Adjust Clock Skew for SAML Enterprise Connections

auth0.knowledge2 · January 3, 2025, 4:45pm

Overview

This article provides steps on how to reduce the clock skew tolerance related to expired SAML assertion from 3 to 2 minutes when Auth0 is acting as a Service Provider (SP) using SAML.

Applies To

SAML enterprise connections

Solution

Auth0 allows < 3min expired assertions due to our (configurable) clock skew. To reduce the allowed clockSkew, for example, to 2 minutes, insert options.clockSkew:2 with the following steps:

Call the GET /api/v2/connections/{id} endpoint by passing the connection_id of the SAML connection.

See Get a connection

Copy everything in options section in the response.
Insert "clockSkew":2 inside of the block of options.
Call the PATCH /API/v2/connections/{id} endpoint again by passing the connection_id of the SAML connection. The payload should only include the options section.

Topic		Replies	Views
Did auth0 server just experience clock skew? And what can I do about it? Help jwt , auth0	6	5073	September 4, 2019
Token generated in future - Leeway does not work when [token time] - [system time] > 60 seconds Help token	4	6210	March 2, 2018
Configure SAML certificate expiry emails' notification window Feedback	1	559	November 13, 2023
Still getting Token used before issued error after adding a leeway of 2min Help jwt , authentication , go	0	3300	June 14, 2021
"assertion has expired" error: enforcement of SAML assertion lifetime values Knowledge Articles expire , saml-enterprise-connections , lifetime , assertion	1	1510	May 8, 2023

Adjust Clock Skew for SAML Enterprise Connections

Overview

Applies To

Solution

Related topics