path: root/synapse/config/saml2_config.py
Commit message | Author | Age | Files | Lines
* Merge tag 'v1.27.0rc2' into develop | Patrick Cloke | 2021-02-11 | 1 | -0/+2
|\
      Synapse 1.27.0rc2 (2021-02-11)
      ==============================

      Features
      --------

      - Further improvements to the user experience of registration via single sign-on. ([\#9297](https://github.com/matrix-org/synapse/issues/9297))

      Bugfixes
      --------

      - Fix ratelimiting introduced in v1.27.0rc1 for invites to respect the `ratelimit` flag on application services. ([\#9302](https://github.com/matrix-org/synapse/issues/9302))
      - Do not automatically calculate `public_baseurl` since it can be wrong in some situations. Reverts behaviour introduced in v1.26.0. ([\#9313](https://github.com/matrix-org/synapse/issues/9313))

      Improved Documentation
      ----------------------

      - Clarify the sample configuration for changes made to the template loading code. ([\#9310](https://github.com/matrix-org/synapse/issues/9310))
| * Backout changes for automatically calculating the public baseurl. (#9313) | Patrick Cloke | 2021-02-11 | 1 | -0/+2
      This breaks some people's configurations (if their Client-Server API is not accessed via port 443).
* | Combine the CAS & SAML implementations for required attributes. (#9326) | Patrick Cloke | 2021-02-11 | 1 | -20/+5
|/
* Put SAML callback URI under /_synapse/client. (#9289) | Richard van der Hoff | 2021-02-02 | 1 | -4/+4
|
* Give `public_baseurl` a default value (#9159) | Richard van der Hoff | 2021-01-20 | 1 | -2/+0
|
* Better formatting for config errors from modules (#8874) | Richard van der Hoff | 2020-12-08 | 1 | -1/+1
      The idea is that the parse_config method of extension modules can raise either a ConfigError or a JsonValidationError, and it will be magically turned into a legible error message. There's a few components to it:

      * Separating the "path" and the "message" parts of a ConfigError, so that we can fiddle with the path bit to turn it into an absolute path.
      * Generally improving the way ConfigErrors get printed.
      * Passing in the config path to load_module so that it can wrap any exceptions that get caught appropriately.
* SAML: Allow specifying the IdP entityid to use. (#8630) | Ben Banfield-Zanin | 2020-11-19 | 1 | -0/+10
      If the SAML metadata includes multiple IdPs it is necessary to specify which IdP to redirect users to for authentication.
* SAML: Document allowing a clock/time difference from IdP (#8731) | Marcus Schopen | 2020-11-18 | 1 | -0/+6
      Updates the sample configuration with the pysaml2 configuration for accepting clock skew/drift between the homeserver and IdP.
* SAML: add <mdui:UIInfo> element examples (#8718) | Marcus Schopen | 2020-11-13 | 1 | -0/+22
      add some mdui:UIInfo element examples for saml2_config in homeserver.yaml
* Improve the sample config for SSO (OIDC, SAML, and CAS). (#8635) | Patrick Cloke | 2020-10-30 | 1 | -38/+43
|
* Improve SAML error messages (#8248) | Patrick Cloke | 2020-09-14 | 1 | -30/+4
|
* Fix a regression from calling read_templates. (#8252) | Patrick Cloke | 2020-09-04 | 1 | -1/+1
      Regressed in #8037.
* Use the default templates when a custom template file cannot be found (#8037) | Andrew Morgan | 2020-08-17 | 1 | -11/+3
      Fixes https://github.com/matrix-org/synapse/issues/6583
* Implement login blocking based on SAML attributes (#8052) | Richard van der Hoff | 2020-08-11 | 1 | -0/+50
      Hopefully this mostly speaks for itself. I also did a bit of cleaning up of the error handling.

      Fixes #8047
* Increase the default SAML session expiry time to 15 minutes. (#7664) | Patrick Cloke | 2020-06-11 | 1 | -2/+2
|
* Cleanups to the OpenID Connect integration (#7628) | Richard van der Hoff | 2020-06-03 | 1 | -0/+2
      docs, default configs, comments. Nothing very significant.
* Clean up exception handling in SAML2ResponseResource (#7614) | Richard van der Hoff | 2020-06-03 | 1 | -5/+13
      * Expose `return_html_error`, and allow it to take a Jinja2 template instead of a raw string
      * Clean up exception handling in SAML2ResponseResource
      * use the existing code in `return_html_error` instead of re-implementing it (giving it a jinja2 template rather than inventing a new form of template)
      * do the exception-catching in the REST layer rather than in the handler layer, to make sure we catch all exceptions.
* Fix indention in generated config file (#7300) | Lars Franke | 2020-04-20 | 1 | -22/+22
      Also adjust sample_config.yaml

      Signed-off-by: Lars Franke <frcl@mailbox.org>
* Lint | Brendan Abolivier | 2020-03-11 | 1 | -2/+1
|
* Put the file in the templates directory | Brendan Abolivier | 2020-03-11 | 1 | -12/+21
|
* Update wording and config | Brendan Abolivier | 2020-03-11 | 1 | -0/+3
|
* Move the default SAML2 error HTML to a dedicated file | Brendan Abolivier | 2020-03-11 | 1 | -18/+11
      Also add some JS to it to process any error we might have in the URI (see #6893).
* Rephrase default message | Brendan Abolivier | 2020-03-10 | 1 | -2/+2
|
* Lint | Brendan Abolivier | 2020-03-10 | 1 | -1/+1
|
* SAML2: render a comprehensible error page if something goes wrong | Brendan Abolivier | 2020-03-10 | 1 | -0/+26
      If an error happened while processing a SAML AuthN response, or a client ends up doing a `GET` request to `/authn_response`, then render a customisable error page rather than a confusing error.
* Delegate remote_user_id mapping to the saml mapping provider (#6723) | Richard van der Hoff | 2020-01-17 | 1 | -0/+1
      Turns out that figuring out a remote user id for the SAML user isn't quite as obvious as it seems. Factor it out to the SamlMappingProvider so that it's easy to control.
* Allow SAML username provider plugins (#6411) | Andrew Morgan | 2019-12-10 | 1 | -60/+126
|
* Add config linting script that checks for bool casing (#6203) | Andrew Morgan | 2019-10-23 | 1 | -1/+1
      Add a linting script that enforces all boolean values in the default config be lowercase. This has annoyed me for a while so I decided to fix it.
* Refactor HomeserverConfig so it can be typechecked (#6137) | Amber Brown | 2019-10-10 | 1 | -0/+2
|
* Merge remote-tracking branch 'origin/develop' into rav/saml_mapping_work | Richard van der Hoff | 2019-09-24 | 1 | -6/+42
|\
| * Merge pull request #6069 from matrix-org/rav/fix_attribute_mapping | Richard van der Hoff | 2019-09-24 | 1 | -6/+42
| |\
      Fix a bug with saml attribute maps.
| | * docstrings and comments | Richard van der Hoff | 2019-09-24 | 1 | -7/+21
| | |
| | * Fix a bug with saml attribute maps. | Richard van der Hoff | 2019-09-19 | 1 | -6/+28
      Fixes a bug where the default attribute maps were prioritised over user-specified ones, resulting in incorrect mappings.

      The problem is that if you call SPConfig.load() multiple times, it adds new attribute mappers to a list. So by calling it with the default config first, and then the user-specified config, we would always get the default mappers before the user-specified mappers.

      To solve this, let's merge the config dicts first, and then pass them to SPConfig.
* | | Record mappings from saml users in an external table | Richard van der Hoff | 2019-09-13 | 1 | -2/+76
|/ /
      We want to assign unique mxids to saml users based on an incrementing suffix. For that to work, we need to record the allocated mxid in a separate table.
* / Make the sample saml config closer to our standards | Richard van der Hoff | 2019-09-13 | 1 | -51/+62
|/
      It's still not great, thanks to the nested dictionaries, but it's better.
* cleanups | Richard van der Hoff | 2019-06-27 | 1 | -6/+13
|
* Add support for tracking SAML2 sessions. | Richard van der Hoff | 2019-06-26 | 1 | -1/+19
      This allows us to correctly handle `allow_unsolicited: False`.
* Merge branch 'develop' into rav/saml2_client | Richard van der Hoff | 2019-06-26 | 1 | -11/+11
|\
| * Don't load the generated config as the default. | Richard van der Hoff | 2019-06-24 | 1 | -1/+1
      It's too confusing.
| * Pass config_dir_path and data_dir_path into Config.read_config. (#5522) | Richard van der Hoff | 2019-06-24 | 1 | -1/+1
      * Pull config_dir_path and data_dir_path calculation out of read_config_files
      * Pass config_dir_path and data_dir_path into read_config
| * Run Black. (#5482) | Amber Brown | 2019-06-20 | 1 | -9/+9
| |
* | Code cleanups and simplifications. | Richard van der Hoff | 2019-06-11 | 1 | -1/+6
      Also: share the saml client between redirect and response handlers.
* | SAML2 Improvements and redirect stuff | Alexander Trost | 2019-06-02 | 1 | -0/+1
|/
      Signed-off-by: Alexander Trost <galexrt@googlemail.com>
* Remove periods from copyright headers (#5046) | Andrew Morgan | 2019-04-11 | 1 | -1/+1
|
* Comment out most options in the generated config. (#4863) | Richard van der Hoff | 2019-03-19 | 1 | -1/+1
      Make it so that most options in the config are optional, and commented out in the generated config.

      The reasons this is a good thing are as follows:

      * If we decide that we should change the default for an option, we can do so, and only those admins that have deliberately chosen to override that option will be stuck on the old setting.
      * It moves us towards a point where we can get rid of the super-surprising feature of synapse where the default settings for the config come from the generated yaml.
      * It makes setting up a test config for unit testing an order of magnitude easier (see forthcoming PR).
      * It makes the generated config more consistent, and hopefully easier for users to understand.
* Attempt to make default config more consistent | Richard van der Hoff | 2019-02-19 | 1 | -33/+32
      The general idea here is that config examples should just have a hash and no extraneous whitespace, both to make it easier for people who don't understand yaml, and to make the examples stand out from the comments.
* Implement SAML2 authentication (#4267) | Richard van der Hoff | 2018-12-07 | 1 | -0/+110
      This implements both a SAML2 metadata endpoint (at `/_matrix/saml2/metadata.xml`), and a SAML2 response receiver (at `/_matrix/saml2/authn_response`). If the SAML2 response matches what's been configured, we complete the SSO login flow by redirecting to the client url (aka `RelayState` in SAML2 jargon) with a login token.

      What we don't yet have is anything to build a SAML2 request and redirect the user to the identity provider. That is left as an exercise for the reader.