This repository has been archived by the owner on Apr 26, 2024. It is now read-only.
Kerberos SSO (GSSAPI/SPNEGO) authentication to on-prem installations of synapse #9412
Labels
T-Enhancement
New features, changes in functionality, improvements in performance, or user-facing enhancements.
It would be a killer feature to have real single-sign-on abilities in synapse. When deployed in an "enterprise" environment where computers are enrolled in a Kerberos realm.
I think the standards to look into is SPNEGO (since it's often used for any "kerberized" HTTP-service). Take a look at mod_auth_krb or mod_auth_gssapi for Apache for ideas.
I have coded a few things like this before (at least GSSAPI on client/server), and this way of authenticating to an on-prem installation would really be user friendly but as secure as one would like.
This way any user able to login to his/her computer on the local network, would automatically be able to sign-in to their respective matrix accounts.
The text was updated successfully, but these errors were encountered: