A customer with an external Keycloak as identity provider saw tracebacks like this when trying to log in:

  File "/usr/lib/python3/dist-packages/saml2/validate.py", line 110, in validate_before
    "<= notbefore=%s" % (now_str, slack, not_before))
saml2.validate.ToEarly: Can't use response yet: (now=2023-40-10T11:40:01Z + slack=0) <= notbefore=2023-02-10T11:40:02.147Z

Root cause was a typo in python-pysaml2: https://github.com/IdentityPython/pysaml2/commit/4f0a45c361bbd46b1f56f468d4712c0ef9797c1b

As no user was able to log in, the pain was (very) high.
Version: 5.0-7 errata1024
Error:
Traceback (most recent call last):
  File "%PY3%/tornado/web.py", line 1595, in _execute
    result = yield result
  File "%PY3%/tornado/gen.py", line 1133, in run
    value = future.result()
  File "%PY3%/univention/management/console/saml.py", line 229, in get
    await acs(binding, message, relay_state)
  File "%PY3%/univention/management/console/saml.py", line 234, in attribute_consuming_service
    response = self.parse_authn_response(message, binding)
  File "%PY3%/univention/management/console/saml.py", line 321, in parse_authn_response
    response = self.sp.parse_authn_request_response(message, binding, self.outstanding_queries)
  File "%PY3%/saml2/client_base.py", line 702, in parse_authn_request_response
    binding, **kwargs)
  File "%PY3%/saml2/entity.py", line 1170, in _parse_response
    response = response.verify(keys)
  File "%PY3%/saml2/response.py", line 1018, in verify
    if self.parse_assertion(keys):
  File "%PY3%/saml2/response.py", line 930, in parse_assertion
    if not self._assertion(assertion, False):
  File "%PY3%/saml2/response.py", line 803, in _assertion
    if not self.condition_ok():
  File "%PY3%/saml2/response.py", line 593, in condition_ok
    validate_before(conditions.not_before, self.timeslack)
  File "%PY3%/saml2/validate.py", line 110, in validate_before
    "<= notbefore=%s" % (now_str, slack, not_before))
saml2.validate.ToEarly: Can't use response yet: (now=2024-40-19T18:40:23Z + slack=0) <= notbefore=2024-04-19T18:40:37Z
Role: domaincontroller_slave
Created attachment 11331: saml2-validate.patch
Wrong date settings on the server could be the cause for this issue. So the session created by Keycloak was in the future, but the server's date settings were behind.

root@ucs5primary:~# date
Di 7. Okt 06:29:42 CEST 2025

Setting the correct date/time for the server could fix this issue.

root@ucs5primary:~# rdate -n 10.200.30.1
Tue Oct 7 10:08:08 CEST 2025
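As an added example (not pysaml2's code and not part of this bug report), the NotBefore check from the tracebacks with a clock-skew allowance: it reproduces both the lagging-SP-clock case from the comment above and the month field reading 40 in the tracebacks, which the example assumes is a %M-for-%m mix-up in the error's timestamp format (the linked commit is the authority on the actual typo). The slack parameter stands in for pysaml2's accept_time_diff setting.

```python
"""Added example, not pysaml2's own code: the SAML NotBefore check with a
clock-skew allowance, showing the two failure modes seen in this thread."""
from datetime import datetime, timedelta, timezone

# Correct UTC xs:dateTime layout, as in the 'notbefore=' values above.
TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
# Assumed reproduction of the typo: %M (minute) where %m (month) belongs,
# which turns 11:40 into a "month" of 40 exactly as the tracebacks show.
TYPO_FORMAT = "%Y-%M-%dT%H:%M:%SZ"


class ToEarly(Exception):
    """Raised when the assertion's NotBefore still lies in the future."""


def parse_saml_instant(value: str) -> datetime:
    """Parse a UTC instant like 2023-02-10T11:40:02.147Z (fraction optional)."""
    if not value.endswith("Z"):
        raise ValueError("only UTC ('Z') instants are handled here: %r" % value)
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def validate_before(not_before: str, now: datetime, slack: int = 0,
                    fmt: str = TIME_FORMAT) -> bool:
    """Accept only if now + slack >= NotBefore; 'slack' plays the role of
    pysaml2's accept_time_diff (seconds)."""
    nbefore = parse_saml_instant(not_before)
    if nbefore > now + timedelta(seconds=slack):
        raise ToEarly("Can't use response yet: (now=%s + slack=%d) <= notbefore=%s"
                      % (now.strftime(fmt), slack, not_before))
    return True


def check_skew(not_before: str, now: datetime, slack: int,
               fmt: str = TIME_FORMAT) -> str:
    """Return 'ok' or the ToEarly message, so the effect of slack is visible."""
    try:
        validate_before(not_before, now, slack, fmt)
        return "ok"
    except ToEarly as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed times modelled on the first traceback: SP clock ~1 s behind the IdP.
    now = datetime(2023, 2, 10, 11, 40, 1, tzinfo=timezone.utc)
    nb = "2023-02-10T11:40:02.147Z"
    print(check_skew(nb, now, 0))               # rejected with slack=0
    print(check_skew(nb, now, 0, TYPO_FORMAT))  # month field reads 40
    print(check_skew(nb, now, 60))              # accepted with 60 s slack
```

A skew of one second is enough to lock every user out with slack=0, so fixing the server clock (as above) or allowing a small, bounded time difference are the two defender-side remedies.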
Changed user pain because a knowledge base article is available: https://help.univention.com/t/problem-saml-login-fails-saml2-validate-toearly/24394