summary refs log tree commit diff
diff options
context:
space:
mode:
authorMarcus Schopen <lists@localguru.de>2020-11-18 13:36:28 +0100
committerGitHub <noreply@github.com>2020-11-18 07:36:28 -0500
commitd356588339db627397e84e98d3468a4c996253ab (patch)
treed6d48f880128812cb396665a4da3a9e3be0ad6ea
parentMerge branch 'master' into develop (diff)
downloadsynapse-d356588339db627397e84e98d3468a4c996253ab.tar.xz
SAML: Document allowing a clock/time difference from IdP (#8731)
Updates the sample configuration with the pysaml2 configuration for
accepting clock skew/drift between the homeserver and IdP.
Diffstat (limited to '')
-rw-r--r--changelog.d/8731.misc1
-rw-r--r--docs/sample_config.yaml6
-rw-r--r--synapse/config/saml2_config.py6
3 files changed, 13 insertions, 0 deletions
diff --git a/changelog.d/8731.misc b/changelog.d/8731.misc
new file mode 100644
index 0000000000..df5882e960
--- /dev/null
+++ b/changelog.d/8731.misc
@@ -0,0 +1 @@
+Add an example and documentation for clock skew to the SAML2 sample configuration to allow for clock/time difference between the homserver and IdP. Contributed by @localguru.
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index e9e77ca94e..bedc147770 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -1546,6 +1546,12 @@ saml2_config:
     #  remote:
     #    - url: https://our_idp/metadata.xml
 
+    # Allowed clock difference in seconds between the homeserver and IdP.
+    #
+    # Uncomment the below to increase the accepted time difference from 0 to 3 seconds.
+    #
+    #accepted_time_diff: 3
+
     # By default, the user has to go to our login page first. If you'd like
     # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
     # 'service.sp' section:
diff --git a/synapse/config/saml2_config.py b/synapse/config/saml2_config.py
index 2ff7dfb311..f233854941 100644
--- a/synapse/config/saml2_config.py
+++ b/synapse/config/saml2_config.py
@@ -256,6 +256,12 @@ class SAML2Config(Config):
             #  remote:
             #    - url: https://our_idp/metadata.xml
 
+            # Allowed clock difference in seconds between the homeserver and IdP.
+            #
+            # Uncomment the below to increase the accepted time difference from 0 to 3 seconds.
+            #
+            #accepted_time_diff: 3
+
             # By default, the user has to go to our login page first. If you'd like
             # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
             # 'service.sp' section: