ClockSkew SAML in IDP

carloshager · December 11, 2019, 9:56am

I need to set the SkewClock into my IdentityProvider SAML which does the bridge with an ADFS server.

I know it is possible to set the SkewCloak when I have a client application using SAML, but in this case the client itself is the keycloak.

Currently I’m using KC 4.8.3 and I can upgrade to a new version if necessary.
Any ideas?

mhajas · December 12, 2019, 9:31am

Hello carloshager,

I looked into the code and it looks like at the moment we don’t support this, the code is here: https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java#L436. I think this won’t be hard to add similarly as for OIDC identity providers as one of configuration option. Feel free to create a feature request in our issue tracker. Contribution is welcome.

Michal

SamyOteroGlez · February 21, 2021, 11:57pm

I wonder if you solved this issue?
I am facing the exact same problem with a Keycloak instance running in a container.

Regadrs,

mhajas · February 22, 2021, 8:24am

Hello @SamyOteroGlez. When you create SAML identity provider there is an Allowed clock skew option.

carloshager · February 22, 2021, 9:53am

Hi Samy, yes, it has been fixed on the Keycloak 9 version.
It is already possible to set the values in the interface.

Topic		Replies	Views
Clock Skew SAML Configuring the server saml	2	2846	October 13, 2022
SAML Client Time SKew Configuring the server client-configuration , saml	2	484	March 8, 2023
Keycloak as a broker between Application that only accepts OIDC, and ADFS which has been setup as SAML Securing applications authentication , identity-brokering , oidc , saml	1	345	May 3, 2023
AzureAD Saml SSO -> Keyclock Broker -> openid client \| questions Getting advice	0	334	July 28, 2021
SAML 2.0 and AD FS integration Getting advice saml	0	595	April 30, 2021