Bug ID 433243: SAML SSO might fail due to clock skew

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5

Fixed In:
11.6.0, 11.5.1 HF6, 11.5.0 HF1, 11.4.1 HF4, 11.4.0 HF6, 11.3.0 HF9

Opened: Oct 08, 2013
Severity: 3-Major
Related Article:
K16056

Symptoms

Other SAML Service Provider (SP) implementations might reject a SAML assertion generated by the BIG-IP system if the clock on the other system is running behind the clock on the BIG-IP system.

Impact

SAML SSO might fail.

Conditions

BIG-IP is configured as a SAML IdP. The SAML SP is implemented by another vendor. The other vendor's implementation does not have clock skew tolerance. The SP's clock is behind the IdP's clock.

Workaround

Adjust the clock on the SP system to match the time set on the BIG-IP system that acts as the SAML Identity Provider (IdP).

Fix Information

BIG-IP IdP subtracts three minutes from the NotBefore timestamp in an assertion to accommodate Service Providers whose clocks might be behind.
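
An added example, not part of the F5 bug record or BIG-IP code: the SP-side validity-window check that this bug trips, run against a constructed assertion fragment with and without the three-minute NotBefore adjustment. The function names, the five-minute assertion lifetime, the 90-second clock offset and the `skew` parameter are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT = "%Y-%m-%dT%H:%M:%SZ"          # UTC instants; the sample uses whole seconds
BACKDATE = timedelta(minutes=3)     # adjustment described under Fix Information

def parse_instant(value):
    return datetime.strptime(value, FMT).replace(tzinfo=timezone.utc)

def build_assertion(idp_now, lifetime, backdate=timedelta(0)):
    """Constructed, unsigned fragment carrying only <Conditions> (sample data)."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f'<saml:Conditions NotBefore="{(idp_now - backdate).strftime(FMT)}" '
        f'NotOnOrAfter="{(idp_now + lifetime).strftime(FMT)}"/>'
        "</saml:Assertion>"
    )

def check_conditions(assertion_xml, sp_now, skew=timedelta(0)):
    """SP-side validity-window check; returns 'ok', 'not-yet-valid' or 'expired'.

    A real SP verifies the assertion signature first and parses untrusted XML
    with a hardened parser; both are omitted here.
    """
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    # Both attributes are optional in SAML 2.0; a missing bound is not enforced.
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and sp_now + skew < parse_instant(nb):    # SP clock behind the IdP
        return "not-yet-valid"
    if noa and sp_now - skew >= parse_instant(noa):
        return "expired"
    return "ok"

if __name__ == "__main__":
    idp_now = datetime(2013, 10, 8, 12, 0, 0, tzinfo=timezone.utc)  # constructed
    sp_now = idp_now - timedelta(seconds=90)                        # SP 90 s behind
    life = timedelta(minutes=5)                                     # assumed lifetime
    for label, xml in (("NotBefore = issue time", build_assertion(idp_now, life)),
                       ("NotBefore backdated 3 min", build_assertion(idp_now, life, BACKDATE))):
        print(f"{label}: {check_conditions(xml, sp_now)}")
```

The backdated NotBefore only covers an SP that is up to three minutes behind; past that, the SP still needs its own skew tolerance or a synchronized clock.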

Behavior Change