SAML2: render a comprehensible error page if something goes wrong

If an error happened while processing a SAML AuthN response, or a client ends up doing a `GET` request to `/authn_response`, then render a customisable error page rather than a confusing error.
2024-10-01 08:25:44 -04:00 · 2020-03-10 13:49:11 +00:00 · 2020-03-10 13:49:11 +00:00 · 6b0efe73e2
commit 6b0efe73e2
parent 14b2ebe767
3 changed files with 62 additions and 2 deletions
--- a/synapse/config/saml2_config.py
+++ b/synapse/config/saml2_config.py
@ -27,6 +27,18 @@ DEFAULT_USER_MAPPING_PROVIDER = (
    "synapse.handlers.saml_handler.DefaultSamlMappingProvider"
 )

+SAML2_ERROR_DEFAULT_HTML = """
+<html>
+    <body>
+        <p>Oops! Something went wrong</p>
+        <p>
+            Try logging in again from the application and if the problem persists
+            please contact the administrator.
+        </p>
+    </body>
+</html>
+"""
+

 def _dict_merge(merge_dict, into_dict):
    """Do a deep merge of two dicts
@ -160,6 +172,13 @@ class SAML2Config(Config):
            saml2_config.get("saml_session_lifetime", "5m")
        )

+        if "error_html_path" in config:
+            self.saml2_error_html_content = self.read_file(
+                config["error_html_path"], "saml2_config.error_html_path",
+            )
+        else:
+            self.saml2_error_html_content = SAML2_ERROR_DEFAULT_HTML
+
    def _default_saml_config_dict(
        self, required_attributes: set, optional_attributes: set
    ):
@ -325,6 +344,13 @@ class SAML2Config(Config):
          # The default is 'uid'.
          #
          #grandfathered_mxid_source_attribute: upn
+          
+          # Path to a file containing HTML content to serve in case an error happens
+          # when the user gets redirected from the SAML IdP back to Synapse.
+          # If no file is provided, this defaults to some minimalistic HTML telling the
+          # user that something went wrong and they should try authenticating again.
+          #
+          #error_html_path: /path/to/static/content/saml_error.html
        """ % {
            "config_dir_path": config_dir_path
        }
--- a/synapse/handlers/saml_handler.py
+++ b/synapse/handlers/saml_handler.py
@ -23,6 +23,7 @@ from saml2.client import Saml2Client

 from synapse.api.errors import SynapseError
 from synapse.config import ConfigError
+from synapse.http.server import finish_request
 from synapse.http.servlet import parse_string
 from synapse.module_api import ModuleApi
 from synapse.types import (
@ -73,6 +74,8 @@ class SamlHandler:
        # a lock on the mappings
        self._mapping_lock = Linearizer(name="saml_mapping", clock=self._clock)

+        self._error_html_content = hs.config.saml2_error_html_content
+
    def handle_redirect_request(self, client_redirect_url):
        """Handle an incoming request to /login/sso/redirect

@ -114,7 +117,22 @@ class SamlHandler:
        # the dict.
        self.expire_sessions()

-        user_id = await self._map_saml_response_to_user(resp_bytes, relay_state)
+        try:
+            user_id = await self._map_saml_response_to_user(resp_bytes, relay_state)
+        except Exception as e:
+            # If decoding the response or mapping it to a user failed, then log the
+            # error and tell the user that something went wrong.
+            logger.error(e)
+
+            request.setResponseCode(400)
+            request.setHeader(b"Content-Type", b"text/html; charset=utf-8")
+            request.setHeader(
+                b"Content-Length", b"%d" % (len(self._error_html_content),)
+            )
+            request.write(self._error_html_content.encode("utf8"))
+            finish_request(request)
+            return
+
        self._auth_handler.complete_sso_login(user_id, request, relay_state)

    async def _map_saml_response_to_user(self, resp_bytes, client_redirect_url):
--- a/synapse/rest/saml2/response_resource.py
+++ b/synapse/rest/saml2/response_resource.py
@ -14,7 +14,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-from synapse.http.server import DirectServeResource, wrap_html_request_handler
+from synapse.http.server import (
+    DirectServeResource,
+    finish_request,
+    wrap_html_request_handler,
+)


 class SAML2ResponseResource(DirectServeResource):
@ -24,8 +28,20 @@ class SAML2ResponseResource(DirectServeResource):

    def __init__(self, hs):
        super().__init__()
+        self._error_html_content = hs.config.saml2_error_html_content
        self._saml_handler = hs.get_saml_handler()

+    async def _async_render_GET(self, request):
+        # We're not expecting any GET request on that resource if everything goes right,
+        # but some IdPs sometimes end up responding with a 302 redirect on this endpoint.
+        # In this case, just tell the user that something went wrong and they should
+        # try to authenticate again.
+        request.setResponseCode(400)
+        request.setHeader(b"Content-Type", b"text/html; charset=utf-8")
+        request.setHeader(b"Content-Length", b"%d" % (len(self._error_html_content),))
+        request.write(self._error_html_content.encode("utf8"))
+        finish_request(request)
+
    @wrap_html_request_handler
    async def _async_render_POST(self, request):
        return await self._saml_handler.handle_saml_response(request)