Clock Skew SAML

Hi all,

I have a Keycloak instance (version 7) running in a Docker container (using the official Keycloak image from Docker Hub). I configured an identity provider with SAML; it delegates the authentication to an ADFS server, but when users are redirected back to Keycloak, they get a “Login timeout. Please login again” message.

When debugging the request/response I noticed a 400 error for the URL https://www.my-keycloak.com/auth/realms/my-realm/broker/my-broker/endpoint?client-request-id=nbahsgyt6534yhuhsjdhwuuweyeiuwhe… If you then refresh the page, you get authenticated properly.

After googling for a while it seems to be a timing issue (between the ADFS and Keycloak). People recommend adding a clock skew time to Keycloak, so that when the SAML response arrives Keycloak is able to validate it and authenticate properly.

The “add time skew” option seems to be possible for OpenID, but I can't find it for SAML.

Is there a way to add that option when configuring an identity provider via SAML in Keycloak?

Regards,

At least the latest version of Keycloak has a setting in the IdP for “Allowed clock skew”.
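As an added illustration of the timing check discussed in the question and the tolerance the reply refers to (example code written for this thread, not Keycloak's own implementation): the assertion's Conditions window is validated against the service provider's clock, first with no tolerance and then with an allowed clock skew. The assertion, issuer URL and timestamps are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real ADFS response). Its NotBefore is
# 5 s ahead of the SP clock used below, the kind of IdP/SP drift that makes
# a freshly signed response fail validation until the page is refreshed.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed-id" IssueInstant="2024-01-01T12:00:05Z" Version="2.0">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T12:00:05Z"
                   NotOnOrAfter="2024-01-01T12:05:05Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML 2.0 timestamps are UTC, ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, now, allowed_skew_seconds=0):
    """Return (ok, reason) for the assertion's validity window at time `now`.

    `allowed_skew_seconds` widens the window on both sides, which is what an
    SP-side "allowed clock skew" setting does. Keep it to a few seconds: every
    second of tolerance also extends how long a captured assertion remains
    acceptable, so syncing the clocks (NTP) is the real remedy.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "missing Conditions element"
    skew = timedelta(seconds=allowed_skew_seconds)
    # Both attributes are optional in the schema; enforce whichever is present.
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_saml_time(not_before):
        return False, "assertion not yet valid (IdP clock ahead of SP?)"
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        return False, "assertion expired"
    return True, "within validity window"


if __name__ == "__main__":
    sp_now = parse_saml_time("2024-01-01T12:00:00Z")  # SP clock 5 s behind the IdP
    print(check_conditions(ASSERTION_XML, sp_now))  # rejected with no tolerance
    print(check_conditions(ASSERTION_XML, sp_now, allowed_skew_seconds=30))  # accepted
```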