Error: "Authentication Error - Failed to validate the user" SSO login server time issue

	English	
Deutsch - Machine Translation Español - Machine Translation Français (France) - Machine Translation Italiano - Machine Translation 日本語 - Machine Translation 한국어 - Machine Translation Português (Brasil) - Machine Translation Русский - Machine Translation 简体中文 - Machine Translation

Support Note KB0395817

Issue

When trying to log in using single sign-on (SSO), I am getting the following error:

Authentication Error - Failed to validate the user. Please contact your administrator for further assistance.

The error log shows Failed to get Name id. Stack: ariba.util.saml.SAMLException: condition is not valid.

Resolution

Your ADFS server time should be in sync with SAP Ariba's server time. There are two possible solutions:

Increase the skew value (tolerance) on SAP Ariba using the Application.SamlConfiguration.ValidationClockSkew parameter. Set a value (in milliseconds) to be considered the tolerance in case of a server time mismatch. There is no limit on the higher value, and it can be set to a valid value that resolves the issue.
Sync your ADFS server using Network Time Protocol (NTP), so that the server time won't drift over time. Without NTP, all servers' time drifts.

Cause

The NameID is rejected by SAP Ariba due to the Active Directory Federation Services (ADFS) server time. An example error log in the user interface (UI) shows:

<Conditions NotBefore="2017-01-20T13:31:23.829Z" NotOnOrAfter="2017-01-20T14:31:23.829Z"><AudienceRestriction><Audience>http://realmname.procurement-eu.ariba.com</Audience></AudienceRestriction></Conditions>

Fri Jan 20 05:31:15 PST 2017 (T93:*:*:*:dlpjbk:C23_UI3:x0914) (user:WARN) [ID100007]: Failed to get Name id. Stack: ariba.util.saml.SAMLException: condition is not valid.

The condition that failed (copied from the Security Assertion Markup Language (SAML) response that was received in the above scenario) follows:

Note: Z refers to Zulu Time. Hence, you need to convert the time from Zulu to Pacific Standard Time (PST).

The SAML response reaches SAP Ariba eight seconds earlier than the Not Before condition, which causes the condition to return false and the login to fail.

Additional Information

If the error log includes Failed to get Name id. Stack: ariba.util.saml.SAMLException: org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key instead of the above condition not met, see Certificate Expired.

If you are instead getting the error Authentication Error - Authentication Failed, see Invalid SAML.

Applies To

Purchasing
Spend Visibility
Strategic Contracts
Strategic Sourcing
Supplier Information & Performance Management