This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

SSO login via CAS create user with registration disabled #15775

Closed
agrimpard opened this issue Jun 13, 2023 · 3 comments · Fixed by #16262
Labels
A-SSO Single Sign-On (maybe OIDC) O-Uncommon Most users are unlikely to come across this or unexpected workflow S-Tolerable Minor significance, cosmetic issues, low or no impact to users. T-Enhancement New features, changes in functionality, improvements in performance, or user-facing enhancements.

Comments

@agrimpard
Contributor

Description

If a user logs in with SSO (CAS) but is not registered in Matrix's user database, he should get an error warning that he is not authorized to access the service (401).

However, Matrix will automatically register the user regardless of the registration disabled parameter, then let him connect to the server and use the service.

Steps to reproduce

Matrix config homeserver.yaml:

enable_registration: false
cas_config:
  enabled: true
  server_url: "https://cas.mydomain.com"

Homeserver

Private server

Synapse Version

1.85.0

Installation Method

Debian packages from packages.matrix.org

Database

PostgreSQL

Workers

Single process

Platform

KVM / Debian 11

Configuration

No response

Relevant log output

Not relevant?

Anything else that would be useful to know?

No response

@MatMaul MatMaul added A-SSO Single Sign-On (maybe OIDC) O-Uncommon Most users are unlikely to come across this or unexpected workflow S-Tolerable Minor significance, cosmetic issues, low or no impact to users. T-Enhancement New features, changes in functionality, improvements in performance, or user-facing enhancements. labels Jun 16, 2023
@olmari
Contributor

olmari commented Jun 17, 2023

Usually the whole point of using SSO is to have SSO handle the users so Synapse "doesn't have to". I suppose there could be a way within SSO to allow or disallow Matrix on a per-user basis, but I don't know.

@agrimpard
Contributor Author

agrimpard commented Jun 19, 2023

Usually the whole point of using SSO is to have SSO handle the users so Synapse "doesn't have to". I suppose there could be a way within SSO to allow or disallow Matrix on a per-user basis, but I don't know.

The advantage of using SSO is that users authenticate only once, whatever the application: Matrix, webmail, Nextcloud, etc. This means that applications don't have to manage authentication, but SSO doesn't have to replace the user database of these applications.

I've tried several configurations to avoid the problem of Matrix creating a user when it doesn't exist.

  • The best way would be to use the required_attributes parameter in the cas_config, but for some reason Synapse doesn't get the CAS attributes: Synapse doesn't retrieve CAS attributes when using CAS Protocol 3.0 #15807.
  • I can imagine creating an intermediary between SSO and Matrix but it's very hacky.
  • If I don't find it, I'll pre-register all my users and disable those who aren't authorized to use the service.

Ideally, of course, Matrix wouldn't register users on its own with the enable_registration: false parameter...

@MatMaul
Contributor

MatMaul commented Jun 20, 2023

This is on purpose, cf. this comment.

An enable_registration could be added at the CAS configuration level, as it was done for OIDC in the linked PR.

PR welcome :)
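As an added example (not configuration from the thread or from the Synapse project), the reported configuration beside a hardened one. The enable_registration key under cas_config is assumed to be the provider-level option the linked fix adds, mirroring the OIDC one; it is not available in 1.85.0. The required_attributes key is a documented cas_config option, and the attribute name and value used with it are constructed for illustration.

```yaml
# Added example, not from the issue thread or the Synapse project.
# Document 1: the configuration as reported. The global flag does not
# gate the CAS login path, so an unknown CAS user is registered and
# logged in (observed on Synapse 1.85.0 per this report).
enable_registration: false
cas_config:
  enabled: true
  server_url: "https://cas.mydomain.com"
---
# Document 2: hardened form.
# - required_attributes: the CAS ticket validation response must carry
#   these attributes, so the CAS server decides who may use Matrix. This
#   depends on CAS releasing attributes to Synapse (see #15807 for the
#   protocol 3.0 caveat raised in the thread).
# - enable_registration under cas_config: assumed provider-level option
#   from the linked fix (not in 1.85.0); unknown users are rejected
#   instead of created, matching the OIDC per-provider behaviour.
enable_registration: false
cas_config:
  enabled: true
  server_url: "https://cas.mydomain.com"
  enable_registration: false
  required_attributes:
    matrixAccess: "true"   # constructed attribute name/value
```

Until a release carrying the provider-level option is deployed, only the required_attributes gate (and the pre-registration approach described above) limits which CAS identities end up with a Matrix account.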

@clokep clokep changed the title SSO login create user with registration disabled SSO login via CAS create user with registration disabled Jun 21, 2023