Jump to content

Error message when try to login.


Blowerl

Recommended Posts

Lee,

The error message is indicating the following.  When your ADFS server issues an assertion message, our front-end passes that on to our back-end server. We look at the message (after verifying its digital signatures) and check its issue time. We check this time by looking at our local time and checking the use time is within +/-n minutes (one by default) of our local time.  The above message would indicate that the time issued by your ADFS server is ahead of our servers.  We sync our servers regularly to known good time servers and we have checked that our servers are running accurately and are in sync.   So the time on your servers need to be accurate/synced to a known good internet time source. 

Alternatively, you can disable this check (which we do not recommend for security reasons). Go into your SSO profile on your Hornbill instance and switch of the "Validate Time" option, this will at least let you log on with SSO, but please be aware the correct fix is to ensure your servers are correctly time synced. 

[edit]

You can also tune the time skew value, you can go into your instance Settings -> Advanced Settings and look for security.saml.timeSkewCompensation, the default value for this is 60, and the description of the setting you will see says the following: -

The number of seconds latitude given to the time window check when validating a SAML assertion during a logon authentication. It is possible for the idP and the instance clocks to be running slightly out of sync with regards to absolute time. It is therefore prudent to provide some degree of latitude when checking the notBefore and notOnOrAfter conditions of the SAML assertion. If you set this value to ZERO then no latitude is given so the idP and the Hornbill instance must both be synchronized to a global standard time clock in order to correctly validate. Any other value expands the time window allowable but the number of seconds specified. The default value is 60 seconds (one minute)

Gerry

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...