FortiGate
athirat

Description

This article describes how to troubleshoot SAML authentication failures caused by 'clock skew' errors.

Scope

FortiOS 7.0.4 and later

Solution

1) A SAML assertion issued by the SAML IdP is only valid for a specific period, which is declared in the assertion itself.

If the clocks on the FortiGate and the SAML IdP are not in sync, this validity constraint is not satisfied and authentication fails with the following errors in the SAML debug output:

__samld_sp_login_resp [859]: Clock skew tolerance: 0
__samld_sp_login_resp [864]: Clock skew issue.

2) To fix this issue, make sure that the time is in sync between the FortiGate and the IdP.

3) In some cases, where the time sync between the FortiGate and the IdP cannot be controlled, 'clock-tolerance' can be configured to set how many seconds of difference between the SP (FortiGate) and the IdP is accepted:

# config user saml
    edit <name>
        set clock-tolerance <seconds>    (0-300, 15 by default)
    next
end
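The following is an added illustration in Python, not FortiGate's own code and not the internals of the FortiOS SAML daemon: it evaluates a SAML assertion's validity window (the standard NotBefore and NotOnOrAfter attributes of the Conditions element) against the SP's clock, first with no tolerance and then with a tolerance window, which is the same effect 'clock-tolerance' has on the FortiGate. The assertion, its timestamps and the scenario names are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from a real IdP): valid for 5 minutes
# starting at the IdP's IssueInstant.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse an xsd:dateTime as used in SAML (UTC, trailing 'Z') into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def check_conditions(assertion_xml, sp_now, clock_tolerance=0):
    """Return (ok, reason) for the assertion's Conditions window as seen from the SP.

    sp_now is the SP's (FortiGate's) current time as a timezone-aware datetime.
    clock_tolerance widens the window by that many seconds on both sides, so a
    bounded clock difference between SP and IdP no longer causes a failure.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element in assertion"

    skew = timedelta(seconds=clock_tolerance)
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")

    # SP clock behind the IdP: the assertion appears to be from the future.
    if not_before is not None and sp_now < parse_saml_time(not_before) - skew:
        return False, "clock skew issue: assertion not yet valid (SP clock behind IdP)"
    # SP clock ahead of the IdP (or assertion genuinely old): already expired.
    if not_on_or_after is not None and sp_now >= parse_saml_time(not_on_or_after) + skew:
        return False, "clock skew issue: assertion expired (SP clock ahead of IdP)"
    return True, "ok"


def demo():
    """Evaluate the sample assertion under several constructed SP clock offsets."""
    idp_issue = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    results = {}
    # Clocks in sync: SP validates a few seconds after issuance.
    results["in_sync"] = check_conditions(
        SAMPLE_ASSERTION, idp_issue + timedelta(seconds=5))
    # SP clock 30 s behind the IdP and no tolerance: NotBefore is still in the SP's future.
    results["behind_no_tolerance"] = check_conditions(
        SAMPLE_ASSERTION, idp_issue - timedelta(seconds=30))
    # Same 30 s skew, but a 60 s tolerance absorbs it.
    results["behind_with_tolerance"] = check_conditions(
        SAMPLE_ASSERTION, idp_issue - timedelta(seconds=30), clock_tolerance=60)
    # SP clock 6 min ahead: beyond the 5 min window even with a 15 s tolerance.
    results["ahead_expired"] = check_conditions(
        SAMPLE_ASSERTION, idp_issue + timedelta(minutes=6), clock_tolerance=15)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:24s} ok={ok} ({reason})")
```

Widening the tolerance also widens the period during which any assertion is accepted, so it should stay as small as the environment needs; correcting the time source (NTP) on both sides is the fix, and the tolerance is the fallback when that is not under the administrator's control.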
