Skip to content
This repository was archived by the owner on Apr 26, 2024. It is now read-only.

SAML2 Improvements and redirect stuff#5316

Closed
galexrt wants to merge 1 commit intomatrix-org:developfrom
galexrt:saml2_better
Closed

SAML2 Improvements and redirect stuff#5316
galexrt wants to merge 1 commit intomatrix-org:developfrom
galexrt:saml2_better

Conversation

@galexrt
Copy link
Contributor

@galexrt galexrt commented Jun 2, 2019

This is a "draft" right now and doesn't really comply with the guidelines of this repository / project (will work on the PR changelog file when I refined my changes). I just want to put out my changes to get SAML2 SSO working for me, so that other people can enjoy SAML2 with Matrix.

There are still things to fix:

  • Make SAML2 Client global in some way to prevent the "unsolicited" SAML2 requests / response error(s).
  • Improve logging for SAML2 for better debugging issues.
  • Add some documentation for using SAML2. I have it running with Keycloak working fine after a lot of trial and error.

NOTE This basically takes code from older PRs #200 and #4267 to get it working.

Please let me know what would needs to be improved to get this PR ready for review and / or merge.
Thanks!

Could potentially close #5130 when a SSO logout endpoint has been proposed and implemented?

Pull Request Checklist

  • Pull request is based on the develop branch
  • Pull request includes a changelog file
  • Pull request includes a sign off

@galexrt
SAML2 Improvements and redirect stuff
dc3e586 
Signed-off-by: Alexander Trost <galexrt@googlemail.com>
@galexrt galexrt mentioned this pull request Jun 2, 2019
Closed
@richvdh
Copy link
Member

richvdh commented Jun 10, 2019

This is awesome. Thank you so much for doing and sharing this work. It turns out that I need to get this going in a hurry, so I'm going to make a branch based on it to fix up the global SAML2Client and logging issues you've already identified.

richvdh
richvdh reviewed Jun 10, 2019
View reviewed changes
synapse/config/saml2_config.py
# override them.
#
#saml2_config:
# enabled: true
Copy link
Member

@richvdh richvdh Jun 10, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tbh I think this is redundant. The default is for 'enabled' to be considered True: the only reason that the config parser checks it is to avoid breaking people who have enabled: false in their config files.

richvdh
richvdh reviewed Jun 10, 2019
View reviewed changes
synapse/handlers/auth.py
if canonical_user_id:
defer.returnValue((canonical_user_id, None))

if login_type == LoginType.SSO:
Copy link
Member

@richvdh richvdh Jun 10, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you share the thinking behind this change? it looks like it's turning a 400 into a 403, but which endpoint is this for?

Copy link
Contributor Author

@galexrt galexrt Jun 11, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I remember correctly, because of this

synapse/synapse/rest/client/v1/login.py

Lines 251 to 254 in dc3e586

canonical_user_id, callback = yield self.auth_handler.validate_login(
identifier["user"],
login_submission,
)

Due to no if condition being met it would fail because SSO is not a valid login type.

richvdh
richvdh reviewed Jun 10, 2019
View reviewed changes
synapse/static/client/login/js/login.js
}

if (matrixLogin.serverAcceptsSso) {
$("#sso_form").attr("action", "/_matrix/client/r0/login/sso/redirect");
Copy link
Member

@richvdh richvdh Jun 10, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

isn't this the default?

Copy link
Contributor Author

@galexrt galexrt Jun 11, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In which point the default? This change was needed as otherwise no SSO redirect would have happened.

Copy link
Member

@richvdh richvdh Jun 26, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The default action for #sso_form is /_matrix/client/r0/login/sso/redirect: https://github.com/matrix-org/synapse/blob/master/synapse/static/client/login/index.html#L22

@richvdh richvdh mentioned this pull request Jun 10, 2019
Merged
@richvdh
Copy link
Member

richvdh commented Jun 10, 2019

Ok I have taken this work and based a separate PR on it over at #5422. If you'd like to keep working on it, I suggest you start by merging my branch. Otherwise we'll probably land #5422 in the next few days.

@galexrt
Copy link
Contributor Author

galexrt commented Jun 11, 2019

@richvdh Thanks for the feedback! I'm fine with you picking up the PR in #5422. 🙂

I'm going ahead and closing this in favor of #5422.

@galexrt galexrt closed this Jun 11, 2019
@localguru
Copy link
Contributor

localguru commented Jul 4, 2019

@galexrt nice, thank you. I will test and give feedback!

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

1 more reviewer

@richvdh richvdh richvdh left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@galexrt @richvdh @localguru