user_saml
Using federative SSO
Hi!
We use federative SSO (the structure is similar to: https://www.switch.ch/aai/about/federation/Federation_Structure.png ). When our users log in to a service, they have to use a discovery service to choose their IdP, so that the SP communicates with the right IdP. The current Nextcloud user_saml app unfortunately does not enable such use for us. We tried to set the "URL Target of the IdP where the SP will send the Auth Request Message" to our discovery service and leave the IdP entity empty, but it doesn't work. I don't know if the onelogin php-saml library enables such use, but it would be great if you could consider such an implementation.
Besides that, we noticed that the generated metadata includes 2 parameters, 'validUntil' and 'validUntil'. Is there any reason for that? When registering the SP with the federation, these parameters have to be removed; otherwise you have to re-register the metadata after it expires. There's really no need to do that, as the metadata doesn't change.
> We use federative SSO (the structure is similar to: https://www.switch.ch/aai/about/federation/Federation_Structure.png ). When our users log in to a service, they have to use a discovery service to choose their IdP, so that the SP communicates with the right IdP. The current Nextcloud user_saml app unfortunately does not enable such use for us. We tried to set the "URL Target of the IdP where the SP will send the Auth Request Message" to our discovery service and leave the IdP entity empty, but it doesn't work. I don't know if the onelogin php-saml library enables such use, but it would be great if you could consider such an implementation.
That should actually be possible to implement (or even work already). I do however have no access to a Shibboleth instance configured using the DiscoveryService.
Would you be able to provide me with test credentials for such a setup? This would make it considerably easier on our side to implement.
> Besides that, we noticed that the generated metadata includes 2 parameters, 'validUntil' and 'validUntil'. Is there any reason for that?
I guess you mean `cacheDuration` and `validUntil`?
> When registering the SP with the federation, these parameters have to be removed; otherwise you have to re-register the metadata after it expires. There's really no need to do that, as the metadata doesn't change.
I assume just referencing http://example.com/index.php/apps/user_saml/saml/metadata won't work?
While removing the `validUntil` won't be easily possible with the used library, what would be possible is to set an expiration date in the far future (e.g. 20 years). How would that sound?
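The discovery round-trip the original poster describes, as an added illustration that is not user_saml or php-saml code: the SAML IdP Discovery Service protocol the SP would speak with a federation WAYF/DS before it knows which IdP to send the AuthnRequest to. The SP entityID, the DS URL, the return URL and the list of trusted IdPs are constructed for the example. The security-relevant part is the last check: the entityID coming back from the DS is just a query parameter, so the SP must only accept values it already holds metadata for.

```python
"""SAML IdP discovery as seen from the SP side (illustrative, not app code)."""
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed for the example: the SP's entityID, the federation's discovery
# service, and the IdPs the SP has metadata for (normally loaded from the
# federation's signed metadata aggregate).
SP_ENTITY_ID = "https://cloud.example.org/index.php/apps/user_saml/saml/metadata"
DISCOVERY_SERVICE = "https://wayf.example-federation.org/DS"
TRUSTED_IDPS = {
    "https://idp.university-a.example/idp/shibboleth",
    "https://idp.university-b.example/idp/shibboleth",
}
RETURN_ID_PARAM = "idp"  # query parameter name the DS uses on the way back


def discovery_redirect(return_url, passive=False):
    """Build the URL the SP redirects the browser to so the user picks an IdP.

    Parameters follow the SAML IdP Discovery Service Protocol:
      entityID      - the SP asking for discovery
      return        - where the DS sends the browser afterwards
      returnIDParam - parameter the DS uses to carry the chosen IdP entityID
      isPassive     - only return a remembered choice, never show a UI
    The DS checks 'return' against the SP's registered DiscoveryResponse
    endpoints, which is why the SP must be registered in the federation.
    """
    params = {
        "entityID": SP_ENTITY_ID,
        "return": return_url,
        "returnIDParam": RETURN_ID_PARAM,
    }
    if passive:
        params["isPassive"] = "true"
    return f"{DISCOVERY_SERVICE}?{urlencode(params)}"


def idp_from_return(return_request_url):
    """Extract and validate the IdP entityID the DS handed back.

    Returns the chosen entityID, or None when the DS sent nothing back
    (user cancelled, or isPassive found no remembered IdP). Raises
    ValueError when the value is not an IdP the SP trusts: an SP must never
    start an AuthnRequest towards an IdP chosen only by an unauthenticated
    query parameter, because whoever controls that IdP controls who can
    log in.
    """
    query = parse_qs(urlsplit(return_request_url).query)
    values = query.get(RETURN_ID_PARAM, [])
    if not values:
        return None
    entity_id = values[0]
    if entity_id not in TRUSTED_IDPS:
        raise ValueError(f"IdP {entity_id!r} is not in the SP's trusted metadata")
    return entity_id


if __name__ == "__main__":
    login = "https://cloud.example.org/index.php/apps/user_saml/saml/login"
    print("1. SP -> DS:", discovery_redirect(login))
    back = login + "?idp=https%3A%2F%2Fidp.university-a.example%2Fidp%2Fshibboleth"
    print("2. DS -> SP, chosen IdP:", idp_from_return(back))
```

Once `idp_from_return` has produced a trusted entityID, the SP would select that IdP's SSO endpoint and certificate from its metadata store and only then build the AuthnRequest; php-saml is configured with a single IdP, so in practice this selection has to happen in front of it (for instance in a proxy or in an external SP module), which is what the later comments in this thread end up doing.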
- Sure, I will provide you with an account for our services and additional information, and send it to your email.
- Yes, I meant cacheDuration and validUntil.
- In our SSO federation, every SP has to be registered and the metadata has to be manually uploaded. So yes, references don't work. A 20-year expiration date should do the trick.
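Since the metadata has to be uploaded by hand anyway, the federation-side fix for the `validUntil`/`cacheDuration` problem discussed above can be done on the operator's side. Below is an added example, not user_saml or php-saml code, that reads an SP EntityDescriptor, reports whether it carries an expiry, and writes a copy with both attributes removed. The sample metadata is constructed in the shape php-saml produces; the entityID and endpoints are placeholders.

```python
"""Inspect SP metadata lifetime attributes and strip them for federation upload."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)

# Constructed sample in the shape of php-saml generated SP metadata.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD_NS}"
    validUntil="2018-02-19T10:10:10Z"
    cacheDuration="PT604800S"
    entityID="https://cloud.example.org/index.php/apps/user_saml/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cloud.example.org/index.php/apps/user_saml/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def metadata_lifetime(xml_text, now=None):
    """Return (validUntil as aware datetime or None, cacheDuration or None, expired).

    validUntil is a hard expiry: a consumer must discard the metadata after it.
    cacheDuration is only a refresh hint and never makes metadata invalid.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    valid_until = root.get("validUntil")
    cache_duration = root.get("cacheDuration")
    expires_at = None
    expired = False
    if valid_until:
        expires_at = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ")
        expires_at = expires_at.replace(tzinfo=timezone.utc)
        now = now or datetime.now(timezone.utc)
        expired = now >= expires_at
    return expires_at, cache_duration, expired


def strip_lifetime(xml_text):
    """Return the metadata with validUntil and cacheDuration removed.

    Only the EntityDescriptor's own attributes are touched; descriptors,
    endpoints and certificates are re-serialised unchanged.
    """
    root = ET.fromstring(xml_text)
    for attr in ("validUntil", "cacheDuration"):
        root.attrib.pop(attr, None)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    expires_at, cache, expired = metadata_lifetime(SAMPLE_METADATA)
    print(f"validUntil={expires_at} cacheDuration={cache} expired={expired}")
    print(strip_lifetime(SAMPLE_METADATA))
```

Run it against the XML served at `.../apps/user_saml/saml/metadata` and upload the stripped output. If the SP metadata is signed, strip the attributes before signing (or re-sign afterwards), since any change to the element invalidates an existing signature.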
Awesome! Looking forward to your mail! 🚀
have you had any progress on this?
Any progress on this one?
I've been trying to get a federative SSO working by using an external SP (mod_auth_mellon) and the user_saml type "environment-variable" - without any luck so far.
Would be great if this could be made to use a discovery service/federation, would speed our transition from ownCloud!
Update: mod_auth_mellon and user_saml "environment-variable" now working!
One more fix seems to be required in order to make it work - will open issue on that.
Fix can be found here:
https://github.com/nextcloud/user_saml/pull/147
Thanks to Frank for finding the cause of these odd login loops in Chrome!
> Update: mod_auth_mellon and user_saml "environment-variable" now working!
Can you share your configuration files? I got mod_auth_mellon working well for some other services, and I am trying to use user_saml for nextcloud, but thinking of mod_mellon because I am having some issue: https://github.com/nextcloud/user_saml/issues/314
Apologies for re-animating this issue, but has there been any progress on this? If not would there be anything that can be done to progress further on this? Would be truly useful to be able to use federated SSO natively.
Unfortunately at our organisation we are no longer using Nextcloud.
But I can confirm that using "environment-variable" was working OK with Shibboleth SP.
I also managed to make a working setup with onelogin and a simplesamlphp IdP proxy (which used a DS on the SP side of the proxy). The onelogin metadata was exchanged only with the proxy IdP.