PLINK-735 has introduced a new configuration option clockSkew to the SAML2STSLoginModule for the case when the STS service and the STS client do not have synchronized clocks. Now it is possible to log in in such environment.

However, SAML2Handler which precedes the SAML2STSLoginModule in the handler chain logs an error about expired assertion. That happens before SAML2STSLoginModule takes place and note that SAML2Handler knows nothing about SAML2STSLoginModule configuration.

So even if nothing wrong happened there is an error message in the log.