Last Modified: Nov 07, 2022
See more info
Known Affected Versions:
11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5
11.6.0, 11.5.1 HF6, 11.5.0 HF1, 11.4.1 HF4, 11.4.0 HF6, 11.3.0 HF9
Opened: Oct 08, 2013
Related Article: K16056
Other SAML Service Provider (SP) implementations might reject a SAML assertion generated by the BIG-IP system if the clock on the other system is running behind the clock on the BIG-IP system.
SAML SSO might fail.
BIG-IP is configured as SAML IdP. SAML SP is implemented by another vendor. Other vendor's implementation does not have clock skew tolerance. SP's clock is behind IdP's clock.
Adjust the clock on SP system to the time that is set on the BIG-IP system that acts as the SAML Identity Provider (IdP).
BIG-IP IdP subtracts three minutes from the NotBefore timestamp in an assertion to accommodate Service Providers whose clocks might be behind.