IBM Support

QRadar: Unable to log in due to "Logout from your SAML identity provider and use an authorized account to login" error

Troubleshooting


Problem

Users who configure SAML as their authentication method are not able to log in to QRadar. They see the following error due to QRadar and SAML do not have a synchronized time.:

This account is not authorized to access QRadar.
Logout from your SAML identity provider and use an authorized account to login.

Cause

Diagnosing The Problem

  1. SSH to the QRadar console as the root user.
  2. Run the following command to grep for logs about Message was not yet valid:
    grep "Message was not yet valid" /var/log/qradar.log
  3. Confirm if you see any Message was not yet.
    Log example: 
    WARN Message Handler: Message was not yet valid: message time was 2020-03-31T12:42:34.906Z, latest valid is: 2020-03-31T12:41:58.371Z
    If you compare the times on the message "2020-03-31T12:42:34.906Z" and "2020-03-31T12:41:58.371Z" they don't match.

    Result
    Administrator can confirm that their environment is being affected by time mismatch between QRadar and SAML.

Resolving The Problem

Restarting the chronyd process fixes the issue. Use the following steps to restart the chronyd process.
Notes:
  • The following steps are intended for QRadar environments that are using chronyd.
  • The following steps are intended for QRadar environments where chronyd process is running.
  1. SSH to the QRadar console as the root user.
  2. Confirm the chronyd process is running, run the following command:
    systemctl status chronyd
  3. Run the following command to restart the chronyd process:
    systemctl restart chronyd
  4. Run the following command to check the status of the chronyd process:
    systemctl status chronyd
    Output example when the chronyd service is running:
    image-20230610215532-1

    Result
    The chronyd process synchronizes the time in the QRadar console, which makes the time to match the SAML time, after this process the user is able to log in again to QRadar. If the error persists, contact QRadar Support for assistance.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSV4BL","label":"IBM QRadar"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"}],"ARM Case Number":"TS012968907","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
13 June 2023

UID

ibm17002023