Open matrixbot opened 11 months ago
+1. We are currently exploring open-source alternatives to Skype for Business and have focused on Matrix-based solutions, such as Synapse. Our key requirements include support for Kerberos SSO (particularly with Active Directory) and the ability to select users from LDAP (rather than manually entering the @user:hostname).
This issue has been migrated from #9412.
It would be a killer feature to have real single-sign-on abilities in Synapse when deployed in an "enterprise" environment where computers are enrolled in a Kerberos realm.
I think the standard to look into is SPNEGO (since it's often used for any "kerberized" HTTP service). Take a look at mod_auth_krb or mod_auth_gssapi for Apache for ideas.
I have coded a few things like this before (at least GSSAPI on client/server), and this way of authenticating to an on-prem installation would really be user friendly but as secure as one would like.
This way any user able to log in to his/her computer on the local network would automatically be able to sign in to their respective Matrix accounts.
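Added example, not part of the issue and not Synapse code: a sketch of the first leg of the SPNEGO-over-HTTP exchange (RFC 4559) that the request refers to, showing how a server-side handler could triage the `Authorization: Negotiate` header before handing the token to a GSS-API library. The function name `classify_negotiate` and its return labels are hypothetical; the point it illustrates is that clients without a usable Kerberos ticket may send an NTLM token under the same scheme, which a Kerberos-only SSO endpoint should reject rather than pass on.

```python
import base64
import binascii

# DER-encoded mechanism OIDs that open a GSS-API initial context token (RFC 2743).
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2
NTLM_SIGNATURE = b"NTLMSSP\x00"


def _skip_der_length(buf, pos):
    """Return the offset just past the DER length field starting at buf[pos]."""
    first = buf[pos]
    if first < 0x80:          # short form: one length byte
        return pos + 1
    return pos + 1 + (first & 0x7F)  # long form: count byte + N length bytes


def classify_negotiate(header):
    """Triage the first Authorization header of a Negotiate exchange.

    Hypothetical helper. Returns:
      "challenge" - no Negotiate credentials; reply 401 + WWW-Authenticate: Negotiate
      "spnego"    - SPNEGO-wrapped initial token; pass to GSS-API for validation
      "kerberos"  - raw Kerberos 5 initial token; pass to GSS-API for validation
      "ntlm"      - NTLM fallback; reject on a Kerberos-only endpoint
      "malformed" - not valid base64 or not a GSS-API initial token
    """
    if not header:
        return "challenge"
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "challenge"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if token.startswith(NTLM_SIGNATURE):
        return "ntlm"
    # GSS-API initial tokens start with the [APPLICATION 0] tag, 0x60.
    if len(token) < 2 or token[0] != 0x60:
        return "malformed"
    body = token[_skip_der_length(token, 1):]
    if body.startswith(SPNEGO_OID):
        return "spnego"
    if body.startswith(KRB5_OID):
        return "kerberos"
    return "malformed"
```

This only classifies the token; proving the user's identity still requires the GSS-API accept step against the service's keytab.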