Support MSC4450: Identity Provider selection for User-Interactive Authentication with Legacy Single Sign-On.#19693
Open
reivilibre wants to merge 5 commits intodevelopfrom
Open
Support MSC4450: Identity Provider selection for User-Interactive Authentication with Legacy Single Sign-On.#19693reivilibre wants to merge 5 commits intodevelopfrom
reivilibre wants to merge 5 commits intodevelopfrom
Conversation
This allows clients to specify the identity provider they'd like to log in with for SSO when they have multiple upstream IdPs associated with their account. Previously, Synapse would just pick one arbitrarily. But this was undesirable as you may want to use a different one at that point in time. When logging in, the user is able to choose when IdP they use - during UIA (which uses fallback auth mechanism) they should be able to do the same.
reivilibre
changed the title
MadLittleMods
approved these changes
Apr 15, 2026
| self.msc4354_enabled: bool = experimental.get("msc4354_enabled", False) | ||
|
|
||
| # MSC4450: Identity Provider selection for User-Interactive Authentication | ||
| # with Legacy Single Sign-On |
Contributor
There was a problem hiding this comment.
Suggested change
| # with Legacy Single Sign-On | |
| # with Legacy Single Sign-On (`m.login.sso`) |
| if sso_auth_provider is None: | ||
| raise SynapseError( | ||
| 400, | ||
| f"Unknown Identity Provider: '{preferred_idp_id}'", |
Contributor
There was a problem hiding this comment.
Suggested change
| f"Unknown Identity Provider: '{preferred_idp_id}'", | |
| f"Unknown preferred Identity Provider: '{preferred_idp_id}'", |
Comment on lines
+627
to
+630
| self.assertIn( | ||
| f"Continue with {provider_config['idp_name']}", | ||
| channel.text_body, | ||
| ) |
Contributor
There was a problem hiding this comment.
We should at-least note where this comes from synapse/res/templates/sso_auth_confirm.html
| flows, [{"stages": ["m.login.sso"]}, {"stages": ["m.login.password"]}] | ||
| ) | ||
|
|
||
| for idp_id, provider_config in ( |
Contributor
There was a problem hiding this comment.
Explain why we try with both (comment)
| self.assertEqual( | ||
| channel.code, | ||
| HTTPStatus.OK, | ||
| f"Attempted /auth with {idp_id} : {channel.text_body}", |
Contributor
There was a problem hiding this comment.
The current message about be confusing if encoutered.
Perhaps:
Suggested change
| f"Attempted /auth with {idp_id} : {channel.text_body}", | |
| f"Failed to use the {endpoint} endpoint as part of the UIA flow for idp_id={idp_id} : response_body={channel.text_body}", |
MadLittleMods
added
A-SSO
A-Legacy-Auth
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes: #19688
Part of: MSC4450 whose Experimental Feature tracking issue is #19691
Base:
developThis pull request is intended for whole-diff review.
Add an unstable, namespaced
idp_idquery parameter tofallback/webThis allows clients to specify the identity provider they'd like to log
in with for SSO when they have multiple upstream IdPs associated with
their account.
Previously, Synapse would just pick one arbitrarily. But this was
undesirable as you may want to use a different one at that point in
time. When logging in, the user is able to choose when IdP they use -
during UIA (which uses fallback auth mechanism) they should be able to
do the same.
Cosmetic tweaks
Add MSC4450 experimental feature flag