Synapse doesn't retrieve CAS attributes when using CAS Protocol 3.0 #15807
Description
I'm trying to limit access to Matrix by relying on CAS SSO attributes but Matrix does not retrieve CAS attributes, only the user ID.
However, when I call CAS from a PHP script on the same machine, I do retrieve the attributes.
I modified the Python script synapse/handlers/cas.py at line 130 to log the CAS response:
logging.warn('BODY CAS : %s',body)
Here's what I get, no attributes:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>MYUSER</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>
With phpCAS we can configure the CAS protocol version, and version 3 (CAS_VERSION_3_0) must be used to retrieve the attributes. Would there be a problem like this with Matrix?
Steps to reproduce
homeserver.yaml:
cas_config:
  enabled: true
  server_url: "https://cas.example.com:443"
  displayname_attribute: displayName
  required_attributes:
    sn: "MYSN"
When we try to connect with an account having the correct sn attribute, Matrix returns an error: "You are not allowed to log in here."
Homeserver
Private server
Synapse Version
1.85.0
Installation Method
Debian packages from packages.matrix.org
Database
PostgreSQL
Workers
Single process
Platform
KVM / Debian 11
Configuration
No response
Relevant log output
synapse.handlers.sso - 1262 - INFO - GET-50 - SSO attribute missing
Anything else that would be useful to know?
No response
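Added example, not part of the original report and not Synapse's own code: a small parser for the `serviceResponse` body quoted above, with a fail-closed check against the report's `required_attributes` (`sn: "MYSN"`). The second sample body, the function names and the `REQUIRED` constant are assumptions made for illustration; the `cas:attributes` layout is the one defined by CAS Protocol 3.0.

```python
import xml.etree.ElementTree as ET

CAS_NS = "{http://www.yale.edu/tp/cas}"
REQUIRED = {"sn": "MYSN"}  # mirrors required_attributes in the report

# Sample 1: the attribute-less body quoted in the report.
BODY_NO_ATTRS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>MYUSER</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Sample 2 (constructed): same user, with a CAS 3.0 style cas:attributes block.
BODY_WITH_ATTRS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>MYUSER</cas:user>
    <cas:attributes>
      <cas:sn>MYSN</cas:sn>
      <cas:displayName>My User</cas:displayName>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

def parse_cas_response(body):
    """Return (user, attributes); raise ValueError unless validation succeeded."""
    root = ET.fromstring(body)
    success = root.find(CAS_NS + "authenticationSuccess")
    if root.tag != CAS_NS + "serviceResponse" or success is None:
        raise ValueError("CAS validation did not succeed")
    user = (success.findtext(CAS_NS + "user") or "").strip()
    if not user:
        raise ValueError("missing cas:user")
    attributes = {}
    attrs_el = success.find(CAS_NS + "attributes")
    if attrs_el is not None:
        for child in attrs_el:
            # Strip the namespace; attributes may be multi-valued, so keep lists.
            name = child.tag.split("}", 1)[-1]
            attributes.setdefault(name, []).append((child.text or "").strip())
    return user, attributes

def is_allowed(attributes, required):
    """Fail closed: an absent attribute or a non-matching value denies login."""
    return all(want in attributes.get(name, []) for name, want in required.items())

if __name__ == "__main__":
    for label, body in (("no attrs", BODY_NO_ATTRS), ("with attrs", BODY_WITH_ATTRS)):
        user, attrs = parse_cas_response(body)
        print(label, user, attrs, "allowed" if is_allowed(attrs, REQUIRED) else "denied")
```

With the body from the report the attribute map is empty, so the check denies the login even though `cas:user` is valid, which matches the "SSO attribute missing" log line.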