The state of a session is the source of truth for relying parties. Synchronization of system clocks of the various Servers is required.
The system clock of the relying party might be out of synchronization with the SME clock. If the relying party's clock is:
Ahead of the session clock A relying party's request for authentication is made and the active sessionID is returned.
Behind the session clock: Event notifications to the relying party help invalidate the session.
For example, if a Web server clock is ahead of the server clock, a request sent from the Webgate to the OAM Server will contain a time that, to the OAM Server, has not yet occurred. This can cause login events to fail. When running in Simple or Cert mode, time stamps might become out of sync, or the client certificate might appear to be invalid.
Note:
To avoid event notification issues, ensure that all OAM Server clocks are synchronized to Time Services such as NIST internet time service.
For successful operation:
Ensure all computer clocks are synchronized. There is no tolerance level. If, for example, the Webgate clock is even slightly ahead of the OAM Server clock, a cookie generated by the Webgate will appear to be in the future and can cause problems in the OAM Server.
Confirm that the clock on each computer running a Webgate is not running ahead of the OAM Servers with which it is associated. The OAM Server must be ahead of the Webgate clock by a maximum of 60 seconds.