Improve the sample config for SSO (OIDC, SAML, and CAS). (#8635)

2025-08-05 12:44:27 -04:00 · 2020-10-30 10:01:59 -04:00 · 2020-10-30 10:01:59 -04:00 · 8f1aefa694
commit 8f1aefa694
parent cbc82aa09f
5 changed files with 157 additions and 104 deletions
--- a/synapse/config/cas.py
+++ b/synapse/config/cas.py
@ -26,14 +26,14 @@ class CasConfig(Config):

    def read_config(self, config, **kwargs):
        cas_config = config.get("cas_config", None)
-        if cas_config:
-            self.cas_enabled = cas_config.get("enabled", True)
+        self.cas_enabled = cas_config and cas_config.get("enabled", True)
+
+        if self.cas_enabled:
            self.cas_server_url = cas_config["server_url"]
            self.cas_service_url = cas_config["service_url"]
            self.cas_displayname_attribute = cas_config.get("displayname_attribute")
-            self.cas_required_attributes = cas_config.get("required_attributes", {})
+            self.cas_required_attributes = cas_config.get("required_attributes") or {}
        else:
-            self.cas_enabled = False
            self.cas_server_url = None
            self.cas_service_url = None
            self.cas_displayname_attribute = None
@ -41,13 +41,35 @@ class CasConfig(Config):

    def generate_config_section(self, config_dir_path, server_name, **kwargs):
        return """
-        # Enable CAS for registration and login.
+        # Enable Central Authentication Service (CAS) for registration and login.
        #
-        #cas_config:
-        #   enabled: true
-        #   server_url: "https://cas-server.com"
-        #   service_url: "https://homeserver.domain.com:8448"
-        #   #displayname_attribute: name
-        #   #required_attributes:
-        #   #    name: value
+        cas_config:
+          # Uncomment the following to enable authorization against a CAS server.
+          # Defaults to false.
+          #
+          #enabled: true
+
+          # The URL of the CAS authorization endpoint.
+          #
+          #server_url: "https://cas-server.com"
+
+          # The public URL of the homeserver.
+          #
+          #service_url: "https://homeserver.domain.com:8448"
+
+          # The attribute of the CAS response to use as the display name.
+          #
+          # If unset, no displayname will be set.
+          #
+          #displayname_attribute: name
+
+          # It is possible to configure Synapse to only allow logins if CAS attributes
+          # match particular values. All of the keys in the mapping below must exist
+          # and the values must match the given value. Alternately if the given value
+          # is None then any value is allowed (the attribute just must exist).
+          # All of the listed attributes must match for the login to be permitted.
+          #
+          #required_attributes:
+          #  userGroup: "staff"
+          #  department: None
        """