Sudden Error | SAML Assertion expired (solved by restart)

Tech Stack

  • Docker image jboss/keycloak:9.0.0
  • Deployed in Kubernetes Cluster (AKS)
  • Connected to Windows AD FS

TL;DR: Everything was working fine till it stopped, after reboot of keycloak pod everything is working just fine again

Error Log

timestamp ERROR [] (default task-15) Assertion expired.
timestamp WARN  [] (default task-15) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=xa_realm, clientId=null,
 userId=null, ipAddress=x.y.z.x, error=invalid_saml_response

the same error log is repeated multiple times

Workaround that I did to get it back up:

  • Kubectl delete pod X
  • After this everything is back normal

Any idea what could be wrong?

That looks like a problem with the time sync on some side. It can be a Keycloak time, but it can be also Windows AD FS time.

1 Like

thank you, I will check that out.

As an update:

  • I do not need to reboot anything (just refreshing the browser seems to work out)

timestamp seems to be all fine. check both keycloak and AD FS

Yes that was the problem.

Keycloak IDP setting has a “Allowed clock skew”. setting that helped me solve this