Problem

In the end of the SAML authentication process, the user gets one of the following error messages: 

SAML-message with NotBefore XXX is not valid yet

SAML-message with NotOnOrAfter XXX is no longer valid

Solution

This issue occurs if there is a difference between the clock on the Identity Provider and the application (Jira/Confluence/Bitbucket/Bamboo). Mostly this issues happen after application updates or migration processes, by which the clock times of your systems get mixed up.

To fix this issue quickly: Disable the Enforce response validity dates function (Service Provider section -> under Security).

Turning this function off permanently is not recommended, because it will disable one of the security mechanisms that built in to avoid replay attacks. While this may only be a very small risk, you should reenable it as early as possible as a best practice. Use it as valuable workaround while you troubleshoot your environment.


To solve the main issue

Try to adjust the Atlassian application and Identity Provider time clocks so they get synchronized. To edit the system time for Atlassian applications, the java timezone needs to be adjusted: Setting-the-timezone-for-the-java-environment. For changing the time of the Identity Provider, please check the Identity Provider's documentations.

If changing the system times didn't solve the issue, try to increase the Time Skew (Seconds) field (Service Provider section -> under Security) higher then 60 seconds (recommended values: 120 up to 180 seconds). To find an appropriate value, please get in contact with our support and attach an authentication tracker of the failed authentication.