
Setting up Delegated Authentication With the Installer

Delegated Authentication

At present, we support delegating the authentication of users to the following provider interfaces:

  • LDAP
  • SAML
  • OIDC
  • CAS

When enabling Delegated Auth, you can still allow local users managed by Element to connect to the instance.


When Allow Local Users Login is enabled, you can connect to your instance using both your IdP and the local database.


The installer offers several options, and you can combine two or more of them on the same instance, for example by enabling both SAML and OIDC delegated authentication.

Setting up Delegated Authentication with LDAP on Windows AD

Setting up Delegated Authentication with OpenID on Microsoft Azure

Setting up Delegated Authentication with OpenID on Microsoft AD FS

Setting up Delegated Authentication with SAML on Microsoft Azure

Note: We are rapidly working to expand and improve this documentation. For now, we are providing screenshots of working configurations, but in the future, we will better explain the options as well. If you do not see your provider listed below, please file a support ticket or reach out to your Element representative and we will work to get you connected and our documentation updated.

Troubleshooting

Redirection loop on SSO

Synapse needs to have the X-Forwarded-For and X-Forwarded-Proto headers set by the reverse proxy doing the TLS termination. If you are using a Kubernetes installation with your own reverse proxy terminating TLS, please make sure that the appropriate headers are set.
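
To confirm what your reverse proxy actually forwards, you can point it temporarily at a small echo backend and inspect the headers that arrive. The following is an added example, not part of the Element installer or Synapse; the names check_forwarded_headers and EchoHandler, the port and the sample values are hypothetical, and it assumes clients reach the proxy over HTTPS, so X-Forwarded-Proto should read https.

```python
"""Check the forwarding headers a TLS-terminating reverse proxy sends upstream."""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer


def check_forwarded_headers(headers):
    """Return a list of problems found in the headers a backend received."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    problems = []

    proto = h.get("x-forwarded-proto")
    if not proto:
        problems.append("X-Forwarded-Proto is missing")
    elif proto.lower() != "https":
        problems.append(f"X-Forwarded-Proto is {proto!r}, expected 'https'")

    xff = h.get("x-forwarded-for")
    if not xff:
        problems.append("X-Forwarded-For is missing")
    else:
        # The header may carry a comma-separated chain of addresses.
        for hop in (p.strip() for p in xff.split(",")):
            try:
                ipaddress.ip_address(hop)
            except ValueError:
                problems.append(f"X-Forwarded-For entry {hop!r} is not an IP address")
    return problems


class EchoHandler(BaseHTTPRequestHandler):
    """Temporary stand-in backend: reports what the proxy actually forwarded."""
    def do_GET(self):
        problems = check_forwarded_headers(dict(self.headers.items()))
        body = ("\n".join(problems) or "forwarding headers look correct") + "\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())


if __name__ == "__main__":
    # Constructed samples: a correctly configured proxy and a misconfigured one.
    good = {"X-Forwarded-For": "203.0.113.7", "X-Forwarded-Proto": "https"}
    bad = {"x-forwarded-proto": "http"}
    print(check_forwarded_headers(good))
    print(check_forwarded_headers(bad))
    # To inspect a live proxy, aim it at this listener (arbitrary port):
    # HTTPServer(("127.0.0.1", 8080), EchoHandler).serve_forever()
```

Requesting any path through the proxy then returns either the list of problems or a confirmation that both headers arrived as expected.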