Setting up Delegated Authentication with SAML on Microsoft Azure (WIP)

Before configuring the installer, you have to set up the application on the Microsoft Entra ID side (formerly Azure Active Directory), then point the installer's SAML provider at it.

Set up Microsoft Entra ID
With an account that has sufficient rights, go to Enterprise Applications in the Azure portal:

- Click on "New Application".
- Click on "Create your own application" in the top left corner, choose a name for it, and select "Integrate any other application you don't find in the gallery".
- Click on "Create".
- Select "Set up single sign on", then select "SAML".
- Click "Edit" on "Basic SAML Configuration":
  - In "Identifier", add the following URL and remove the default one: https://<synapse fqdn>/_synapse/client/saml2/metadata.xml
  - In "Reply URL", add the following URL: https://<synapse fqdn>/_synapse/client/saml2/authn_response
  - Click on "Save".
  Both values must match exactly (scheme, host and path) what Synapse publishes in its own SP metadata: Entra ID only posts responses to a registered Reply URL, and Synapse only accepts assertions whose audience is its own entity ID.
- Click "Edit" on "Attributes & Claims":
  - Remove all the default additional claims.
  - Click on "Add new claim" to add the following claims. The uid claim is used as the MXID localpart; the source value proposed for it here is mostly a suggestion, but whatever you choose must be unique and stable for the lifetime of the account, because Synapse keys the Matrix user on it. Note that ExtractMailPrefix drops the domain part of the UPN, so users with the same prefix in different verified domains would map to the same localpart, and guest (B2B) users, whose UPN contains "#EXT#", get that marker in their uid.
    - Name: uid, Transformation: ExtractMailPrefix, Parameter 1: user.userprincipalname
    - Name: email, Source attribute: user.mail
    - Name: displayName, Source attribute: user.displayname
    - Name:
  - Click on "Save".
- In "Users and Groups", add the groups and users that should have access to Element. Together with the application's "Assignment required" property, this is what restricts who is allowed to sign in.
Configure the installer

After enabling Delegated Auth, add a SAML provider in the Synapse configuration and set the following fields in the installer:

- Allow Unknown Attributes
- Under "Attribute Map", select the identifier urn:oasis:names:tc:SAML:2.0:attrname-format:basic (the name format Entra ID uses for the custom claims added above; claims using another format are not matched).
- Under "Mapping", add the following mappings. The "To" names must match the claim names Entra ID actually emits, otherwise the attribute is simply absent on the Synapse side:
  - From: Primary Email, To: email
  - From: First Name, To: firstname
  - From: Last Name, To: lastname
  - From:
- Certificates????
- Encryption??????
- Under "Entity", enter a description, the Entity ID (from Azure) and a name.
- Under "User Mapping Provider", select the following:
  - MXID Mapping: Dotreplace (lower-cases the value and replaces characters that are not valid in a Matrix localpart with a dot)
  - MXID Source Attribute: uid
- Under "Metadata URL", add the metadata URL from Azure (the "App Federation Metadata Url" of this application). Synapse fetches the IdP signing certificate from it, so it must be served over HTTPS and must belong to the application configured above.
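As an added, runnable illustration of the attribute flow the two sections above set up (this is not code from the installer, from Synapse or from this page), the Python below builds a minimal, constructed SAML assertion carrying the uid, email and displayName claims with the Basic name format, picks them out the way the "Attribute Map" identifier selects them, and derives the MXID from uid with a dotreplace rule mirrored from Synapse's default SAML mapping provider. The localpart alphabet, the ExtractMailPrefix behaviour (everything before the first "@"), the server name example.com and the guest UPN sample are assumptions made for the example; check the exact rule against the Synapse version you deploy.

```python
"""Attribute flow: Entra ID claims (Basic name format) -> Synapse MXID.
Added illustration; not Synapse's, the installer's or the page's own code."""
import re
import string
import xml.etree.ElementTree as ET

# Assumption: the localpart alphabet Synapse accepts when it generates an MXID
# (lowercase letters, digits and _-./=). Verify against your Synapse version.
LOCALPART_ALLOWED = set("_-./=" + string.ascii_lowercase + string.digits)
DOT_REPLACE = re.compile("[^%s]" % re.escape("".join(sorted(LOCALPART_ALLOWED))))

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"


def extract_mail_prefix(upn: str) -> str:
    """Entra ID's ExtractMailPrefix transformation (assumed): the part before '@'."""
    return upn.split("@", 1)[0]


def dot_replace_for_mxid(username: str) -> str:
    """The dotreplace mapping: lower-case, replace characters outside the
    localpart alphabet with '.', and drop a leading underscore."""
    username = username.lower()
    username = DOT_REPLACE.sub(".", username)
    return re.sub("^_", "", username)


def build_assertion(upn: str, mail: str, display_name: str) -> str:
    """Constructed, unsigned, minimal assertion carrying the three claims the
    page configures. Real Entra assertions are signed and carry many more
    elements; only the AttributeStatement matters for the mapping."""
    def attr(name: str, value: str) -> str:
        return (f'<saml:Attribute Name="{name}" NameFormat="{BASIC}">'
                f"<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>")
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
            "<saml:AttributeStatement>"
            + attr("uid", extract_mail_prefix(upn))
            + attr("email", mail)
            + attr("displayName", display_name)
            + "</saml:AttributeStatement></saml:Assertion>")


def parse_attributes(assertion_xml: str) -> dict:
    """Collect only attributes that use the Basic name format, as selected by
    the installer's Attribute Map identifier; URI-named default claims are
    ignored, which is why the defaults are removed in Entra ID."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for a in root.iterfind(".//saml:Attribute", NS):
        if a.get("NameFormat", BASIC) != BASIC:
            continue
        attrs[a.get("Name")] = [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
    return attrs


def map_user(assertion_xml: str, server_name: str) -> dict:
    """Apply MXID Source Attribute = uid and MXID Mapping = dotreplace."""
    attrs = parse_attributes(assertion_xml)
    uid = attrs["uid"][0]
    return {
        "mxid": f"@{dot_replace_for_mxid(uid)}:{server_name}",
        "email": attrs.get("email", [None])[0],
        "displayname": attrs.get("displayName", [None])[0],
    }


if __name__ == "__main__":
    samples = [  # constructed sample users
        ("John.Doe@example.com", "john.doe@example.com", "John Doe"),
        # Guest (B2B) user: the UPN prefix carries '#EXT#', which dotreplace
        # turns into dots, so the resulting localpart looks odd but is valid.
        ("jane_gmail.com#EXT#@contoso.onmicrosoft.com", "jane@gmail.com", "Jane"),
    ]
    for upn, mail, name in samples:
        print(map_user(build_assertion(upn, mail, name), "example.com"))
```

Running it shows the two ends of the mapping: a regular member ends up as @john.doe:example.com, while the guest becomes @jane_gmail.com.ext.:example.com, which is the kind of localpart to look for when deciding whether ExtractMailPrefix on the UPN is the right uid source for your tenant.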