summary refs log tree commit diff
diff options
context:
space:
mode:
Diffstat
-rwxr-xr-xsynapse/app/homeserver.py1
-rw-r--r--synapse/rest/client/v1/login.py3
-rw-r--r--synapse/rest/saml2/response_resource.py10
3 files changed, 10 insertions, 4 deletions
diff --git a/synapse/app/homeserver.py b/synapse/app/homeserver.py
index df524a23dd..d6ffe8e9b7 100755
--- a/synapse/app/homeserver.py
+++ b/synapse/app/homeserver.py
@@ -378,6 +378,7 @@ def setup(config_options):
 
     logger.info("Database prepared in %s.", config.database_config['name'])
 
+    hs.samlreqs = {}
     hs.setup()
     hs.setup_master()
 
diff --git a/synapse/rest/client/v1/login.py b/synapse/rest/client/v1/login.py
index 1a886cbbbf..3fab4beaad 100644
--- a/synapse/rest/client/v1/login.py
+++ b/synapse/rest/client/v1/login.py
@@ -504,11 +504,14 @@ class SAMLRedirectServlet(BaseSsoRedirectServlet):
 
     def __init__(self, hs):
         self._saml_client = hs.get_saml_client()
+        self.samlreqs = hs.samlreqs
 
     def get_sso_url(self, client_redirect_url):
         reqid, info = self._saml_client.prepare_for_authenticate(
             relay_state=client_redirect_url,
         )
+        logger.info("prepared to auth - reqid: %r, info: %r, client redirect uri: %r", reqid, info, client_redirect_url)
+        self.samlreqs[reqid] = client_redirect_url
 
         for key, value in info['headers']:
             if key == 'Location':
diff --git a/synapse/rest/saml2/response_resource.py b/synapse/rest/saml2/response_resource.py
index 36ca1333a8..9aa04e6770 100644
--- a/synapse/rest/saml2/response_resource.py
+++ b/synapse/rest/saml2/response_resource.py
@@ -37,6 +37,7 @@ class SAML2ResponseResource(Resource):
         Resource.__init__(self)
         self._saml_client = hs.get_saml_client()
         self._sso_auth_handler = SSOAuthHandler(hs)
+        self.samlreqs = hs.samlreqs
 
     def render_POST(self, request):
         self._async_render_POST(request)
@@ -50,6 +51,7 @@ class SAML2ResponseResource(Resource):
         try:
             saml2_auth = self._saml_client.parse_authn_request_response(
                 resp_bytes, saml2.BINDING_HTTP_POST,
+                outstanding=self.samlreqs,
             )
         except Exception as e:
             logger.warning("Exception parsing SAML2 response", exc_info=1)
@@ -60,12 +62,12 @@ class SAML2ResponseResource(Resource):
         if saml2_auth.not_signed:
             raise CodeMessageException(400, "SAML2 response was not signed")
 
-        if "uid" not in saml2_auth.ava:
-            raise CodeMessageException(400, "uid not in SAML2 response")
+        if "http://schemas.auth0.com/name" not in saml2_auth.ava:
+            raise CodeMessageException(400, "name not in SAML2 response")
 
-        username = saml2_auth.ava["uid"][0]
+        username = saml2_auth.ava["http://schemas.auth0.com/name"][0]
 
-        displayName = saml2_auth.ava.get("displayName", [None])[0]
+        displayName = saml2_auth.ava.get("http://schemas.auth0.com/nickname", [None])[0]
         return self._sso_auth_handler.on_successful_auth(
             username, request, relay_state,
             user_display_name=displayName,
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-11-21 13:38:31 +0000