Okta timeout results in 401 error

A known issue when using Okta with Spinnaker results in the following 401 error when Spinnaker times out and the user attempts to log in again:

{
  error: "Unauthorized",
  message: "Authentication Failed: Error validating SAML message",
  status: 401,
  timestamp: 1553109495710
}



Okta can be configured to time out after a certain time, but by default, Spring doesn’t accept SAML assertions for a user who authenticated more than 2 hours ago. We’ve added a configuration option in Armory Spinnaker that lets you set the SAML maximum authentication age to match the session lifetime you specify in Okta.

Make sure you’re running Armory Spinnaker version 2.3.0 or later and set this in your profile/gate-local.yml at the root level:

saml:
  maxAuthenticationAge: <time in seconds for Okta timeout>
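
To confirm that authentication age is what triggers the 401, the following added example (not Armory's or Spring's code) decodes a captured SAMLResponse and compares its AuthnInstant with the configured limit. It is a simplified model that ignores any clock-skew allowance and does not verify the signature; the sample assertion and the 4-hour Okta session value are constructed, and the timestamp from the error above is used as the current time.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SPRING_DEFAULT_MAX_AGE = 7200  # seconds; the 2-hour default described above


def authn_instants(saml_response_b64):
    """Return every AuthnInstant in a base64-encoded SAMLResponse (UTC datetimes).

    Diagnostic only: for a response you captured yourself. No signature check.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    instants = []
    for stmt in root.iterfind(".//saml:AuthnStatement", NS):
        raw = stmt.get("AuthnInstant")
        if raw:
            # Normalise the trailing "Z" so fromisoformat accepts it on older Pythons.
            instants.append(datetime.fromisoformat(raw.replace("Z", "+00:00")))
    return instants


def check_age(saml_response_b64, max_age=SPRING_DEFAULT_MAX_AGE, now=None):
    """Return (age_in_seconds, accepted) for the oldest AuthnInstant found."""
    now = now or datetime.now(timezone.utc)
    instants = authn_instants(saml_response_b64)
    if not instants:
        raise ValueError("no AuthnStatement with an AuthnInstant in the response")
    age = (now - min(instants)).total_seconds()
    return age, age <= max_age


# Constructed sample: the user authenticated at Okta 3 hours before the error.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
    '<saml:AuthnStatement AuthnInstant="2019-03-20T16:18:15.710Z"/>'
    "</saml:Assertion></samlp:Response>"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
# "timestamp" field of the 401 body shown above, in milliseconds since the epoch.
ERROR_TIME = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(milliseconds=1553109495710)

if __name__ == "__main__":
    print("default limit:", check_age(SAMPLE_B64, now=ERROR_TIME))
    # 14400 is a constructed value standing in for a 4-hour Okta session lifetime.
    print("limit matched to Okta:", check_age(SAMPLE_B64, max_age=14400, now=ERROR_TIME))
```

If the reported age exceeds the configured limit but is within the Okta session lifetime, the mismatch described above is the cause.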