SSO Troubleshooting: Current time is earlier than NotBefore Condition
Learn what to do if you receive this error
Error Message
During single sign-on, after a user successfully authenticates with their identity provider (IdP), they return to Foundry and see this error:
Current time is earlier than NotBefore condition
Explanation
SAML messages include a short validity window as a security safeguard. This error occurs when there is a slight time difference between Foundry and the identity provider’s system clocks.
Resolution
If you are using AD FS, you can allow for clock drift by running the following command in a PowerShell session (not a DOS command line). Replace TrustName with the actual name of the relying party trust for Everfi (without quotes):
Set-ADFSRelyingPartyTrust -NotBeforeSkew "5" -TargetName TrustName
Example:
Set-ADFSRelyingPartyTrust -NotBeforeSkew "5" -TargetName EVERFI
For more details, see NotBefore causing troubles when server times slightly out of sync.
The command above applies to AD FS 2.0. If you are running AD FS 1.0, use the corresponding command for that version.
Additional Notes:
- Foundry’s system time is synchronized with AWS.
- Foundry applies a 2-second clock drift (leeway). If your IdP adds
NotBeforeorNotOnOrAfterconditions to the SAML response, ensure these values are not so restrictive that they trigger this error.
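The validity-window check described above, as an added example for diagnosing a captured SAML response (this is not Foundry's or AD FS's own code). The function names, the sample timestamps, the symmetric use of the 2-second leeway, and modeling NotBeforeSkew as backdating NotBefore by a number of minutes are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

CONDITIONS_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Conditions"

# Constructed sample: Conditions issued by an IdP whose clock runs 5 s fast.
SAMPLE = (
    '<saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'NotBefore="2024-01-01T12:00:05.000Z" NotOnOrAfter="2024-01-01T13:00:05.000Z"/>'
)

def parse_instant(value):
    """Parse a SAML xs:dateTime expressed in UTC (trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_conditions(xml_text, now, leeway=timedelta(seconds=2),
                     not_before_skew=timedelta(0)):
    """Return (ok, detail) for the validity window at service-provider time `now`.

    leeway: tolerance applied by the service provider (2 s on this page).
    not_before_skew: how far the IdP backdates NotBefore; an assumed model of
    the effect of -NotBeforeSkew, no AD FS call is made here.
    Diagnostic only: the signature is not verified, so use it on a response
    you captured yourself, never as an authentication check.
    """
    cond = next(ET.fromstring(xml_text).iter(CONDITIONS_TAG), None)
    if cond is None:
        return True, "no Conditions element"
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb is not None:
        not_before = parse_instant(nb) - not_before_skew
        if now + leeway < not_before:
            early = (not_before - now).total_seconds()
            return False, f"Current time is earlier than NotBefore condition ({early:.0f}s early)"
    if noa is not None and now - leeway >= parse_instant(noa):
        return False, "Current time is on or after NotOnOrAfter condition"
    return True, "within validity window"

if __name__ == "__main__":
    sp_now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # SP clock
    print(check_conditions(SAMPLE, sp_now))  # rejected: IdP is 5 s ahead
    print(check_conditions(SAMPLE, sp_now, not_before_skew=timedelta(minutes=5)))
```

The "early" figure in the rejection detail is the drift the leeway or skew has to absorb; if it is more than a few seconds, fix time synchronization on the IdP before widening the window.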