Scenario:
Unable to log into SaaS instance using SAML, and RTServer.log shows the following Error:
Error processing SAML authentication: NotOnOrAfter condition failed (Now: Date Time NotOnOrAfter: Date Time)
For example: Error processing SAML authentication: (Now: 2010/06/28 4:24:45 PM NotOnOrAfter: 2010/06/28 4:24:28 PM)

Summary:
This translates to the fact that SAML requires the time of authentication to match between the sending server and authenticating server in order to be able to authenticate. It doesn’t matter which time zone the server is as time is converted to UTC and Web TimeSheet verifies them with UTC. So if the SAML Server clock is 5 minutes fast or slow it might be enough for Web TimeSheet to think the assertions are expired. Our defaults are 30 seconds before and 60 seconds after.

Resolution:
The time on our server are matched with the official time from the following website:
http://www.time.gov/
In the above mentioned example, the server that is authenticating on Client side (SAML Server) is sending 4:24:28 PM where the time on our server here is 4:24:45 PM, therefore authentication fails.

Once we sync the SAML server with http://www.time.gov/, SAML authentication starts working.
Alternatively, we can change this in Web.config file available with SAML identity provider.
Under <AppSetting>, add the following 2 keys.
<add key="AllowedSecondsBeforeIssue" value="30" />
<add key="AssertionLifetimeInSeconds" value="60" />

These values are in seconds. Change this to a higher value to counter issues where server time lags or lead the UTC time.
After the Web.config is edited it would look like,

<appSettings>
<add key="AllowedSecondsBeforeIssue" value="30" />
<add key="AssertionLifetimeInSeconds" value="60" />
<add key="ServiceProviderURL" value="http://service.url/path/saml.ashx" />
</appSettings>