Complete the SAML2 implementation (#5422)

* SAML2 Improvements and redirect stuff Signed-off-by: Alexander Trost <galexrt@googlemail.com> * Code cleanups and simplifications. Also: share the saml client between redirect and response handlers. * changelog * Revert redundant changes to static js * Move all the saml stuff out to a centralised handler * Add support for tracking SAML2 sessions. This allows us to correctly handle `allow_unsolicited: False`. * update sample config * cleanups * update sample config * rename BaseSSORedirectServlet for consistency * Address review comments
author: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> 2019-07-02 11:18:11 +0100
committer: GitHub <noreply@github.com> 2019-07-02 11:18:11 +0100
commit: 6eecb6e500776bb6b72536458a9529985a819bfd (patch)
tree: 9a86ec961b14b31dfda91b81cb56b42340bcb569 /docs/sample_config.yaml
parent: Merge pull request #5587 from matrix-org/erikj/fix_synctl (diff)
parent: Merge branch 'develop' into rav/saml2_client (diff)
download: synapse-6eecb6e500776bb6b72536458a9529985a819bfd.tar.xz
1 files changed, 21 insertions, 1 deletions
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index bf9cd88b15..7fe7c94ac4 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -997,6 +997,12 @@ signing_key_path: "CONFDIR/SERVERNAME.signing.key"
 # so it is not normally necessary to specify them unless you need to
 # override them.
 #
+# Once SAML support is enabled, a metadata file will be exposed at
+# https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to
+# use to configure your SAML IdP with. Alternatively, you can manually configure
+# the IdP to use an ACS location of
+# https://<server>:<port>/_matrix/saml2/authn_response.
+#
 #saml2_config:
 #  sp_config:
 #    # point this to the IdP's metadata. You can use either a local file or
@@ -1006,7 +1012,15 @@ signing_key_path: "CONFDIR/SERVERNAME.signing.key"
 #      remote:
 #        - url: https://our_idp/metadata.xml
 #
-#    # The rest of sp_config is just used to generate our metadata xml, and you
+#    # By default, the user has to go to our login page first. If you'd like to
+#    # allow IdP-initiated login, set 'allow_unsolicited: True' in a
+#    # 'service.sp' section:
+#    #
+#    #service:
+#    #  sp:
+#    #    allow_unsolicited: True
+#
+#    # The examples below are just used to generate our metadata xml, and you
 #    # may well not need it, depending on your setup. Alternatively you
 #    # may need a whole lot more detail - see the pysaml2 docs!
 #
@@ -1029,6 +1043,12 @@ signing_key_path: "CONFDIR/SERVERNAME.signing.key"
 #  # separate pysaml2 configuration file:
 #  #
 #  config_path: "CONFDIR/sp_conf.py"
+#
+#  # the lifetime of a SAML session. This defines how long a user has to
+#  # complete the authentication process, if allow_unsolicited is unset.
+#  # The default is 5 minutes.
+#  #
+#  # saml_session_lifetime: 5m
author	Richard van der Hoff <1389908+richvdh@users.noreply.github.com>	2019-07-02 11:18:11 +0100
committer	GitHub <noreply@github.com>	2019-07-02 11:18:11 +0100
commit	6eecb6e500776bb6b72536458a9529985a819bfd (patch)
tree	9a86ec961b14b31dfda91b81cb56b42340bcb569 /docs/sample_config.yaml
parent	Merge pull request #5587 from matrix-org/erikj/fix_synctl (diff)
parent	Merge branch 'develop' into rav/saml2_client (diff)
download	synapse-6eecb6e500776bb6b72536458a9529985a819bfd.tar.xz