SSO login shows "SAML response is not valid before" or HTTP 400
Attempts to log in on Chrome through SSO result in an error:
Error: {“error”: “SAML Response is not valid before: …}
In Internet Explorer 11, an HTTP 400 error appears.
Causes and solutions
Cause 1
The timestamp in the SAML response differs between ADFS and Zivver. Even a difference of a few milliseconds can cause this error.
Solution 1
Synchronize the clocks across the domain controllers. This ensures that the timestamp in the SAML response aligns with UTC again.
Cause 2
The clock on the ADFS server is not synchronized.
Solution 2
Synchronize the clock manually. For more information, refer to:
Cause 3
The server configuration causes a delay. There might be a system time mismatch between the ADFS server and the domain controller. Possible causes include:
- The ADFS server is a virtual machine.
- There is a multi-tenant configuration.
If the virtual machine connects to the host or master for the correct time, a small delay between the ADFS and DC systems might occur.
Solution 3
Synchronize the virtual machine or the slave directly with time.windows.com rather than with the host or master clock.
For more information, refer to:
More solutions
If the error ({"error": "SAML Response is not valid before: ...}) still appears, try these solutions:
Synchronize with different NTP (Network Time Protocol) servers
Examples:
Increase the value of -NotBeforeSkew
Use the Set-AdfsRelyingPartyTrust command in PowerShell. This increases the validity period of the SAML response.
The following command increases the skew to 5 minutes. The relying party name is typically “Zivver” or “app.zivver.com”.
Set-AdfsRelyingPartyTrust -TargetName "<Relying Party name>" -NotBeforeSkew 5
For more information, refer to Set-AdfsRelyingPartyTrust.
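One way to check the causes above before changing the skew, as an added example (not Zivver's or Microsoft's own script): it shows which time source the ADFS server uses, measures the clock offset against an external NTP server, and reads the NotBeforeSkew currently set on the relying party trust. The trust name "Zivver" and time.windows.com as the reference are assumptions taken from the text above; run it in an elevated PowerShell session on the ADFS server.

```powershell
# Added example. Assumptions: the relying party trust is named "Zivver" and
# time.windows.com is reachable over NTP (UDP 123). Adjust both as needed.
$RelyingPartyName = 'Zivver'
$TimeSource       = 'time.windows.com'

# 1. Which source does the Windows Time service use right now?
#    A hypervisor host clock listed here points at Cause 3.
w32tm /query /source

# 2. Measure the local clock offset against the external source (3 samples).
#    Data lines look like "17:05:12, +00.0021345s"; error lines do not match.
$samples = w32tm /stripchart /computer:$TimeSource /samples:3 /dataonly |
    Select-String -Pattern '([+-]\d+\.\d+)s\s*$' |
    ForEach-Object {
        [double]::Parse($_.Matches[0].Groups[1].Value,
                        [cultureinfo]::InvariantCulture)
    }

if (@($samples).Count -eq 0) {
    throw "No offset samples from $TimeSource; check outbound NTP (UDP 123)."
}

$worst = ($samples | ForEach-Object { [math]::Abs($_) } |
          Measure-Object -Maximum).Maximum
"Worst offset against ${TimeSource}: {0:N3} seconds" -f $worst

# 3. Read the skew currently configured on the relying party trust.
$trust = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
if (-not $trust) {
    throw "No relying party trust named '$RelyingPartyName'."
}
"Current NotBeforeSkew: {0} minute(s)" -f $trust.NotBeforeSkew

# 4. Correct the clock first; afterwards re-run step 2 to confirm the offset.
if ($worst -ge 1) {
    "Offset is one second or more: resynchronizing the clock."
    w32tm /resync /rediscover
}
elseif ($trust.NotBeforeSkew -eq 0) {
    "Clock is close to $TimeSource and no skew is set."
    "If the error persists, set a small skew with Set-AdfsRelyingPartyTrust."
}
```

A larger NotBeforeSkew moves the start of the response's validity period further back in time, so keep the value as small as the remaining clock offset requires.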