Problem
When you attempt to log in to Terraform Enterprise using SAML, the login fails with the following error message in the user interface:
An error occurred. Please contact your TFE Administrator for further information.
The application logs may show a more specific error:
ERROR: Current time is earlier than NotBefore condition (YYYY-MM-DD HH:MM:SS UTC < YYYY-MM-DD HH:MM:SS UTC)
Cause
This error occurs when the system time on the Terraform Enterprise server and the SAML Identity Provider (IdP) server are not synchronized. Even a small time difference, including milliseconds, can cause the SAML assertion to be considered invalid, leading to authentication failure.
Solutions
There are two primary solutions to resolve this issue. You may need to apply one or both depending on your environment.
Solution 1: Synchronize System Time on the Terraform Enterprise Host
Ensure that the Network Time Protocol (NTP) is active and synchronized on the Terraform Enterprise host to maintain accurate system time.
- Check the current time, date, and NTP synchronization status by running the timedatectl command.

$ timedatectl
      Local time: Thu 2020-12-10 20:29:19 UTC
  Universal time: Thu 2020-12-10 20:29:19 UTC
        RTC time: Thu 2020-12-10 20:29:19
       Time zone: Etc/UTC (UTC, +0000)
 Network time on: yes
NTP synchronized: yes
 RTC in local TZ: no

In the output, verify that "Network time on:" and "NTP synchronized:" are both set to "yes".

- If network time is disabled or NTP is not synchronized, enable it with the following command.

$ sudo timedatectl set-ntp on
You will also need to confirm with your SAML administrator that the IdP server's time is synchronized correctly, since the NotBefore timestamp in the assertion is stamped by the IdP's clock.
Solution 2: Adjust ADFS NotBeforeSkew Setting
If you use Active Directory Federation Services (ADFS) as your IdP, you can configure a time skew to allow for minor time differences between servers.
Set the NotBeforeSkew property in ADFS to 1 minute. If this value is set to 0, even minuscule time differences can cause authentication to fail.
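To illustrate why a sub-second clock difference fails with a skew of 0 and passes with a 1-minute skew, here is an added example (not Terraform Enterprise or ADFS code) that validates the NotBefore/NotOnOrAfter window of a constructed SAML Conditions element; the timestamps, the check_conditions function and the 500 ms offset are assumptions chosen for the demonstration.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Constructed sample: a minimal <saml:Conditions> element as an IdP would emit it,
# stamped with the IdP's clock (including fractional seconds).
SAMPLE_CONDITIONS = (
    '<saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'NotBefore="2020-12-10T20:29:20.500Z" NotOnOrAfter="2020-12-10T20:34:20.500Z"/>'
)


def parse_saml_time(value):
    """Parse an xs:dateTime in UTC ('Z'); fractional seconds are optional."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_conditions(conditions_xml, now, skew=timedelta(0)):
    """Return (ok, message) for the assertion's validity window.

    'skew' widens the window on both ends, the way the ADFS NotBeforeSkew
    setting tolerates small clock differences between IdP and service provider.
    With skew=0 the service provider's clock must not be even 1 ms behind the IdP.
    """
    root = ET.fromstring(conditions_xml)
    not_before = parse_saml_time(root.attrib["NotBefore"])
    not_on_or_after = parse_saml_time(root.attrib["NotOnOrAfter"])
    if now < not_before - skew:
        return False, f"Current time is earlier than NotBefore condition ({now} < {not_before})"
    if now >= not_on_or_after + skew:
        return False, f"Current time is at or past NotOnOrAfter condition ({now} >= {not_on_or_after})"
    return True, "assertion time window OK"


# The service provider's clock runs 500 ms behind the IdP clock that stamped NotBefore.
SP_CLOCK = datetime(2020, 12, 10, 20, 29, 20, tzinfo=timezone.utc)

if __name__ == "__main__":
    # Skew 0: fails exactly as the TFE log line describes.
    print(check_conditions(SAMPLE_CONDITIONS, SP_CLOCK))
    # Skew of 1 minute: the same assertion is accepted.
    print(check_conditions(SAMPLE_CONDITIONS, SP_CLOCK, skew=timedelta(minutes=1)))
```

The skew only masks small drift; keeping NTP synchronized on both hosts (Solution 1) remains the real fix, because an assertion whose NotOnOrAfter has already passed is still rejected.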
Additional Information
- For more details on ADFS settings, refer to the IBM documentation on troubleshooting ADFS.