Setting up Delegated Authentication With the Installer

On

Delegated ElementAuthentication

~~Enterprise~~

At present, we support delegating the authentication of users to the following provider interfaces:

~~Depending~~LDAP

SAML

~~your~~

OIDC

~~provider,~~

~~copy~~

~~the~~

Note: ~~sample~~We ~~file~~are rapidly working to expand and improve this documentation. For now, we are providing screenshots of working configurations, but in the ~~installer~~future, ~~root~~we ~~directory~~will ~~from~~better config-sample/synapse/ to ~/.element-onpremise-config/synapse

cp -r config-sample/synapse ~/.element-onpremise-config/synapse

~~Edit~~explain the ~~file~~options ~~for~~as ~~the~~well. ~~provider~~If you ~~are~~do ~~setting~~not ~~up. You have at least 3 parameters to edit :~~
- ~~The IdP metadata url~~
- ~~The name and description of your synapse server, which~~see your provider ~~would~~listed ~~display~~below, please file a support ticket or reach out to ~~inform~~your ~~the~~Element ~~users~~representative and we will work to ~~which~~get ~~app~~you ~~they are logging in~~

~~Disable the local synapse user database~~connected and ~~password~~our ~~workflows~~documentation ~~by creating a file~~ ~/.element-onpremise-config/synapse/disable-local.yml ~~and putting the following in it:~~
```
password_config:
   localdb_enabled: false
   enabled: false
```

~~Disable local user workflows in element by creating a file~~ ~/.element-onpremise-config/element/delegatedauth.json ~~and putting the following in it:~~

{
  "setting_defaults": {
     "UIFeature.identityServer": false,
     "UIFeature.passwordReset": false,
     "UIFeature.registration": false,
     "UIFeature.deactivate": false,
     "UIFeature.thirdPartyId": false
   }
}

~~Run the installer to configure SAML provisioning~~

On the provider

~~Here we cover Azure ADFS and Keycloak.~~updated.

~~Other SAML providers can be configured for use~~

LDAP with ElementWindows Enterprise.AD

~~Please~~ ~~contact Element for further information in the event that you are not using one of the above providers.~~

Azure

~~ADFS~~

SAML

~~With~~

~~account with enough rights, go to :~~

~~Enterprise Applications Portal~~

~~Click on~~ New Application

~~Click on~~ Create your own application ~~on the top left corner~~

~~Choose a name for it, and select~~ Integrate any other application you don't find in the gallery

~~Click on "Create"~~

~~Select~~ Set up single sign on

~~Select~~ SAML

Edit on Basic SAML Configuration

In Identifier~~, add the following URL :~~ https://<synapse fqdn>/_synapse/client/saml2/metadata.xml

~~Remove the default URL~~

In Reply URL~~, add the following URL :~~ https://<synapse fqdn>/_synapse/client/saml2/authn_response

~~Click on~~ Save

Edit on Attributes & Claims

~~Remove all defaults additional claims~~

~~Click on~~ Add new claim ~~to add the following claims. The UID will be used as the MXID, the value here is mostly a suggestion :~~
- ~~Name:~~ uid~~, Transformation :~~ ExtractMailPrefix~~, Parameter 1 :~~ user.userprincipalname
- ~~Name:~~ email~~, Source attribute :~~ user.mail
- ~~Name:~~ displayName~~, Source attribute :~~ user.displayname

~~Click on~~ Save

In Users and Groups~~, add groups and users which may have access to element~~

~~Configure the IdP Metadate URL~~
- ~~Go back to the Overview Page for your new Enterprise application.~~
- ~~Go to the section SAML Certificates.~~
- ~~Copy the App Federation Metadata URL~~
- ~~Put this URL into the url: "" field of the saml-azure-adfs.yml.~~
- ~~Restart the Installer.~~

Keycloak

In Configure > Clients~~, add a new client. Enter~~ https://<synapse fqdn>/_synapse/client/saml2/metadata.xml ~~as its Client ID~~

In Mappers~~, add the 3 following mappers :~~
- ~~Name:~~ uid ~~: User attribute :~~ username
- ~~Name:~~ email~~, User attribute :~~ email
- ~~Name:~~ displayName~~, Javascript mapper :~~ user.FirstName + " " + user.lastName