Implement login blocking based on SAML attributes (#8052)

Hopefully this mostly speaks for itself. I also did a bit of cleaning up of the error handling. Fixes #8047
author: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> 2020-08-11 16:08:10 +0100
committer: GitHub <noreply@github.com> 2020-08-11 16:08:10 +0100
commit: 0cb169900ebd39b6f46dbff1b1909cc5b3c17493 (patch)
tree: f903fd61691b639be7deff59f819b83db3a15c51 /docs
parent: Merge remote-tracking branch 'origin/master' into develop (diff)
download: synapse-0cb169900ebd39b6f46dbff1b1909cc5b3c17493.tar.xz
1 files changed, 11 insertions, 0 deletions
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index fe85978a1f..9235b89fb1 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -1577,6 +1577,17 @@ saml2_config:
   #
   #grandfathered_mxid_source_attribute: upn
 
+  # It is possible to configure Synapse to only allow logins if SAML attributes
+  # match particular values. The requirements can be listed under
+  # `attribute_requirements` as shown below. All of the listed attributes must
+  # match for the login to be permitted.
+  #
+  #attribute_requirements:
+  #  - attribute: userGroup
+  #    value: "staff"
+  #  - attribute: department
+  #    value: "sales"
+
   # Directory in which Synapse will try to find the template files below.
   # If not set, default templates from within the Synapse package will be used.
   #
author	Richard van der Hoff <1389908+richvdh@users.noreply.github.com>	2020-08-11 16:08:10 +0100
committer	GitHub <noreply@github.com>	2020-08-11 16:08:10 +0100
commit	0cb169900ebd39b6f46dbff1b1909cc5b3c17493 (patch)
tree	f903fd61691b639be7deff59f819b83db3a15c51 /docs
parent	Merge remote-tracking branch 'origin/master' into develop (diff)
download	synapse-0cb169900ebd39b6f46dbff1b1909cc5b3c17493.tar.xz