diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py index cf3c3768c7cd..181c0fa5bfe2 100644 --- a/synapse/handlers/auth.py +++ b/synapse/handlers/auth.py @@ -1049,7 +1049,6 @@ def complete_sso_ui_auth( registered_user_id: str, session_id: str, request: SynapseRequest, - requester: Requester, ): """Having figured out a mxid for this user, complete the HTTP request @@ -1059,18 +1058,15 @@ def complete_sso_ui_auth( client_redirect_url: The URL to which to redirect the user at the end of the process. """ - # If the user ID of the SAML session does not match the user from the - # request, something went wrong. - if registered_user_id != requester.user.to_string(): - raise SynapseError(403, "SAML user does not match requester.") - # Mark the stage of the authentication as successful. sess = self._get_session_info(session_id) if "creds" not in sess: sess["creds"] = {} creds = sess["creds"] - creds[LoginType.SSO] = True + # Save the user who authenticated with SSO, this will be used to ensure + # that the account be modified is also the person who logged in. + creds[LoginType.SSO] = registered_user_id self._save_session(sess) # Render the HTML and return. diff --git a/synapse/handlers/saml_handler.py b/synapse/handlers/saml_handler.py index d5e1089e664a..bee692057f9e 100644 --- a/synapse/handlers/saml_handler.py +++ b/synapse/handlers/saml_handler.py @@ -145,9 +145,8 @@ async def handle_saml_response(self, request): # Complete the interactive auth session or the login. if current_session and current_session.ui_auth_session_id: - requester = await self._auth.get_user_by_req(request) self._auth_handler.complete_sso_ui_auth( - user_id, current_session.ui_auth_session_id, request, requester + user_id, current_session.ui_auth_session_id, request ) else: