user_saml
SSO mode does not offer multiple user back-ends anymore
Steps to reproduce
- After upgrading my NC installation from 13 to 17, the SSO/SAML app needed to be upgraded as well to 2.4.1
- The SSO configuration Tab does not offer the "allow multiple back ends" configuration option anymore
Expected behaviour
The SSO configuration Tab does offer the "allow multiple back ends" configuration option. So users on non-domain devices can log in by typing in their credentials.
Actual behaviour
The SSO configuration Tab does not offer the "allow multiple back ends" configuration option. This effectively renders users on non-domain joined devices unable to log in anymore.
Server configuration
Nextcloud version: 17
List of activated apps: user_saml
Apache configuration:
<IfModule mod_auth_gssapi.c>
    <Location "/index.php/apps/user_saml/saml/login">
        AuthName "kleinet Nextcloud - Kerberos Login"
        AuthType GSSAPI
        # ErrorDocument 401 /index.php/login?direct=1
        GssapiCredStore keytab:/etc/httpd.keytab
        GssapiAllowedMech krb5
        GssapiLocalName on
        LogLevel debug
        Require valid-user
    </Location>
</IfModule>
Apache logs:
non-domain joined device
abcd:defg:8c5::1f:949e:c01d - - [12/Feb/2020:16:38:37 +0100] "GET / HTTP/1.1" 302 -
abcd:defg:8c5::1f:949e:c01d - - [12/Feb/2020:16:38:39 +0100] "GET /index.php/login HTTP/1.1" 302 -
abcd:defg:8c5::1f:949e:c01d - - [12/Feb/2020:16:38:39 +0100] "GET / HTTP/1.1" 302 -
abcd:defg:8c5::1f:949e:c01d - - [12/Feb/2020:16:38:39 +0100] "GET /index.php/apps/user_saml/saml/login?originalUrl=&idp=1&requesttoken=8egn8jGhBvUhENqEJyWt%2BTr5vQEmHnVJGE9sw5FSmMY%3D%3AhttWxkH7dJ9Vd7m2Sn/OtgKs6U5KVUF7TR4Bhuc06rw%3D HTTP/1.1" 401 381
abcd:defg:8c5::1f:949e:c01d - - [12/Feb/2020:16:38:39 +0100] "GET /index.php/login HTTP/1.1" 302 -
abcd:defg:8c5::1f:949e:c01d - - [12/Feb/2020:16:38:39 +0100] "GET /index.php/apps/user_saml/saml/login?originalUrl=&requesttoken=vLIe5CwrkgatgDiT5EpzHwo0KBY1oOQhsMT82Fxh4/o%3D%3Ay4Fv0Fxx4GzZ51uhiRAQUDJhfFlZ69AT5ZWRnSoHkYA%3D&idp=1 HTTP/1.1" 401 381
domain joined device
fd00::201:9d26:c5b5:ec6f:5c94 - - [12/Feb/2020:16:38:49 +0100] "GET / HTTP/1.1" 302 -
fd00::201:9d26:c5b5:ec6f:5c94 - - [12/Feb/2020:16:38:49 +0100] "GET /index.php/login HTTP/1.1" 302 -
fd00::201:9d26:c5b5:ec6f:5c94 - - [12/Feb/2020:16:38:49 +0100] "GET /index.php/apps/user_saml/saml/login?originalUrl=&requesttoken=oiyLa1rGL0sxQoghotBuU5b3K/sjo8vgCBlHni5p5CM%3D%3Awx/vWmyqbQ1yEOVzyYMcJvmdGa1oyo6EYGg1xGonplM%3D&idp=1 HTTP/1.1" 401 381
fd00::201:9d26:c5b5:ec6f:5c94 - kleinem [12/Feb/2020:16:38:49 +0100] "GET /index.php/apps/user_saml/saml/login?originalUrl=&requesttoken=oiyLa1rGL0sxQoghotBuU5b3K/sjo8vgCBlHni5p5CM%3D%3Awx/vWmyqbQ1yEOVzyYMcJvmdGa1oyo6EYGg1xGonplM%3D&idp=1 HTTP/1.1" 303 -
fd00::201:9d26:c5b5:ec6f:5c94 - - [12/Feb/2020:16:38:50 +0100] "GET / HTTP/1.1" 302 -
fd00::201:9d26:c5b5:ec6f:5c94 - - [12/Feb/2020:16:38:50 +0100] "GET /index.php/apps/files/ HTTP/1.1" 200 49386
I just scrolled through other issues and realized this is essentially a duplicate of #80, which is 2 years old now. Should not be too hard to implement imho, because this is a functionality which was definitely available in an older version of the user_saml app.
Hi,
I am providing an answer in this old post because this post is always found on Google without a real solution.
Based on this workaround.
I can use SSO when users have a Kerberos ticket in the office and standard credentials when users are connected out of the office. The configuration used on my Apache server for authentication is:
<Location "/index.php/apps/user_saml/saml/login">
    AuthType GSSAPI
    AuthName "Single Sign On Login"
    GssapiCredStore keytab:/etc/httpd/keytab/nextcloud.keytab
    GssapiUseSessions On
    GssapiLocalName On
    Session On
    SessionCookieName gssapi_session path=/gssapi;httponly;secure;
    require valid-user
    ErrorDocument 401 '<meta http-equiv="refresh" content="0; URL=/index.php/login?direct=1">'
</Location>
If the workaround described above can help, it's good news :)
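An added diagnostic for the access-log pattern quoted in the report and for the ErrorDocument fallback above (example code, not from the issue or from user_saml): it groups Apache access-log lines per client and tells apart a client whose Kerberos ticket was accepted (401 then 303 with a remote user at saml/login), one that took the 401 fallback to /index.php/login?direct=1, and one stuck repeating 401s at the SSO endpoint, which is what a non-domain device does without the fallback. Addresses and request tokens in the sample are constructed placeholders.

```python
import re
from collections import defaultdict

# Apache access-log shape used in the report: client ident user [time] "req" status size
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
SAML_LOGIN = "/index.php/apps/user_saml/saml/login"
DIRECT_LOGIN = "/index.php/login?direct=1"  # target of the ErrorDocument 401 fallback

def parse_line(line):
    """Return one parsed access-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["route"] = rec["path"].split("?", 1)[0]  # path without requesttoken/idp query
    return rec

def classify_clients(lines):
    """Map each client address to 'sso_ok', 'password_fallback', 'sso_loop' or 'other'."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_client[rec["client"]].append(rec)
    verdicts = {}
    for client, recs in per_client.items():
        challenged = sum(1 for r in recs if r["route"] == SAML_LOGIN and r["status"] == 401)
        sso_ok = any(r["route"] == SAML_LOGIN and r["status"] == 303 and r["user"] != "-" for r in recs)
        fell_back = any(r["path"] == DIRECT_LOGIN for r in recs)
        if sso_ok:
            verdicts[client] = "sso_ok"             # Kerberos ticket accepted by mod_auth_gssapi
        elif challenged and fell_back:
            verdicts[client] = "password_fallback"  # 401 answered by the direct-login redirect
        elif challenged >= 2:
            verdicts[client] = "sso_loop"           # repeated 401s, never authenticated
        else:
            verdicts[client] = "other"
    return verdicts

# Constructed sample in the report's format (documentation-prefix addresses, dummy token).
SAMPLE_LOG = """\
2001:db8::10 - - [12/Feb/2020:16:38:39 +0100] "GET /index.php/apps/user_saml/saml/login?idp=1&requesttoken=XXXX HTTP/1.1" 401 381
2001:db8::10 - - [12/Feb/2020:16:38:39 +0100] "GET /index.php/apps/user_saml/saml/login?idp=1&requesttoken=XXXX HTTP/1.1" 401 381
2001:db8::20 - - [12/Feb/2020:16:38:49 +0100] "GET /index.php/apps/user_saml/saml/login?idp=1 HTTP/1.1" 401 381
2001:db8::20 - alice [12/Feb/2020:16:38:49 +0100] "GET /index.php/apps/user_saml/saml/login?idp=1 HTTP/1.1" 303 -
2001:db8::30 - - [12/Feb/2020:16:39:01 +0100] "GET /index.php/apps/user_saml/saml/login?idp=1 HTTP/1.1" 401 381
2001:db8::30 - - [12/Feb/2020:16:39:01 +0100] "GET /index.php/login?direct=1 HTTP/1.1" 200 5120
"""
```

Run `classify_clients(SAMPLE_LOG.splitlines())` on your own access log (one line per request) to see which clients are looping instead of reaching the password form.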