1 files changed, 16 insertions, 1 deletions

diff --git a/synapse/config/sso.py b/synapse/config/sso.py
index 95762689bc..5ae9db83d0 100644
--- a/synapse/config/sso.py
+++ b/synapse/config/sso.py
@@ -39,6 +39,17 @@ class SSOConfig(Config):
 
         self.sso_client_whitelist = sso_config.get("client_whitelist") or []
 
+        # Attempt to also whitelist the server's login fallback, since that fallback sets
+        # the redirect URL to itself (so it can process the login token then return
+        # gracefully to the client). This would make it pointless to ask the user for
+        # confirmation, since the URL the confirmation page would be showing wouldn't be
+        # the client's.
+        # public_baseurl is an optional setting, so we only add the fallback's URL to the
+        # list if it's provided (because we can't figure out what that URL is otherwise).
+        if self.public_baseurl:
+            login_fallback_url = self.public_baseurl + "_matrix/static/client/login"
+            self.sso_client_whitelist.append(login_fallback_url)
+
     def generate_config_section(self, **kwargs):
         return """\
         # Additional settings to use with single-sign on systems such as SAML2 and CAS.
@@ -54,7 +65,11 @@ class SSOConfig(Config):
             # phishing attacks from evil.site. To avoid this, include a slash after the
             # hostname: "https://my.client/".
             #
-            # By default, this list is empty.
+            # If public_baseurl is set, then the login fallback page (used by clients
+            # that don't have full support for SSO) is always included in this list.
+            #
+            # By default, this list is empty, except if public_baseurl is set (in which
+            # case the login fallback page is the only element in the list).
             #
             #client_whitelist:
             #  - https://riot.im/develop