summary refs log tree commit diff
diff options
context:
space:
mode:
authorBen Banfield-Zanin <benbz@matrix.org>2020-11-19 14:57:13 +0000
committerGitHub <noreply@github.com>2020-11-19 09:57:13 -0500
commit53a6f5ddf0c6bf2a8c8c3b757fb54a0c7755daf7 (patch)
tree9dc5edaf1408de85cc569a0dd12fbe7643ca31cd
parentConsistently use room_id from federation request body (#8776) (diff)
downloadsynapse-53a6f5ddf0c6bf2a8c8c3b757fb54a0c7755daf7.tar.xz
SAML: Allow specifying the IdP entityid to use. (#8630)
If the SAML metadata includes multiple IdPs it is necessary to
specify which IdP to redirect users to for authentication.
-rw-r--r--changelog.d/8630.feature1
-rw-r--r--docs/sample_config.yaml8
-rw-r--r--synapse/config/saml2_config.py10
-rw-r--r--synapse/handlers/saml_handler.py3
4 files changed, 21 insertions, 1 deletions
diff --git a/changelog.d/8630.feature b/changelog.d/8630.feature
new file mode 100644
index 0000000000..706051f131
--- /dev/null
+++ b/changelog.d/8630.feature
@@ -0,0 +1 @@
+Allow specification of the SAML IdP if the metadata returns multiple IdPs.
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index bedc147770..52a1d8b853 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -1674,6 +1674,14 @@ saml2_config:
   #  - attribute: department
   #    value: "sales"
 
+  # If the metadata XML contains multiple IdP entities then the `idp_entityid`
+  # option must be set to the entity to redirect users to.
+  #
+  # Most deployments only have a single IdP entity and so should omit this
+  # option.
+  #
+  #idp_entityid: 'https://our_idp/entityid'
+
 
 # Enable OpenID Connect (OIDC) / OAuth 2.0 for registration and login.
 #
diff --git a/synapse/config/saml2_config.py b/synapse/config/saml2_config.py
index f233854941..c1b8e98ae0 100644
--- a/synapse/config/saml2_config.py
+++ b/synapse/config/saml2_config.py
@@ -90,6 +90,8 @@ class SAML2Config(Config):
             "grandfathered_mxid_source_attribute", "uid"
         )
 
+        self.saml2_idp_entityid = saml2_config.get("idp_entityid", None)
+
         # user_mapping_provider may be None if the key is present but has no value
         ump_dict = saml2_config.get("user_mapping_provider") or {}
 
@@ -383,6 +385,14 @@ class SAML2Config(Config):
           #    value: "staff"
           #  - attribute: department
           #    value: "sales"
+
+          # If the metadata XML contains multiple IdP entities then the `idp_entityid`
+          # option must be set to the entity to redirect users to.
+          #
+          # Most deployments only have a single IdP entity and so should omit this
+          # option.
+          #
+          #idp_entityid: 'https://our_idp/entityid'
         """ % {
             "config_dir_path": config_dir_path
         }
diff --git a/synapse/handlers/saml_handler.py b/synapse/handlers/saml_handler.py
index aee772239a..9bf430b656 100644
--- a/synapse/handlers/saml_handler.py
+++ b/synapse/handlers/saml_handler.py
@@ -58,6 +58,7 @@ class SamlHandler(BaseHandler):
     def __init__(self, hs: "synapse.server.HomeServer"):
         super().__init__(hs)
         self._saml_client = Saml2Client(hs.config.saml2_sp_config)
+        self._saml_idp_entityid = hs.config.saml2_idp_entityid
         self._auth_handler = hs.get_auth_handler()
         self._registration_handler = hs.get_registration_handler()
 
@@ -100,7 +101,7 @@ class SamlHandler(BaseHandler):
             URL to redirect to
         """
         reqid, info = self._saml_client.prepare_for_authenticate(
-            relay_state=client_redirect_url
+            entityid=self._saml_idp_entityid, relay_state=client_redirect_url
         )
 
         # Since SAML sessions timeout it is useful to log when they were created.