Save the SSO user ID for later comparison to the auth user ID.

synapse/handlers/auth.py

@@ -1049,7 +1049,6 @@ def complete_sso_ui_auth(
         registered_user_id: str,
         session_id: str,
         request: SynapseRequest,
-        requester: Requester,
     ):
         """Having figured out a mxid for this user, complete the HTTP request
 
@@ -1059,18 +1058,15 @@ def complete_sso_ui_auth(
             client_redirect_url: The URL to which to redirect the user at the end of the
                 process.
         """
-        # If the user ID of the SAML session does not match the user from the
-        # request, something went wrong.
-        if registered_user_id != requester.user.to_string():
-            raise SynapseError(403, "SAML user does not match requester.")
-
         # Mark the stage of the authentication as successful.
         sess = self._get_session_info(session_id)
         if "creds" not in sess:
             sess["creds"] = {}
         creds = sess["creds"]
 
-        creds[LoginType.SSO] = True
+        # Save the user who authenticated with SSO, this will be used to ensure
+        # that the account be modified is also the person who logged in.
+        creds[LoginType.SSO] = registered_user_id
         self._save_session(sess)
 
         # Render the HTML and return.

synapse/handlers/saml_handler.py

@@ -145,9 +145,8 @@ async def handle_saml_response(self, request):
 
         # Complete the interactive auth session or the login.
         if current_session and current_session.ui_auth_session_id:
-            requester = await self._auth.get_user_by_req(request)
             self._auth_handler.complete_sso_ui_auth(
-                user_id, current_session.ui_auth_session_id, request, requester
+                user_id, current_session.ui_auth_session_id, request
             )
 
         else: