Getting a SAML response is not yet valid error in Grist with Authentik

Hello! I hope I’m not making a very obvious mistake, but while trying to setup SAML auth in Grist with my instance of Authentik, I’m getting this error after performing the log-in flow:

SAML Response is not yet valid.

My environment is configured like this, in addition to the GRIST_DOCS_MINIO_SECRET_KEY, TYPEORM_PASSWORD, GRIST_SAML_IDP_CERTS, GRIST_SAML_SP_KEY, GRIST_SAML_SP_CERT environment variables:

    "GRIST_SESSION_SECRET"        = random_id.grist_session_secret.hex
    "GRIST_SANDBOX_FLAVOR"        = "gvisor"
    "APP_HOME_URL"                = "https://${}"
    "GRIST_SINGLE_ORG"            = "jenyus"
    "GRIST_DEFAULT_EMAIL"         = ""
    "TYPEORM_TYPE"                = "postgres"
    "TYPEORM_DATABASE"            =
    "TYPEORM_USERNAME"            =
    "TYPEORM_HOST"                = "postgres.default"
    "REDIS_URL"                   = "redis://${module.redis.redis_namespace_host}:6379"
    "GRIST_DOCS_MINIO_ACCESS_KEY" = minio_iam_service_account.grist.access_key
    "GRIST_DOCS_MINIO_ENDPOINT"   = var.s3_host
    "GRIST_DOCS_MINIO_BUCKET"     = minio_s3_bucket.grist.bucket
    "GRIST_SAML_SP_HOST"          = "https://${}"
    "GRIST_SAML_IDP_LOGIN"        = "${var.authentik_url}/application/saml/${authentik_application.grist.slug}/sso/binding/redirect/"
    "GRIST_SAML_IDP_LOGOUT"       = "${var.authentik_url}/if/session-end/${authentik_application.grist.slug}/"
    "TZ"                          = "Europe/Zurich"

I validated, that the .pem files exist and are valid. I have different certificates configured for Authentik’s signing request (self-signed certificate) and the verification certificate (new one for Grist) so it seems like it’s related to desync with container timezones maybe? Appreciate the help!

Hmm that does sound like a clock synchronization issue. We allow 5 seconds of skew:

If you are comfortable recompiling Grist, you could try increasing this number (and we should make it configurable).

Alternatively, you could be right that there is a timezone issue involved. I see a warning about this in Authentik’s documentation at docker-compose installation | authentik

Responding here to keep the thread active - I did some further debugging and tried setting the timezone to UTC, not setting at all, and checked out the Grist and Authentik logs. I wasn’t able to get any different outcomes from changing those parameters.

I can try to recompile Grist with a higher skew. But since I ran date in both containers and got the exact same output, I feel like the issue lies somewhere else.

I found the issue: I was using Terraform to create the Authentik SAML provider for Grist, which was setting different default values than the UI does.

One of those was the “Assertion not valid before” to minutes=3 which needs to be a negative number like minutes=-3. My Terraform config looks like this now:

resource "authentik_provider_saml" "grist_saml_provider" {
  name               = "grist-saml-provider"
  acs_url            = "https://${}/saml/assert"
  authorization_flow =
  sp_binding         = "post"
  signing_kp         =
  verification_kp    =
  property_mappings = concat(
  name_id_mapping               =
  assertion_valid_not_before    = "minutes=-3"
  session_valid_not_on_or_after = "minutes=86400"

After doing that, Grist was able to create my account, and give me access to the workspace. Important was just that I set GRIST_DEFAULT_EMAIL to the first mail account that logs in.

1 Like