Assertion Expired immediately on RH-SSO with external IdP with Clock Skew

Issue

We are getting a Login timeout. Please login again. message on browser after a successful redirection from external SAML IdP to RH-SSO server. The RH-SSO server.log shows the following error message:

18:08:44,375 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-1) Assertion expired.
18:08:44,376 WARN  [org.keycloak.events] (default task-1) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=saml-broker-authentication-realm, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_saml_response

The log shows "NotBefore" with a time after the log timestamp.

Environment

Red Hat Single Sign-On (RH-SSO)
- 7
SAML identity brokering with external IdP (Identity Provider)
Successful redirection from IdP to RH-SSO server

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Select Your Language

Assertion Expired immediately on RH-SSO with external IdP with Clock Skew

Issue

Environment

Subscriber exclusive content

Current Customers and Partners

New to Red Hat?

Using a Red Hat product through a public cloud?

Quick Links

Help

Site Info

Related Sites

About

Red Hat legal and privacy links

Red Hat legal and privacy links

Issue

Environment

Subscriber exclusive content

Current Customers and Partners

New to Red Hat?

Using a Red Hat product through a public cloud?

Quick Links

Help

Site Info

Related Sites

Systems Status

About

Red Hat legal and privacy links

Red Hat legal and privacy links