| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
During login, if there are multiple IdPs enabled, offer the user a choice of
IdPs.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Implement CasHandler.handle_redirect_request
... to make it match OidcHandler and SamlHandler
* Clean up interface for OidcHandler.handle_redirect_request
Make it accept `client_redirect_url=None`.
* Clean up interface for `SamlHandler.handle_redirect_request`
... bring it into line with CAS and OIDC by making it take a Request parameter,
move the magic for `client_redirect_url` for UIA into the handler, and fix the
return type to be a `str` rather than a `bytes`.
* Define a common protocol for SSO auth provider impls
* Give SsoIdentityProvider an ID and register them
* Combine the SSO Redirect servlets
Now that the SsoHandler knows about the identity providers, we can combine the
various *RedirectServlets into a single implementation which delegates to the
right IdP.
* changelog
|
|
|
| |
This is another part of my work towards fixing #8876. It moves some of the logic currently in the SAML and OIDC handlers - in particular the call to `AuthHandler.complete_sso_login` down into the `SsoHandler`.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* move simple_async_mock to test_utils
... so that it can be re-used
* Remove references to `SamlHandler._map_saml_response_to_user` from tests
This method is going away, so we can no longer use it as a test point. Instead,
factor out a higher-level method which takes a SAML object, and verify correct
behaviour by mocking out `AuthHandler.complete_sso_login`.
* changelog
|
|
|
|
|
|
|
| |
* Factor out _call_attribute_mapper and _register_mapped_user
This is mostly an attempt to simplify `get_mxid_from_sso`.
* Move mapping_lock down into SsoHandler.
|
|
|
|
|
|
|
|
|
| |
* SsoHandler: remove inheritance from BaseHandler
* Simplify the flow for SSO UIA
We don't need to do all the magic for mapping users when we are doing UIA, so
let's factor that out.
|
|
|
|
|
|
| |
This was broken in #8801 when abstracting code shared with OIDC.
After this change both SAML and OIDC have a concept of
grandfathering users, but with different implementations.
|
| |
|
|
|
|
| |
Abstracts the SAML and OpenID Connect code which attempts to regenerate
the localpart of a matrix ID if it is already in use.
|
|
|
|
|
| |
This also expands type-hints to the SSO and registration code.
Refactors the CAS code to more closely match OIDC/SAML.
|
| |
|
|
|
|
|
|
| |
Checks that the localpart returned by mapping providers for SAML and
OIDC are valid before registering new users.
Extends the OIDC tests for existing users and invalid data.
|
|
|
|
| |
If the SAML metadata includes multiple IdPs it is necessary to
specify which IdP to redirect users to for authentication.
|
|
|
| |
De-duplicates code between the SAML and OIDC implementations.
|
| |
|
|
|
|
|
| |
slots use less memory (and attribute access is faster) while slightly
limiting the flexibility of the class attributes. This focuses on objects
which are instantiated "often" and for short periods of time.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
Hopefully this mostly speaks for itself. I also did a bit of cleaning up of the
error handling.
Fixes #8047
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Expose `return_html_error`, and allow it to take a Jinja2 template instead of a raw string
* Clean up exception handling in SAML2ResponseResource
* use the existing code in `return_html_error` instead of re-implementing it
(giving it a jinja2 template rather than inventing a new form of template)
* do the exception-catching in the REST layer rather than in the handler
layer, to make sure we catch all exceptions.
|
|
|
| |
Signed-off-by: Christopher Cooper <cooperc@ocf.berkeley.edu>
|
| |
|
|
|
|
|
| |
By persisting the user interactive authentication sessions to the database, this fixes
situations where a user hits different works throughout their auth session and also
allows sessions to persist through restarts of Synapse.
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
Allow custom SAML handlers to redirect after processing an auth response.
Fixes #7149
Signed-off-by: Jason Robinson <jasonr@matrix.org>
|
|
|
|
|
|
| |
If an error happened while processing a SAML AuthN response, or a client
ends up doing a `GET` request to `/authn_response`, then render a
customisable error page rather than a confusing error.
|
| |
|
|\
| |
| | |
Log saml assertions rather than the whole response
|
| |
| |
| |
| |
| |
| | |
... since the whole response is huge.
We even need to break up the assertions, since kibana otherwise truncates them.
|
|/
|
| |
Turns out that figuring out a remote user id for the SAML user isn't quite as obvious as it seems. Factor it out to the SamlMappingProvider so that it's easy to control.
|
| |
|
|
|
|
|
| |
... for consistency with other modules, and because we'll need it sooner or
later and it will be a pain to introduce later.
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
We want to assign unique mxids to saml users based on an incrementing
suffix. For that to work, we need to record the allocated mxid in a separate
table.
|
| |
|
|
|