tileradotorg/synapse
1
0
Fork 0
forked from MirrorHub/synapse
Code Pull requests Activity

SAML: Allow specifying the IdP entityid to use. (#8630)

Browse source 
If the SAML metadata includes multiple IdPs it is necessary to
specify which IdP to redirect users to for authentication.
This commit is contained in:
Ben Banfield-Zanin 2020-11-19 14:57:13 +00:00 committed by GitHub
parent 950bb0305f
commit 53a6f5ddf0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 21 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
changelog.d/8630.feature Normal file
View file

@ -0,0 +1 @@
Allow specification of the SAML IdP if the metadata returns multiple IdPs.

8
docs/sample_config.yaml
View file

@ -1674,6 +1674,14 @@ saml2_config:
# - attribute: department # - attribute: department
# value: "sales" # value: "sales"
# If the metadata XML contains multiple IdP entities then the `idp_entityid`
# option must be set to the entity to redirect users to.
#
# Most deployments only have a single IdP entity and so should omit this
# option.
#
#idp_entityid: 'https://our_idp/entityid'
# Enable OpenID Connect (OIDC) / OAuth 2.0 for registration and login. # Enable OpenID Connect (OIDC) / OAuth 2.0 for registration and login.
# #

10
synapse/config/saml2_config.py
View file

@ -90,6 +90,8 @@ class SAML2Config(Config):
"grandfathered_mxid_source_attribute", "uid" "grandfathered_mxid_source_attribute", "uid"
) )
self.saml2_idp_entityid = saml2_config.get("idp_entityid", None)
# user_mapping_provider may be None if the key is present but has no value # user_mapping_provider may be None if the key is present but has no value
ump_dict = saml2_config.get("user_mapping_provider") or {} ump_dict = saml2_config.get("user_mapping_provider") or {}
@ -383,6 +385,14 @@ class SAML2Config(Config):
# value: "staff" # value: "staff"
# - attribute: department # - attribute: department
# value: "sales" # value: "sales"
# If the metadata XML contains multiple IdP entities then the `idp_entityid`
# option must be set to the entity to redirect users to.
#
# Most deployments only have a single IdP entity and so should omit this
# option.
#
#idp_entityid: 'https://our_idp/entityid'
""" % { """ % {
"config_dir_path": config_dir_path "config_dir_path": config_dir_path
} }

3
synapse/handlers/saml_handler.py
View file

@ -58,6 +58,7 @@ class SamlHandler(BaseHandler):
def __init__(self, hs: "synapse.server.HomeServer"): def __init__(self, hs: "synapse.server.HomeServer"):
super().__init__(hs) super().__init__(hs)
self._saml_client = Saml2Client(hs.config.saml2_sp_config) self._saml_client = Saml2Client(hs.config.saml2_sp_config)
self._saml_idp_entityid = hs.config.saml2_idp_entityid
self._auth_handler = hs.get_auth_handler() self._auth_handler = hs.get_auth_handler()
self._registration_handler = hs.get_registration_handler() self._registration_handler = hs.get_registration_handler()
@ -100,7 +101,7 @@ class SamlHandler(BaseHandler):
URL to redirect to URL to redirect to
""" """
reqid, info = self._saml_client.prepare_for_authenticate( reqid, info = self._saml_client.prepare_for_authenticate(
relay_state=client_redirect_url entityid=self._saml_idp_entityid, relay_state=client_redirect_url
) )
# Since SAML sessions timeout it is useful to log when they were created. # Since SAML sessions timeout it is useful to log when they were created.