Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5
Fixed In:
11.6.0, 11.5.1 HF6, 11.5.0 HF1, 11.4.1 HF4, 11.4.0 HF6, 11.3.0 HF9
Opened: Oct 08, 2013
Severity: 3-Major
Related Article: K16056
Symptoms:
Other SAML Service Provider (SP) implementations might reject a SAML assertion generated by the BIG-IP system if the clock on the other system is running behind the clock on the BIG-IP system.
Impact:
SAML SSO might fail.
Conditions:
The BIG-IP system is configured as a SAML IdP. The SAML SP is implemented by another vendor. The other vendor's implementation does not have clock skew tolerance. The SP's clock is behind the IdP's clock.
Workaround:
Adjust the clock on the SP system to the time that is set on the BIG-IP system that acts as the SAML Identity Provider (IdP).
Fix Information:
The BIG-IP IdP subtracts three minutes from the NotBefore timestamp in an assertion to accommodate Service Providers whose clocks might be behind.
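The effect of the three-minute NotBefore adjustment on an SP-side validity check, as an added example (not F5 or vendor code). The function names, the 10-minute assertion lifetime, the 90-second clock lag and the sample timestamps are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_URI = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT = "%Y-%m-%dT%H:%M:%SZ"

def build_conditions(idp_now, lifetime=timedelta(minutes=10), backdate=timedelta(0)):
    """Constructed <saml:Conditions>; backdate moves NotBefore earlier (hypothetical helper)."""
    not_before = (idp_now - backdate).strftime(FMT)
    not_on_or_after = (idp_now + lifetime).strftime(FMT)
    return ('<saml:Conditions xmlns:saml="%s" NotBefore="%s" NotOnOrAfter="%s"/>'
            % (SAML_URI, not_before, not_on_or_after))

def sp_accepts(conditions_xml, sp_now, skew=timedelta(0)):
    """SP-side window check: NotBefore <= now < NotOnOrAfter, widened by skew tolerance."""
    el = ET.fromstring(conditions_xml)
    nb = datetime.strptime(el.get("NotBefore"), FMT).replace(tzinfo=timezone.utc)
    noa = datetime.strptime(el.get("NotOnOrAfter"), FMT).replace(tzinfo=timezone.utc)
    if sp_now + skew < nb:
        return (False, "assertion not yet valid")
    if sp_now - skew >= noa:
        return (False, "assertion expired")
    return (True, "ok")

# Constructed clocks: the SP runs 90 seconds behind the IdP.
IDP_NOW = datetime(2013, 10, 8, 12, 0, 0, tzinfo=timezone.utc)
SP_NOW = IDP_NOW - timedelta(seconds=90)

def demo():
    original = build_conditions(IDP_NOW)                                # NotBefore = IdP time
    backdated = build_conditions(IDP_NOW, backdate=timedelta(minutes=3))  # fixed behaviour
    return {
        # SP with no skew tolerance sees a NotBefore in its own future and rejects
        "strict_sp_original": sp_accepts(original, SP_NOW),
        # same SP accepts once NotBefore is three minutes earlier
        "strict_sp_backdated": sp_accepts(backdated, SP_NOW),
        # an SP that tolerates skew accepts the original assertion
        "tolerant_sp_original": sp_accepts(original, SP_NOW, skew=timedelta(minutes=2)),
        # an SP more than three minutes behind still rejects
        "strict_sp_4min_behind": sp_accepts(backdated, IDP_NOW - timedelta(minutes=4)),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The last case shows that an SP lagging by more than three minutes still rejects the assertion, so aligning the SP clock with the IdP remains relevant.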