Skip to main content

Setting up Delegated Authentication With the Installer

Delegated Authentication

At present, we support delegating the authentication of users to the following provider interfaces:

  • LDAP
  • SAML
  • OIDC
  • CAS

When enabling Delegated Auth, you can still allow local users managed by Element to connect to the instance

Screenshot 2023-05-04 at 09.23.54.png

When Allow Local Users Login is Enabled, you can both connect to your instance using your IDP and the local database.

Screenshot 2023-05-04 at 14.30.04.png

Note: We are rapidly working to expand and improve this documentation. For now, we are providing screenshots of working configurations, but in the future, we will better explain the options as well. If you do not see your provider listed below, please file a support ticket or reach out to your Element representative and we will work to get you connected and our documentation updated.

LDAP with Windows AD

  • Base: the distinguished name of the root level Org Unit in your LDAP directory.

    The distinguished name can be displayed by selecting View/Advanced Features in the Active Directory console and then, right-clicking on the object, selecting Properties/Attributes Editor.

Screenshot 2023-05-04 at 17.31.24.png

  • Base Dn: the distinguished name of the LDAP account with read access.
  • Filter: an LDAP filter to filter out objects under the LDAP Base DN.
  • Uri: the URI of your LDAP server.
  • LDAP Bind Password: the password of the LDAP account with read access.

screencapture-3-76-146-148-8443-synapse-2023-05-04-17_33_17 copy.png

SAML

saml-olivier.png

OpenID with Microsoft Azure

Microsoft Azure Active Directory
  • You need to create an App registration.
  • You have to select Redirect URI (optional) and set it to https://matrix.your-domain.com/_synapse/client/oidc/callback

Screenshot 2023-05-03 at 16.30.06.png

For the bridge to be able to operate correctly, navigate to API permissions, add Microsoft Graph APIs, choose Delegated Permissions and add

  • openid
  • profile

Remember to grant the admin consent for those.

To setup the installer, you'll need

  • the Application (client) ID
  • the Directory (tenant) ID
  • a secret generated from Certificates & secrets on the app.

In the installer, select:

  • Allow Existing Users: if checked, it allows a user logging in via OIDC to match a pre-existing account instead of failing. This could be used if switching from password logins to OIDC.
  • Authorization Endpoint: the oauth2 authorization endpoint. Required if provider discovery is disabled.

    https://login.microsoftonline.com/<Directory (tenant) ID>/oauth2/v2.0/authorize

  • Backchannel Logout Enabled: Synapse supports receiving OpenID Connect Back-Channel Logout notifications. This lets the OpenID Connect Provider notify Synapse when a user logs out, so that Synapse can end that user session. This property has to bet set to https://your-domain/_synapse/client/oidc/backchannel_logoutin your identity provider

Screenshot 2023-05-02 at 15.39.56.png

  • Client Auth Method: auth method to use when exchanging the token. Set it to Client Secret Post or any method supported by your Idp
  • Client ID: your Application (client) ID
  • Discover: enable/disable the use of the OIDC discovery mechanism to discover endpoints
  • Idp Brand: an optional brand for this identity provider, allowing clients to style the login flow according to the identity provider in question
  • Idp ID: a string identifying your identity provider in your configuration
  • Idp Name: A user-facing name for this identity provider, which is used to offer the user a choice of login mechanisms in the Element UI. In the screenshot bellow, Idp Name is set to Azure AD

Screenshot 2023-05-04 at 10.45.23.png

  • Issuer: the OIDC issuer. Used to validate tokens and (if discovery is enabled) to discover the provider's endpoints

    https://login.microsoftonline.com/<Directory (tenant) ID>/v2.0

  • Token Endpoint: the oauth2 authorization endpoint. Required if provider discovery is disabled.
  • Client Secret: your secret value defined under "Certificates and secrets"

Screenshot 2023-05-03 at 15.20.20.png

  • Scopes: add every scope on a different line
    • The openid scope is required which translates to the Sign you in permission in the consent UI
    • You might also include other scopes in this request for requesting consent.

Screenshot 2023-05-03 at 17.27.00.png

  • User Mapping Provider: Configuration for how attributes returned from a OIDC provider are mapped onto a matrix user.

    Screenshot 2023-05-11 at 11.06.39.png

    • Localpart Template: Jinja2 template for the localpart of the MXID. Set it to {{ user.preferred_username.split('@')[0] }} for Azure AD
    • Display Name Template: Jinja2 template for the display name to set on first login. If unset, no displayname will be set. Set it to {{ user.name }}for Azure AD

    Other configurations are documented here.

    OpenID with Microsoft ADFS on-prem

    Installing Microsoft ADFS

    Before starting the installation, make sure:

    • your Windows computer name is correct since you won't be able to change it after having installed AD FS
    • you configured your server with a static IP address
    • your server joined a domain and your domain is defined under Server Manager > Local server
    • you can resolve your server FQDN like computername.my-domain.com

    WithoutYou thesecan pre-requisitesfind satisfied,a thechecklist certificate issued won't be validhere.

    Steps to follow:

    • Install AD CS (Certificate Server) to issue valid certificates for AD FS. AD CS provides a platform for issuing and managing public key infrastructure [PKI] certificates.
    • Install AD FS (Federation Server)
    Install AD CS

    You need to install the AD CS Server Role.

    • Follow this guide.
      You
    • then
    need to obtain
    Obtain and configureConfigure an SSL Certificate for AD FS.
    FS

    Before installing AD FS, you are required to generate a certificate for your federation service. The SSL certificate is used for securing communications between federation servers and clients.

    • Follow this guide.

    • Additionally, this guide provides more details on how to create a certificate template.

      Install AD FS

    You need to install the AD FS Role Service.

    Configure the federation service

    AD FS is installed but not configured.

    • Click on Configure the federation service on this server under Post-deployment configurationin the Server Manager.
    • Ensure Create the first federation server in a federation server farm and is selected Screenshot 2023-06-22 at 15.55.57.png
    • Click Next Screenshot 2023-06-22 at 15.57.41.png
    • Select the SSL Certificate and set a Federation Service Display Name Screenshot 2023-06-22 at 15.59.27.png
    • On the Specify Service Account page, you can either Create a Group Managed Service Account (gMSA) or Specify an existing Service or gMSA Account. Screenshot 2023-06-22 at 16.04.13.png
    • Choose your database Screenshot 2023-06-22 at 16.05.50.png
    • Review Options , check prerequisites are completed and click on Configure
    • Restart the server
    Add AD FS as an OpenID Connect identity provider

    To enable sign-in for users with an AD FS account, create an Application Group in your AD FS.
    To create an Application Group, follow theses steps:

    • In Server Manager, select Tools, and then select AD FS Management
    • In AD FS Management, right-click on Application Groups and select Add Application Group
    • On the Application Group Wizard Welcome screen
      • Enter the Name of your application
      • Under Standalone applications section, select Server application and click Next Screenshot 2023-06-22 at 16.39.52.png
    • Enter https://<matrix domain>/_synapse/client/oidc/callback in Redirect URI: field, click Add, save the Client Identifier somewhere, you will need it when setting up Element and click Next (e.g. https://matrix.domain.com/_synapse/client/oidc/callback) Screenshot 2023-06-22 at 16.45.44.png