SAML authentication fails due to high "max_clock_skew" time
Created On 07/11/24 04:01 AM - Last Modified 07/24/24 21:06 PM
Symptom
- SAML authentication fails
- authd.log (less mp-log authd.log) shows the IdP's SAML message being rejected as "created in the future": the message's not_before time minus the configured max_clock_skew (60 seconds by default) is still later than the firewall's current time, for example:
-0600 SAML message from IdP " https://sts.xyzq.net/75d3/" (server profile "Max_Azure_SP") was created in the future (not_before "2023-01-08T15:46:59.518Z" - max_clock_skew 60 > now Sun Jan 8 09:38:09 2023 )
Environment
- Security Assertion Markup Language (SAML)
- Authentication
- Panorama or Palo Alto NGFW firewall
Cause
- By default, a maximum clock skew of 60 seconds is accepted.
- If the difference between the IdP's clock and the clock of the authenticating firewall/Panorama exceeds this value, authentication fails.
- In the log line above, not_before is 15:46:59 UTC while the firewall reports 09:38:09 local time at offset -0600, i.e. 15:38:09 UTC: the firewall clock is roughly 531 seconds behind the IdP, far beyond the default 60.
- One common reason is that the local time of the firewall/Panorama is out of sync with its NTP server.
- Even when NTP is in sync, the issue can occur if there is considerable latency between the IdP and the authenticating device (firewall/Panorama).
Resolution
- Follow troubleshooting steps documented at How to troubleshoot NTP server connection failure
- Change the Max clock skew setting.
- For NGFW, go to Device > Server Profile > SAML Identity Provider > [SAML IdP name] > Maximum Clock Skew (seconds)
- For Panorama, go to Panorama > Server Profiles > SAML Identity Provider > [SAML IdP name] > Maximum Clock Skew (seconds)
- "Max clock skew" is the allowed difference, in seconds, between the system times of the IdP and the firewall/Panorama when the firewall validates IdP messages.
- The default value is 60 and the range is 1 to 900.
- Raising the value also widens the window in which an assertion is accepted as valid, so correct the time source first and raise the skew only as far as the measured difference requires. A difference larger than 900 seconds cannot be absorbed by this setting at all and must be fixed on the clock side.
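The following Python script reproduces the firewall's not_before check on the authd.log line from the Symptom section and works out the smallest "Maximum Clock Skew" value that would let that message through. It is an added example written for this article, not Palo Alto code; the regular expression, the function names, and the reading of the leading "-0600" as the firewall's UTC offset (the tail of the log's timestamp prefix) are assumptions made for the illustration.

```python
"""Reproduce the NotBefore clock-skew check behind the authd.log message.

Added example, not firewall code. Assumptions: the leading "-0600" token is
the firewall's local UTC offset, and the check performed by the firewall is
    reject if (not_before - max_clock_skew) > now
as the log text itself suggests.
"""
import math
import re
from datetime import datetime, timedelta, timezone

# Log line taken from the Symptom section (sample input for this example).
LOG_LINE = (
    '-0600 SAML message from IdP " https://sts.xyzq.net/75d3/" '
    '(server profile "Max_Azure_SP") was created in the future '
    '(not_before "2023-01-08T15:46:59.518Z" - max_clock_skew 60 > '
    'now Sun Jan 8 09:38:09 2023 )'
)

SKEW_MIN, SKEW_MAX = 1, 900  # configurable range of Maximum Clock Skew

LOG_RE = re.compile(
    r'^(?P<offset>[+-]\d{4}) .*?not_before "(?P<not_before>[^"]+)" - '
    r'max_clock_skew (?P<skew>\d+) > now '
    r'(?P<now>[A-Za-z]{3} [A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \)'
)


def parse_authd_line(line: str) -> dict:
    """Extract not_before (UTC), the firewall's 'now' (UTC) and the skew."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("line is not a max_clock_skew rejection")
    sign = 1 if m["offset"][0] == "+" else -1
    hours, minutes = int(m["offset"][1:3]), int(m["offset"][3:5])
    local_tz = timezone(sign * timedelta(hours=hours, minutes=minutes))
    not_before = datetime.strptime(m["not_before"], "%Y-%m-%dT%H:%M:%S.%fZ")
    not_before = not_before.replace(tzinfo=timezone.utc)
    now_local = datetime.strptime(m["now"], "%a %b %d %H:%M:%S %Y")
    now_utc = now_local.replace(tzinfo=local_tz).astimezone(timezone.utc)
    return {"not_before": not_before, "now": now_utc, "skew": int(m["skew"])}


def firewall_accepts(not_before: datetime, now: datetime, max_clock_skew: int) -> bool:
    """The not_before check as described in the log: tolerate max_clock_skew seconds."""
    return not_before - timedelta(seconds=max_clock_skew) <= now


def required_skew(not_before: datetime, now: datetime) -> int:
    """Smallest whole-second skew setting under which the message passes."""
    diff = (not_before - now).total_seconds()
    return max(SKEW_MIN, math.ceil(diff))


def diagnose(line: str) -> dict:
    """Summarise one rejection: measured skew, verdict, and the minimum fix."""
    fields = parse_authd_line(line)
    actual = (fields["not_before"] - fields["now"]).total_seconds()
    needed = required_skew(fields["not_before"], fields["now"])
    return {
        "actual_skew_seconds": actual,
        "rejected": not firewall_accepts(fields["not_before"], fields["now"], fields["skew"]),
        "required_setting": needed,
        # Only worth changing the setting when the difference fits the 1..900 range;
        # otherwise the clock itself has to be corrected.
        "fixable_by_setting": needed <= SKEW_MAX,
    }


if __name__ == "__main__":
    result = diagnose(LOG_LINE)
    print(f"firewall is {result['actual_skew_seconds']:.3f}s behind the IdP")
    print(f"rejected at configured skew: {result['rejected']}")
    if result["fixable_by_setting"]:
        print(f"minimum Maximum Clock Skew that would pass: {result['required_setting']}s")
    else:
        print("difference exceeds 900s: fix NTP, no skew setting will help")
```

For the line in this article the script reports a difference of about 531 seconds, so the message is rejected at the default 60 and would only pass with the setting raised to 531 or more; a practitioner would treat a gap that large as an NTP problem rather than a tuning problem.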
Additional Information
SAML authentication failures can occur due to time discrepancies between the Identity Provider (IdP) and the firewall/Panorama, often caused by out-of-sync local time or network latency.
To resolve this, ensure the NTP server is properly synchronized and consider adjusting the maximum clock skew settings on the NGFW or Panorama to accommodate potential time differences.