Troubleshooting - "Sorry you don't have access" - clock skew and assertion lifetime
Problem
Users are unable to log in to the intranet and see the generic interface error "Sorry you don't have access".
This error is a generic wrapper message and does not identify the cause on its own. Further investigation is required to determine whether the underlying failure is a clock skew between the web server and the identity provider or an assertion lifetime mismatch.
Understanding clock skew & assertion lifetime
This issue occurs when the system clock on the web server hosting your ThoughtFarmer application and the system clock on the server hosting your Identity Provider (IdP), such as ADFS, Azure AD, Okta, or PingFederate, drift apart.
The assertion inside a SAML response carries an explicit validity window: the NotBefore and NotOnOrAfter timestamps of its Conditions element. The IdP sets them from its own clock and they are covered by the IdP's signature, so they cannot be altered in transit. ThoughtFarmer compares that window against the web server's clock. If the two clocks differ by more than the permitted tolerance, the assertion appears either not yet valid or already expired and the login is rejected. The window is deliberately short so that a captured assertion can only be replayed for a few minutes.
Diagnostic workflows
Review the logging location below that matches your deployment model to verify whether a clock skew issue applies to your environment:
Custom SAML providers (e.g., ADFS)
Inspect your Identity Provider's event viewer or authentication logs together with the logs on the ThoughtFarmer web server. If you locate the following protocol exception (it is raised by the SAML component on the ThoughtFarmer side when it validates the assertion), your server clocks are out of sync:
Exception: ComponentSpace.SAML2.Exceptions.SAMLProtocolException: The SAML assertion is outside the valid time period.
Self-Hosted (On-Premise) clients
If an administrator can still authenticate using a local emergency account, navigate to Admin Panel > System Logs. Search the log for an entry resembling the following block:
Error while processing SAML Response. Access Denied. - General - "1234578-1234-1234-1234-123456789012" - "OpenRoad.ThoughtFarmer.Web8"
ComponentSpace.SAML2.Exceptions.SAMLProtocolException: The SAML assertion is outside the valid time period.
at ComponentSpace.SAML2.InternalSAMLServiceProvider.CheckConditions(SAMLAssertion samlAssertion)
at ComponentSpace.SAML2.InternalSAMLServiceProvider.ProcessSAMLAssertion(SAMLAssertion samlAssertion, String& userName, SAMLAttribute[]& attributes)
at ComponentSpace.SAML2.InternalSAMLServiceProvider.ProcessSAMLResponse(XmlElement samlResponseElement, Boolean& isInResponseTo, String& userName, SAMLAttribute[]& attributes)
at ComponentSpace.SAML2.InternalSAMLServiceProvider.ReceiveSSO(HttpRequestBase httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& userName, SAMLAttribute[]& attributes, String& relayState)
at OpenRoad.ThoughtFarmer.Web8.Areas.Auth.Controllers.SAMLController.AssertionConsumerService() in c:\BuildAgent2\work\afd7230e597b25a9\OpenRoad.ThoughtFarmer.Web8\Areas\Auth\Controllers\SAMLController.cs:line 114
Cloud-Hosted clients
Because cloud-hosted customers do not have direct access to the web server environment, open a support request with the ThoughtFarmer Helpdesk so engineering can review the server-side logs.
Resolution strategy
Short-term workaround
If you must restore user access immediately, before your infrastructure team can synchronize the server clocks (normally by pointing both the web server and the IdP at the same NTP time source; on Windows, w32tm /query /status shows the configured source and current offset), you can temporarily widen the permitted time-delta window within ThoughtFarmer:
- Navigate to the Admin Panel > Configuration Settings.
- Locate the configuration key: authentication.assertionClockSkew
- Set the value to 5 (this instructs the application to tolerate a difference of up to 5 minutes between the IdP's timestamps and the web server's clock).
- Save the configuration changes.
- Important: once the server clocks have been synchronized, revert this setting to 0. Every minute of tolerance widens the window in which a captured assertion could be replayed against the intranet, so the wider value is a stopgap, not a setting to keep.
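To make the validity-window rule from the "Understanding clock skew" section and the effect of the authentication.assertionClockSkew workaround concrete, here is an added example of how a SAML service provider evaluates an assertion's Conditions against its own clock with a configurable tolerance. It is illustrative code written for this page, not ThoughtFarmer's or ComponentSpace's implementation; the assertion XML, the hostnames and the timestamps are constructed for the example.

```python
"""Added example: a SAML service provider's (SP) assertion time-window check with a
clock-skew tolerance. Illustrative only; not ThoughtFarmer or ComponentSpace code."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample (not a real IdP capture): a 5-minute assertion issued at 12:00:00Z.
# The signature is omitted because only the Conditions element matters for this check.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-03-01T12:00:00Z">
  <saml:Issuer>http://idp.example.test/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2024-03-01T12:00:00Z" NotOnOrAfter="2024-03-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://intranet.example.test/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_datetime(value):
    """Parse a SAML xs:dateTime (UTC with trailing 'Z', optional fractional seconds)."""
    if value is None:
        return None
    if not value.endswith("Z"):
        raise ValueError("SAML timestamps must be UTC ('Z'): %r" % value)
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def parse_conditions(assertion_xml):
    """Return (NotBefore, NotOnOrAfter) from the assertion's Conditions element."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("{%s}Conditions" % SAML_NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions element")
    return (parse_saml_datetime(cond.get("NotBefore")),
            parse_saml_datetime(cond.get("NotOnOrAfter")))


def check_time_window(not_before, not_on_or_after, sp_now, clock_skew=timedelta(0)):
    """SP rule: accept only if NotBefore - skew <= sp_now < NotOnOrAfter + skew.
    NotOnOrAfter is exclusive, as the attribute name says. Returns (accepted, reason)."""
    if not_before is not None and sp_now < not_before - clock_skew:
        return False, "not yet valid: NotBefore is in the future (SP clock behind the IdP)"
    if not_on_or_after is not None and sp_now >= not_on_or_after + clock_skew:
        return False, "expired: NotOnOrAfter has passed (SP clock ahead of the IdP)"
    return True, "within the valid time period"


def evaluate(assertion_xml, sp_now_utc, skew_minutes=0):
    """Evaluate an assertion as an SP whose clock reads sp_now_utc, with a tolerance in
    minutes (the role the authentication.assertionClockSkew setting plays)."""
    not_before, not_on_or_after = parse_conditions(assertion_xml)
    sp_now = parse_saml_datetime(sp_now_utc)
    return check_time_window(not_before, not_on_or_after, sp_now,
                             timedelta(minutes=skew_minutes))


if __name__ == "__main__":
    # The IdP issued the sample assertion at 12:00:00Z; the SP's clock reads sp_now.
    cases = [
        ("clocks in sync, skew 0",        "2024-03-01T12:00:30Z", 0),
        ("SP clock 2 min behind, skew 0", "2024-03-01T11:58:30Z", 0),
        ("SP clock 2 min behind, skew 5", "2024-03-01T11:58:30Z", 5),
        ("SP clock 11 min ahead, skew 5", "2024-03-01T12:11:00Z", 5),
    ]
    for label, sp_now, skew in cases:
        accepted, reason = evaluate(SAMPLE_ASSERTION, sp_now, skew)
        print("%-30s -> %s (%s)" % (label, "ACCEPT" if accepted else "REJECT", reason))
```

The second and third cases are the situation this article describes: a web server clock only two minutes behind the IdP makes every fresh assertion look "not yet valid" at tolerance 0, and a 5-minute tolerance masks it. The fourth case shows the tolerance is not unlimited; it also shows why the workaround should be reverted, since the same tolerance extends the acceptance window of every assertion by the configured amount on both ends.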