Missing support for SAML auth #3544

Closed
RyanMelenaNoesis opened this issue Mar 30, 2017 · 13 comments
Comments

@RyanMelenaNoesis

Description

When SAML authentication is enabled in Synapse (saml2_config in homeserver.yaml) Riot clients no longer work for authentication.

Steps to reproduce

  • Uncomment "saml2_config" section of default homeserver.yaml config
  • Open Riot client (tested on Android, Windows, and https://riot.im/develop)
  • Select "Custom server" radio button
  • Enter "Home Server URL" of SAML-enabled Synapse server

Client will present an error message.

For Windows/Web client the message shown is:

Sorry, this homeserver is using a login which is not recognised (m.login.saml2)

For Android client the message shown is:

Log in with one of the following methods
Log in currently unavailable

Version information

  • Platform: Web, Desktop, & Mobile

For the web app:

  • Browser: Chrome 57.0.2987.110 (64-bit)
  • OS: Windows
  • URL: riot.im/develop

For the desktop app:

  • OS: Windows 10
  • Version: matrix-react-sdk version: 0.8.6

For Mobile app:

  • OS: Android
  • Version: 7.1.0

@TechnicLab

Very interested in this feature. Due to its lack, SAML support of matrix synapse is currently useless.

@Skons

Skons commented May 10, 2018

Is there any progress regarding this issue?

@TwoTwenty

SAML would be extremely helpful for a group of organizations I belong to

@TwoTwenty

The SAML portion of this goes nowhere, since the reference ultimately points to OAUTH.

@localguru

Any news on SAML authentication?

@menturion

Does Riot Web currently support SAML2 or not?

@Morcin

Morcin commented May 6, 2019

Maybe @richvdh or @ara4n could shed some light on this?

@menturion

menturion commented May 6, 2019

@richvdh, @ara4n

Since SAML is only half implemented, ...

-1- Is there any (callback) function that can be called in a password provider to allow a custom SSO login when hitting the Riot Web index instead of SAML?

-2- Or is there any way to set the creds for Riot Web programmatically to establish an SSO, i.e. signing in the user in the background through the client-server API (https://matrix.org/docs/spec/client_server/r0.4.0.html#login) and handing over the creds to Riot Web (e.g. for function "Lifecycle.setLoggedIn([...})")?

@jryans
Collaborator

jryans commented Sep 11, 2019

As I understand it, SAML support is now fully implemented in Riot and Synapse... However, we're still missing good docs on how to assemble everything together. We'll keep this issue open to track the docs work that remains.

@richvdh
Member

richvdh commented Sep 11, 2019

see also matrix-org/synapse#5764 on the docs front

@ptman
Contributor

ptman commented May 22, 2020

SSO with SAML now works. And SSO can be used for UIA. But if both password auth and SAML are enabled in synapse, Riot will apparently prefer password auth, even if the current user has no password set: matrix-org/synapse#5667 (comment)

@t3chguy
Member

t3chguy commented May 22, 2020

This should perhaps be consistent with login where if SSO and password are supported then Riot treats it as if only SSO existed.

@turt2live
Member

It's mostly a misconfiguration if you're advertising both as it's expected that your SSO system handle passwords for you.


I'm actually going to close this as the docs front should be a separate issue, and likely fall mostly on the Synapse side.
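
The login-flow situations discussed in this thread (an unrecognised `m.login.saml2` flow, and a homeserver advertising both SSO and password login) can be checked against the body of `GET /_matrix/client/r0/login`. This is an added example, not code from Riot or Synapse; the function name, the set of supported types and the sample responses are assumptions constructed for illustration.

```javascript
// Login types this hypothetical client can handle (an assumption for the example).
const SUPPORTED = new Set(["m.login.password", "m.login.sso"]);

// Audit the JSON body returned by GET /_matrix/client/r0/login.
function auditLoginFlows(body, supported = SUPPORTED) {
  // Tolerate a missing or malformed "flows" member instead of throwing.
  const flows = body && Array.isArray(body.flows) ? body.flows : [];
  const advertised = [...new Set(
    flows.map((f) => f && f.type).filter((t) => typeof t === "string")
  )];
  const usable = advertised.filter((t) => supported.has(t));
  const unrecognised = advertised.filter((t) => !supported.has(t));
  const warnings = [];

  if (advertised.length === 0) {
    warnings.push("homeserver advertises no login flows");
  } else if (usable.length === 0) {
    // The case from the original report: only m.login.saml2 is offered.
    warnings.push("no recognised login flow: " + unrecognised.join(", "));
  }
  const hasSso = usable.includes("m.login.sso");
  if (hasSso && usable.includes("m.login.password")) {
    // Flagged in the thread as most likely a homeserver misconfiguration.
    warnings.push("both SSO and password login are advertised");
  }
  // Rule suggested in the thread: when SSO is offered, act as if only SSO existed.
  const preferred = hasSso ? "m.login.sso" : usable[0] || null;
  return { advertised, usable, unrecognised, preferred, warnings };
}

// Constructed sample responses (not captured from a real homeserver).
const SAML_ONLY = { flows: [{ type: "m.login.saml2" }] };
const SSO_AND_PASSWORD = {
  flows: [{ type: "m.login.password" }, { type: "m.login.sso" }],
};
const MALFORMED = { flows: "oops" };

for (const [name, body] of Object.entries({ SAML_ONLY, SSO_AND_PASSWORD, MALFORMED })) {
  console.log(name, JSON.stringify(auditLoginFlows(body)));
}
```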
