SSO Troubleshooting: Current time is earlier than NotBefore Condition
Learn how to troubleshoot this error.
Error Message
During single sign-on, after a user authenticates successfully to their IdP, they are returned to Foundry and see this error message:
Current time is earlier than NotBefore condition
Explanation
As a security safeguard, a SAML assertion typically carries a short validity window (its NotBefore and NotOnOrAfter conditions) during which the SSO response is accepted. This error occurs when the identity provider's clock runs slightly ahead of Foundry's, so the NotBefore timestamp is still in the future at the moment Foundry validates the response.
Resolution
If you experience this with ADFS, you can configure a clock-skew allowance (“clock drift”). To do so, open a Windows PowerShell console (not a cmd.exe prompt) on your AD FS Windows Server and run the following command, where TrustName is the actual name of the relying party trust for EVERFI, without double quotes:
PS C:\> Set-ADFSRelyingPartyTrust -NotBeforeSkew "5" -targetname TrustName
For example, you might have named the Relying Party Trust “EVERFI”, so the command would be:
PS C:\> Set-ADFSRelyingPartyTrust -NotBeforeSkew "5" -targetname EVERFI
See the article “NotBefore causing troubles when server times slightly out of sync” for background. The command above is for ADFS 2. ADFS 1 uses a different command.
Foundry’s system time is synced with AWS.
Foundry applies 2 seconds of clock drift (leeway), so if your identity provider adds NotBefore or NotOnOrAfter conditions to the SAML Response, make sure they are not so tight that they trigger this error.
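The following is an added example (not Foundry's or AD FS's code) showing how a SAML service provider evaluates the Conditions window with a clock-skew leeway, and why a few seconds of IdP clock offset produces the error above. The assertion XML, the timestamps, the 5-minute validity period and the NotOnOrAfter error wording are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment; NotBefore/NotOnOrAfter are filled in per run.
ASSERTION_TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}"/>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """Parse an xsd:dateTime such as 2024-05-01T12:00:05Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_conditions(assertion_xml: str, now: datetime, leeway_seconds: int = 2) -> str:
    """Return "ok", or the error a service provider would raise for this window.

    The leeway widens the window on both ends so that a small clock offset
    between IdP and SP does not reject an otherwise valid assertion.
    """
    leeway = timedelta(seconds=leeway_seconds)
    cond = ET.fromstring(assertion_xml).find(".//saml:Conditions", SAML_NS)
    if cond is None:
        return "ok"
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + leeway < parse_saml_time(not_before):
        return "Current time is earlier than NotBefore condition"
    if not_on_or_after and now - leeway >= parse_saml_time(not_on_or_after):
        return "Current time is on or after NotOnOrAfter condition"  # constructed wording
    return "ok"


def simulate(idp_offset_seconds: int, leeway_seconds: int = 2) -> str:
    """Issue an assertion from an IdP whose clock runs idp_offset_seconds ahead of
    the SP, valid for 5 minutes from the IdP's 'now', then validate it at the SP."""
    sp_now = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed SP clock
    idp_now = sp_now + timedelta(seconds=idp_offset_seconds)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    xml = ASSERTION_TEMPLATE.format(nb=idp_now.strftime(fmt),
                                    noa=(idp_now + timedelta(minutes=5)).strftime(fmt))
    return check_conditions(xml, sp_now, leeway_seconds)


if __name__ == "__main__":
    print(simulate(1))     # 1 s ahead, inside the 2 s leeway -> ok
    print(simulate(5))     # 5 s ahead -> Current time is earlier than NotBefore condition
    print(simulate(5, 5))  # same IdP, 5 s skew allowance (like -NotBeforeSkew 5) -> ok
```

The third call mirrors the effect of the ADFS command above: widening the allowed skew on the IdP side (or the leeway on the SP side) lets the same assertion validate.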