edennyvm

  1. I ended up building a new UAG from scratch. The UAG that was having issues magically started working again, on its own, but I didn't trust it. Built a new UAG, needed to upgrade anyways, without importing the settings from the old one. So far everything seems to be working as it should. Chad Herman - Thanks for the info. If this issue creeps up again, I will have to look at those values you mentioned.
  2. Well the issue came back. VMware support is saying that it is a clock skew issue between the UAG and Duo.

     07/07 15:52:39,585+0000[nioEventLoopGroup-10-2]ERROR interceptor.ViewPortalProxyRequestInterceptor[doSamlSso: 255][107.77.208.216][][][f87b-***-67fe-***-7920-***-47ea]: UAGE00265: Error on performing SAML validation: SAML Assertion is valid between NotBefore: 2024-07-07T15:53:37Z[UTC] and NotOnOrAfter: 2024-07-07T15:59:07Z[UTC]. Please check following 1. UAG and Identity Provider time is in sync 2. SAML assertion validity set in Identity Provider is enough to account for clock skew.

     I changed the time zone on the UAG and everything worked for a few days then started acting up again. I have a ticket open with Duo. And now 2 hours later it is randomly working again. What a weird issue.
  3. Got it working. It was a combo of setting the correct time zone on the UAG and I had to re-import the TLS cert and Identity Provider metadata. We did not make any changes on our end so Duo must have done something to mess with our UAG.
  4. A support ticket has been opened. Did find something interesting.... The IP assigned to the UAG and the IP showing in the admin console are different. I can access the console with the assigned IP. When I try and change the IP it says saving and does nothing.
  5. Overnight, and without making changes, TFA for Horizon stopped working. It goes through the authentication process (Duo) but when the browser tries to redirect to https://<oururl>/portal/samlsso it says page cannot be reached. This is happening with the Horizon client, web client as well as with our folks using thin clients. Horizon client logs indicate a SAML error (Your client was not launched with valid SAML2 credentials. Please contact your Administrator). If I disable SAML auth on the UAG everything works. Anyone seen this issue before?
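
The UAGE00265 line quoted in post 2 carries both the UAG's own log timestamp and the assertion's validity window, so the size of the mismatch can be read straight from it. The following is an added example, not part of the original posts and not VMware or Duo code; the function name, the regex, and the reading of the log prefix as month/day in the same year as NotBefore are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Log line as quoted in the post (session ID was already masked there).
SAMPLE = (
    "07/07 15:52:39,585+0000[nioEventLoopGroup-10-2]ERROR "
    "interceptor.ViewPortalProxyRequestInterceptor[doSamlSso: 255]"
    "[107.77.208.216][][][f87b-***-67fe-***-7920-***-47ea]: UAGE00265: "
    "Error on performing SAML validation: SAML Assertion is valid between "
    "NotBefore: 2024-07-07T15:53:37Z[UTC] and "
    "NotOnOrAfter: 2024-07-07T15:59:07Z[UTC]."
)

LINE_RE = re.compile(
    r"^(?P<md>\d\d/\d\d) (?P<hms>\d\d:\d\d:\d\d),(?P<ms>\d{3})\+0000.*?"
    r"UAGE00265:.*?NotBefore: (?P<nb>\S+?Z)\[UTC\] and "
    r"NotOnOrAfter: (?P<na>\S+?Z)\[UTC\]"
)

def _utc(text, fmt):
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)

def assertion_skew(line):
    """Compare the UAG log timestamp with the SAML validity window."""
    m = LINE_RE.search(line)
    if m is None:
        return None  # not a UAGE00265 validity error
    not_before = _utc(m["nb"], "%Y-%m-%dT%H:%M:%SZ")
    not_after = _utc(m["na"], "%Y-%m-%dT%H:%M:%SZ")
    # Assumption: the log prefix is month/day and omits the year, so borrow
    # the year from NotBefore (wrong only across a New Year boundary).
    seen = _utc(f"{not_before.year}/{m['md']} {m['hms']}", "%Y/%m/%d %H:%M:%S")
    seen += timedelta(milliseconds=int(m["ms"]))
    if seen < not_before:        # UAG clock reads earlier than the window
        verdict, gap = "uag_before_window", not_before - seen
    elif seen >= not_after:      # UAG clock reads at or past expiry
        verdict, gap = "uag_after_window", seen - not_after
    else:
        verdict, gap = "inside_window", timedelta(0)
    return {
        "verdict": verdict,
        "gap_seconds": gap.total_seconds(),
        "window_seconds": (not_after - not_before).total_seconds(),
    }

if __name__ == "__main__":
    print(assertion_skew(SAMPLE))
```

For the quoted line this reports `uag_before_window` with a gap of 57.415 seconds against a 330-second validity window: the UAG's clock read just under a minute earlier than the assertion's NotBefore when it validated it.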