SAP Knowledge Base Article - Public

3160104 - SAML - Response time conditions not fulfilled (too soon) (EN)

Symptom

Problem



After successful authentication against our SAML-Server, we receive the following error message in the Collaboration Hub:


Reason:  An error occurred (saml2.exception - SAML: Response time conditions not fulfilled (too soon).)



Resolution


The problem is that there is a minimal time difference between our Collaboration Hub server and your SAML Response Server. Therefore the validation of the “NotBefore” time is failing and our server denies the access.
In the ADFS the time for each relying party can be changed a little bit. Therefore, could you please execute the following statement on the PowerShell of your ADFS.
--------------
Set-ADFSRelyingPartyTrust -TargetIdentifier "<relying party identifier>" -NotBeforeSkew 1
--------------

Please replace <relying party identifier> with the correct entityID*. Please find further information as well under http://rmichaelmead.com/adfs-not-before-time-skew/
In case your using an alternative system than ADFS please check your manual for a similar statement.


*: Please choose the appropriate infrastructure for the entityID:

  • EMEA-system: editor.signavio.com
  • US-system: app-us.signavio.com
  • APAC-system: app-au.signavio.com


INLINECustomer Support


redred#ffe6e6INTERNAL TROUBLESHOOTING

German version: https://confluence.signavio.com/pages/viewpage.action?pageId=9405677


Keywords

KBA , BPI-SIG-CA-SEC-SAM , SAML 2.0 for SAP Signavio , How To

Product

SAP Signavio Process Manager all versions ; Signavio Process Manager all versions