
SSO Troubleshooting: Current time is earlier than NotBefore Condition

Learn how to resolve this time‑sync error during SSO

What This Error Means

During single sign‑on, a user successfully authenticates with their identity provider (IdP) but encounters the following error after returning to Foundry:

Current time is earlier than NotBefore condition


Why This Happens

SAML responses include a short validity window as a security measure. This error occurs when there is a time difference (clock drift) between Foundry and the identity provider.

If the IdP’s system clock is ahead of Foundry’s clock, the SAML response may not yet be considered valid, which triggers this error.


How to Resolve the Issue

If you are using Microsoft Active Directory Federation Services (AD FS), you can allow for clock drift by updating the relying party trust settings.

Run the following command in a PowerShell session (not a Command Prompt). Replace TrustName with the actual name of the Foundry relying party trust.

Command to run in PowerShell:
Set-ADFSRelyingPartyTrust -NotBeforeSkew "5" -TargetName TrustName

Example:
Set-ADFSRelyingPartyTrust -NotBeforeSkew "5" -TargetName ComplyEQ

This setting allows a small time skew so authentication can succeed even if system clocks are slightly out of sync.

Important notes:

  • This command applies to AD FS 2.0
  • If you are running AD FS 1.0, use the equivalent command for that version

Additional Notes

  • Foundry’s system time is synchronized using AWS
  • Foundry allows a 2‑second clock drift (leeway)
  • If your identity provider adds NotBefore or NotOnOrAfter conditions to the SAML response, ensure these values are not so restrictive that they fall outside this window
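The validity-window check described above, as an added example that is not Foundry's or AD FS's own code: it reads NotBefore and NotOnOrAfter from a SAML assertion and evaluates them against the service provider's clock with the 2-second leeway stated on this page. The function names and the sample assertion are constructed for illustration; it assumes the leeway applies to both bounds and that NotBeforeSkew is counted in minutes.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
LEEWAY = timedelta(seconds=2)  # drift allowance stated on this page


def parse_instant(value):
    """Parse a SAML xs:dateTime (e.g. 2024-05-01T12:00:03Z) as aware UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def check_conditions(xml_text, sp_now, leeway=LEEWAY):
    """Return (verdict, seconds_outside_window) for the first <Conditions>.

    Troubleshooting aid only: reads timestamps, does not verify signatures.
    """
    cond = ET.fromstring(xml_text).find(".//saml:Conditions", NS)
    if cond is None:
        return ("no-conditions", 0.0)
    limit = leeway.total_seconds()
    if cond.get("NotBefore"):
        early = (parse_instant(cond.get("NotBefore")) - sp_now).total_seconds()
        if early > limit:
            return ("not-yet-valid", early)  # the error described on this page
    if cond.get("NotOnOrAfter"):
        late = (sp_now - parse_instant(cond.get("NotOnOrAfter"))).total_seconds()
        if late >= limit:
            return ("expired", late)
    return ("valid", 0.0)


def sample_assertion(idp_now, skew_minutes=0, lifetime_minutes=5):
    """Constructed assertion: NotBefore is backdated by skew_minutes (assumed unit)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    nb = (idp_now - timedelta(minutes=skew_minutes)).strftime(fmt)
    na = (idp_now + timedelta(minutes=lifetime_minutes)).strftime(fmt)
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
            f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"/>'
            f'</saml:Assertion>')


if __name__ == "__main__":
    sp = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed SP clock
    for drift, skew in [(1, 0), (3, 0), (3, 5)]:
        xml = sample_assertion(sp + timedelta(seconds=drift), skew)
        print(f"IdP +{drift}s, skew {skew} min ->", check_conditions(xml, sp))
```

The skew only moves NotBefore backwards, so an assertion that is already past NotOnOrAfter stays rejected.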