authorMarcus Schopen <lists@localguru.de>2020-11-18 13:36:28 +0100
committerGitHub <noreply@github.com>2020-11-18 07:36:28 -0500
commitd356588339db627397e84e98d3468a4c996253ab (patch)
treed6d48f880128812cb396665a4da3a9e3be0ad6ea
parentMerge branch 'master' into develop (diff)
SAML: Document allowing a clock/time difference from IdP (#8731)
Updates the sample configuration with the pysaml2 configuration for
accepting clock skew/drift between the homeserver and IdP.
-rw-r--r--changelog.d/8731.misc1
-rw-r--r--docs/sample_config.yaml6
-rw-r--r--synapse/config/saml2_config.py6
3 files changed, 13 insertions, 0 deletions
diff --git a/changelog.d/8731.misc b/changelog.d/8731.misc
new file mode 100644
index 0000000000..df5882e960
--- /dev/null
+++ b/changelog.d/8731.misc
@@ -0,0 +1 @@
+Add an example and documentation for clock skew to the SAML2 sample configuration to allow for clock/time difference between the homserver and IdP. Contributed by @localguru.
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index e9e77ca94e..bedc147770 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -1546,6 +1546,12 @@ saml2_config:
     #  remote:
     #    - url: https://our_idp/metadata.xml
 
+    # Allowed clock difference in seconds between the homeserver and IdP.
+    #
+    # Uncomment the below to increase the accepted time difference from 0 to 3 seconds.
+    #
+    #accepted_time_diff: 3
+
     # By default, the user has to go to our login page first. If you'd like
     # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
     # 'service.sp' section:
diff --git a/synapse/config/saml2_config.py b/synapse/config/saml2_config.py
index 2ff7dfb311..f233854941 100644
--- a/synapse/config/saml2_config.py
+++ b/synapse/config/saml2_config.py
@@ -256,6 +256,12 @@ class SAML2Config(Config):
             #  remote:
             #    - url: https://our_idp/metadata.xml
 
+            # Allowed clock difference in seconds between the homeserver and IdP.
+            #
+            # Uncomment the below to increase the accepted time difference from 0 to 3 seconds.
+            #
+            #accepted_time_diff: 3
+
             # By default, the user has to go to our login page first. If you'd like
             # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
             # 'service.sp' section:
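Review bot: The comment above the new `#accepted_time_diff: 3` line tells operators how to widen the tolerance but not what it costs: pysaml2 applies this value when checking an assertion's NotBefore/NotOnOrAfter conditions, so every second added extends the window in which a stale or replayed assertion is still accepted. I would add one line after the first comment line, `# Keep this as small as your clock drift requires: a larger value widens the window in which a stale or replayed assertion is accepted.`, so the sample steers readers toward the minimum value rather than a copy-pasted 3. The same text is added to docs/sample_config.yaml in the previous hunk and should be kept identical there (presumably that file is generated from this docstring). The enclosing SAML2Config class and the method holding this sample-config string both begin outside the hunk.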