From d8042851397e829c29ba193adc4090cf62f7ee59 Mon Sep 17 00:00:00 2001 From: Patrick Cloke Date: Thu, 18 Feb 2021 11:25:27 -0500 Subject: [PATCH] Clarify the release notes around SAML2 for v1.27.0. --- CHANGES.md | 2 +- UPGRADE.rst | 23 ++++++++++++----------- 2 files changed, 13 insertions(+), 12 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index d9afcaa52b..265555bfc6 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -3,7 +3,7 @@ Synapse 1.27.0 (2021-02-16) Note that this release includes a change in Synapse to use Redis as a cache ─ as well as a pub/sub mechanism ─ if Redis support is enabled for workers. No action is needed by server administrators, and we do not expect resource usage of the Redis instance to change dramatically. -This release also changes the callback URI for OpenID Connect (OIDC) identity providers. If your server is configured to use single sign-on via an OIDC/OAuth2 IdP, you may need to make configuration changes. Please review [UPGRADE.rst](UPGRADE.rst) for more details on these changes. +This release also changes the callback URI for OpenID Connect (OIDC) and SAML2 identity providers. If your server is configured to use single sign-on via an OIDC/OAuth2 or SAML2 IdP, you may need to make configuration changes. Please review [UPGRADE.rst](UPGRADE.rst) for more details on these changes. This release also changes escaping of variables in the HTML templates for SSO or email notifications. If you have customised these templates, please review [UPGRADE.rst](UPGRADE.rst) for more details on these changes. diff --git a/UPGRADE.rst b/UPGRADE.rst index 22edfe0d60..6f628a6947 100644 --- a/UPGRADE.rst +++ b/UPGRADE.rst @@ -88,20 +88,21 @@ for example: Upgrading to v1.27.0 ==================== -Changes to callback URI for OAuth2 / OpenID Connect ---------------------------------------------------- +Changes to callback URI for OAuth2 / OpenID Connect and SAML2 +------------------------------------------------------------- -This version changes the URI used for callbacks from OAuth2 identity providers. If -your server is configured for single sign-on via an OpenID Connect or OAuth2 identity -provider, you will need to add ``[synapse public baseurl]/_synapse/client/oidc/callback`` -to the list of permitted "redirect URIs" at the identity provider. +This version changes the URI used for callbacks from OAuth2 and SAML2 identity providers: -See `docs/openid.md `_ for more information on setting up OpenID -Connect. +* If your server is configured for single sign-on via an OpenID Connect or OAuth2 identity + provider, you will need to add ``[synapse public baseurl]/_synapse/client/oidc/callback`` + to the list of permitted "redirect URIs" at the identity provider. -(Note: a similar change is being made for SAML2; in this case the old URI -``[synapse public baseurl]/_matrix/saml2`` is being deprecated, but will continue to -work, so no immediate changes are required for existing installations.) + See `docs/openid.md `_ for more information on setting up OpenID + Connect. + +* If your server is configured for single sign-on via a SAML2 identity provider, you will + need to add ``[synapse public baseurl]/_synapse/client/saml2/authn_response`` as a permitted + "ACS location" (also known as "allowed callback URLs") at the identity provider. Changes to HTML templates -------------------------