This repository has been archived by the owner on Apr 26, 2024. It is now read-only.
Conversation
This was implemented in an odd way that left most of the work to the client, in a way that I really didn't understand. It's going to be a pain to maintain, so let's start by ripping it out.
It turns out we were relying on dateutil being pulled in transitively by pysaml2. There's no need for that bloat.
This is mostly factoring out the post-CAS-login code to somewhere we can reuse it for other SSO flows, but it also fixes the userid mapping while we're at it.
This implements both a SAML2 metadata endpoint (at `/_matrix/saml2/metadata.xml`), and a SAML2 response receiver (at `/_matrix/saml2/authn_response`). If the SAML2 response matches what's been configured, we complete the SSO login flow by redirecting to the client url (aka `RelayState` in SAML2 jargon) with a login token. What we don't yet have is anything to build a SAML2 request and redirect the user to the identity provider. That is left as an exercise for the reader.
Codecov Report

```diff
@@            Coverage Diff             @@
##           develop    #4267      +/-   ##
===========================================
- Coverage    73.63%   73.48%   -0.15%
===========================================
  Files          298      302       +4
  Lines        29776    29884     +108
  Branches      4875     4884       +9
===========================================
+ Hits         21925    21961      +36
- Misses        6419     6488      +69
- Partials      1432     1435       +3
```

Continue to review full report at Codecov.
erikjohnston approved these changes on Dec 7, 2018
richvdh added a commit that referenced this pull request on Jan 8, 2019:
Synapse 0.34.1rc1 (2019-01-08)
==============================

Features
--------

- Special-case a support user for use in verifying behaviour of a given server. The support user does not appear in user directory or monthly active user counts. ([\#4141](#4141), [\#4344](#4344))
- Support for serving .well-known files ([\#4262](#4262))
- Rework SAML2 authentication ([\#4265](#4265), [\#4267](#4267))
- SAML2 authentication: Initialise user display name from SAML2 data ([\#4272](#4272))
- Synapse can now have its conditional/extra dependencies installed by pip. This functionality can be used by using `pip install matrix-synapse[feature]`, where feature is a comma separated list with the possible values `email.enable_notifs`, `matrix-synapse-ldap3`, `postgres`, `resources.consent`, `saml2`, `url_preview`, and `test`. If you want to install all optional dependencies, you can use "all" instead. ([\#4298](#4298), [\#4325](#4325), [\#4327](#4327))
- Add routes for reading account data. ([\#4303](#4303))
- Add opt-in support for v2 rooms ([\#4307](#4307))
- Add a script to generate a clean config file ([\#4315](#4315))
- Return server data in /login response ([\#4319](#4319))

Bugfixes
--------

- Fix contains_url check to be consistent with other instances in code-base and check that value is an instance of string. ([\#3405](#3405))
- Fix CAS login when username is not valid in an MXID ([\#4264](#4264))
- Send CORS headers for /media/config ([\#4279](#4279))
- Add 'sandbox' to CSP for media repository ([\#4284](#4284))
- Make the new landing page prettier. ([\#4294](#4294))
- Fix deleting E2E room keys when using old SQLite versions. ([\#4295](#4295))
- The metric synapse_admin_mau:current previously did not update when config.mau_stats_only was set to True ([\#4305](#4305))
- Fixed per-room account data filters ([\#4309](#4309))
- Fix indentation in default config ([\#4313](#4313))
- Fix synapse:latest docker upload ([\#4316](#4316))
- Fix test_metric.py compatibility with prometheus_client 0.5. Contributed by Maarten de Vries <[email protected]>. ([\#4317](#4317))
- Avoid packaging _trial_temp directory in -py3 debian packages ([\#4326](#4326))
- Check jinja version for consent resource ([\#4327](#4327))
- fix NPE in /messages by checking if all events were filtered out ([\#4330](#4330))
- Fix `python -m synapse.config` on Python 3. ([\#4356](#4356))

Deprecations and Removals
-------------------------

- Remove the deprecated v1/register API on Python 2. It was never ported to Python 3. ([\#4334](#4334))

Internal Changes
----------------

- Getting URL previews of IP addresses no longer fails on Python 3. ([\#4215](#4215))
- drop undocumented dependency on dateutil ([\#4266](#4266))
- Update the example systemd config to use a virtualenv ([\#4273](#4273))
- Update link to kernel DCO guide ([\#4274](#4274))
- Make isort tox check print diff when it fails ([\#4283](#4283))
- Log room_id in Unknown room errors ([\#4297](#4297))
- Documentation improvements for coturn setup. Contributed by Krithin Sitaram. ([\#4333](#4333))
- Update pull request template to use absolute links ([\#4341](#4341))
- Update README to not lie about required restart when updating TLS certificates ([\#4343](#4343))
- Update debian packaging for compatibility with transitional package ([\#4349](#4349))
- Fix command hint to generate a config file when trying to start without a config file ([\#4353](#4353))
- Add better logging for unexpected errors while sending transactions ([\#4358](#4358))
Is there any news on SAML auth?
This implements both a SAML2 metadata endpoint (at `/_matrix/saml2/metadata.xml`), and a SAML2 response receiver (at `/_matrix/saml2/authn_response`). If the SAML2 response matches what's been configured, we complete the SSO login flow by redirecting to the client url (aka `RelayState` in SAML2 jargon) with a login token.

What we don't yet have is anything to build a SAML2 request and redirect the user to the identity provider. That is left as an exercise for the reader.

(builds on top of #4264, #4265, and #4266)
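As an added illustration (example code written for this page, not Synapse's implementation and not part of this PR), the following Python sketch models the receiver side of the flow described in the PR description above and in the "Rework SAML2 authentication" commit message: it takes the fields an identity provider would assert together with the `RelayState`, checks them against what is configured, maps the asserted uid to a Matrix user id (the "userid mapping" the CAS commit mentions), mints a one-time login token and builds the redirect back to the client. Everything below is an assumption made for the example: the configuration keys, the `verify_response` HMAC stand-in for the XML signature checking that pysaml2 performs in Synapse, the in-memory `LOGIN_TOKENS` store, the simplified uid-to-localpart mapping (which rejects rather than escapes characters that cannot appear in a localpart), and the `loginToken` query parameter name. The allowed-host check on `RelayState` is the check a practitioner would want before redirecting to a client-supplied URL.

```python
"""Receiver side of a SAML2 SSO login, as an offline example.

Not Synapse's code. Signature verification is stood in for by an HMAC
tag so the example runs without an IdP or pysaml2.
"""
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed configuration; illustrative values, not Synapse config keys.
CONFIG = {
    "server_name": "example.org",
    "expected_issuer": "https://idp.example.net/metadata",
    "expected_audience": "https://matrix.example.org/_matrix/saml2/metadata.xml",
    "idp_key": b"constructed-shared-key",          # stands in for the IdP signing key
    "allowed_client_hosts": {"app.example.org"},   # RelayState must point at a known client
}

# Characters permitted in a Matrix user-id localpart.
MXID_LOCALPART_RE = re.compile(r"^[a-z0-9._=/-]+$")

# Assertion fields covered by the stand-in signature.
SIGNED_FIELDS = ("issuer", "audience", "uid", "not_on_or_after")


def _tag(fields, key):
    msg = "|".join(str(fields[k]) for k in SIGNED_FIELDS).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_sample_response(uid, not_on_or_after, key=CONFIG["idp_key"],
                         issuer=CONFIG["expected_issuer"],
                         audience=CONFIG["expected_audience"]):
    """Constructed stand-in for what the IdP would POST to
    /_matrix/saml2/authn_response: asserted fields plus an HMAC tag
    in place of a real XML signature."""
    fields = {"issuer": issuer, "audience": audience, "uid": uid,
              "not_on_or_after": not_on_or_after}
    fields["tag"] = _tag(fields, key)
    return fields


def verify_response(response, key):
    """Stand-in for signature verification; compare in constant time."""
    return hmac.compare_digest(_tag(response, key), response.get("tag", ""))


def map_uid_to_localpart(uid):
    """Simplified uid -> localpart mapping: lower-case and reject anything
    that still cannot be a Matrix localpart."""
    localpart = uid.lower()
    if not MXID_LOCALPART_RE.match(localpart):
        raise ValueError("SAML uid %r cannot be used as a Matrix localpart" % uid)
    return localpart


def relay_state_is_allowed(relay_state, allowed_hosts):
    """Only redirect to https URLs on hosts we recognise as our clients."""
    parts = urlsplit(relay_state)
    return parts.scheme == "https" and parts.hostname in allowed_hosts


LOGIN_TOKENS = {}  # token -> (user_id, expiry); constructed in-memory store


def issue_login_token(user_id, now, ttl_seconds=120):
    token = secrets.token_urlsafe(32)
    LOGIN_TOKENS[token] = (user_id, now + ttl_seconds)
    return token


def handle_authn_response(response, relay_state, config=CONFIG, now=None):
    """Return the redirect URL for a response that matches the configuration;
    raise on any mismatch."""
    now = time.time() if now is None else now
    if not verify_response(response, config["idp_key"]):
        raise PermissionError("SAML response does not verify")
    if response["issuer"] != config["expected_issuer"]:
        raise PermissionError("unexpected issuer")
    if response["audience"] != config["expected_audience"]:
        raise PermissionError("assertion not addressed to this service provider")
    if float(response["not_on_or_after"]) <= now:
        raise PermissionError("assertion has expired")
    if not relay_state_is_allowed(relay_state, config["allowed_client_hosts"]):
        raise ValueError("RelayState is not a registered client URL")
    user_id = "@%s:%s" % (map_uid_to_localpart(response["uid"]), config["server_name"])
    token = issue_login_token(user_id, now)
    parts = urlsplit(relay_state)
    query = urlencode({"loginToken": token})
    if parts.query:
        query = parts.query + "&" + query
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


if __name__ == "__main__":
    ok = make_sample_response("Alice", "2000")
    print(handle_authn_response(ok, "https://app.example.org/#/login", now=1000))
    for bad, relay in ((dict(ok, uid="mallory"), "https://app.example.org/"),
                       (ok, "https://evil.example.net/")):
        try:
            handle_authn_response(bad, relay, now=1000)
        except (PermissionError, ValueError) as e:
            print("rejected:", e)
```

Running the module prints one redirect of the form `https://app.example.org/?loginToken=...#/login` for the valid response, then two rejections: a tampered uid fails the tag check, and a `RelayState` pointing at an unknown host is refused before any token is minted. The checks are ordered so that nothing is issued until the response, its issuer, its audience, its validity window and the redirect target have all been accepted.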