During login, if there are multiple IdPs enabled, offer the user a choice of
IdPs.

Removes the trailing slash with causes issues with matrix.to/Element.

Adds a new setting `email.invite_client_location` which, if defined, is
passed to the identity server during invites.

The final part (for now) of my work to implement a username picker in synapse itself. The idea is that we allow
`UsernameMappingProvider`s to return `localpart=None`, in which case, rather than redirecting the browser
back to the client, we redirect to a username-picker resource, which allows the user to enter a username.
We *then* complete the SSO flow (including doing the client permission checks).

The static resources for the username picker itself (in 
https://github.com/matrix-org/synapse/tree/rav/username_picker/synapse/res/username_picker)
are essentially lifted wholesale from
https://github.com/matrix-org/matrix-synapse-saml-mozilla/tree/master/matrix_synapse_saml_mozilla/res. 
As the comment says, we might want to think about making them customisable, but that can be a follow-up. 

Fixes #8876.

Move it from the federation section to the server section to match
ip_range_blacklist.

This defaults `ip_range_blacklist` to reserved IP ranges and also adds an
`ip_range_whitelist` setting to override it.

Authentication is done by checking a shared secret provided
in the Synapse configuration file.

Replaces the `federation_ip_range_blacklist` configuration setting with an
`ip_range_blacklist` setting with wider scope. It now applies to:

* Federation
* Identity servers
* Push notifications
* Checking key validitity for third-party invite events

The old `federation_ip_range_blacklist` setting is still honored if present, but
with reduced scope (it only applies to federation and identity servers).

Add a config option to change whether unread push notification counts are per-message or per-room (#8820)

This PR adds a new config option to the `push` section of the homeserver config, `group_unread_count_by_room`. By default Synapse will group push notifications by room (so if you have 1000 unread messages, if they lie in 55 rooms, you'll see an unread count on your phone of 55).

However, it is also useful to be able to send out the true count of unread messages if desired. If `group_unread_count_by_room` is set to `false`, then with the above example, one would see an unread count of 1000 (email anyone?).

This PR updates the push config's formatting to better align with our [code style guidelines](https://github.com/matrix-org/synapse/blob/develop/docs/code_style.md#configuration-file-format).

If the SAML metadata includes multiple IdPs it is necessary to
specify which IdP to redirect users to for authentication.

Updates the sample configuration with the pysaml2 configuration for
accepting clock skew/drift between the homeserver and IdP.

Signed-off-by: Adrian Wannenmacher <tfld@tfld.dev>

add some mdui:UIInfo element examples for saml2_config in homeserver.yaml

Signed-off-by: Mateusz Przybyłowicz <uamfhq@gmail.com>

Per https://github.com/matrix-org/matrix-doc/pull/2788

This allows for connecting to certain IdPs, e.g. GitLab.

Add a pair of federation metrics to track the delays in sending PDUs to/from 
particular servers.

Co-authored-by: Benjamin Koch <bbbsnowball@gmail.com>

This adds configuration flags that will match a user to pre-existing users
when logging in via OpenID Connect. This is useful when switching to
an existing SSO system.

This PR adds a confirmation step to resetting your user password between clicking the link in your email and your password actually being reset.

This is to better align our password reset flow with the industry standard of requiring a confirmation from the user after email validation.

This is a config option ported over from DINUM's Sydent: https://github.com/matrix-org/sydent/pull/285

They've switched to validating 3PIDs via Synapse rather than Sydent, and would like to retain this functionality.

This original purpose for this change is phishing prevention. This solution could also potentially be replaced by a similar one to https://github.com/matrix-org/synapse/pull/8004, but across all `*/submit_token` endpoint.

This option may still be useful to enterprise even with that safeguard in place though, if they want to be absolutely sure that their employees don't follow links to other domains.

Fixes https://github.com/matrix-org/synapse/issues/6583

Hopefully this mostly speaks for itself. I also did a bit of cleaning up of the
error handling.

Fixes #8047

Fixes #7901.

Signed-off-by: Niklas Tittjung <nik_t.01@web.de>

The [postgres setup docs](https://github.com/matrix-org/synapse/blob/develop/docs/postgres.md#set-up-database) recommend setting up your database with user `synapse_user`.

However, uncommenting the postgres defaults in the sample config leave you with user `synapse`.

This PR switches the sample config to recommend `synapse_user`. Took a me a second to figure this out, so assume this will beneficial to others.