Gaucho-Racing · BK1031 · Jun 4, 2026 · Jun 4, 2026
diff --git a/saml/service/identity.go b/saml/service/identity.go
@@ -68,9 +68,11 @@ func BuildSession(entityID string, clientID string) (*saml.Session, error) {
 	}
 
 	session := &saml.Session{
-		ID:           entityID,
-		CreateTime:   time.Now(),
-		ExpireTime:   time.Now().Add(time.Hour),
+		ID: entityID,
+		// UTC so the assertion's AuthnInstant/SessionNotOnOrAfter serialize in
+		// the Zulu form SAML requires (see GenerateResponse).
+		CreateTime:   time.Now().UTC(),
+		ExpireTime:   time.Now().Add(time.Hour).UTC(),
 		Index:        entityID,
 		NameID:       email,
 		NameIDFormat: string(saml.EmailAddressNameIDFormat),

diff --git a/saml/service/response.go b/saml/service/response.go
@@ -46,7 +46,10 @@ func GenerateResponse(requestBuffer []byte, relayState string, entityID string,
 	if err := req.Validate(); err != nil {
 		return ResponseForm{}, err
 	}
-	req.Now = time.Now()
+	// UTC: SAML serializes timestamps as xsd:dateTime and crewjam's layout emits
+	// a zone offset for non-UTC times (e.g. -07:00 under the pod's TZ), which
+	// strict SPs reject — they require the Zulu "...Z" form.
+	req.Now = time.Now().UTC()
 
 	sp, err := ResolveSP(req.Request.Issuer.Value)
 	if err != nil {