One of the more common issues that our teams see with Single Sign on that results in an a panic is the following error found in the Single Sign on Events tab in the Directory setup within the Admin console.
Error "The current time is before the time-range specified in the assertion conditions"
This will be in the events when you look at more details located on the right side of the user login attempts. If you see this simple means that the clocks are different between your IdP usually ADFS and Adobe.
Typically the ADFS system is setup to a default of 0. What needs to happen is this should be set for the integation for Adobe should be set to +/- of 2 minutes which is why you set the skew to 2 minutes. Below is the needed details for IdP teams to correct this. If you see this happening in your Sign Sign On and users are complaining about getting Okta 400 errors check the logs for the above error and provide your IdP team the instructions below on how to fix it.
Here is how to address this below:
Windows-based IdP Server:
1. Ensure the system clock is synchronized with an accurate time server
Check the accuracy system clock against your time server with this command; the "Phase Offset" value should be a small fraction of a second:
w32tm /query /status /verbose
You can cause an immediate resynchronization the system clock with the Time Server with the following command:
w32tm /resync
If the system clock is set correctly and you are still seeing the above error, you may need to adjust the time-skew setting to increase the tolerance of the difference between clocks between the server and client.
2. Increase the allowed difference in system clock between servers
From a Powershell window with administrative rights, set the allowed skew value to 2 minutes. Check whether you are able to log in, and then either increase or decrease the value depending on the result.
Determine the current time-skew setting for the relevant Relying Party Trust with the following command:
Get-ADFSRelyingPartyTrust | Format-List -property Identifier,Name,NotBeforeSkew
The Relying Party Trust is identified by the URL shown in the "Identifier" field of the output of the previous command for that particular configuration. This URL is also shown in the ADFS Management utility in the properties window for the relevant Relying Party Trust on the "Identifiers" tab in the field "Relying Party Trusts", as shown in the screenshot below.
Set the time skew to 2 minutes with the following command, substituting the Identifier address accordingly:
Set-ADFSRelyingPartyTrust –TargetIdentifier 'https://www.okta.com/saml2/service-provider/xxxxxxxxxxxxxxxxxxxx' –NotBeforeSkew 2
Hopefully this will have someone some time and pain.
Thanks!
Kerry Nelson
