diff --git a/synapse/config/saml2.py b/synapse/config/saml2.py
index d18d076a89..be5176db52 100644
--- a/synapse/config/saml2.py
+++ b/synapse/config/saml2.py
@@ -16,6 +16,19 @@
from ._base import Config
+#
+# SAML2 Configuration
+# Synapse uses pysaml2 libraries for providing SAML2 support
+#
+# config_path: Path to the sp_conf.py configuration file
+# idp_redirect_url: Identity provider URL which will redirect
+# the user back to /login/saml2 with proper info.
+#
+# sp_conf.py file is something like:
+# https://github.com/rohe/pysaml2/blob/master/example/sp-repoze/sp_conf.py.example
+#
+# More information: https://pythonhosted.org/pysaml2/howto/config.html
+#
class SAML2Config(Config):
def read_config(self, config):
self.saml2_config = config["saml2_config"]
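Review bot: The new `enabled` key is never defaulted in read_config, so a deployment whose existing homeserver.yaml predates this change (the `enabled: false` line only lands in newly generated configs via default_config) will hit a KeyError at startup when login.py reads `saml2_config['enabled']` in LoginRestServlet.__init__ and in register_servlets. Add a default after the assignment: `self.saml2_config.setdefault("enabled", False)`, so a missing key is treated as SAML2 off rather than a crash. The new comment block also omits the key it is documenting alongside `config_path` and `idp_redirect_url`; add a line such as `# enabled: Whether SAML2 login is offered at all (defaults to false)`. read_config's body may continue outside the hunk.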
@@ -23,6 +36,7 @@ class SAML2Config(Config):
def default_config(self, config_dir_path, server_name):
return """
saml2_config:
+ enabled: false
config_path: "%s/sp_conf.py"
idp_redirect_url: "http://%s/idp"
""" % (config_dir_path, server_name)
diff --git a/synapse/rest/client/v1/login.py b/synapse/rest/client/v1/login.py
index b4894497be..f64f5e990e 100644
--- a/synapse/rest/client/v1/login.py
+++ b/synapse/rest/client/v1/login.py
@@ -39,10 +39,13 @@ class LoginRestServlet(ClientV1RestServlet):
def __init__(self, hs):
super(LoginRestServlet, self).__init__(hs)
self.idp_redirect_url = hs.config.saml2_config['idp_redirect_url']
+ self.saml2_enabled = hs.config.saml2_config['enabled']
def on_GET(self, request):
- return (200, {"flows": [{"type": LoginRestServlet.PASS_TYPE},
- {"type": LoginRestServlet.SAML2_TYPE}]})
+ flows = [{"type": LoginRestServlet.PASS_TYPE}]
+ if self.saml2_enabled:
+ flows.append({"type": LoginRestServlet.SAML2_TYPE})
+ return (200, {"flows": flows})
def on_OPTIONS(self, request):
return (200, {})
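Review bot: `self.idp_redirect_url` on the line above the new assignment is still read unconditionally, so an operator who sets `enabled: false` must nevertheless supply `idp_redirect_url` or LoginRestServlet fails to construct. Since the flag now exists, read the URL tolerantly when SAML2 is off, e.g. `self.idp_redirect_url = hs.config.saml2_config.get('idp_redirect_url')` with a comment `# only meaningful when saml2_enabled is true`, or fetch it inside the SAML2 branch of on_POST instead.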
@@ -54,7 +57,8 @@ class LoginRestServlet(ClientV1RestServlet):
if login_submission["type"] == LoginRestServlet.PASS_TYPE:
result = yield self.do_password_login(login_submission)
defer.returnValue(result)
- elif login_submission["type"] == LoginRestServlet.SAML2_TYPE:
+ elif self.saml2_enabled and (login_submission["type"] ==
+ LoginRestServlet.SAML2_TYPE):
relay_state = ""
if "relay_state" in login_submission:
relay_state = "&RelayState="+urllib.quote(
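Review bot: With `self.saml2_enabled` folded into the elif condition, a client that submits `"type": "m.login.saml2"` while SAML2 is disabled silently falls through to whatever branch follows this hunk (presumably the generic unknown-login-type error); that is safe, but the operator has no signal that SAML2 was attempted while off. Consider keeping the type comparison as the branch condition and handling the disabled case explicitly inside it, e.g. `elif login_submission["type"] == LoginRestServlet.SAML2_TYPE:` followed by `if not self.saml2_enabled: raise SynapseError(400, "SAML2 login is not enabled")` (assuming SynapseError is already imported in this module, as the rest of the servlet would suggest). The splitting of the `==` comparison across a parenthesised continuation line is also awkward to read; binding `login_type = login_submission["type"]` once before the if/elif chain would let each condition fit on one line. on_POST begins and ends outside this hunk.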
@@ -173,5 +177,6 @@ def _parse_json(request):
def register_servlets(hs, http_server):
LoginRestServlet(hs).register(http_server)
- SAML2RestServlet(hs).register(http_server)
+ if hs.config.saml2_config['enabled']:
+ SAML2RestServlet(hs).register(http_server)
# TODO PasswordResetRestServlet(hs).register(http_server)