
Using SAML for authentication, why do we get time skew error "Did not meet 'NotBefore' condition. Assertion is invalid..."?

matthijsk
Explorer

Hi,

I am trying to get Splunk to use SAML for authentication and authorization with Auth0. It works for 95%, but we regularly get errors regarding time skew:

Did not meet 'NotBefore' condition. Assertion is invalid.2016-01-27T10:20:40.047Z Verify the time in the response from IDP is in UTC time format.

I have already made sure to use a correct NTP server on the Splunk server, but this does not solve the issue. Is there a way to control the allowed time difference?

Best regards

Matthijs

0 Karma

jeff
Contributor

I was also running into this using Microsoft ADFS v3 as the IdP and Splunk 6.4.0. Both IdP and IsP are sync'd to NTP using the same source, but it was 50/50 if we'd see this error... Adding a time skew of 60 seconds on the IdP's relying party configuration resolved this issue for us:

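  # Load the AD FS cmdlets and inspect the current relying party trust
  Add-PSSnapin Microsoft.Adfs.PowerShell
  Get-ADFSRelyingPartyTrust -identifier "splunkstage-dev"
  # NotBeforeSkew is given in minutes: 1 backdates NotBefore by 60 seconds
  Set-ADFSRelyingPartyTrust -TargetIdentifier "splunkstage-dev" -NotBeforeSkew 1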

We don't seem to have this issue with other integrations in our ADFS environment... Just sayin'.

matthijsk
Explorer

I have been able to solve the timing issue most of the time; the problem is that the Splunk server runs in Azure and sometimes picks up a time that is slightly off when it boots. It still would be practical if we could define an allowed time skew (something you see with other SAML solutions). 5 seconds would probably be more than enough.
The only thing that does not work yet is the logout functionality, but working on that with Auth0.

0 Karma

jkat54
SplunkTrust

If the time skew option is available it will be set on your identity provider and not in Splunk.

0 Karma
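
Added example, not part of any post above and not Splunk's or the IdP's code: a generic check of a SAML assertion's `Conditions` window against the service provider's clock, showing how a clock a few seconds behind the IdP produces the 'NotBefore' failure and how a tolerance absorbs it. The assertion is constructed (only the `NotBefore` timestamp is taken from the error message in the question), and the names `check_conditions`, `parse_saml_time` and `skew_seconds` are hypothetical.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; NotBefore reuses the timestamp from the error in the question.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Conditions NotBefore="2016-01-27T10:20:40.047Z"
                   NotOnOrAfter="2016-01-27T10:25:40.047Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse a SAML xs:dateTime, which must be UTC (trailing 'Z')."""
    if not value.endswith("Z"):
        raise ValueError("SAML timestamp is not in UTC 'Z' form: %r" % value)
    head, _, frac = value[:-1].partition(".")
    # xs:dateTime allows more than 6 fractional digits; strptime's %f takes at most 6.
    stamp = "%s.%s" % (head, (frac or "0")[:6])
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, now, skew_seconds=0):
    """Return (verdict, offset_seconds) for the SP clock reading `now`.

    offset_seconds is how far `now` lies outside the validity window.
    """
    # The sample is trusted here; parse real assertions with a hardened XML
    # parser and verify the signature before relying on Conditions.
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    skew = timedelta(seconds=skew_seconds)
    if cond.get("NotBefore") is not None:
        early = parse_saml_time(cond.get("NotBefore")) - now
        if early > skew:  # SP clock is behind the IdP by more than the tolerance
            return "not_yet_valid", early.total_seconds()
    if cond.get("NotOnOrAfter") is not None:
        late = now - parse_saml_time(cond.get("NotOnOrAfter"))
        if late >= skew:  # the upper bound itself is exclusive
            return "expired", late.total_seconds()
    return "valid", 0.0


if __name__ == "__main__":
    sp_clock = parse_saml_time("2016-01-27T10:20:37.047Z")  # constructed: SP 3 s behind
    for tolerance in (0, 5, 60):
        print(tolerance, check_conditions(SAMPLE_ASSERTION, sp_clock, tolerance))
```

Because the tolerance here is applied to both bounds, each second added also lengthens the time an already issued assertion is accepted, so it is best kept to the observed drift.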