Troubleshooting
Problem
Users who configure SAML as their authentication method are not able to log in to QRadar. They see the following error due to QRadar and SAML do not have a synchronized time.:
This account is not authorized to access QRadar.
Logout from your SAML identity provider and use an authorized account to login.
Cause
Diagnosing The Problem
- SSH to the QRadar console as the root user.
- Run the following command to grep for logs about Message was not yet valid:
grep "Message was not yet valid" /var/log/qradar.log
- Confirm if you see any Message was not yet.
Log example:WARN Message Handler: Message was not yet valid: message time was 2020-03-31T12:42:34.906Z, latest valid is: 2020-03-31T12:41:58.371Z
If you compare the times on the message "2020-03-31T12:42:34.906Z" and "2020-03-31T12:41:58.371Z" they don't match.
Result
Administrator can confirm that their environment is being affected by time mismatch between QRadar and SAML.
Resolving The Problem
Restarting the chronyd process fixes the issue. Use the following steps to restart the chronyd process.
Notes:
- The following steps are intended for QRadar environments that are using chronyd.
- The following steps are intended for QRadar environments where chronyd process is running.
- SSH to the QRadar console as the root user.
- Confirm the chronyd process is running, run the following command:
systemctl status chronyd
- Run the following command to restart the chronyd process:
systemctl restart chronyd
- Run the following command to check the status of the chronyd process:
systemctl status chronyd
Output example when the chronyd service is running:
Result
The chronyd process synchronizes the time in the QRadar console, which makes the time to match the SAML time, after this process the user is able to log in again to QRadar. If the error persists, contact QRadar Support for assistance.
Related Information
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSV4BL","label":"IBM QRadar"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"}],"ARM Case Number":"TS012968907","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
13 June 2023
UID
ibm17002023