01-28-2026 03:52 PM
On the FPR-2110 we may be experiencing an issue with time synchronization that might be preventing SAML auth.
In system support diagnostic-cli the clock appears to be several minutes off.
When I show time from a regular cli prompt, time shows correct.
Time is set to sync via NTP from Management Center, which looks to be correct.
> show time
UTC - Wed Jan 28 23:01:35 UTC 2026
> system support diagnostic-cli
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
PPFTD-01> en
Password:
PPFTD-01# show clock
22:54:31.228 UT
Health Monitor shows the following faults:
Platform Faults
Jan 28, 2026 4:49 PM
2 Major Events
Code - F0853; Occurrence - 1; Time - 2025-03-12T00.18.45.390; Description - FDM Keyring's certificate is invalid
We are attempting to enable SAML auth against Azure. It fails. Below is debug output from:
debug webvpn saml 255
Jan 28 22:21:22 [SAML] get_validity: Assertion validity: NotBefore:2026-01-28T22:24:19.244Z NotOnOrAfter:2026-01-28T23:29:19.244Z
Jan 28 22:21:22 [SAML] saml_util_check_expiration: Processing time values:
raw NotBefore: 22:24:19 UTC Jan 28 2026
raw NotOnOrAfter: 23:29:19 UTC Jan 28 2026
clock skew: 0
timeout: 0
Jan 28 22:21:22 [SAML] saml_util_check_expiration: Effective time values :
adjusted NotBefore: 22:24:19 UTC Jan 28 2026
adjusted NotOnOrAfter: 23:29:19 UTC Jan 28 2026
current time: 22:21:22 UTC Jan 28 2026
Jan 28 22:21:22 [SAML] saml_util_check_expiration: Assertion not yet valid.
Current time: 22:21:22 UTC Jan 28 2026
adjusted NotBefore: 22:24:19 UTC Jan 28 2026
Jan 28 22:21:22 [SAML] consume_assertion: assertion is expired or not valid
[saml] webvpn_login_primary_username: SAML assertion validation failed
saml_get_ac_token_data: Passed SAML token is NULL
Basically, it appears that time drift is preventing SAML auth? I also can't figure out why time doesn't agree depending upon how I check it.
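The debug output above gives everything needed to see why the assertion is rejected: the firewall's own clock (22:21:22) is earlier than the assertion's NotBefore (22:24:19), and with "clock skew: 0" the adjusted window equals the raw one, so the check fails as "not yet valid". The following is an added example (not Cisco code and not from the original post) that parses those debug lines, measures how far the clock sits before NotBefore, and re-runs the validity check with a configurable skew allowance. The way the skew widens the window on both ends is an assumption modelled on the raw-versus-adjusted lines in the log, not a description of how the ASA/FTD code does it.

```python
"""Parse the 'debug webvpn saml 255' timestamps and replay the validity check.

Added example, not Cisco code. The adjusted-window logic (NotBefore moved
earlier and NotOnOrAfter moved later by the skew) is an assumption based on
the 'raw' vs 'adjusted' lines in the debug output.
"""
import re
from datetime import datetime, timedelta, timezone

# Lines copied from the "debug webvpn saml 255" output posted in the thread.
DEBUG_OUTPUT = """\
Jan 28 22:21:22 [SAML] saml_util_check_expiration: Processing time values:
raw NotBefore: 22:24:19 UTC Jan 28 2026
raw NotOnOrAfter: 23:29:19 UTC Jan 28 2026
clock skew: 0
timeout: 0
current time: 22:21:22 UTC Jan 28 2026
"""

TS_FORMAT = "%H:%M:%S UTC %b %d %Y"
FIELDS = {
    "not_before": re.compile(r"raw NotBefore:\s+(.*)"),
    "not_on_or_after": re.compile(r"raw NotOnOrAfter:\s+(.*)"),
    "now": re.compile(r"current time:\s+(.*)", re.IGNORECASE),
}
SKEW_RE = re.compile(r"clock skew:\s+(\d+)")


def parse_ts(text):
    """Turn '22:24:19 UTC Jan 28 2026' into an aware UTC datetime."""
    return datetime.strptime(text.strip(), TS_FORMAT).replace(tzinfo=timezone.utc)


def parse_debug(output):
    """Pull the three timestamps and the configured skew out of the debug text."""
    found = {}
    for line in output.splitlines():
        for key, rx in FIELDS.items():
            m = rx.search(line)
            if m and key not in found:
                found[key] = parse_ts(m.group(1))
        m = SKEW_RE.search(line)
        if m:
            found["skew"] = int(m.group(1))
    missing = {"not_before", "not_on_or_after", "now"} - found.keys()
    if missing:
        raise ValueError(f"debug output lacks: {sorted(missing)}")
    found.setdefault("skew", 0)
    return found


def check_assertion(not_before, not_on_or_after, now, skew_seconds=0):
    """Return (accepted, reason) for the assertion's validity window.

    The window is widened by the skew on both ends (assumed semantics);
    with skew 0 the adjusted values equal the raw ones, as in the log.
    """
    tolerance = timedelta(seconds=skew_seconds)
    adjusted_not_before = not_before - tolerance
    adjusted_not_on_or_after = not_on_or_after + tolerance
    if now < adjusted_not_before:
        early = int((adjusted_not_before - now).total_seconds())
        return False, f"not yet valid: {early}s early"
    if now >= adjusted_not_on_or_after:
        return False, "expired"
    return True, "valid"


def drift_seconds(parsed):
    """Seconds by which the firewall's clock precedes the assertion's NotBefore."""
    return int((parsed["not_before"] - parsed["now"]).total_seconds())


if __name__ == "__main__":
    p = parse_debug(DEBUG_OUTPUT)
    print("firewall clock precedes NotBefore by", drift_seconds(p), "s")
    for skew in (p["skew"], 180, 300):
        result = check_assertion(p["not_before"], p["not_on_or_after"], p["now"], skew)
        print(f"skew={skew:>3}s -> {result}")
```

Running this against the posted output reports a 177 s gap and a rejection at skew 0, and shows that an allowance of three minutes or more would have accepted this particular assertion. The real fix is still to get the LINA clock back in sync, since a skew allowance only masks the drift and widens the replay window on every assertion.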
01-28-2026 11:32 PM
- @davparker Review these bug reports : https://bst.cloudapps.cisco.com/bugsearch?pf=prdNm&prdNam=Cisco%20Firepower%202110%20Security%20Appliance&kw=FDM%20Keyring%27s%20certificate%20is%20invalid%20F0853%20certificate%20is%20invalid&bt=custV&sb=anfr
M.
01-29-2026 10:04 AM
We are actually close to replacing this firewall. Doing some MFA testing in the meantime. Trying to avoid upgrading unless necessary.
01-29-2026 11:49 AM
Hey Mark,
I did check out the bugs. This device is managed by FMC.
According to bug CSCvk26612
01-29-2026 03:51 AM - edited 01-29-2026 03:51 AM
Hi,
@davparker Can you ensure the timezone is UTC, as validity time seen in the assertion is in UTC:
You perform changes via Platform Settings:
Thanks,
Cristian.
01-29-2026 09:59 AM
When I ssh into FTD and issue "show time" it shows the correct current time in UTC format. The Platform settings do specify CST-6 for the FTD appliance. When I test auth to VPN it shows the validity period beginning several minutes into the future and not the 6 hour offset. When I 'connect fxos' and 'show clock' the time is UTC but the time is offset by what looks like the same several minutes behind as shown in the same debug webvpn saml 255 output. Weird. I could try changing the Timezone. I'm not sure what impact that will have. We don't currently have any time based rules.
debug webvpn saml 255
Jan 28 22:21:22 [SAML] get_validity: Assertion validity: NotBefore:2026-01-28T22:24:19.244Z NotOnOrAfter:2026-01-28T23:29:19.244Z
Jan 28 22:21:22 [SAML] saml_util_check_expiration: Processing time values:
raw NotBefore: 22:24:19 UTC Jan 28 2026
raw NotOnOrAfter: 23:29:19 UTC Jan 28 2026
clock skew: 0
timeout: 0
Jan 28 22:21:22 [SAML] saml_util_check_expiration: Effective time values :
adjusted NotBefore: 22:24:19 UTC Jan 28 2026
adjusted NotOnOrAfter: 23:29:19 UTC Jan 28 2026
current time: 22:21:22 UTC Jan 28 2026
Jan 28 22:21:22 [SAML] saml_util_check_expiration: Assertion not yet valid.
Current time: 22:21:22 UTC Jan 28 2026
adjusted NotBefore: 22:24:19 UTC Jan 28 2026
Jan 28 22:21:22 [SAML] consume_assertion: assertion is expired or not valid
[saml] webvpn_login_primary_username: SAML assertion validation failed
saml_get_ac_token_data: Passed SAML token is NULL
01-30-2026 06:53 AM
So, I did try changing the Timezone to UTC. It didn't change anything. After extensive t-shooting with TAC it appears that the LINA side is experiencing a time drift. It is odd. Logging into FTD and inputting show clock shows correct time. Connect fxos and show clock displays correct time. Connecting to system support diagnostic-cli and show clock displays time that is behind. Time is set to sync from FMC which is on current time. No other firewalls are impacted. TAC couldn't figure out why the LINA side is out of sync. We may just put this on the back burner since we are close to migrating that firewall to new hardware.
01-30-2026 12:29 PM
Hi,
@davparker Thanks for reaching back, obviously a bug. Before closing, ask TAC to open a bug on this, ideally get RCA and possible WA's attached to the bug.
Thank you,
Cristian.
02-18-2026 07:48 AM
You know I tried but they just wanted me to do the workaround, rebooting and failing over. That did work for now. Azure MFA is working. We are working towards replacing the 2110s with 3105s so this hopefully will become a non-issue.