summary refs log tree commit diff
path: root/synapse/handlers/saml_handler.py (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Add initial support for a "pick your IdP" page (#9017)Richard van der Hoff2021-01-051-0/+3
| | | | | During login, if there are multiple IdPs enabled, offer the user a choice of IdPs.
* Combine the SSO Redirect Servlets (#9015)Richard van der Hoff2021-01-041-7/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | | * Implement CasHandler.handle_redirect_request ... to make it match OidcHandler and SamlHandler * Clean up interface for OidcHandler.handle_redirect_request Make it accept `client_redirect_url=None`. * Clean up interface for `SamlHandler.handle_redirect_request` ... bring it into line with CAS and OIDC by making it take a Request parameter, move the magic for `client_redirect_url` for UIA into the handler, and fix the return type to be a `str` rather than a `bytes`. * Define a common protocol for SSO auth provider impls * Give SsoIdentityProvider an ID and register them * Combine the SSO Redirect servlets Now that the SsoHandler knows about the identity providers, we can combine the various *RedirectServlets into a single implementation which delegates to the right IdP. * changelog
* Push login completion down into SsoHandler (#8941)Richard van der Hoff2020-12-161-25/+12
| | | This is another part of my work towards fixing #8876. It moves some of the logic currently in the SAML and OIDC handlers - in particular the call to `AuthHandler.complete_sso_login` down into the `SsoHandler`.
* Preparatory refactoring of the SamlHandlerTestCase (#8938)Richard van der Hoff2020-12-151-0/+23
| | | | | | | | | | | | | * move simple_async_mock to test_utils ... so that it can be re-used * Remove references to `SamlHandler._map_saml_response_to_user` from tests This method is going away, so we can no longer use it as a test point. Instead, factor out a higher-level method which takes a SAML object, and verify correct behaviour by mocking out `AuthHandler.complete_sso_login`. * changelog
* Refactor `SsoHandler.get_mxid_from_sso` (#8900)Richard van der Hoff2020-12-101-13/+8
| | | | | | | * Factor out _call_attribute_mapper and _register_mapped_user This is mostly an attempt to simplify `get_mxid_from_sso`. * Move mapping_lock down into SsoHandler.
* Simplify the flow for SSO UIA (#8881)Richard van der Hoff2020-12-081-15/+49
| | | | | | | | | * SsoHandler: remove inheritance from BaseHandler * Simplify the flow for SSO UIA We don't need to do all the magic for mapping users when we are doing UIA, so let's factor that out.
* Fix a regression when grandfathering SAML users. (#8855)Patrick Cloke2020-12-021-4/+5
| | | | | | This was broken in #8801 when abstracting code shared with OIDC. After this change both SAML and OIDC have a concept of grandfathering users, but with different implementations.
* Add basic SAML tests for mapping users. (#8800)Patrick Cloke2020-12-021-1/+1
|
* Support trying multiple localparts for OpenID Connect. (#8801)Patrick Cloke2020-11-251-63/+28
| | | | Abstracts the SAML and OpenID Connect code which attempts to regenerate the localpart of a matrix ID if it is already in use.
* Properly report user-agent/IP during registration of SSO users. (#8784)Patrick Cloke2020-11-231-3/+3
| | | | | This also expands type-hints to the SSO and registration code. Refactors the CAS code to more closely match OIDC/SAML.
* Improve logging of the mapping from SSO IDs to Matrix IDs. (#8773)Andrew Morgan2020-11-231-2/+3
|
* Improve error checking for OIDC/SAML mapping providers (#8774)Patrick Cloke2020-11-191-0/+6
| | | | | | Checks that the localpart returned by mapping providers for SAML and OIDC are valid before registering new users. Extends the OIDC tests for existing users and invalid data.
* SAML: Allow specifying the IdP entityid to use. (#8630)Ben Banfield-Zanin2020-11-191-1/+2
| | | | If the SAML metadata includes multiple IdPs it is necessary to specify which IdP to redirect users to for authentication.
* Abstract shared SSO code. (#8765)Patrick Cloke2020-11-171-54/+23
| | | De-duplicates code between the SAML and OIDC implementations.
* Fix handling of User-Agent headers with bad utf-8. (#8632)Erik Johnston2020-10-231-3/+1
|
* Use slots in attrs classes where possible (#8296)Patrick Cloke2020-09-141-1/+1
| | | | | slots use less memory (and attribute access is faster) while slightly limiting the flexibility of the class attributes. This focuses on objects which are instantiated "often" and for short periods of time.
* Improve SAML error messages (#8248)Patrick Cloke2020-09-141-59/+110
|
* Stop sub-classing object (#8249)Patrick Cloke2020-09-041-2/+2
|
* Allow denying or shadow banning registrations via the spam checker (#8034)Patrick Cloke2020-08-201-2/+16
|
* Implement login blocking based on SAML attributes (#8052)Richard van der Hoff2020-08-111-6/+36
| | | | | | | Hopefully this mostly speaks for itself. I also did a bit of cleaning up of the error handling. Fixes #8047
* Add additional logging for SAML sessions. (#7971)Patrick Cloke2020-07-291-0/+3
|
* Clean up exception handling in SAML2ResponseResource (#7614)Richard van der Hoff2020-06-031-30/+11
| | | | | | | | | | | | | * Expose `return_html_error`, and allow it to take a Jinja2 template instead of a raw string * Clean up exception handling in SAML2ResponseResource * use the existing code in `return_html_error` instead of re-implementing it (giving it a jinja2 template rather than inventing a new form of template) * do the exception-catching in the REST layer rather than in the handler layer, to make sure we catch all exceptions.
* allow emails to be passed through SAML (#7385)Christopher Cooper2020-05-271-2/+10
| | | Signed-off-by: Christopher Cooper <cooperc@ocf.berkeley.edu>
* Add more type hints to SAML handler. (#7445)Patrick Cloke2020-05-071-12/+16
|
* Persist user interactive authentication sessions (#7302)Patrick Cloke2020-04-301-1/+1
| | | | | By persisting the user interactive authentication sessions to the database, this fixes situations where a user hits different works throughout their auth session and also allows sessions to persist through restarts of Synapse.
* Do not allow a deactivated user to login via SSO. (#7240)Patrick Cloke2020-04-091-1/+1
|
* Support SAML in the user interactive authentication workflow. (#7102)Patrick Cloke2020-04-011-10/+41
|
* Allow RedirectResponse in SAML response handlerJason Robinson2020-03-261-0/+4
| | | | | | | | Allow custom SAML handlers to redirect after processing an auth response. Fixes #7149 Signed-off-by: Jason Robinson <jasonr@matrix.org>
* SAML2: render a comprehensible error page if something goes wrongBrendan Abolivier2020-03-101-1/+19
| | | | | | If an error happened while processing a SAML AuthN response, or a client ends up doing a `GET` request to `/authn_response`, then render a customisable error page rather than a confusing error.
* Fix wrong handler being used in SAML handlerBrendan Abolivier2020-03-031-3/+2
|
* Merge pull request #6724 from matrix-org/rav/log_saml_attributesRichard van der Hoff2020-01-171-1/+12
|\ | | | | Log saml assertions rather than the whole response
| * Log saml assertions rather than the whole responseRichard van der Hoff2020-01-161-1/+12
| | | | | | | | | | | | ... since the whole response is huge. We even need to break up the assertions, since kibana otherwise truncates them.
* | Delegate remote_user_id mapping to the saml mapping provider (#6723)Richard van der Hoff2020-01-171-6/+21
|/ | | Turns out that figuring out a remote user id for the SAML user isn't quite as obvious as it seems. Factor it out to the SamlMappingProvider so that it's easy to control.
* Pass client redirect URL into SAML mapping providersRichard van der Hoff2020-01-121-4/+11
|
* Pass the module_api into the SamlMappingProviderRichard van der Hoff2020-01-121-2/+5
| | | | | ... for consistency with other modules, and because we'll need it sooner or later and it will be a pain to introduce later.
* Allow SAML username provider plugins (#6411)Andrew Morgan2019-12-101-28/+170
|
* More better loggingRichard van der Hoff2019-09-201-1/+2
|
* better loggingRichard van der Hoff2019-09-191-0/+2
|
* Record mappings from saml users in an external tableRichard van der Hoff2019-09-131-8/+95
| | | | | | We want to assign unique mxids to saml users based on an incrementing suffix. For that to work, we need to record the allocated mxid in a separate table.
* Address review commentsRichard van der Hoff2019-07-011-5/+7
|
* cleanupsRichard van der Hoff2019-06-271-0/+121