Put SAML callback URI under /_synapse/client. (#9289)

This commit is contained in:
Richard van der Hoff 2021-02-02 09:43:50 +00:00 committed by GitHub
parent 846b9d3df0
commit 8f75bf1df7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 25 additions and 13 deletions

View File

@ -99,6 +99,10 @@ to the list of permitted "redirect URIs" at the identity provider.
See `docs/openid.md <docs/openid.md>`_ for more information on setting up OpenID See `docs/openid.md <docs/openid.md>`_ for more information on setting up OpenID
Connect. Connect.
(Note: a similar change is being made for SAML2; in this case the old URI
``[synapse public baseurl]/_matrix/saml2`` is being deprecated, but will continue to
work, so no immediate changes are required for existing installations.)
Changes to HTML templates Changes to HTML templates
------------------------- -------------------------

1
changelog.d/9289.removal Normal file
View File

@ -0,0 +1 @@
Add new endpoint `/_synapse/client/saml2` for SAML2 authentication callbacks, and deprecate the old endpoint `/_matrix/saml2`.

View File

@ -1566,10 +1566,10 @@ trusted_key_servers:
# enable SAML login. # enable SAML login.
# #
# Once SAML support is enabled, a metadata file will be exposed at # Once SAML support is enabled, a metadata file will be exposed at
# https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to # https://<server>:<port>/_synapse/client/saml2/metadata.xml, which you may be able to
# use to configure your SAML IdP with. Alternatively, you can manually configure # use to configure your SAML IdP with. Alternatively, you can manually configure
# the IdP to use an ACS location of # the IdP to use an ACS location of
# https://<server>:<port>/_matrix/saml2/authn_response. # https://<server>:<port>/_synapse/client/saml2/authn_response.
# #
saml2_config: saml2_config:
# `sp_config` is the configuration for the pysaml2 Service Provider. # `sp_config` is the configuration for the pysaml2 Service Provider.

View File

@ -269,7 +269,7 @@ using):
^/_synapse/client/oidc/callback$ ^/_synapse/client/oidc/callback$
# SAML requests. # SAML requests.
^/_matrix/saml2/authn_response$ ^/_synapse/client/saml2/authn_response$
# CAS requests. # CAS requests.
^/_matrix/client/(api/v1|r0|unstable)/login/cas/ticket$ ^/_matrix/client/(api/v1|r0|unstable)/login/cas/ticket$

View File

@ -194,8 +194,8 @@ class SAML2Config(Config):
optional_attributes.add(self.saml2_grandfathered_mxid_source_attribute) optional_attributes.add(self.saml2_grandfathered_mxid_source_attribute)
optional_attributes -= required_attributes optional_attributes -= required_attributes
metadata_url = public_baseurl + "_matrix/saml2/metadata.xml" metadata_url = public_baseurl + "_synapse/client/saml2/metadata.xml"
response_url = public_baseurl + "_matrix/saml2/authn_response" response_url = public_baseurl + "_synapse/client/saml2/authn_response"
return { return {
"entityid": metadata_url, "entityid": metadata_url,
"service": { "service": {
@ -233,10 +233,10 @@ class SAML2Config(Config):
# enable SAML login. # enable SAML login.
# #
# Once SAML support is enabled, a metadata file will be exposed at # Once SAML support is enabled, a metadata file will be exposed at
# https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to # https://<server>:<port>/_synapse/client/saml2/metadata.xml, which you may be able to
# use to configure your SAML IdP with. Alternatively, you can manually configure # use to configure your SAML IdP with. Alternatively, you can manually configure
# the IdP to use an ACS location of # the IdP to use an ACS location of
# https://<server>:<port>/_matrix/saml2/authn_response. # https://<server>:<port>/_synapse/client/saml2/authn_response.
# #
saml2_config: saml2_config:
# `sp_config` is the configuration for the pysaml2 Service Provider. # `sp_config` is the configuration for the pysaml2 Service Provider.

View File

@ -133,7 +133,7 @@ class SamlHandler(BaseHandler):
raise Exception("prepare_for_authenticate didn't return a Location header") raise Exception("prepare_for_authenticate didn't return a Location header")
async def handle_saml_response(self, request: SynapseRequest) -> None: async def handle_saml_response(self, request: SynapseRequest) -> None:
"""Handle an incoming request to /_matrix/saml2/authn_response """Handle an incoming request to /_synapse/client/saml2/authn_response
Args: Args:
request: the incoming request from the browser. We'll request: the incoming request from the browser. We'll

View File

@ -52,10 +52,13 @@ def build_synapse_client_resource_tree(hs: "HomeServer") -> Mapping[str, Resourc
resources["/_synapse/client/oidc"] = OIDCResource(hs) resources["/_synapse/client/oidc"] = OIDCResource(hs)
if hs.config.saml2_enabled: if hs.config.saml2_enabled:
from synapse.rest.saml2 import SAML2Resource from synapse.rest.synapse.client.saml2 import SAML2Resource
# This is mounted under '/_matrix' for backwards-compatibility. res = SAML2Resource(hs)
resources["/_matrix/saml2"] = SAML2Resource(hs) resources["/_synapse/client/saml2"] = res
# This is also mounted under '/_matrix' for backwards-compatibility.
resources["/_matrix/saml2"] = res
return resources return resources

View File

@ -12,12 +12,13 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
import logging import logging
from twisted.web.resource import Resource from twisted.web.resource import Resource
from synapse.rest.saml2.metadata_resource import SAML2MetadataResource from synapse.rest.synapse.client.saml2.metadata_resource import SAML2MetadataResource
from synapse.rest.saml2.response_resource import SAML2ResponseResource from synapse.rest.synapse.client.saml2.response_resource import SAML2ResponseResource
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
@ -27,3 +28,6 @@ class SAML2Resource(Resource):
Resource.__init__(self) Resource.__init__(self)
self.putChild(b"metadata.xml", SAML2MetadataResource(hs)) self.putChild(b"metadata.xml", SAML2MetadataResource(hs))
self.putChild(b"authn_response", SAML2ResponseResource(hs)) self.putChild(b"authn_response", SAML2ResponseResource(hs))
__all__ = ["SAML2Resource"]