This commit is contained in:
clokep 2022-10-31 17:08:23 +00:00
parent ff6d08fe71
commit 17eb445323
5 changed files with 42 additions and 2 deletions

View file

@ -188,6 +188,10 @@ maintainer.</p>
setting in your configuration file. setting in your configuration file.
See the <a href="usage/configuration/config_documentation.html#oidc_providers">configuration manual</a> for some sample settings, as well as See the <a href="usage/configuration/config_documentation.html#oidc_providers">configuration manual</a> for some sample settings, as well as
the text below for example configurations for specific providers.</p> the text below for example configurations for specific providers.</p>
<h2 id="oidc-back-channel-logout"><a class="header" href="#oidc-back-channel-logout">OIDC Back-Channel Logout</a></h2>
<p>Synapse supports receiving <a href="https://openid.net/specs/openid-connect-backchannel-1_0.html">OpenID Connect Back-Channel Logout</a> notifications.</p>
<p>This lets the OpenID Connect Provider notify Synapse when a user logs out, so that Synapse can end that user session.
This feature can be enabled by setting the <code>backchannel_logout_enabled</code> property to <code>true</code> in the provider configuration, and setting the following URL as destination for Back-Channel Logout notifications in your OpenID Connect Provider: <code>[synapse public baseurl]/_synapse/client/oidc/backchannel_logout</code></p>
<h2 id="sample-configs"><a class="header" href="#sample-configs">Sample configs</a></h2> <h2 id="sample-configs"><a class="header" href="#sample-configs">Sample configs</a></h2>
<p>Here are a few configs for providers that should work with Synapse.</p> <p>Here are a few configs for providers that should work with Synapse.</p>
<h3 id="microsoft-azure-active-directory"><a class="header" href="#microsoft-azure-active-directory">Microsoft Azure Active Directory</a></h3> <h3 id="microsoft-azure-active-directory"><a class="header" href="#microsoft-azure-active-directory">Microsoft Azure Active Directory</a></h3>
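Review bot: the new paragraph under the "OIDC Back-Channel Logout" heading reads "setting the following URL as destination for Back-Channel Logout notifications" and ends on the `<code>` URL with no closing full stop; suggest "as the destination" and a period after the `</code>`. It would also help to say that this URL, being built from the public baseurl, has to be reachable by the OpenID Connect Provider itself, since the linked spec defines these as server-to-server notifications rather than browser redirects, so a Synapse that is only reachable through a client-facing reverse proxy needs that path exposed to the provider.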
@ -245,6 +249,8 @@ to install Dex.</p>
</code></pre> </code></pre>
<h3 id="keycloak"><a class="header" href="#keycloak">Keycloak</a></h3> <h3 id="keycloak"><a class="header" href="#keycloak">Keycloak</a></h3>
<p><a href="https://www.keycloak.org/docs/latest/server_admin/#sso-protocols">Keycloak</a> is an opensource IdP maintained by Red Hat.</p> <p><a href="https://www.keycloak.org/docs/latest/server_admin/#sso-protocols">Keycloak</a> is an opensource IdP maintained by Red Hat.</p>
<p>Keycloak supports OIDC Back-Channel Logout, which sends logout notification to Synapse, so that Synapse users get logged out when they log out from Keycloak.
This can be optionally enabled by setting <code>backchannel_logout_enabled</code> to <code>true</code> in the Synapse configuration, and by setting the &quot;Backchannel Logout URL&quot; in Keycloak.</p>
<p>Follow the <a href="https://www.keycloak.org/getting-started">Getting Started Guide</a> to install Keycloak and set up a realm.</p> <p>Follow the <a href="https://www.keycloak.org/getting-started">Getting Started Guide</a> to install Keycloak and set up a realm.</p>
<ol> <ol>
<li> <li>
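Review bot: grammar in the new Keycloak paragraph: "sends logout notification to Synapse" should be "sends logout notifications to Synapse", and "This can be optionally enabled" reads better as "This can optionally be enabled". The sentence also tells the reader to set the "Backchannel Logout URL" in Keycloak without saying to what value; a pointer to the client-settings table below, which lists `[synapse public baseurl]/_synapse/client/oidc/backchannel_logout`, would save guessing.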
@ -268,6 +274,8 @@ to install Dex.</p>
<tr><td>Client Protocol</td><td><code>openid-connect</code></td></tr> <tr><td>Client Protocol</td><td><code>openid-connect</code></td></tr>
<tr><td>Access Type</td><td><code>confidential</code></td></tr> <tr><td>Access Type</td><td><code>confidential</code></td></tr>
<tr><td>Valid Redirect URIs</td><td><code>[synapse public baseurl]/_synapse/client/oidc/callback</code></td></tr> <tr><td>Valid Redirect URIs</td><td><code>[synapse public baseurl]/_synapse/client/oidc/callback</code></td></tr>
<tr><td>Backchannel Logout URL (optional)</td><td> <code>[synapse public baseurl]/_synapse/client/oidc/backchannel_logout</code></td></tr>
<tr><td>Backchannel Logout Session Required (optional)</td><td> <code>On</code></td></tr>
</tbody></table> </tbody></table>
<ol start="5"> <ol start="5">
<li>Click <code>Save</code></li> <li>Click <code>Save</code></li>
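Review bot: the two added table rows use `<td> <code>` with a stray space before `<code>`, unlike the surrounding rows that use `<td><code>`; worth matching for consistency. The "Backchannel Logout Session Required (optional)" row gives the value `On` but nothing explains what that setting changes or why `On` is recommended together with the URL; a one-line explanation of which claim it adds to the logout token, and what happens if it is left off, would let readers make an informed choice rather than copy the value.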
@ -291,6 +299,7 @@ to install Dex.</p>
config: config:
localpart_template: &quot;{{ user.preferred_username }}&quot; localpart_template: &quot;{{ user.preferred_username }}&quot;
display_name_template: &quot;{{ user.name }}&quot; display_name_template: &quot;{{ user.name }}&quot;
backchannel_logout_enabled: true # Optional
</code></pre> </code></pre>
<h3 id="auth0"><a class="header" href="#auth0">Auth0</a></h3> <h3 id="auth0"><a class="header" href="#auth0">Auth0</a></h3>
<p><a href="https://auth0.com/">Auth0</a> is a hosted SaaS IdP solution.</p> <p><a href="https://auth0.com/">Auth0</a> is a hosted SaaS IdP solution.</p>
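Review bot: the `# Optional` comment on the new `backchannel_logout_enabled: true` line in the sample YAML does not say what the option depends on; since it only has an effect once the Backchannel Logout URL has been set on the Keycloak client (table above), a comment such as `backchannel_logout_enabled: true # Optional, requires the Backchannel Logout URL to be set in Keycloak` keeps the two halves of the setup together for someone copying just this block.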

View file

@ -5817,6 +5817,17 @@ without modifications.</p>
which is set to the claims returned by the UserInfo Endpoint and/or which is set to the claims returned by the UserInfo Endpoint and/or
in the ID Token.</p> in the ID Token.</p>
</li> </li>
<li>
<p><code>backchannel_logout_enabled</code>: set to <code>true</code> to process OIDC Back-Channel Logout notifications.
Those notifications are expected to be received on <code>/_synapse/client/oidc/backchannel_logout</code>.
Defaults to <code>false</code>.</p>
</li>
<li>
<p><code>backchannel_logout_ignore_sub</code>: by default, the OIDC Back-Channel Logout feature checks that the
<code>sub</code> claim matches the subject claim received during login. This check can be disabled by setting
this to <code>true</code>. Defaults to <code>false</code>.</p>
<p>You might want to disable this if the <code>subject_claim</code> returned by the mapping provider is not <code>sub</code>.</p>
</li>
</ul> </ul>
<p>It is possible to configure Synapse to only allow logins if certain attributes <p>It is possible to configure Synapse to only allow logins if certain attributes
match particular values in the OIDC userinfo. The requirements can be listed under match particular values in the OIDC userinfo. The requirements can be listed under
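Review bot: the new `backchannel_logout_ignore_sub` entry explains how to disable the subject check but not what is given up by doing so: with it set to `true`, a logout notification is no longer tied to the subject that logged in, so the entry should state what Synapse still matches the notification against in that case and recommend keeping the default unless `subject_claim` genuinely is not `sub`, which the second paragraph only hints at. Also consider linking `subject_claim` to the mapping-provider documentation, since the term is introduced here without context.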
@ -7225,6 +7236,10 @@ maintainer.</p>
setting in your configuration file. setting in your configuration file.
See the <a href="usage/configuration/config_documentation.html#oidc_providers">configuration manual</a> for some sample settings, as well as See the <a href="usage/configuration/config_documentation.html#oidc_providers">configuration manual</a> for some sample settings, as well as
the text below for example configurations for specific providers.</p> the text below for example configurations for specific providers.</p>
<h2 id="oidc-back-channel-logout"><a class="header" href="#oidc-back-channel-logout">OIDC Back-Channel Logout</a></h2>
<p>Synapse supports receiving <a href="https://openid.net/specs/openid-connect-backchannel-1_0.html">OpenID Connect Back-Channel Logout</a> notifications.</p>
<p>This lets the OpenID Connect Provider notify Synapse when a user logs out, so that Synapse can end that user session.
This feature can be enabled by setting the <code>backchannel_logout_enabled</code> property to <code>true</code> in the provider configuration, and setting the following URL as destination for Back-Channel Logout notifications in your OpenID Connect Provider: <code>[synapse public baseurl]/_synapse/client/oidc/backchannel_logout</code></p>
<h2 id="sample-configs"><a class="header" href="#sample-configs">Sample configs</a></h2> <h2 id="sample-configs"><a class="header" href="#sample-configs">Sample configs</a></h2>
<p>Here are a few configs for providers that should work with Synapse.</p> <p>Here are a few configs for providers that should work with Synapse.</p>
<h3 id="microsoft-azure-active-directory"><a class="header" href="#microsoft-azure-active-directory">Microsoft Azure Active Directory</a></h3> <h3 id="microsoft-azure-active-directory"><a class="header" href="#microsoft-azure-active-directory">Microsoft Azure Active Directory</a></h3>
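Review bot: this hunk, and the three Keycloak hunks that follow it, repeat the earlier hunks of this commit verbatim, which looks like the single-page build of the same documentation; the same wording issues ("as destination", "sends logout notification", the missing full stop after the `<code>` URL) appear here too, so the copy fixes belong in the markdown source so that both rendered pages regenerate together rather than being patched by hand.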
@ -7282,6 +7297,8 @@ to install Dex.</p>
</code></pre> </code></pre>
<h3 id="keycloak"><a class="header" href="#keycloak">Keycloak</a></h3> <h3 id="keycloak"><a class="header" href="#keycloak">Keycloak</a></h3>
<p><a href="https://www.keycloak.org/docs/latest/server_admin/#sso-protocols">Keycloak</a> is an opensource IdP maintained by Red Hat.</p> <p><a href="https://www.keycloak.org/docs/latest/server_admin/#sso-protocols">Keycloak</a> is an opensource IdP maintained by Red Hat.</p>
<p>Keycloak supports OIDC Back-Channel Logout, which sends logout notification to Synapse, so that Synapse users get logged out when they log out from Keycloak.
This can be optionally enabled by setting <code>backchannel_logout_enabled</code> to <code>true</code> in the Synapse configuration, and by setting the &quot;Backchannel Logout URL&quot; in Keycloak.</p>
<p>Follow the <a href="https://www.keycloak.org/getting-started">Getting Started Guide</a> to install Keycloak and set up a realm.</p> <p>Follow the <a href="https://www.keycloak.org/getting-started">Getting Started Guide</a> to install Keycloak and set up a realm.</p>
<ol> <ol>
<li> <li>
@ -7305,6 +7322,8 @@ to install Dex.</p>
<tr><td>Client Protocol</td><td><code>openid-connect</code></td></tr> <tr><td>Client Protocol</td><td><code>openid-connect</code></td></tr>
<tr><td>Access Type</td><td><code>confidential</code></td></tr> <tr><td>Access Type</td><td><code>confidential</code></td></tr>
<tr><td>Valid Redirect URIs</td><td><code>[synapse public baseurl]/_synapse/client/oidc/callback</code></td></tr> <tr><td>Valid Redirect URIs</td><td><code>[synapse public baseurl]/_synapse/client/oidc/callback</code></td></tr>
<tr><td>Backchannel Logout URL (optional)</td><td> <code>[synapse public baseurl]/_synapse/client/oidc/backchannel_logout</code></td></tr>
<tr><td>Backchannel Logout Session Required (optional)</td><td> <code>On</code></td></tr>
</tbody></table> </tbody></table>
<ol start="5"> <ol start="5">
<li>Click <code>Save</code></li> <li>Click <code>Save</code></li>
@ -7328,6 +7347,7 @@ to install Dex.</p>
config: config:
localpart_template: &quot;{{ user.preferred_username }}&quot; localpart_template: &quot;{{ user.preferred_username }}&quot;
display_name_template: &quot;{{ user.name }}&quot; display_name_template: &quot;{{ user.name }}&quot;
backchannel_logout_enabled: true # Optional
</code></pre> </code></pre>
<h3 id="auth0"><a class="header" href="#auth0">Auth0</a></h3> <h3 id="auth0"><a class="header" href="#auth0">Auth0</a></h3>
<p><a href="https://auth0.com/">Auth0</a> is a hosted SaaS IdP solution.</p> <p><a href="https://auth0.com/">Auth0</a> is a hosted SaaS IdP solution.</p>

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long

View file

@ -2667,6 +2667,17 @@ without modifications.</p>
which is set to the claims returned by the UserInfo Endpoint and/or which is set to the claims returned by the UserInfo Endpoint and/or
in the ID Token.</p> in the ID Token.</p>
</li> </li>
<li>
<p><code>backchannel_logout_enabled</code>: set to <code>true</code> to process OIDC Back-Channel Logout notifications.
Those notifications are expected to be received on <code>/_synapse/client/oidc/backchannel_logout</code>.
Defaults to <code>false</code>.</p>
</li>
<li>
<p><code>backchannel_logout_ignore_sub</code>: by default, the OIDC Back-Channel Logout feature checks that the
<code>sub</code> claim matches the subject claim received during login. This check can be disabled by setting
this to <code>true</code>. Defaults to <code>false</code>.</p>
<p>You might want to disable this if the <code>subject_claim</code> returned by the mapping provider is not <code>sub</code>.</p>
</li>
</ul> </ul>
<p>It is possible to configure Synapse to only allow logins if certain attributes <p>It is possible to configure Synapse to only allow logins if certain attributes
match particular values in the OIDC userinfo. The requirements can be listed under match particular values in the OIDC userinfo. The requirements can be listed under
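Review bot: this hunk duplicates the `backchannel_logout_enabled` and `backchannel_logout_ignore_sub` entries added earlier in this commit with identical text, so the same gap applies: the `backchannel_logout_ignore_sub` entry should spell out what is lost when the subject check is disabled and what the notification is still matched against, and the wording should be changed in the markdown source so both rendered copies stay in sync.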