This repository was archived by the owner on Apr 26, 2024. It is now read-only.
Improve the sample config for SSO (OIDC, SAML, and CAS) #8635
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| Improve the sample configuration for single sign-on providers. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -1505,10 +1505,8 @@ trusted_key_servers: | |
|
|
||
| ## Single sign-on integration ## | ||
|
|
||
| # The following settings can be used to make Synapse use a single sign-on | ||
| # provider for authentication, instead of its internal password database. | ||
| # | ||
| # You will probably also want to set the following options to `false` to | ||
| # disable the regular login/registration flows: | ||
|
|
@@ -1517,6 +1515,11 @@ trusted_key_servers: | |
| # | ||
| # You will also want to investigate the settings under the "sso" configuration | ||
| # section below. | ||
|
|
||
| # Enable SAML2 for registration and login. Uses pysaml2. | ||
| # | ||
| # At least one of `sp_config` or `config_path` must be set in this section to | ||
| # enable SAML login. | ||
| # | ||
| # Once SAML support is enabled, a metadata file will be exposed at | ||
| # https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to | ||
|
|
@@ -1532,40 +1535,42 @@ saml2_config: | |
| # so it is not normally necessary to specify them unless you need to | ||
| # override them. | ||
| # | ||
| sp_config: | ||
| # Point this to the IdP's metadata. You must provide either a local | ||
| # file via the `local` attribute or (preferably) a URL via the | ||
| # `remote` attribute. | ||
| # | ||
| #metadata: | ||
| # local: ["saml2/idp.xml"] | ||
| # remote: | ||
| # - url: https://our_idp/metadata.xml | ||
clokep marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| # By default, the user has to go to our login page first. If you'd like | ||
| # to allow IdP-initiated login, set 'allow_unsolicited: true' in a | ||
| # 'service.sp' section: | ||
| # | ||
| #service: | ||
| # sp: | ||
| # allow_unsolicited: true | ||
|
|
||
| # The examples below are just used to generate our metadata xml, and you | ||
| # may well not need them, depending on your setup. Alternatively you | ||
| # may need a whole lot more detail - see the pysaml2 docs! | ||
|
|
||
| #description: ["My awesome SP", "en"] | ||
| #name: ["Test SP", "en"] | ||
|
|
||
| #organization: | ||
| # name: Example com | ||
| # display_name: | ||
| # - ["Example co", "en"] | ||
| # url: "http://example.com" | ||
|
|
||
| #contact_person: | ||
| # - given_name: Bob | ||
| # sur_name: "the Sysadmin" | ||
| # email_address": ["[email protected]"] | ||
| # contact_type": technical | ||
|
|
||
| # Instead of putting the config inline as above, you can specify a | ||
| # separate pysaml2 configuration file: | ||
|
|
@@ -1641,11 +1646,10 @@ saml2_config: | |
| # value: "sales" | ||
|
|
||
|
|
||
| # Enable OpenID Connect (OIDC) / OAuth 2.0 for registration and login. | ||
| # | ||
| # See https://github.com/matrix-org/synapse/blob/master/docs/openid.md | ||
| # for some example configurations. | ||
| # | ||
| oidc_config: | ||
| # Uncomment the following to enable authorization against an OpenID Connect | ||
|
|
@@ -1778,15 +1782,37 @@ oidc_config: | |
|
|
||
|
|
||
|
|
||
| # Enable Central Authentication Service (CAS) for registration and login. | ||
| # | ||
| cas_config: | ||
| # Uncomment the following to enable authorization against a CAS server. | ||
| # Defaults to false. | ||
| # | ||
| #enabled: true | ||
|
|
||
| # The URL of the CAS authorization endpoint. | ||
| # | ||
| #server_url: "https://cas-server.com" | ||
|
|
||
| # The public URL of the homeserver. | ||
| # | ||
| #service_url: "https://homeserver.domain.com:8448" | ||
|
|
||
| # The attribute of the CAS response to use as the display name. | ||
| # | ||
| # If unset, no displayname will be set. | ||
| # | ||
| #displayname_attribute: name | ||
|
|
||
| # It is possible to configure Synapse to only allow logins if CAS attributes | ||
| # match particular values. All of the keys in the mapping below must exist | ||
| # and the values must match the given value. Alternately if the given value | ||
| # is None then any value is allowed (the attribute just must exist). | ||
| # All of the listed attributes must match for the login to be permitted. | ||
| # | ||
| #required_attributes: | ||
clokep marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| # userGroup: "staff" | ||
| # department: None | ||
|
|
||
|
|
||
| # Additional settings to use with single-sign on systems such as OpenID Connect, | ||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -26,28 +26,50 @@ class CasConfig(Config): | |
|
|
||
| def read_config(self, config, **kwargs): | ||
| cas_config = config.get("cas_config", None) | ||
| self.cas_enabled = cas_config and cas_config.get("enabled", True) | ||
|
|
||
| if self.cas_enabled: | ||
| self.cas_server_url = cas_config["server_url"] | ||
| self.cas_service_url = cas_config["service_url"] | ||
| self.cas_displayname_attribute = cas_config.get("displayname_attribute") | ||
| self.cas_required_attributes = cas_config.get("required_attributes") or {} | ||
| else: | ||
| self.cas_server_url = None | ||
| self.cas_service_url = None | ||
| self.cas_displayname_attribute = None | ||
| self.cas_required_attributes = {} | ||
|
|
||
| def generate_config_section(self, config_dir_path, server_name, **kwargs): | ||
| return """ | ||
| # Enable Central Authentication Service (CAS) for registration and login. | ||
| # | ||
| cas_config: | ||
| # Uncomment the following to enable authorization against a CAS server. | ||
| # Defaults to false. | ||
| # | ||
| #enabled: true | ||
|
|
||
| # The URL of the CAS authorization endpoint. | ||
| # | ||
| #server_url: "https://cas-server.com" | ||
|
|
||
| # The public URL of the homeserver. | ||
| # | ||
| #service_url: "https://homeserver.domain.com:8448" | ||
|
Comment on lines
+56
to
+58
There was a problem hiding this comment. I think this example is bad, the redirect and ticket endpoints are both registered as part of (Changing the code to use |
||
|
|
||
| # The attribute of the CAS response to use as the display name. | ||
| # | ||
| # If unset, no displayname will be set. | ||
| # | ||
| #displayname_attribute: name | ||
|
|
||
| # It is possible to configure Synapse to only allow logins if CAS attributes | ||
| # match particular values. All of the keys in the mapping below must exist | ||
| # and the values must match the given value. Alternately if the given value | ||
| # is None then any value is allowed (the attribute just must exist). | ||
| # All of the listed attributes must match for the login to be permitted. | ||
|
Comment on lines
+66
to
+70
There was a problem hiding this comment. I cribbed this from the Unfortunately this has a reversed name and works slightly differently. 😢 |
||
| # | ||
| #required_attributes: | ||
| # userGroup: "staff" | ||
| # department: None | ||
| """ | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -216,10 +216,8 @@ def generate_config_section(self, config_dir_path, server_name, **kwargs): | |
| return """\ | ||
| ## Single sign-on integration ## | ||
|
|
||
| # The following settings can be used to make Synapse use a single sign-on | ||
| # provider for authentication, instead of its internal password database. | ||
| # | ||
| # You will probably also want to set the following options to `false` to | ||
| # disable the regular login/registration flows: | ||
|
|
@@ -228,6 +226,11 @@ def generate_config_section(self, config_dir_path, server_name, **kwargs): | |
| # | ||
| # You will also want to investigate the settings under the "sso" configuration | ||
| # section below. | ||
|
|
||
| # Enable SAML2 for registration and login. Uses pysaml2. | ||
| # | ||
| # At least one of `sp_config` or `config_path` must be set in this section to | ||
| # enable SAML login. | ||
|
Comment on lines
+230
to
+233
There was a problem hiding this comment. I moved this section down since the bits above apply to all of the SSO code. I actually wonder if it should be part of the |
||
| # | ||
| # Once SAML support is enabled, a metadata file will be exposed at | ||
| # https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to | ||
|
|
@@ -243,40 +246,42 @@ def generate_config_section(self, config_dir_path, server_name, **kwargs): | |
| # so it is not normally necessary to specify them unless you need to | ||
| # override them. | ||
| # | ||
| sp_config: | ||
| # Point this to the IdP's metadata. You must provide either a local | ||
| # file via the `local` attribute or (preferably) a URL via the | ||
| # `remote` attribute. | ||
| # | ||
| #metadata: | ||
| # local: ["saml2/idp.xml"] | ||
| # remote: | ||
| # - url: https://our_idp/metadata.xml | ||
|
|
||
| # By default, the user has to go to our login page first. If you'd like | ||
| # to allow IdP-initiated login, set 'allow_unsolicited: true' in a | ||
| # 'service.sp' section: | ||
| # | ||
| #service: | ||
| # sp: | ||
| # allow_unsolicited: true | ||
|
|
||
| # The examples below are just used to generate our metadata xml, and you | ||
| # may well not need them, depending on your setup. Alternatively you | ||
| # may need a whole lot more detail - see the pysaml2 docs! | ||
|
|
||
| #description: ["My awesome SP", "en"] | ||
| #name: ["Test SP", "en"] | ||
|
|
||
| #organization: | ||
| # name: Example com | ||
| # display_name: | ||
| # - ["Example co", "en"] | ||
| # url: "http://example.com" | ||
|
|
||
| #contact_person: | ||
| # - given_name: Bob | ||
| # sur_name: "the Sysadmin" | ||
| # email_address": ["[email protected]"] | ||
| # contact_type": technical | ||
|
|
||
| # Instead of putting the config inline as above, you can specify a | ||
| # separate pysaml2 configuration file: | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.