Tanzu login with SAML single sign on returns response is either too old or with a date in the future

Article ID: 421138


Products

VMware Tanzu Platform - Cloud Foundry

Issue/Introduction

This error is found on the UAA VM in the cf deployment, in the log file /var/vcap/sys/log/uaa.log. A similar error may be observed in the web browser during sign-on.

[2025-12-02T17:37:01.532652Z] uaa - 12 [https-jsse-nio-8443-exec-48] - [...] .... DEBUG --- SAMLAuthenticationProvider: Error validating SAML message
org.opensaml.common.SAMLException: Response issue time is either too old or with date in the future, skew 60, time 2025-12-02T17:32:57.031Z
        at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:162) ~[spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]

Environment

Tanzu Elastic Runtime UAA

Tanzu Foundation Core UAA 

 

Resolution

During single sign-on authentication, the user is redirected to the defined SAML identity provider. After successful authentication, the SAML provider returns a response and redirects the browser back to Tanzu UAA, which interprets the response. UAA returns an HTTP error if the SAML response timestamp is not within the current time window of 60 seconds.

 

Here are some things to check:

  • Check whether any of the BOSH-deployed VMs have a clock skew issue. If there is a skew on the UAA VMs, you may need to review the BOSH Director NTP settings.
    • bosh -d cf-GUID ssh -rc "date"
  • Check with your SAML identity provider hosts for possible NTP configuration issues. In some cases a single host could have a clock skew, which will cause intermittent errors. How to check for this will be vendor specific.
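
To help with both checks, the following added example (not part of the original article or of UAA) scans uaa.log text for this exception and reports how far each rejected response's issue time is from the UAA log timestamp, and in which direction. The function names are hypothetical; the first sample entry is the excerpt above and the second is constructed.

```python
import re
from datetime import datetime, timezone

# Sample input: the first entry is the excerpt from this article,
# the second entry is constructed for illustration.
SAMPLE_LOG = """\
[2025-12-02T17:37:01.532652Z] uaa - 12 [https-jsse-nio-8443-exec-48] - [...] .... DEBUG --- SAMLAuthenticationProvider: Error validating SAML message
org.opensaml.common.SAMLException: Response issue time is either too old or with date in the future, skew 60, time 2025-12-02T17:32:57.031Z
        at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:162)
[2025-12-02T17:40:10.000000Z] uaa - 12 [https-jsse-nio-8443-exec-7] - [...] .... DEBUG --- SAMLAuthenticationProvider: Error validating SAML message
org.opensaml.common.SAMLException: Response issue time is either too old or with date in the future, skew 60, time 2025-12-02T17:42:15.500Z
"""

STAMP = r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?)Z"
LOG_TS = re.compile(r"^\[" + STAMP + r"\]")
ISSUE = re.compile(
    r"SAMLException: Response issue time is either too old or with date "
    r"in the future, skew (\d+), time " + STAMP)

def _utc(text):
    """Parse a UTC timestamp with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in text else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)

def find_skew_errors(lines):
    """Return one dict per rejected response; offset_s = UAA log time - issue time."""
    results, last_ts = [], None
    for line in lines:
        m = LOG_TS.match(line)
        if m:  # remember the timestamp of the most recent log entry
            last_ts = _utc(m.group(1))
        m = ISSUE.search(line)
        if m and last_ts is not None:
            issued = _utc(m.group(2))
            offset = (last_ts - issued).total_seconds()
            results.append({
                "logged": last_ts, "issued": issued,
                "skew": int(m.group(1)), "offset_s": round(offset, 3),
                "direction": "old" if offset > 0 else "future",
            })
    return results

if __name__ == "__main__":
    for r in find_skew_errors(SAMPLE_LOG.splitlines()):
        print(f"{r['logged'].isoformat()} offset={r['offset_s']:+.3f}s "
              f"allowed={r['skew']}s response looks {r['direction']}")
```

The offset also includes the time the response spent in transit through the browser, so compare several entries: a steady offset across all sign-ons points at one side's clock, while an offset that appears only on some sign-ons fits the single-host case described above.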