diff --git a/synapse/config/saml2_config.py b/synapse/config/saml2_config.py
index 6a8161547a..afaa518ba5 100644
--- a/synapse/config/saml2_config.py
+++ b/synapse/config/saml2_config.py
@@ -48,6 +48,9 @@ class SAML2Config(Config):
saml2_config.get("saml_session_lifetime", "5m")
)
+ self.saml2_username_attestation = saml2_config.get("username_attestation", "uid")
+ self.saml2_displayname_attestation = saml2_config.get("displayname_attestation", "displayName")
+
def _default_saml_config_dict(self):
import saml2
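Review bot: The two new options at L8-L9 are read with `saml2_config.get(...)` and never checked to be strings, so a mistyped YAML value (an integer, or a list) is not rejected at startup but surfaces later in the SAML handler as a confusing "attestation not in SAML2 response" login failure, or — for an unhashable value — presumably as a TypeError from the dict membership test. Since these keys select which signed assertion attribute becomes the user's localpart, validate them where the rest of this class validates config: `if not isinstance(self.saml2_username_attestation, str): raise ConfigError("username_attestation must be a string")`, and the same for `displayname_attestation`. As a point of naming, SAML and pysaml2 (`ava`) call these values "attributes", not "attestations"; if the option names are still open, `username_attribute` / `displayname_attribute` would match what operators see in their IdP's attribute mapping.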
@@ -135,6 +138,13 @@ class SAML2Config(Config):
# # The default is 5 minutes.
# #
# # saml_session_lifetime: 5m
+ # #
+ # # # The ID of the attestation that will be used for the localpart of the user's Matrix ID
+ # # # Deafault: 'uid'
+ # # username_attestation: "uid"
+ # #
+ # # # The ID of the attestation that will be used for the user's display name. Default: 'displayName'
+ # # displayname_attestation: "displayName"
""" % {
"config_dir_path": config_dir_path
}
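Review bot: The sample-config text at L19 has a typo, `# # # Deafault: 'uid'`, which operators copy verbatim into their homeserver.yaml; it should read `# # # Default: 'uid'`. The two entries also document their defaults differently (a separate line at L19, inline at L22); pick one form, e.g. `# # # The ID of the attestation that will be used for the localpart of the user's Matrix ID. Default: 'uid'`. Note that this block sits inside a `%`-formatted string (L24), so any future comment containing a literal `%` must be written as `%%`.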
diff --git a/synapse/handlers/saml_handler.py b/synapse/handlers/saml_handler.py
index a1ce6929cf..b81ac75281 100644
--- a/synapse/handlers/saml_handler.py
+++ b/synapse/handlers/saml_handler.py
@@ -35,6 +35,8 @@ class SamlHandler:
self._clock = hs.get_clock()
self._saml2_session_lifetime = hs.config.saml2_session_lifetime
+ self.saml2_username_attestation = hs.config.saml2_username_attestation
+ self.saml2_displayname_attestation = hs.config.saml2_displayname_attestation
def handle_redirect_request(self, client_redirect_url):
"""Handle an incoming request to /login/sso/redirect
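Review bot: The new handler attributes at L34-L35 are public (`self.saml2_username_attestation`) while the neighbouring state this constructor stores is private by convention (`self._clock`, `self._saml2_session_lifetime` at L32-L33). Nothing outside the handler needs them, so `self._saml2_username_attestation = hs.config.saml2_username_attestation` and `self._saml2_displayname_attestation = hs.config.saml2_displayname_attestation` would keep the class consistent; the two uses in the response handler (L44-L45, L50-L51) change accordingly. The constructor continues outside this hunk.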
@@ -91,14 +93,14 @@ class SamlHandler:
logger.warning("SAML2 response was not signed")
raise SynapseError(400, "SAML2 response was not signed")
- if "uid" not in saml2_auth.ava:
- logger.warning("SAML2 response lacks a 'uid' attestation")
- raise SynapseError(400, "uid not in SAML2 response")
+ if self.saml2_username_attestation not in saml2_auth.ava:
+ logger.warning("SAML2 response lacks a '%s' attestation", self.saml2_username_attestation)
+ raise SynapseError(400, "username attestation not in SAML2 response")
self._outstanding_requests_dict.pop(saml2_auth.in_response_to, None)
- username = saml2_auth.ava["uid"][0]
- displayName = saml2_auth.ava.get("displayName", [None])[0]
+ username = saml2_auth.ava[self.saml2_username_attestation][0]
+ displayName = saml2_auth.ava.get(self.saml2_displayname_attestation, [None])[0]
return self._sso_auth_handler.on_successful_auth(
username, request, relay_state, user_display_name=displayName
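Review bot: The guard at L44 only tests that the configured attribute key is present in `saml2_auth.ava`; an attribute that is present with an empty value list passes it, and `[0]` at L50 then raises IndexError, turning what should be the 400 at L46 into an unhandled error from the login endpoint. Checking the value rather than the key covers both cases: `if not saml2_auth.ava.get(self.saml2_username_attestation):`. The display-name lookup at L51 has the same shape — `.get(key, [None])[0]` still indexes an empty list — and can be written as `displayName = (saml2_auth.ava.get(self.saml2_displayname_attestation) or [None])[0]`. The warning at L45 correctly logs only the attribute name and not the assertion contents; keep it that way when revising the message. The enclosing function starts outside this hunk.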