I'm currently running Synapse that's closed for registration and I'm using SSO for authentication. Other login methods have been disabled.
Since we can't disable registration with the homeserver config file, I followed the advice given in #11968, which is to use attribute_requirements to restrict who can log in or register using SSO.
```yaml
oidc_providers:
  - idp_id: google
    idp_name: Google
    idp_brand: "google"  # optional: styling hint for clients
    issuer: "https://accounts.google.com/"
    client_id: "xxx"  # TO BE FILLED
    client_secret: "xxxx"  # TO BE FILLED
    scopes: ["openid", "profile", "email"]
    attribute_requirements:
      - attribute: email
        value: "[email protected]"
```
This worked perfectly to restrict SSO to only my email. The issue came up when I tried adding more email addresses to "the whitelist" above.
With this setup, Synapse ignores all values except the last line ([email protected]) and the SSO handler no longer matches to [email protected]. I suppose this is intended behavior, since even the config file clearly states "All of the listed attributes must match for the login to be permitted". However, this makes it really difficult to enable single sign-on and only allow logins from "friends only".
The only way I could figure out how to really get it to work was to hack /synapse/handlers/sso.py and hardcode email addresses there.
Would it be possible to allow matching several different values on required attributes? (In this case, allowing multiple email addresses.)
This issue has been migrated from #13238.