Carry IdP Session IDs through user-mapping sessions.

changelog.d/13839.misc

@@ -0,0 +1 @@
+Carry IdP Session IDs through user-mapping sessions.

synapse/handlers/sso.py

@@ -144,6 +144,9 @@ class UsernameMappingSession:
  # A unique identifier for this SSO provider, e.g. "oidc" or "saml".
  auth_provider_id: str
 
+ # An optional session ID from the IdP.
+ auth_provider_session_id: Optional[str]
+
  # user ID on the IdP server
  remote_user_id: str
 
@@ -461,6 +464,7 @@ async def complete_sso_login_request(
  client_redirect_url,
  next_step_url,
  extra_login_attributes,
+ auth_provider_session_id,
  )
 
  user_id = await self._register_mapped_user(
@@ -582,6 +586,7 @@ async def _redirect_to_next_new_user_step(
  client_redirect_url: str,
  next_step_url: bytes,
  extra_login_attributes: Optional[JsonDict],
+ auth_provider_session_id: Optional[str],
  ) -> NoReturn:
  """Creates a UsernameMappingSession and redirects the browser
 
@@ -604,6 +609,8 @@ async def _redirect_to_next_new_user_step(
  extra_login_attributes: An optional dictionary of extra
  attributes to be provided to the client in the login response.
 
+ auth_provider_session_id: An optional session ID from the IdP.
+
  Raises:
  RedirectException
  """
@@ -612,6 +619,7 @@ async def _redirect_to_next_new_user_step(
  now = self._clock.time_msec()
  session = UsernameMappingSession(
  auth_provider_id=auth_provider_id,
+ auth_provider_session_id=auth_provider_session_id,
  remote_user_id=remote_user_id,
  display_name=attributes.display_name,
  emails=attributes.emails,
@@ -965,6 +973,7 @@ async def register_sso_user(self, request: Request, session_id: str) -> None:
  session.client_redirect_url,
  session.extra_login_attributes,
  new_user=True,
+ auth_provider_session_id=session.auth_provider_session_id,
  )
 
  def _expire_old_sessions(self) -> None: