summary refs log tree commit diff
path: root/docs/sample_config.yaml
diff options
context:
space:
mode:
authorHubbe <HubbeKing@users.noreply.github.com>2021-03-16 17:46:07 +0200
committerGitHub <noreply@github.com>2021-03-16 11:46:07 -0400
commitdd5e5dc1d6c88a3532d25f18cfc312d8bc813473 (patch)
treee030d17da10e55b25a5389a350aff6ef55dc37cd /docs/sample_config.yaml
parentReturn m.change_password.enabled=false if local database is disabled (#9588) (diff)
downloadsynapse-dd5e5dc1d6c88a3532d25f18cfc312d8bc813473.tar.xz
Add SSO attribute requirements for OIDC providers (#9609)
Allows limiting who can login using OIDC via the claims
made from the IdP.
Diffstat (limited to 'docs/sample_config.yaml')
-rw-r--r--docs/sample_config.yaml24
1 files changed, 24 insertions, 0 deletions
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index 7de000f4a4..a9f59e39f7 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -1873,6 +1873,24 @@ saml2_config:
 #           which is set to the claims returned by the UserInfo Endpoint and/or
 #           in the ID Token.
 #
+#   It is possible to configure Synapse to only allow logins if certain attributes
+#   match particular values in the OIDC userinfo. The requirements can be listed under
+#   `attribute_requirements` as shown below. All of the listed attributes must
+#   match for the login to be permitted. Additional attributes can be added to
+#   userinfo by expanding the `scopes` section of the OIDC config to retrieve
+#   additional information from the OIDC provider.
+#
+#   If the OIDC claim is a list, then the attribute must match any value in the list.
+#   Otherwise, it must exactly match the value of the claim. Using the example
+#   below, the `family_name` claim MUST be "Stephensson", but the `groups`
+#   claim MUST contain "admin".
+#
+#   attribute_requirements:
+#     - attribute: family_name
+#       value: "Stephensson"
+#     - attribute: groups
+#       value: "admin"
+#
 # See https://github.com/matrix-org/synapse/blob/master/docs/openid.md
 # for information on how to configure these options.
 #
@@ -1905,6 +1923,9 @@ oidc_providers:
   #      localpart_template: "{{ user.login }}"
   #      display_name_template: "{{ user.name }}"
   #      email_template: "{{ user.email }}"
+  #  attribute_requirements:
+  #    - attribute: userGroup
+  #      value: "synapseUsers"
 
   # For use with Keycloak
   #
@@ -1914,6 +1935,9 @@ oidc_providers:
   #  client_id: "synapse"
   #  client_secret: "copy secret generated in Keycloak UI"
   #  scopes: ["openid", "profile"]
+  #  attribute_requirements:
+  #    - attribute: groups
+  #      value: "admin"
 
   # For use with Github
   #