Netscaler firmware 10.5 and above, provides you with the capability to use it as a SAML Identity Provider (Idp).
SAML (Security Assertion Markup Language) is an Extensible Markup Language (XML) standard that allows a user to log on once for affiliated but separate Web sites.

When your Netscaler is acting as a SAML Idp to protect a specific service, the user request will be authenticated against the Netscaler to get a assertion.

It basically works this way: The user enters his/hers LDAP credentials, the Netscaler validates those against the defined LDAP server, and resturns the user SAML token when authentication is succesfull, and finally access to the resource in question is provided.

Anyway, when configuring the Netscaler as a SAML SP, you may want to ensure that time difference between your Netscaler and SAML Idp does not affect the validation of the SAML token, otherwise the following error may be returned:

Invalid time in the Message sent by the Peer. Please ensure time synchronization between Netscaler and the Peer

It could be a good idéa to make sure that your Netscaler is configured using the right NTP servers. if that doesn’t help then try the following…

The above error occur when the Netscaler denies a SAML token that does not fall within the token valid time interval, and there is unfortunately nothing you can do on Netscaler side to prevent this from happening.

So, the solution for this kind of issues is to configure your SAML Idp to allow relaxation regarding time differences between the Netscaler and the SAML Idp, by reconfiguring the “NotBeforeSkew” timeout from “0” to “a value between 1 to 5”. I will suggest starting with 1 minute and test.

By doing this you are reconfiguring your SAML token time interval to be relaxed by 1 minute in the past, and the above error may disappear for good.


From your ADFS server, start Powershell as administrator, and type the following to add the required ADFS snapin

Get-ADFSRelyingPartyTrust -Identifier “The SAML SP identifier You Are Using”

Check the ADFS RPT identifier properties by entering the following
GetADFSRelyingPartyTrust Identifier “The SAML SP identifier You Are Using”
Note that per default the value of “NotBeforeSkew” is “0”. Now, type the following to change it to 1 minute

SetADFSRelyingPartyTrust TargetIdentifier “The SAML SP identifier You Are Using” NotBeforeSkew 1

Verify that the value has changed by entering the following again

GetADFSRelyingPartyTrust Identifier “The SAML SP identifier You Are Using”

That’s it 🙂