SSO login shows "SAML response is not valid before" or HTTP 400

Attempts to log in through SSO with Chrome fail with this error:

Error: {"error": "SAML Response is not valid before: …}

On Internet Explorer 11, the same failure appears as an HTTP 400 error.

Causes and solutions

Cause 1

The NotBefore timestamp that ADFS puts in the SAML response lies in the future according to Zivver's clock, because the time on the ADFS server differs from the UTC time Zivver uses. Even a difference of milliseconds can cause this error.

Solution 1

Synchronize the clocks across the domain controllers. The ADFS server takes its time from the domain hierarchy, so the timestamp in the SAML response then agrees with UTC again.

Be aware that synchronization is gradual: the Windows Time service corrects an offset in small steps rather than all at once. An offset of 6 seconds, for example, is only fully corrected within the next hour.
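To see what the error actually measures, the following added PowerShell snippet (example code, not part of this article or of Zivver's product) decodes a SAMLResponse, reads the NotBefore and NotOnOrAfter conditions from the assertion and compares them with a UTC clock. The embedded assertion is a constructed, unsigned sample; in practice you would paste the base64 SAMLResponse form field captured with the browser's developer tools on the failing login, and let `-Now` default to the verifier's current UTC time. The function name `Test-SamlNotBefore` and the 800 ms offset in the usage line are assumptions for the illustration.

```powershell
# Added example: measure the clock offset implied by a SAML response.
# Not Zivver's or Microsoft's code; sample assertion below is constructed.
$sampleXml = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                IssueInstant="2023-01-01T12:00:00.250Z">
  <saml:Assertion>
    <saml:Issuer>http://adfs.example.local/adfs/services/trust</saml:Issuer>
    <saml:Conditions NotBefore="2023-01-01T12:00:00.250Z"
                     NotOnOrAfter="2023-01-01T13:00:00.250Z" />
  </saml:Assertion>
</samlp:Response>
"@
$SamlResponseB64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleXml))

function Test-SamlNotBefore {
    param(
        [Parameter(Mandatory)][string]$Base64Response,
        # Clock to compare against; defaults to this machine's UTC time.
        # Passed in explicitly so the constructed sample can be checked against a fixed time.
        [datetime]$Now = [DateTime]::UtcNow
    )
    $xml = [xml][Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Base64Response))
    $ns  = New-Object Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $cond = $xml.SelectSingleNode('//saml:Conditions', $ns)

    # The 'Z' suffix plus AssumeUniversal/AdjustToUniversal keeps the parsed values in UTC.
    $culture = [Globalization.CultureInfo]::InvariantCulture
    $style   = [Globalization.DateTimeStyles]::AssumeUniversal -bor [Globalization.DateTimeStyles]::AdjustToUniversal
    $notBefore    = [DateTime]::Parse($cond.NotBefore,    $culture, $style)
    $notOnOrAfter = [DateTime]::Parse($cond.NotOnOrAfter, $culture, $style)

    # Positive SkewMs: the assertion is dated in the future relative to this clock,
    # which is exactly the condition behind "SAML Response is not valid before".
    $skew = $notBefore - $Now
    [pscustomobject]@{
        NotBefore    = $notBefore
        NotOnOrAfter = $notOnOrAfter
        ClockUtc     = $Now
        SkewMs       = [math]::Round($skew.TotalMilliseconds)
        ValidNow     = ($Now -ge $notBefore) -and ($Now -lt $notOnOrAfter)
    }
}

# Verifier clock 800 ms behind the issuer (assumed value): ValidNow is False, SkewMs is 800.
Test-SamlNotBefore -Base64Response $SamlResponseB64 -Now ([DateTime]::new(2023, 1, 1, 11, 59, 59, 450, [DateTimeKind]::Utc))
```

A positive `SkewMs` on a response captured from a real login tells you how far the ADFS clock is ahead of the service that rejected it, which is the number to compare against the skew settings discussed further down.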

Cause 2

The clock on the ADFS server itself is not synchronized.

Solution 2

Synchronize the clock manually. For more information, refer to:

Cause 3

The server configuration causes a delay. There might be a system time mismatch between the ADFS server and the domain controller. Possible causes are:
- The ADFS server is a virtual machine.
- There is a multi-tenant configuration.

If the virtual machine takes its time from the hypervisor host, or the slave takes it from the master in a multi-tenant configuration, a small offset between the ADFS and DC clocks might occur.

Solution 3

Synchronize the virtual machine or the slave with time.windows.com directly, instead of with the host or master clock.

For more information, refer to:
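The three solutions above come down to the same procedure: find out where the ADFS server gets its time from, measure how far it is off, and if necessary point the Windows Time service at an NTP server directly. The following added PowerShell script (example code, not from this article, Zivver or Microsoft) does that with the standard `w32tm` tool; run it in an elevated session on the ADFS server. The NTP server, the 1-second threshold and the function name `Get-NtpOffsetMs` are assumptions; set `$NtpServer` to another server if time.windows.com is not reachable from your network.

```powershell
# Added example: measure and correct the ADFS server's clock offset with w32tm.
# Not Zivver's or Microsoft's code; server name and threshold are assumptions.
$NtpServer   = 'time.windows.com'
$ThresholdMs = 1000   # assumption: correct anything above 1 s before touching ADFS settings

function Get-NtpOffsetMs {
    param([string]$Server, [int]$Samples = 5)
    # /dataonly prints one line per sample like "12:00:01, +00.0021234s";
    # the number is the local offset from the server in seconds.
    $lines = & w32tm /stripchart /computer:$Server /samples:$Samples /dataonly 2>&1
    $offsets = foreach ($l in $lines) {
        if ("$l" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] * 1000 }
    }
    if (-not $offsets) { throw "No samples from $Server (is UDP/123 blocked?)" }
    [math]::Round(($offsets | Measure-Object -Average).Average, 1)
}

# 1. Where does this machine get its time from now: VM host, a DC, or a manual peer?
& w32tm /query /source
& w32tm /query /status

# 2. How far is it off?
$offsetMs = Get-NtpOffsetMs -Server $NtpServer
"Offset vs ${NtpServer}: $offsetMs ms"

# 3. If the offset is too large, stop following the host/domain hierarchy and
#    sync from the NTP server directly (0x8 = client mode, request only).
if ([math]::Abs($offsetMs) -gt $ThresholdMs) {
    # On a Hyper-V guest the host's time integration would override w32time again,
    # so disable that provider first (registry key is the documented switch for it).
    $cs = Get-CimInstance Win32_ComputerSystem
    if ($cs.Manufacturer -match 'Microsoft' -and $cs.Model -match 'Virtual Machine') {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider' `
                         -Name Enabled -Value 0
    }
    & w32tm /config /manualpeerlist:"$NtpServer,0x8" /syncfromflags:manual /reliable:no /update
    & w32tm /resync /force
    Start-Sleep -Seconds 5
    "Offset after resync: $(Get-NtpOffsetMs -Server $NtpServer) ms"
}
```

Because w32time slews rather than steps small offsets, the value printed after the resync may still be non-zero; rerun `Get-NtpOffsetMs` after a while before deciding that the clock is fixed. On VMware guests the equivalent host override is the "Synchronize guest time with host" option in VMware Tools, which is left to the administrator.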

More solutions

If the error ({"error": "SAML Response is not valid before: ...}) still appears, try these solutions.

Synchronize with a different NTP (Network Time Protocol) server

Examples:
- ntppool.org
- Amazon

Increase the value of -NotBeforeSkew

Use the Set-AdfsRelyingPartyTrust cmdlet in PowerShell. NotBeforeSkew is a value in minutes: ADFS sets the NotBefore condition of the SAML response that many minutes before the issue time, so a relying party whose clock is slightly behind still accepts the response. The command below sets the skew to 5 minutes; -TargetName takes the friendly name of the relying party trust, which is generally "Zivver" or "app.zivver.com". Note that this works around a clock difference rather than fixing it: keep the clocks synchronized as well, because the same drift also breaks Kerberos authentication once it exceeds 5 minutes.

Set-AdfsRelyingPartyTrust -TargetName "<Relying Party name>" -NotBeforeSkew 5

For more information, refer to Set-AdfsRelyingPartyTrust.
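Rather than setting the skew to 5 minutes straight away, it is safer to read the current value and raise it only as far as the measured offset requires. The following added PowerShell snippet (example code, not part of this article or of Zivver's product) does that with the Get-AdfsRelyingPartyTrust and Set-AdfsRelyingPartyTrust cmdlets; run it in an elevated session on the ADFS server. The trust name, the observed offset of 6000 ms and the 5-minute ceiling are assumptions.

```powershell
# Added example: raise NotBeforeSkew on the Zivver relying party trust only as
# far as needed. Not Zivver's or Microsoft's code; the values below are assumptions.
Import-Module ADFS

$TrustName        = 'Zivver'   # assumption: usually "Zivver" or "app.zivver.com"
$ObservedOffsetMs = 6000       # assumption: e.g. the offset measured from a rejected SAML response
$MaxSkewMinutes   = 5          # assumption: do not go beyond this without fixing the clocks

$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $trust) { throw "Relying party trust '$TrustName' not found" }

# NotBeforeSkew is whole minutes: round the observed offset up, and use at least 1.
$needed = [math]::Max(1, [math]::Ceiling($ObservedOffsetMs / 60000))
$target = [math]::Min($needed, $MaxSkewMinutes)

"Current NotBeforeSkew: $($trust.NotBeforeSkew) minute(s); required: $needed; applying: $target"

# Only ever widen the window; never silently lower a value an admin set on purpose.
if ($target -gt $trust.NotBeforeSkew) {
    Set-AdfsRelyingPartyTrust -TargetName $TrustName -NotBeforeSkew $target
    "New NotBeforeSkew: $((Get-AdfsRelyingPartyTrust -Name $TrustName).NotBeforeSkew) minute(s)"
}
```

If `$needed` comes out above `$MaxSkewMinutes`, the clock offset is too large to paper over with this setting; go back to the clock synchronization steps above instead of raising the ceiling.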