To prevent tampering and replay attacks, messages used in SAML authentication are timestamped, and the parties are supposed to verify the validity of those timestamps.

In an ideal world, all servers involved in authentication, that is the server where your Atlassian application runs and the one where your Identity Provider (IdP) is hosted, have their clocks in perfect sync. In reality, however, clocks drift, sometimes by only a few milliseconds, which is enough to cause validation to fail.

To address this, the concept of "time skew" is introduced to specify the tolerance threshold on the consumer side.

We suggest setting the Time Skew parameter in the first tab of the SAML configuration to a reasonable value you are comfortable with, e.g. 5-15 seconds. This counteracts any time drift (difference) between the IdP and the Atlassian application server.

How can I tell if I need to increase the Time Skew parameter value to resolve the access issues?

Some users are able to log in but other users are getting the warning message:

You must be logged in, in order to access this page

When you check the logs, there is an exception as below:

2019-06-12 12:37:05,592 http-nio-8080-exec-7 FATAL anonymous 757x365547x1 gd08nd 192.168.1.1,0:0:0:0:0:0:0:1 /plugins/servlet/easysso/saml [o.t.easysso.saml.SAMLComponent] Could not process SAML response org.techtime.easysso.saml.SAMLValidatorException: The response came before. Current time: 2019-06-12T12:37:05.592+02:00 NotBefore not skewed: 2019-06-12T10:37:05.924Z
org.techtime.easysso.saml.SAMLProcessorException: org.techtime.easysso.saml.SAMLValidatorException: The response came before. Current time: 2019-06-12T12:37:05.592+02:00 NotBefore not skewed: 2019-06-12T10:37:05.924Z
    at org.techtime.easysso.saml.SAMLComponent.processSAMLResponseMessage(SAMLComponent.java:484)
    at org.techtime.easysso.saml.SAMLComponent.processSAML(SAMLComponent.java:926)
    at org.techtime.easysso.integration.filtering.PrincipalUserComponent.processPrincipalUser(PrincipalUserComponent.java:120)
    at org.techtime.easysso.logic.TechTimeStrategy.doPrincipalFiltering(TechTimeStrategy.java:98)
    at org.techtime.easysso.interfaces.JespaPrincipalFilter.doFilter(JespaPrincipalFilter.java:27)
    ... 3 filtered
    at org.techtime.easysso.logic.TechTimeStrategy.doX509Filtering(TechTimeStrategy.java:119)

In this example the time drift is 332 milliseconds, so any value above 1 second will solve the issue.
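
The drift calculation above can be repeated over a whole log file. The following is an added example, not EasySSO code: it parses the exception message shown above, computes how far NotBefore lies ahead of the local clock, and reports the smallest whole-second Time Skew that would cover it. The function names are hypothetical, and the assumption is that a response is accepted when the drift does not exceed the configured skew.

```python
import math
import re
from datetime import datetime, timedelta

# Matches the timestamps in the "The response came before" message quoted above.
PATTERN = re.compile(
    r"The response came before\. Current time: (?P<now>\S+) "
    r"NotBefore not skewed: (?P<not_before>\S+)"
)

def parse_ts(value):
    # ISO 8601 with milliseconds; turn a trailing "Z" into an explicit UTC
    # offset so datetime.fromisoformat accepts it on older Python versions.
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)

def drift_from_log(line):
    """Return how far NotBefore lies ahead of the consumer clock, or None."""
    m = PATTERN.search(line)
    if not m:
        return None
    return parse_ts(m["not_before"]) - parse_ts(m["now"])

def accepted_with_skew(line, skew_seconds):
    """Assumed check: the response passes when drift <= configured skew."""
    drift = drift_from_log(line)
    return drift is not None and drift <= timedelta(seconds=skew_seconds)

def minimum_skew_seconds(lines):
    """Smallest whole-second skew covering every NotBefore failure found."""
    drifts = [d for d in map(drift_from_log, lines) if d is not None]
    if not drifts:
        return 0
    return max(0, math.ceil(max(drifts).total_seconds()))

# Message copied from the log excerpt above.
SAMPLE = ("org.techtime.easysso.saml.SAMLValidatorException: "
          "The response came before. "
          "Current time: 2019-06-12T12:37:05.592+02:00 "
          "NotBefore not skewed: 2019-06-12T10:37:05.924Z")

if __name__ == "__main__":
    print("drift:", drift_from_log(SAMPLE))
    print("minimum skew (s):", minimum_skew_seconds([SAMPLE]))
```

If the reported drift is minutes or hours rather than milliseconds, the clocks are not synchronised, and that should be fixed at the source (for example with NTP) instead of widening the skew.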
