Created on 08-30-2022 01:14 PM Edited on 05-06-2024 06:45 AM By Jean-Philippe_P
Description
This article describes how to troubleshoot authentication failures due to 'clock skew' SAML errors.
Scope
FortiOS 7.0.4 and later.
Solution
A SAML assertion carries a validity window in its Conditions element (the NotBefore and NotOnOrAfter attributes), and FortiGate, acting as the SAML SP, checks that window against its own clock. If the clocks on the FortiGate and the SAML IdP are not in sync, the window is not satisfied and authentication fails with the following errors in the SAML debug output (diagnose debug application samld -1):
__samld_sp_login_resp [859]: Clock skew tolerance: 0
__samld_sp_login_resp [864]: Clock skew issue.
To fix this issue, make sure the time is in sync between the FortiGate and the IdP (NTP on both sides is the usual answer).
In cases where the time sync between the FortiGate and the IdP cannot be controlled, 'clock-tolerance' can be configured to set how many seconds the SP (FortiGate) clock may differ from the IdP clock. Keep the value as small as the environment allows: a larger tolerance also widens the window in which an already expired assertion is still accepted.
config user saml
edit <name>
set clock-tolerance <seconds> <-- (0-300, 15 by default).
next
end
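The following Python model makes the check concrete. It is an added example, not FortiOS code: it parses a constructed SAML assertion fragment, compares its NotBefore/NotOnOrAfter window against the SP clock, and applies a tolerance in seconds in the same spirit as 'set clock-tolerance'. The check_at() helper, the assertion contents and the timestamps are all assumptions made for illustration.

```python
"""Model of the SP-side SAML assertion time-validity check with a clock-skew
tolerance. Added example; it is not FortiOS's implementation."""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment: only the elements relevant to the time check.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion" Version="2.0" IssueInstant="2024-05-06T06:45:00Z">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Conditions NotBefore="2024-05-06T06:45:00Z"
                   NotOnOrAfter="2024-05-06T06:50:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML timestamps are xsd:dateTime in UTC with a 'Z' suffix."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_conditions(assertion_xml, sp_now, clock_tolerance=15):
    """Return (ok, reason) for the assertion's validity window as seen by the SP.

    clock_tolerance (seconds) plays the role of FortiGate's clock-tolerance:
    the SP clock may be up to that many seconds ahead of or behind the IdP.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "no Conditions element"
    skew = timedelta(seconds=clock_tolerance)
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    # SP clock behind the IdP: the assertion looks like it is from the future.
    if not_before is not None and sp_now + skew < parse_saml_time(not_before):
        return False, "NotBefore in the future: clock skew issue"
    # SP clock ahead of the IdP: the assertion looks already expired.
    if not_on_or_after is not None and sp_now - skew >= parse_saml_time(not_on_or_after):
        return False, "NotOnOrAfter already passed: clock skew issue"
    return True, "valid"


def check_at(sp_clock, clock_tolerance=15):
    """Convenience wrapper: sp_clock is the SP's current time as a SAML-style string."""
    return check_conditions(ASSERTION, parse_saml_time(sp_clock), clock_tolerance)


if __name__ == "__main__":
    # SP clock 5 s behind the IdP: fails with tolerance 0, passes with the default 15.
    for sp_clock, tol in (("2024-05-06T06:44:55Z", 0), ("2024-05-06T06:44:55Z", 15),
                          ("2024-05-06T06:50:20Z", 15), ("2024-05-06T06:39:59Z", 300)):
        ok, reason = check_at(sp_clock, tol)
        print(f"SP clock {sp_clock} tolerance {tol:3d}s -> {'OK  ' if ok else 'FAIL'} ({reason})")
```

With the SP clock 5 seconds behind the IdP, tolerance 0 reproduces the 'Clock skew issue' failure and the default 15 seconds accepts the assertion; a clock that is more than 300 seconds off fails even at the maximum tolerance, which is why fixing NTP, not raising the tolerance, is the real remedy.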
Also verify the connection to the NTP server. If the FortiGate clock is wrong, restart the NTP process and confirm that FortiGate is synchronized with the NTP server (diagnose sys ntp status shows the sync state; execute time shows the current clock).
To restart the NTP process, first find its PID:
diagnose sys process pidof ntpd
or:
diag sys top-all | grep ntpd
then kill it (the daemon is restarted automatically):
diag sys kill 11 <pid> <-- PID of the process.
To check whether FortiGate is sending NTP requests and getting responses from the NTP server (UDP port 123):
diag sniffer packet any "port 123" 4 0 l