SAML response - NotBefore condition

  • Question

  • Hi,

    I'm trying to set up SSO with a cloud application that supports SAML, by using Windows Azure federation:
    http://msdn.microsoft.com/en-us/library/windowsazure/dn195592.aspx

    I've configured the parameters on application side (Service provider) and successfully connected with Azure identity provider side.

    Most of the time, though, during the logon process, after being redirected to MS Azure and then back to the application, I get the application error "Login was unsuccessful! - Validation Failed : Current time is earlier than NotBefore condition".

    Now, I understand this could be a time skew issue. However, the app provider claims they use UTC time and furthermore what's puzzling is that sometimes (maybe about 30% of the time) the logon operation actually completes successfully.

    Questions:

    1. Is there a way to relax the time settings on Azure SAML i.e. use a different skew for NotBefore condition?

    2. What other troubleshooting strategy could I use in order to solve this problem?

    Tuesday, March 4, 2014 6:12 PM
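
Added example, not part of the original post and not the application's or Azure's code: a minimal sketch of how a service provider can evaluate the `Conditions` validity window with a clock-skew tolerance, showing why a receiver clock a few seconds behind the issuer fails the NotBefore check. The function names, the 60-second tolerance and the sample assertion are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an assertion reduced to its Conditions element.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2014-03-04T18:12:00.000Z"
                   NotOnOrAfter="2014-03-04T19:12:00.000Z"/>
</saml:Assertion>"""


def parse_instant(value):
    """Parse a UTC xs:dateTime ('Z' suffix, optional fractional seconds)."""
    base, _, frac = value.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    # Fractions longer than 6 digits are truncated to microseconds.
    return dt + timedelta(microseconds=int((frac or "0")[:6].ljust(6, "0")))


def check_conditions(assertion_xml, now, skew=timedelta(0)):
    """Return (ok, reason); `skew` widens the window on both ends.

    Covers the time window only. A real service provider verifies the
    assertion signature before trusting any of these attributes.
    """
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", SAML_NS)
    if cond is None:
        return True, "no Conditions element"
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_instant(not_before):
        early = (parse_instant(not_before) - now).total_seconds()
        return False, f"current time is {early:.1f}s earlier than NotBefore"
    if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
        return False, "assertion expired (NotOnOrAfter reached)"
    return True, "within validity window"


if __name__ == "__main__":
    # Receiver clock 2 seconds behind the issuer (constructed scenario).
    receiver_now = datetime(2014, 3, 4, 18, 11, 58, tzinfo=timezone.utc)
    print(check_conditions(SAMPLE_ASSERTION, receiver_now))
    print(check_conditions(SAMPLE_ASSERTION, receiver_now, timedelta(seconds=60)))
```

Logging the computed offset from the failure reason on each rejected login shows whether the receiving side's clock drifts relative to the assertion's NotBefore value.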

Answers