Authentication to the Signals Platform using SAML can be denied if the SAML authentication time conditions are not satisfied.
If your tenant has been configured with SAML authentication, after navigating to the tenant URL you are taken to your IdP for authentication.
If authentication is successful, your IdP will send a SAML Assertion back to the Signals Platform. At this point your IdP has confirmed your identity and is sending this confirmation back to Signals.
Among a few other things, Signals will verify the following information in that SAML Assertion:
- X509Certificate must match the SAML key value on Signals Configuration
- Audience must match Signals SAML Application ID on Signals Configuration
- NameID must match your email address on Signals Configuration
- SAML Conditions must be within the expected time frame
Here is a sample Conditions object (observe the NotBefore and NotOnOrAfter values):
<saml2:Conditions NotBefore="2026-02-03T20:44:38.702Z"
                  NotOnOrAfter="2026-02-03T20:54:38.702Z"
                  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AudienceRestriction>
    <saml2:Audience>SignalsNotebook</saml2:Audience>
  </saml2:AudienceRestriction>
</saml2:Conditions>
Here is a sample Authentication Statement object (observe the AuthnInstant value):
<saml2:AuthnStatement AuthnInstant="2026-02-03T20:40:38.140Z"
                      SessionIndex="_9f7e68bb-cdd4-48b9-b7bc-66a1a29a21fd"
                      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AuthnContext>
    <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
  </saml2:AuthnContext>
</saml2:AuthnStatement>
This authentication attempt succeeded on the IdP but failed to authenticate to Signals. The IdP is sending an authentication confirmation timestamp (2026-02-03T20:40:38.702Z) that is in the past, earlier than the minimum time established by the authentication conditions (2026-02-03T20:44:38.702Z).
Some degree of clock skew is acceptable, which is why the conditions allow for a reasonable time range.
Because these conditions are set by your IdP, in some instances you can increase this time range. Ultimately, you will need to work with your IdP to resolve a clock skew that exceeds the established conditions.
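To see which timing condition a captured assertion violates, the following added example (not Signals' own validation code) compares AuthnInstant and the receiver's clock against the Conditions window. The function names, the skew parameter and applying it to the AuthnInstant comparison are assumptions; the sample combines the two fragments above in a constructed, unsigned Assertion.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the timestamps from this article inside a bare
# Assertion element (no signature, issuer or subject).
SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Conditions NotBefore="2026-02-03T20:44:38.702Z"
                    NotOnOrAfter="2026-02-03T20:54:38.702Z"/>
  <saml2:AuthnStatement AuthnInstant="2026-02-03T20:40:38.140Z"/>
</saml2:Assertion>"""


def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2026-02-03T20:44:38.702Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_times(assertion_xml, now, skew=timedelta(0)):
    """Return a list of timing problems; an empty list means all checks pass."""
    root = ET.fromstring(assertion_xml)
    cond = root.find(".//saml2:Conditions", NS)
    stmt = root.find(".//saml2:AuthnStatement", NS)
    if cond is None or stmt is None:
        return ["assertion lacks Conditions or AuthnStatement"]
    raw = (cond.get("NotBefore"), cond.get("NotOnOrAfter"), stmt.get("AuthnInstant"))
    if None in raw:
        return ["NotBefore, NotOnOrAfter or AuthnInstant attribute is missing"]
    not_before, not_on_or_after, authn = (parse_ts(v) for v in raw)

    problems = []
    # Receiver-side window check, widened by the tolerated skew (assumption).
    if now < not_before - skew:
        problems.append(f"receiver clock is {not_before - now} before NotBefore")
    if now >= not_on_or_after + skew:
        problems.append(f"receiver clock is {now - not_on_or_after} past NotOnOrAfter")
    # The condition this article describes: AuthnInstant earlier than NotBefore.
    if authn < not_before - skew:
        problems.append(f"AuthnInstant is {not_before - authn} before NotBefore")
    return problems


if __name__ == "__main__":
    now = datetime(2026, 2, 3, 20, 45, 0, tzinfo=timezone.utc)
    for line in check_times(SAMPLE, now) or ["all timing checks passed"]:
        print(line)
```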