Skip to main content

Setting up Delegated Authentication With the Installer


Delegated ElementAuthentication


At present, we support delegating the authentication of users to the following provider interfaces:

  • DependingLDAP
  • on
  • SAML
  • your
  • OIDC
  • provider,
  • CAS
  • copy

Note: sampleWe fileare rapidly working to expand and improve this documentation. For now, we are providing screenshots of working configurations, but in the installerfuture, rootwe directorywill frombetter config-sample/synapse/ to  ~/.element-onpremise-config/synapse

cp -r config-sample/synapse ~/.element-onpremise-config/synapse
  • Editexplain the fileoptions foras thewell. providerIf you aredo settingnot up. You have at least 3 parameters to edit :
    • The IdP metadata url
    • The name and description of your synapse server, whichsee your provider wouldlisted displaybelow, please file a support ticket or reach out to informyour theElement usersrepresentative and we will work to whichget appyou they are logging in
  • Disable the local synapse user databaseconnected and passwordour workflowsdocumentation by creating a file  ~/.element-onpremise-config/synapse/disable-local.yml and putting the following in it:
       localdb_enabled: false
       enabled: false
  • Disable local user workflows in element by creating a file ~/.element-onpremise-config/element/delegatedauth.json and putting the following in it:
      "setting_defaults": {
         "UIFeature.identityServer": false,
         "UIFeature.passwordReset": false,
         "UIFeature.registration": false,
         "UIFeature.deactivate": false,
         "UIFeature.thirdPartyId": false
  • Run the installer to configure SAML provisioning

On the provider

Here we cover Azure ADFS and Keycloak.updated.

Other SAML providers can be configured for use

LDAP with ElementWindows Enterprise.AD

contact Element for further information in the event that you are not using one of the above providers.





  • With


  • account with enough rights, go to : Enterprise Applications Portal
  • Click on New Application
  • Click on Create your own application on the top left corner
  • Choose a name for it, and select Integrate any other application you don't find in the gallery
  • Click on "Create"
  • Select Set up single sign on
  • Select SAML
  • Edit on Basic SAML Configuration
  • In Identifier, add the following URL : https://<synapse fqdn>/_synapse/client/saml2/metadata.xml
  • Remove the default URL
  • In Reply URL, add the following URL : https://<synapse fqdn>/_synapse/client/saml2/authn_response
  • Click on Save
  • Edit on Attributes & Claims
  • Remove all defaults additional claims
  • Click on Add new claim to add the following claims. The UID will be used as the MXID, the value here is mostly a suggestion :
    • Name: uid, Transformation : ExtractMailPrefix, Parameter 1 : user.userprincipalname
    • Name: email, Source attribute : user.mail
    • Name: displayName, Source attribute : user.displayname
  • Click on Save
  • In Users and Groups, add groups and users which may have access to element
  • Configure the IdP Metadate URL
    • Go back to the Overview Page for your new Enterprise application.
    • Go to the section SAML Certificates.
    • Copy the App Federation Metadata URL
    • Put this URL into the url: "" field of the saml-azure-adfs.yml.
    • Restart the Installer.


  • In Configure > Clients, add a new client. Enter https://<synapse fqdn>/_synapse/client/saml2/metadata.xml as its Client ID
  • In Mappers, add the 3 following mappers :
    • Name: uid : User attribute : username
    • Name: email, User attribute : email
    • Name: displayName, Javascript mapper : user.FirstName + " " + user.lastName