Add initial support for a "pick your IdP" page (#9017)

During login, if there are multiple IdPs enabled, offer the user a choice of IdPs.
2025-10-21 23:26:05 -04:00 · 2021-01-05 11:25:28 +00:00 · 2021-01-05 11:25:28 +00:00 · 111b673fc1
commit 111b673fc1
parent d2c616a413
11 changed files with 194 additions and 3 deletions
--- a/synapse/handlers/cas_handler.py
+++ b/synapse/handlers/cas_handler.py
@ -77,6 +77,9 @@ class CasHandler:
        # identifier for the external_ids table
        self.idp_id = "cas"

+        # user-facing name of this auth provider
+        self.idp_name = "CAS"
+
        self._sso_handler = hs.get_sso_handler()

        self._sso_handler.register_identity_provider(self)
--- a/synapse/handlers/oidc_handler.py
+++ b/synapse/handlers/oidc_handler.py
@ -121,6 +121,9 @@ class OidcHandler(BaseHandler):
        # identifier for the external_ids table
        self.idp_id = "oidc"

+        # user-facing name of this auth provider
+        self.idp_name = "OIDC"
+
        self._sso_handler = hs.get_sso_handler()

        self._sso_handler.register_identity_provider(self)
--- a/synapse/handlers/saml_handler.py
+++ b/synapse/handlers/saml_handler.py
@ -75,6 +75,9 @@ class SamlHandler(BaseHandler):
        # identifier for the external_ids table
        self.idp_id = "saml"

+        # user-facing name of this auth provider
+        self.idp_name = "SAML"
+
        # a map from saml session id to Saml2SessionData object
        self._outstanding_requests_dict = {}  # type: Dict[str, Saml2SessionData]

--- a/synapse/handlers/sso.py
+++ b/synapse/handlers/sso.py
@ -14,7 +14,8 @@
 # limitations under the License.
 import abc
 import logging
-from typing import TYPE_CHECKING, Awaitable, Callable, Dict, List, Optional
+from typing import TYPE_CHECKING, Awaitable, Callable, Dict, List, Mapping, Optional
+from urllib.parse import urlencode

 import attr
 from typing_extensions import NoReturn, Protocol
@ -66,6 +67,11 @@ class SsoIdentityProvider(Protocol):
        Eg, "saml", "cas", "github"
        """

+    @property
+    @abc.abstractmethod
+    def idp_name(self) -> str:
+        """User-facing name for this provider"""
+
    @abc.abstractmethod
    async def handle_redirect_request(
        self,
@ -156,6 +162,10 @@ class SsoHandler:
        assert p_id not in self._identity_providers
        self._identity_providers[p_id] = p

+    def get_identity_providers(self) -> Mapping[str, SsoIdentityProvider]:
+        """Get the configured identity providers"""
+        return self._identity_providers
+
    def render_error(
        self,
        request: Request,
@ -203,8 +213,10 @@ class SsoHandler:
            ap = next(iter(self._identity_providers.values()))
            return await ap.handle_redirect_request(request, client_redirect_url)

-        # otherwise, we have a configuration error
-        raise Exception("Multiple SSO identity providers have been configured!")
+        # otherwise, redirect to the IDP picker
+        return "/_synapse/client/pick_idp?" + urlencode(
+            (("redirectUrl", client_redirect_url),)
+        )

    async def get_sso_user_by_remote_user_id(
        self, auth_provider_id: str, remote_user_id: str