SAML assertions fail due to clock discrepancies

Applies to:
  • Legacy SecureAuth IdP
Deployment model:
  • On Premises
SecureAuth IdP version affected: All



    SAML assertions can fail due to clock discrepancies between the IdP and SAML Service Providers.

    The failure can be intermittent or consistent. How end users perceive it varies with the Service Provider, but it usually appears as though an authentication failure has occurred.



    Clock synchronization is an important aspect of SAML. If an assertion's validity window lies too far in the past or too far in the future relative to the Service Provider's clock, the Service Provider will reject it. Typical tolerance values range from 5 to 30 seconds, but they can be more stringent or more relaxed.



    Ensure that the clock on the IdP is set accurately; using NTP is the preferred way to achieve this.

    Where the Service Provider is out of sync with atomic time or has particularly stringent timing requirements, set a non-zero value for the following item on the Post Authentication tab of the realm making the assertion:

    SAML Offset Minutes
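As an added illustration (not code from the SecureAuth article or product), the following Python models both sides of the check: an IdP minting the Conditions element of an assertion, and a Service Provider validating NotBefore/NotOnOrAfter against its own clock with a configurable skew tolerance. The assertion XML and the 20-second clock difference are constructed for the demonstration, and the effect of SAML Offset Minutes is assumed to be moving NotBefore earlier by that many minutes, since the article does not define the exact semantics.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML_TS = "%Y-%m-%dT%H:%M:%SZ"  # SAML 2.0 timestamps are UTC, "Z" suffix


def build_assertion(idp_now, validity=timedelta(minutes=5), offset_minutes=0):
    """IdP side: mint a minimal assertion with a Conditions validity window.
    offset_minutes models the 'SAML Offset Minutes' realm setting; its effect is
    ASSUMED here to be pushing NotBefore earlier by that many minutes."""
    not_before = idp_now - timedelta(minutes=offset_minutes)
    not_on_or_after = idp_now + validity
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}">'
            f'<saml:Conditions NotBefore="{not_before.strftime(SAML_TS)}" '
            f'NotOnOrAfter="{not_on_or_after.strftime(SAML_TS)}"/>'
            f'</saml:Assertion>')


def parse_conditions(assertion_xml):
    """Return (NotBefore, NotOnOrAfter) as timezone-aware UTC datetimes."""
    cond = ET.fromstring(assertion_xml).find(f"{{{SAML_NS}}}Conditions")
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    def ts(attr):
        value = cond.get(attr)
        if value is None:
            raise ValueError(f"Conditions is missing {attr}")
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts("NotBefore"), ts("NotOnOrAfter")


def check_validity_window(assertion_xml, sp_now, tolerance=timedelta(0)):
    """SP side: accept only if sp_now lies within [NotBefore - tol, NotOnOrAfter + tol)."""
    not_before, not_on_or_after = parse_conditions(assertion_xml)
    if sp_now < not_before - tolerance:
        return False, "not yet valid"      # IdP clock ahead of SP clock
    if sp_now >= not_on_or_after + tolerance:
        return False, "expired"            # SP clock ahead, or assertion replayed late
    return True, "ok"


def demonstrate_clock_skew():
    """Constructed scenario: the IdP clock runs 20 s ahead of the SP clock."""
    sp_now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    idp_now = sp_now + timedelta(seconds=20)
    strict = check_validity_window(build_assertion(idp_now), sp_now)
    lenient = check_validity_window(build_assertion(idp_now), sp_now, timedelta(seconds=30))
    offset = check_validity_window(build_assertion(idp_now, offset_minutes=1), sp_now)
    late = check_validity_window(build_assertion(idp_now), sp_now + timedelta(minutes=6))
    return strict[1], lenient[1], offset[1], late[1]
```

With a strict SP the 20-second skew alone is enough to reject the assertion as "not yet valid"; either a skew tolerance on the SP or a non-zero offset on the IdP makes the same assertion acceptable.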




    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.



