Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Implement SAML2 authentication #4267

Merged
merged 8 commits into from
Dec 7, 2018
Merged

Implement SAML2 authentication #4267

merged 8 commits into from
Dec 7, 2018

Conversation

richvdh
Copy link
Member

@richvdh richvdh commented Dec 5, 2018

This implements both a SAML2 metadata endpoint (at /_matrix/saml2/metadata.xml), and a SAML2 response receiver (at /_matrix/saml2/authn_response). If the SAML2 response matches what's been configured, we complete the SSO login flow by redirecting to the client url (aka RelayState in SAML2 jargon) with a login token.

What we don't yet have is anything to build a SAML2 request and redirect the user to the identity provider. That is left as an exercise for the reader.

(builds on top of #4264, #4265, and #4266)

This was implemented in an odd way that left most of the work to the client, in
a way that I really didn't understand. It's going to be a pain to maintain, so
let's start by ripping it out.
It turns out we were relying on dateutil being pulled in transitively by
pysaml2. There's no need for that bloat.
This is mostly factoring out the post-CAS-login code to somewhere we can reuse
it for other SSO flows, but it also fixes the userid mapping while we're at it.
This implements both a SAML2 metadata endpoint (at
`/_matrix/saml2/metadata.xml`), and a SAML2 response receiver (at
`/_matrix/saml2/authn_response`). If the SAML2 response matches what's been
configured, we complete the SSO login flow by redirecting to the client url
(aka `RelayState` in SAML2 jargon) with a login token.

What we don't yet have is anything to build a SAML2 request and redirect the
user to the identity provider. That is left as an exercise for the reader.
@codecov-io
Copy link

codecov-io commented Dec 5, 2018

Codecov Report

Merging #4267 into develop will decrease coverage by 0.14%.
The diff coverage is 42.63%.

Impacted file tree graph

@@             Coverage Diff             @@
##           develop    #4267      +/-   ##
===========================================
- Coverage    73.63%   73.48%   -0.15%     
===========================================
  Files          298      302       +4     
  Lines        29776    29884     +108     
  Branches      4875     4884       +9     
===========================================
+ Hits         21925    21961      +36     
- Misses        6419     6488      +69     
- Partials      1432     1435       +3
Impacted Files Coverage Δ
synapse/python_dependencies.py 40.9% <ø> (ø) ⬆️
synapse/handlers/auth.py 70.95% <ø> (ø) ⬆️
synapse/app/homeserver.py 56.53% <0%> (-0.56%) ⬇️
synapse/rest/saml2/response_resource.py 0% <0%> (ø)
synapse/rest/saml2/__init__.py 0% <0%> (ø)
synapse/rest/saml2/metadata_resource.py 0% <0%> (ø)
synapse/types.py 80.5% <100%> (+2.64%) ⬆️
synapse/config/homeserver.py 90.62% <100%> (+0.3%) ⬆️
synapse/config/saml2_config.py 36% <36%> (ø)
synapse/rest/client/v1/login.py 64.8% <96.29%> (+0.93%) ⬆️
... and 7 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b0c24a6...75843bd. Read the comment docs.

@richvdh richvdh requested a review from a team December 6, 2018 10:20
@richvdh richvdh merged commit c7401a6 into develop Dec 7, 2018
@richvdh richvdh deleted the rav/saml2_auth/saml2_login branch December 7, 2018 12:11
richvdh added a commit that referenced this pull request Jan 8, 2019
Synapse 0.34.1rc1 (2019-01-08)
==============================

Features
--------

- Special-case a support user for use in verifying behaviour of a given server. The support user does not appear in user directory or monthly active user counts. ([\#4141](#4141), [\#4344](#4344))
- Support for serving .well-known files ([\#4262](#4262))
- Rework SAML2 authentication ([\#4265](#4265), [\#4267](#4267))
- SAML2 authentication: Initialise user display name from SAML2 data ([\#4272](#4272))
- Synapse can now have its conditional/extra dependencies installed by pip. This functionality can be used by using `pip install matrix-synapse[feature]`, where feature is a comma separated list with the possible values `email.enable_notifs`, `matrix-synapse-ldap3`, `postgres`, `resources.consent`, `saml2`, `url_preview`, and `test`. If you want to install all optional dependencies, you can use "all" instead. ([\#4298](#4298), [\#4325](#4325), [\#4327](#4327))
- Add routes for reading account data. ([\#4303](#4303))
- Add opt-in support for v2 rooms ([\#4307](#4307))
- Add a script to generate a clean config file ([\#4315](#4315))
- Return server data in /login response ([\#4319](#4319))

Bugfixes
--------

- Fix contains_url check to be consistent with other instances in code-base and check that value is an instance of string. ([\#3405](#3405))
- Fix CAS login when username is not valid in an MXID ([\#4264](#4264))
- Send CORS headers for /media/config ([\#4279](#4279))
- Add 'sandbox' to CSP for media reprository ([\#4284](#4284))
- Make the new landing page prettier. ([\#4294](#4294))
- Fix deleting E2E room keys when using old SQLite versions. ([\#4295](#4295))
- The metric synapse_admin_mau:current previously did not update when config.mau_stats_only was set to True ([\#4305](#4305))
- Fixed per-room account data filters ([\#4309](#4309))
- Fix indentation in default config ([\#4313](#4313))
- Fix synapse:latest docker upload ([\#4316](#4316))
- Fix test_metric.py compatibility with prometheus_client 0.5. Contributed by Maarten de Vries <[email protected]>. ([\#4317](#4317))
- Avoid packaging _trial_temp directory in -py3 debian packages ([\#4326](#4326))
- Check jinja version for consent resource ([\#4327](#4327))
- fix NPE in /messages by checking if all events were filtered out ([\#4330](#4330))
- Fix `python -m synapse.config` on Python 3. ([\#4356](#4356))

Deprecations and Removals
-------------------------

- Remove the deprecated v1/register API on Python 2. It was never ported to Python 3. ([\#4334](#4334))

Internal Changes
----------------

- Getting URL previews of IP addresses no longer fails on Python 3. ([\#4215](#4215))
- drop undocumented dependency on dateutil ([\#4266](#4266))
- Update the example systemd config to use a virtualenv ([\#4273](#4273))
- Update link to kernel DCO guide ([\#4274](#4274))
- Make isort tox check print diff when it fails ([\#4283](#4283))
- Log room_id in Unknown room errors ([\#4297](#4297))
- Documentation improvements for coturn setup. Contributed by Krithin Sitaram. ([\#4333](#4333))
- Update pull request template to use absolute links ([\#4341](#4341))
- Update README to not lie about required restart when updating TLS certificates ([\#4343](#4343))
- Update debian packaging for compatibility with transitional package ([\#4349](#4349))
- Fix command hint to generate a config file when trying to start without a config file ([\#4353](#4353))
- Add better logging for unexpected errors while sending transactions ([\#4358](#4358))
@localguru
Copy link
Contributor

Is there any news on SAML auth?

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants