author | Hubbe <HubbeKing@users.noreply.github.com> | 2021-03-16 17:46:07 +0200 |
committer | GitHub <noreply@github.com> | 2021-03-16 11:46:07 -0400 |
commit | dd5e5dc1d6c88a3532d25f18cfc312d8bc813473 (patch) | |
tree | e030d17da10e55b25a5389a350aff6ef55dc37cd /docs | |
parent | Return m.change_password.enabled=false if local database is disabled (#9588) (diff) | |
download | synapse-dd5e5dc1d6c88a3532d25f18cfc312d8bc813473.tar.xz |
Add SSO attribute requirements for OIDC providers (#9609)
Allows limiting who can log in using OIDC via the claims returned by the IdP.
Diffstat (limited to 'docs')
-rw-r--r-- | docs/sample_config.yaml | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index 7de000f4a4..a9f59e39f7 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -1873,6 +1873,24 @@ saml2_config:
 # which is set to the claims returned by the UserInfo Endpoint and/or
 # in the ID Token.
 #
+# It is possible to configure Synapse to only allow logins if certain attributes
+# match particular values in the OIDC userinfo. The requirements can be listed under
+# `attribute_requirements` as shown below. All of the listed attributes must
+# match for the login to be permitted. Additional attributes can be added to
+# userinfo by expanding the `scopes` section of the OIDC config to retrieve
+# additional information from the OIDC provider.
+#
+# If the OIDC claim is a list, then the attribute must match any value in the list.
+# Otherwise, it must exactly match the value of the claim. Using the example
+# below, the `family_name` claim MUST be "Stephensson", but the `groups`
+# claim MUST contain "admin".
+#
+# attribute_requirements:
+# - attribute: family_name
+# value: "Stephensson"
+# - attribute: groups
+# value: "admin"
+#
 # See https://github.com/matrix-org/synapse/blob/master/docs/openid.md
 # for information on how to configure these options.
 #
@@ -1905,6 +1923,9 @@ oidc_providers:
 # localpart_template: "{{ user.login }}"
 # display_name_template: "{{ user.name }}"
 # email_template: "{{ user.email }}"
+ # attribute_requirements:
+ # - attribute: userGroup
+ # value: "synapseUsers"

 # For use with Keycloak
 #
@@ -1914,6 +1935,9 @@ oidc_providers:
 # client_id: "synapse"
 # client_secret: "copy secret generated in Keycloak UI"
 # scopes: ["openid", "profile"]
+ # attribute_requirements:
+ # - attribute: groups
+ # value: "admin"

 # For use with Github
 #
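Review bot: The new `attribute_requirements` prose in the first hunk explains how a present claim is compared but not what happens when the required claim is absent from the userinfo altogether, which is the case an operator relying on this as an access control most needs to know; since the text says all listed attributes must match, a missing claim presumably refuses the login, and stating that explicitly would remove the ambiguity, e.g. `# A login is refused if a required claim is missing from the userinfo.`. The surrounding context also says claims may come from the UserInfo Endpoint and/or the ID Token, while the new paragraph only says "userinfo"; if the check runs over the merged claims, saying so in the same sentence would avoid operators assuming ID-Token-only claims are ignored. The same wording would apply to the two provider examples in the later hunks, which add the option without any note.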