
Setting up Delegated Authentication with SAML on Microsoft Azure (WIP)

Before configuring the installer, you have to create and configure an enterprise application in Microsoft Entra ID (formerly Azure AD).

Set up Microsoft Entra ID

With an account that has sufficient rights in the tenant, go to Enterprise Applications and:

  • Click on New Application
  • Click on Create your own application in the top left corner
  • Choose a name for it and select Integrate any other application you don't find in the gallery
  • Click on Create
  • Select Set up single sign on
  • Select SAML
  • Click Edit on Basic SAML Configuration
  • In Identifier (Entity ID), add the following URL: https://<synapse fqdn>/_synapse/client/saml2/metadata.xml
  • Remove the default URL
  • In Reply URL (Assertion Consumer Service URL), add the following URL: https://<synapse fqdn>/_synapse/client/saml2/authn_response
  • Click on Save
  • Click Edit on Attributes & Claims
  • Remove all default additional claims
  • Click on Add new claim to add the following claims. The claim names uid, email and displayName are the attribute names Synapse's default SAML mapping provider looks for, so keep them as written. The uid claim is used to derive the MXID localpart and also to recognise the same account on later logins, so its value must be stable and unique within the tenant; the UPN mail prefix suggested here is only a suggestion (note that it is not unique if the tenant has several verified domains):
    • Name: uid, Transformation: ExtractMailPrefix, Parameter 1: user.userprincipalname
    • Name: email, Source attribute: user.mail
    • Name: displayName, Source attribute: user.displayname
  • Click on Save
  • In Users and groups, add the groups and users that should have access to Element

Configure the installer

In the installer, enable Delegated Auth in the Synapse configuration, add a SAML provider and set the following fields:

  • Enable Allow Unknown Attributes. Claims without an explicit mapping are then passed through unchanged instead of being discarded, which is how the uid claim configured above reaches the user mapping provider.
  • Under Attribute Map, select the Identifier urn:oasis:names:tc:SAML:2.0:attrname-format:basic
  • Under Mapping add the following mappings. The From value is the claim name exactly as Entra ID sends it; the To value is the attribute name under which Synapse sees it:
    • From: Primary Email, To: email
    • From: First Name, To: firstname
    • From: Last Name, To: lastname

  • Certificates: not yet documented (WIP)
  • Encryption: not yet documented (WIP)
  • Under Entity, enter a description, the Entity ID (from Azure) and a name.
  • Under User Mapping Provider select the following:
    • MXID Mapping: dotreplace
    • MXID Source Attribute: uid (must match the claim name configured in Entra ID)
  • Under Metadata URL, add the App Federation Metadata Url from Azure (shown under SAML Certificates on the application's Single sign-on page). Synapse downloads the IdP signing certificate from this metadata to verify the SAML responses, so the URL must be reachable from the Synapse host.
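The following is an added illustration, not code from the installer or from Synapse, of what the two halves of the configuration above do to a username: the ExtractMailPrefix transformation on the Entra ID side, then the dotreplace MXID mapping on the Synapse side. The allowed-character set, the stripping of a leading underscore and the numeric suffix used when a localpart is already taken are modelled on Synapse's default SAML mapping provider (an assumption about its current behaviour); the UPNs and the server name example.org are constructed sample data. It also shows why the uid value matters: the mapping is lossy, so two distinct UPNs in a multi-domain tenant can collide on the same localpart.

```python
"""Model of UPN -> uid (ExtractMailPrefix) -> MXID localpart (dotreplace).

Added example; not Synapse's or the installer's own code. The character set and
collision handling are modelled on Synapse's default SAML mapping provider.
"""
import re
import string

# Characters accepted in an MXID localpart (assumption: lowercase letters, digits
# and _-./= as in Synapse's allowed set). Anything else is replaced with '.'.
MXID_LOCALPART_ALLOWED = set("_-./=" + string.ascii_lowercase + string.digits)
DOT_REPLACE_PATTERN = re.compile(
    "[^%s]" % re.escape("".join(sorted(MXID_LOCALPART_ALLOWED)))
)


def extract_mail_prefix(upn: str) -> str:
    """Entra ID 'ExtractMailPrefix' transformation: the part before the first '@'.

    With Parameter 1 = user.userprincipalname this is what lands in the uid claim.
    """
    return upn.split("@", 1)[0]


def dot_replace_for_mxid(username: str) -> str:
    """Synapse 'dotreplace' mapping: lowercase, replace disallowed characters with
    '.', and drop a leading '_' (localparts starting with '_' are reserved)."""
    username = username.lower()
    username = DOT_REPLACE_PATTERN.sub(".", username)
    return re.sub("^_", "", username)


def mxid_for_upn(upn: str, server_name: str, taken: set) -> str:
    """Derive the MXID a new user would get. If the localpart is already
    registered, a numeric suffix is appended, modelled on the default provider's
    retry counter. `taken` is the set of localparts already registered."""
    base = dot_replace_for_mxid(extract_mail_prefix(upn))
    localpart, failures = base, 0
    while localpart in taken:
        failures += 1
        localpart = f"{base}{failures}"
    taken.add(localpart)
    return f"@{localpart}:{server_name}"


def collisions(upns) -> dict:
    """Return base localparts that more than one distinct UPN maps onto.

    The mapping drops case, the domain and any non-allowed characters, so
    jane.doe@contoso.com and jane.doe@fabrikam.com (a second verified domain in
    the same tenant) would share a localpart; the second user gets jane.doe1.
    """
    seen = {}
    for upn in upns:
        base = dot_replace_for_mxid(extract_mail_prefix(upn))
        seen.setdefault(base, []).append(upn)
    return {base: users for base, users in seen.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed sample UPNs from a tenant with two verified domains.
    sample_upns = [
        "Jane.Doe@contoso.com",
        "jane.doe@fabrikam.com",
        "jane~doe@contoso.com",
        "jdoe@contoso.com",
    ]
    registered = set()
    for upn in sample_upns:
        print(f"{upn:28} -> {mxid_for_upn(upn, 'example.org', registered)}")
    print("colliding localparts:", collisions(sample_upns))
```

Run it before rolling out: if `collisions()` is non-empty for an export of the tenant's UPNs, the ExtractMailPrefix value is not a good uid and a genuinely unique attribute (for example the full UPN, or the object ID) should be used instead.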