SAP Knowledge Base Article - Preview

3696736 - SAML Authentication failure due to Clock skew between ABAP system and IdP

Symptom

SAML login to the ABAP system fails. A SAML trace taken with the Security Diagnostic Tool indicates a clock skew between the ABAP system and the SAML identity provider (IdP), for example:

Time: 16:27:52:532  (ABAP server’s local time)
Message:
----

SAML20 SP (client  xxx ): Incoming Response
SAML20           InResponseTo="xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
SAML20           IssueInstant="2025-12-17T16:12:35.718Z"
SAML20   <Status>
SAML20     <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
SAML20     <StatusMessage>The message has either expired or is not yet
SAML20     valid.</StatusMessage>
SAML20   </Status>
----
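
To quantify the skew from a trace like the one above, the following added example (not part of the SAP article or of any SAP tool) compares the trace's Time: line with the IdP's IssueInstant. The server's UTC offset, the 120-second tolerance and all function names are assumptions, and the sample trace is constructed from the layout shown above.

```python
import re
from datetime import datetime, time, timedelta, timezone

# Constructed sample, reduced from the trace layout shown above.
SAMPLE_TRACE = '''Time: 16:27:52:532
SAML20 SP (client xxx): Incoming Response
SAML20           IssueInstant="2025-12-17T16:12:35.718Z"
SAML20     <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
'''

TIME_RE = re.compile(r"^Time:\s*(\d{2}):(\d{2}):(\d{2}):(\d{3})", re.M)
ISSUE_RE = re.compile(r'IssueInstant="(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z"')

def parse_issue_instant(text):
    """Return the IdP's IssueInstant as an aware UTC datetime."""
    m = ISSUE_RE.search(text)
    if not m:
        raise ValueError("no UTC IssueInstant attribute in trace")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))  # IdPs vary in precision
    return base.replace(microsecond=micros, tzinfo=timezone.utc)

def clock_skew_seconds(text, server_utc_offset_hours=0.0):
    """Seconds by which the ABAP trace clock leads (+) or lags (-) the IdP.

    The Time: line is server-local and carries no date or zone, so the
    offset is an input (assumption) and the date is inferred.
    """
    m = TIME_RE.search(text)
    if not m:
        raise ValueError("no Time: line in trace")
    h, mi, s, ms = map(int, m.groups())
    tz = timezone(timedelta(hours=server_utc_offset_hours))
    issued = parse_issue_instant(text)
    day = issued.astimezone(tz).date()
    # Try the previous, same and next day so a login around midnight
    # is not reported as a skew of almost 24 hours.
    candidates = [datetime.combine(day + timedelta(days=d),
                                   time(h, mi, s, ms * 1000), tzinfo=tz)
                  for d in (-1, 0, 1)]
    server = min(candidates, key=lambda c: abs(c - issued))
    return (server - issued).total_seconds()

def exceeds_tolerance(text, tolerance_s=120.0, server_utc_offset_hours=0.0):
    """tolerance_s is an assumed value; use the one configured on your systems."""
    return abs(clock_skew_seconds(text, server_utc_offset_hours)) > tolerance_s

if __name__ == "__main__":
    print(f"skew: {clock_skew_seconds(SAMPLE_TRACE):+.3f} s")
```

Because the date is inferred from the nearest matching day, a real skew of more than 12 hours cannot be distinguished from a smaller one; confirm large values against the system clocks directly.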

 



Environment

  • SAP NetWeaver ABAP  
  • SAP S/4HANA  
  • ABAP PLATFORM - Application Server ABAP

Product

ABAP platform all versions; SAP NetWeaver all versions; SAP Web Application Server for SAP S/4HANA all versions

Keywords

saml authentication failure, single sign-on issue, clock skew, abap system, sso login error, saml trace, timestamp discrepancy, KBA, BC-SEC-LGN-SML, SAML 2.0 for ABAP, Problem
