Resolving SAML time mismatch issues aka assertion has expired

Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.

Summary

This article covers how to troubleshoot and resolve the error "assertion has expired."

Timing mismatch

When there is a timing mismatch between the Identity Provider (IdP) and Service Provider (SP), if the timing difference is enough to fall outside the allowed time parameter, users will not be able to authenticate and log in. They will typically receive the more generic error:

“Hmm… We’re having trouble logging you in.” The page URL will look like this:

https://id.atlassian.com/error?error=access_denied&error_description=assertion%20has%20expired

Solution

Steps to troubleshoot

  1. The end user (or test user) will need to generate a HAR file while logging in via SAML, following the instructions in "Generate HAR files and analyze web requests for Atlassian support" (Atlassian Support documentation).

  2. In the HAR file, look for the error_description to confirm that the expected error message is retrieved. This error description indicates that there is a time mismatch between the IdP and SP:

    1. access_denied&error_description=assertion+has+expired

  3. Next, look for the following two conditions in the SAML response:

    1. NotBefore="DATE AND TIME VALUE HERE", for example:

      1. NotBefore=\"2022-04-04T13:58:19.253Z\"

    2. NotOnOrAfter="DATE AND TIME VALUE HERE" for example:

      1. NotOnOrAfter=\"2022-04-04T14:58:19.253Z\"

    3. Compare the IssueInstant value with the NotBefore and NotOnOrAfter values above. If IssueInstant falls outside of that range, there is a time mismatch issue.
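
The check in steps 2 and 3, as an added example (not Atlassian's code): it pulls each SAMLResponse form parameter out of a parsed HAR file, Base64-decodes it, and tests whether the assertion's IssueInstant lies within NotBefore/NotOnOrAfter. The HAR layout (log.entries[].request.postData.params), the function names and the sample document are assumptions or constructed. It is a diagnostic aid that does not verify the assertion's signature.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime
from urllib.parse import unquote

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def parse_ts(value):
    # SAML timestamps are UTC, e.g. 2022-04-04T13:58:19.253Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def saml_responses_from_har(har):
    """Yield decoded SAMLResponse XML from each POST in a parsed HAR (json.load output)."""
    for entry in har["log"]["entries"]:
        post = entry["request"].get("postData", {})
        for p in post.get("params", []):
            if p["name"] == "SAMLResponse":
                # unquote() covers browsers that export the value still URL-encoded
                yield base64.b64decode(unquote(p["value"]))

def check_window(xml_bytes):
    """Return the three timestamps and whether IssueInstant is inside the window."""
    if b"<!DOCTYPE" in xml_bytes:  # diagnostic parser: refuse DTDs outright
        raise ValueError("DOCTYPE not allowed in a SAML response")
    assertion = ET.fromstring(xml_bytes).find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion found (it may be encrypted)")
    cond = assertion.find("saml:Conditions", NS)
    # Assumption: compare the Assertion's own IssueInstant, not the Response's
    issued = parse_ts(assertion.get("IssueInstant"))
    nb, noa = parse_ts(cond.get("NotBefore")), parse_ts(cond.get("NotOnOrAfter"))
    return {"IssueInstant": issued, "NotBefore": nb, "NotOnOrAfter": noa,
            "in_window": nb <= issued < noa}

def sample_har(issue_instant):
    # Constructed sample (not a real capture), using the window shown in step 3
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
           f'<saml:Assertion IssueInstant="{issue_instant}">'
           '<saml:Conditions NotBefore="2022-04-04T13:58:19.253Z" '
           'NotOnOrAfter="2022-04-04T14:58:19.253Z"/></saml:Assertion></samlp:Response>')
    value = base64.b64encode(xml.encode()).decode()
    return {"log": {"entries": [{"request": {"postData": {"params": [
        {"name": "SAMLResponse", "value": value}]}}}]}}

if __name__ == "__main__":
    for instant in ("2022-04-04T14:03:19.253Z", "2022-04-04T13:53:19.253Z"):
        for xml in saml_responses_from_har(sample_har(instant)):
            print(instant, "in window:", check_window(xml)["in_window"])
```

For a real capture, pass the result of json.load() on the HAR file to saml_responses_from_har(). HAR files contain session data and should be handled as sensitive.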

Recommended next steps

There are two recommended steps:

  1. If viable, add a clock drift/clock skew/clock delay to the values sent in the SAML assertion.

  2. Verify whether the IdP system clock is synced or needs to be resynced.

Some IdPs may have a way to set a clock drift or clock skew through their policies. Please check with your IdP for specific guidance.

For AD FS, please see the following documentation:

Contact Microsoft support for guidance on how to check/modify time skew/drift.

Updated on June 17, 2025
