
ADFS 3.0 on Windows Server 2012 generates 1 hour expired SAML assertions


I am using Windows Server 2012 and installed ADFS 3.0 on it. The server is configured to generate SAML 2.0 assertions for a single relying party as of now (my test application).

I am getting the "Assertion is expired" error on the Relying Party side, so I used SAML Tracer to check the generated assertion and found that the assertions generated by the Win 2012 server itself are already expired by 1 hour relative to the current server time.

The part from SAML assertion: NotBefore="2016-05-05T12:19:15.789Z" NotOnOrAfter="2016-05-05T13:19:15.789Z"

And my server time at that point was 2:29 PM on the system clock.

Any idea what is causing this time difference and how to fix it?


Solution

  • This typically means that your app server has a significant time skew from the ADFS server and the validation library for your app is not allowing this. I think the default allowance for time skew in ADFS is 5 minutes, but I may be mistaken.

    First, try to get the time in sync. If you are syncing from NTP servers, this should typically be OK.

    You can also try to change the SKEW setting in ADFS. This is not recommended because it is good to ensure that servers are in time sync.

    Set-AdfsRelyingPartyTrust -TargetName "your app name" -NotBeforeSkew 5
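To show what the relying party's validation library is actually checking, here is an added example (not part of the original answer or of any real SAML library) that evaluates the Conditions element quoted in the question against a relying-party clock with a configurable skew allowance. The Assertion wrapper, the Issuer URL and the relying-party clock value (the question's 2:29 PM, taken as UTC here) are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the Conditions element from the question, wrapped in a
# minimal Assertion so it parses as SAML 2.0 XML (issuer URL is made up).
SAMPLE_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML_ASSERTION_NS}" ID="_example" Version="2.0"
                IssueInstant="2016-05-05T12:19:15.789Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2016-05-05T12:19:15.789Z"
                   NotOnOrAfter="2016-05-05T13:19:15.789Z"/>
</saml:Assertion>
"""

# Assumed relying-party clock: the question's 2:29 PM, treated as UTC.
RELYING_PARTY_CLOCK = "2016-05-05T14:29:00.000Z"


def parse_saml_time(value: str) -> datetime:
    """Parse a SAML xs:dateTime with a 'Z' suffix into an aware UTC datetime."""
    if not value.endswith("Z"):
        raise ValueError(f"SAML times must be expressed in UTC: {value!r}")
    return datetime.strptime(value[:-1], "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml: str, now_utc: str, allowed_skew_seconds: int = 0) -> tuple[bool, str]:
    """Validate NotBefore/NotOnOrAfter the way a relying party does.

    The skew allowance widens the validity window on both sides; NotOnOrAfter
    is an exclusive bound, so an assertion is already invalid at that instant.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find(f"{{{SAML_ASSERTION_NS}}}Conditions")
    if cond is None:
        return False, "no Conditions element in assertion"
    now = parse_saml_time(now_utc)
    skew = timedelta(seconds=allowed_skew_seconds)
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    if now < not_before - skew:
        return False, f"not yet valid: NotBefore is {not_before - now} ahead of the relying party clock"
    if now >= not_on_or_after + skew:
        return False, f"expired: NotOnOrAfter passed {now - not_on_or_after} before the relying party clock"
    return True, "conditions satisfied"


if __name__ == "__main__":
    for skew in (0, 300):  # no allowance, then the 5 minutes the answer mentions
        print(f"skew={skew}s:", check_conditions(SAMPLE_ASSERTION, RELYING_PARTY_CLOCK, skew))
```

With the question's timestamps the assertion is rejected even with a 5-minute allowance, because the gap is over an hour; only bringing the clocks into sync (or an assertion issued relative to the correct time) makes the check pass.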