bekucera/synapse
1
0
Fork 0
mirror of https://github.com/element-hq/synapse.git synced 2025-09-17 11:05:10 +02:00
Code Issues Packages Projects Releases Wiki Activity

Allow only requiring a field be present in an SSO response, rather than specifying a required value (#18454)

Browse Source
This commit is contained in:
Andrew Morgan
2025-05-19 17:50:02 +01:00
committed by GitHub
parent 17e6b32966
commit 1f4ae2f9eb
4 changed files with 86 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
docs/usage/configuration/config_documentation.md
View File

@@ -3782,17 +3782,23 @@ match particular values in the OIDC userinfo. The requirements can be listed und
```yaml
attribute_requirements:
- attribute: family_name
value: "Stephensson"
one_of: ["Stephensson", "Smith"]
- attribute: groups
value: "admin"
# If `value` or `one_of` are not specified, the attribute only needs
# to exist, regardless of value.
- attribute: picture
```
`attribute` is a required field, while `value` and `one_of` are optional.
All of the listed attributes must match for the login to be permitted. Additional attributes can be added to
userinfo by expanding the `scopes` section of the OIDC config to retrieve
additional information from the OIDC provider.
If the OIDC claim is a list, then the attribute must match any value in the list.
Otherwise, it must exactly match the value of the claim. Using the example
above, the `family_name` claim MUST be "Stephensson", but the `groups`
above, the `family_name` claim MUST be either "Stephensson" or "Smith", but the `groups`
claim MUST contain "admin".
Example configuration: