diff --git a/synapse/rest/client/login.py b/synapse/rest/client/login.py
index f65f8f2130..cc6863cadc 100644
--- a/synapse/rest/client/login.py
+++ b/synapse/rest/client/login.py
@@ -96,7 +96,6 @@ class LoginRestServlet(RestServlet):
self.jwt_enabled = hs.config.jwt.jwt_enabled
# SSO configuration.
- self.saml2_enabled = hs.config.saml2.saml2_enabled
self.oidc_enabled = hs.config.oidc.oidc_enabled
self._refresh_tokens_enabled = (
hs.config.registration.refreshable_access_token_lifetime is not None
@@ -133,7 +132,7 @@ class LoginRestServlet(RestServlet):
cfg=self.hs.config.ratelimiting.rc_login_account,
)
- # ensure the SAML/OIDC handlers are loaded on this worker instance.
+ # ensure the OIDC handlers are loaded on this worker instance.
# The reason for this is to ensure that the auth_provider_ids are registered
# with SsoHandler, which in turn ensures that the login/registration prometheus
# counters are initialised for the auth_provider_ids.
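Review bot: The rewritten comment at the top of this hunk still says `handlers` in the plural, although after this change the only handler that `_load_sso_handlers` can load is the OIDC one; `# ensure the OIDC handler is loaded on this worker instance.` reads correctly. The docstring of `_load_sso_handlers` in the last hunk of this file keeps the same leftover plural (`Ensure that the SSO handlers are loaded, if they are enabled by configuration.`) and could become `Ensure that the OIDC handler is loaded, if it is enabled by configuration.`. The enclosing method (apparently `__init__`, given the ratelimiter construction above) starts and ends outside this hunk.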
@@ -147,7 +146,7 @@ class LoginRestServlet(RestServlet):
# The login token flow requires m.login.token to be advertised.
support_login_token_flow = self._get_login_token_enabled
- if self.saml2_enabled or self.oidc_enabled:
+ if self.oidc_enabled:
flows.append(
{
"type": LoginRestServlet.SSO_TYPE,
@@ -317,7 +316,7 @@ class LoginRestServlet(RestServlet):
*,
request_info: RequestInfo,
) -> LoginResponse:
- """Handle non-token/saml/jwt logins
+ """Handle non-token/jwt logins
Args:
login_submission:
@@ -687,8 +686,7 @@ def register_servlets(hs: "HomeServer", http_server: HttpServer) -> None:
):
RefreshTokenServlet(hs).register(http_server)
if (
- hs.config.saml2.saml2_enabled
- or hs.config.oidc.oidc_enabled
+ hs.config.oidc.oidc_enabled
):
SsoRedirectServlet(hs).register(http_server)
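Review bot: After the `or` branch is dropped, the parenthesised three-line `if` above wraps a single attribute lookup; `if hs.config.oidc.oidc_enabled:` on one line says the same thing and matches the shape of the `if self.oidc_enabled:` check changed earlier in this file. `register_servlets` begins before this hunk and may continue past it.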
@@ -696,12 +694,10 @@ def register_servlets(hs: "HomeServer", http_server: HttpServer) -> None:
def _load_sso_handlers(hs: "HomeServer") -> None:
"""Ensure that the SSO handlers are loaded, if they are enabled by configuration.
- This is mostly useful to ensure that the SAML/OIDC handlers register themselves
+ This is mostly useful to ensure that the OIDC handler registers itself
with the main SsoHandler.
It's safe to call this multiple times.
"""
- if hs.config.saml2.saml2_enabled:
- hs.get_saml_handler()
if hs.config.oidc.oidc_enabled:
hs.get_oidc_handler()
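Review bot: With the `hs.config.saml2.saml2_enabled` branch removed here and at the two call sites changed above, this file no longer consults the SAML section of the homeserver config at all, but nothing in the diff shows what happens to a deployment whose configuration still carries that section. If the config loader elsewhere still accepts it silently, an operator may keep believing SAML login is available while the `m.login.sso` flow and the `/_synapse/client/saml2` resources are gone; it would be worth making a stale SAML config block a startup error or at least a logged warning, in the config code rather than here. Whether `_load_sso_handlers` ends at the last line of this hunk is not visible.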
diff --git a/synapse/rest/synapse/client/__init__.py b/synapse/rest/synapse/client/__init__.py
index 7b5bfc0421..3afeb97be2 100644
--- a/synapse/rest/synapse/client/__init__.py
+++ b/synapse/rest/synapse/client/__init__.py
@@ -68,16 +68,6 @@ def build_synapse_client_resource_tree(hs: "HomeServer") -> Mapping[str, Resourc
resources["/_synapse/client/oidc"] = OIDCResource(hs)
- if hs.config.saml2.saml2_enabled:
- from synapse.rest.synapse.client.saml2 import SAML2Resource
-
- res = SAML2Resource(hs)
- resources["/_synapse/client/saml2"] = res
-
- # This is also mounted under '/_matrix' for backwards-compatibility.
- # To be removed in Synapse v1.32.0.
- resources["/_matrix/saml2"] = res
-
if hs.config.federation.federation_whitelist_endpoint_enabled:
resources[FederationWhitelistResource.PATH] = FederationWhitelistResource(hs)
diff --git a/synapse/rest/synapse/client/saml2/__init__.py b/synapse/rest/synapse/client/saml2/__init__.py
deleted file mode 100644
index 3658c6a0e3..0000000000
--- a/synapse/rest/synapse/client/saml2/__init__.py
+++ /dev/null
@@ -1,42 +0,0 @@
-#
-# This file is licensed under the Affero General Public License (AGPL) version 3.
-#
-# Copyright (C) 2023 New Vector, Ltd
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# See the GNU Affero General Public License for more details:
-# <https://www.gnu.org/licenses/agpl-3.0.html>.
-#
-# Originally licensed under the Apache License, Version 2.0:
-# <http://www.apache.org/licenses/LICENSE-2.0>.
-#
-# [This file includes modifications made by New Vector Limited]
-#
-#
-
-import logging
-from typing import TYPE_CHECKING
-
-from twisted.web.resource import Resource
-
-from synapse.rest.synapse.client.saml2.metadata_resource import SAML2MetadataResource
-from synapse.rest.synapse.client.saml2.response_resource import SAML2ResponseResource
-
-if TYPE_CHECKING:
- from synapse.server import HomeServer
-
-logger = logging.getLogger(__name__)
-
-
-class SAML2Resource(Resource):
- def __init__(self, hs: "HomeServer"):
- Resource.__init__(self)
- self.putChild(b"metadata.xml", SAML2MetadataResource(hs))
- self.putChild(b"authn_response", SAML2ResponseResource(hs))
-
-
-__all__ = ["SAML2Resource"]
diff --git a/synapse/rest/synapse/client/saml2/metadata_resource.py b/synapse/rest/synapse/client/saml2/metadata_resource.py
deleted file mode 100644
index bcd5195108..0000000000
--- a/synapse/rest/synapse/client/saml2/metadata_resource.py
+++ /dev/null
@@ -1,46 +0,0 @@
-#
-# This file is licensed under the Affero General Public License (AGPL) version 3.
-#
-# Copyright (C) 2023 New Vector, Ltd
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# See the GNU Affero General Public License for more details:
-# <https://www.gnu.org/licenses/agpl-3.0.html>.
-#
-# Originally licensed under the Apache License, Version 2.0:
-# <http://www.apache.org/licenses/LICENSE-2.0>.
-#
-# [This file includes modifications made by New Vector Limited]
-#
-#
-
-from typing import TYPE_CHECKING
-
-import saml2.metadata
-
-from twisted.web.resource import Resource
-from twisted.web.server import Request
-
-if TYPE_CHECKING:
- from synapse.server import HomeServer
-
-
-class SAML2MetadataResource(Resource):
- """A Twisted web resource which renders the SAML metadata"""
-
- isLeaf = 1
-
- def __init__(self, hs: "HomeServer"):
- Resource.__init__(self)
- self.sp_config = hs.config.saml2.saml2_sp_config
-
- def render_GET(self, request: Request) -> bytes:
- metadata_xml = saml2.metadata.create_metadata_string(
- configfile=None, config=self.sp_config
- )
- request.setHeader(b"Content-Type", b"text/xml; charset=utf-8")
- return metadata_xml
diff --git a/synapse/rest/synapse/client/saml2/response_resource.py b/synapse/rest/synapse/client/saml2/response_resource.py
deleted file mode 100644
index 7b8667e04c..0000000000
--- a/synapse/rest/synapse/client/saml2/response_resource.py
+++ /dev/null
@@ -1,52 +0,0 @@
-#
-# This file is licensed under the Affero General Public License (AGPL) version 3.
-#
-# Copyright (C) 2023 New Vector, Ltd
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# See the GNU Affero General Public License for more details:
-# <https://www.gnu.org/licenses/agpl-3.0.html>.
-#
-# Originally licensed under the Apache License, Version 2.0:
-# <http://www.apache.org/licenses/LICENSE-2.0>.
-#
-# [This file includes modifications made by New Vector Limited]
-#
-#
-
-from typing import TYPE_CHECKING
-
-from twisted.web.server import Request
-
-from synapse.http.server import DirectServeHtmlResource
-from synapse.http.site import SynapseRequest
-
-if TYPE_CHECKING:
- from synapse.server import HomeServer
-
-
-class SAML2ResponseResource(DirectServeHtmlResource):
- """A Twisted web resource which handles the SAML response"""
-
- isLeaf = 1
-
- def __init__(self, hs: "HomeServer"):
- super().__init__()
- self._saml_handler = hs.get_saml_handler()
- self._sso_handler = hs.get_sso_handler()
-
- async def _async_render_GET(self, request: Request) -> None:
- # We're not expecting any GET request on that resource if everything goes right,
- # but some IdPs sometimes end up responding with a 302 redirect on this endpoint.
- # In this case, just tell the user that something went wrong and they should
- # try to authenticate again.
- self._sso_handler.render_error(
- request, "unexpected_get", "Unexpected GET request on /saml2/authn_response"
- )
-
- async def _async_render_POST(self, request: SynapseRequest) -> None:
- await self._saml_handler.handle_saml_response(request)