forked from MirrorHub/synapse
SAML: Allow specifying the IdP entityid to use. (#8630)
If the SAML metadata includes multiple IdPs it is necessary to specify which IdP to redirect users to for authentication.
This commit is contained in:
parent
950bb0305f
commit
53a6f5ddf0
4 changed files with 21 additions and 1 deletions
1
changelog.d/8630.feature
Normal file
1
changelog.d/8630.feature
Normal file
|
@ -0,0 +1 @@
|
|||
Allow specification of the SAML IdP if the metadata returns multiple IdPs.
|
|
@ -1674,6 +1674,14 @@ saml2_config:
|
|||
# - attribute: department
|
||||
# value: "sales"
|
||||
|
||||
# If the metadata XML contains multiple IdP entities then the `idp_entityid`
|
||||
# option must be set to the entity to redirect users to.
|
||||
#
|
||||
# Most deployments only have a single IdP entity and so should omit this
|
||||
# option.
|
||||
#
|
||||
#idp_entityid: 'https://our_idp/entityid'
|
||||
|
||||
|
||||
# Enable OpenID Connect (OIDC) / OAuth 2.0 for registration and login.
|
||||
#
|
||||
|
|
|
@ -90,6 +90,8 @@ class SAML2Config(Config):
|
|||
"grandfathered_mxid_source_attribute", "uid"
|
||||
)
|
||||
|
||||
self.saml2_idp_entityid = saml2_config.get("idp_entityid", None)
|
||||
|
||||
# user_mapping_provider may be None if the key is present but has no value
|
||||
ump_dict = saml2_config.get("user_mapping_provider") or {}
|
||||
|
||||
|
@ -383,6 +385,14 @@ class SAML2Config(Config):
|
|||
# value: "staff"
|
||||
# - attribute: department
|
||||
# value: "sales"
|
||||
|
||||
# If the metadata XML contains multiple IdP entities then the `idp_entityid`
|
||||
# option must be set to the entity to redirect users to.
|
||||
#
|
||||
# Most deployments only have a single IdP entity and so should omit this
|
||||
# option.
|
||||
#
|
||||
#idp_entityid: 'https://our_idp/entityid'
|
||||
""" % {
|
||||
"config_dir_path": config_dir_path
|
||||
}
|
||||
|
|
|
@ -58,6 +58,7 @@ class SamlHandler(BaseHandler):
|
|||
def __init__(self, hs: "synapse.server.HomeServer"):
|
||||
super().__init__(hs)
|
||||
self._saml_client = Saml2Client(hs.config.saml2_sp_config)
|
||||
self._saml_idp_entityid = hs.config.saml2_idp_entityid
|
||||
self._auth_handler = hs.get_auth_handler()
|
||||
self._registration_handler = hs.get_registration_handler()
|
||||
|
||||
|
@ -100,7 +101,7 @@ class SamlHandler(BaseHandler):
|
|||
URL to redirect to
|
||||
"""
|
||||
reqid, info = self._saml_client.prepare_for_authenticate(
|
||||
relay_state=client_redirect_url
|
||||
entityid=self._saml_idp_entityid, relay_state=client_redirect_url
|
||||
)
|
||||
|
||||
# Since SAML sessions timeout it is useful to log when they were created.
|
||||
|
|
Loading…
Reference in a new issue