Sudden Error | SAML Assertion expired (solved by restart)

Tech Stack

  • Docker image jboss/keycloak:9.0.0
  • Deployed in Kubernetes Cluster (AKS)
  • Connected to Windows AD FS

TL;DR: Everything was working fine until it stopped; after a reboot of the Keycloak pod everything is working just fine again.

Error Log

timestamp ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-15) Assertion expired.
timestamp WARN  [org.keycloak.events] (default task-15) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=xa_realm, clientId=null,
 userId=null, ipAddress=x.y.z.x, error=invalid_saml_response

The same error log is repeated multiple times.

Workaround that I did to get it back up:

  • kubectl delete pod X
  • After this everything is back to normal

Any idea what could be wrong?

That looks like a problem with the time sync on some side. It can be the Keycloak time, but it can also be the Windows AD FS time.
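
One way to test the time-sync explanation above, as an added example that is not part of the original thread: compare the IssueInstant, NotBefore and NotOnOrAfter values of a captured assertion with the clock of the receiving host. The sample assertion, the function names and the allowed_skew parameter are constructed for illustration, and the assertion is assumed to be unencrypted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: only the elements needed for the time checks.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}"
    ID="_constructed" Version="2.0" IssueInstant="2020-03-10T12:00:00.000Z">
  <saml:Conditions NotBefore="2020-03-10T12:00:00.000Z"
                   NotOnOrAfter="2020-03-10T12:05:00.000Z"/>
</saml:Assertion>"""


def parse_ts(value):
    """Parse a UTC xs:dateTime such as 2020-03-10T12:00:00.000Z."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_window(xml_text, receiver_now, allowed_skew=timedelta(0)):
    """Classify an assertion against the receiver's clock.

    Returns (verdict, drift), where drift = receiver_now - IssueInstant.
    allowed_skew is a hypothetical tolerance, not a Keycloak setting name.
    """
    root = ET.fromstring(xml_text)
    # iter() also matches the root, so a bare Assertion or a full Response works.
    assertion = next(root.iter(f"{{{SAML_NS}}}Assertion"))
    cond = assertion.find(f"{{{SAML_NS}}}Conditions")
    issued = parse_ts(assertion.get("IssueInstant"))
    not_before = parse_ts(cond.get("NotBefore"))
    not_on_or_after = parse_ts(cond.get("NotOnOrAfter"))
    drift = receiver_now - issued
    if receiver_now + allowed_skew < not_before:
        verdict = "not-yet-valid"   # receiver clock is behind the issuer
    elif receiver_now - allowed_skew >= not_on_or_after:
        verdict = "expired"         # receiver clock ahead, or a stale response
    else:
        verdict = "valid"
    return verdict, drift


if __name__ == "__main__":
    # Use the receiving host's own clock, as the service provider would.
    print(check_window(SAMPLE_ASSERTION, datetime.now(timezone.utc)))
```

A drift of several minutes on a freshly issued assertion means one of the two clocks is off; check both hosts against the same time source.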