mirror of
https://mau.dev/maunium/synapse.git
synced 2024-10-01 01:36:05 -04:00
Merge pull request #6064 from matrix-org/rav/saml_config_cleanup
Make the sample saml config closer to our standards
This commit is contained in:
commit
78e8ec368e
1
changelog.d/6064.misc
Normal file
1
changelog.d/6064.misc
Normal file
@ -0,0 +1 @@
|
|||||||
|
Clean up the sample config for SAML authentication.
|
@ -1104,12 +1104,13 @@ signing_key_path: "CONFDIR/SERVERNAME.signing.key"
|
|||||||
|
|
||||||
# Enable SAML2 for registration and login. Uses pysaml2.
|
# Enable SAML2 for registration and login. Uses pysaml2.
|
||||||
#
|
#
|
||||||
# `sp_config` is the configuration for the pysaml2 Service Provider.
|
# At least one of `sp_config` or `config_path` must be set in this section to
|
||||||
# See pysaml2 docs for format of config.
|
# enable SAML login.
|
||||||
#
|
#
|
||||||
# Default values will be used for the 'entityid' and 'service' settings,
|
# (You will probably also want to set the following options to `false` to
|
||||||
# so it is not normally necessary to specify them unless you need to
|
# disable the regular login/registration flows:
|
||||||
# override them.
|
# * enable_registration
|
||||||
|
# * password_config.enabled
|
||||||
#
|
#
|
||||||
# Once SAML support is enabled, a metadata file will be exposed at
|
# Once SAML support is enabled, a metadata file will be exposed at
|
||||||
# https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to
|
# https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to
|
||||||
@ -1117,52 +1118,59 @@ signing_key_path: "CONFDIR/SERVERNAME.signing.key"
|
|||||||
# the IdP to use an ACS location of
|
# the IdP to use an ACS location of
|
||||||
# https://<server>:<port>/_matrix/saml2/authn_response.
|
# https://<server>:<port>/_matrix/saml2/authn_response.
|
||||||
#
|
#
|
||||||
#saml2_config:
|
saml2_config:
|
||||||
# sp_config:
|
# `sp_config` is the configuration for the pysaml2 Service Provider.
|
||||||
# # point this to the IdP's metadata. You can use either a local file or
|
# See pysaml2 docs for format of config.
|
||||||
# # (preferably) a URL.
|
#
|
||||||
# metadata:
|
# Default values will be used for the 'entityid' and 'service' settings,
|
||||||
# #local: ["saml2/idp.xml"]
|
# so it is not normally necessary to specify them unless you need to
|
||||||
# remote:
|
# override them.
|
||||||
# - url: https://our_idp/metadata.xml
|
#
|
||||||
#
|
#sp_config:
|
||||||
# # By default, the user has to go to our login page first. If you'd like to
|
# # point this to the IdP's metadata. You can use either a local file or
|
||||||
# # allow IdP-initiated login, set 'allow_unsolicited: True' in a
|
# # (preferably) a URL.
|
||||||
# # 'service.sp' section:
|
# metadata:
|
||||||
# #
|
# #local: ["saml2/idp.xml"]
|
||||||
# #service:
|
# remote:
|
||||||
# # sp:
|
# - url: https://our_idp/metadata.xml
|
||||||
# # allow_unsolicited: True
|
#
|
||||||
#
|
# # By default, the user has to go to our login page first. If you'd like
|
||||||
# # The examples below are just used to generate our metadata xml, and you
|
# # to allow IdP-initiated login, set 'allow_unsolicited: True' in a
|
||||||
# # may well not need it, depending on your setup. Alternatively you
|
# # 'service.sp' section:
|
||||||
# # may need a whole lot more detail - see the pysaml2 docs!
|
# #
|
||||||
#
|
# #service:
|
||||||
# description: ["My awesome SP", "en"]
|
# # sp:
|
||||||
# name: ["Test SP", "en"]
|
# # allow_unsolicited: true
|
||||||
#
|
#
|
||||||
# organization:
|
# # The examples below are just used to generate our metadata xml, and you
|
||||||
# name: Example com
|
# # may well not need them, depending on your setup. Alternatively you
|
||||||
# display_name:
|
# # may need a whole lot more detail - see the pysaml2 docs!
|
||||||
# - ["Example co", "en"]
|
#
|
||||||
# url: "http://example.com"
|
# description: ["My awesome SP", "en"]
|
||||||
#
|
# name: ["Test SP", "en"]
|
||||||
# contact_person:
|
#
|
||||||
# - given_name: Bob
|
# organization:
|
||||||
# sur_name: "the Sysadmin"
|
# name: Example com
|
||||||
# email_address": ["admin@example.com"]
|
# display_name:
|
||||||
# contact_type": technical
|
# - ["Example co", "en"]
|
||||||
#
|
# url: "http://example.com"
|
||||||
# # Instead of putting the config inline as above, you can specify a
|
#
|
||||||
# # separate pysaml2 configuration file:
|
# contact_person:
|
||||||
# #
|
# - given_name: Bob
|
||||||
# config_path: "CONFDIR/sp_conf.py"
|
# sur_name: "the Sysadmin"
|
||||||
#
|
# email_address": ["admin@example.com"]
|
||||||
# # the lifetime of a SAML session. This defines how long a user has to
|
# contact_type": technical
|
||||||
# # complete the authentication process, if allow_unsolicited is unset.
|
|
||||||
# # The default is 5 minutes.
|
# Instead of putting the config inline as above, you can specify a
|
||||||
# #
|
# separate pysaml2 configuration file:
|
||||||
# # saml_session_lifetime: 5m
|
#
|
||||||
|
#config_path: "CONFDIR/sp_conf.py"
|
||||||
|
|
||||||
|
# the lifetime of a SAML session. This defines how long a user has to
|
||||||
|
# complete the authentication process, if allow_unsolicited is unset.
|
||||||
|
# The default is 5 minutes.
|
||||||
|
#
|
||||||
|
#saml_session_lifetime: 5m
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -26,6 +26,9 @@ class SAML2Config(Config):
|
|||||||
if not saml2_config or not saml2_config.get("enabled", True):
|
if not saml2_config or not saml2_config.get("enabled", True):
|
||||||
return
|
return
|
||||||
|
|
||||||
|
if not saml2_config.get("sp_config") and not saml2_config.get("config_path"):
|
||||||
|
return
|
||||||
|
|
||||||
try:
|
try:
|
||||||
check_requirements("saml2")
|
check_requirements("saml2")
|
||||||
except DependencyException as e:
|
except DependencyException as e:
|
||||||
@ -76,12 +79,13 @@ class SAML2Config(Config):
|
|||||||
return """\
|
return """\
|
||||||
# Enable SAML2 for registration and login. Uses pysaml2.
|
# Enable SAML2 for registration and login. Uses pysaml2.
|
||||||
#
|
#
|
||||||
# `sp_config` is the configuration for the pysaml2 Service Provider.
|
# At least one of `sp_config` or `config_path` must be set in this section to
|
||||||
# See pysaml2 docs for format of config.
|
# enable SAML login.
|
||||||
#
|
#
|
||||||
# Default values will be used for the 'entityid' and 'service' settings,
|
# (You will probably also want to set the following options to `false` to
|
||||||
# so it is not normally necessary to specify them unless you need to
|
# disable the regular login/registration flows:
|
||||||
# override them.
|
# * enable_registration
|
||||||
|
# * password_config.enabled
|
||||||
#
|
#
|
||||||
# Once SAML support is enabled, a metadata file will be exposed at
|
# Once SAML support is enabled, a metadata file will be exposed at
|
||||||
# https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to
|
# https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to
|
||||||
@ -89,8 +93,15 @@ class SAML2Config(Config):
|
|||||||
# the IdP to use an ACS location of
|
# the IdP to use an ACS location of
|
||||||
# https://<server>:<port>/_matrix/saml2/authn_response.
|
# https://<server>:<port>/_matrix/saml2/authn_response.
|
||||||
#
|
#
|
||||||
#saml2_config:
|
saml2_config:
|
||||||
# sp_config:
|
# `sp_config` is the configuration for the pysaml2 Service Provider.
|
||||||
|
# See pysaml2 docs for format of config.
|
||||||
|
#
|
||||||
|
# Default values will be used for the 'entityid' and 'service' settings,
|
||||||
|
# so it is not normally necessary to specify them unless you need to
|
||||||
|
# override them.
|
||||||
|
#
|
||||||
|
#sp_config:
|
||||||
# # point this to the IdP's metadata. You can use either a local file or
|
# # point this to the IdP's metadata. You can use either a local file or
|
||||||
# # (preferably) a URL.
|
# # (preferably) a URL.
|
||||||
# metadata:
|
# metadata:
|
||||||
@ -98,16 +109,16 @@ class SAML2Config(Config):
|
|||||||
# remote:
|
# remote:
|
||||||
# - url: https://our_idp/metadata.xml
|
# - url: https://our_idp/metadata.xml
|
||||||
#
|
#
|
||||||
# # By default, the user has to go to our login page first. If you'd like to
|
# # By default, the user has to go to our login page first. If you'd like
|
||||||
# # allow IdP-initiated login, set 'allow_unsolicited: True' in a
|
# # to allow IdP-initiated login, set 'allow_unsolicited: True' in a
|
||||||
# # 'service.sp' section:
|
# # 'service.sp' section:
|
||||||
# #
|
# #
|
||||||
# #service:
|
# #service:
|
||||||
# # sp:
|
# # sp:
|
||||||
# # allow_unsolicited: True
|
# # allow_unsolicited: true
|
||||||
#
|
#
|
||||||
# # The examples below are just used to generate our metadata xml, and you
|
# # The examples below are just used to generate our metadata xml, and you
|
||||||
# # may well not need it, depending on your setup. Alternatively you
|
# # may well not need them, depending on your setup. Alternatively you
|
||||||
# # may need a whole lot more detail - see the pysaml2 docs!
|
# # may need a whole lot more detail - see the pysaml2 docs!
|
||||||
#
|
#
|
||||||
# description: ["My awesome SP", "en"]
|
# description: ["My awesome SP", "en"]
|
||||||
@ -124,17 +135,17 @@ class SAML2Config(Config):
|
|||||||
# sur_name: "the Sysadmin"
|
# sur_name: "the Sysadmin"
|
||||||
# email_address": ["admin@example.com"]
|
# email_address": ["admin@example.com"]
|
||||||
# contact_type": technical
|
# contact_type": technical
|
||||||
|
|
||||||
|
# Instead of putting the config inline as above, you can specify a
|
||||||
|
# separate pysaml2 configuration file:
|
||||||
#
|
#
|
||||||
# # Instead of putting the config inline as above, you can specify a
|
#config_path: "%(config_dir_path)s/sp_conf.py"
|
||||||
# # separate pysaml2 configuration file:
|
|
||||||
# #
|
# the lifetime of a SAML session. This defines how long a user has to
|
||||||
# config_path: "%(config_dir_path)s/sp_conf.py"
|
# complete the authentication process, if allow_unsolicited is unset.
|
||||||
|
# The default is 5 minutes.
|
||||||
#
|
#
|
||||||
# # the lifetime of a SAML session. This defines how long a user has to
|
#saml_session_lifetime: 5m
|
||||||
# # complete the authentication process, if allow_unsolicited is unset.
|
|
||||||
# # The default is 5 minutes.
|
|
||||||
# #
|
|
||||||
# # saml_session_lifetime: 5m
|
|
||||||
""" % {
|
""" % {
|
||||||
"config_dir_path": config_dir_path
|
"config_dir_path": config_dir_path
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user