When attempting to integrate SSO with DLP, you are presented with the following error in the localhost.log:
Caused by: org.springframework.security.authentication.CredentialsExpiredException: Authentication statement is too old to be used with value [YYYY-MM-DDT hh:mm:ssZ]
This is caused by a timestamp mismatch between the Service Provider (SP, in our case DLP Enforce) and the Identity Provider (IdP). In other words, the IdP (frequently seen with OKTA integrations) is creating a token whose authentication timestamp falls outside the timeframe DLP expects, so DLP throws the error.
The best course of action is to correct the server time mismatch between the IdP and SP. If both servers have the same timestamp and the error persists, you can sometimes overcome it with the configuration change below.
Modify the springSecurityContext.xml file. Under the bean id "webSSOprofileConsumer", change the definition from
<bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl" />
to the following:
<bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl">
<property name="maxAuthenticationAge" value="302400" />
</bean>
That property is measured in seconds, so 302400 corresponds to 3.5 days. See the link below for more information.
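The check behind that error, reproduced here as an added illustration in Python rather than the Spring Security SAML Java code that DLP Enforce actually runs: the SP takes the AuthnInstant from the assertion, works out how old it is by its own clock, and rejects the statement when that age exceeds maxAuthenticationAge. The default limit of 7200 seconds is assumed from Spring Security SAML's WebSSOProfileConsumerImpl (the article does not state it), the 302400 value is the one the article sets, and the sample timestamps are constructed. Function and class names are this example's own.

```python
from datetime import datetime, timezone

# Assumed default of maxAuthenticationAge in Spring Security SAML's
# WebSSOProfileConsumerImpl (2 hours); not stated in the article.
DEFAULT_MAX_AUTHENTICATION_AGE = 7200
# The value the article puts in springSecurityContext.xml (3.5 days).
ARTICLE_MAX_AUTHENTICATION_AGE = 302400


class CredentialsExpired(Exception):
    """Stand-in for Spring's CredentialsExpiredException."""


def parse_saml_instant(value: str) -> datetime:
    """Parse an xsd:dateTime such as 2024-01-15T10:20:30Z into an aware UTC datetime.

    datetime.fromisoformat only accepts a trailing 'Z' from Python 3.11 on,
    so the suffix is rewritten to +00:00 first.
    """
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    instant = datetime.fromisoformat(value)
    if instant.tzinfo is None:
        raise ValueError(f"AuthnInstant {value!r} carries no timezone")
    return instant.astimezone(timezone.utc)


def authentication_age_seconds(authn_instant: str, sp_now: datetime) -> float:
    """Age of the authentication statement as measured by the SP's clock.

    A negative age means the IdP's clock is ahead of the SP's, i.e. the
    statement appears to come from the future.
    """
    return (sp_now - parse_saml_instant(authn_instant)).total_seconds()


def evaluate_authentication_age(authn_instant: str, sp_now: datetime,
                                max_authentication_age: int = DEFAULT_MAX_AUTHENTICATION_AGE):
    """Return (accepted, age_seconds) for the given maxAuthenticationAge."""
    age = authentication_age_seconds(authn_instant, sp_now)
    return age <= max_authentication_age, age


def check_authentication_age(authn_instant: str, sp_now: datetime,
                             max_authentication_age: int = DEFAULT_MAX_AUTHENTICATION_AGE) -> float:
    """Raise the same complaint DLP logs when the statement is older than allowed."""
    accepted, age = evaluate_authentication_age(authn_instant, sp_now, max_authentication_age)
    if not accepted:
        raise CredentialsExpired(
            f"Authentication statement is too old to be used with value [{authn_instant}]"
        )
    return age


# Constructed sample: the SP (DLP Enforce) believes it is noon UTC on 2024-01-15.
SAMPLE_SP_NOW = parse_saml_instant("2024-01-15T12:00:00Z")

if __name__ == "__main__":
    # Constructed AuthnInstant values as the IdP would stamp them.
    samples = {
        "fresh login": "2024-01-15T11:30:00Z",
        "IdP clock 3 h behind SP": "2024-01-15T09:00:00Z",
        "IdP clock 5 min ahead of SP": "2024-01-15T12:05:00Z",
    }
    for label, instant in samples.items():
        for limit in (DEFAULT_MAX_AUTHENTICATION_AGE, ARTICLE_MAX_AUTHENTICATION_AGE):
            accepted, age = evaluate_authentication_age(instant, sp_now=SAMPLE_SP_NOW,
                                                        max_authentication_age=limit)
            verdict = "ok" if accepted else "too old"
            print(f"{label:28} max={limit:6d}s  age={age:8.0f}s  -> {verdict}")
```

Running it shows why the workaround helps only in one direction: an IdP clock that is behind the SP makes every assertion look old, and raising maxAuthenticationAge to 302400 masks that, whereas an IdP clock that is ahead yields a negative age that this check accepts. This example models only the AuthnInstant age test; to my understanding Spring SAML separately compares the response's IssueInstant against a much smaller skew allowance, so a clock that is ahead can still be rejected there. Widening the window also lengthens the time in which a previously issued assertion would be accepted, which is why fixing time synchronisation (NTP on both hosts) remains the first step.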