MSC1721: Rename m.login.cas to m.login.sso #1721

Merged
merged 2 commits into from
Dec 1, 2018
Changes from 1 commit
37 changes: 37 additions & 0 deletions proposals/1721-rename-cas-to-sso.md
@@ -0,0 +1,37 @@
# MSC1721: Rename `m.login.cas` to `m.login.sso`

The Matrix Client-Server spec includes a [section on client login using Central
Authentication Service
(CAS)](https://matrix.org/docs/spec/client_server/r0.4.0.html#cas-based-client-login).

The spec currently fails to mention it, but this process is triggered when [`GET
/login`](https://matrix.org/docs/spec/client_server/r0.4.0.html#get-matrix-client-r0-login)
returns a flow type of `m.login.cas`.

Nothing in this flow is specific to CAS - it is equally applicable for other
web-based single-sign-on processes, such as SAML.

Accordingly, we should rename `cas` to `sso`.

## Proposal

1. `m.login.sso` should be defined as a valid login type for return from `GET
/login`. (We should probably mention `m.login.cas` in the spec while we are
there).
Member

Will it return m.long.sso along with m.login.cas or instead of it? I'd probably recommend "along" for the transition period (but I'd really be interested to know how many clients are even watching for m.login.cas - probably there's nothing worth discussing).

Contributor

s/m.long.sso/m.login.sso

Member Author

yup think it's best to return both for now.

riot-web has some very rudimentary support for m.login.cas, but that's it afaik


2. When a client wishes to use the SSO login type, it should redirect to
`/_matrix/client/r0/login/sso/redirect` (instead of
`/_matrix/client/r0/login/cas/redirect`).

3. Servers should treat `/_matrix/client/r0/login/sso/redirect` identically to
`/_matrix/client/r0/login/cas/redirect`: they should issue a redirect to
their configured single-sign-on system.

4. Servers should probably rename the post-authentication callback endpoint
Member

s/probably// imo

Member Author

I've actually removed this section altogether. The server's behaviour needs to be completely different depending on whether it's handling a CAS or a SAML response, so it makes sense to leave it as /login/cas/ticket for a CAS response.

`/_matrix/client/r0/login/sso/ticket` instead of
`/_matrix/client/r0/login/cas/ticket`. Note, however, that this name is only
a suggestion: the full name of this endpoint is implementation-specific.

5. Servers which support `m.login.sso` should make sure they update their [login
fallback page](https://matrix.org/docs/spec/client_server/r0.4.0.html#login-fallback)
to understand the new login type.
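
Review bot: item 1 does not say whether `GET /login` should return `m.login.sso` alongside `m.login.cas` or in place of it, so a server that switches outright would leave clients that only recognise `m.login.cas` without a usable flow. Suggest stating in item 1 that servers return both types during a transition period, and wording item 2 so that `/_matrix/client/r0/login/cas/redirect` stays valid for those clients, which item 3 already implies. Item 4 is also hedged twice ("should probably", "only a suggestion"); since the endpoint name is described as implementation-specific, it may be clearer to drop it from the numbered requirements or mark it as non-normative.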