Remove deprecated SAML2 callback URL since it does not work. (#9434)

Updates documentation from #9289 and removes a deprecated
endpoint which didn't work as expected.
Patrick Cloke 2021-02-18 11:20:33 -05:00 committed by GitHub
parent 90550f598e
commit 9ee3b9775f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 16 additions and 16 deletions


@ -3,6 +3,8 @@ Synapse 1.xx.0 (2021-xx-xx)
Note that this release drops support for ARMv7 in the official Docker images, due to repeated problems building for ARMv7 (and the associated maintenance burden this entails). Note that this release drops support for ARMv7 in the official Docker images, due to repeated problems building for ARMv7 (and the associated maintenance burden this entails).
This release also fixes the documentation included in v1.27.0 around the callback URI for SAML2 identity providers. If your server is configured to use single sign-on via a SAML2 IdP, you may need to make configuration changes. Please review [UPGRADE.rst](UPGRADE.rst) for more details on these changes.
Removal warning Removal warning
--------------- ---------------
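Review bot: the paragraph added to the release notes says only that the documentation is fixed and that admins "may need to make configuration changes", but the same commit stops mounting `/_matrix/saml2` in `build_synapse_client_resource_tree`, so a SAML2 deployment whose IdP still posts to that path is affected by the code change, not only by the docs. Consider stating here that the `/_matrix/saml2` endpoint is removed and that `[synapse public baseurl]/_synapse/client/saml2/authn_response` has to be registered as the ACS location, matching the "will need" wording used in the upgrade notes.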


@ -88,20 +88,21 @@ for example:
Upgrading to v1.27.0 Upgrading to v1.27.0
==================== ====================
Changes to callback URI for OAuth2 / OpenID Connect Changes to callback URI for OAuth2 / OpenID Connect and SAML2
--------------------------------------------------- -------------------------------------------------------------
This version changes the URI used for callbacks from OAuth2 identity providers. If This version changes the URI used for callbacks from OAuth2 and SAML2 identity providers:
your server is configured for single sign-on via an OpenID Connect or OAuth2 identity
provider, you will need to add ``[synapse public baseurl]/_synapse/client/oidc/callback``
to the list of permitted "redirect URIs" at the identity provider.
See `docs/openid.md <docs/openid.md>`_ for more information on setting up OpenID * If your server is configured for single sign-on via an OpenID Connect or OAuth2 identity
Connect. provider, you will need to add ``[synapse public baseurl]/_synapse/client/oidc/callback``
to the list of permitted "redirect URIs" at the identity provider.
(Note: a similar change is being made for SAML2; in this case the old URI See `docs/openid.md <docs/openid.md>`_ for more information on setting up OpenID
``[synapse public baseurl]/_matrix/saml2`` is being deprecated, but will continue to Connect.
work, so no immediate changes are required for existing installations.)
* If your server is configured for single sign-on via a SAML2 identity provider, you will
need to add ``[synapse public baseurl]/_synapse/client/saml2/authn_response`` as a permitted
"ACS location" (also known as "allowed callback URLs") at the identity provider.
Changes to HTML templates Changes to HTML templates
------------------------- -------------------------
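Review bot: in the rewritten v1.27.0 section, the removed note promised that `[synapse public baseurl]/_matrix/saml2` "will continue to work", and the new SAML2 bullet replaces it without saying that this no longer holds. Admins who acted on the earlier text get no signal that the old URI is gone; suggest one sentence in the SAML2 bullet saying that `/_matrix/saml2` is no longer served and that any entry for it should be dropped from the IdP's allowed callback URLs once the new ACS location is registered. It would also help to say which release the removal lands in, since this section is headed v1.27.0 while the release notes describe the fix under 1.xx.0.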

changelog.d/9434.doc Normal file

@ -0,0 +1 @@
Fix erroneous documentation from v1.27.0 about updating the SAML2 callback URL.
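Review bot: the newsfragment is filed as a `.doc` entry and describes only a documentation fix, while the commit title and the resource-tree hunk remove the `/_matrix/saml2` endpoint. Suggest mentioning the endpoint removal in this entry, or adding a separate removal-type entry, so the behaviour change is visible to operators who read the changelog by category.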


@ -54,11 +54,7 @@ def build_synapse_client_resource_tree(hs: "HomeServer") -> Mapping[str, Resourc
if hs.config.saml2_enabled: if hs.config.saml2_enabled:
from synapse.rest.synapse.client.saml2 import SAML2Resource from synapse.rest.synapse.client.saml2 import SAML2Resource
res = SAML2Resource(hs) resources["/_synapse/client/saml2"] = SAML2Resource(hs)
resources["/_synapse/client/saml2"] = res
# This is also mounted under '/_matrix' for backwards-compatibility.
resources["/_matrix/saml2"] = res
return resources return resources
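Review bot: the removal of `resources["/_matrix/saml2"] = res` in the `saml2_enabled` branch is not covered by any test among the four changed files. Suggest a test asserting that the mapping returned by `build_synapse_client_resource_tree` contains `/_synapse/client/saml2` and no longer contains `/_matrix/saml2` when SAML2 is enabled, so the legacy mount is not reintroduced by accident and the documented ACS path stays the only one served.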