SAML: Allow specifying the IdP entityid to use. (#8630)

If the SAML metadata includes multiple IdPs it is necessary to
specify which IdP to redirect users to for authentication.
This commit is contained in:
Ben Banfield-Zanin 2020-11-19 14:57:13 +00:00 committed by GitHub
parent 950bb0305f
commit 53a6f5ddf0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 21 additions and 1 deletions

1
changelog.d/8630.feature Normal file
View File

@ -0,0 +1 @@
Allow specification of the SAML IdP if the metadata returns multiple IdPs.

View File

@ -1674,6 +1674,14 @@ saml2_config:
# - attribute: department
# value: "sales"
# If the metadata XML contains multiple IdP entities then the `idp_entityid`
# option must be set to the entity to redirect users to.
#
# Most deployments only have a single IdP entity and so should omit this
# option.
#
#idp_entityid: 'https://our_idp/entityid'
# Enable OpenID Connect (OIDC) / OAuth 2.0 for registration and login.
#

View File

@ -90,6 +90,8 @@ class SAML2Config(Config):
"grandfathered_mxid_source_attribute", "uid"
)
self.saml2_idp_entityid = saml2_config.get("idp_entityid", None)
# user_mapping_provider may be None if the key is present but has no value
ump_dict = saml2_config.get("user_mapping_provider") or {}
@ -383,6 +385,14 @@ class SAML2Config(Config):
# value: "staff"
# - attribute: department
# value: "sales"
# If the metadata XML contains multiple IdP entities then the `idp_entityid`
# option must be set to the entity to redirect users to.
#
# Most deployments only have a single IdP entity and so should omit this
# option.
#
#idp_entityid: 'https://our_idp/entityid'
""" % {
"config_dir_path": config_dir_path
}

View File

@ -58,6 +58,7 @@ class SamlHandler(BaseHandler):
def __init__(self, hs: "synapse.server.HomeServer"):
super().__init__(hs)
self._saml_client = Saml2Client(hs.config.saml2_sp_config)
self._saml_idp_entityid = hs.config.saml2_idp_entityid
self._auth_handler = hs.get_auth_handler()
self._registration_handler = hs.get_registration_handler()
@ -100,7 +101,7 @@ class SamlHandler(BaseHandler):
URL to redirect to
"""
reqid, info = self._saml_client.prepare_for_authenticate(
relay_state=client_redirect_url
entityid=self._saml_idp_entityid, relay_state=client_redirect_url
)
# Since SAML sessions timeout it is useful to log when they were created.