Security

Working on OKTA integration, failing validation due to UTC time formatting

jlooper
New Member

I keep getting the following message when trying to login VIA OKTA,

"The conditions saml response failed validation Verify the time in the response from IDP is in UTC time format. "

but cannot find any documentation on why this would be the case. Any help would be appreciated.

Thanks!

0 Karma

pgreer_splunk
Splunk Employee
Splunk Employee

The basis issue is that there is enough skew between your Splunk instance time and the time of the system clock at Okta.

In the SAML assertion, there is a set of time parameters:

If the response occurs outside that time slice, the Splunk will shut things down. Some times with a more descriptive message, but definitely with the 'The conditions saml response failed validation Verify the time in the response from IDP is in UTC time format.' message as part of the resulting error.

You can try a couple of things:
- Set up an NTP date service in your Splunk Instance (search heads, indexers, cluster managers, the whole ball of wax! - all of them!).
- Capture the SAML conversation with a SAML tracer plugin within your browser (chrome, firefox, etc. all have a SAML tracer plugin - this makes it easier to see all of the XML passed between Okta and Splunk to determine what the time values are in the NotBefore and NotOnOrAfter conditions as well as the time stamps in the responses

I've not found a way to add additional time buffer for Okta. In other IdPs (such as ADFS for instance), you can 'tune' the amount of time between the before/after conditions to make it a bit more tolerant of delays between Okta (IdP) and Splunk.