
Possibility "to match" users from LDAP and SAML

Open vace11 opened this issue 2 years ago • 5 comments

Hello, I have my Nextcloud configured with LDAP authentication and want to provide additional SAML authentication provided by Keycloak. In the default configuration LDAP uses the objectGUID of LDAP as username and stores it uppercase.

Keycloak on the other side stores that ID in lower case and there seems to be no possibility to deliver that as an upper case SAML attribute.

So there is no possibility "to match" users from LDAP and SAML

Is there any possibility to make the UID matching case insensitive?

best regards

vace11 Dec 01 '21 14:12

I have basically the same issue but instead of the objectGUID, I use the cn of a user. Nextcloud imports users from LDAP with case-sensitivity applied to its own database. This seems to be no problem when logging in against the LDAP backend, since LDAP is case-insensitive - which is fine. The problem now happens when I want to use SAML2: Keycloak creates all the tokens with the username in lower case while the username in the NC user database is case-sensitive. When the SAML2 auth tries to match the usernames, the one in the SAML2 token (lowercase) won't match the one in the user database (case-sensitive).

Suggested solution: Make the checks case-insensitive against the userdatabase.

systemofapwne Feb 22 '22 21:02

I tried the same setup with Azure SSO and the users appear with email addresses as the ID instead of the GUID, so they don't map to the LDAP users. This cascades to the Azure logins not being able to authenticate to the external storage shares mounted in Nextcloud.

itstevey May 28 '22 13:05

Hi, @vace11. As a workaround, you may set a JavaScript mapper for the SAML client in Keycloak. For example:


/**
 * Available variables:
 * user - the current user
 * realm - the current realm
 * clientSession - the current clientSession
 * userSession - the current userSession
 * keycloakSession - the current keycloakSession
 */

// getFirstAttribute() returns the single attribute value as a string (or null);
// getAttribute() returns a List, whose toString() would wrap the value in brackets.
var ldap_id = user.getFirstAttribute("LDAP_ID");

// Keycloak uses the value of the script's last statement as the attribute value,
// so the upper-cased ID is what ends up in the SAML assertion.
ldap_id.toUpperCase();

AndyL4N Aug 15 '22 17:08

Note that Keycloak >= 19.0.2 disables the upload_scripts feature by default and requires you to deploy the code as a JAR (https://www.keycloak.org/docs/latest/server_development/#create-a-jar-with-the-scripts-to-deploy) instead:

Deploying scripts through SAML javascript protocol mapper
Until now, administrators which used the SAML javascript protocol mapper on
their SAML clients or client scopes were allowed to upload scripts to the
server through the Keycloak Administration Console as well as through the
RESTful Admin API.

From now on, this capability is disabled and users should deploy scripts directly
to the server. This behaviour is aligned with other script based providers. For
more details, please take a look at [JavaScript Providers](https://www.keycloak.org/docs/latest/server_development/#_script_providers).

And even worse, it removes/disables all existing JavaScript mappers, so prepare for breakage: https://github.com/keycloak/keycloak/discussions/14492

It would be really nice if user_saml could at least offer an option to be case-insensitive, maybe with a big red exclamation mark, but judging from the multiple bug reports on this issue alone I can understand why no action was taken to smooth the experience between the most popular SSO provider, Keycloak, and this extension dedicated to that SSO functionality. It's still a pain, and obviously any tinkering comes back to bite you where it hurts ...

tgurr Sep 20 '22 11:09

If anyone cares: https://github.com/netzbegruenung/keycloak-scriptmapper-ldap-id can solve the issue for you with the user_oidc app.

svenseeberg Mar 20 '24 14:03