Security

Using SAML for authentication, why do we get time skew error "Did not meet 'NotBefore' condition. Assertion is invalid..."?

matthijsk
Explorer

Hi,

I am trying to get Splunk to use SAML for authentication and authorization with Auth0. It works for 95%, but we regularly get errors regarding time skew:

Did not meet 'NotBefore' condition. Assertion is invalid.2016-01-27T10:20:40.047Z Verify the time in the response from IDP is in UTC time format.

I have already made sure to use a correct NTP server on the Splunk server, but this does not solve the issue. Is there a way to control the allowed time difference?

Best regards

Matthijs

0 Karma

jeff
Contributor

I was also running into this using Microsoft ADFS v3 as the IdP and Splunk 6.4.0. Both IdP and IsP are sync'd to NTP using the same source, but it was 50/50 if we'd see this error... Adding a time skew of 60 seconds on the IdP's relying party configuration resolved this issue for us:

  Add-PSSnapin Microsoft.Adfs.PowerShell
  # Inspect the relying party trust, then back-date NotBefore by 1 minute (60 seconds)
  Get-ADFSRelyingPartyTrust -Identifier "splunkstage-dev"
  Set-ADFSRelyingPartyTrust -TargetIdentifier "splunkstage-dev" -NotBeforeSkew 1

We don't seem to have this issue with other integrations in our ADFS environment... Just sayin'.

matthijsk
Explorer

I have been able to solve the timing issue most of the time; the problem is that the Splunk server runs in Azure and sometimes picks up a time that is slightly off when it boots. It still would be practical if we could define an allowed time skew (something you see with other SAML solutions). 5 seconds would probably be more than enough.
The only thing that does not work yet is the logout functionality, but working on that with Auth0.

0 Karma

jkat54
SplunkTrust

If the time skew option is available, it will be set on your identity provider and not in Splunk.

0 Karma
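The validity-window check discussed in this thread, as an added example that is not code from any poster, Splunk, ADFS or Auth0: it models an IdP that back-dates `NotBefore` by a skew in minutes and a service provider that checks the window against its own clock. The function names, the `sp_tolerance` parameter (a hypothetical SP-side allowance, not a Splunk setting) and all timestamps are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT = "%Y-%m-%dT%H:%M:%S.%fZ"  # UTC with fractional seconds


def issue_conditions(idp_now, not_before_skew_min=0, lifetime_min=60):
    """Model the IdP: back-date NotBefore by the configured skew (minutes)."""
    nb = idp_now - timedelta(minutes=not_before_skew_min)
    noa = idp_now + timedelta(minutes=lifetime_min)
    stamp = lambda t: t.strftime(FMT)[:-4] + "Z"  # trim to milliseconds
    return ('<saml:Assertion xmlns:saml="%s"><saml:Conditions NotBefore="%s" '
            'NotOnOrAfter="%s"/></saml:Assertion>'
            % (NS["saml"], stamp(nb), stamp(noa)))


def parse_utc(value):
    """Parse an xs:dateTime, insisting on the UTC 'Z' form."""
    if not value or not value.endswith("Z"):
        raise ValueError("timestamp missing or not UTC: %r" % value)
    fmt = FMT if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_window(assertion_xml, sp_now, sp_tolerance=timedelta(0)):
    """Model the SP: accept only inside [NotBefore, NotOnOrAfter)."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    not_before = parse_utc(cond.get("NotBefore"))
    not_on_or_after = parse_utc(cond.get("NotOnOrAfter"))
    if sp_now + sp_tolerance < not_before:
        return "NotBefore not met"
    if sp_now - sp_tolerance >= not_on_or_after:
        return "NotOnOrAfter passed"
    return "valid"


# Constructed sample clocks: the SP runs 3 seconds behind the IdP.
IDP_NOW = datetime(2024, 1, 1, 12, 0, 0, 250000, tzinfo=timezone.utc)
SP_NOW = IDP_NOW - timedelta(seconds=3)

if __name__ == "__main__":
    print(check_window(issue_conditions(IDP_NOW), SP_NOW))     # no skew anywhere
    print(check_window(issue_conditions(IDP_NOW, 1), SP_NOW))  # IdP back-dates 1 min
    print(check_window(issue_conditions(IDP_NOW), SP_NOW, timedelta(seconds=5)))
```

Either form of skew widens the period in which an assertion is accepted, so the value should stay as small as the observed clock drift allows.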