Error: "Current time is earlier than NotBefore condition"
This error can occur when there's too large of a time difference between your IdP and GitHub Enterprise Cloud, which commonly occurs with self-hosted IdPs.
If you encounter this error, make sure the time on your IdP is properly synced with your NTP server.
If you use ADFS as your IdP, also set NotBeforeSkew
in ADFS to 1 minute for GitHub. If NotBeforeSkew
is set to 0, even very small time differences, including milliseconds, can cause authentication problems.
Users are repeatedly redirected to authenticate
If users are repeatedly redirected to the SAML authentication prompt in a loop, you may need to increase the SAML session duration in your IdP settings.
The SessionNotOnOrAfter
value sent in a SAML response determines when a user will be redirected back to the IdP to authenticate. If a SAML session duration is configured for 2 hours or less, GitHub will refresh a SAML session 5 minutes before it expires. If your session duration is configured as 5 minutes or less, users can get stuck in a SAML authentication loop.
To fix this problem, we recommend configuring a minimum SAML session duration of 4 hours. For more information, see SAML configuration reference.