saml: allow specification of the IdP entityid #8630

merged 10 commits into from
Nov 19, 2020
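--- a/changelog.d/8630.feature
+++ b/changelog.d/8630.feature
@@ -0,0 +1 @@
+Allow specification of the SAML IdP if the metadata returns multiple IdPs.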
8 changes: 8 additions & 0 deletions docs/sample_config.yaml
Expand Up @@ -1674,6 +1674,14 @@ saml2_config:
# - attribute: department
# value: "sales"

# If the metadata XML contains multiple IdP entities then the `idp_entityid`
# option must be set to the entity to redirect users to.
#
# Most deployments only have a single IdP entity and so should omit this
# option.
#
#idp_entityid: 'https://our_idp/entityid'


# Enable OpenID Connect (OIDC) / OAuth 2.0 for registration and login.
#
10 changes: 10 additions & 0 deletions synapse/config/saml2_config.py
Expand Up @@ -90,6 +90,8 @@ def read_config(self, config, **kwargs):
"grandfathered_mxid_source_attribute", "uid"
)

self.saml2_idp_entityid = saml2_config.get("idp_entityid", None)

# user_mapping_provider may be None if the key is present but has no value
ump_dict = saml2_config.get("user_mapping_provider") or {}

Expand Down Expand Up @@ -383,6 +385,14 @@ def generate_config_section(self, config_dir_path, server_name, **kwargs):
# value: "staff"
# - attribute: department
# value: "sales"

# If the metadata XML contains multiple IdP entities then the `idp_entityid`
# option must be set to the entity to redirect users to.
#
# Most deployments only have a single IdP entity and so should omit this
# option.
#
#idp_entityid: 'https://our_idp/entityid'
""" % {
"config_dir_path": config_dir_path
}
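Review bot: `self.saml2_idp_entityid = saml2_config.get("idp_entityid", None)` in the first hunk accepts whatever YAML value the admin wrote without checking that it is a string, so a mistyped value (a list, an int, a mapping) is only noticed later, when it reaches the SAML client as the entity id during a login redirect. Validating at load time keeps the failure at startup where it belongs: `if self.saml2_idp_entityid is not None and not isinstance(self.saml2_idp_entityid, str): raise ConfigError("saml2_config.idp_entityid must be a string")`, assuming the file's other options report errors through ConfigError as is usual in this config package — confirm. The explicit `None` default is also redundant; `saml2_config.get("idp_entityid")` says the same. read_config begins outside the hunk.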
3 changes: 2 additions & 1 deletion synapse/handlers/saml_handler.py
Expand Up @@ -58,6 +58,7 @@ class SamlHandler(BaseHandler):
def __init__(self, hs: "synapse.server.HomeServer"):
super().__init__(hs)
self._saml_client = Saml2Client(hs.config.saml2_sp_config)
self._saml_idp_entityid = hs.config.saml2_idp_entityid
self._auth_handler = hs.get_auth_handler()
self._registration_handler = hs.get_registration_handler()

Expand Down Expand Up @@ -100,7 +101,7 @@ def handle_redirect_request(
URL to redirect to
"""
reqid, info = self._saml_client.prepare_for_authenticate(
relay_state=client_redirect_url
entityid=self._saml_idp_entityid, relay_state=client_redirect_url
)

# Since SAML sessions timeout it is useful to log when they were created.
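Review bot: `entityid=self._saml_idp_entityid` in the second hunk passes None whenever the option is omitted, which leaves the choice among several IdPs to the SAML client at request time; a deployment whose metadata lists multiple IdPs but sets no `idp_entityid`, or one that sets an entity id that the loaded metadata does not contain, will presumably fail on the first login redirect instead of at startup. Consider checking this once in `__init__`, right after the new `self._saml_idp_entityid` assignment in the first hunk, and raising a configuration error so the misconfiguration shows up in the startup log rather than as a failed user login. A comment on that assignment would also help the next reader: `# Entity id of the IdP to redirect to; None leaves the choice to the SAML client, which only works when the metadata holds a single IdP.` handle_redirect_request begins outside the second hunk.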