Merge pull request #2298 from pub-solar/docs/synapse-oidc-keycloak

Update docs on how to use synapse & keycloak OIDC
This commit is contained in:
Slavi Pantaleev 2022-11-26 17:23:31 +02:00 committed by GitHub
commit 9427f9408d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -56,21 +56,27 @@ Certain Synapse administration tasks (managing users and rooms, etc.) can be per
If you'd like to use OpenID Connect authentication with Synapse, you'll need some additional reverse-proxy configuration (see [our nginx reverse-proxy doc page](configuring-playbook-nginx.md#synapse-openid-connect-for-single-sign-on)). If you'd like to use OpenID Connect authentication with Synapse, you'll need some additional reverse-proxy configuration (see [our nginx reverse-proxy doc page](configuring-playbook-nginx.md#synapse-openid-connect-for-single-sign-on)).
This example configuration is for [keycloak](https://www.keycloak.org/), an opensource Identity Provider maintained by Red Hat.
For more detailed documentation on available options and how to setup keycloak, see the [Synapse documentation on OpenID Connect with keycloak](https://github.com/matrix-org/synapse/blob/develop/docs/openid.md#keycloak).
In case you encounter errors regarding the parsing of the variables, you can try to add `{% raw %}` and `{% endraw %}` blocks around them. For example ; In case you encounter errors regarding the parsing of the variables, you can try to add `{% raw %}` and `{% endraw %}` blocks around them. For example ;
``` ```
- idp_id: keycloak matrix_synapse_configuration_extension_yaml: |
idp_name: "Keycloak" oidc_providers:
issuer: "https://url.ix/auth/realms/x" - idp_id: keycloak
client_id: "matrix" idp_name: "My KeyCloak server"
client_secret: "{{ vault_synapse_keycloak }}" issuer: "https://url.ix/auth/realms/{realm_name}"
scopes: ["openid", "profile"] client_id: "matrix"
authorization_endpoint: "https://url.ix/auth/realms/x/protocol/openid-connect/auth" client_secret: "{{ vault_synapse_keycloak }}"
token_endpoint: "https://url.ix/auth/realms/x/protocol/openid-connect/token" scopes: ["openid", "profile"]
userinfo_endpoint: "https://url.ix/auth/realms/x/protocol/openid-connect/userinfo" user_mapping_provider:
user_mapping_provider: config:
config: localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}"
display_name_template: "{% raw %}{{ user.given_name }}{% endraw %} {% raw %}{{ user.family_name }}{% endraw %}" display_name_template: "{% raw %}{{ user.name }}{% endraw %}"
email_template: "{% raw %}{{ user.email }}{% endraw %}" email_template: "{% raw %}{{ user.email }}{% endraw %}"
allow_existing_users: true # Optional
backchannel_logout_enabled: true # Optional
``` ```