SAML: Document allowing a clock/time difference from IdP (#8731)

Updates the sample configuration with the pysaml2 configuration for accepting clock skew/drift between the homeserver and IdP.

SAML: Document allowing a clock/time difference from IdP (#8731)
d3565883 · Marcus Schopen · GitHub · b690542a · d3565883 · d3565883
Unverified Commit d3565883 authored 4 years ago by Marcus Schopen Committed by GitHub 4 years ago
--- a/changelog.d/8731.misc
+++ b/changelog.d/8731.misc
+Add an example and documentation for clock skew to the SAML2 sample configuration to allow for clock/time difference between the homserver and IdP. Contributed by @localguru.
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -1546,6 +1546,12 @@ saml2_config:
    #  remote:
    #    - url: https://our_idp/metadata.xml

+    # Allowed clock difference in seconds between the homeserver and IdP.
+    #
+    # Uncomment the below to increase the accepted time difference from 0 to 3 seconds.
+    #
+    #accepted_time_diff: 3
+
    # By default, the user has to go to our login page first. If you'd like
    # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
    # 'service.sp' section:

--- a/synapse/config/saml2_config.py
+++ b/synapse/config/saml2_config.py
@@ -256,6 +256,12 @@ class SAML2Config(Config):
            #  remote:
            #    - url: https://our_idp/metadata.xml

+            # Allowed clock difference in seconds between the homeserver and IdP.
+            #
+            # Uncomment the below to increase the accepted time difference from 0 to 3 seconds.
+            #
+            #accepted_time_diff: 3
+
            # By default, the user has to go to our login page first. If you'd like
            # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
            # 'service.sp' section: