diff --git a/config-templates/config.php b/config-templates/config.php
index 09117a875692dbf102ced407c8b185d262346c51..02caaad904b3c78e10eacfe73f6e5c2060e4d111 100644
--- a/config-templates/config.php
+++ b/config-templates/config.php
@@ -176,6 +176,16 @@ $config = [
      */
     'enable.http_post' => false,
 
+    /*
+     * Set the allowed clock skew between encrypting/decrypting assertions
+     *
+     * If you have an server that is constantly out of sync, this option
+     * allows you to adjust the allowed clock-skew.
+     *
+     * Allowed range: 180 - 300
+     * Defaults to 180.
+     */
+    'assertion.allowed_clock_skew' => 180,
 
     /************************
diff --git a/modules/saml/lib/Message.php b/modules/saml/lib/Message.php
index 7c1d5be68589aaf83009a59701b3c30d45bad3ec..986a1e105205c3c90743cafd4e839c7cddba28e1 100644
--- a/modules/saml/lib/Message.php
+++ b/modules/saml/lib/Message.php
@@ -646,20 +646,30 @@ class Message
         $currentURL = \SimpleSAML\Utils\HTTP::getSelfURLNoQuery();
 
         // check various properties of the assertion
+        $config = \SimpleSAML\Configuration::getInstance();
+        $allowed_clock_skew = $config->getInteger('assertion.allowed_clock_skew', 180);
+        $options = [
+            'options' => [
+                'default' => 180,
+                'min_range' => 180,
+                'max_range' => 300,
+            ],
+        ];
+        $allowed_clock_skew = filter_var($allowed_clock_skew, FILTER_VALIDATE_INT, $options);
         $notBefore = $assertion->getNotBefore();
-        if ($notBefore !== null && $notBefore > time() + 60) {
+        if ($notBefore !== null && $notBefore > time() + $allowed_clock_skew) {
             throw new \SimpleSAML\Error\Exception(
                 'Received an assertion that is valid in the future. Check clock synchronization on IdP and SP.'
             );
         }
         $notOnOrAfter = $assertion->getNotOnOrAfter();
-        if ($notOnOrAfter !== null && $notOnOrAfter <= time() - 60) {
+        if ($notOnOrAfter !== null && $notOnOrAfter <= time() - $allowed_clock_skew) {
             throw new \SimpleSAML\Error\Exception(
                 'Received an assertion that has expired. Check clock synchronization on IdP and SP.'
             );
         }
         $sessionNotOnOrAfter = $assertion->getSessionNotOnOrAfter();
-        if ($sessionNotOnOrAfter !== null && $sessionNotOnOrAfter <= time() - 60) {
+        if ($sessionNotOnOrAfter !== null && $sessionNotOnOrAfter <= time() - $allowed_clock_skew) {
             throw new \SimpleSAML\Error\Exception(
                 'Received an assertion with a session that has expired. Check clock synchronization on IdP and SP.'
             );
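Review bot: The filter_var() call that follows the getInteger() read silently replaces any out-of-range value with 180, so an operator who sets `assertion.allowed_clock_skew` to 60 to tighten the validity window (or to 600 by mistake) ends up with a 180-second skew and no error or log line, and the misconfiguration stays invisible. A bad value for a security check should fail loudly; replacing the `$options`/filter_var lines with `if ($allowed_clock_skew < 180 || $allowed_clock_skew > 300) { throw new \SimpleSAML\Error\Exception('assertion.allowed_clock_skew must be between 180 and 300 seconds'); }` surfaces the problem at the first assertion instead of masking it. The 180-second floor also means the window can never be made as tight as the 60 seconds this code used before; if that floor is intentional it deserves a sentence in the config.php comment, which currently describes the option as skew "between encrypting/decrypting assertions" although it governs the NotBefore, NotOnOrAfter and SessionNotOnOrAfter checks. The enclosing method starts and ends outside the hunk.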