- adds user_saml_configurations table and migrates existing configuration
- Controller methods are added since appconfig endpoints cannot be used
anymore. THIS IS A BREAKING CHANGE.
- Frontend code is adjusted to use new endpoints.
- security-sloWebServerDecode was changed from a global to a provider-specific
setting. It being global seemed to be unintended. A migration path is still
missing.
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
Some SAML servers require this type of decoding, otherwise the SLO request fails. Ideally the library would perform both verifications (https://github.com/onelogin/php-saml/issues/466), but it seems upstream doesn't want to perform this change.
Until we have considered a better solution for this, this adds a new checkbox that one can configure.
Ref https://github.com/nextcloud/user_saml/issues/403
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
To make debugging SLO errors easier, this adds logging for any
encountered error in that phase.
This is similar to the logging already done on the ACS handling.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
- solved code duplication on uid mapping attribute determination
- a single point for user id normalization
- slightly reduces logic in the Controller
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
Some people seem to want to have a custom direct login text. This allows
them to set it. For now only via occ. But maybe some day we also add a
GUI component to it.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
- is more tolerant when decoding; the uuid structure is still tested later
- ensures the uid is resolved on getCurrentId()
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
The 'name' key was put in the flowData table, but the 'token' key was retrieved from this table, thus triggering the following error:
Undefined index: token at /nextcloud/apps/user_saml/lib/Controller/SAMLController.php#306
Signed-off-by: orandev <63342732+orandev@users.noreply.github.com>
Because of the strict SameSite cookies, SAML fails with the login flow,
since the POST that comes back does not transfer the proper cookies
to use the same session. Hence the token in use gets lost, etc.
Now we store all of this (encrypted) in a cookie, so that when we come back
we can restore the proper session.
FAQ:
* Is it elegant?
Nope!
* Does it work?
Yes!
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
If the SLO throws an error we should catch it. This is so that we do not
show an error page. We should also still logout the current session.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Requires https://github.com/nextcloud/server/pull/21479 to fully work.
Basically, don't save this info in the session (which is Lax by default
starting with NC19, but also soon with new Chrome and Firefox versions). We now
save it in a cookie that is set to None. This is the best we can do, I
think.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>