SAML depends on the clocks of all participating systems being in sync. Each assertion carries an IssueInstant and NotBefore/NotOnOrAfter conditions, and the service provider evaluates them against its own clock, so the identity provider (IDP) and the Web Security Service must share a common time reference. The Web Security Service proxies sync to atomic-clock (NTP) time sources for this reason. If the IDP's clock differs from that reference by more than 60 seconds in either direction, SAML authentication will fail.
To remedy the issue, check the IDP server's time and confirm that time synchronization is functioning. If time synchronization is not enabled on the IDP server, Blue Coat strongly recommends enabling it so the problem does not recur: without a sync source, the IDP's clock will drift, and once it is more than 60 seconds (plus or minus) away from atomic-clock time, users will start to receive "Account Restricted" messages. Bring the IDP's clock back in sync with an atomic-clock time source and the issue will self-heal; no other change is required.
For help syncing the Windows/IDP server, please see http://serverfault.com/questions/294787/how-do-i-force-sync-the-time-on-windows-server-2008-r2-domain-controller
On a Windows server, if a forced resync returns the error "The computer did not resync because no time data was available", switch to a different time server, restart the w32time (Windows Time) service, and then try the resync again.
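The following PowerShell script is an added example, not part of the Blue Coat article: it measures a Windows IDP server's clock offset against an NTP source with w32tm, and if the skew exceeds the 60-second SAML tolerance described above, it reconfigures the time source, restarts w32time and resyncs, falling back to a second peer list when w32tm reports that no time data was available. The peer names and the threshold constant are assumptions; run it in an elevated PowerShell session on the IDP server.

```powershell
# Added example (not from the Blue Coat article). Checks clock skew against an
# NTP source and resyncs if it exceeds the SAML tolerance. Run as Administrator.
$ReferencePeer  = 'time.windows.com'                 # assumption: any reachable NTP server
$FallbackPeers  = '0.pool.ntp.org,1.pool.ntp.org'    # assumption: used if the first peer returns no data
$MaxSkewSeconds = 60                                 # tolerance described in the article

function Get-ClockOffsetSeconds {
    param([string]$Peer)
    # With /dataonly, w32tm /stripchart prints one "HH:MM:SS, +00.0123456s" line per sample.
    $lines = w32tm /stripchart /computer:$Peer /samples:5 /dataonly 2>&1
    $offsets = foreach ($line in $lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No time data from $Peer (is UDP/123 reachable through the firewall?)" }
    # Use the median so a single bad sample does not skew the result.
    $sorted = $offsets | Sort-Object
    return $sorted[[math]::Floor($sorted.Count / 2)]
}

function Invoke-TimeResync {
    param([string]$Peers)
    # Point w32time at the given peers, restart the service, then force a resync.
    w32tm /config /manualpeerlist:"$Peers" /syncfromflags:manual /update | Out-Null
    Restart-Service w32time
    # /rediscover makes w32time redetect its sources; capture the message so the
    # "no time data was available" case can be handled by the caller.
    $result = w32tm /resync /rediscover 2>&1
    return ($result -join ' ')
}

$offset = Get-ClockOffsetSeconds -Peer $ReferencePeer
Write-Host ("Offset from {0}: {1:N3} s" -f $ReferencePeer, $offset)

if ([math]::Abs($offset) -gt $MaxSkewSeconds) {
    Write-Warning "Clock skew exceeds $MaxSkewSeconds s; SAML assertions will be rejected. Resyncing..."
    $msg = Invoke-TimeResync -Peers $ReferencePeer
    if ($msg -match 'no time data was available') {
        # The article's workaround: switch time servers, restart w32time, resync again.
        Write-Warning "Peer $ReferencePeer returned no time data; trying $FallbackPeers"
        $msg = Invoke-TimeResync -Peers $FallbackPeers
    }
    Write-Host $msg
    w32tm /query /status
} else {
    Write-Host "Clock is within tolerance; no resync needed."
}
```

The stripchart measurement is taken before any reconfiguration so you can record how far the IDP had drifted; an offset close to or beyond 60 seconds confirms that the "Account Restricted" messages are a time-sync problem rather than an account or policy problem.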