kiri
Staff & Editor
April 17, 2025

Troubleshooting Tip: How to fix SAML errors where the AuthnRequest IssueInstant is too old or too new

Description: This article describes how to fix SAML auth errors like 'AuthnRequest IssueInstant too old' or 'AuthnRequest IssueInstant too new'.

Scope: FortiAuthenticator 6.X, 7.X.

Solution:

Time drift or incorrect time/timezone settings on either party, IDP or SP, will cause authentication to fail, with the errors below being logged or displayed.


'Too old' means that the IDP's time is ahead of the SP's time:

 

Event log:

 

Log Details
Log Record Detail
ID 696
Timestamp Thu Apr 17 13:06:27 2025
Level information
Action Assertion
Status Failed
Source IP fgt
Message SAML request from SP 'fgt' failed: SAML assertion request validation error: AuthnRequest IssueInstant too old: 2025-04-17T10:06:07Z
...

 

GUI debug:

 

2025-04-17T13:06:27.466977+02:00 FortiAuthenticator gui[1710] error fac.home.www-data.FastAPI.apps.saml.views.samlidp __init__ 140290830141184 SP fgt assertion request SamlValidationError: AuthnRequest IssueInstant too old: 2025-04-17T10:06:07Z

 

'Too new' means that the IDP's time is behind the SP's time:

 

Log Details
Log Record Detail
ID 712
Timestamp Thu Apr 17 13:25:21 2025
Level information
Action Assertion
Status Failed
Source IP fgt
Message SAML request from SP 'fgt' failed: SAML assertion request validation error: AuthnRequest IssueInstant too new: 2025-04-17T14:26:08Z
...

 

GUI debug:

 

2025-04-17T13:25:21.795648+02:00 FortiAuthenticator gui[1709] error fac.home.www-data.FastAPI.apps.saml.views.samlidp __init__ 140290830141184 SP fgt assertion request SamlValidationError: AuthnRequest IssueInstant too new: 2025-04-17T14:26:08Z

 

To fix this issue, both parties must have correct time/timezone settings and use NTP.
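
To see which side is off and by how much before touching NTP, the two timestamps in each GUI debug line can be compared directly. The following is an added example, not part of the original article or of FortiAuthenticator: it parses the two debug lines quoted above, treats the log timestamp as the IDP clock and the IssueInstant as the SP clock, and reports the skew. The `timezone`/`drift` hint and its 120-second tolerance are assumptions of this example.

```python
import re
from datetime import datetime

# The two GUI debug lines quoted in this article.
SAMPLE_LINES = [
    "2025-04-17T13:06:27.466977+02:00 FortiAuthenticator gui[1710] error fac.home.www-data.FastAPI.apps.saml.views.samlidp __init__ 140290830141184 SP fgt assertion request SamlValidationError: AuthnRequest IssueInstant too old: 2025-04-17T10:06:07Z",
    "2025-04-17T13:25:21.795648+02:00 FortiAuthenticator gui[1709] error fac.home.www-data.FastAPI.apps.saml.views.samlidp __init__ 140290830141184 SP fgt assertion request SamlValidationError: AuthnRequest IssueInstant too new: 2025-04-17T14:26:08Z",
]

LINE_RE = re.compile(
    r"^(?P<logged>\S+) .* SP (?P<sp>\S+) assertion request SamlValidationError: "
    r"AuthnRequest IssueInstant too (?P<verdict>old|new): (?P<issued>\S+)$"
)
TZ_STEP = 900        # UTC offsets are multiples of 15 minutes
TZ_TOLERANCE = 120   # assumed slack (seconds) for latency and small drift


def parse_ts(text):
    # fromisoformat() only accepts a trailing 'Z' from Python 3.11 on.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def analyze(line):
    """Return skew details for one debug line, or None if it is unrelated."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    # Log timestamp = IDP clock (with offset); IssueInstant = SP clock (UTC).
    skew = (parse_ts(m["logged"]) - parse_ts(m["issued"])).total_seconds()
    # A skew close to a non-zero multiple of 15 minutes hints at a wrong
    # timezone or manually set clock rather than gradual drift (heuristic).
    steps = round(skew / TZ_STEP)
    near_step = steps != 0 and abs(skew - steps * TZ_STEP) <= TZ_TOLERANCE
    return {
        "sp": m["sp"],
        "verdict": m["verdict"],
        "skew_seconds": skew,          # > 0: IDP ahead of SP
        "idp_ahead": skew > 0,
        "likely_cause": "timezone" if near_step else "drift",
    }


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(analyze(line))
```

The skew includes the time the request spent in transit, so it is an estimate; for the two lines above it comes out at roughly one hour and three hours.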