Products | Versions |
---|---|
TIBCO BPM Enterprise (formerly TIBCO ActiveMatrix BPM) | - |
Not Applicable | - |
Description:
When a SAML assertion contains conditions that limit the validity period of the request, authentication fails due to the unexpected expiry of the assertion when the clocks on the client system and the BPM runtime are not in sync.
The error looks like the following:
04 Jan 2016 15:59:15,147 [httpConnector_28 - /amxbpm/EntityResolverService] [DEBUG] org.apache.xml.security.utils.DigesterOutputStream - <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="764BBEDA-1936-48B0-AF97-D7E2BBE88EB1" IssueInstant="2016-01-04T14:59:15.156Z" Version="2.0"><saml2:Issuer>BS</saml2:Issuer><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName"></saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2016-01-04T14:59:15.156Z" NotOnOrAfter="2016-01-04T15:19:15.156Z"></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2016-01-04T14:59:15.156Z"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion>
Symptoms:
SAML authentication fails even though the credentials are correct.
Cause:
The clocks on the client system and the BPM runtime are not in sync.
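To confirm the cause from a logged assertion, the following added diagnostic (not TIBCO code) evaluates the `NotBefore`/`NotOnOrAfter` window from the log entry above against a receiver clock reading and reports how far outside the window that clock is. The receiver times and the `allowed_skew` parameter are assumptions for illustration, not product settings.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: only the Conditions window is taken from the log entry above.
ASSERTION = (
    '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">'
    '<saml2:Conditions NotBefore="2016-01-04T14:59:15.156Z" '
    'NotOnOrAfter="2016-01-04T15:19:15.156Z"/>'
    '</saml2:Assertion>'
)


def parse_instant(value):
    """Parse a UTC SAML timestamp such as 2016-01-04T14:59:15.156Z."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, receiver_now, allowed_skew=timedelta(0)):
    """Evaluate the Conditions window against the receiver's clock.

    Returns (verdict, margin): margin is how far receiver_now lies outside
    the window, i.e. the clock offset that explains the rejection.
    Diagnostic only: no signature check, run it on log excerpts you trust.
    """
    cond = ET.fromstring(assertion_xml).find("saml2:Conditions", NS)
    if cond is None:
        return ("valid", None)  # no validity window to enforce
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and receiver_now + allowed_skew < parse_instant(not_before):
        return ("not-yet-valid", parse_instant(not_before) - receiver_now)
    if not_on_or_after and receiver_now - allowed_skew >= parse_instant(not_on_or_after):
        return ("expired", receiver_now - parse_instant(not_on_or_after))
    return ("valid", None)


if __name__ == "__main__":
    issued = parse_instant("2016-01-04T14:59:15.156Z")
    # Constructed receiver clocks: 30 s behind and 21 min ahead of the issuer.
    for label, now in [("behind", issued - timedelta(seconds=30)),
                       ("ahead", issued + timedelta(minutes=21))]:
        print(label, check_conditions(ASSERTION, now))
        print(label, "with 60 s skew:", check_conditions(ASSERTION, now, timedelta(seconds=60)))
```

A skew tolerance also lengthens the time an assertion is accepted after `NotOnOrAfter`, so keep it small and treat clock synchronization as the actual fix.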