If the Okta Access Gateway's clock is out of sync, one of the following errors will be shown:
- Caused by: SimpleSAML\Error\Exception: Received an Assertion that Is Valid in the Future. Check Clock Synchronization on IdP and SP
- Caused by: SimpleSAML\Error\Exception: Error validating SubjectConfirmation in Assertion: NotOnOrAfter in SubjectConfirmationData is in the past
- Okta Access Gateway (OAG)
If the Okta Access Gateway's clock skew is more than 3 or 5 minutes, an error will be displayed, and users will not be able to authenticate.
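The following is an added example, not Okta or SimpleSAMLphp code. It shows why a gateway clock that runs behind produces the "valid in the future" error and one that runs ahead produces the "NotOnOrAfter ... in the past" error. The assertion fragment, the function name `check_time_window` and the `allowed_skew` parameter are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an assertion issued at 12:00:00Z with a 5-minute window.
# Real input is untrusted: verify the signature and use a hardened XML parser first.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z"
                   NotOnOrAfter="2024-05-01T12:05:00Z"/>
</saml:Assertion>
"""

def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_time_window(assertion_xml, sp_now, allowed_skew):
    """Return 'not_yet_valid', 'expired' or 'ok' as seen from the SP's clock."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    scd = root.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    not_before = cond.get("NotBefore") if cond is not None else None
    not_on_or_after = scd.get("NotOnOrAfter") if scd is not None else None
    # SP clock behind the IdP: the assertion appears to start in the future.
    if not_before and sp_now + allowed_skew < _ts(not_before):
        return "not_yet_valid"
    # SP clock ahead of the IdP: the confirmation window appears already closed.
    if not_on_or_after and sp_now - allowed_skew >= _ts(not_on_or_after):
        return "expired"
    return "ok"

if __name__ == "__main__":
    issued = _ts("2024-05-01T12:00:00Z")
    skew = timedelta(minutes=3)  # assumed tolerance for this demonstration
    for offset in (-10, -2, 0, 2, 10):  # SP clock error in minutes
        result = check_time_window(
            SAMPLE_ASSERTION, issued + timedelta(minutes=offset), skew)
        print(f"SP clock {offset:+d} min -> {result}")
```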
From the OAG management console (SSH to the server), select the following options: 2(services) > 3(NTP) > 5(Check status).
- If the current date and time are off, then change it (6 Set system time).
- If the service is not running, try starting it (2 Start chronyd).
- If the polling values are zeroed out, then the gateway is most likely not getting a response from the Network Time Protocol (NTP) server, so check with the networking team.
The NTP service works by adjusting the clock in very small increments. If the clock is off by a large amount of time, it is best to manually update it in the management console or restart the service (if NTP is working):
- Set the time:
  - 2(services) > 3(NTP) > 6(Set System Time)
- Restart the service:
  - 2(services) > 3(NTP) > 4(Restart chronyd)
