Saml2 Error "Can't use it yet" "ToEarly"

I've set up our Seafile Pro edition to use SAML auth with ADFS, which works really well when first booted up… for about a day.

After a day I get the infamous “Page unavailable. Sorry, but the requested page is unavailable due to a server hiccup.” error. When digging into the seahub logs I find the following errors:

saml2.response:592 condition_ok Exception on conditions: Can't use it yet 1562758622 <= 1562758623
saml2.client_base:606 parse_authn_request_response XML parse error: Can't use it yet 1562758622 <= 1562758623
django.request:135 handle_uncaught_exception Internal Server Error: /saml2/acs/

However, I've checked and it's not to do with the system clock, as it's spot on for UTC, which is what our ADFS server uses, so I'm not sure what's going on. If I restart the service the issue is the same, but if I restart the entire box it's fine again for a while.

Any ideas?

Cheers

Looks like the time of your machine is too imprecise. Is some kind of NTP daemon running to keep the time in sync?

I did say that the system clock is identical to the ADFS server in the original post. Both servers use an NTP client and point to the same server and I’ve checked that they’re exactly the same.

After a reboot of the whole server (not the service) where the time is still the exact same, it resolves the issue for around a day.

Hello.

You can set the value of NotBeforeSkew to be a larger number on your adfs server:

Add-PSSnapin Microsoft.Adfs.PowerShell   # Load the ADFS PowerShell snap-in (ADFS 2.0; on Server 2012 R2 and later the ADFS module is loaded automatically and this line is not needed)
Get-ADFSRelyingPartyTrust -Identifier "your relying party identifier"   # Just to see what the current values are (check NotBeforeSkew in the output)
Set-ADFSRelyingPartyTrust -TargetIdentifier "your relying party identifier" -NotBeforeSkew 2   # Set the skew to 2 minutes (the parameter is in minutes)

refer: https://social.technet.microsoft.com/Forums/windowsserver/en-US/f42d4f48-8169-4f38-866f-c0da11702a0d/skewing-the-samlp-notbefore-in-adfs-v2
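To make the failure mode concrete, here is an added example (not Seafile's or pysaml2's own code) that re-implements the SAML Conditions timing check behind the "Can't use it yet" log line and adds the skew tolerance that the NotBeforeSkew setting above provides on the IdP side. The assertion is constructed for the example, with a NotBefore of 2019-07-10T11:37:03Z (epoch 1562758623, the value in the log), and the issuer URL is a placeholder; with the SP clock one second behind, the check fails at zero tolerance and passes with two minutes of skew.

```python
# Added example (not Seafile's or pysaml2's code): a minimal re-implementation of the
# SAML <Conditions> timing check that produced the "Can't use it yet" error above,
# with a skew tolerance so you can see how a one-second clock lead fails without it.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


class TooEarly(Exception):
    """NotBefore lies in the future (pysaml2 calls this ToEarly)."""


class Expired(Exception):
    """NotOnOrAfter has already passed."""


def parse_saml_instant(value):
    """Convert an xs:dateTime in UTC (e.g. 2019-07-10T11:37:03Z) to epoch seconds."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return int(datetime.strptime(value, fmt).replace(tzinfo=timezone.utc).timestamp())


def check_conditions(assertion_xml, now, skew=0):
    """Raise TooEarly/Expired if `now` (epoch seconds) falls outside the
    assertion's validity window, after widening the window by `skew` seconds
    on each side. Returns the (not_before, not_on_or_after) pair on success."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("assertion carries no <Conditions> element")
    not_before = not_on_or_after = None
    if cond.get("NotBefore") is not None:
        not_before = parse_saml_instant(cond.get("NotBefore"))
        if now < not_before - skew:
            # Same comparison and message shape as the seahub log line above.
            raise TooEarly("Can't use it yet %d <= %d" % (now, not_before))
    if cond.get("NotOnOrAfter") is not None:
        not_on_or_after = parse_saml_instant(cond.get("NotOnOrAfter"))
        if now >= not_on_or_after + skew:
            raise Expired("Too old %d >= %d" % (now, not_on_or_after))
    return not_before, not_on_or_after


def outcome(assertion_xml, now, skew=0):
    """Convenience wrapper returning 'ok', 'too_early' or 'expired'."""
    try:
        check_conditions(assertion_xml, now, skew)
    except TooEarly:
        return "too_early"
    except Expired:
        return "expired"
    return "ok"


# Constructed sample assertion (not a real ADFS response; issuer is a placeholder).
# Its NotBefore is 2019-07-10T11:37:03Z, i.e. epoch 1562758623, the value in the log above.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2019-07-10T11:37:03Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2019-07-10T11:37:03Z" NotOnOrAfter="2019-07-10T12:37:03Z"/>
</saml:Assertion>"""

if __name__ == "__main__":
    # SP clock one second behind the IdP: fails with no tolerance, passes with 2 minutes.
    print(outcome(SAMPLE_ASSERTION, 1562758622))            # too_early
    print(outcome(SAMPLE_ASSERTION, 1562758622, skew=120))  # ok
    print(outcome(SAMPLE_ASSERTION, 1562762223))            # expired (exactly NotOnOrAfter)
```

The point of the example is that a NotBefore equal to the IssueInstant leaves zero margin, so even a one-second lead on the IdP clock rejects the assertion. Widening the window can be done on either side: NotBeforeSkew on ADFS moves NotBefore back before the assertion is issued, and pysaml2 (the library behind the saml2.response log lines) has its own accepted_time_diff setting for the service-provider side; whichever you use, keep the tolerance small, since it is also the window in which a replayed assertion stays valid.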

Thanks, that looks spot on. I’ve set the values now and I’ll give it a test tomorrow after the reboot today.