This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

SAML is only half implemented #5130

Closed
ptman opened this issue May 2, 2019 · 10 comments
Closed

Labels
z-auth (Deprecated Label) z-p2 (Deprecated Label)

Comments

@ptman
Contributor

ptman commented May 2, 2019

@ara4n:

# Enable SAML2 for registration and login. Uses pysaml2.

@richvdh: "saml is only half implemented"
"only works with a custom proxy to prepare the saml query"

@localguru
Contributor

What exactly does "only works with a custom proxy to prepare the saml query" mean? Is there any further documentation on that?

@ptman
Contributor Author

ptman commented May 6, 2019

Which clients can be used for SAML auth? element-hq/element-web#3544

@richvdh
Member

richvdh commented May 6, 2019

once saml support in synapse is completed, any client that supports the m.login.sso flow or fallback auth will support saml.

The part that is missing is step 2 of https://matrix.org/docs/spec/client_server/unstable.html#sso-client-login: Synapse needs to handle the /login/sso/redirect endpoint and 302 to the SAML interface.
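Step 2 of that flow, written out as an added illustration that is not Synapse's own code (Synapse uses pysaml2; this builds the SAML HTTP-Redirect binding by hand with only the standard library). The endpoints are constructed placeholders, and carrying the client's redirectUrl in RelayState is an assumption of this example.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample endpoints (hypothetical, not a real deployment).
SP_ENTITY_ID = "https://matrix.example.org/_matrix/saml2/metadata.xml"
ACS_URL = "https://matrix.example.org/_matrix/saml2/authn_response"
IDP_SSO_URL = "https://adfs.example.org/adfs/ls/"

def check_client_redirect_url(url):
    """The browser is later sent back here with a loginToken, so accept only absolute http(s) URLs."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("redirectUrl must be an absolute http(s) URL")
    return url

def build_authn_request(request_id, issue_instant):
    """Minimal SAML 2.0 AuthnRequest asking the IdP to POST its response to the ACS."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )

def deflate_b64(xml):
    # HTTP-Redirect binding: raw DEFLATE (no zlib header, wbits=-15), then base64.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def inflate_b64(data):
    return zlib.decompress(base64.b64decode(data), -15).decode()

def sso_redirect(client_redirect_url):
    """Step 2: serve GET /login/sso/redirect?redirectUrl=... with a 302 to the IdP.
    The client's redirectUrl travels in RelayState (an assumption of this example)."""
    relay_state = check_client_redirect_url(client_redirect_url)
    request_id = "_" + uuid.uuid4().hex  # an xsd:ID may not start with a digit
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    saml_request = deflate_b64(build_authn_request(request_id, now))
    return 302, IDP_SSO_URL + "?" + urlencode({"SAMLRequest": saml_request, "RelayState": relay_state})

def decode_location(location):
    """What the IdP receives: the inflated AuthnRequest XML and the RelayState."""
    qs = parse_qs(urlsplit(location).query)
    return inflate_b64(qs["SAMLRequest"][0]), qs["RelayState"][0]
```

After the IdP has authenticated the user it POSTs the SAML response to the ACS URL, and the homeserver then redirects the browser to the RelayState URL with a loginToken, which is the remaining half of the flow.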

@menturion

Is there already a date on which SAML will probably be fully implemented?

@richvdh
Member

richvdh commented Jul 16, 2019

This was fixed by #5422

@richvdh richvdh closed this as completed Jul 16, 2019
@slipeer
Contributor

slipeer commented Jul 25, 2019

Some SAML2-related stuff is still unimplemented, such as:

  • SAML logout
  • UPDATE of the user's displayname from the SAML IdP (on_successful_auth updates it only at the registration phase)
  • Documenting how to make it work. For example, only the displayname attribute is used from the SAML Authn Response, and it isn't referenced in the documentation. To make it work with AD FS, I needed to set up additional AD FS rules - it wasn't trivial to deal with this.

@ara4n
Member

ara4n commented Jul 25, 2019

@slipeer do you have doc for how you got it to work with AD?

@ara4n
Member

ara4n commented Jul 25, 2019

i've split this out into new issues (updating a closed bug with new scope typically gets lost)

@slipeer
Contributor

slipeer commented Jul 25, 2019

@ara4n no complete docs today, only the AD FS Issuance Transform Rules that work for me:
Rule 1
to match the NameID format (without it, error MSIS7070 appears in the AD FS event log)

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");

Rule 2
to add uid and displayname attributes

 c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("uid", "displayName"), query = ";sAMAccountName,displayName;{0}", param = c.Value);

Another problem: AD FS 2.0 (Windows Server 2012R2 may still be in use) does not know about TLS1.3.
I had to allow TLS1.0 for it on the reverse proxy on Synapse's side.

That's the key thing. It's the issue I've spent the longest dealing with.

Otherwise, @galexrt's instructions work, with only one note: he described additional attributes there which Synapse does not actually look at.

@dvoijen

dvoijen commented Mar 18, 2020

How did you set up ADFS?
Do you have some kind of manual for it?
