So, if ADFS is set up as the account partner and TFIM is set up as the resource partner, the ADFS federation server's clock cannot be ahead of the TFIM federation server's clock. The resource partner compares the token's Not Before value against its own clock, so a token stamped by an ADFS server that runs ahead arrives at TFIM before it is valid and is rejected. Suppose an ADFS FS-A issued a SAML token with a Not Before time of .
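As an added illustration of the check described above (this is example code, not code from the original post, from ADFS or from TFIM), the following Python performs the resource-partner side of the validity-window test on a constructed SAML 2.0 assertion. It assumes the account partner stamps NotBefore from its own clock at issue time, uses a made-up issuer URL, assertion ID and timestamps, and treats the 5-minute skew allowance as an assumed value rather than anything the page specifies. XML signature verification is left out so the block runs offline; a real resource partner verifies the signature before looking at Conditions.

```python
# Added example (not from the original post, ADFS or TFIM): how a resource
# partner evaluates a SAML assertion's <Conditions> window against its own
# clock, and why an account partner whose clock runs ahead produces
# "not yet valid" rejections. Issuer URL, IDs and timestamps are constructed.
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ASSERTION_TEMPLATE = """<saml:Assertion xmlns:saml="{ns}" Version="2.0"
    ID="_constructed-assertion-id" IssueInstant="{issued}">
  <saml:Issuer>http://fs-a.example.com/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>
</saml:Assertion>"""


def saml_time(dt: datetime) -> str:
    """Format an aware datetime as the UTC xs:dateTime SAML uses (trailing 'Z')."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_saml_time(value: str) -> datetime:
    """Parse a 'Z'-suffixed UTC timestamp back into an aware datetime."""
    if not value.endswith("Z"):
        raise ValueError("expected a UTC timestamp ending in Z")
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def build_assertion(issuer_clock: datetime,
                    lifetime: timedelta = timedelta(hours=1)) -> str:
    """Mimic the account partner: NotBefore is stamped from the ISSUER's clock
    (assumed behaviour). No signature is produced here; a real resource
    partner verifies the XML signature before evaluating Conditions."""
    return ASSERTION_TEMPLATE.format(
        ns=SAML_NS,
        issued=saml_time(issuer_clock),
        not_before=saml_time(issuer_clock),
        not_on_or_after=saml_time(issuer_clock + lifetime),
    )


def check_conditions(assertion_xml: str, rp_clock: datetime,
                     skew: timedelta = timedelta(0)) -> Tuple[bool, str]:
    """Resource-partner check against ITS OWN clock:
    valid iff NotBefore - skew <= rp_clock < NotOnOrAfter + skew."""
    root = ET.fromstring(assertion_xml)
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is None:
        return False, "assertion has no Conditions element"
    not_before = parse_saml_time(cond.attrib["NotBefore"])
    not_on_or_after = parse_saml_time(cond.attrib["NotOnOrAfter"])
    if rp_clock < not_before - skew:
        ahead = int((not_before - rp_clock).total_seconds())
        return False, f"not yet valid: NotBefore is {ahead}s ahead of the RP clock"
    if rp_clock >= not_on_or_after + skew:
        return False, "expired: NotOnOrAfter has passed"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Account partner (ADFS) clock runs 3 minutes ahead of the resource partner (TFIM)."""
    rp_now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed RP time
    idp_now = rp_now + timedelta(minutes=3)                         # ADFS clock is ahead
    token = build_assertion(idp_now)
    return {
        # Exact comparison: the token is rejected as not yet valid.
        "ahead_no_skew": check_conditions(token, rp_now),
        # A 5-minute allowance (assumed value) absorbs the 3-minute offset.
        "ahead_5min_skew": check_conditions(token, rp_now, timedelta(minutes=5)),
        # The same token replayed two hours later is still outside the window.
        "replayed_later": check_conditions(token, rp_now + timedelta(hours=2),
                                           timedelta(minutes=5)),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:>16}: {'ACCEPT' if ok else 'REJECT'} ({why})")
```

The skew allowance fixes the symptom but also widens the window in which a captured assertion is accepted, so the better fix is the one the post implies: keep both federation servers on the same time source and keep any allowance small.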
Today I'm going to touch on Security Assertion Markup Language (SAML) tokens, and an issue we've run into when federating with Tivoli Federated Identity Manager (TFIM). I'll discuss what a SAML token is, why it's important, and what happens when TFIM tries to validate one from ADFS. For more information about setting up ADFS and TFIM, see the ADFS Step-by-Step Guide: Federation with IBM Tivoli Federated Identity Manager.

If instead you want to give SAML federated users other ways to access AWS, see one of these topics:

Note: This specific use of SAML differs from the more general one illustrated in About SAML 2.0-based Federation because this workflow opens the AWS Management Console on behalf of the user. This requires the use of the AWS SSO endpoint instead of directly calling the

From the user's perspective, the process happens transparently: the user starts at your organization's internal portal and ends up at the AWS Management Console without ever having to supply any AWS credentials.