From c129ea7fb5b17f33d7c202a8a69ab4950268d6c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20Rodr=C3=ADguez?= Date: Wed, 9 Aug 2023 17:05:19 -0400 Subject: [PATCH 1/5] add name, icon and brand to SAML and CAS --- synapse/config/cas.py | 4 ++++ synapse/config/saml2.py | 6 ++++++ synapse/handlers/cas.py | 11 ++++++----- synapse/handlers/saml.py | 11 ++++++----- 4 files changed, 22 insertions(+), 10 deletions(-) diff --git a/synapse/config/cas.py b/synapse/config/cas.py index 9152c06bd6fe..c4e63e74118c 100644 --- a/synapse/config/cas.py +++ b/synapse/config/cas.py @@ -47,6 +47,10 @@ def read_config(self, config: JsonDict, **kwargs: Any) -> None: required_attributes ) + self.idp_name = cas_config.get("idp_name", "CAS") + self.idp_icon = cas_config.get("idp_icon") + self.idp_brand = cas_config.get("idp_brand") + else: self.cas_server_url = None self.cas_service_url = None diff --git a/synapse/config/saml2.py b/synapse/config/saml2.py index 49ca663dde2d..c69e24cf2603 100644 --- a/synapse/config/saml2.py +++ b/synapse/config/saml2.py @@ -89,8 +89,14 @@ def read_config(self, config: JsonDict, **kwargs: Any) -> None: "grandfathered_mxid_source_attribute", "uid" ) + # refers to a SAML IdP entity ID self.saml2_idp_entityid = saml2_config.get("idp_entityid", None) + # IdP properties for Matrix clients + self.idp_name = saml2_config.get("idp_name", "SAML") + self.idp_icon = saml2_config.get("idp_icon") + self.idp_brand = saml2_config.get("idp_brand") + # user_mapping_provider may be None if the key is present but has no value ump_dict = saml2_config.get("user_mapping_provider") or {} diff --git a/synapse/handlers/cas.py b/synapse/handlers/cas.py index fc467bc7c13e..5c71637038b6 100644 --- a/synapse/handlers/cas.py +++ b/synapse/handlers/cas.py 
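Review bot: The three new `cas_config.get(...)` reads in `read_config` accept any value unchecked, even though the accompanying documentation states that `idp_icon` "must be an MXC URI"; a misconfigured value is not rejected at startup but handed to clients in the login flow. The existing OIDC provider config (not in this diff, worth checking) validates its icon with `parse_and_validate_mxc_uri` and raises `ConfigError`, and mirroring that here keeps the three SSO providers consistent. Separately, `cas_config.get("idp_name", "CAS")` yields `None` when the key is present with no value, the exact case the sibling saml2 config guards with `or {}`; `cas_config.get("idp_name") or "CAS"` keeps the documented default. The import of `parse_and_validate_mxc_uri` (and `ConfigError`, if not already imported) lies outside the hunk, as does the rest of `read_config`.
```python
            self.idp_name = cas_config.get("idp_name") or "CAS"

            self.idp_icon = cas_config.get("idp_icon")
            if self.idp_icon is not None:
                try:
                    parse_and_validate_mxc_uri(self.idp_icon)
                except ValueError as e:
                    raise ConfigError(
                        "idp_icon must be a valid MXC URI", ("cas_config", "idp_icon")
                    ) from e

            self.idp_brand = cas_config.get("idp_brand")
            # … unchanged: else branch resetting cas_server_url / cas_service_url …
```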
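Review bot: `self.idp_icon = saml2_config.get("idp_icon")` stores the operator-supplied value without checking that it is the MXC URI the documentation requires, so a bad value surfaces only when a client tries to render it rather than as a startup `ConfigError`. The OIDC provider config (outside this diff, as I recall) validates its icon via `parse_and_validate_mxc_uri`; the same check belongs here. The file's own comment two lines below, "user_mapping_provider may be None if the key is present but has no value", applies equally to `idp_name`, so `saml2_config.get("idp_name") or "SAML"` is the safer default form. `read_config` continues before and after this hunk, and the helper import would be added at the top of the file.
```python
        self.idp_name = saml2_config.get("idp_name") or "SAML"

        self.idp_icon = saml2_config.get("idp_icon")
        if self.idp_icon is not None:
            try:
                parse_and_validate_mxc_uri(self.idp_icon)
            except ValueError as e:
                raise ConfigError(
                    "idp_icon must be a valid MXC URI", ("saml2_config", "idp_icon")
                ) from e

        self.idp_brand = saml2_config.get("idp_brand")
        # … unchanged: user_mapping_provider handling …
```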
@@ -76,12 +76,13 @@ def __init__(self, hs: "HomeServer"): self.idp_id = "cas" # user-facing name of this auth provider - self.idp_name = "CAS" + self.idp_name = hs.config.cas.idp_name - # we do not currently support brands/icons for CAS auth, but this is required by - # the SsoIdentityProvider protocol type. - self.idp_icon = None - self.idp_brand = None + # MXC URI for icon for this auth provider + self.idp_icon = hs.config.cas.idp_icon + + # optional brand identifier for this auth provider + self.idp_brand = hs.config.cas.idp_brand self._sso_handler = hs.get_sso_handler() diff --git a/synapse/handlers/saml.py b/synapse/handlers/saml.py index 6083c9f4b5ca..d00035c332bf 100644 --- a/synapse/handlers/saml.py +++ b/synapse/handlers/saml.py @@ -74,12 +74,13 @@ def __init__(self, hs: "HomeServer"): self.idp_id = "saml" # user-facing name of this auth provider - self.idp_name = "SAML" + self.idp_name = hs.config.saml2.idp_name - # we do not currently support icons/brands for SAML auth, but this is required by - # the SsoIdentityProvider protocol type. - self.idp_icon = None - self.idp_brand = None + # MXC URI for icon for this auth provider + self.idp_icon = hs.config.saml2.idp_icon + + # optional brand identifier for this auth provider + self.idp_brand = hs.config.saml2.idp_brand # a map from saml session id to Saml2SessionData object self._outstanding_requests_dict: Dict[str, Saml2SessionData] = {} From 8829198719adeed096a0a0978c61eea62c3d358c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20Rodr=C3=ADguez?= Date: Wed, 9 Aug 2023 17:54:35 -0400 Subject: [PATCH 2/5] Update docs for SAML and CAS --- .../configuration/config_documentation.md | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/docs/usage/configuration/config_documentation.md b/docs/usage/configuration/config_documentation.md index 2987c9332d14..5f5af22bc083 100644 --- a/docs/usage/configuration/config_documentation.md +++ b/docs/usage/configuration/config_documentation.md 
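Review bot: The new comment `# MXC URI for icon for this auth provider` above `self.idp_icon = hs.config.cas.idp_icon` overstates what the handler knows: the config value is optional, so the attribute is `None` when unset, and nothing in this diff verifies the MXC format. Suggest `# MXC URI for this provider's icon, or None if not configured` and, for the brand, `# brand identifier for this provider (see the Matrix spec), or None`. `__init__` starts before this hunk and continues after it.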
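Review bot: In the saml handler hunk, the comments on `self.idp_icon` and `self.idp_brand` describe the values as an MXC URI and a brand identifier, but both are read straight from `hs.config.saml2` and may be `None`; the `Optional` nature is what a reader of `SsoIdentityProvider` implementations needs to know. Suggest `# optional MXC URI for the provider icon; None when not configured` and `# optional brand identifier for client styling; None when not configured`. `__init__` is only partially visible in this hunk.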
@@ -3025,6 +3025,16 @@ enable SAML login. You can either put your entire pysaml config inline using the option, or you can specify a path to a psyaml config file with the sub-option `config_path`. This setting has the following sub-options: +* `idp_name`: A user-facing name for this identity provider, which is used to + offer the user a choice of login mechanisms. +* `idp_icon`: An optional icon for this identity provider, which is presented + by clients and Synapse's own IdP picker page. If given, must be an + MXC URI of the format mxc:///. (An easy way to + obtain such an MXC URI is to upload an image to an (unencrypted) room + and then copy the "url" from the source of the event.) +* `idp_brand`: An optional brand for this identity provider, allowing clients + to style the login flow according to the identity provider in question. + See the [spec](https://spec.matrix.org/latest/) for possible options here. * `sp_config`: the configuration for the pysaml2 Service Provider. See pysaml2 docs for format of config. Default values will be used for the `entityid` and `service` settings, so it is not normally necessary to specify them unless you need to 
@@ -3391,6 +3401,16 @@ Enable Central Authentication Service (CAS) for registration and login. Has the following sub-options: * `enabled`: Set this to true to enable authorization against a CAS server. Defaults to false. +* `idp_name`: A user-facing name for this identity provider, which is used to + offer the user a choice of login mechanisms. +* `idp_icon`: An optional icon for this identity provider, which is presented + by clients and Synapse's own IdP picker page. If given, must be an + MXC URI of the format mxc:///. (An easy way to + obtain such an MXC URI is to upload an image to an (unencrypted) room + and then copy the "url" from the source of the event.) +* `idp_brand`: An optional brand for this identity provider, allowing clients + to style the login flow according to the identity provider in question. + See the [spec](https://spec.matrix.org/latest/) for possible options here. * `server_url`: The URL of the CAS authorization endpoint. * `displayname_attribute`: The attribute of the CAS response to use as the display name. If no name is given here, no displayname will be set. From 14b27a0dc4ea67888ea053360a40727110665b80 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabriel=20Rodr=C3=ADguez?= Date: Wed, 9 Aug 2023 18:20:40 -0400 Subject: [PATCH 3/5] Add changelog entry for PR #16094 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gabriel Rodríguez --- changelog.d/16094.feature | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/16094.feature diff --git a/changelog.d/16094.feature b/changelog.d/16094.feature new file mode 100644 index 000000000000..fc5d94e44592 --- /dev/null +++ b/changelog.d/16094.feature @@ -0,0 +1 @@ +SSO: Allow customizing the IdP display name and icon (and brand) for SAML and CAS, and not just OIDC. \ No newline at end of file From d224deef667cd486ed93e98376a1ef7af173bb72 Mon Sep 17 00:00:00 2001 
From: Patrick Cloke Date: Fri, 11 Aug 2023 15:29:33 -0400 Subject: [PATCH 4/5] Properly render mxc URLs. --- docs/usage/configuration/config_documentation.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/usage/configuration/config_documentation.md b/docs/usage/configuration/config_documentation.md index 5f5af22bc083..c30579e99b34 100644 --- a/docs/usage/configuration/config_documentation.md +++ b/docs/usage/configuration/config_documentation.md @@ -3029,7 +3029,7 @@ This setting has the following sub-options: offer the user a choice of login mechanisms. * `idp_icon`: An optional icon for this identity provider, which is presented by clients and Synapse's own IdP picker page. If given, must be an - MXC URI of the format mxc:///. (An easy way to + MXC URI of the format `mxc:///`. (An easy way to obtain such an MXC URI is to upload an image to an (unencrypted) room and then copy the "url" from the source of the event.) * `idp_brand`: An optional brand for this identity provider, allowing clients @@ -3186,7 +3186,7 @@ Options for each entry include: * `idp_icon`: An optional icon for this identity provider, which is presented by clients and Synapse's own IdP picker page. If given, must be an - MXC URI of the format mxc:///. (An easy way to + MXC URI of the format `mxc:///`. (An easy way to obtain such an MXC URI is to upload an image to an (unencrypted) room and then copy the "url" from the source of the event.) 
@@ -3405,7 +3405,7 @@ Has the following sub-options: offer the user a choice of login mechanisms. * `idp_icon`: An optional icon for this identity provider, which is presented by clients and Synapse's own IdP picker page. If given, must be an - MXC URI of the format mxc:///. (An easy way to + MXC URI of the format `mxc:///`. (An easy way to obtain such an MXC URI is to upload an image to an (unencrypted) room and then copy the "url" from the source of the event.) * `idp_brand`: An optional brand for this identity provider, allowing clients From 36f313a3267111035063c80d807790f40e256159 Mon Sep 17 00:00:00 2001 From: Patrick Cloke Date: Fri, 11 Aug 2023 15:32:34 -0400 Subject: [PATCH 5/5] Clarify changelog. --- changelog.d/16094.feature | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/changelog.d/16094.feature b/changelog.d/16094.feature index fc5d94e44592..3be71badb982 100644 --- a/changelog.d/16094.feature +++ b/changelog.d/16094.feature @@ -1 +1 @@ -SSO: Allow customizing the IdP display name and icon (and brand) for SAML and CAS, and not just OIDC. \ No newline at end of file +Allow customising the IdP display name, icon, and brand for SAML and CAS providers (in addition to OIDC provider).