From c620a4658ddc1362aa501a2c452d17e00f385033 Mon Sep 17 00:00:00 2001
From: Quentin Gliech
Date: Mon, 19 Sep 2022 16:33:21 +0200
Subject: [PATCH] Carry IdP Session IDs through user-mapping sessions.

Signed-off-by: Quentin Gliech
---
 changelog.d/13839.misc | 1 +
 synapse/handlers/sso.py | 9 +++++++++
 2 files changed, 10 insertions(+)
 create mode 100644 changelog.d/13839.misc

diff --git a/changelog.d/13839.misc b/changelog.d/13839.misc
new file mode 100644
index 000000000000..549872c90f0d
--- /dev/null
+++ b/changelog.d/13839.misc
@@ -0,0 +1 @@
+Carry IdP Session IDs through user-mapping sessions.
diff --git a/synapse/handlers/sso.py b/synapse/handlers/sso.py
index 1e171f3f7115..339d04c89e0a 100644
--- a/synapse/handlers/sso.py
+++ b/synapse/handlers/sso.py
@@ -144,6 +144,9 @@ class UsernameMappingSession:
 # A unique identifier for this SSO provider, e.g. "oidc" or "saml".
 auth_provider_id: str
 
+ # An optional session ID from the IdP.
+ auth_provider_session_id: Optional[str]
+
 # user ID on the IdP server
 remote_user_id: str
 
@@ -461,6 +464,7 @@ async def complete_sso_login_request(
 client_redirect_url,
 next_step_url,
 extra_login_attributes,
+ auth_provider_session_id,
 )
 
 user_id = await self._register_mapped_user(
@@ -582,6 +586,7 @@ async def _redirect_to_next_new_user_step(
 client_redirect_url: str,
 next_step_url: bytes,
 extra_login_attributes: Optional[JsonDict],
+ auth_provider_session_id: Optional[str],
 ) -> NoReturn:
 """Creates a UsernameMappingSession and redirects the browser
 
@@ -604,6 +609,8 @@ async def _redirect_to_next_new_user_step(
 extra_login_attributes: An optional dictionary of extra attributes to be
 provided to the client in the login response.
 
+ auth_provider_session_id: An optional session ID from the IdP.
+
 Raises:
 RedirectException
 """
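Review bot: The new `auth_provider_session_id` field on `UsernameMappingSession` is declared without a default, so every construction of the class must now supply it; the diff updates the one in `_redirect_to_next_new_user_step` (hunk @@ -612), but any other construction site outside this diff would now fail at call time rather than at import, which is worth a grep before merging. The field comment, and the matching docstring entry in hunk @@ -604, only say "An optional session ID from the IdP" and do not say what the value is retained for. Since the mapping session stores it (hunk @@ -612) and `register_sso_user` forwards it when the session completes (hunk @@ -965), I would write `# Session ID issued by the IdP, if any; held on this mapping session until the user registers, then forwarded by register_sso_user.` The class body continues outside the hunk.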
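Review bot: In `complete_sso_login_request` the new value is passed to `_redirect_to_next_new_user_step` positionally, immediately after `extra_login_attributes`, while the corresponding call in `register_sso_user` (hunk @@ -965) uses the keyword form; with several adjacent optional parameters a positional append is easy to misorder silently, and a future parameter inserted ahead of it would shift it without any type error. I would pass it as `auth_provider_session_id=auth_provider_session_id,` here as well. The enclosing call and `complete_sso_login_request` itself both start and end outside the hunk.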
@@ -612,6 +619,7 @@ async def _redirect_to_next_new_user_step(
 now = self._clock.time_msec()
 session = UsernameMappingSession(
 auth_provider_id=auth_provider_id,
+ auth_provider_session_id=auth_provider_session_id,
 remote_user_id=remote_user_id,
 display_name=attributes.display_name,
 emails=attributes.emails,
@@ -965,6 +973,7 @@ async def register_sso_user(self, request: Request, session_id: str) -> None:
 session.client_redirect_url,
 session.extra_login_attributes,
 new_user=True,
+ auth_provider_session_id=session.auth_provider_session_id,
 )
 
 def _expire_old_sessions(self) -> None: