CV0-003 · Question #806
A systems administrator strictly followed a CSP's documentation to federate identity for the company's users; however, even when using the correct credentials, the users receive an error message indic
The correct answer is A. The date on the company's identity server is configured incorrectly.. Token expiration errors in federated identity are almost always caused by clock skew between the identity provider and the service provider, not by credential or network issues.
Question
A systems administrator strictly followed a CSP's documentation to federate identity for the company's users; however, even when using the correct credentials, the users receive an error message indicating their tokens are expired. Which of the following is MOST likely the cause of the error?
Options
- AThe date on the company's identity server is configured incorrectly.
- BThe CSP's documentation is incorrect.
- CThere is a connection issue between the company and the CSP's networks.
- DMFA was enforced on the CSP.
How the community answered
(59 responses)- A83% (49)
- B5% (3)
- C3% (2)
- D8% (5)
Why each option
Token expiration errors in federated identity are almost always caused by clock skew between the identity provider and the service provider, not by credential or network issues.
Federated identity protocols like SAML and OIDC embed timestamps (NotBefore and NotOnOrAfter) in tokens that are validated against the receiving system's clock. If the company's identity server clock is set incorrectly, the CSP will evaluate the token's validity window against its own synchronized clock and reject it as expired. Even a few minutes of drift can cause consistent token rejection despite valid credentials.
Incorrect documentation would more likely cause a configuration or authentication failure, not a token expiration error with otherwise correct credentials.
A network connectivity issue would produce a connection timeout or unreachable error, not a token expiration message.
Enforced MFA would trigger an additional authentication challenge or step-up prompt, not a token expiration error.
Concept tested: Federated identity clock skew and token validation
Source: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-overview
Topics
Community Discussion
No community discussion yet for this question.