SAML: Allow specifying the IdP entityid to use. (#8630)
If the SAML metadata includes multiple IdPs it is necessary to specify which IdP to redirect users to for authentication.
This commit is contained in:
parent
950bb0305f
commit
53a6f5ddf0
|
@ -0,0 +1 @@
|
||||||
|
Allow specification of the SAML IdP if the metadata returns multiple IdPs.
|
|
@ -1674,6 +1674,14 @@ saml2_config:
|
||||||
# - attribute: department
|
# - attribute: department
|
||||||
# value: "sales"
|
# value: "sales"
|
||||||
|
|
||||||
|
# If the metadata XML contains multiple IdP entities then the `idp_entityid`
|
||||||
|
# option must be set to the entity to redirect users to.
|
||||||
|
#
|
||||||
|
# Most deployments only have a single IdP entity and so should omit this
|
||||||
|
# option.
|
||||||
|
#
|
||||||
|
#idp_entityid: 'https://our_idp/entityid'
|
||||||
|
|
||||||
|
|
||||||
# Enable OpenID Connect (OIDC) / OAuth 2.0 for registration and login.
|
# Enable OpenID Connect (OIDC) / OAuth 2.0 for registration and login.
|
||||||
#
|
#
|
||||||
|
|
|
@ -90,6 +90,8 @@ class SAML2Config(Config):
|
||||||
"grandfathered_mxid_source_attribute", "uid"
|
"grandfathered_mxid_source_attribute", "uid"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
self.saml2_idp_entityid = saml2_config.get("idp_entityid", None)
|
||||||
|
|
||||||
# user_mapping_provider may be None if the key is present but has no value
|
# user_mapping_provider may be None if the key is present but has no value
|
||||||
ump_dict = saml2_config.get("user_mapping_provider") or {}
|
ump_dict = saml2_config.get("user_mapping_provider") or {}
|
||||||
|
|
||||||
|
@ -383,6 +385,14 @@ class SAML2Config(Config):
|
||||||
# value: "staff"
|
# value: "staff"
|
||||||
# - attribute: department
|
# - attribute: department
|
||||||
# value: "sales"
|
# value: "sales"
|
||||||
|
|
||||||
|
# If the metadata XML contains multiple IdP entities then the `idp_entityid`
|
||||||
|
# option must be set to the entity to redirect users to.
|
||||||
|
#
|
||||||
|
# Most deployments only have a single IdP entity and so should omit this
|
||||||
|
# option.
|
||||||
|
#
|
||||||
|
#idp_entityid: 'https://our_idp/entityid'
|
||||||
""" % {
|
""" % {
|
||||||
"config_dir_path": config_dir_path
|
"config_dir_path": config_dir_path
|
||||||
}
|
}
|
||||||
|
|
|
@ -58,6 +58,7 @@ class SamlHandler(BaseHandler):
|
||||||
def __init__(self, hs: "synapse.server.HomeServer"):
|
def __init__(self, hs: "synapse.server.HomeServer"):
|
||||||
super().__init__(hs)
|
super().__init__(hs)
|
||||||
self._saml_client = Saml2Client(hs.config.saml2_sp_config)
|
self._saml_client = Saml2Client(hs.config.saml2_sp_config)
|
||||||
|
self._saml_idp_entityid = hs.config.saml2_idp_entityid
|
||||||
self._auth_handler = hs.get_auth_handler()
|
self._auth_handler = hs.get_auth_handler()
|
||||||
self._registration_handler = hs.get_registration_handler()
|
self._registration_handler = hs.get_registration_handler()
|
||||||
|
|
||||||
|
@ -100,7 +101,7 @@ class SamlHandler(BaseHandler):
|
||||||
URL to redirect to
|
URL to redirect to
|
||||||
"""
|
"""
|
||||||
reqid, info = self._saml_client.prepare_for_authenticate(
|
reqid, info = self._saml_client.prepare_for_authenticate(
|
||||||
relay_state=client_redirect_url
|
entityid=self._saml_idp_entityid, relay_state=client_redirect_url
|
||||||
)
|
)
|
||||||
|
|
||||||
# Since SAML sessions timeout it is useful to log when they were created.
|
# Since SAML sessions timeout it is useful to log when they were created.
|
||||||
|
|
Loading…
Reference in New Issue