- adds user_saml_configurations table and migrates existing configuration
- Controller methods are added since appconfig endpoints cannot be used
anymore. THIS IS A BREAKING CHANGE.
- Frontend code is adjusted to use new endpoints.
- security-sloWebServerDecode was changed from global to provider specific
setting. It being global seemed to be unintended. A migration path is still
missing.
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
Some SAML servers require this type of decoding, otherwise the SLO request fails. Ideally the library would perform both verifications (https://github.com/onelogin/php-saml/issues/466), but it seems upstream doesn't want to perform this change.
Until we have considered a better solution for this, this adds a new checkbox that one can configure.
Ref https://github.com/nextcloud/user_saml/issues/403
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
To make debugging SLO errors easier, this adds logging for any
encountered error in that phase.
This is similar to the logging already done on the ACS handling.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
- solved code duplication on uid mapping attribute determination
- a single point for user id normalization
- slightly reduces logic in the Controller
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
Some people seem to want to have a custom direct login text. This allows
them to set it. For now only via occ. But maybe some day we also add a
GUI component to it.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
'name' key was put in flowData table, but 'token' key was retrieved from this table, thus triggering the following error:
Undefined index: token at /nextcloud/apps/user_saml/lib/Controller/SAMLController.php#306
Signed-off-by: orandev <63342732+orandev@users.noreply.github.com>
Because of the strict SameSite cookies, SAML fails with the login flow.
Because the POST that comes back is not transferring the proper cookies
to use the same session. Hence the token in use gets lost etc.
Now we store this all (encrypted) in a cookie. So that when we come back
we can restore the proper session.
FAQ:
* Is it elegant?
Nope!
* Does it work?
Yes!
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
If the SLO throws an error we should catch it. This is so that we do not
show an error page. We should also still logout the current session.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Requires https://github.com/nextcloud/server/pull/21479 to fully work.
Basically don't save this info in the session (which is lax by default
starting with NC19 but also soon with new Chromes and Firefox). We now
save it in a cookie that is set to None. This is the best we can do I
think.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
- fix 'environment-variable' login problem with chrome browser
- problem: using nextcloud behind apache2 mod_auth_mellon, chrome browser gets too many redirects
- description: nc_sameSiteCookiestrict is not sent by chrome, because of the origin POST request by idp and the 3xx redirects on nextcloud side
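The SameSite behaviour behind the login-flow breakage in the three commits above, as an added model (not code from user_saml or Nextcloud): it assumes Chrome's rule that a cross-site hop anywhere in the redirect chain makes the request cross-site, ignores Chrome's temporary "Lax-allowing-unsafe" exception, and the `Request` class, `cookie_is_sent` and `flow_cookies` are constructed names.

```python
from dataclasses import dataclass


@dataclass
class Request:
    """One request in the browser's view of the SAML login flow (constructed model)."""
    method: str
    top_level: bool                        # a navigation (address bar, form post), not a subresource
    cross_site: bool                       # the initiator's site differs from the request's site
    via_cross_site_redirect: bool = False  # an earlier 3xx hop in the chain was cross-site


def cookie_is_sent(samesite: str, secure: bool, req: Request, https: bool = True) -> bool:
    """Modelled SameSite rules (Chrome-style redirect-chain semantics, assumption).
    Strict: only when the request is same-site all the way.
    Lax:    additionally on top-level cross-site navigations with a safe method (GET).
    None:   always, but only for a Secure cookie over HTTPS."""
    mode = samesite.lower()
    if mode == "none":
        return secure and https
    if not req.cross_site and not req.via_cross_site_redirect:
        return True
    if mode == "lax":
        return req.top_level and req.method.upper() == "GET"
    return False  # strict


def flow_cookies(samesite: str, secure: bool = True) -> dict:
    """Which steps of an SP-initiated login still carry the login-flow cookie."""
    steps = {
        # 1: user opens /login on Nextcloud; the flow cookie is set in this same-site response
        "sp_login_get": Request("GET", top_level=True, cross_site=False),
        # 2: the IdP auto-submits the SAMLResponse form to /acs (POST binding) from its own site
        "idp_post_to_acs": Request("POST", top_level=True, cross_site=True),
        # 3: Nextcloud answers the ACS POST with a 3xx; the redirect chain began cross-site
        "redirect_after_acs": Request("GET", top_level=True, cross_site=False,
                                      via_cross_site_redirect=True),
    }
    return {name: cookie_is_sent(samesite, secure, req) for name, req in steps.items()}


if __name__ == "__main__":
    for mode in ("Strict", "Lax", "None"):
        print(mode, flow_cookies(mode))
```

Under this model a Strict cookie is dropped at the ACS POST and on the redirect that follows it, a Lax cookie is dropped at the ACS POST only, and a SameSite=None cookie survives every step but requires the Secure flag.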
Some IdPs send their SLO logout requests via POST. To handle
them we need to add an entry in the routing table.
Further, we need to hack around the issue that php-saml only
handles GET by copying the request from $_POST to $_GET.
This solves #82.
Signed-off-by: Frieder Schrempf <frieder.schrempf@online.de>
If this server acts as a global scale master and the user is not
a local admin of the server we just create the user and continue,
no need to update additional attributes.
But for local users, e.g. the admins of the global scale master,
we should complete the user setup with all attributes.
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
* The base route now has a function as well so it is not just some empty
route
* We now actually have an error page
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
With global scale the authentication happens on the master node
and then the user is forwarded to the node they are located on.
Therefore no user should be created on the master node after the
authentication at the IdP was successful.
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>