From f16931abf61ca9d5288099a79bff69f1eb0c8330 Mon Sep 17 00:00:00 2001
From: Marcus Schopen
Date: Fri, 6 Nov 2020 18:27:36 +0100
Subject: [PATCH 1/9] SAML: add accepted_time_diff
---
 docs/sample_config.yaml | 3 +++
 synapse/config/saml2_config.py | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index 7e2cf97c3efc..ec1eaad7fa65 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -1545,6 +1545,9 @@ saml2_config:
 # remote:
 # - url: https://our_idp/metadata.xml
+ # Allowed clock difference in seconds from Identity Provider.
+ #accepted_time_diff: 3
+
 # By default, the user has to go to our login page first. If you'd like
 # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
 # 'service.sp' section:
diff --git a/synapse/config/saml2_config.py b/synapse/config/saml2_config.py
index 778750f43be0..2370a82895bb 100644
--- a/synapse/config/saml2_config.py
+++ b/synapse/config/saml2_config.py
@@ -256,6 +256,9 @@ def generate_config_section(self, config_dir_path, server_name, **kwargs):
 # remote:
 # - url: https://our_idp/metadata.xml
+ # Allowed clock difference in seconds from Identity Provider.
+ #accepted_time_diff: 3
+
 # By default, the user has to go to our login page first. If you'd like
 # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
 # 'service.sp' section:
From 4eb6cc9cdd741e9e8d84a9d9403296e57d26fa5d Mon Sep 17 00:00:00 2001
From: Marcus Schopen
Date: Fri, 6 Nov 2020 18:30:19 +0100
Subject: [PATCH 2/9] remove spaces from blank line
---
 synapse/config/saml2_config.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/synapse/config/saml2_config.py b/synapse/config/saml2_config.py
index 2370a82895bb..86c4ff19b674 100644
--- a/synapse/config/saml2_config.py
+++ b/synapse/config/saml2_config.py
@@ -258,7 +258,7 @@ def generate_config_section(self, config_dir_path, server_name, **kwargs):
 # Allowed clock difference in seconds from Identity Provider.
 #accepted_time_diff: 3
-
+
 # By default, the user has to go to our login page first. If you'd like
 # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
 # 'service.sp' section:
From c52d68ff9c85a1b3d87c1d035bdf9254d761ddd9 Mon Sep 17 00:00:00 2001
From: Marcus Schopen
Date: Fri, 6 Nov 2020 18:53:19 +0100
Subject: [PATCH 3/9] add changelog file
---
 changelog.d/8731.misc | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog.d/8731.misc
diff --git a/changelog.d/8731.misc b/changelog.d/8731.misc
new file mode 100644
index 000000000000..b21eb6496133
--- /dev/null
+++ b/changelog.d/8731.misc
@@ -0,0 +1 @@
+SAML: add `accepted_time_diff` example to `saml2_config:` config to allow clock/time difference from IDP.
From fcb5f8a40924cd49e5330a9dd588637019b82e98 Mon Sep 17 00:00:00 2001
From: Marcus Schopen
Date: Sat, 7 Nov 2020 00:17:44 +0100
Subject: [PATCH 4/9] some wording
---
 changelog.d/8731.misc | 2 +-
 docs/sample_config.yaml | 2 +-
 synapse/config/saml2_config.py | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/changelog.d/8731.misc b/changelog.d/8731.misc
index b21eb6496133..9e03c1e4fccf 100644
--- a/changelog.d/8731.misc
+++ b/changelog.d/8731.misc
@@ -1 +1 @@
-SAML: add `accepted_time_diff` example to `saml2_config:` config to allow clock/time difference from IDP.
+SAML: add `accepted_time_diff` example to `saml2_config:` config to allow clock/time difference from IdP.
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index ec1eaad7fa65..3608b42b1d4b 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -1545,7 +1545,7 @@ saml2_config:
 # remote:
 # - url: https://our_idp/metadata.xml
- # Allowed clock difference in seconds from Identity Provider.
+ # Allowed clock difference in seconds from IdP.
 #accepted_time_diff: 3
 # By default, the user has to go to our login page first. If you'd like
diff --git a/synapse/config/saml2_config.py b/synapse/config/saml2_config.py
index 86c4ff19b674..39dec519a62b 100644
--- a/synapse/config/saml2_config.py
+++ b/synapse/config/saml2_config.py
@@ -256,7 +256,7 @@ def generate_config_section(self, config_dir_path, server_name, **kwargs):
 # remote:
 # - url: https://our_idp/metadata.xml
- # Allowed clock difference in seconds from Identity Provider.
+ # Allowed clock difference in seconds from IdP.
 #accepted_time_diff: 3
 # By default, the user has to go to our login page first. If you'd like
From 0ba80adf82cd077f91f05f9e9cfbc1229735110d Mon Sep 17 00:00:00 2001
From: Marcus Schopen
Date: Tue, 17 Nov 2020 17:01:57 +0100
Subject: [PATCH 5/9] add further documentation for the option
---
 docs/sample_config.yaml | 3 ++-
 synapse/config/saml2_config.py | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index 3608b42b1d4b..b7d240a3c2de 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -1545,7 +1545,8 @@ saml2_config:
 # remote:
 # - url: https://our_idp/metadata.xml
- # Allowed clock difference in seconds from IdP.
+ # Allowed clock difference in seconds from IdP. Uncomment the below to
+ # increase the accepted time difference from 0 to 3 seconds.
 #accepted_time_diff: 3
 # By default, the user has to go to our login page first. If you'd like
diff --git a/synapse/config/saml2_config.py b/synapse/config/saml2_config.py
index 39dec519a62b..47c135242c33 100644
--- a/synapse/config/saml2_config.py
+++ b/synapse/config/saml2_config.py
@@ -256,7 +256,8 @@ def generate_config_section(self, config_dir_path, server_name, **kwargs):
 # remote:
 # - url: https://our_idp/metadata.xml
- # Allowed clock difference in seconds from IdP.
+ # Allowed clock difference in seconds from IdP. Uncomment the below to
+ # increase the accepted time difference from 0 to 3 seconds.
 #accepted_time_diff: 3
 # By default, the user has to go to our login page first. If you'd like
From 833a297c6e8cfb7836247eb999267984440255de Mon Sep 17 00:00:00 2001
From: Marcus Schopen
Date: Wed, 18 Nov 2020 12:09:18 +0100
Subject: [PATCH 6/9] remove trailing whitespace
---
 docs/sample_config.yaml | 2 +-
 synapse/config/saml2_config.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index b7d240a3c2de..021eda9deea3 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -1545,7 +1545,7 @@ saml2_config:
 # remote:
 # - url: https://our_idp/metadata.xml
- # Allowed clock difference in seconds from IdP. Uncomment the below to
+ # Allowed clock difference in seconds from IdP. Uncomment the below to
 # increase the accepted time difference from 0 to 3 seconds.
 #accepted_time_diff: 3
diff --git a/synapse/config/saml2_config.py b/synapse/config/saml2_config.py
index 47c135242c33..4880a5cb2ea2 100644
--- a/synapse/config/saml2_config.py
+++ b/synapse/config/saml2_config.py
@@ -256,7 +256,7 @@ def generate_config_section(self, config_dir_path, server_name, **kwargs):
 # remote:
 # - url: https://our_idp/metadata.xml
- # Allowed clock difference in seconds from IdP. Uncomment the below to
+ # Allowed clock difference in seconds from IdP. Uncomment the below to
 # increase the accepted time difference from 0 to 3 seconds.
 #accepted_time_diff: 3
From c858af09dc203486b4137ddbe54ba6e5f9d85b97 Mon Sep 17 00:00:00 2001
From: Marcus Schopen
Date: Wed, 18 Nov 2020 12:13:30 +0100
Subject: [PATCH 7/9] text style changes
---
 docs/sample_config.yaml | 4 ++--
 synapse/config/saml2_config.py | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index 021eda9deea3..1a3746060900 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -1545,8 +1545,8 @@ saml2_config:
 # remote:
 # - url: https://our_idp/metadata.xml
- # Allowed clock difference in seconds from IdP. Uncomment the below to
- # increase the accepted time difference from 0 to 3 seconds.
+ # Allowed clock difference in seconds from IdP.
+ # Uncomment the below to increase the accepted time difference from 0 to 3 seconds.
 #accepted_time_diff: 3
 # By default, the user has to go to our login page first. If you'd like
diff --git a/synapse/config/saml2_config.py b/synapse/config/saml2_config.py
index 4880a5cb2ea2..e40063558d50 100644
--- a/synapse/config/saml2_config.py
+++ b/synapse/config/saml2_config.py
@@ -256,8 +256,8 @@ def generate_config_section(self, config_dir_path, server_name, **kwargs):
 # remote:
 # - url: https://our_idp/metadata.xml
- # Allowed clock difference in seconds from IdP. Uncomment the below to
- # increase the accepted time difference from 0 to 3 seconds.
+ # Allowed clock difference in seconds from IdP.
+ # Uncomment the below to increase the accepted time difference from 0 to 3 seconds.
 #accepted_time_diff: 3
 # By default, the user has to go to our login page first. If you'd like
From cf8affd25f59dd5452efef055c00799dd405e966 Mon Sep 17 00:00:00 2001
From: Marcus Schopen
Date: Wed, 18 Nov 2020 12:21:31 +0100
Subject: [PATCH 8/9] minor changes in changelog
---
 changelog.d/8731.misc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/changelog.d/8731.misc b/changelog.d/8731.misc
index 9e03c1e4fccf..df5882e960a2 100644
--- a/changelog.d/8731.misc
+++ b/changelog.d/8731.misc
@@ -1 +1 @@
-SAML: add `accepted_time_diff` example to `saml2_config:` config to allow clock/time difference from IdP.
+Add an example and documentation for clock skew to the SAML2 sample configuration to allow for clock/time difference between the homserver and IdP. Contributed by @localguru.
From b925c61381e09e8aa055dc3ed0f19f1223c2d5a0 Mon Sep 17 00:00:00 2001
From: Patrick Cloke
Date: Wed, 18 Nov 2020 07:12:10 -0500
Subject: [PATCH 9/9] Clean-up formatting of sample config.
---
 docs/sample_config.yaml | 4 +++-
 synapse/config/saml2_config.py | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index 1a3746060900..d6a90d547b01 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -1545,8 +1545,10 @@ saml2_config:
 # remote:
 # - url: https://our_idp/metadata.xml
- # Allowed clock difference in seconds from IdP.
+ # Allowed clock difference in seconds between the homeserver and IdP.
+ #
+ # Uncomment the below to increase the accepted time difference from 0 to 3 seconds.
+ #
 #accepted_time_diff: 3
 # By default, the user has to go to our login page first. If you'd like
diff --git a/synapse/config/saml2_config.py b/synapse/config/saml2_config.py
index e40063558d50..6d2e80e0f75f 100644
--- a/synapse/config/saml2_config.py
+++ b/synapse/config/saml2_config.py
@@ -256,8 +256,10 @@ def generate_config_section(self, config_dir_path, server_name, **kwargs):
 # remote:
 # - url: https://our_idp/metadata.xml
- # Allowed clock difference in seconds from IdP.
+ # Allowed clock difference in seconds between the homeserver and IdP.
+ #
+ # Uncomment the below to increase the accepted time difference from 0 to 3 seconds.
+ #
 #accepted_time_diff: 3
 # By default, the user has to go to our login page first. If you'd like
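Review bot: The new sample-config comment for `accepted_time_diff` presents the value purely as a clock-skew convenience and never says what it relaxes: the option is presumably forwarded to the SAML library's time-condition validation (worth confirming against how sp_config is loaded), so every second added here widens the window in which a stale or replayed assertion whose NotBefore/NotOnOrAfter bounds have already passed is still accepted. Suggest adding one line to the comment block, e.g. `# Keep this as small as your clocks allow; a larger value loosens the checks on assertion validity windows, so prefer fixing NTP on both sides over raising it.`, so operators do not treat it as a free knob. The same omission is present in the earlier revisions of this hunk in patches 1, 4, 5, 6 and 7 and in the parallel docs/sample_config.yaml hunk, which should carry identical text since one is generated from the other. This string is part of the sample config returned by generate_config_section, whose body begins before the hunk and continues past it.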