
SSO Troubleshooting: Current time is earlier than NotBefore condition

Learn how to troubleshoot this error.

Error Message

During single sign-on, after a user authenticates successfully to their IdP, they are returned to Foundry and see this error message:

Current time is earlier than NotBefore condition

 

Explanation

As a security safeguard, a SAML message typically has a short window during which the SSO is valid. This error can happen with identity providers where there is a slight time offset between systems.

 

Resolution

If you experience this with ADFS, you can add a “clock drift.” To do so, on your AD FS Windows Server, open a PowerShell window (not a DOS command line) and run this command, where “TrustName” is the actual name of the relying party trust for EVERFI, without double quotes:

PS C:\> Set-ADFSRelyingPartyTrust -NotBeforeSkew "5" -targetname TrustName

For example, you might have named the Relying Party Trust “EVERFI”, so the command would be:

PS C:\> Set-ADFSRelyingPartyTrust -NotBeforeSkew "5" -targetname EVERFI

See “NotBefore causing troubles when server times slightly out of sync” for background. The command above is for ADFS2. If you are running ADFS1, there is a different command.

Foundry’s system time is synched with AWS.

Foundry applies 2 seconds of clock drift, or leeway, so if your identity provider adds NotBefore or NotOnOrAfter conditions to the SAML Response, be sure they are not so restrictive as to trigger this error.
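
To show why a small clock offset produces this error and why backdating NotBefore avoids it, the following added example (not Foundry's or EVERFI's code) checks the Conditions window of a constructed SAML assertion using the 2-second leeway described above. The function names, sample timestamps, and the choice to apply the same leeway to NotOnOrAfter are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
LEEWAY = timedelta(seconds=2)  # the leeway this page says Foundry applies

# Constructed sample assertion; timestamps are illustrative, not from a real IdP.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z"
                   NotOnOrAfter="2024-01-01T13:00:00Z"/>
</saml:Assertion>"""


def parse_ts(value):
    """Parse a UTC SAML timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_conditions(xml_text, now, leeway=LEEWAY):
    """Return (ok, reason) for the Conditions window as seen at time `now`."""
    # Real responses are untrusted input: verify the signature and use a
    # hardened XML parser before reading any attribute from them.
    cond = ET.fromstring(xml_text).find(".//saml:Conditions", NS)
    if cond is None:
        return True, "no Conditions element"
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + leeway < parse_ts(nb):
        return False, "Current time is earlier than NotBefore condition"
    if noa and now - leeway >= parse_ts(noa):
        return False, "Current time is on or after NotOnOrAfter condition"
    return True, "within validity window"


def demo():
    """Evaluate the sample with the receiving clock 1 s and 3 s behind the IdP."""
    issued = parse_ts("2024-01-01T12:00:00Z")
    # Same assertion with NotBefore backdated 5 minutes (constructed value that
    # stands in for the effect of an IdP-side NotBeforeSkew).
    skewed = SAMPLE.replace('NotBefore="2024-01-01T12:00:00Z"',
                            'NotBefore="2024-01-01T11:55:00Z"')
    out = {}
    for lag in (1, 3):
        sp_now = issued - timedelta(seconds=lag)
        out[lag] = (check_conditions(SAMPLE, sp_now)[0],
                    check_conditions(skewed, sp_now)[0])
    return out


if __name__ == "__main__":
    for lag, (plain, with_skew) in demo().items():
        print(f"SP {lag}s behind: no skew ok={plain}, with skew ok={with_skew}")
```

A receiving clock 1 second behind the IdP is absorbed by the leeway, while 3 seconds behind fails unless NotBefore has been backdated.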