diff options
| author | Ben Banfield-Zanin <benbz@matrix.org> | 2020-11-19 14:57:13 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-11-19 09:57:13 -0500 |
| commit | 53a6f5ddf0c6bf2a8c8c3b757fb54a0c7755daf7 (patch) | |
| tree | 9dc5edaf1408de85cc569a0dd12fbe7643ca31cd /synapse | |
| parent | Consistently use room_id from federation request body (#8776) (diff) | |
| download | synapse-53a6f5ddf0c6bf2a8c8c3b757fb54a0c7755daf7.tar.xz | |
SAML: Allow specifying the IdP entityid to use. (#8630)
If the SAML metadata includes multiple IdPs it is necessary to specify which IdP to redirect users to for authentication.
Diffstat (limited to 'synapse')
| -rw-r--r-- | synapse/config/saml2_config.py | 10 | ||||
| -rw-r--r-- | synapse/handlers/saml_handler.py | 3 |
2 files changed, 12 insertions, 1 deletions
diff --git a/synapse/config/saml2_config.py b/synapse/config/saml2_config.py index f233854941..c1b8e98ae0 100644 --- a/synapse/config/saml2_config.py +++ b/synapse/config/saml2_config.py @@ -90,6 +90,8 @@ class SAML2Config(Config): "grandfathered_mxid_source_attribute", "uid" ) + self.saml2_idp_entityid = saml2_config.get("idp_entityid", None) + # user_mapping_provider may be None if the key is present but has no value ump_dict = saml2_config.get("user_mapping_provider") or {} @@ -383,6 +385,14 @@ class SAML2Config(Config): # value: "staff" # - attribute: department # value: "sales" + + # If the metadata XML contains multiple IdP entities then the `idp_entityid` + # option must be set to the entity to redirect users to. + # + # Most deployments only have a single IdP entity and so should omit this + # option. + # + #idp_entityid: 'https://our_idp/entityid' """ % { "config_dir_path": config_dir_path } diff --git a/synapse/handlers/saml_handler.py b/synapse/handlers/saml_handler.py index aee772239a..9bf430b656 100644 --- a/synapse/handlers/saml_handler.py +++ b/synapse/handlers/saml_handler.py @@ -58,6 +58,7 @@ class SamlHandler(BaseHandler): def __init__(self, hs: "synapse.server.HomeServer"): super().__init__(hs) self._saml_client = Saml2Client(hs.config.saml2_sp_config) + self._saml_idp_entityid = hs.config.saml2_idp_entityid self._auth_handler = hs.get_auth_handler() self._registration_handler = hs.get_registration_handler() @@ -100,7 +101,7 @@ class SamlHandler(BaseHandler): URL to redirect to """ reqid, info = self._saml_client.prepare_for_authenticate( - relay_state=client_redirect_url + entityid=self._saml_idp_entityid, relay_state=client_redirect_url ) # Since SAML sessions timeout it is useful to log when they were created. |