AD FS SSO changes following November 2015 Arctera Unified Platform release

Article ID: 100031501

Description

AD FS SSO changes in November 2015 Arctera Unified Platform release

From the November 2015 quarterly release, Arctera Unified Platform takes into account the date and time that the NotBefore and NotOnOrAfter conditions specify in SAML 2.0 assertions during single sign-on (SSO).
The NotBefore value is the time from the AD FS server. If this time is ahead of the time on the Arctera Unified Platform authorization server, SSO logins will fail. To ensure that SSO continues to function, we recommend that you set the NotBeforeSkew condition to allow for time discrepancies.
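
The following added example models the check described above; it is not Arctera or AD FS code. It assumes a relying party that applies no tolerance of its own, and an identity provider that backdates NotBefore by the configured skew. The timestamps, the 60-minute lifetime and the function names are constructed for the illustration.

```python
# Added illustration: models a relying party's Conditions check (not vendor code).
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

FMT = "%Y-%m-%dT%H:%M:%SZ"


def issue_conditions(idp_now, not_before_skew_min=0, lifetime_min=60):
    """Build a SAML 2.0 <Conditions> element as the IdP would: NotBefore is
    backdated by the skew; NotOnOrAfter is not changed by it."""
    not_before = idp_now - timedelta(minutes=not_before_skew_min)
    not_on_or_after = idp_now + timedelta(minutes=lifetime_min)  # assumed lifetime
    return (
        '<saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'NotBefore="{not_before.strftime(FMT)}" '
        f'NotOnOrAfter="{not_on_or_after.strftime(FMT)}"/>'
    )


def _parse(ts):
    return datetime.strptime(ts, FMT).replace(tzinfo=timezone.utc)


def check_conditions(conditions_xml, sp_now):
    """Strict validity-window check against the relying party's own clock."""
    el = ET.fromstring(conditions_xml)
    if sp_now < _parse(el.get("NotBefore")):
        return "rejected: not yet valid"
    if sp_now >= _parse(el.get("NotOnOrAfter")):
        return "rejected: expired"
    return "accepted"


# Constructed scenario: the IdP clock runs 20 seconds ahead of the relying party.
SP_NOW = datetime(2015, 11, 16, 9, 0, 0, tzinfo=timezone.utc)
IDP_NOW = SP_NOW + timedelta(seconds=20)


def demo():
    return {
        "skew_0_min": check_conditions(issue_conditions(IDP_NOW, 0), SP_NOW),
        "skew_1_min": check_conditions(issue_conditions(IDP_NOW, 1), SP_NOW),
        # The skew only moves the start of the window; expiry is still enforced.
        "presented_61_min_later": check_conditions(
            issue_conditions(IDP_NOW, 1), SP_NOW + timedelta(minutes=61)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The skew widens the window in which an assertion is accepted, so keep it close to the clock drift actually observed between the two servers.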

AD FS 2.0 steps to set up NotBeforeSkew

The following steps need to be performed on the AD FS server to ensure SSO will function in the case of server time mismatch.

  1. Retrieve the name of the Relying Party Trust created to set up SSO for Arctera Unified Platform:
    1. Open AD FS 2.0 Management.
    2. Expand Trust Relationships and click on Relying Party Trusts.
    3. Note the Display Name for the Relying Party Trust for Arctera Unified Platform.
  2. Open PowerShell.
  3. Run the following command to add the AD FS snap-in to your PowerShell session:
    Add-PSSnapin Microsoft.Adfs.Powershell
  4. Run the following command to set the NotBeforeSkew:
    Get-ADFSRelyingPartyTrust -Name "displayname for your Arctera Unified Platform relying party trust" | Set-ADFSRelyingPartyTrust -NotBeforeSkew "Numeric value for time in minutes"

AD FS 2.1 steps to set up NotBeforeSkew

The following steps need to be performed on the AD FS server to ensure SSO will function in the case of server time mismatch.

  1. Retrieve the name of the Relying Party Trust created to set up SSO for Arctera Unified Platform:
    1. Open AD FS Management.
    2. Expand Trust Relationships and click on Relying Party Trusts.
    3. Note the Display Name for the Relying Party Trust for Enterprise Vault.cloud.
  2. Open PowerShell.
  3. Run the following command to set the NotBeforeSkew:
    Get-ADFSRelyingPartyTrust -Name "displayname for your Arctera Unified Platform relying party trust" | Set-ADFSRelyingPartyTrust -NotBeforeSkew "Numeric value for time in minutes"

AD FS 3.0 steps to set up NotBeforeSkew

The following steps need to be performed on the AD FS server to ensure SSO will function in the case of server time mismatch.

  1. Retrieve the name of the Relying Party Trust created to set up SSO for Arctera Unified Platform:
    1. Open AD FS Management.
    2. Expand Trust Relationships and click on Relying Party Trusts.
    3. Note the Display Name for the Relying Party Trust for Arctera Unified Platform.
  2. Open PowerShell.
  3. Run the following command to set the NotBeforeSkew:
    Get-ADFSRelyingPartyTrust -Name "displayname for your Arctera Unified Platform relying party trust" | Set-ADFSRelyingPartyTrust -NotBeforeSkew "Numeric value for time in minutes"

Resolution

To set NotBeforeSkew, follow the appropriate instructions in this article for your version of AD FS.
Any time discrepancy is likely to be a matter of seconds; however, this can vary. The NotBeforeSkew should be set to a minimum value of 1 minute. Please see the attachment if the PowerShell commands listed in this article have been translated.

Attachments

Alta%20Archiving%20SSO%20ChangesNov2015.pdf