Skip to main content

Setting up Delegated Authentication With the Installer

On Element Enterprise

  • Depending on your provider, copy the sample file in the installer root directory from config-sample/synapse/ to ~/.element-onpremise-config/synapse
cp -r config-sample/synapse ~/.element-onpremise-config/synapse
  • Edit the file for the provider you are setting up. You have at least 3 parameters to edit :
    • The IdP metadata url
    • The name and description of your synapse server, which your provider would display to inform the users to which app they are logging in
  • Disable the local synapse user database and password workflows by creating a file ~/.element-onpremise-config/synapse/disable-local.yml and putting the following in it:
       localdb_enabled: false
       enabled: false
  • Disable local user workflows in element by creating a file ~/.element-onpremise-config/element/delegatedauth.json and putting the following in it:
      "setting_defaults": {
         "UIFeature.identityServer": false,
         "UIFeature.passwordReset": false,
         "UIFeature.registration": false,
         "UIFeature.deactivate": false,
         "UIFeature.thirdPartyId": false
  • Run the installer to configure SAML provisioning

On the provider

Here we cover Azure ADFS and Keycloak.

Other SAML providers can be configured for use with Element Enterprise. Please contact Element for further information in the event that you are not using one of the above providers.

Azure ADFS

  • With an account with enough rights, go to : Enterprise Applications Portal
  • Click on New Application
  • Click on Create your own application on the top left corner
  • Choose a name for it, and select Integrate any other application you don't find in the gallery
  • Click on "Create"
  • Select Set up single sign on
  • Select SAML
  • Edit on Basic SAML Configuration
  • In Identifier, add the following URL : https://<synapse fqdn>/_synapse/client/saml2/metadata.xml
  • Remove the default URL
  • In Reply URL, add the following URL : https://<synapse fqdn>/_synapse/client/saml2/authn_response
  • Click on Save
  • Edit on Attributes & Claims
  • Remove all defaults additional claims
  • Click on Add new claim to add the following claims. The UID will be used as the MXID, the value here is mostly a suggestion :
    • Name: uid, Transformation : ExtractMailPrefix, Parameter 1 : user.userprincipalname
    • Name: email, Source attribute : user.mail
    • Name: displayName, Source attribute : user.displayname
  • Click on Save
  • In Users and Groups, add groups and users which may have access to element
  • Configure the IdP Metadate URL
    • Go back to the Overview Page for your new Enterprise application.
    • Go to the section SAML Certificates.
    • Copy the App Federation Metadata URL
    • Put this URL into the url: "" field of the saml-azure-adfs.yml.
    • Restart the Installer.


  • In Configure > Clients, add a new client. Enter https://<synapse fqdn>/_synapse/client/saml2/metadata.xml as its Client ID
  • In Mappers, add the 3 following mappers :
    • Name: uid : User attribute : username
    • Name: email, User attribute : email
    • Name: displayName, Javascript mapper : user.FirstName + " " + user.lastName