Federation
Overview
Federation allows two or more homeservers to communicate with each other. Federation uses port 443 with TLS. When homeservers are federated, visibility between users, rooms, and spaces is not automatically unrestricted. What users can discover across federated homeservers depends on how federation and directory settings are configured.
Visibility Between Federated Homeservers
Whether users on one homeserver can see identity-related information and shared content on another homeserver is configurable.
The following Synapse settings affect this behaviour:
- allow_public_rooms_over_federation: allows any other homeserver to fetch the server's public rooms directory.
- federation_domain_whitelist: restricts federation to a defined whitelist of domains.
- allow_profile_lookup_over_federation: allows other homeservers to obtain profile data of users on this homeserver.
- allow_device_name_lookup_over_federation: controls whether other homeservers can obtain the display names of user devices.
In practice, this means that two federated homeservers do not automatically expose everything to each other. Visibility depends on the selected configuration.
Federation Scope
Federation trust, allow, and deny behaviour is fundamentally server-scoped, not user-scoped.
Synapse supports restricting federation by domain allowlist through federation_domain_whitelist. There is no native option to federate with only specific individuals on a remote homeserver while blocking other users on that same homeserver.
Public Spaces and Public Rooms
Spaces follow the same basic rules as rooms because spaces are rooms with additional structure. Visibility depends on:
- The join rules of the room or space.
- Whether the room or space is advertised or discoverable.
Two settings are particularly relevant:
- allow_public_rooms_over_federation
- enable_room_list_search
The same considerations apply to both public spaces and public rooms. If these settings allow discovery and the room or space is configured accordingly, users on the federated homeserver can see it.
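The settings named in the two sections above interact, so it helps to evaluate them together. The following is an added example, not part of Synapse or of this documentation: the hypothetical function federation_exposure takes a parsed homeserver.yaml as a dict and reports what remote homeservers can read. Assumptions: the DEFAULTS values follow the upstream Synapse configuration manual, an unset whitelist means any homeserver may federate, and disabling enable_room_list_search empties the directory for remote queries.

```python
# Added example, not Synapse code. DEFAULTS mirror the defaults stated in the
# upstream Synapse configuration manual (assumption: verify for your version).
DEFAULTS = {
    "allow_public_rooms_over_federation": False,
    "allow_profile_lookup_over_federation": True,
    "allow_device_name_lookup_over_federation": False,
    "enable_room_list_search": True,
}


def federation_exposure(config):
    """Map a parsed homeserver.yaml (dict) to what remote servers can read."""
    eff = {key: config.get(key, default) for key, default in DEFAULTS.items()}
    whitelist = config.get("federation_domain_whitelist")  # None = not set

    if whitelist is None:
        peers = ["*"]  # no whitelist: any homeserver may federate
    else:
        peers = sorted(whitelist)  # empty list: no remote domain is allowed

    reachable = bool(peers)
    return {
        "peers": peers,
        # The directory is served only if federation fetches are allowed
        # and room list search has not been switched off.
        "room_directory": reachable
        and eff["allow_public_rooms_over_federation"]
        and eff["enable_room_list_search"],
        "profiles": reachable and eff["allow_profile_lookup_over_federation"],
        "device_names": reachable
        and eff["allow_device_name_lookup_over_federation"],
    }


# Constructed sample configs (domains are placeholders).
RELAXED = {"allow_public_rooms_over_federation": True}
RESTRICTED = {
    "federation_domain_whitelist": ["partner.example.org"],
    "allow_profile_lookup_over_federation": False,
}

if __name__ == "__main__":
    for name, cfg in (("relaxed", RELAXED), ("restricted", RESTRICTED)):
        print(name, federation_exposure(cfg))
```

The result describes server-level settings only; whether a given room or space is actually visible still depends on its join rules and on whether it is published.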
Bots and Room Ownership
For audit bot usage, administrators can add audit bots to selected rooms. Administrators cannot add an audit bot to rooms that were not created on that homeserver.
Separating Internal and External Communication
If an organization wants one highly secure environment for internal communication and a more relaxed environment for external communication, two homeservers are the better option.
It is possible to use spaces, but this requires ongoing care. Rooms that must remain non-federated need to be created with "Block anyone not part of homeserver from ever joining this room." User search can also become an issue in this model. Relevant Synapse configuration is under user_directory.
Deployment Model
If a customer requires two homeservers, they do not need to be deployed on two separate virtual machines. Both homeservers can run on the same VM. One example is a Kubernetes deployment using two different namespaces.
Calls and Conferences
Calls do not use Jitsi servers.
For conferences, authentication in Jitsi can be configured to work with two or more homeservers, so this setup is possible in a federated deployment.
Automatic Room and Space Membership from AD
Group sync can be used to manage membership automatically. If a space is configured with an LDAP cn, the sync process adds users to that space and reacts to changes in LDAP. This provides a way to add or remove people from spaces based on changes in AD or LDAP group membership.
Viewing Federation in the Admin Website
In the Admin Website:
- Go to the Federation tab.
- Click the server on the All federation destinations list that you want to view.
You can view the following details:
- First failed attempt. Information on when the first federation attempt failed.
- Last failed attempt. Information on when the last federation attempt failed.
- Next attempt. Information on when the next federation attempt is.
- Federated rooms. List of all federated rooms in the federated server.

Note: Federated servers are shown here only if one or more rooms are federating with each other. A server does not appear in this view only because federation_domain_whitelist is set.