|Problem Description:||SAML is a time sensitive protocol. The time-based validity of a SAML assertion is determined by the SAML identity provider. If the SAML identity provider and SAML service provider clocks are askew, the assertion can be determined invalid, and authentication fails.|
|Environment:||In the scenario described here, the system is deployed as a SAML service provider in a SAML 2.0 deployment.|
In this scenario, the following error is returned to the user after the user has submitted credentials to the SAML identity provider:
"SAML Transferred failed. Please contact your system administrator.
Detail: Failure: No valid assertion found in SAML response."
|Cause:||To investigate the error:|
The console displays the Save As dialog box.
Pulse Customer Support will use the file to diagnose the issue. In the debug log, the following log lines indicate issues with the time-based validity of the assertion:
verifySubjectConfirmationData: assertion has expired
processConditions: assertion has expired [NotOnOrAfter condition failed]
processConditions: assertion is not yet Valid [NotBefore condition failed]
These log lines indicate a clock sync issue only if failure of the time-based validity check is unexpected. The same log lines might appear in the debug log to indicate an assertion has expired as expected.
|Solution||We recommend you use NTP to ensure the clocks are synchronized and that you set an Allowed Clock Skew value that accommodates any expected or permissible skew. Properly synchronized clocks avoid unexpected failure.|
To configure NTP:
To set the Allowed Clock Skew value: