author: Rory& <root@rory.gay> 2025-06-28 02:25:58 +0200
committer: Rory& <root@rory.gay> 2025-06-28 02:25:58 +0200
commit: 77b806eb4ec604412c2ca8c43f0eeff94a8d4ce9 (patch)
tree: 7d0b2bbcb22d10aac8a739d31ebcd7cdbf2cbfc3 /docs/usage
parent: Remove CAS auth (diff)
download: synapse-77b806eb4ec604412c2ca8c43f0eeff94a8d4ce9.tar.xz
Remove SAML/2 auth
Diffstat (limited to 'docs/usage')
-rw-r--r--  docs/usage/configuration/config_documentation.md  124
-rw-r--r--  docs/usage/configuration/user_authentication/README.md  2
-rw-r--r--  docs/usage/configuration/user_authentication/single_sign_on/README.md  6
-rw-r--r--  docs/usage/configuration/user_authentication/single_sign_on/saml.md  8
4 files changed, 7 insertions, 133 deletions
diff --git a/docs/usage/configuration/config_documentation.md b/docs/usage/configuration/config_documentation.md

index b72fb36439..999a4c1a12 100644 --- a/docs/usage/configuration/config_documentation.md +++ b/docs/usage/configuration/config_documentation.md
@@ -3039,7 +3039,7 @@ use_appservice_legacy_authorization: true *(string|null)* A secret which is used to sign - access token for guest users, -- short-term login token used during SSO logins (OIDC or SAML2) and +- short-term login token used during SSO logins (OIDC) and - token used for unsubscribing from email notifications. If none is specified, the `registration_shared_secret` is used, if one is given; otherwise, a secret key is derived from the signing key. 
@@ -3211,126 +3211,6 @@ You will probably also want to set the following options to `false` to disable t * [`password_config.enabled`](#password_config) --- -### `saml2_config` - -*(object)* Enable SAML2 for registration and login. Uses pysaml2. To learn more about pysaml and to find a full list options for configuring pysaml, read the docs [here](https://pysaml2.readthedocs.io/en/latest/). - -At least one of `sp_config` or `config_path` must be set in this section to enable SAML login. You can either put your entire pysaml config inline using the `sp_config` option, or you can specify a path to a psyaml config file with the sub-option `config_path`. - -Once SAML support is enabled, a metadata file will be exposed at `https://<server>:<port>/_synapse/client/saml2/metadata.xml`, which you may be able to use to configure your SAML IdP with. Alternatively, you can manually configure the IdP to use an ACS location of `https://<server>:<port>/_synapse/client/saml2/authn_response`. - -This setting has the following sub-options: - -* `idp_name` (string): A user-facing name for this identity provider, which is used to offer the user a choice of login mechanisms. - -* `idp_icon` (string|null): An optional icon for this identity provider, which is presented by clients and Synapse's own IdP picker page. If given, must be an MXC URI of the format `mxc://<server-name>/<media-id>`. (An easy way to obtain such an MXC URI is to upload an image to an (unencrypted) room and then copy the URL from the source of the event.) - -* `idp_brand`: An optional brand for this identity provider, allowing clients to style the login flow according to the identity provider in question. See the [spec](https://spec.matrix.org/latest/) for possible options here. - -* `sp_config` (object|null): Configuration for the pysaml2 Service Provider. See pysaml2 docs for format of config. 
Default values will be used for the `entityid` and `service` settings, so it is not normally necessary to specify them unless you need to override them. Here are a few useful sub-options for configuring pysaml: - * `metadata`: Point this to the IdP's metadata. You must provide either a local file via the `local` attribute or (preferably) a URL via the `remote` attribute. - * `accepted_time_diff: 3`: Allowed clock difference in seconds between the homeserver and IdP. Defaults to 0. - * `service`: By default, the user has to go to our login page first. If you'd like to allow IdP-initiated login, set `allow_unsolicited` to true under `sp` in the `service` section. Defaults to `null`. - -* `config_path` (string|null): Specify a separate pysaml2 configuration file. Defaults to `null`. - -* `saml_session_lifetime` (duration): The lifetime of a SAML session. This defines how long a user has to complete the authentication process, if `allow_unsolicited` is unset. Defaults to `"15m"`. - -* `user_mapping_provider` (object): Using this option, an external module can be provided as a custom solution to mapping attributes returned from a saml provider onto a matrix user. - - This setting has the following sub-options: - - * `module` (string): The custom module's class. - - * `config` (object): Custom configuration values for the module. Use the values provided in the example if you are using the built-in user_mapping_provider, or provide your own config values for a custom class if you are using one. This section will be passed as a Python dictionary to the module's `parse_config` method. The built-in provider takes the following two options: - * `mxid_source_attribute`: The SAML attribute (after mapping via the attribute maps) to use to derive the Matrix ID from. It is "uid" by default. Note: This used to be configured by the `saml2_config.mxid_source_attribute option`. If that is still defined, its value will be used instead. 
- * `mxid_mapping`: The mapping system to use for mapping the saml attribute onto a matrix ID. Options include: `hexencode` (which maps unpermitted characters to `=xx`) and `dotreplace` (which replaces unpermitted characters with `.`). The default is `hexencode`. Note: This used to be configured by the `saml2_config.mxid_mapping option`. If that is still defined, its value will be used instead. - -* `grandfathered_mxid_source_attribute` (string): In previous versions of synapse, the mapping from SAML attribute to MXID was always calculated dynamically rather than stored in a table. For backwards-compatibility, we will look for `user_ids` matching such a pattern before creating a new account. This setting controls the SAML attribute which will be used for this backwards-compatibility lookup. Typically it should be "uid", but if the attribute maps are changed, it may be necessary to change it. Defaults to `"uid"`. - -* `attribute_requirements` (array): It is possible to configure Synapse to only allow logins if SAML attributes match particular values. The requirements can be listed under `attribute_requirements` as shown in the example. All of the listed attributes must match for the login to be permitted. Values can be specified in a `one_of` list to allow multiple values for an attribute. - - Options for each entry include: - - * `attribute` (string): SAML attribute for which to allow logins. - - * `value` (string): Value the SAML attribute must match. - - * `one_of` (array): List of values the SAML attribute must all match. - -* `idp_entityid` (string|null): If the metadata XML contains multiple IdP entities then the `idp_entityid` option must be set to the entity to redirect users to. Most deployments only have a single IdP entity and so should omit this option. Defaults to `null`. 
- -Example configuration: -```yaml -saml2_config: - sp_config: - metadata: - local: - - saml2/idp.xml - remote: - - url: https://our_idp/metadata.xml - accepted_time_diff: 3 - service: - sp: - allow_unsolicited: true - description: - - My awesome SP - - en - name: - - Test SP - - en - ui_info: - display_name: - - lang: en - text: Display Name is the descriptive name of your service. - description: - - lang: en - text: Description should be a short paragraph explaining the purpose of the - service. - information_url: - - lang: en - text: https://example.com/terms-of-service - privacy_statement_url: - - lang: en - text: https://example.com/privacy-policy - keywords: - - lang: en - text: - - Matrix - - Element - logo: - - lang: en - text: https://example.com/logo.svg - width: '200' - height: '80' - organization: - name: Example com - display_name: - - - Example co - - en - url: http://example.com - contact_person: - - given_name: Bob - sur_name: the Sysadmin - email_address: - - admin@example.com - contact_type: technical - saml_session_lifetime: 5m - user_mapping_provider: - config: - mxid_source_attribute: displayName - mxid_mapping: dotreplace - grandfathered_mxid_source_attribute: upn - attribute_requirements: - - attribute: userGroup - value: staff - - attribute: department - one_of: - - sales - - admins - idp_entityid: https://our_idp/entityid -``` ---- ### `oidc_providers` *(array)* List of OpenID Connect (OIDC) / OAuth 2.0 identity providers, for registration and login. See [here](../../openid.md) for information on how to configure these options. @@ -3516,7 +3396,7 @@ oidc_providers: --- ### `sso` -*(object)* Additional settings to use with single-sign on systems such as OpenID Connect, SAML2 and CAS. +*(object)* Additional settings to use with single-sign on systems such as OpenID Connect. Server admins can configure custom templates for pages related to SSO. See [here](../../templates.md) for more information. 
diff --git a/docs/usage/configuration/user_authentication/README.md b/docs/usage/configuration/user_authentication/README.md
index 087ae053cf..644ca66445 100644 --- a/docs/usage/configuration/user_authentication/README.md +++ b/docs/usage/configuration/user_authentication/README.md
@@ -7,7 +7,7 @@ Included in Synapse is support for authenticating users via: * A username and password. * An email address and password. -* Single Sign-On through the SAML, Open ID Connect or CAS protocols. +* Single Sign-On through the Open ID Connect protocol. * JSON Web Tokens. * An administrator's shared secret. diff --git a/docs/usage/configuration/user_authentication/single_sign_on/README.md b/docs/usage/configuration/user_authentication/single_sign_on/README.md
index b94aad92cf..b6e0b080b5 100644 --- a/docs/usage/configuration/user_authentication/single_sign_on/README.md +++ b/docs/usage/configuration/user_authentication/single_sign_on/README.md
@@ -1,5 +1,7 @@ # Single Sign-On -Synapse supports single sign-on through the SAML, Open ID Connect or CAS protocols. +Synapse supports single sign-on through the Open ID Connect protocol. LDAP and other login methods are supported through first and third-party password -auth provider modules. \ No newline at end of file +auth provider modules. + +Note that this patchset removes SAML and CAS protocol support. \ No newline at end of file diff --git a/docs/usage/configuration/user_authentication/single_sign_on/saml.md b/docs/usage/configuration/user_authentication/single_sign_on/saml.md deleted file mode 100644
index 2b6f052cc1..0000000000 --- a/docs/usage/configuration/user_authentication/single_sign_on/saml.md +++ /dev/null
@@ -1,8 +0,0 @@ -# SAML - -Synapse supports authenticating users via the [Security Assertion -Markup Language](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language) -(SAML) protocol natively. - -Please see the `saml2_config` and `sso` sections of the [Synapse configuration -file](../../../configuration/homeserver_sample_config.md) for more details. \ No newline at end of file
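Review bot: in the `@@ -3211,126 +3211,6 @@` hunk of config_documentation.md, the removed `saml2_config` section was the only place documenting the `/_synapse/client/saml2/metadata.xml` and `/_synapse/client/saml2/authn_response` endpoints and the `grandfathered_mxid_source_attribute` lookup, so an admin whose users were created via SAML is left with no pointer on what happens to those accounts or to a `saml2_config` block still present in their config. Since this diffstat is limited to `docs/usage`, confirm the upgrade notes say whether the server now rejects the `saml2_config` key at startup or silently ignores it, and consider a one-line migration pointer (e.g. to `oidc_providers`) where the section used to be.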
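Review bot: in the `@@ -3516,7 +3396,7 @@` hunk for the `sso` option, `such as OpenID Connect` now lists a single item, so the sentence still implies other supported providers exist; with SAML2 and CAS gone, `*(object)* Additional settings to use with single sign-on via OpenID Connect.` is more accurate, and `single sign-on` matches the spelling used in single_sign_on/README.md rather than `single-sign on`.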
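Review bot: the replacement line in user_authentication/README.md keeps the spelling `Open ID Connect`, while config_documentation.md in the same patch writes `OpenID Connect (OIDC)`; since the line is being rewritten anyway, `* Single Sign-On through the OpenID Connect protocol.` keeps the two pages consistent.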
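Review bot: in single_sign_on/README.md, the added sentence `Note that this patchset removes SAML and CAS protocol support.` describes the patch rather than the documented software, which a reader of the rendered page cannot see; state it as a property of this build (e.g. `SAML and CAS are not supported.`) or fold it into the first sentence. The file also still ends with `\ No newline at end of file` after the edit, so add a trailing newline while the file is touched, and the `Open ID Connect` spelling should become `OpenID Connect` here as well.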
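Review bot: deleting single_sign_on/saml.md leaves any page that links to it broken, and because this diffstat is limited to `docs/usage` the diff cannot show whether the docs index (the mdbook SUMMARY.md, if it lists this page) and other cross-references to `saml.md` or to the `saml2_config` section were updated. Confirm those links are removed in the same change, otherwise the docs build will carry a dangling entry.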