User will be getting the following error if he waits for 2 min on the login portal and attempt to login.

The SAML RelayState was invalid. The AuthN request may have expired. Try to authenticate again

The SAML RelayState was invalid. The AuthN request may have expired. Try to authenticate again

The client has setup SAML authentication in a reverse proxy environment

This is an expected behavior since the relay state timeout is 2 min by default. This can be changed using the below commands.

#(config)security saml edit-realm "realm name"

#(config saml test)relaystate-timeout "140"

Here's a sample output of a test realm

192.168.2.3 - Blue Coat SG-VA Series#(config saml test)view
  Realm name:                      test
  Display name:                    test
  Federated IDP entity ID:
  Federated IDP SLO POST URL:
  Federated IDP SSO POST URL:
  Federated IDP SSO Redirect URL:
  Federated IDP CCL:               bluecoat-appliance
  Realm Entity ID:
  SSL Device Profile Name:         default
  Not Before:                      60
  Not After:                       60
  RelayState Timeout:              140 <<<< Modified Relay state