I found the issue: I was using Terraform to create the Authentik SAML provider for Grist, which was setting different default values than the UI does. One of those was the "Assertion not valid before" field, set to `minutes=3`, which needs to be a negative number like `minutes=-3`. My Terraform config looks like this now:
```hcl
resource "authentik_provider_saml" "grist_saml_provider" {
  name               = "grist-saml-provider"
  acs_url            = "https://${var.host}/saml/assert"
  authorization_flow = data.authentik_flow.default_authorization_flow.id
  sp_binding         = "post"
  signing_kp         = data.authentik_certificate_key_pair.self_signed.id
  verification_kp    = data.authentik_certificate_key_pair.grist.id

  property_mappings = concat(
    data.authentik_property_mapping_saml.managed.ids,
    [
      data.authentik_property_mapping_saml.first_name.id,
      data.authentik_property_mapping_saml.last_name.id,
    ]
  )
  name_id_mapping = data.authentik_property_mapping_saml.uid.id

  # Must be negative: the offset is applied to the issue instant, so a positive
  # value makes every freshly issued assertion "not yet valid" at the SP.
  assertion_valid_not_before    = "minutes=-3"
  session_valid_not_on_or_after = "minutes=86400"
}
```
After doing that, Grist was able to create my account and give me access to the workspace. The important thing was just that I set `GRIST_DEFAULT_EMAIL` to the email address of the first account that logs in.
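As an added illustration (not code from the original post or from authentik), the following Python computes the SAML `Conditions` window from authentik-style offset strings and shows why a positive `assertion_valid_not_before` gets a freshly issued assertion rejected at the service provider. It assumes authentik's offset format is `unit=value` pairs separated by `;` (e.g. `hours=1;minutes=30`); the timestamps are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# Units accepted by datetime.timedelta; anything else is rejected rather than guessed.
_UNITS = {"weeks", "days", "hours", "minutes", "seconds", "milliseconds", "microseconds"}


def parse_timedelta_string(spec: str) -> timedelta:
    """Parse an authentik-style offset such as "minutes=-3" or "hours=1;minutes=30".
    Assumption: pairs are separated by ';' and each pair is <unit>=<int>."""
    kwargs = {}
    for pair in spec.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        unit, _, value = pair.partition("=")
        unit = unit.strip()
        if unit not in _UNITS:
            raise ValueError(f"unknown timedelta unit: {unit!r}")
        kwargs[unit] = int(value)
    return timedelta(**kwargs)


def assertion_window(issue_instant: datetime, not_before_spec: str, not_on_or_after_spec: str):
    """Return (NotBefore, NotOnOrAfter) as the IdP would stamp them, both relative to IssueInstant."""
    return (issue_instant + parse_timedelta_string(not_before_spec),
            issue_instant + parse_timedelta_string(not_on_or_after_spec))


def is_valid_at(window, sp_now: datetime) -> bool:
    """SAML Conditions check as an SP performs it: NotBefore <= now < NotOnOrAfter."""
    not_before, not_on_or_after = window
    return not_before <= sp_now < not_on_or_after


def check_not_before(spec: str):
    """Config lint: a positive NotBefore offset makes every new assertion unusable for that long.
    Returns a warning string, or None when the offset is zero or negative (clock-skew allowance)."""
    delta = parse_timedelta_string(spec)
    if delta > timedelta(0):
        return f"assertion_valid_not_before={spec!r} is positive: assertions rejected for {delta} after issue"
    return None


if __name__ == "__main__":
    issued = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed IssueInstant
    sp_now = issued + timedelta(seconds=30)                      # SP receives it 30 s later
    for spec in ("minutes=3", "minutes=-3"):
        window = assertion_window(issued, spec, "minutes=5")
        print(spec, "valid at SP:", is_valid_at(window, sp_now), "|", check_not_before(spec))
```

The negative offset also tolerates an SP clock that runs a couple of minutes behind the IdP, which the positive value does not.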