Authentication Section
Info
This is a new section introduced in LTS 24.10 which replaces the previous Delegated Authentication options found within the Synapse section. Your previous configuration will be upgraded on the first run of the newer LTS.
In the Authentication section you will find options to configure settings specific to Authentication. Regardless of whether you are using the Matrix Authentication Server (MAS) or have enabled Legacy Auth, the settings on this page remain the same.
However, please note that MAS does not support delegated authentication with SAML or GroupSync; if you wish to enable either of these you will need to return to the Host section and enable Legacy Auth.
All settings configured via the UI in this section will be saved to your deployment.yml, with the contents of secrets being saved to secrets.yml. You will find specific configuration examples in each section.
Config Example
By default, if you do not change any settings on this page, defaults will be added to your configuration file(s) (see example below).
Config Example
```yaml
metadata:
  annotations:
    ui.element.io/layer: |
      components:
spec:
  components:
    synapse:
      config:
        delegatedAuth:
          localPasswordDatabase:
            enableRegistration: false # (1)!
```
1. Note, if you deploy without any authentication methods enabled, the installer will default to Local Accounts.
User Profiles
Config Example
```yaml
spec:
  components:
    synapse:
      config:
        delegatedAuth:
          userProfiles:
            allowAvatarChange: true # (1)!
            allowDisplayNameChange: true # (1)!
            allowEmailChange: true # (1)!
```
1. Not present if left as default
The User Profiles section provides some self-explanatory config options to adjust what changes users are allowed to make to their User Profile, such as changing their Display Name. You may wish to restrict this if you'd prefer to delegate the setting of these values to the associated Identity Provider.
OIDC
You can add and configure one, or multiple, OIDC providers - to do so you will need to click the Add OIDC / Add more OIDC button found after toggling on the OIDC section:
Once an OIDC provider is added, you can remove any providers by clicking the rubbish bin icon found to the left of the provider.
IdP Name
Config Example
- Required
IdP ID
Config Example
- Required
IdP Brand
Issuer
Config Example
- Required
Client Auth Method
Config Example
```yaml
spec:
  components:
    synapse:
      config:
        delegatedAuth:
          oidc:
            clientAuthMethod: client_secret_basic # (1)!
```
1. If no clientAuthMethod is defined, it will default to client_secret_basic. Alternative options include:
Client ID
Client Secret
Config Example
Allow Existing Users
Scopes
Config Example
User Mapping Provider
Subject Template
Config Example
Localpart Template
Config Example
If using Legacy Auth, you should use Jinja (Python) syntax to format your template; if using MAS, you should use the Rust Jinja syntax instead. For example, to get a valid localpart from an email address, you would use {{ user.preferred_username.split('@')[0] }} if using Legacy Auth, or {{ (user.preferred_username | split('@'))[0] }} if using MAS.
Display Name Template
Config Example
Email Template
Config Example
Endpoints Discovery
Auto Discovery
Config Example
```yaml
spec:
  components:
    synapse:
      config:
        delegatedAuth:
          oidc:
            - clientId: synapsekieranml
              clientSecretSecretKey: oidcClientSecret
              endpointsDiscovery:
                skipVerification: false
              idpId: 01JDS2WKNYTQS21GFAKM9AKD9R
              idpName: Keycloak
              issuer: https://keycloak.ems-support.element.dev/realms/matrix
              scopes:
                - openid
                - profile
                - email
              userMappingProvider:
                displayNameTemplate: "{{ user.name }}"
                emailTemplate: "{{ user.email }}"
```
Skip Verification
Config Example
```yaml
spec:
  components:
    synapse:
      config:
        delegatedAuth:
          oidc:
            - clientId: synapsekieranml
              clientSecretSecretKey: oidcClientSecret
              endpointsDiscovery:
                skipVerification: false
              idpId: 01JDS2WKNYTQS21GFAKM9AKD9R
              idpName: Keycloak
              issuer: https://keycloak.ems-support.element.dev/realms/matrix
              scopes:
                - openid
                - profile
                - email
              userMappingProvider:
                displayNameTemplate: "{{ user.name }}"
                emailTemplate: "{{ user.email }}"
```
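The OIDC provider entry shown in the config examples above has a handful of settings a reviewer would want to sanity-check before deploying: the required fields are present, the issuer is fetched over HTTPS, Skip Verification is left off, and the requested scopes actually cover the claims the mapping templates reference. The following is an added example, not part of the ESS installer or Synapse; it assumes deployment.yml has already been loaded into a Python dict (for instance with PyYAML, not shown) and only inspects keys that appear in the page's own examples. The sample provider dict is a constructed copy of the page's example.

```python
"""Lint an ESS deployment.yml delegatedAuth.oidc provider entry.

Added example; not part of the ESS installer or Synapse. It assumes the YAML
has already been loaded into a dict and inspects only the keys that appear in
the page's own config examples.
"""
import copy
from urllib.parse import urlparse

# Fields the page marks as "Required" in the UI, plus the client credentials
# that every provider entry in the page's examples carries.
REQUIRED_KEYS = ("idpName", "idpId", "issuer", "clientId", "clientSecretSecretKey")

# Constructed sample: the provider entry from the page's "Config Example"
# blocks, as it looks after loading deployment.yml.
PAGE_EXAMPLE_PROVIDER = {
    "clientId": "synapsekieranml",
    "clientSecretSecretKey": "oidcClientSecret",
    "endpointsDiscovery": {"skipVerification": False},
    "idpId": "01JDS2WKNYTQS21GFAKM9AKD9R",
    "idpName": "Keycloak",
    "issuer": "https://keycloak.ems-support.element.dev/realms/matrix",
    "scopes": ["openid", "profile", "email"],
    "userMappingProvider": {
        "displayNameTemplate": "{{ user.name }}",
        "emailTemplate": "{{ user.email }}",
    },
}


def lint_oidc_provider(provider: dict) -> list[str]:
    """Return a list of findings for one provider; empty means nothing found."""
    findings: list[str] = []

    for key in REQUIRED_KEYS:
        if not provider.get(key):
            findings.append(f"missing required field: {key}")

    issuer = provider.get("issuer")
    if issuer and urlparse(issuer).scheme != "https":
        # Discovery fetches <issuer>/.well-known/openid-configuration; over
        # plain http that document could be altered in transit.
        findings.append("issuer should use https")

    discovery = provider.get("endpointsDiscovery") or {}
    if discovery.get("skipVerification") is True:
        findings.append(
            "endpointsDiscovery.skipVerification is true; keep it false outside of testing"
        )

    scopes = provider.get("scopes") or []
    if "openid" not in scopes:
        findings.append("scopes must include 'openid' for an OIDC login")

    # The page's templates read user.name and user.email; in standard OIDC
    # those claims are released by the 'profile' and 'email' scopes.
    mapping = provider.get("userMappingProvider") or {}
    if "emailTemplate" in mapping and "email" not in scopes:
        findings.append("emailTemplate is set but the 'email' scope is not requested")
    if "displayNameTemplate" in mapping and "profile" not in scopes:
        findings.append("displayNameTemplate is set but the 'profile' scope is not requested")

    return findings


def lint_deployment(deployment: dict) -> dict[str, list[str]]:
    """Lint every entry under spec.components.synapse.config.delegatedAuth.oidc,
    keyed by idpId (or the list index when idpId is missing)."""
    providers = (
        deployment.get("spec", {})
        .get("components", {})
        .get("synapse", {})
        .get("config", {})
        .get("delegatedAuth", {})
        .get("oidc", [])
    )
    return {str(p.get("idpId") or i): lint_oidc_provider(p) for i, p in enumerate(providers)}


def weakened_example() -> dict:
    """Constructed negative case: the page example with two settings loosened."""
    weak = copy.deepcopy(PAGE_EXAMPLE_PROVIDER)
    weak["issuer"] = "http://keycloak.ems-support.element.dev/realms/matrix"
    weak["endpointsDiscovery"]["skipVerification"] = True
    return weak


if __name__ == "__main__":
    for label, entry in (("page example", PAGE_EXAMPLE_PROVIDER), ("weakened", weakened_example())):
        print(label, "->", lint_oidc_provider(entry) or "OK")
```

The page's own example passes cleanly; the weakened copy reports the http issuer and the enabled Skip Verification. Run it against the `oidc` list from a real deployment.yml with `lint_deployment` to check every configured provider at once.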
Backchannel Logout Enabled
Warning
The Matrix Authentication Service does not support configuring Backchannel Logout. You can only configure Backchannel Logout if you have enabled Legacy Auth from the Host Section.
Config Example
```yaml
spec:
  components:
    synapse:
      config:
        delegatedAuth:
          oidc:
            - clientId: synapsekieranml
              clientSecretSecretKey: oidcClientSecret
              endpointsDiscovery:
                skipVerification: false
              idpId: 01JDS2WKNYTQS21GFAKM9AKD9R
              idpName: Keycloak
              issuer: https://keycloak.ems-support.element.dev/realms/matrix
              scopes:
                - openid
                - profile
                - email
              userMappingProvider:
                displayNameTemplate: "{{ user.name }}"
                emailTemplate: "{{ user.email }}"
```
SAML
Warning
The Matrix Authentication Service does not support SAML and it is recommended to switch to OIDC. You can only enable SAML authentication if you have enabled Legacy Auth from the Host Section.