Knowledge Base

Support Policies

SAML assertions fail due to clock discrepancies

SecureAuth Idp Version affected:  All

 

Description:  

SAML assertions can fail due to clock discrepancies between the IdP and SAML Service Providers.

This can manifest intermittently or consistently fail.  How end users perceive the failure varies with the Service Provider but usually appears like an authentication failure has occurred.

 

Cause:  

Clock synchronization is an important aspect of SAML.  If an assertion is made for too far in the past or too far in the future then it will fail.  Typical values range from 5 to 30 seconds but can both more stringent or more relaxed.

 

Resolution: 

Ensure that the clock is accurately set on the IdP, using NTP is desirable to achieve this goal.

Where the Service provider is out of sync with atomic time or has particularly stringent timing requirements, set a non zero value for the following item on the Post Authentication tab of the realm making the assertion:

SAML Offset Minutes

 

 

 

SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.