Admin asked for password even though logged in with SAML

Open wiswedel opened this issue 5 years ago • 4 comments

Steps to reproduce

  1. Login as Admin user by SAML
  2. Let some time go by
  3. Make an administrative change (e.g. install an app)

Actual behaviour

Admin gets asked for password confirmation before change can be applied.

Expected behaviour

Basically that confirmation dialog is a good thing, but if the admin is logged in via SAML, they don't have a password to provide. There should at least be some hint on the SAML config page that admins should store a generic password for those cases.

Feb 21 '19 18:02 wiswedel

Is this still the case? IIRC this was fixed long ago, but I don't have a system to test it at the moment.

Jun 29 '20 08:06 schiessle

@schiessle I'm still experiencing this with NC 24.0.4 and user_saml 5.0.2

Aug 24 '22 03:08 dugite-code

I'm still experiencing this too on NC 24.0.4 and user_saml 5.0.2. However, it only happens after a while of being logged in. Logging out and back in fixes this issue temporarily for me. Edit: Just seen that the delay was already stated in the main issue.

Aug 24 '22 11:08 zroug

Same issue for me with 24.0.5

Sep 27 '22 23:09 fastlorenzo

Same with 24.0.9

Mar 08 '23 08:03 pierreozoux

It looks like this problem also affects non-admin users. This is what I noticed after a user has been logged in for a while:

  1. When a user tries to create an app password, he is prompted for a password.
  2. The logout button doesn't use single logout, so the user doesn't get logged out properly.

Latest test with v5.1.2 and NC v25.0.4.

Mar 08 '23 11:03 zroug

This affects admins for administrative actions, i.e. install an app, but also the normal users that want to generate app passwords for use with 3rd party clients and apps.

I'm surprised this problem has gone unresolved since 2019. Could someone have a look at this, please?

Aug 26 '23 17:08 GeorgeGedox

@GeorgeGedox I'm sure this is actually an issue with Nextcloud itself, as I've switched to Social login for OIDC and I'm also encountering this there. It looks like there was work done a long time ago on this: https://github.com/nextcloud/server/pull/7487 By my admittedly quick skimming over this, it looks like the user backend is checked, and if the user is a SAML user then password confirmation is not required.

However, I believe that my user is only LINKED to my SSO, therefore the original user backend will never be SSO exclusive. This would be true with both SAML and now with OIDC, where the user backend is shown as Database. You can see your user's backend under the user management tab (Click settings and select show user backend).

*EDIT: Looks like the social login app actually had implemented this as a fix on a per-user basis. https://github.com/zorn-v/nextcloud-social-login/blob/fac1c374c5afd84417aeb0236c71f4be1db2e224/lib/AppInfo/Application.php#L48

Aug 28 '23 07:08 dugite-code

This is an issue for me using SAML with Authentik, try to update a user's quota and it won't accept my pw

Jan 17 '24 19:01 j007bond007

> *EDIT: Looks like the social login app actually had implemented this as a fix on a per-user basis. https://github.com/zorn-v/nextcloud-social-login/blob/fac1c374c5afd84417aeb0236c71f4be1db2e224/lib/AppInfo/Application.php#L48

SAML backend does the same: https://github.com/nextcloud/user_saml/blob/master/lib/UserBackend.php#L493C11-L493C30

Those affected, are you using env mode or built-in SAML mode?

Jan 18 '24 10:01 blizzz

Closing in favor of https://github.com/nextcloud/server/issues/43612 – OIDC suffers as well and a solution might be possible on the server side. PR soon.

Mar 01 '24 17:03 blizzz