Authentication Clock Skew - Playbook Use Case

The number in seconds before notBefore constraint, or after notOnOrAfter constraint, to consider whether it is still valid. Update the SAML property glide.authenticate.sso.saml2.clockskew to a larger value with a default of 60 seconds. Some cases require a setting of 300 or higher. If the identity provider server is connected to a time sync server its time should not be out of sync. The customer’s network team will need to resolve this issue.

Symptom/Alert

This alert is generated when the identity provider and instance system time breaches the clock skew tolerance, which is a default value of 60 seconds. The datacenter monitoring system creates an incident for the integration team to investigate.

The information below details how to figure out what the clock skew delta is to determine what the new clock skew value should be.

1. If SAML debug logging is enabled, the SAML response is logged in the system log.
   • If SAML debugging is not enabled, have the customer enable debug logging.
2. Below is the SAML response needed to calculate the delta for the clock skew.

2016-11-03 15:03:12
information  SAML Response:
<samlp:Response ID="_8b21c0ab-b7dd-4f6b-9526-30d5f4bb64c9" Version="2.0"
IssueInstant="2016-11-03T15:49:23.315Z" Destination="https://<instance-name>.service-now.com/navpage.do"

• The first line with the date/time highlighted is the time the messages were created in the system log. If downloading the node log file, the created time is in US Pacific time zone, PDT/PST. If viewing the log in the instance using the System Log > All, the created time is in the default time zone for that instance.
  • For the SAML response listed above, review the SAML response in the System Log > All so both times are listed in UTC (Zulu) so the instance and identity provider are in the UTC time zone. 
• The second date/time is the time returned in the SAML response from the identity provider. This time is in UTC (Zulu) time zone.
• In order to calculate the clock skew delta, verify both times are in the same time zone.

3. If receiving a clock skew error, the SAML response is valid in the future. The clock skew is 15:03:12:686Z and the issueInstant is 15:49:23:315Z. The delta in time is approximately 48 minutes.
4. To resolve this error, the identity provider admin should check the time on the identity provider server and make the appropriate adjustment to the server time.
5. You can also update the Clock Skew item for the identity provider record to 3600 to resolve this example clock skew.

The Plugin being used determines where the Clock Skew has to be updated:

• For Multi-Provider SSO plugin
  • Navigate to Multi-Provider SSO > Identity Providers
  • Open the identity provider record that is receiving the clock skew
  • Update the Clock Skew field with the delta value calculated + 20
• For the SAML 2 – Update 1 – Security Enhancements plugin
  • Navigate to the sys_properties table, sys_properties.LIST
  • Search for the following system property name glide.authenticate.sso.saml2.clockskew
  • Update the Clock Skew field with the delta value you calculate + 20

Basic - if the issue has not been resolved

• Verify the time zone has been converted correctly
• Verify calculation is correct
• Verify the correct clock skew field was updated for the External Authentication plugin used

Escalation - for escalating the use case include the following information:

• Consult the Authentication SME
• Open a task for the Dev-Authentication team

Additional Documentation

• SAML 2.0 errors and Fixes
• Advanced SAML Properties (SAML 2 – Update 1 – Security Enhancements plugin)
• Create a SAML 2.0 update 1 SSO configuration for Multi-SSO