Under current configuration, users have to log in multiple times a day. This is especially painful with 2fa enabled.
Under Admin -> Settings -> General -> Account and limit, we've got a session duration of 10080 minutes (one week).
So this is probably about CAS session duration. Looks like we're specifying:
gitlab_rails['omniauth_cas3_session_duration'] = 1
Is that... 1 hour? The CAS OmniAuth provider docs say:
If your CAS instance does not use default TGC lifetimes, update the cas3.session_duration to at least the current TGC maximum lifetime. To explicitly disable SLO, regardless of CAS settings, set this to 0.
In ops/puppet I see:
11:39:10 brennen@inertia:~/code/wmf/operations/puppet (production $>) ✫ git grep 'max_session_length' hieradata/cloud.yaml:profile::idp::max_session_length: 604800 hieradata/common/profile/idp.yaml:profile::idp::max_session_length: 604800 modules/apereo_cas/manifests/init.pp: Integer[60,604800] $max_session_length = 604800, modules/apereo_cas/manifests/init.pp: Integer[60,604800] $max_rememberme_session_length = $max_session_length, modules/apereo_cas/templates/cas.properties.erb:cas.ticket.tgt.max-time-to-live-in-seconds=<%= @max_session_length %> modules/profile/manifests/idp.pp: Integer $max_session_length = lookup('profile::idp::max_session_length'), modules/profile/manifests/idp.pp: max_session_length => $max_session_length,