This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Remove deprecated SAML2 callback URL since it does not work. #9434

Merged: 3 commits, Feb 18, 2021
23 changes: 12 additions & 11 deletions UPGRADE.rst
@@ -88,20 +88,21 @@ for example:
Upgrading to v1.27.0
====================

Changes to callback URI for OAuth2 / OpenID Connect
---------------------------------------------------
Changes to callback URI for OAuth2 / OpenID Connect and SAML2
-------------------------------------------------------------

This version changes the URI used for callbacks from OAuth2 identity providers. If
your server is configured for single sign-on via an OpenID Connect or OAuth2 identity
provider, you will need to add ``[synapse public baseurl]/_synapse/client/oidc/callback``
to the list of permitted "redirect URIs" at the identity provider.
This version changes the URI used for callbacks from OAuth2 and SAML2 identity providers:

See `docs/openid.md <docs/openid.md>`_ for more information on setting up OpenID
Connect.
* If your server is configured for single sign-on via an OpenID Connect or OAuth2 identity
provider, you will need to add ``[synapse public baseurl]/_synapse/client/oidc/callback``
to the list of permitted "redirect URIs" at the identity provider.

(Note: a similar change is being made for SAML2; in this case the old URI
``[synapse public baseurl]/_matrix/saml2`` is being deprecated, but will continue to
work, so no immediate changes are required for existing installations.)
See `docs/openid.md <docs/openid.md>`_ for more information on setting up OpenID
Connect.

* If your server is configured for single sign-on via a SAML2 identity provider, you will
need to add ``[synapse public baseurl]/_synapse/client/saml2/authn_response`` as a permitted
"ACS location" (also known as "allowed callback URLs") at the identity provider.
Member:

are they known as "callback URLs" on any real SAML2 provider? I'm not sure that's a SAML2 term.

Member:

XML: why call it something obvious when you can call it an "Assertion Consumer Service"

Contributor Author:

Auth0 calls them that:

(image)

Member:

fair enough!


Changes to HTML templates
-------------------------
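Review bot: the new SAML2 bullet ("If your server is configured for single sign-on via a SAML2 identity provider, you will need to add ... as a permitted "ACS location"") drops the old note that ``[synapse public baseurl]/_matrix/saml2`` "will continue to work", but never says that the old ACS location is being removed in this version. Because the companion change in synapse/rest/synapse/client/__init__.py unmounts ``/_matrix/saml2``, an installation whose IdP still posts assertions to the old path will have SAML logins fail after the upgrade with nothing in this document warning them. State it explicitly, for example by appending to that bullet: ``The old ACS location ``[synapse public baseurl]/_matrix/saml2`` is no longer served by this version; update the IdP configuration when upgrading.`` The wording "(also known as "allowed callback URLs")" was discussed in the thread and is acceptable since at least one provider (Auth0) uses that term.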
6 changes: 1 addition & 5 deletions synapse/rest/synapse/client/__init__.py
@@ -54,11 +54,7 @@ def build_synapse_client_resource_tree(hs: "HomeServer") -> Mapping[str, Resourc
if hs.config.saml2_enabled:
from synapse.rest.synapse.client.saml2 import SAML2Resource

res = SAML2Resource(hs)
resources["/_synapse/client/saml2"] = res

# This is also mounted under '/_matrix' for backwards-compatibility.
resources["/_matrix/saml2"] = res
resources["/_synapse/client/saml2"] = SAML2Resource(hs)

return resources

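Review bot: dropping the ``resources["/_matrix/saml2"] = res`` mount removes a path the deleted comment documented as kept "for backwards-compatibility", yet neither this hunk nor the PR title ("since it does not work") records why the old path did not work. Put that reason in the commit message or changelog so that an admin who still has ``/_matrix/saml2`` registered at their IdP can tell this was deliberate rather than a regression, and consider leaving a minimal resource at the old path that points at ``/_synapse/client/saml2`` instead of an unmatched route, since a SAML IdP will keep posting assertions there until its configuration is changed. Collapsing the two assignments into ``resources["/_synapse/client/saml2"] = SAML2Resource(hs)`` is fine now that ``res`` has no second use.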