Merge pull request #6064 from matrix-org/rav/saml_config_cleanup

Make the sample saml config closer to our standards

Merge pull request #6064 from matrix-org/rav/saml_config_cleanup
78e8ec36 · Richard van der Hoff · GitHub · e08ea434 · b789c7eb · 78e8ec36
Unverified Commit 78e8ec36 authored 5 years ago by Richard van der Hoff Committed by GitHub 5 years ago
--- a/changelog.d/6064.misc
+++ b/changelog.d/6064.misc
+Clean up the sample config for SAML authentication.
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -1104,12 +1104,13 @@ signing_key_path: "CONFDIR/SERVERNAME.signing.key"
 # Enable SAML2 for registration and login. Uses pysaml2.
 #
-# `sp_config` is the configuration for the pysaml2 Service Provider.
+# At least one of `sp_config` or `config_path` must be set in this section to
-# See pysaml2 docs for format of config.
+# enable SAML login.
 #
-# Default values will be used for the 'entityid' and 'service' settings,
+# (You will probably also want to set the following options to `false` to
-# so it is not normally necessary to specify them unless you need to
+# disable the regular login/registration flows:
-# override them.
+#   * enable_registration
+#   * password_config.enabled
 #
 # Once SAML support is enabled, a metadata file will be exposed at
 # https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to
@@ -1117,52 +1118,59 @@ signing_key_path: "CONFDIR/SERVERNAME.signing.key"
 # the IdP to use an ACS location of
 # https://<server>:<port>/_matrix/saml2/authn_response.
 #
-#saml2_config:
+saml2_config:
-#  sp_config:
+  # `sp_config` is the configuration for the pysaml2 Service Provider.
-#    # point this to the IdP's metadata. You can use either a local file or
+  # See pysaml2 docs for format of config.
-#    # (preferably) a URL.
+  #
-#    metadata:
+  # Default values will be used for the 'entityid' and 'service' settings,
-#      #local: ["saml2/idp.xml"]
+  # so it is not normally necessary to specify them unless you need to
-#      remote:
+  # override them.
-#        - url: https://our_idp/metadata.xml
+  #
-#
+  #sp_config:
-#    # By default, the user has to go to our login page first. If you'd like to
+  #  # point this to the IdP's metadata. You can use either a local file or
-#    # allow IdP-initiated login, set 'allow_unsolicited: True' in a
+  #  # (preferably) a URL.
-#    # 'service.sp' section:
+  #  metadata:
-#    #
+  #    #local: ["saml2/idp.xml"]
-#    #service:
+  #    remote:
-#    #  sp:
+  #      - url: https://our_idp/metadata.xml
-#    #    allow_unsolicited: True
+  #
-#
+  #    # By default, the user has to go to our login page first. If you'd like
-#    # The examples below are just used to generate our metadata xml, and you
+  #    # to allow IdP-initiated login, set 'allow_unsolicited: True' in a
-#    # may well not need it, depending on your setup. Alternatively you
+  #    # 'service.sp' section:
-#    # may need a whole lot more detail - see the pysaml2 docs!
+  #    #
-#
+  #    #service:
-#    description: ["My awesome SP", "en"]
+  #    #  sp:
-#    name: ["Test SP", "en"]
+  #    #    allow_unsolicited: true
-#
+  #
-#    organization:
+  #    # The examples below are just used to generate our metadata xml, and you
-#      name: Example com
+  #    # may well not need them, depending on your setup. Alternatively you
-#      display_name:
+  #    # may need a whole lot more detail - see the pysaml2 docs!
-#        - ["Example co", "en"]
+  #
-#      url: "http://example.com"
+  #    description: ["My awesome SP", "en"]
-#
+  #    name: ["Test SP", "en"]
-#    contact_person:
+  #
-#      - given_name: Bob
+  #    organization:
-#        sur_name: "the Sysadmin"
+  #      name: Example com
-#        email_address": ["admin@example.com"]
+  #      display_name:
-#        contact_type": technical
+  #        - ["Example co", "en"]
-#
+  #      url: "http://example.com"
-#  # Instead of putting the config inline as above, you can specify a
+  #
-#  # separate pysaml2 configuration file:
+  #    contact_person:
-#  #
+  #      - given_name: Bob
-#  config_path: "CONFDIR/sp_conf.py"
+  #        sur_name: "the Sysadmin"
-#
+  #        email_address": ["admin@example.com"]
-#  # the lifetime of a SAML session. This defines how long a user has to
+  #        contact_type": technical
-#  # complete the authentication process, if allow_unsolicited is unset.
-#  # The default is 5 minutes.
+  # Instead of putting the config inline as above, you can specify a
-#  #
+  # separate pysaml2 configuration file:
-#  # saml_session_lifetime: 5m
+  #
+  #config_path: "CONFDIR/sp_conf.py"
+  # the lifetime of a SAML session. This defines how long a user has to
+  # complete the authentication process, if allow_unsolicited is unset.
+  # The default is 5 minutes.
+  #
+  #saml_session_lifetime: 5m

--- a/synapse/config/saml2_config.py
+++ b/synapse/config/saml2_config.py
@@ -26,6 +26,9 @@ class SAML2Config(Config):
        if not saml2_config or not saml2_config.get("enabled", True):
            return
+        if not saml2_config.get("sp_config") and not saml2_config.get("config_path"):
+            return
        try:
            check_requirements("saml2")
        except DependencyException as e:
@@ -76,12 +79,13 @@ class SAML2Config(Config):
        return """\
        # Enable SAML2 for registration and login. Uses pysaml2.
        #
-        # `sp_config` is the configuration for the pysaml2 Service Provider.
+        # At least one of `sp_config` or `config_path` must be set in this section to
-        # See pysaml2 docs for format of config.
+        # enable SAML login.
        #
-        # Default values will be used for the 'entityid' and 'service' settings,
+        # (You will probably also want to set the following options to `false` to
-        # so it is not normally necessary to specify them unless you need to
+        # disable the regular login/registration flows:
-        # override them.
+        #   * enable_registration
+        #   * password_config.enabled
        #
        # Once SAML support is enabled, a metadata file will be exposed at
        # https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to
@@ -89,52 +93,59 @@ class SAML2Config(Config):
        # the IdP to use an ACS location of
        # https://<server>:<port>/_matrix/saml2/authn_response.
        #
-        #saml2_config:
+        saml2_config:
-        #  sp_config:
+          # `sp_config` is the configuration for the pysaml2 Service Provider.
-        #    # point this to the IdP's metadata. You can use either a local file or
+          # See pysaml2 docs for format of config.
-        #    # (preferably) a URL.
+          #
-        #    metadata:
+          # Default values will be used for the 'entityid' and 'service' settings,
-        #      #local: ["saml2/idp.xml"]
+          # so it is not normally necessary to specify them unless you need to
-        #      remote:
+          # override them.
-        #        - url: https://our_idp/metadata.xml
+          #
-        #
+          #sp_config:
-        #    # By default, the user has to go to our login page first. If you'd like to
+          #  # point this to the IdP's metadata. You can use either a local file or
-        #    # allow IdP-initiated login, set 'allow_unsolicited: True' in a
+          #  # (preferably) a URL.
-        #    # 'service.sp' section:
+          #  metadata:
-        #    #
+          #    #local: ["saml2/idp.xml"]
-        #    #service:
+          #    remote:
-        #    #  sp:
+          #      - url: https://our_idp/metadata.xml
-        #    #    allow_unsolicited: True
+          #
-        #
+          #    # By default, the user has to go to our login page first. If you'd like
-        #    # The examples below are just used to generate our metadata xml, and you
+          #    # to allow IdP-initiated login, set 'allow_unsolicited: True' in a
-        #    # may well not need it, depending on your setup. Alternatively you
+          #    # 'service.sp' section:
-        #    # may need a whole lot more detail - see the pysaml2 docs!
+          #    #
-        #
+          #    #service:
-        #    description: ["My awesome SP", "en"]
+          #    #  sp:
-        #    name: ["Test SP", "en"]
+          #    #    allow_unsolicited: true
-        #
+          #
-        #    organization:
+          #    # The examples below are just used to generate our metadata xml, and you
-        #      name: Example com
+          #    # may well not need them, depending on your setup. Alternatively you
-        #      display_name:
+          #    # may need a whole lot more detail - see the pysaml2 docs!
-        #        - ["Example co", "en"]
+          #
-        #      url: "http://example.com"
+          #    description: ["My awesome SP", "en"]
-        #
+          #    name: ["Test SP", "en"]
-        #    contact_person:
+          #
-        #      - given_name: Bob
+          #    organization:
-        #        sur_name: "the Sysadmin"
+          #      name: Example com
-        #        email_address": ["admin@example.com"]
+          #      display_name:
-        #        contact_type": technical
+          #        - ["Example co", "en"]
-        #
+          #      url: "http://example.com"
-        #  # Instead of putting the config inline as above, you can specify a
+          #
-        #  # separate pysaml2 configuration file:
+          #    contact_person:
-        #  #
+          #      - given_name: Bob
-        #  config_path: "%(config_dir_path)s/sp_conf.py"
+          #        sur_name: "the Sysadmin"
-        #
+          #        email_address": ["admin@example.com"]
-        #  # the lifetime of a SAML session. This defines how long a user has to
+          #        contact_type": technical
-        #  # complete the authentication process, if allow_unsolicited is unset.
-        #  # The default is 5 minutes.
+          # Instead of putting the config inline as above, you can specify a
-        #  #
+          # separate pysaml2 configuration file:
-        #  # saml_session_lifetime: 5m
+          #
+          #config_path: "%(config_dir_path)s/sp_conf.py"
+          # the lifetime of a SAML session. This defines how long a user has to
+          # complete the authentication process, if allow_unsolicited is unset.
+          # The default is 5 minutes.
+          #
+          #saml_session_lifetime: 5m
        """ % {
            "config_dir_path": config_dir_path
        }