SAML clock skew issue

forsenGa · ‎08-26-2024

Hi I'm trying to implement SSO with the IDP Authentik in a local environment. But the log said that I have this clock issue:

__samld_sp_login_resp [847]: Clock skew tolerance: 0

__samld_sp_login_resp [852]: Clock skew issue.
samld_send_common_reply [91]: Code: 5, id: 1, pid: 3728, len: 53, data_len 37
samld_send_common_reply [99]:     Attr: 22, 12, f
samld_send_common_reply [99]:     Attr: 23, 25, Undefined error.
samld_send_common_reply [119]: Sent resp: 53, pid=3728, job_id=1.

And the datetime is just the almost the same from both sides:

$ date
Tue Aug 27 01:04:39 AM +07 2024

FGVMEVL-CYXEDR9C # get system status
System time: Tue Aug 27 01:03:49 2024

and I don't use NTP server on Fortigate side:

FGVMEVL-CYXEDR9C # get system ntp
ntpsync             : disable
type                : custom
syncinterval        : 60
ntpserver:
source-ip           : 0.0.0.0
source-ip6          : ::
server-mode         : enable
authentication      : disable
interface           : "fortilink"

Can anyone explain and help me to fix this issue? Thank you.

forsenGa · ‎08-26-2024

nvm guys I it worked after I turned the NTP Server on in Fortigate setttings.

Jackie_T · ‎08-26-2024

Hi forsenGa,

There is a KB as well for this:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Authentication-fails-with-clock-skew-error...

Thanks.

Jackie Tai

SAML clock skew issue

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website