Symptom
After successful authentication against our SAML-Server, we receive the following error message in the Collaboration Hub:
Reason: An error occurred (saml2.exception - SAML: Response time conditions not fulfilled (too soon).)
Resolution
The cause is a small time difference between the clocks of our Collaboration Hub server and your SAML response server. As a result, validation of the “NotBefore” time fails and our server denies access.
In ADFS, this time can be adjusted slightly for each relying party. Please execute the following statement in PowerShell on your ADFS server.
--------------
Set-ADFSRelyingPartyTrust -TargetIdentifier "<relying party identifier>" -NotBeforeSkew 1
--------------
Please replace <relying party identifier> with the correct entityID*. Further information is available at http://rmichaelmead.com/adfs-not-before-time-skew/
If you are using a system other than ADFS, please check your manual for a similar statement.
*: Please choose the appropriate infrastructure for the entityID:
- EMEA-system: editor.signavio.com
- US-system: app-us.signavio.com
- APAC-system: app-au.signavio.com
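The following added example (not part of the original article and not Signavio or ADFS code) models the “NotBefore” check described above, so the effect of the skew setting can be seen for different clock offsets. It assumes that NotBeforeSkew is measured in minutes, that the token lifetime is 60 minutes, and that the service provider applies no tolerance of its own; the function names and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

FMT = "%Y-%m-%dT%H:%M:%SZ"

def build_conditions(idp_now, not_before_skew_min=0, lifetime_min=60):
    # Constructed stand-in for the IdP: NotBefore = issue time minus the skew.
    not_before = idp_now - timedelta(minutes=not_before_skew_min)
    not_on_or_after = idp_now + timedelta(minutes=lifetime_min)
    return ('<saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            f'NotBefore="{not_before.strftime(FMT)}" '
            f'NotOnOrAfter="{not_on_or_after.strftime(FMT)}"/>')

def check_conditions(conditions_xml, sp_now):
    # Strict service-provider check (assumed: no tolerance on the SP side).
    cond = ET.fromstring(conditions_xml)
    not_before = datetime.strptime(cond.get("NotBefore"), FMT).replace(tzinfo=timezone.utc)
    not_on_or_after = datetime.strptime(cond.get("NotOnOrAfter"), FMT).replace(tzinfo=timezone.utc)
    if sp_now < not_before:
        return "too soon"
    if sp_now >= not_on_or_after:
        return "expired"
    return "ok"

def simulate(sp_lag_seconds, not_before_skew_min):
    # sp_lag_seconds: how far the service provider clock runs behind the IdP clock.
    idp_now = datetime(2024, 1, 15, 12, 0, 5, tzinfo=timezone.utc)  # constructed
    sp_now = idp_now - timedelta(seconds=sp_lag_seconds)
    return check_conditions(build_conditions(idp_now, not_before_skew_min), sp_now)

if __name__ == "__main__":
    for lag, skew in [(0, 0), (8, 0), (8, 1), (300, 1)]:
        print(f"SP lag {lag:>3}s, NotBeforeSkew {skew}: {simulate(lag, skew)}")
```

In this model a lag of a few seconds is absorbed by a skew of 1, while a lag of five minutes still fails, which indicates that time synchronization on both servers should be checked rather than the skew increased further.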
German version: https://confluence.signavio.com/pages/viewpage.action?pageId=9405677
Keywords
KBA , BPI-SIG-CA-SEC-SAM , SAML 2.0 for SAP Signavio , How To