
Complete the SAML2 implementation #5422

Merged
merged 15 commits into from Jul 2, 2019

Conversation

@richvdh (Member) commented Jun 10, 2019

This PR builds heavily on #5316, to fix #5130 by providing the 'client' part of the SAML flow by redirecting to the SAML identity provider.

galexrt and others added some commits Jun 2, 2019

SAML2 Improvements and redirect stuff
Signed-off-by: Alexander Trost <galexrt@googlemail.com>

Code cleanups and simplifications.
Also: share the saml client between redirect and response handlers.

Merge tag 'v1.0.0rc3' into rav/saml2_client
Synapse 1.0.0rc3 (2019-06-10)
=============================

Security: Fix authentication bug introduced in 1.0.0rc1. Please upgrade to rc3 immediately

@richvdh richvdh changed the base branch from master to develop Jun 10, 2019

@richvdh richvdh referenced this pull request Jun 10, 2019

Closed

SAML2 Improvements and redirect stuff #5316

2 of 6 tasks complete

@richvdh richvdh added this to In progress in Homeserver Task Board via automation Jun 13, 2019

@ineiti commented Jun 13, 2019

Can you give an example on how to activate sso in the configuration file?

@ara4n (Member) commented Jun 20, 2019

(ftr i'm aware of at least 4 parties who are anxious for this to merge :)

@galexrt (Contributor) commented Jun 20, 2019

@ineiti I'm currently writing up a blog post about how I got it to work with Keycloak at least. I'll keep you updated in this comment.

@ineiti commented Jun 20, 2019

@galexrt - I did my own SSO integration with CAS - I had to write the server-side anyway. It works fine with the web-interface.

Unfortunately the apps don't work, as our service provides a passwordless login, and it depends on the storageDB that is in the browser. And the apps use their own instance of the browser that doesn't have access to the storageDB :( I looked quickly into it, but it seemed more than half a day's work.

@galexrt (Contributor) commented Jun 21, 2019

Unfortunately the apps don't work [...]

@ineiti Are you talking about the Riot Web, Android and so on Apps?
The login through SSO worked fine for me with my original PR (haven't tried with this one yet, but it has the "same" changes in it), see #2257 (comment) for how it looks. It looked the same on my Android phone using the Riot Android app.

From the Matrix API spec it seems the apps need to implement the m.login.sso and then use the returned token for the m.login.token login, which is fine I guess:

If the homeserver advertises m.login.sso as a viable flow, and the client supports it, the client should redirect the user to the /redirect endpoint for Single Sign-On. After authentication is complete, the client will need to submit a /login request matching m.login.token.

@ineiti commented Jun 24, 2019

@galexrt

@ineiti Are you talking about the Riot Web, Android and so on Apps?

The Riot web app works fine! But the android and desktop app do not.

Most often, SSO services ask the user about a login-name and a password. This works fine with the current android and desktop app.

However, our SSO solution doesn't ask for a login-name and a password, but depends on a private key that is stored in the storageDB of the browser. And this is a problem, because the android and desktop app don't use the same browser as the user, and so the SSO page they show doesn't have access to the private key that is stored in the storageDB of the browser.

So the android and desktop app would have to call the default browser of the user, and then be redirected from there back to the app. Probably not impossible, but if somebody gives me some pointers, I'd be more than happy to give it a try.

Unfortunately matrix-react-sdk doesn't allow me to open an issue, but I guess that I would have to change the method here:

https://github.com/matrix-org/matrix-react-sdk/blob/3836a3e2e293e29b3d9635fcb9c530e21fcc79b2/src/components/structures/auth/Login.js#L544

@jryans (Member) commented Jun 24, 2019

Unfortunately matrix-react-sdk doesn't allow me to open an issue, but I guess that I would have to change the method here:

https://github.com/matrix-org/matrix-react-sdk/blob/3836a3e2e293e29b3d9635fcb9c530e21fcc79b2/src/components/structures/auth/Login.js#L544

React SDK issues are currently tracked in the Riot Web repo.

@csett86 commented Jun 24, 2019

@richvdh

Can I do anything to move this forward? Testing anything special?

@richvdh (Member, Author) commented Jun 24, 2019

a time machine would help :/

@csett86 commented Jun 24, 2019

Test results: This pull request worked fine with phpsimplesaml 1.17.2 and current riot-web and riot-ios.

Only problem I had: Initially synapse always complained that the authn response was unsolicited, although it had the correct InResponseTo ID set. So I had to allow unsolicited responses in the sp_config:

  service:
      sp:
          allow_unsolicited: True

@kyrisu commented Jun 25, 2019

Could anyone post a valid SAML response? I'm particularly interested in the AttributeStatement section.
I have:

<saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">some_unique_user_id_from_my_system</saml:AttributeValue>
</saml:Attribute>

but synapse is still complaining about uid not in SAML2 response.

Update:
Made it work by setting

sp_config:
    allow_unknown_attributes: true

but I'm open to a better solution.

@galexrt (Contributor) commented Jun 25, 2019

@kyrisu You need to use the attribute_map_dir param and create an attribute map to map the uid attribute to actually be the uid attribute.
Example:

MAP = {
    "identifier": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    "fro": {
        'uid': 'uid',
    },
    "to": {
        'uid': 'uid',
    }
}

I'll have the blog post with such details hopefully after the upcoming weekend.

@csett86 commented Jun 26, 2019

@kyrisu

What works for me is the following, the oid format:

     <saml:AttributeStatement>
       <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml:AttributeValue xsi:type="xs:string">eva</saml:AttributeValue>
       </saml:Attribute>
       <saml:Attribute Name="urn:oid:1.2.840.113549.1.9.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml:AttributeValue xsi:type="xs:string">eva@example.org</saml:AttributeValue>
       </saml:Attribute>
       <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml:AttributeValue xsi:type="xs:string">Eva</saml:AttributeValue>
       </saml:Attribute>
       <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
         <saml:AttributeValue xsi:type="xs:string">admin</saml:AttributeValue>
         <saml:AttributeValue xsi:type="xs:string">examle</saml:AttributeValue>
       </saml:Attribute>
     </saml:AttributeStatement>
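
The attribute mapping that kyrisu, galexrt and csett86 work through above, as an added example (not Synapse's or pysaml2's own code): a small extractor that applies a pysaml2-style attribute map per NameFormat to a constructed AttributeStatement, shows why a basic-format `uid` is dropped unless a map for that format exists (galexrt's `attribute_map_dir` fix) or unknown attributes are allowed (kyrisu's workaround), and why csett86's OID-format set needs neither. `extract_ava`, `require_uid`, the helper names and the OID subset in `URI_MAP` are assumptions; the two XML samples are constructed.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FMT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Maps in the shape galexrt shows for attribute_map_dir: one per NameFormat
# ("identifier"), with "fro" translating the IdP's attribute Name to the local
# name.  URI_MAP is a constructed subset of the usual OID-based map;
# BASIC_MAP is the extra map a basic-format "uid" needs.
URI_MAP = {
    "identifier": FMT_URI,
    "fro": {
        "urn:oid:0.9.2342.19200300.100.1.1": "uid",
        "urn:oid:1.2.840.113549.1.9.1": "mail",
        "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
        "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "eduPersonAffiliation",
    },
}
BASIC_MAP = {"identifier": FMT_BASIC, "fro": {"uid": "uid"}}


def extract_ava(statement_xml, maps, allow_unknown_attributes=False):
    """Return {local_name: [values]} from a saml:AttributeStatement.
    An attribute whose (NameFormat, Name) pair has no entry in the maps is
    dropped, unless allow_unknown_attributes is set, in which case it is kept
    under its raw Name (modelled on the sp_config flag kyrisu used)."""
    by_format = {m["identifier"]: m["fro"] for m in maps}
    ava = {}
    for attr in ET.fromstring(statement_xml).iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name")
        fmt = attr.get("NameFormat", FMT_UNSPECIFIED)
        local = by_format.get(fmt, {}).get(name)
        if local is None:
            if not allow_unknown_attributes:
                continue  # unknown attribute: silently dropped, hence "uid not in SAML2 response"
            local = name
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        ava.setdefault(local, []).extend(values)
    return ava


def require_uid(ava):
    """Same rule as the handler reviewed in this PR: no uid, no Matrix user to map to."""
    if "uid" not in ava:
        raise ValueError("uid not in SAML2 response")
    return ava["uid"][0]


def _statement(*attributes):
    # Helper for the constructed samples; xsi/xs must be declared for xsi:type to parse.
    ns = ('xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
          'xmlns:xs="http://www.w3.org/2001/XMLSchema"')
    return (f'<saml:AttributeStatement xmlns:saml="{SAML_NS}" {ns}>'
            + "".join(attributes) + "</saml:AttributeStatement>")


def _attr(name, fmt, *values):
    vals = "".join(f'<saml:AttributeValue xsi:type="xs:string">{v}</saml:AttributeValue>'
                   for v in values)
    return f'<saml:Attribute Name="{name}" NameFormat="{fmt}">{vals}</saml:Attribute>'


# Constructed samples: a basic-format uid like kyrisu's, and an OID-format set like csett86's.
BASIC_UID_XML = _statement(_attr("uid", FMT_BASIC, "some_unique_user_id"))
OID_XML = _statement(
    _attr("urn:oid:0.9.2342.19200300.100.1.1", FMT_URI, "eva"),
    _attr("urn:oid:1.2.840.113549.1.9.1", FMT_URI, "eva@example.org"),
    _attr("urn:oid:1.3.6.1.4.1.5923.1.1.1.1", FMT_URI, "admin", "example"),
)
```

With only `URI_MAP` loaded, `BASIC_UID_XML` yields no `uid` at all; adding `BASIC_MAP` or setting `allow_unknown_attributes` both make it appear, while `OID_XML` maps cleanly under `URI_MAP` alone.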

@codecov commented Jun 26, 2019

Codecov Report

Merging #5422 into develop will decrease coverage by 1.14%.
The diff coverage is 31.7%.

@@             Coverage Diff             @@
##           develop    #5422      +/-   ##
===========================================
- Coverage    63.19%   62.05%   -1.15%     
===========================================
  Files          328      326       -2     
  Lines        35925    35699     -226     
  Branches      5908     5856      -52     
===========================================
- Hits         22703    22153     -550     
- Misses       11596    11968     +372     
+ Partials      1626     1578      -48

@codecov commented Jun 26, 2019

Codecov Report

Merging #5422 into develop will increase coverage by 0.02%.
The diff coverage is 34.28%.

@@             Coverage Diff             @@
##           develop    #5422      +/-   ##
===========================================
+ Coverage    63.15%   63.17%   +0.02%     
===========================================
  Files          328      328              
  Lines        35901    35929      +28     
  Branches      5914     5916       +2     
===========================================
+ Hits         22672    22697      +25     
- Misses       11604    11607       +3     
  Partials      1625     1625

richvdh added some commits Jun 26, 2019

Add support for tracking SAML2 sessions.
This allows us to correctly handle `allow_unsolicited: False`.

@richvdh richvdh marked this pull request as ready for review Jun 26, 2019

@richvdh (Member, Author) commented Jun 26, 2019

Thanks to all of you for bearing with me, and for starting to test this: it has been very helpful.

I've now updated this PR so that it correctly tracks received login requests, so you shouldn't need to set allow_unsolicited unless you actually want to allow IdP-initiated requests.

I think this is now ready to ship.
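
The request tracking richvdh describes above (and the `allow_unsolicited` workaround csett86 needed before it), as an added illustration rather than the PR's own code: the SP remembers the IDs of the AuthnRequests it issued, together with the client redirect URL each belongs to, and accepts a Response only if its InResponseTo refers to a live request, so an unsolicited, forged, expired or replayed Response is rejected unless `allow_unsolicited` is on. `Saml2SessionTracker`, `build_response_xml` and the 15-minute lifetime are assumptions; the sample Response is constructed and carries no signature or assertion, which a real SP verifies separately.

```python
import secrets
import time
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


class Saml2SessionTracker:
    """Hypothetical SP-side tracker (not Synapse's code): holds the IDs of the
    AuthnRequests we issued and matches Responses against them by InResponseTo."""

    def __init__(self, allow_unsolicited=False, lifetime_seconds=900, now=time.time):
        self.allow_unsolicited = allow_unsolicited
        self.lifetime = lifetime_seconds  # assumed: 15 minutes to finish the IdP login
        self.now = now                    # injectable clock so expiry can be tested
        self._outstanding = {}            # request id -> (expires_at, client_redirect_url)

    def new_request(self, client_redirect_url):
        """Call when building the redirect to the IdP; returns the AuthnRequest ID."""
        reqid = "id-" + secrets.token_hex(16)  # XML IDs must not start with a digit
        self._outstanding[reqid] = (self.now() + self.lifetime, client_redirect_url)
        return reqid

    def _expire(self):
        now = self.now()
        stale = [r for r, (expires_at, _) in self._outstanding.items() if expires_at <= now]
        for r in stale:
            del self._outstanding[r]

    def outstanding(self):
        """IDs still waiting for a Response (expired ones are dropped first)."""
        self._expire()
        return dict(self._outstanding)

    def accept_response(self, response_xml):
        """Return the client redirect URL saved with the matching request.
        Raises ValueError for an unsolicited, unknown, expired or replayed
        Response, unless allow_unsolicited is set, in which case an unmatched
        Response is accepted with no redirect URL (None)."""
        self._expire()
        root = ET.fromstring(response_xml)
        if root.tag != f"{{{SAMLP_NS}}}Response":
            raise ValueError("not a samlp:Response")
        in_response_to = root.get("InResponseTo")
        # pop(): a request ID is consumed once, so replaying the same Response fails.
        entry = self._outstanding.pop(in_response_to, None) if in_response_to else None
        if entry is not None:
            return entry[1]
        if self.allow_unsolicited:
            return None  # IdP-initiated login: nothing of ours to correlate with
        raise ValueError(f"unsolicited SAML2 response (InResponseTo={in_response_to!r})")


def build_response_xml(in_response_to=None):
    """Constructed sample: the outer samlp:Response envelope only."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="id-resp1" Version="2.0"'
            f' IssueInstant="2019-06-26T12:00:00Z"{attr}>'
            '<samlp:Status><samlp:StatusCode'
            ' Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
            '</samlp:Response>')
```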

@richvdh richvdh requested a review from matrix-org/synapse-core Jun 26, 2019

@csett86 commented Jun 27, 2019

Retested with phpsimplesaml 1.17.2 and current riot-web 1.2.2, session handling works as expected. Thank you, @richvdh!

@menturion commented Jun 27, 2019

@csett86

It would be great if you could provide a blog post or a Gist of how to set up Matrix Synapse SAML with phpsimplesaml 1.17.2.

I think that this would be very helpful for many people.

@galexrt (Contributor) commented Jun 30, 2019

For people using Keycloak, I have published this blog post as a rough writeup of the steps: https://edenmal.moe/post/2019/Matrix-Synapse-SAML2-Login/

@erikjohnston (Member) left a comment

Looks good apart from some of the exceptions.

synapse/handlers/saml_handler.py

                outstanding=self._outstanding_requests_dict,
            )
        except Exception as e:
            logger.warning("Exception parsing SAML2 response", exc_info=1)

@erikjohnston (Member) Jul 1, 2019

Logging a stack trace as a warning seems a bit odd, since it won't go to sentry.

@richvdh (comment minimized, not shown)

            raise CodeMessageException(400, "SAML2 response was not signed")

        if "uid" not in saml2_auth.ava:
            raise CodeMessageException(400, "uid not in SAML2 response")

@erikjohnston (Member) Jul 1, 2019

Why CodeMessageException and not SynapseError? It looks like CodeMessageException will still log a stack trace for json requests?

@richvdh (Author, Member) Jul 1, 2019

no idea. some crank wrote this back in 2018. (#4267)

richvdh added some commits Jul 1, 2019

@richvdh richvdh requested a review from erikjohnston Jul 1, 2019

oldsmobile

@richvdh richvdh merged commit 6eecb6e into develop Jul 2, 2019

19 checks passed

buildkite/synapse Build #2490 passed (22 minutes, 24 seconds)
buildkite/synapse/check-sample-config Passed (1 minute, 42 seconds)
buildkite/synapse/check-style Passed (1 minute, 39 seconds)
buildkite/synapse/isort Passed (15 seconds)
buildkite/synapse/newspaper-newsfile Passed (44 seconds)
buildkite/synapse/packaging Passed (16 seconds)
buildkite/synapse/pipeline Passed (2 seconds)
buildkite/synapse/python-3-dot-5-slash-postgres-9-dot-5 Passed (19 minutes, 48 seconds)
buildkite/synapse/python-3-dot-5-slash-sqlite Passed (5 minutes, 38 seconds)
buildkite/synapse/python-3-dot-5-slash-sqlite-slash-old-deps Passed (7 minutes, 21 seconds)
buildkite/synapse/python-3-dot-6-slash-sqlite Passed (5 minutes, 25 seconds)
buildkite/synapse/python-3-dot-7-slash-postgres-11 Passed (17 minutes, 51 seconds)
buildkite/synapse/python-3-dot-7-slash-postgres-9-dot-5 Passed (18 minutes, 15 seconds)
buildkite/synapse/python-3-dot-7-slash-sqlite Passed (6 minutes, 2 seconds)
buildkite/synapse/sytest-python-3-dot-5-slash-postgres-9-dot-6-slash-monolith Passed (9 minutes, 8 seconds)
buildkite/synapse/sytest-python-3-dot-5-slash-postgres-9-dot-6-slash-workers Soft failed (exit status 1)
buildkite/synapse/sytest-python-3-dot-5-slash-sqlite-slash-monolith Passed (7 minutes, 43 seconds)
codecov/patch 34.28% of diff hit (target 0%)
codecov/project 63.17% (target 0%)

Homeserver Task Board automation moved this from In progress to Done Jul 2, 2019

@menturion commented Jul 2, 2019

How can one update to a Release Candidate (e.g. Synapse 1.1.0rc1 -> SAML support) through pip?
"pip install -U matrix-synapse" prompts "Requirement already satisfied, skipping upgrade".
Is it possible to select a certain channel?

@richvdh (Member, Author) commented Jul 2, 2019

@menturion: pip install --pre -U matrix-synapse, I believe. Beware that there are a couple of regressions in rc1 though. I suggest waiting for rc2.

@menturion commented Jul 2, 2019

@richvdh

Many thanks(!), this worked.

@volvicoasis commented Jul 3, 2019

For people using Keycloak, I have published this blog post as a rough writeup of the steps: https://edenmal.moe/post/2019/Matrix-Synapse-SAML2-Login/

Hey, thanks for your dev work on synapse. I just finished implementing it with your blog post, but I'm still facing this:
saml2.client_base - 720 - ERROR - POST-180 - XML parse error: Failed to verify signature

or with riot:
Unable to parse SAML2 response: Failed to verify signature

Just a question: how do you extract the PEM from your Keycloak?

@galexrt (Contributor) commented Jul 3, 2019

@volvicoasis Please use the comment section of the blog post instead of the PR for such questions. Thanks!

I have gone ahead and updated the post with instructions on how to extract the key and cert from the Keycloak Client, and fixed some issues around the Encrypt Assertions option configuration.

hawkowl added a commit that referenced this pull request Jul 5, 2019

Merge tag 'v1.1.0' into shhs
Synapse 1.1.0 (2019-07-04)
==========================

As of v1.1.0, Synapse no longer supports Python 2, nor Postgres version 9.4.
See the [upgrade notes](UPGRADE.rst#upgrading-to-v110) for more details.

This release also deprecates the use of environment variables to configure the
docker image. See the [docker README](https://github.com/matrix-org/synapse/blob/release-v1.1.0/docker/README.md#legacy-dynamic-configuration-file-support)
for more details.

No changes since 1.1.0rc2.

Synapse 1.1.0rc2 (2019-07-03)
=============================

Bugfixes
--------

- Fix regression in 1.1rc1 where OPTIONS requests to the media repo would fail. ([\#5593](#5593))
- Removed the `SYNAPSE_SMTP_*` docker container environment variables. Using these environment variables prevented the docker container from starting in Synapse v1.0, even though they didn't actually allow any functionality anyway. ([\#5596](#5596))
- Fix a number of "Starting txn from sentinel context" warnings. ([\#5605](#5605))

Internal Changes
----------------

- Update github templates. ([\#5552](#5552))

Synapse 1.1.0rc1 (2019-07-02)
=============================

As of v1.1.0, Synapse no longer supports Python 2, nor Postgres version 9.4.
See the [upgrade notes](UPGRADE.rst#upgrading-to-v110) for more details.

Features
--------

- Added possibility to disable local password authentication. Contributed by Daniel Hoffend. ([\#5092](#5092))
- Add monthly active users to phonehome stats. ([\#5252](#5252))
- Allow expired user to trigger renewal email sending manually. ([\#5363](#5363))
- Statistics on forward extremities per room are now exposed via Prometheus. ([\#5384](#5384), [\#5458](#5458), [\#5461](#5461))
- Add --no-daemonize option to run synapse in the foreground, per issue #4130. Contributed by Soham Gumaste. ([\#5412](#5412), [\#5587](#5587))
- Fully support SAML2 authentication. Contributed by [Alexander Trost](https://github.com/galexrt) - thank you! ([\#5422](#5422))
- Allow server admins to define implementations of extra rules for allowing or denying incoming events. ([\#5440](#5440), [\#5474](#5474), [\#5477](#5477))
- Add support for handling pagination APIs on client reader worker. ([\#5505](#5505), [\#5513](#5513), [\#5531](#5531))
- Improve help and cmdline option names for --generate-config options. ([\#5512](#5512))
- Allow configuration of the path used for ACME account keys. ([\#5516](#5516), [\#5521](#5521), [\#5522](#5522))
- Add --data-dir and --open-private-ports options. ([\#5524](#5524))
- Split public rooms directory auth config in two settings, in order to manage client auth independently from the federation part of it. Obsoletes the "restrict_public_rooms_to_local_users" configuration setting. If "restrict_public_rooms_to_local_users" is set in the config, Synapse will act as if both new options are enabled, i.e. require authentication through the client API and deny federation requests. ([\#5534](#5534))
- The minimum TLS version used for outgoing federation requests can now be set with `federation_client_minimum_tls_version`. ([\#5550](#5550))
- Optimise devices changed query to not pull unnecessary rows from the database, reducing database load. ([\#5559](#5559))
- Add new metrics for number of forward extremities being persisted and number of state groups involved in resolution. ([\#5476](#5476))

Bugfixes
--------

- Fix bug processing incoming events over federation if call to `/get_missing_events` fails. ([\#5042](#5042))
- Prevent more than one room upgrade happening simultaneously on the same room. ([\#5051](#5051))
- Fix a bug where running synapse_port_db would cause the account validity feature to fail because it didn't set the type of the email_sent column to boolean. ([\#5325](#5325))
- Warn about disabling email-based password resets when a reset occurs, and remove warning when someone attempts a phone-based reset. ([\#5387](#5387))
- Fix email notifications for unnamed rooms with multiple people. ([\#5388](#5388))
- Fix exceptions in federation reader worker caused by attempting to renew attestations, which should only happen on master worker. ([\#5389](#5389))
- Fix handling of failures fetching remote content to not log failures as exceptions. ([\#5390](#5390))
- Fix a bug where deactivated users could receive renewal emails if the account validity feature is on. ([\#5394](#5394))
- Fix missing invite state after exchanging 3PID invites over federation. ([\#5464](#5464))
- Fix intermittent exceptions on Apple hardware. Also fix bug that caused database activity times to be under-reported in log lines. ([\#5498](#5498))
- Fix logging error when a tampered event is detected. ([\#5500](#5500))
- Fix bug where clients could tight loop calling `/sync` for a period. ([\#5507](#5507))
- Fix bug with `jinja2` preventing Synapse from starting. Users who had this problem should now simply need to run `pip install matrix-synapse`. ([\#5514](#5514))
- Fix a regression where homeservers on private IP addresses were incorrectly blacklisted. ([\#5523](#5523))
- Fixed m.login.jwt using unregistered user_id and added pyjwt>=1.6.4 as jwt conditional dependencies. Contributed by Pau Rodriguez-Estivill. ([\#5555](#5555), [\#5586](#5586))
- Fix a bug that would cause invited users to receive several emails for a single 3PID invite in case the inviter is rate limited. ([\#5576](#5576))

Updates to the Docker image
---------------------------
- Add ability to change Docker containers [timezone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) with the `TZ` variable. ([\#5383](#5383))
- Update docker image to use Python 3.7. ([\#5546](#5546))
- Deprecate the use of environment variables for configuration, and make the use of a static configuration the default. ([\#5561](#5561), [\#5562](#5562), [\#5566](#5566), [\#5567](#5567))
- Increase default log level for docker image to INFO. It can still be changed by editing the generated log.config file. ([\#5547](#5547))
- Send synapse logs to the docker logging system, by default. ([\#5565](#5565))
- Open the non-TLS port by default. ([\#5568](#5568))
- Fix failure to start under docker with SAML support enabled. ([\#5490](#5490))
- Use a sensible location for data files when generating a config file. ([\#5563](#5563))

Deprecations and Removals
-------------------------

- Python 2.7 is no longer a supported platform. Synapse now requires Python 3.5+ to run. ([\#5425](#5425))
- PostgreSQL 9.4 is no longer supported. Synapse requires Postgres 9.5+ or above for Postgres support. ([\#5448](#5448))
- Remove support for cpu_affinity setting. ([\#5525](#5525))

Improved Documentation
----------------------
- Improve README section on performance troubleshooting. ([\#4276](#4276))
- Add information about how to install and run `black` on the codebase to code_style.rst. ([\#5537](#5537))
- Improve install docs on choosing server_name. ([\#5558](#5558))

Internal Changes
----------------

- Add logging to 3pid invite signature verification. ([\#5015](#5015))
- Update example haproxy config to a more compatible setup. ([\#5313](#5313))
- Track deactivated accounts in the database. ([\#5378](#5378), [\#5465](#5465), [\#5493](#5493))
- Clean up code for sending federation EDUs. ([\#5381](#5381))
- Add a sponsor button to the repo. ([\#5382](#5382), [\#5386](#5386))
- Don't log non-200 responses from federation queries as exceptions. ([\#5383](#5383))
- Update Python syntax in contrib/ to Python 3. ([\#5446](#5446))
- Update federation_client dev script to support `.well-known` and work with python3. ([\#5447](#5447))
- SyTest has been moved to Buildkite. ([\#5459](#5459))
- Demo script now uses python3. ([\#5460](#5460))
- Synapse can now handle RestServlets that return coroutines. ([\#5475](#5475), [\#5585](#5585))
- The demo servers talk to each other again. ([\#5478](#5478))
- Add an EXPERIMENTAL config option to try and periodically clean up extremities by sending dummy events. ([\#5480](#5480))
- Synapse's codebase is now formatted by `black`. ([\#5482](#5482))
- Some cleanups and sanity-checking in the CPU and database metrics. ([\#5499](#5499))
- Improve email notification logging. ([\#5502](#5502))
- Fix "Unexpected entry in 'full_schemas'" log warning. ([\#5509](#5509))
- Improve logging when generating config files. ([\#5510](#5510))
- Refactor and clean up Config parser for maintainability. ([\#5511](#5511))
- Make the config clearer in that email.template_dir is relative to the Synapse's root directory, not the `synapse/` folder within it. ([\#5543](#5543))
- Update v1.0.0 release changelog to include more information about changes to password resets. ([\#5545](#5545))
- Remove non-functioning check_event_hash.py dev script. ([\#5548](#5548))
- Synapse will now only allow TLS v1.2 connections when serving federation, if it terminates TLS. As Synapse's allowed ciphers were only able to be used in TLSv1.2 before, this does not change behaviour. ([\#5550](#5550))
- Logging when running GC collection on generation 0 is now at the DEBUG level, not INFO. ([\#5557](#5557))
- Reduce the amount of stuff we send in the docker context. ([\#5564](#5564))
- Point the reverse links in the Purge History contrib scripts at the intended location. ([\#5570](#5570))

@richvdh richvdh deleted the rav/saml2_client branch Jul 8, 2019

@volvicoasis commented Jul 11, 2019

@galexrt Thank you for your update. Just to share my research with the synapse community: you must use alpine3.9 when you build synapse in a container.
=> my test below:
I used debug mode on sp_config, extracted the SAML response and checked it with the xmlsec1 binary, and it fails...
Here you can see this bug on alpine: https://bugs.alpinelinux.org/issues/9110

```
bash-4.4# xmlsec1 --verify --id-attr:ID "urn:oasis:names:tc:SAML:2.0:protocol:Response" test.xml
func=xmlSecCryptoDLLibraryCreate:file=dl.c:line=130:obj=unknown:subj=lt_dlopenext:error=7:io function failed:name="libxmlsec1-openssl"; errno=2
func=xmlSecCryptoDLGetLibraryFunctions:file=dl.c:line=436:obj=unknown:subj=xmlSecCryptoDLLibraryCreate:error=1:xmlsec library function failed:crypto=openssl
func=xmlSecCryptoDLLoadLibrary:file=dl.c:line=393:obj=unknown:subj=xmlSecCryptoDLGetLibraryFunctions:error=1:xmlsec library function failed:
Error: unable to load xmlsec-openssl library. Make sure that you have
this it installed, check shared libraries path (LD_LIBRARY_PATH)
envornment variable or use "--crypto" option to specify different
crypto engine.
Error: initialization failed
Usage: xmlsec [] []

xmlsec is a command line tool for signing, verifying, encrypting and
decrypting XML documents. The allowed values are:
--help display this help information and exit
--help-all display help information for all commands/options and exit
--help- display help information for command and exit
--version print version information and exit
--keys keys XML file manipulation
--sign sign data and output XML document
--verify verify signed document
--sign-tmpl create and sign dynamicaly generated signature template
--encrypt encrypt data and output XML document
--decrypt decrypt data from XML document

Report bugs to http://www.aleksey.com/xmlsec/bugs.html

Written by Aleksey Sanin aleksey@aleksey.com.

Copyright (C) 2002-2016 Aleksey Sanin aleksey@aleksey.com. All Rights Reserved..
This is free software: see the source for copying information.

func=xmlSecCryptoShutdown:file=app.c:line=65:obj=unknown:subj=unknown:error=9:feature is not implemented:details=cryptoShutdown
Error: xmlSecCryptoShutdown failed
Error: xmlsec crypto shutdown failed.
```

Voila, again thank you.

@menturion commented Jul 12, 2019

Is there a documentation of how to configure it inline?
I am getting a bunch of errors on homeserver startup when trying to configure a remote SP URL inline.

@eorlovsky commented Jul 17, 2019

For people using Keycloak, I have published this blog post as a rough writeup of the steps: https://edenmal.moe/post/2019/Matrix-Synapse-SAML2-Login/

@galexrt Hi Alex, the link below is down. Could you please republish it? Thanks

@galexrt (Contributor) commented Jul 17, 2019

@eorlovsky Fixed. It is back online again.
