When running Federation Services, it produces SAMLResponses whose timestamps fall outside the SAML Assertion "NotBefore" and "NotOnOrAfter" window, which appears to cause an error 500 on the SP side.
Policy Server 12.8SP5 on Red Hat 8
CA Access Gateway (SPS) 12.8SP5 on Red Hat 8
The AuthnInstant is not the time the assertion gets generated, but the time at which the user initiates the Federation journey (1).
In the SAML trace, the host.example.com server first reports a time more than 3 days earlier than expected, then suddenly jumps to the expected date and time.
SAML-traces.txt:
  "method": "GET",
  "url": "https://host.example.com/myApps",
  "get": [],
  "responseStatus": 301,
  "responseStatusText": "HTTP/1.1 301 Moved Permanently",
  "responseHeaders": [
    {
      "name": "Date",
      "value": "Wed, 20 Jan 2021 23:24:26 GMT"
  [...]
  "method": "GET",
  "url": "https://host.example.com/myApps/",
  "responseStatus": 200,
  "responseStatusText": "HTTP/1.1 200 OK",
      "name": "Date",
      "value": "Wed, 20 Jan 2021 23:24:33 GMT"
  [...]
  "method": "GET",
  "url": "https://host.example.com/myApps/servlet/myApps",
  "get": [],
  "responseStatus": 302,
      "name": "Date",
      "value": "Sun, 24 Jan 2021 07:13:42 GMT"
Ensure all machines stay continuously synchronized to the same date and time, and that the time services on these machines are working correctly. Consult the Operating System and network teams on this.
The date and time are not provided by the software itself but by the Operating System.
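The two checks below are an added example, not code from the product or from this article: the first reproduces the SP-side validation of the "NotBefore"/"NotOnOrAfter" window (with a small allowed skew, here assumed to be 2 minutes) against a constructed assertion stamped by the clock that was 3 days behind, and the second scans the Date headers from the trace above for jumps such as the one between the second and third requests.

```python
"""Clock-skew checks for the SAML timing issue described above (constructed sample data)."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed excerpt of a SAML 2.0 assertion whose Conditions were stamped by the
# IdP host while its clock still read 20 Jan; the SP validates it on 24 Jan.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed" IssueInstant="2021-01-20T23:24:33Z" Version="2.0">
  <saml:Conditions NotBefore="2021-01-20T23:24:33Z" NotOnOrAfter="2021-01-20T23:29:33Z"/>
  <saml:AuthnStatement AuthnInstant="2021-01-20T23:24:26Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    # SAML timestamps are xs:dateTime in UTC with a trailing Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now, skew=timedelta(minutes=2)):
    """Return the reasons an SP (clock = now) would reject the assertion's Conditions."""
    cond = ET.fromstring(xml_text).find("saml:Conditions", NS)
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    problems = []
    if now + skew < not_before:
        problems.append("assertion not yet valid")
    if now - skew >= not_on_or_after:
        problems.append("assertion expired")
    return problems


# Constructed copy of the Date headers in the order they appear in SAML-traces.txt
TRACE_DATES = ["Wed, 20 Jan 2021 23:24:26 GMT", "Wed, 20 Jan 2021 23:24:33 GMT",
               "Sun, 24 Jan 2021 07:13:42 GMT"]


def find_clock_jumps(date_headers, max_gap=timedelta(hours=1)):
    """Return (index, gap) for each pair of consecutive Date headers more than max_gap apart."""
    stamps = [parsedate_to_datetime(d) for d in date_headers]
    return [(i, b - a) for i, (a, b) in enumerate(zip(stamps, stamps[1:])) if abs(b - a) > max_gap]


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, parse_saml_time("2021-01-24T07:13:42Z")))
    print(find_clock_jumps(TRACE_DATES))
```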