Skip to page contentSkip to chat
ServiceNow support
    • Community
      Ask questions, give advice, and connect with fellow ServiceNow professionals.
      Developer
      Build, test, and deploy applications
      Documentation
      Find detailed information about ServiceNow products, apps, features, and releases.
      Impact
      Accelerate ROI and amplify your expertise.
      Learning
      Build skills with instructor-led and online training.
      Partner
      Grow your business with promotions, news, and marketing tools
      ServiceNow
      Learn about ServiceNow products & solutions.
      Store
      Download certified apps and integrations that complement ServiceNow.
      Support
      Manage your instances, access self-help, and get technical support.
Authentication Clock Skew - Playbook Use Case - Support and Troubleshooting
  • >
  • Knowledge Base
  • >
  • Support and Troubleshooting (Knowledge Base)
  • >
  • Authentication Clock Skew - Playbook Use Case
KB0639127

Authentication Clock Skew - Playbook Use Case


4712 Views Last updated : Jul 24, 2025 public Copy Permalink
KB Summary by Now Assist

Issue

The number in seconds before notBefore constraint, or after notOnOrAfter constraint, to consider whether it is still valid. Update the SAML property glide.authenticate.sso.saml2.clockskew to a larger value with a default of 60 seconds. Some cases require a setting of 300 or higher. If the identity provider server is connected to a time sync server its time should not be out of sync. The customer’s network team will need to resolve this issue.

Symptom/Alert

This alert is generated when the identity provider and instance system time breaches the clock skew tolerance, which is a default value of 60 seconds. The datacenter monitoring system creates an incident for the integration team to investigate.

The information below details how to figure out what the clock skew delta is to determine what the new clock skew value should be.

  1. If SAML debug logging is enabled, the SAML response is logged in the system log.
    • If SAML debugging is not enabled, have the customer enable debug logging.
  2. Below is the SAML response needed to calculate the delta for the clock skew.

2016-11-03 15:03:12
information  SAML Response:
<samlp:Response ID="_8b21c0ab-b7dd-4f6b-9526-30d5f4bb64c9" Version="2.0"
IssueInstant="2016-11-03T15:49:23.315Z" Destination="https://<instance-name>.service-now.com/navpage.do"

  • The first line with the date/time highlighted is the time the messages were created in the system log. If downloading the node log file, the created time is in US Pacific time zone, PDT/PST. If viewing the log in the instance using the System Log > All, the created time is in the default time zone for that instance.
    • For the SAML response listed above, review the SAML response in the System Log > All so both times are listed in UTC (Zulu) so the instance and identity provider are in the UTC time zone. 
  • The second date/time is the time returned in the SAML response from the identity provider. This time is in UTC (Zulu) time zone.
  • In order to calculate the clock skew delta, verify both times are in the same time zone.
  1. If receiving a clock skew error, the SAML response is valid in the future. The clock skew is 15:03:12:686Z and the issueInstant is 15:49:23:315Z. The delta in time is approximately 48 minutes.
  2. To resolve this error, the identity provider admin should check the time on the identity provider server and make the appropriate adjustment to the server time.
  3. You can also update the Clock Skew item for the identity provider record to 3600 to resolve this example clock skew.

Resolution

The Plugin being used determines where the Clock Skew has to be updated:

  • For Multi-Provider SSO plugin
    • Navigate to Multi-Provider SSO > Identity Providers
    • Open the identity provider record that is receiving the clock skew
    • Update the Clock Skew field with the delta value calculated + 20
  • For the SAML 2 – Update 1 – Security Enhancements plugin
    • Navigate to the sys_properties table, sys_properties.LIST
    • Search for the following system property name glide.authenticate.sso.saml2.clockskew
    • Update the Clock Skew field with the delta value you calculate + 20

 

Related Links

Basic - if the issue has not been resolved

  • Verify the time zone has been converted correctly
  • Verify calculation is correct
  • Verify the correct clock skew field was updated for the External Authentication plugin used

Escalation - for escalating the use case include the following information:

  • Consult the Authentication SME
  • Open a task for the Dev-Authentication team

Additional Documentation

  • SAML 2.0 errors and Fixes
  • Advanced SAML Properties (SAML 2 – Update 1 – Security Enhancements plugin)
  • Create a SAML 2.0 update 1 SSO configuration for Multi-SSO

The world works with ServiceNow.

Sign in for more! There's more content available only to authenticated users Sign in for more!
Did this KB article help you?
Did this KB article help you?

How would you rate your Now Support digital experience?

*

Very unsatisfied

Unsatisfied

Neutral

Satisfied

Very satisfied

Very unsatisfied

Unsatisfied

Neutral

Satisfied

Very satisfied

What can we improve? Please select all that apply.

What are we doing well? Please select all that apply.

Tell us more

*

Do you expect a response from this feedback?

  • Terms and conditions
  • Privacy statement
  • GDPR
  • Cookie policy
  • © 2025 ServiceNow. All rights reserved.