This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

SAML auth needs doc #5764

Open
ara4n opened this issue Jul 25, 2019 · 14 comments
Labels
A-Docs things relating to the documentation O-Uncommon Most users are unlikely to come across this or unexpected workflow S-Minor Blocks non-critical functionality, workarounds exist. T-Task Refactoring, removal, replacement, enabling or disabling functionality, other engineering tasks. Z-Help-Wanted We know exactly how to fix this issue, and would be grateful for any contribution

Comments

@ara4n
Member

ara4n commented Jul 25, 2019

Particularly for integration with AD ADFS, according to #5130 (comment)

@richvdh
Member

richvdh commented Jul 25, 2019

For the record, the existing doc is

```yaml
# Enable SAML2 for registration and login. Uses pysaml2.
```

Our impl is quite a thin wrapper around pysaml2, so the best bet for documentation is to look there: https://pysaml2.readthedocs.io/en/latest/howto/config.html#howto-config. Obviously it wouldn't be practical to replicate all of that.

I can see that there might be scope for better documentation of how to integrate with certain IdP impls, but given that we don't use AD ourselves, I wouldn't really be confident writing such a thing so I guess we'd be looking for community contributions (and I would be worried maintaining such a thing).

@ara4n
Member Author

ara4n commented Jul 25, 2019

see #5130 (comment) for @slipeer's notes on AD

@slipeer
Contributor

slipeer commented Jul 25, 2019

@ara4n, AD (Active Directory) <> AD FS (Active Directory Federation Service)
I wrote about Federation Service, a commonly used IdP. I provided an IdP-side config that works fine with @galexrt's guide.

But this guide also has some flaws: it describes setting up additional attributes that synapse doesn’t actually use (mail, givenname, surname).

> the existing doc is synapse/docs/sample_config.yaml
> Our impl is quite a thin wrapper around pysaml2, so the best bet for documentation is to look there: https://pysaml2.readthedocs.io/en/latest/howto/config.html#howto-config. Obviously it wouldn't be practical to replicate all of that.

There is a lack of information about the attributes and format needed for Synapse!

I suppose it is necessary to bring together in one document the actual information from all these sources on how to set up SAML2 for Synapse.

@neilisfragile neilisfragile added A-Docs things relating to the documentation z-p2 (Deprecated Label) labels Jul 31, 2019
@volvicoasis

Hello,

When we use an IdP like Keycloak and the SSO login method with Riot/Synapse, how can we use information like email or phone to auto-fill a profile? I've got the display name but no threepid info like email. (The mxid login/auth endpoint is bypassed.)

@sunsingerus

@volvicoasis can you please share configuration details on how you've managed to fetch display name from Keycloak? I am trying the same config (keycloak + SAML2) and able to login, but no information is displayed in riot - say no printable name instead of userid. However, in synapse logs I clearly see 'displayName' fetched from Keycloak, but it does not appear in riot.
Thanks in advance

@benjamin-kirkbride

I as well am having trouble getting everything configured properly in Keycloak. It would be great if someone more familiar with the underlying systems could give a write up.

I followed the instructions here:
https://edenmal.moe/post/2019/Matrix-Synapse-SAML2-Login/#your-matrix-synapse-homeserver-config-yaml-file

But that doesn't give any info on how to populate emails or other attributes.

@ptman
Contributor

ptman commented May 7, 2020

Thank you @richvdh for helping me with synapse & SAML. I ended up following parts of the edenmal.moe guide and using this for synapse config:

```yaml
saml2_config:
  sp_config:
    allow_unknown_attributes: true # either allow unknown or map uid using attribute_map_dir
    metadata:
      remote:
        - url: https://keycloak.fqdn/auth/realms/master/protocol/saml/descriptor
  cert_file: /etc/matrix-synapse/saml-cert.pem
  key_file: /etc/matrix-synapse/saml-key.pem
```

@hex-m

hex-m commented Jul 13, 2020

We've got basic SAML-Authentication working (with Shibboleth as IdP). 🎉

Where we struggle is restricting which users should be allowed to log in. (e.g. only users where the Attribute eduPersonScopedAffiliation contains staff should be authorized.) Does anyone have an example for how to configure this?

Update: my request was solved by #8052 (delivered in 1.13). Thanks - you are awesome! <3
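As an added example (not from this thread or the Synapse docs), here is ptman's config above extended with Synapse's `attribute_requirements` setting, which restricts SAML logins to assertions carrying the listed attribute values; the IdP metadata URL and the affiliation value are constructed placeholders.

```yaml
saml2_config:
  sp_config:
    # Accept attributes the SP has no mapping for, or instead map them
    # via attribute_map_dir (see the config above).
    allow_unknown_attributes: true
    metadata:
      remote:
        # Constructed IdP metadata URL; substitute your Shibboleth/Keycloak IdP.
        - url: https://idp.example.edu/idp/shibboleth
  cert_file: /etc/matrix-synapse/saml-cert.pem
  key_file: /etc/matrix-synapse/saml-key.pem

  # Only permit logins whose assertion carries ALL of these attribute values.
  # Each entry is an exact match against one of the attribute's values, so a
  # scoped affiliation must be written out in full (constructed value below).
  attribute_requirements:
    - attribute: eduPersonScopedAffiliation
      value: "staff@example.edu"

  user_mapping_provider:
    config:
      # Attribute whose value becomes the Matrix localpart (default: uid).
      mxid_source_attribute: uid
      # How that value is made a valid localpart: hexencode or dotreplace.
      mxid_mapping: dotreplace
```

Logins whose assertion lacks a matching value are rejected before any account is created, which is worth checking in the Synapse log when a staff user is unexpectedly refused.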

@fooness

fooness commented Sep 1, 2020

Is there anyone who successfully connected synapse to shibboleth and could share the configuration and or documentation on how they made it work? Maybe @hex-m … seems you’re the only one who mentioned shibboleth in all of synapse’s issues.

@NickHu

NickHu commented Sep 13, 2020

@fooness I recently wrote up my experiences configuring synapse for Shibboleth here if it's of any use to you

@Podolyan98

Hello! I am trying to set up Keycloak as an IdP (Identity Provider) and Synapse as a service. I want to set up Keycloak to present an SSO (single sign-on) page. I am running a Linux server. What is the correct configuration?

Keycloak will be running as http://domain.ddns.net:8008 (via docker)
Synapse will be running as https://domain.ddns.net/_matrix (via Yunohost)
Element will be running as https://domain.ddns.net/element (via Yunohost)

@ptman
Contributor

ptman commented Oct 15, 2020

@Podolyan98 keycloak supports OpenID Connect, no need to use SAML: https://github.com/matrix-org/synapse/blob/master/docs/openid.md#keycloak

@Podolyan98

@ptman how to set up Keycloak and Synapse correctly? Can you share some documentation or guides? Thanks in advance.

@clokep
Member

clokep commented Oct 15, 2020

@Podolyan98 I'd suggest joining #synapse:matrix.org for help in configuring Synapse. The documentation linked to above includes what settings to tweak in Synapse to configure this though.

@DMRobertson DMRobertson added Z-Help-Wanted We know exactly how to fix this issue, and would be grateful for any contribution S-Minor Blocks non-critical functionality, workarounds exist. T-Task Refactoring, removal, replacement, enabling or disabling functionality, other engineering tasks. O-Uncommon Most users are unlikely to come across this or unexpected workflow and removed z-p2 (Deprecated Label) labels Oct 3, 2022