When running Shibboleth as the SP federation service in combination with a SiteMinder IdP, Shibboleth may report the following error:
opensaml::SecurityPolicyException: Message expired, was issued too long ago
The error shows that the issue is on the SP side, as all IdP machines are time-synced. All machines on both the IdP and SP sides should be time-synchronized, as the Shibboleth documentation states (1).
In the Shibboleth logs, every one of these lines shows the same difference of 8 minutes and 47 seconds between the message timestamp and the newest allowed timestamp:
2021-03-27 09:17:36 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [14]: rejected not-yet-valid message, timestamp (1616833763), newest allowed (1616833236)
1616833763 : Sat, 27 Mar 2021 08:29:23 GMT
1616833236 : Sat, 27 Mar 2021 08:20:36 GMT
diff = 8 m 47 s
2021-03-27 09:18:43 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [14]: rejected not-yet-valid message, timestamp (1616833830), newest allowed (1616833303)
1616833830 : Sat, 27 Mar 2021 08:30:30 GMT
1616833303 : Sat, 27 Mar 2021 08:21:43 GMT
diff = 8 m 47 s
2021-03-27 09:20:59 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [5]: rejected not-yet-valid message, timestamp (1616833966), newest allowed (1616833439)
1616833966 : Sat, 27 Mar 2021 08:32:46 GMT
1616833439 : Sat, 27 Mar 2021 08:23:59 GMT
diff = 8 m 47 s
2021-03-27 10:20:59 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [14]: rejected not-yet-valid message, timestamp (1616837566), newest allowed (1616837039)
1616837566 : Sat, 27 Mar 2021 09:32:46 GMT
1616837039 : Sat, 27 Mar 2021 09:23:59 GMT
diff = 8 m 47 s
These log lines are emitted by the Shibboleth source code.
Make sure that the Shibboleth SP machines match the SiteMinder IdP side in date, time and time format.
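The comparison made by hand above can be scripted. The following Python is an added example, not part of the original article or of Shibboleth: it parses the "rejected not-yet-valid message" lines quoted above, converts both epoch values to GMT and checks whether every rejection exceeds the allowed window by the same amount, which is consistent with a fixed clock offset between hosts rather than individually delayed messages. The function names and the 2-second tolerance are assumptions.

```python
import re
from datetime import datetime, timezone

# The four rejections quoted in the article above.
LOG = """\
2021-03-27 09:17:36 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [14]: rejected not-yet-valid message, timestamp (1616833763), newest allowed (1616833236)
2021-03-27 09:18:43 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [14]: rejected not-yet-valid message, timestamp (1616833830), newest allowed (1616833303)
2021-03-27 09:20:59 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [5]: rejected not-yet-valid message, timestamp (1616833966), newest allowed (1616833439)
2021-03-27 10:20:59 ERROR OpenSAML.SecurityPolicyRule.MessageFlow [14]: rejected not-yet-valid message, timestamp (1616837566), newest allowed (1616837039)
"""

PATTERN = re.compile(
    r"rejected not-yet-valid message, timestamp \((\d+)\), newest allowed \((\d+)\)"
)


def gmt(epoch):
    """Render an epoch value the way the article lists it."""
    dt = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return dt.strftime("%a, %d %b %Y %H:%M:%S GMT")


def parse_rejections(text):
    """Return (issued, newest_allowed, excess_seconds) for each rejected message."""
    found = []
    for line in text.splitlines():
        m = PATTERN.search(line)
        if m:
            issued, allowed = int(m.group(1)), int(m.group(2))
            found.append((issued, allowed, issued - allowed))
    return found


def constant_excess(rejections, tolerance=2):
    """Return the shared excess in seconds if all rejections agree, else None."""
    excesses = [r[2] for r in rejections]
    if excesses and max(excesses) - min(excesses) <= tolerance:
        return min(excesses)
    return None


if __name__ == "__main__":
    rows = parse_rejections(LOG)
    for issued, allowed, excess in rows:
        print(f"{gmt(issued)} | {gmt(allowed)} | diff = {excess // 60} m {excess % 60} s")
    shared = constant_excess(rows)
    if shared is not None:
        print(f"all {len(rows)} rejections exceed the window by ~{shared} s: check time sync on SP and IdP hosts")
```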