Security

Using SAML for authentication, why do we get time skew error "Did not meet 'NotBefore' condition. Assertion is invalid..."?

Explorer

Hi,

I am trying to get Splunk to use SAML for authentication and authorization with AUth0. It works for 95%, but we regularly get errors regarding time skew:

Did not meet 'NotBefore' condition. Assertion is invalid.2016-01-27T10:20:40.047Z Verify the time in the response from IDP is in UTC time format.

I have already made sure to use a correct NTP server on the Splunk server, but this does not solve the issue. Is there a way to control the allowed time difference?

Best regards

Matthijs

0 Karma

Contributor

I was also running into this using Microsoft ADFS v3 as the IdP and Splunk 6.4.0. Both IdP and IsP are sync'd to NTP using the same source, but it was 50/50 if we'd see this error... Adding a time skew of 60 seconds on the IdP's relying party configuration resolved this issue for us:

  Add-PSSnapin Microsoft.Adfs.PowerShell
  Get-ADFSRelyingPartyTrust –identifier "splunkstage-dev"
  Set-ADFSRelyingPartyTrust –TargetIdentifier "splunkstage-dev"  –NotBeforeSkew 1

We don't seem to have this issue with other integrations in our ADFS environment... Just sayin'.

Explorer

I have been able to solve the timing issue most of the time, the problem is that the Splunk server runs in Azure and sometimes picks up a time that is slightly off when it boots. It still would be practical if we could define an allowed time skew (something you see with other SAML solutions). 5 seconds would probably be more then enough.
The only thing that does not work yet is the logout functionality, but working on that with Auth0.

0 Karma

SplunkTrust
SplunkTrust

If the time skew option is available it will be set on your identity provider and not in splunk.

0 Karma