SSO login shows "SAML response is not valid before" or HTTP 400


Attempts to log in on Chrome through SSO result in an error:

Error: {"error": "SAML Response is not valid before: ...}

In Internet Explorer 11, an HTTP 400 error appears.

Causes and solutions

Cause 1

The clock that ADFS uses to stamp the SAML response differs from the clock Zivver uses to validate it. Even a difference of a few milliseconds can cause this error.

Solution 1

Synchronize the clocks across the domain controllers. This ensures that the timestamp in the SAML response aligns with UTC again.

Note
Be aware that synchronization does not take effect immediately. For example, if the clock is 6 seconds off, the difference is corrected within the next hour.

Cause 2

The clock on the ADFS server is not synchronized.

Solution 2

Synchronize the clock manually. For more information, refer to:

Cause 3

The server configuration introduces a time offset, so that the system time of the ADFS server and the domain controller do not match. Possible causes include:

  • The ADFS server is a virtual machine.
  • There is a multi-tenant configuration.

If the virtual machine takes its time from the hypervisor host or from a master server, a small offset between the ADFS server and the domain controller can result.

Solution 3

Synchronize the virtual machine or the slave server directly with time.windows.com instead of with the host or master clock.

For more information, refer to:

More solutions

If the error ({"error": "SAML Response is not valid before: ...}) still appears, try these solutions:

Synchronize with different NTP (Network Time Protocol) servers

Examples:

Increase the value of -NotBeforeSkew

Use the Set-AdfsRelyingPartyTrust command in PowerShell. This increases the tolerance for the SAML response's NotBefore condition. The following command increases the skew to 5 minutes. The relying party name is typically "Zivver" or "app.zivver.com".

# -TargetName takes the display name of the relying party trust as a string
# (-TargetRelyingParty expects a RelyingPartyTrust object from Get-AdfsRelyingPartyTrust)
Set-AdfsRelyingPartyTrust -TargetName "<Relying Party name>" -NotBeforeSkew 5

For more information, refer to Set-AdfsRelyingPartyTrust.
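The following script is an added example and not part of the original article or of Zivver's or Microsoft's tooling. It measures the ADFS server's clock offset against an NTP source and reports the relying party's current NotBeforeSkew, so that an administrator can tell whether the clock (Causes 1 to 3) or the skew setting needs attention before raising the skew. It assumes the ADFS PowerShell module is available and is run as an administrator on the ADFS server; the relying party name "Zivver" is an assumption taken from the article's wording.

```powershell
# Added example (not from the original article). Run on the ADFS server as administrator.
param(
    [string]$RelyingPartyName = "Zivver",           # assumed; use the name from Get-AdfsRelyingPartyTrust
    [string]$NtpServer        = "time.windows.com"  # the NTP source named in Solution 3
)

# 1. Clock offset: w32tm /stripchart /dataonly prints one line per sample, e.g.
#    "13:35:41, +00.0012345s". Collect the signed offsets in seconds.
$lines   = & w32tm /stripchart /computer:$NtpServer /samples:3 /dataonly 2>&1
$offsets = foreach ($line in $lines) {
    if ("$line" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
}
if (-not $offsets) {
    Write-Warning "No NTP samples from $NtpServer (UDP 123 blocked or server unreachable?)."
    $maxAbs = $null
} else {
    $maxAbs = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    "Largest clock offset against ${NtpServer}: $maxAbs s"
}

# 2. Current NotBeforeSkew (minutes) on the relying party trust; 0 means no tolerance.
$rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
if (-not $rp) { throw "Relying party trust '$RelyingPartyName' not found." }
"NotBeforeSkew on '$RelyingPartyName': $($rp.NotBeforeSkew) minute(s)"

# 3. Decision. A clock that is seconds off should be fixed at the source (Solutions 1-3),
#    because NotBeforeSkew also widens the window in which an assertion is accepted;
#    raise it only for residual drift and keep it as small as resolves the error.
if ($null -ne $maxAbs -and $maxAbs -gt 1) {
    "Clock is $maxAbs s off: run 'w32tm /resync' and recheck before changing the skew."
} elseif ($rp.NotBeforeSkew -lt 1) {
    "Clock is in sync but the skew is 0; the article's fix would be:"
    "  Set-AdfsRelyingPartyTrust -TargetName '$RelyingPartyName' -NotBeforeSkew 5"
} else {
    "Clock and skew look fine; check the clock on the Zivver side or the IdP/SP time zone settings."
}
```

The script only reads ADFS configuration; the Set-AdfsRelyingPartyTrust line is printed for the administrator to run deliberately.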