Add support for tracking SAML2 sessions.
This allows us to correctly handle `allow_unsolicited: False`.
1 files changed, 19 insertions, 1 deletions
diff --git a/synapse/config/saml2_config.py b/synapse/config/saml2_config.py
index 463b5fdd68..965a97837f 100644
--- a/synapse/config/saml2_config.py
+++ b/synapse/config/saml2_config.py
@@ -27,7 +27,7 @@ class SAML2Config(Config):
return
try:
- check_requirements('saml2')
+ check_requirements("saml2")
except DependencyException as e:
raise ConfigError(e.message)
@@ -43,6 +43,11 @@ class SAML2Config(Config):
if config_path is not None:
self.saml2_sp_config.load_file(config_path)
+ # session lifetime: in milliseconds
+ self.saml2_session_lifetime = self.parse_duration(
+ saml2_config.get("saml_session_lifetime", "5m")
+ )
+
def _default_saml_config_dict(self):
import saml2
@@ -87,6 +92,13 @@ class SAML2Config(Config):
# remote:
# - url: https://our_idp/metadata.xml
#
+ # # By default, the user has to go to our login page first. If you'd like to
+ # # allow IdP-initiated login, set 'allow_unsolicited: True' in an 'sp'
+ # # section:
+ # #
+ # #sp:
+ # # allow_unsolicited: True
+ # #
# # The rest of sp_config is just used to generate our metadata xml, and you
# # may well not need it, depending on your setup. Alternatively you
# # may need a whole lot more detail - see the pysaml2 docs!
@@ -110,6 +122,12 @@ class SAML2Config(Config):
# # separate pysaml2 configuration file:
# #
# config_path: "%(config_dir_path)s/sp_conf.py"
+ #
+ # # the lifetime of a SAML session. This defines how long a user has to
+ # # complete the authentication process, if allow_unsolicited is unset.
+ # # The default is 5 minutes.
+ # #
+ # # saml_session_lifetime: 5m
""" % {
"config_dir_path": config_dir_path
}
|
