Commit Graph

191 Commits

Author SHA1 Message Date
Clément OUDOT 8d6eb60128 Merge remote-tracking branch 'upstream/master' into fix-saml-single-logout 2020-03-05 19:39:12 +01:00
Julius Härtl e75809a5f7
Add setting to specify a different signature algorithm
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2020-02-13 16:01:03 +01:00
Frank Tröger ee459c687c
fixed login with chrome browser
- fix 'environment-variable' login problem with chrome browser
- problem: using nextcloud behind apache2 mod_auth_mellon, chrome browser gets too many redirects
- description: nc_sameSiteCookiestrict is not sent by chrome, because of the origin POST request by idp and the 3xx redirects on nextcloud side
2020-01-28 20:01:47 +01:00
Soisik Froger 2313df0e00 use NameId format, name qualifier and name SP qualifier in SAML logout request (fixed SP qualifier typo)
Signed-off-by: Clément OUDOT <clement.oudot@worteks.com>
2019-12-16 16:59:48 +01:00
Clément OUDOT 04fcb5387b use NameId format, name qualifier and name SP qualifier in SAML logout request
Signed-off-by: Clément OUDOT <clement.oudot@worteks.com>
2019-12-16 16:59:48 +01:00
Roeland Jago Douma 8888d5a9ad
Add counting to the user backend
This will allow reporting to also list the number of SAML users on the
instance.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-11-28 15:20:03 +01:00
Arthur Schiwon f81d18c816
don't expose method for no reason
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2019-09-23 12:43:14 +02:00
Arthur Schiwon c839dc1e73
decode objectGUID to their ASCII representation if
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2019-09-19 14:07:06 +02:00
Arthur Schiwon 3737d92d4b
prevent confirmation dialogs for passwordless users
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2019-06-28 18:29:36 +02:00
Frieder Schrempf 413c7a9239
Handle SLO logout requests from IdP via POST
Some IdPs send their SLO logout requests via POST. To handle
them we need to add an entry in the routing table.
Further, we need to hack around the issue, that php-saml only
handles GET by copying the request from $_POST to $_GET.

This solves #82.

Signed-off-by: Frieder Schrempf <frieder.schrempf@online.de>
2019-06-17 18:56:55 +02:00
Dylann Cordel f780006005
fix IDP-initiated Logout #334
Signed-off-by: Dylann Cordel <d.cordel@webu.coop>
2019-06-07 21:28:04 +02:00
Roeland Jago Douma 1c8b32c841
Use a prefix to obtain the nameid format
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-05-29 09:53:52 +02:00
Roeland Jago Douma 4e8ee3ae0a
Make NameIDFormat configurable
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-05-28 23:00:34 +02:00
Roeland Jago Douma 1365bf820d
Load a timezone file if no timezone is set
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-05-27 08:39:22 +02:00
blizzz 8b5733828e
Merge pull request #319 from nextcloud/fix/noid/user-search-parity
user search parity as with local users
2019-05-06 11:42:15 +02:00
Björn Schiessle eb9f3ffb02
add additional debug output when reading attributes from the IDP
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2019-04-25 13:36:46 +02:00
Arthur Schiwon 12e8767baa
user search parity as with local users
* also take displayname and email into account

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2019-04-12 17:07:23 +02:00
Björn Schiessle 577f612267
Merge pull request #286 from nextcloud/fix-268
always create user in the SAML back-end and update the attributes
2019-01-24 14:58:11 +01:00
Arthur Schiwon ec593bce13
user might be already known, but was not mapped yet. init on first login.
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2019-01-22 13:38:56 +01:00
rakekniven 4e82b97055
Fixed typo.
Reported at Transifex.

Signed-off-by: Mark Ziegler <mark.ziegler@rakekniven.de>
2019-01-19 22:30:10 +01:00
Björn Schiessle 0b0bfe94a2
create user in the SAML back-end and update the attributes when
the user was found on another back-end during login

Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-12-18 16:54:27 +01:00
Björn Schiessle e9f58dae96
sort idps alphabetically
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-12-12 20:22:03 +01:00
Björn Schiessle d1d43d68f4
Merge pull request #279 from klada/userhome_sanity_check
Add sanity checks for user home directory
2018-11-27 17:32:58 +01:00
Björn Schiessle 6734601db8
Merge pull request #188 from nextcloud/dav_saml
Add sabredav plugin to register environment auth for dav requests
2018-11-27 11:55:28 +01:00
Daniel Klaffenbach 3b930d8628 Add sanity checks for user home directory
When the mapped user home is not a fully qualified path name we'll fall
back to setting the mapped home below the server's datadirectory. This
provides consistent behavior with the "user_ldap" app which uses the same
fallback/safety mechanism.

Signed-off-by: Daniel Klaffenbach <daniel.klaffenbach@hrz.tu-chemnitz.de>
2018-11-26 09:39:21 +01:00
Daniel Klaffenbach 624d1a23b9 Implement mapping of user's home directory
Signed-off-by: Daniel Klaffenbach <daniel.klaffenbach@hrz.tu-chemnitz.de>
2018-11-22 09:45:08 +01:00
Björn Schiessle 0aeaa0401a
Merge pull request #271 from nextcloud/better-error-messages
improve error messages in case SAML is not configured properly
2018-11-21 17:11:56 +01:00
Björn Schiessle 9790fbcb56
improve error messages in case SAML is not configured properly
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-11-20 17:34:46 +01:00
Robin Appelman b7cab9d740 remove anonymous option handling
this was moved to core

Signed-off-by: Robin Appelman <robin@icewind.nl>
2018-11-20 15:12:51 +01:00
Robin Appelman e123a8b984 set saml user as dav authenticated
Signed-off-by: Robin Appelman <robin@icewind.nl>
2018-11-20 15:12:51 +01:00
Robin Appelman 57c0a4d474 allow anonymous options request
Signed-off-by: Robin Appelman <robin@icewind.nl>
2018-11-20 15:12:51 +01:00
Robin Appelman a7f0e35225 Add sabredav plugin to register environment auth for dav requests
Signed-off-by: Robin Appelman <robin@icewind.nl>
2018-11-20 15:12:51 +01:00
Björn Schiessle 087efb7359
content doesn't have to be an array, e.g. for category=type, content is 'saml'
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-11-19 12:25:12 +01:00
Björn Schiessle e38a46eb64
first check if it is an array and that the key exists, to avoid error messages in the log file
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-11-19 12:17:35 +01:00
Björn Schiessle 69c0c5f479
log IDP parameters in debug mode
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-11-16 16:46:31 +01:00
Robin Appelman f20252a5f4 log provisioning errors during sso environment login
Signed-off-by: Robin Appelman <robin@icewind.nl>
2018-11-14 15:05:44 +01:00
Björn Schiessle fadb3a1e4a
add a combobox instead of buttons to select the login method if more than 4 different IDPs are configured
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-11-09 14:46:38 +01:00
Björn Schiessle 860ffb24ad
make global scale setup more robust
If this server acts as a global scale master and the user is not
a local admin of the server we just create the user and continue
no need to update additional attributes.
But for local users, e.g. the admins of the global scale master
we should complete the user setup with all attributes

Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-10-24 14:06:27 +02:00
Roeland Jago Douma 140100b23e
Actually add error page
* The base route now has a function as well so it is not just some empty
route
* We now actually have an error page

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-11 11:56:55 +02:00
Björn Schiessle 6d02ab0717
set base url to 'http://domain/nextcloud/index.php/apps/user_saml/saml'
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-10-09 22:08:33 +02:00
Björn Schiessle 425173365e
adjust Nextcloud app to php-saml 3.0
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-10-09 22:08:33 +02:00
Björn Schiessle b80b94e408
we need to store some basic user information, even in the global scale scenario
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-10-09 16:57:03 +02:00
Björn Schiessle e148d9f8d1
add missing use clause
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-10-04 15:19:55 +02:00
Björn Schiessle 179e4d5b76
fix error message
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-09-25 15:56:36 +02:00
Björn Schiessle 8e95292198
get both the raw data from the IDP and the formatted ones according to the configured parameter mapping
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-09-25 15:56:36 +02:00
Björn Schiessle 53fe18a99f
allow redirect to the logout if it comes from the same server
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-09-25 15:56:36 +02:00
Björn Schiessle 4cbd3e0fe6
format user data before sending it to the client node
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-09-25 15:51:22 +02:00
Björn Schiessle 0d020c048a
add method to get the user data from the idp
This is needed in the global scale setup to forward the user data
from the master node (where the login happens) to the client node

Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-09-25 15:51:22 +02:00
Björn Schiessle 4f852af4ce
don't auto provision the user on a global scale setup
with global scale the authentication happens on the master node
and then the user is forwarded to the node where they are located.
Therefore no user should be created on the master node after the
authentication at the idp was successful

Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-09-25 15:51:22 +02:00
Jean-Baptiste PIN 3f3cd68ef4
added redirection to originalUrl when using SSO
Signed-off-by: Jean-Baptiste PIN <jeanbaptiste@idruide.com>
2018-08-17 16:14:19 +02:00
Jean-Baptiste 0828185832
Added copyright
Signed-off-by: Jean-Baptiste <jibet.pin@gmail.com>
2018-08-17 16:14:09 +02:00
Björn Schiessle 630765f9b4
make sure that we don't show the "select user back-end" login screen if authentication over environment variables has been chosen
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-08-15 12:52:17 +02:00
Björn Schiessle 2ac9adaf79
add missing parameter to function call
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-08-13 17:06:54 +02:00
Björn Schiessle b6b576852a
we only allow multiple user back ends in combination with SAML, not with environment variables
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-08-13 16:51:59 +02:00
Björn Schiessle 73ae008f6c
fix documentation
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-08-03 18:31:14 +02:00
Björn Schiessle d055a0dafb
fix property name
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-08-03 12:43:20 +02:00
Björn Schiessle 2d62533eac
fix unit tests
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-08-03 12:43:20 +02:00
Julius Härtl 00711b8fbb
Fix attribute mapping config fetching
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-08-03 12:43:19 +02:00
Björn Schiessle 20757e9f0e
make sure to always use the right idp config
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-08-03 12:43:19 +02:00
Björn Schiessle dafaf016a6
skip the 'type' if we build the settings page
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-08-03 12:43:19 +02:00
Julius Härtl da69ddd5e3
Fix missing config values when switching idp
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-08-03 12:43:19 +02:00
Björn Schiessle e378f22d10
always read the right idp config
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-08-03 12:43:19 +02:00
Björn Schiessle 39b3d52746
make sure to redirect to correct idp
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-08-03 12:43:19 +02:00
Björn Schiessle afeee8beaa
show all configured IdP's on the login screen
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-08-03 12:43:19 +02:00
Julius Härtl 174234a14e
Fix issue when removing and adding the first idp
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-08-03 12:42:09 +02:00
Julius Härtl 1b4b4ee188
Add controller method to delete all idp config keys
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-08-03 12:42:08 +02:00
Julius Härtl 8c3a4b83e4
Add global settings that are valid for all identity providers
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-08-03 12:42:08 +02:00
Julius Härtl ee5308382b
Allow to configure multiple SAML providers
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-08-03 12:42:06 +02:00
Roeland Jago Douma b6531dbca7
Follow the redirect url on direct login
This makes sure the auth flow also works with the direct login.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-07-11 13:35:15 +02:00
FGIKCM ce6e825b0f
Create skeleton and dispatch first login event
Code taken from 'regular' login method to create skeleton and dispatch event of the user creation.
A better idea would be to directly use the `prepareUserLogin()` method of `lib/private/User/Session.php`, but as it is private...
2018-06-18 16:21:28 +02:00
Sérgio Faria 423a76a843 Add and remove user groups with SAML
Based on PR #95, however:
- Also removes groups based on the group attribute(s).
- Supports groups with spaces (which the previous PR didn't).
- Includes unit test

Signed-off-by: Sérgio Faria <sergio.faria@is4health.com>
2018-03-19 16:07:42 +00:00
bne86 18aa824206 first version for group-mapping. groups are added and user assigned to groups. until now no group removal
Signed-off-by: bne86 <b.von.st.vieth@fz-juelich.de>
2018-03-19 16:07:33 +00:00
bne86 ee38ad3a17 when attribute from saml_response is of type array, return all values with space as separator
Signed-off-by: bne86 <b.von.st.vieth@fz-juelich.de>
2018-03-19 14:03:05 +00:00
Roeland Jago Douma 82102c6f18
Merge pull request #196 from nextcloud/multiple-user-back-ends
Multiple user back ends
2018-03-19 14:01:07 +01:00
Björn Schiessle 02cde8030b
fix function documentation
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-03-19 12:51:39 +01:00
Björn Schiessle 8bc343da6f
make display name of SSO identity provider configurable
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-03-19 12:51:38 +01:00
Björn Schiessle 7daab97ace
add landing page to choose between SSO and direct login
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-03-19 12:51:30 +01:00
blizzz 1df4ef8f2b
Merge pull request #192 from nextcloud/fix/162/search-uid-if-not-known
try to lookup a user if the uid does not resolve and autoprov is disabled
2018-03-19 12:20:05 +01:00
Björn Schiessle cc361cc409
add setting to allow multiple user back-ends parallel to the saml back-end
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-03-16 14:56:29 +01:00
Björn Schiessle 742ae5e80d
set quota to 'default' if no quota parameter is given or quota was set to ''
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-03-15 16:19:24 +01:00
Roeland Jago Douma 9bf0d3eb3d
Add support for mapping the quota
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-03-14 21:15:04 +01:00
Arthur Schiwon bed32b460f
try to lookup a user if the uid does not resolve and autoprov is disabled
it may well be that the user exists but is not yet known to the
specific backend in Nextcloud and needs to be mapped first.

This assumes that searching for the uid will actually find the user. This
is not necessarily given by the backend configuration.

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2018-03-14 17:53:07 +01:00
Björn Schiessle 4b8558522b
detect disabled user and show an appropriate error message
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-03-13 19:06:41 +01:00
Björn Schiessle b9d5f56d25
add a meaningful error message in case an empty uid is given
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-01-16 12:14:21 +01:00
Björn Schiessle d34e216e9d
update the display name in accounts table
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-12-07 17:14:33 +01:00
Roeland Jago Douma f05649f554
Use @NoSameSiteCookieRequired annotation
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-09-26 15:36:20 +02:00
Lukas Reschke cbc0ecd918
Read appname out of variable
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-09-21 17:13:20 +02:00
Lukas Reschke 6a00897841
More logging for debugging
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-09-21 17:08:17 +02:00
Lukas Reschke 54804783c2
Add logout attribute for < 12.0.3
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-09-18 14:11:43 +02:00
Lukas Reschke 082ae7ffd7
Redirect to `/` if CSRF check does not pass
Some IDPs redirect to the SLS page after pressing the logout link. While this is a questionable behaviour it is unlikely we can change that, so let's work around this by forcing a proper redirect.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-30 17:02:11 +02:00
Lukas Reschke 45e52c97c3 Merge pull request #145 from nextcloud/new-slo-url
Implement new SLO URL API
2017-08-30 14:47:02 +02:00
Lukas Reschke 940bcd30a3
Redirect users to previous page
This change ensures that users will be sent to the previous page.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-18 13:58:03 +02:00
Lukas Reschke 2d4aad3487
Implement new SLO URL API
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-18 12:29:49 +02:00
Lukas Reschke a1986b46b0
Also update timestamp for environment variable auth
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-04 18:19:34 +02:00
Lukas Reschke bae5f79cbd
Use static variable for storing backends
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-04 18:16:54 +02:00
Lukas Reschke 3a3eb261aa
Fix order of session actions
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-04 17:24:01 +02:00
Lukas Reschke 5a4d327c0a
Perform logic in ACS
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-04 16:55:01 +02:00
Lukas Reschke bc98b466bd
Set last login after successful login operation
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-04 12:54:59 +02:00
Lukas Reschke 69a6484257
baseurl is expected to be the host name and protocol without path
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-01 17:17:32 +02:00
Lukas Reschke 2a3e46dc2f
Proper casing of file
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-01 11:30:15 +02:00