This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Synapse doesn't retrieve CAS attributes when using CAS Protocol 3.0 #15807

Closed
agrimpard opened this issue Jun 20, 2023 · 0 comments · Fixed by #15816
Labels
O-Uncommon: Most users are unlikely to come across this or unexpected workflow
S-Minor: Blocks non-critical functionality, workarounds exist.
T-Defect: Bugs, crashes, hangs, security vulnerabilities, or other reported issues.
z-auth (Deprecated Label)

Contributor

agrimpard commented Jun 20, 2023

Description

I'm trying to limit access to Matrix by relying on CAS SSO attributes but Matrix does not retrieve CAS attributes, only the user ID.

However, when I call CAS from a PHP script on the same machine, I do retrieve the attributes.

I modified the Python script synapse/handlers/cas.py line 130 to log the CAS response:

logging.warning('BODY CAS : %s', body)

Here's what I get, no attributes:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>MYUSER</cas:user>
    </cas:authenticationSuccess>
</cas:serviceResponse>

With PHPCAS we can configure the CAS protocol version, and version 3 CAS_VERSION_3_0 must be used to retrieve the attributes. Would there be a problem like this with Matrix?

Steps to reproduce

homeserver.yaml:

cas_config:
  enabled: true
  server_url: "https://cas.example.com:443"
  displayname_attribute: displayName
  required_attributes:
    sn: "MYSN"

When we try to connect with an account having the correct sn attribute, Matrix returns an error: "You are not allowed to log in here."

Homeserver

Private server

Synapse Version

1.85.0

Installation Method

Debian packages from packages.matrix.org

Database

PostgreSQL

Workers

Single process

Platform

KVM / Debian 11

Configuration

No response

Relevant log output

synapse.handlers.sso - 1262 - INFO - GET-50 - SSO attribute missing

Anything else that would be useful to know?

No response

clokep changed the title from "Matrix doesn't retrieve CAS attributes" to "Synapse doesn't retrieve CAS attributes" on Jun 20, 2023
clokep linked a pull request on Jun 21, 2023 that will close this issue
MadLittleMods added the z-auth (Deprecated Label) label on Jun 26, 2023
MadLittleMods changed the title from "Synapse doesn't retrieve CAS attributes" to "Synapse doesn't retrieve CAS attributes when using CAS Protocol 3.0" on Jun 27, 2023
MadLittleMods added the S-Minor, T-Defect and O-Uncommon labels on Jun 27, 2023
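
The failure reported in this issue, as an added example that is not part of the original report and is not Synapse's code: a response with only `cas:user` (as logged above) leaves a `required_attributes` check such as `sn: "MYSN"` nothing to match, so login is denied, while a CAS Protocol 3.0 validation response carries a `cas:attributes` block. The function names, `CAS3_BODY` and its attribute values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed samples. CAS2_BODY matches the response logged in the issue;
# CAS3_BODY shows the shape of a CAS Protocol 3.0 response with attributes.
CAS2_BODY = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>MYUSER</cas:user>
    </cas:authenticationSuccess>
</cas:serviceResponse>"""

CAS3_BODY = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>MYUSER</cas:user>
        <cas:attributes>
            <cas:sn>MYSN</cas:sn>
            <cas:displayName>My User</cas:displayName>
            <cas:memberOf>staff</cas:memberOf>
            <cas:memberOf>chat</cas:memberOf>
        </cas:attributes>
    </cas:authenticationSuccess>
</cas:serviceResponse>"""


def parse_cas_response(body):
    """Return (user, attributes); attributes maps name -> list of values."""
    root = ET.fromstring(body)
    success = root.find("cas:authenticationSuccess", NS)
    if success is None:
        raise ValueError("CAS validation did not succeed")
    user = success.findtext("cas:user", namespaces=NS)
    if not user:
        raise ValueError("CAS response has no user")
    attributes = {}
    for child in success.findall("cas:attributes/*", NS):
        name = child.tag.rpartition("}")[2]  # strip the XML namespace
        attributes.setdefault(name, []).append(child.text or "")
    return user, attributes


def is_allowed(attributes, required):
    """Fail closed: every required attribute must be present with its value."""
    return all(value in attributes.get(name, []) for name, value in required.items())
```

Logging the parsed attribute names (not values) next to the denial makes it easy to tell a missing attribute block apart from a wrong attribute value.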