.

Issue: Some users are able to log in successfully, while others fail, even though the SAML response indicates success.

When comparing the XML responses, I noticed a possible pattern:

In failing cases, the AuthnInstant inside the AuthnStatement is significantly older than the IssueInstant of the SAML Response (days or even weeks apart).

Example (failing case):

  • AuthnInstant: 2026-02-02

  • IssueInstant: 2026-02-26

In successful cases:

  • AuthnInstant is very close to the IssueInstant (difference of minutes).

Questions:

  1. Does the official OutSystems IdP component validate the AuthnInstant automatically?

  2. Is there any built-in “Max Authentication Age” validation?

  3. Can the IdP reject assertions with old AuthnInstant values even when Status: Success is returned?

  4. Is there a supported way to enable ForceAuthn="true" in the AuthnRequest when using the official IdP component?

We could not find clear documentation regarding AuthnInstant validation behavior.

Any guidance would be greatly appreciated.

Thank you.


Success Example.txt
Error response example.txt
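
An added example, not part of the original post and not code from the OutSystems IdP component: a small Python diagnostic that measures the gap between `AuthnInstant` and the Response's `IssueInstant` in captured SAML responses, so the pattern described above can be confirmed across many logins. The 8-hour threshold, the function names and the sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def parse_instant(value):
    """Parse a SAML xs:dateTime such as 2026-02-26T09:15:00Z (UTC if no offset)."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def authn_ages(response_xml, max_age=timedelta(hours=8)):
    """Return (authn_instant, issue_instant, age, too_old) per AuthnStatement.

    max_age is an assumed threshold, not a value taken from any product.
    Use on captured, already signature-checked responses with a plaintext
    Assertion; for untrusted XML parse with defusedxml instead.
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response")
    issued = parse_instant(root.attrib["IssueInstant"])
    results = []
    for stmt in root.iterfind("saml:Assertion/saml:AuthnStatement", NS):
        authn = parse_instant(stmt.attrib["AuthnInstant"])
        age = issued - authn
        results.append((authn, issued, age, age > max_age))
    return results

def sample_response(authn_instant, issue_instant):
    """Build a minimal, constructed Response carrying only the two timestamps."""
    return ('<samlp:Response xmlns:samlp="{p}" xmlns:saml="{a}" IssueInstant="{i}">'
            '<saml:Assertion IssueInstant="{i}">'
            '<saml:AuthnStatement AuthnInstant="{n}"/>'
            '</saml:Assertion></samlp:Response>').format(
                p=NS["samlp"], a=NS["saml"], i=issue_instant, n=authn_instant)

if __name__ == "__main__":
    # Dates follow the post; the times of day are constructed.
    cases = {"failing": ("2026-02-02T08:00:00Z", "2026-02-26T09:15:00Z"),
             "successful": ("2026-02-26T09:12:00Z", "2026-02-26T09:15:00Z")}
    for label, (authn, issued) in cases.items():
        for _, _, age, too_old in authn_ages(sample_response(authn, issued)):
            print(f"{label}: session age {age}, exceeds max age: {too_old}")
```

Running this over the decoded responses of failing and successful logins shows whether every failure sits above a single age boundary, which is the evidence needed to tell a max-authentication-age check apart from an unrelated cause.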