Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Kerberos SSO (GSSAPI/SPNEGO) authentication to on-prem installations of synapse #9412

Open
aiobofh opened this issue Feb 15, 2021 · 0 comments
Labels
T-Enhancement New features, changes in functionality, improvements in performance, or user-facing enhancements.

Comments

@aiobofh
Copy link

aiobofh commented Feb 15, 2021

It would be a killer feature to have real single-sign-on abilities in synapse. When deployed in an "enterprise" environment where computers are enrolled in a Kerberos realm.

I think the standards to look into is SPNEGO (since it's often used for any "kerberized" HTTP-service). Take a look at mod_auth_krb or mod_auth_gssapi for Apache for ideas.

I have coded a few things like this before (at least GSSAPI on client/server), and this way of authenticating to an on-prem installation would really be user friendly but as secure as one would like.

This way any user able to login to his/her computer on the local network, would automatically be able to sign-in to their respective matrix accounts.

@erikjohnston erikjohnston added the T-Enhancement New features, changes in functionality, improvements in performance, or user-facing enhancements. label Feb 18, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
T-Enhancement New features, changes in functionality, improvements in performance, or user-facing enhancements.
Projects
None yet
Development

No branches or pull requests

2 participants