SAML assertion timeout

Could you let me know what could cause this exception?
“The SAML assertion is outside the valid time period.”

The SAML assertion typically includes NotBefore and NotOnOrAfter conditions. This means that the SAML assertion is only valid for the specified time period. This helps detect replay attacks.
Make sure that the times are correct on both the identity provider server and service provider server. If they’re off by too much then this will cause the error you see.
If there’s still an issue, please enable SAML trace and send the generated log file to We can then take a look at exactly what’s going on with the times.

Thanks. SP server time is 3 mins behind.

I guess this is the message that you would see when there is a replay attack?
“The SAML assertion is being replayed.”
Am I correct in saying assertions are by default valid for 1.5 minutes before and after?
How do I change before and after time limit in config?

That’s correct. The error message indicates the assertion has been replayed.
If you use our product to generate the SAML assertion then by default it’s valid for 3 minutes before and after now.
You can change this period by specifying an AssertionLifetime for the in the SAML configuration. The format is AssertionLifeTime=“hh:mm:ss”. The default is “00:03:00” ie 3 minutes either side of now.
There is no default validity period for assertions across SAML offerings. However, typically a period of a few minutes is suitable.

Yes we have been using your product since summer.
I am seeing few replay attacks which might be user error as they could be using same session.
In this case we are SP and I want the user to know they have to login again. So when there is replay attack I am thinking of redirect to SP SSO UI to initiate a new request.

Yes, that’s one option. Another is to display a generic error message and ask the user to try again.
These could be genuine replay attacks or it could be that users are hitting the browser’s back button during the SSO process.