Is your feature request related to a problem? Please describe.
The default allowed clock drift for SAML client access appears to be 1 second. Even clusters with properly configured NTP may run into issues depending on how often they are synced and how heavily they drift and/or how geographically distributed the nodes are.
We should consider increasing this limit to something a little less aggressive (2s, 5s, etc.).
Describe the solution you'd like
According to the docs this could be accomplished by adding an allowed_clock_drift field to our gitlab-sso secret args. We could also consider making the field configurable via Zarf var.
Additional context
I think there is benefit to keeping the value small, but a little more wiggle room would be nice. It's also worth calling out time syncing as a requirement in the docs.
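The trade-off raised in this request, as an added example that is not part of the original issue and is not GitLab's or ruby-saml's code: a small model of a SAML assertion validity-window check with a drift tolerance applied to both NotBefore and NotOnOrAfter. The node names, skew values and 60-second assertion lifetime are constructed, and applying the tolerance symmetrically to both edges is an assumption of the model.

```ruby
# Constructed model of the SAML Conditions time-window check.
Conditions = Struct.new(:not_before, :not_on_or_after)

# Checks an assertion at `now` (service provider clock) with `drift`
# seconds of tolerance on both edges of the validity window.
# Returns :ok, :not_yet_valid or :expired.
def check_conditions(cond, now, drift)
  return :not_yet_valid if now < cond.not_before - drift
  return :expired if now >= cond.not_on_or_after + drift
  :ok
end

# Smallest whole-second tolerance that accepts every observed skew.
def minimum_drift(skews)
  skews.map(&:abs).max.ceil
end

# Constructed sample: the IdP stamps an assertion valid for 60 s
# starting at its own current time.
IDP_NOW = Time.utc(2024, 1, 1, 12, 0, 0)
ASSERTION = Conditions.new(IDP_NOW, IDP_NOW + 60)

# Constructed skews in seconds (SP clock minus IdP clock).
# Negative means the node is behind the IdP, so a fresh assertion
# looks like it was issued in the future.
NODE_SKEWS = {
  'node-a' => -0.3,
  'node-b' => -1.4,
  'node-c' => 0.8,
  'node-d' => -3.2
}.freeze

# Outcome per node when each one validates the assertion on arrival.
def results_for(drift)
  NODE_SKEWS.transform_values do |skew|
    check_conditions(ASSERTION, IDP_NOW + skew, drift)
  end
end

if __FILE__ == $PROGRAM_NAME
  [1, 2, 5].each { |d| puts "drift=#{d}s #{results_for(d)}" }
  puts "minimum drift for these nodes: #{minimum_drift(NODE_SKEWS.values)}s"
  # The same tolerance also extends acceptance past NotOnOrAfter.
  late = IDP_NOW + 60.5
  puts "0.5s after expiry: drift=0 #{check_conditions(ASSERTION, late, 0)}, " \
       "drift=1 #{check_conditions(ASSERTION, late, 1)}"
end
```

Measuring real node-to-IdP skew and feeding it to a calculation like minimum_drift gives a value sized to the cluster, while the last check shows why the tolerance should stay as small as that measurement allows.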