I did some digging; this is what I think is needed:
The current package uses:
Synapse v1.144.0 (which is compatible - MAS requires v1.136.0+)
Cloudron OIDC for SSO (traditional OIDC provider approach)
PostgreSQL as the database
Standard Matrix authentication endpoints
What MAS Integration Requires
MAS is fundamentally different from traditional OIDC - it's not just another identity provider, but a complete replacement for Synapse's internal authentication system per MSC3861. It needs:
1. MAS Service Deployment
MAS needs to run as a separate service (not just a config change)
It requires its own separate PostgreSQL database
It needs its own domain/subdomain (e.g., auth.matrix.example.com)
Docker image: ghcr.io/element-hq/matrix-authentication-service:latest
2. MAS Configuration Requirements
Encryption secrets and signing keys (RSA minimum)
Connection to Synapse via shared secret
Database configuration for its own PostgreSQL database
HTTP listener configuration
Email configuration for password recovery
Policy configuration (WASM file)
3. Synapse Configuration Changes
Replace the traditional OIDC config with a matrix_authentication_service section:

```yaml
matrix_authentication_service:
  enabled: true
  endpoint: http://mas-internal:8080/
  secret: "SharedSecretWithMAS"
```
4. Reverse Proxy Changes
These Matrix endpoints must be routed to MAS (not Synapse):
/_matrix/client/*/login
/_matrix/client/*/logout
/_matrix/client/*/refresh
5. User Migration (For Existing Deployments)
MAS includes the syn2mas tool to migrate:
Existing password hashes (bcrypt → argon2id)
Sessions and devices
Access tokens
Upstream IdP mappings