Skip to main content

Synapse Section: Delegated Auth

LDAP on Windows AD
  • Base.
    The distinguished name of the root level Org Unit in your LDAP directory.
    • The distinguished name can be displayed by selecting View / Advanced Features in the Active Directory console and then, right-clicking on the object, selecting Properties / Attributes Editor.
  • Bind DN.
    The distinguished name of the LDAP account with read access.
  • Filter.
    A LDAP filter to filter out objects under the LDAP Base DN.
  • URI.
    The URI of your LDAP server ldap://dc.example.com.
    • This is often your Domain Controller, can also pass in ldaps:// for SSL connectivity.
    • The following are the typical ports for Windows AD LDAP servers:
      • ldap://ServerName:389
      • ldaps://ServerName:636
  • LDAP Bind Password.
    The password of the AD account with read access.
  • LDAP Attributes.
    • Mail.
      mail
    • Name.
      cn
    • UID.
      sAMAccountName
OpenID on Microsoft Azure

Before configuring within the installer, you have to configure Microsoft Azure Active Directory.


Set up Microsoft Azure Active Directory


  • You need to create an App registration.

  • You have to select Redirect URI (optional) and set it to the following, where matrix is the subdomain of Synapse and example.com is your base domain as configured on the Domains section:

    https://matrix.example.com/_synapse/client/oidc/callback

Screenshot 2023-05-03 at 16.30.06.png


For the bridge to be able to operate correctly, navigate to API permissions, add Microsoft Graph APIs, choose Delegated Permissions and add:

  • openid

  • profile

  • email


Remember to grant the admin consent for those.


To setup the installer, you'll need:

  • The Application (client) ID

  • The Directory (tenant) ID

  • A secret generated from Certificates & Secrets on the app.


Configure the installer


  • IdP Name.
    A user-facing name for this identity provider, which is used to offer the user a choice of login mechanisms in the Element UI.
  • IdP ID.
    A string identifying your identity provider in your configuration, this will be auto-generated for you (but can be changed).
  • IdP Brand.
    An optional brand for this identity provider, allowing clients to style the login flow according to the identity provider in question.
  • Issuer.
    The OIDC issuer. Used to validate tokens and (if discovery is enabled) to discover the provider's endpoints. Use https://login.microsoftonline.com/DIRECTORY_TENNANT_ID/v2.0 replacing DIRECTORY_TENNANT_ID.
  • Client Auth Method.
    Auth method to use when exchanging the token. Set it to Client Secret Post or any method supported by your IdP.
  • Client ID.
    Set this to your Application (client) ID.
  • Client Secret.
    Set this to the secret value defined under "Certificates and secrets".
  • Scopes.
    By default openid, profile and email are added, you shouldn't need to modify these.
  • User Mapping Provider.
    Configuration for how attributes returned from a OIDC provider are mapped onto a matrix user.
    • Localpart Template.
      Jinja2 template for the localpart of the MXID.
      Set it to {{ user.preferred_username.split('@')[0] }}.
    • Display Name Template.
      Jinja2 template for the display name to set on first login.
      If unset, no displayname will be set. Set it to {{ user.name }}.
  • Discover.
    Enable / Disable the use of the OIDC discovery mechanism to discover endpoints.
  • Backchannel Logout Enabled.
    Synapse supports receiving OpenID Connect Back-Channel Logout notifications. This lets the OpenID Connect Provider notify Synapse when a user logs out, so that Synapse can end that user session. This property has to bet set to https://matrix.example.com/_synapse/client/oidc/backchannel_logoutin your identity provider, where matrix is the subdomain of Synapse and example.com is your base domain as configured on the Domains section.
OpenID on Microsoft AD FS

Contents

SAML on Microsoft Azure

Before setting up the installer, you have to configure Microsoft Entra ID.


Set up Microsoft Entra ID


With an account with enough rights, go to : Enterprise Applications


  1. Click on New Application
  2. Click on Create your own application on the top left corner
  3. Choose a name for it, and select Integrate any other application you don't find in the gallery
  4. Click on "Create"
  5. Select Set up single sign on
  6. Select SAML
  7. Edit on Basic SAML Configuration
  8. In Identifier , add the following URL : https://synapse_fqdn/_synapse/client/saml2/metadata.xml
  9. Remove the default URL
  10. In Reply URL , add the following URL : https://synapse_fqdn/_synapse/client/saml2/authn_response
  11. Click on Save


  1. Make a note of the App Federation Metadata Url under SAML Certificates as this will be required in a later step.
  2. Edit on Attributes & Claims
  3. Remove all defaults for additional claims
  4. Click on Add new claim to add the following (suggested) claims (the UID will be used as the MXID):
    • Name: uid , Transformation : ExtractMailPrefix , Parameter 1 : user.userprincipalname
    • Name: email , Source attribute : user.mail
    • Name: displayName , Source attribute : user.displayname
  5. Click on Save


  1. In the application overview screen select Users and Groups and add groups and users which may have access to element

Configure the installer


Add a SAML provider in the 'Synapse' configuration after enabling Delegated Auth and set the following (suggested) fields in the installer:


  • Allow Unknown Attributes.
    Checked
  • Attribute Map.
    Select URN:Oasis:Names:TC:SAML:2.0:Attrname Format:Basic as the Identifier
  • Mapping.
    Set the following mappings:
    • From: Primary Email To: email
    • From: First Name To: firstname
    • From: Last Name To: lastname
  • Entity.
    • Description.
    • Entity ID. (From Azure)
    • Name.
  • User Mapping Provider.
    Set the following:
    • MXID Mapping: Dotreplace
    • MXID Source Attribute: uid
  • Metadata URL.
    Add the App Federation Metadata URL from Azure.
Back to top