author | David Baker <dave@matrix.org> | 2019-09-09 15:04:01 +0100 |
---|---|---|
committer | David Baker <dave@matrix.org> | 2019-09-09 15:04:01 +0100 |
commit | 7c0487b01f33eb3f688ff98bc7ae123b6e6bfb7d (patch) | |
tree | bf71b683b9ca404d1ccce726100ff5fb58b56554 | |
parent | Servers-known-about statistic (#5981) (diff) | |
download | synapse-7c0487b01f33eb3f688ff98bc7ae123b6e6bfb7d.tar.xz |
Read localpart / displayName from attestations configured in config
Allow the attestations that we use for localpart & displayname to be configured in the config
-rw-r--r-- | synapse/config/saml2_config.py | 10 | ||||
-rw-r--r-- | synapse/handlers/saml_handler.py | 12 |
2 files changed, 17 insertions, 5 deletions
diff --git a/synapse/config/saml2_config.py b/synapse/config/saml2_config.py
index 6a8161547a..afaa518ba5 100644
--- a/synapse/config/saml2_config.py
+++ b/synapse/config/saml2_config.py
@@ -48,6 +48,9 @@ class SAML2Config(Config):
 saml2_config.get("saml_session_lifetime", "5m")
 )
+ self.saml2_username_attestation = saml2_config.get("username_attestation", "uid")
+ self.saml2_displayname_attestation = saml2_config.get("displayname_attestation", "displayName")
+
 def _default_saml_config_dict(self):
 import saml2
@@ -135,6 +138,13 @@ class SAML2Config(Config):
 # # The default is 5 minutes.
 # #
 # # saml_session_lifetime: 5m
+ # #
+ # # # The ID of the attestation that will be used for the localpart of the user's Matrix ID
+ # # # Deafault: 'uid'
+ # # username_attestation: "uid"
+ # #
+ # # # The ID of the attestation that will be used for the user's display name. Default: 'displayName'
+ # # displayname_attestation: "displayName"
 """ % {
 "config_dir_path": config_dir_path
 }
diff --git a/synapse/handlers/saml_handler.py b/synapse/handlers/saml_handler.py
index a1ce6929cf..b81ac75281 100644
--- a/synapse/handlers/saml_handler.py
+++ b/synapse/handlers/saml_handler.py
@@ -35,6 +35,8 @@ class SamlHandler:
 self._clock = hs.get_clock()
 self._saml2_session_lifetime = hs.config.saml2_session_lifetime
+ self.saml2_username_attestation = hs.config.saml2_username_attestation
+ self.saml2_displayname_attestation = hs.config.saml2_displayname_attestation
 def handle_redirect_request(self, client_redirect_url):
 """Handle an incoming request to /login/sso/redirect
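Review bot: The two new values read via `saml2_config.get("username_attestation", "uid")` and `saml2_config.get("displayname_attestation", "displayName")` are stored without any type check, so a mistyped YAML value (a list, a mapping, an integer) is accepted at startup and only fails later inside the SAML handler, where it is used as a dict key, with an unhelpful error on the login path rather than a clear configuration error. I would validate both right after reading them, e.g. `if not isinstance(self.saml2_username_attestation, str):` followed by raising whatever config-error exception this module uses for its other options, with a message naming the key. Separately, what the handler looks up is a SAML *attribute* (pysaml2's `ava` is the attribute/value mapping), so calling it an "attestation" in both the config keys and the Python attribute names is likely to confuse operators mapping these to their IdP's attribute names; if the key names are not yet public, `username_attribute` / `displayname_attribute` would be clearer. The enclosing read-config method starts outside the hunk.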
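Review bot: The generated config documentation in the second hunk carries a typo in the added line `#   # # Deafault: 'uid'`, which should read `#   # # Default: 'uid'` (this text is emitted into every operator's sample config). More importantly, now that the attribute feeding the Matrix localpart is operator-chosen, the documentation should say what properties it must have: I would add after the first new description line a sentence such as `#   # # This attribute must be unique per user, stable over time and not editable by the user, since it becomes the user's Matrix ID; an attribute that does not meet this lets two IdP users collide on one account.` For consistency the two options could also state their defaults the same way (one puts it on its own line, the other inline).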
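Review bot: The two attributes added in the handler's constructor are public (`self.saml2_username_attestation`, `self.saml2_displayname_attestation`) while the neighbouring context lines use the private convention (`self._clock`, `self._saml2_session_lifetime`); nothing in the hunk reads them from outside the class, so for consistency I would write `self._saml2_username_attestation = hs.config.saml2_username_attestation` and `self._saml2_displayname_attestation = hs.config.saml2_displayname_attestation`, updating the two uses in the response handler accordingly. The constructor's `def __init__` line is outside the hunk.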
@@ -91,14 +93,14 @@ class SamlHandler:
 logger.warning("SAML2 response was not signed")
 raise SynapseError(400, "SAML2 response was not signed")
- if "uid" not in saml2_auth.ava:
- logger.warning("SAML2 response lacks a 'uid' attestation")
- raise SynapseError(400, "uid not in SAML2 response")
+ if self.saml2_username_attestation not in saml2_auth.ava:
+ logger.warning("SAML2 response lacks a '%s' attestation", self.saml2_username_attestation)
+ raise SynapseError(400, "username attestation not in SAML2 response")
 self._outstanding_requests_dict.pop(saml2_auth.in_response_to, None)
- username = saml2_auth.ava["uid"][0]
- displayName = saml2_auth.ava.get("displayName", [None])[0]
+ username = saml2_auth.ava[self.saml2_username_attestation][0]
+ displayName = saml2_auth.ava.get(self.saml2_displayname_attestation, [None])[0]
 return self._sso_auth_handler.on_successful_auth(
 username, request, relay_state, user_display_name=displayName |
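Review bot: The presence check `if self.saml2_username_attestation not in saml2_auth.ava` only proves the key exists; `saml2_auth.ava[self.saml2_username_attestation][0]` a few lines later still indexes a list, so an IdP that asserts the attribute with no values (an empty list, if pysaml2 can deliver one) raises `IndexError` and surfaces as an unhandled error instead of the 400 the missing-attribute path returns, and `ava.get(self.saml2_displayname_attestation, [None])[0]` has the same gap for a present-but-empty display name. Fetching the value list once and treating "missing" and "empty" alike closes both and removes the repeated lookup across the `pop` call. Also, because the attribute is now operator-chosen (an e-mail or display-name attribute is an easy pick), the value may contain characters that are not valid in a Matrix localpart, and nothing in this hunk validates it before it is handed to `on_successful_auth`; unless that helper validates the localpart, this should be checked here and rejected with a 400. The enclosing response-handling method starts before this hunk.
```python
# … unchanged: signature check and "SAML2 response was not signed" error …
username_values = saml2_auth.ava.get(self.saml2_username_attestation) or []
if not username_values:
    logger.warning("SAML2 response lacks a '%s' attestation", self.saml2_username_attestation)
    raise SynapseError(400, "username attestation not in SAML2 response")

self._outstanding_requests_dict.pop(saml2_auth.in_response_to, None)

username = username_values[0]
displayName = (saml2_auth.ava.get(self.saml2_displayname_attestation) or [None])[0]
# … unchanged: on_successful_auth call …
```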