Merge pull request #6064 from matrix-org/rav/saml_config_cleanup

Make the sample saml config closer to our standards
This commit is contained in:
Richard van der Hoff 2019-09-23 20:36:51 +01:00 committed by GitHub
commit 78e8ec368e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 122 additions and 102 deletions

1
changelog.d/6064.misc Normal file
View File

@ -0,0 +1 @@
Clean up the sample config for SAML authentication.

View File

@ -1104,12 +1104,13 @@ signing_key_path: "CONFDIR/SERVERNAME.signing.key"
# Enable SAML2 for registration and login. Uses pysaml2. # Enable SAML2 for registration and login. Uses pysaml2.
# #
# `sp_config` is the configuration for the pysaml2 Service Provider. # At least one of `sp_config` or `config_path` must be set in this section to
# See pysaml2 docs for format of config. # enable SAML login.
# #
# Default values will be used for the 'entityid' and 'service' settings, # (You will probably also want to set the following options to `false` to
# so it is not normally necessary to specify them unless you need to # disable the regular login/registration flows:
# override them. # * enable_registration
# * password_config.enabled
# #
# Once SAML support is enabled, a metadata file will be exposed at # Once SAML support is enabled, a metadata file will be exposed at
# https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to # https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to
@ -1117,52 +1118,59 @@ signing_key_path: "CONFDIR/SERVERNAME.signing.key"
# the IdP to use an ACS location of # the IdP to use an ACS location of
# https://<server>:<port>/_matrix/saml2/authn_response. # https://<server>:<port>/_matrix/saml2/authn_response.
# #
#saml2_config: saml2_config:
# sp_config: # `sp_config` is the configuration for the pysaml2 Service Provider.
# # point this to the IdP's metadata. You can use either a local file or # See pysaml2 docs for format of config.
# # (preferably) a URL. #
# metadata: # Default values will be used for the 'entityid' and 'service' settings,
# #local: ["saml2/idp.xml"] # so it is not normally necessary to specify them unless you need to
# remote: # override them.
# - url: https://our_idp/metadata.xml #
# #sp_config:
# # By default, the user has to go to our login page first. If you'd like to # # point this to the IdP's metadata. You can use either a local file or
# # allow IdP-initiated login, set 'allow_unsolicited: True' in a # # (preferably) a URL.
# # 'service.sp' section: # metadata:
# # # #local: ["saml2/idp.xml"]
# #service: # remote:
# # sp: # - url: https://our_idp/metadata.xml
# # allow_unsolicited: True #
# # # By default, the user has to go to our login page first. If you'd like
# # The examples below are just used to generate our metadata xml, and you # # to allow IdP-initiated login, set 'allow_unsolicited: True' in a
# # may well not need it, depending on your setup. Alternatively you # # 'service.sp' section:
# # may need a whole lot more detail - see the pysaml2 docs! # #
# # #service:
# description: ["My awesome SP", "en"] # # sp:
# name: ["Test SP", "en"] # # allow_unsolicited: true
# #
# organization: # # The examples below are just used to generate our metadata xml, and you
# name: Example com # # may well not need them, depending on your setup. Alternatively you
# display_name: # # may need a whole lot more detail - see the pysaml2 docs!
# - ["Example co", "en"] #
# url: "http://example.com" # description: ["My awesome SP", "en"]
# # name: ["Test SP", "en"]
# contact_person: #
# - given_name: Bob # organization:
# sur_name: "the Sysadmin" # name: Example com
# email_address": ["admin@example.com"] # display_name:
# contact_type": technical # - ["Example co", "en"]
# # url: "http://example.com"
# # Instead of putting the config inline as above, you can specify a #
# # separate pysaml2 configuration file: # contact_person:
# # # - given_name: Bob
# config_path: "CONFDIR/sp_conf.py" # sur_name: "the Sysadmin"
# # email_address": ["admin@example.com"]
# # the lifetime of a SAML session. This defines how long a user has to # contact_type": technical
# # complete the authentication process, if allow_unsolicited is unset.
# # The default is 5 minutes. # Instead of putting the config inline as above, you can specify a
# # # separate pysaml2 configuration file:
# # saml_session_lifetime: 5m #
#config_path: "CONFDIR/sp_conf.py"
# the lifetime of a SAML session. This defines how long a user has to
# complete the authentication process, if allow_unsolicited is unset.
# The default is 5 minutes.
#
#saml_session_lifetime: 5m

View File

@ -26,6 +26,9 @@ class SAML2Config(Config):
if not saml2_config or not saml2_config.get("enabled", True): if not saml2_config or not saml2_config.get("enabled", True):
return return
if not saml2_config.get("sp_config") and not saml2_config.get("config_path"):
return
try: try:
check_requirements("saml2") check_requirements("saml2")
except DependencyException as e: except DependencyException as e:
@ -76,12 +79,13 @@ class SAML2Config(Config):
return """\ return """\
# Enable SAML2 for registration and login. Uses pysaml2. # Enable SAML2 for registration and login. Uses pysaml2.
# #
# `sp_config` is the configuration for the pysaml2 Service Provider. # At least one of `sp_config` or `config_path` must be set in this section to
# See pysaml2 docs for format of config. # enable SAML login.
# #
# Default values will be used for the 'entityid' and 'service' settings, # (You will probably also want to set the following options to `false` to
# so it is not normally necessary to specify them unless you need to # disable the regular login/registration flows:
# override them. # * enable_registration
# * password_config.enabled
# #
# Once SAML support is enabled, a metadata file will be exposed at # Once SAML support is enabled, a metadata file will be exposed at
# https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to # https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to
@ -89,52 +93,59 @@ class SAML2Config(Config):
# the IdP to use an ACS location of # the IdP to use an ACS location of
# https://<server>:<port>/_matrix/saml2/authn_response. # https://<server>:<port>/_matrix/saml2/authn_response.
# #
#saml2_config: saml2_config:
# sp_config: # `sp_config` is the configuration for the pysaml2 Service Provider.
# # point this to the IdP's metadata. You can use either a local file or # See pysaml2 docs for format of config.
# # (preferably) a URL. #
# metadata: # Default values will be used for the 'entityid' and 'service' settings,
# #local: ["saml2/idp.xml"] # so it is not normally necessary to specify them unless you need to
# remote: # override them.
# - url: https://our_idp/metadata.xml #
# #sp_config:
# # By default, the user has to go to our login page first. If you'd like to # # point this to the IdP's metadata. You can use either a local file or
# # allow IdP-initiated login, set 'allow_unsolicited: True' in a # # (preferably) a URL.
# # 'service.sp' section: # metadata:
# # # #local: ["saml2/idp.xml"]
# #service: # remote:
# # sp: # - url: https://our_idp/metadata.xml
# # allow_unsolicited: True #
# # # By default, the user has to go to our login page first. If you'd like
# # The examples below are just used to generate our metadata xml, and you # # to allow IdP-initiated login, set 'allow_unsolicited: True' in a
# # may well not need it, depending on your setup. Alternatively you # # 'service.sp' section:
# # may need a whole lot more detail - see the pysaml2 docs! # #
# # #service:
# description: ["My awesome SP", "en"] # # sp:
# name: ["Test SP", "en"] # # allow_unsolicited: true
# #
# organization: # # The examples below are just used to generate our metadata xml, and you
# name: Example com # # may well not need them, depending on your setup. Alternatively you
# display_name: # # may need a whole lot more detail - see the pysaml2 docs!
# - ["Example co", "en"] #
# url: "http://example.com" # description: ["My awesome SP", "en"]
# # name: ["Test SP", "en"]
# contact_person: #
# - given_name: Bob # organization:
# sur_name: "the Sysadmin" # name: Example com
# email_address": ["admin@example.com"] # display_name:
# contact_type": technical # - ["Example co", "en"]
# # url: "http://example.com"
# # Instead of putting the config inline as above, you can specify a #
# # separate pysaml2 configuration file: # contact_person:
# # # - given_name: Bob
# config_path: "%(config_dir_path)s/sp_conf.py" # sur_name: "the Sysadmin"
# # email_address": ["admin@example.com"]
# # the lifetime of a SAML session. This defines how long a user has to # contact_type": technical
# # complete the authentication process, if allow_unsolicited is unset.
# # The default is 5 minutes. # Instead of putting the config inline as above, you can specify a
# # # separate pysaml2 configuration file:
# # saml_session_lifetime: 5m #
#config_path: "%(config_dir_path)s/sp_conf.py"
# the lifetime of a SAML session. This defines how long a user has to
# complete the authentication process, if allow_unsolicited is unset.
# The default is 5 minutes.
#
#saml_session_lifetime: 5m
""" % { """ % {
"config_dir_path": config_dir_path "config_dir_path": config_dir_path
} }