You've successfully subscribed to Nuvotex Blog
Great! Next, complete checkout for full access to Nuvotex Blog
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info is updated.
Billing info update failed.

SAML tokens and too much accuracy on clients

Having multiple clients not being able to log in we discovered that our ADFS tokens NotBefore date is maybe too accurate for some very picky clients. Let's add some tolerance.

Daniel Nachtrub
Daniel Nachtrub

Today we had an issue that affected some of our SAML clients. The SAML clients have been for example some services running on one of our Kubernetes clusters while the IdP has been ADFS.

The error message shown in the rails applications has been:

(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Current time is earlier than NotBefore condition (2023-12-15 07:08:15 UTC < 2023-12-15 07:08:15 UTC - 1s)
error message

If you check the logs very precicely we're hitting an offset of 1 second. The background is:

  • Client is redirected to the IdP
  • SAML token is issued with NotBefore = now()
  • Client validates the token (with a small tolerance)

So now it seems that we're having a slight offset on the time sync (offset > 1 second) so that we're hitting the issue.

We've two ways to solve this:

Fix timesync

Obviously we should not have a skew in time when NTP is in use (which is the case).

Configure some tolerance (ADFS)

My preferred approach in this case is to allow some minor tolerance by adding a skew on the NotBefore date on ADFS. Practically I would accept ~30 seconds because everything above should not happen in practice.

To configure the tolerance on ADFS, you can use the command:

Set-ADFSRelyingPartyTrust -TargetIdentifier "<replying party identifier>" -NotBeforeSkew 1
configure skew

Or to configure it just for all trusts:

(Get-ADFSRelyingPartyTrust).Identifier |% { Set-ADFSRelyingPartyTrust -TargetIdentifier $_ -NotBeforeSkew 1 }
configure a skew for all trusts

This will apply an allowed skew of one minute to all issued tokens (by reducing the NotBefore date attribute with the NotBeforeSkew value [in minutes]).

So, nothing big - just some small fix ;-)


Daniel Nachtrub

Kind of likes computers. Linux foundation certified: LFCS / CKA / CKAD / CKS. Microsoft certified: Cybersecurity Architect Expert & Azure Solutions Architect Expert.