Clément OUDOT
8d6eb60128
Merge remote-tracking branch 'upstream/master' into fix-saml-single-logout
2020-03-05 19:39:12 +01:00
Julius Härtl
e75809a5f7
Add setting to specify a different signature algorithm
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2020-02-13 16:01:03 +01:00
Frank Tröger
ee459c687c
fixed login with chrome browser
...
- fix 'environment-variable' login problem with chrome browser
- problem: using nextcloud behind apache2 mod_auth_mellon, chrome browser gets too many redirects
- description: nc_sameSiteCookiestrict is not sent by chrome, because of the origin POST request by idp and the 3xx redirects on nextcloud side
2020-01-28 20:01:47 +01:00
Soisik Froger
2313df0e00
use NameId format, name qualifier and name SP qualifier in SAML logout request (fixed SP qualifier typo)
...
Signed-off-by: Clément OUDOT <clement.oudot@worteks.com>
2019-12-16 16:59:48 +01:00
Clément OUDOT
04fcb5387b
use NameId format, name qualifier and name SP qualifier in SAML logout request
...
Signed-off-by: Clément OUDOT <clement.oudot@worteks.com>
2019-12-16 16:59:48 +01:00
Roeland Jago Douma
8888d5a9ad
Add counting to the user backend
...
This will allow reporting to also list the number of SAML users on the
instance.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-11-28 15:20:03 +01:00
Arthur Schiwon
f81d18c816
don't expose method for no reason
...
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2019-09-23 12:43:14 +02:00
Arthur Schiwon
c839dc1e73
decode objectGUID to their ASCII representation if
...
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2019-09-19 14:07:06 +02:00
Arthur Schiwon
3737d92d4b
prevent confirmation dialogs for passwordless users
...
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2019-06-28 18:29:36 +02:00
Frieder Schrempf
413c7a9239
Handle SLO logout requests from IdP via POST
...
Some IdPs send their SLO logout requests via POST. To handle
them we need to add an entry in the routing table.
Further, we need to hack around the issue, that php-saml only
handles GET by copying the request from $_POST to $_GET.
This solves #82.
Signed-off-by: Frieder Schrempf <frieder.schrempf@online.de>
2019-06-17 18:56:55 +02:00
Dylann Cordel
f780006005
fix IDP-initiated Logout #334
...
Signed-off-by: Dylann Cordel <d.cordel@webu.coop>
2019-06-07 21:28:04 +02:00
Roeland Jago Douma
1c8b32c841
Use a prefix to obtain the nameid format
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-05-29 09:53:52 +02:00
Roeland Jago Douma
4e8ee3ae0a
Make NameIDFormat configurable
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-05-28 23:00:34 +02:00
Roeland Jago Douma
1365bf820d
Load a timezone file if no timezone is set
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-05-27 08:39:22 +02:00
blizzz
8b5733828e
Merge pull request #319 from nextcloud/fix/noid/user-search-parity
...
user search parity as with local users
2019-05-06 11:42:15 +02:00
Björn Schiessle
eb9f3ffb02
add additional debug output when reading attributes from the IDP
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2019-04-25 13:36:46 +02:00
Arthur Schiwon
12e8767baa
user search parity as with local users
...
* also take displayname and email into account
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2019-04-12 17:07:23 +02:00
Björn Schiessle
577f612267
Merge pull request #286 from nextcloud/fix-268
...
always create user in the SAML back-end and update the attributes
2019-01-24 14:58:11 +01:00
Arthur Schiwon
ec593bce13
user might be already known, but was not mapped yet. init on first login.
...
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2019-01-22 13:38:56 +01:00
rakekniven
4e82b97055
Fixed typo.
...
Reported at Transifex.
Signed-off-by: Mark Ziegler <mark.ziegler@rakekniven.de>
2019-01-19 22:30:10 +01:00
Björn Schiessle
0b0bfe94a2
create user in the SAML back-end and update the attributes when
...
the user was found on another back-end during login
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-12-18 16:54:27 +01:00
Björn Schiessle
e9f58dae96
sort idps alphabetically
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-12-12 20:22:03 +01:00
Björn Schiessle
d1d43d68f4
Merge pull request #279 from klada/userhome_sanity_check
...
Add sanity checks for user home directory
2018-11-27 17:32:58 +01:00
Björn Schiessle
6734601db8
Merge pull request #188 from nextcloud/dav_saml
...
Add sabredav plugin to register environment auth for dav requests
2018-11-27 11:55:28 +01:00
Daniel Klaffenbach
3b930d8628
Add sanity checks for user home directory
...
When the mapped user home is not a fully qualified path name we'll fall
back to setting the mapped home below the server's datadirectory. This
provides consistent behavior with the "user_ldap" app which uses the same
fallback/safety mechanism.
Signed-off-by: Daniel Klaffenbach <daniel.klaffenbach@hrz.tu-chemnitz.de>
2018-11-26 09:39:21 +01:00
Daniel Klaffenbach
624d1a23b9
Implement mapping of user's home directory
...
Signed-off-by: Daniel Klaffenbach <daniel.klaffenbach@hrz.tu-chemnitz.de>
2018-11-22 09:45:08 +01:00
Björn Schiessle
0aeaa0401a
Merge pull request #271 from nextcloud/better-error-messages
...
improve error messages in case SAML is not configured properly
2018-11-21 17:11:56 +01:00
Björn Schiessle
9790fbcb56
improve error messages in case SAML is not configured properly
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-11-20 17:34:46 +01:00
Robin Appelman
b7cab9d740
remove anonymous option handling
...
this was moved to core
Signed-off-by: Robin Appelman <robin@icewind.nl>
2018-11-20 15:12:51 +01:00
Robin Appelman
e123a8b984
set saml user as dav authenticated
...
Signed-off-by: Robin Appelman <robin@icewind.nl>
2018-11-20 15:12:51 +01:00
Robin Appelman
57c0a4d474
allow anonymous options request
...
Signed-off-by: Robin Appelman <robin@icewind.nl>
2018-11-20 15:12:51 +01:00
Robin Appelman
a7f0e35225
Add sabredav plugin to register environment auth for dav requests
...
Signed-off-by: Robin Appelman <robin@icewind.nl>
2018-11-20 15:12:51 +01:00
Björn Schiessle
087efb7359
content doesn't have to be an array, e.g. for category=type, content is 'saml'
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-11-19 12:25:12 +01:00
Björn Schiessle
e38a46eb64
first check if it is an array and that the key exists, to avoid error messages in the log file
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-11-19 12:17:35 +01:00
Björn Schiessle
69c0c5f479
log IDP parameters in debug mode
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-11-16 16:46:31 +01:00
Robin Appelman
f20252a5f4
log provisioning errors during sso environment login
...
Signed-off-by: Robin Appelman <robin@icewind.nl>
2018-11-14 15:05:44 +01:00
Björn Schiessle
fadb3a1e4a
add a combobox instead of buttons to select the login method if more than 4 different IDPs are configured
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-11-09 14:46:38 +01:00
Björn Schiessle
860ffb24ad
make global scale setup more robust
...
If this server acts as a global scale master and the user is not
a local admin of the server, we just create the user and continue;
there is no need to update additional attributes.
But for local users, e.g. the admins of the global scale master,
we should complete the user setup with all attributes.
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-10-24 14:06:27 +02:00
Roeland Jago Douma
140100b23e
Actually add error page
...
* The base route now has a function as well so it is not just some empty
route
* We now actually have an error page
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-11 11:56:55 +02:00
Björn Schiessle
6d02ab0717
set base url to 'http://domain/nextcloud/index.php/apps/user_saml/saml'
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-10-09 22:08:33 +02:00
Björn Schiessle
425173365e
adjust Nextcloud app to php-saml 3.0
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-10-09 22:08:33 +02:00
Björn Schiessle
b80b94e408
we need to store some basic user information, even in the global scale scenario
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-10-09 16:57:03 +02:00
Björn Schiessle
e148d9f8d1
add missing use clause
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-10-04 15:19:55 +02:00
Björn Schiessle
179e4d5b76
fix error message
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-09-25 15:56:36 +02:00
Björn Schiessle
8e95292198
get both the raw data from the IDP and the formatted ones according to the configured parameter mapping
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-09-25 15:56:36 +02:00
Björn Schiessle
53fe18a99f
allow redirect to the logout if it comes from the same server
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-09-25 15:56:36 +02:00
Björn Schiessle
4cbd3e0fe6
format user data before sending it to the client node
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-09-25 15:51:22 +02:00
Björn Schiessle
0d020c048a
add method to get the user data from the idp
...
This is needed in the global scale setup to forward the user data
from the master node (where the login happens) to the client node
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-09-25 15:51:22 +02:00
Björn Schiessle
4f852af4ce
don't auto provision the user on a global scale setup
...
with global scale the authentication happens on the master node
and then the user is forwarded to the node where they are located.
Therefore no user should be created on the master node after the
authentication at the idp was successful
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-09-25 15:51:22 +02:00
Jean-Baptiste PIN
3f3cd68ef4
added redirection to originalUrl when using SSO
...
Signed-off-by: Jean-Baptiste PIN <jeanbaptiste@idruide.com>
2018-08-17 16:14:19 +02:00
Jean-Baptiste
0828185832
Added copyright
...
Signed-off-by: Jean-Baptiste <jibet.pin@gmail.com>
2018-08-17 16:14:09 +02:00
Björn Schiessle
630765f9b4
make sure that we don't show the "select user back-end" login screen if authentication over environment variables has been chosen
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-08-15 12:52:17 +02:00
Björn Schiessle
2ac9adaf79
add missing parameter to function call
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-08-13 17:06:54 +02:00
Björn Schiessle
b6b576852a
we only allow multiple user back ends in combination with SAML, not with environment variables
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-08-13 16:51:59 +02:00
Björn Schiessle
73ae008f6c
fix documentation
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-08-03 18:31:14 +02:00
Björn Schiessle
d055a0dafb
fix property name
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-08-03 12:43:20 +02:00
Björn Schiessle
2d62533eac
fix unit tests
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-08-03 12:43:20 +02:00
Julius Härtl
00711b8fbb
Fix attribute mapping config fetching
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-08-03 12:43:19 +02:00
Björn Schiessle
20757e9f0e
make sure to always use the right idp config
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-08-03 12:43:19 +02:00
Björn Schiessle
dafaf016a6
skip the 'type' if we build the settings page
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-08-03 12:43:19 +02:00
Julius Härtl
da69ddd5e3
Fix missing config values when switching idp
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-08-03 12:43:19 +02:00
Björn Schiessle
e378f22d10
always read the right idp config
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-08-03 12:43:19 +02:00
Björn Schiessle
39b3d52746
make sure to redirect to correct idp
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-08-03 12:43:19 +02:00
Björn Schiessle
afeee8beaa
show all configured IdP's on the login screen
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-08-03 12:43:19 +02:00
Julius Härtl
174234a14e
Fix issue when removing and adding the first idp
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-08-03 12:42:09 +02:00
Julius Härtl
1b4b4ee188
Add controller method to delete all idp config keys
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-08-03 12:42:08 +02:00
Julius Härtl
8c3a4b83e4
Add global settings that are valid for all identity providers
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-08-03 12:42:08 +02:00
Julius Härtl
ee5308382b
Allow to configure multiple SAML providers
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-08-03 12:42:06 +02:00
Roeland Jago Douma
b6531dbca7
Follow the redirect url on direct login
...
This makes sure the auth flow also works with the direct login.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-07-11 13:35:15 +02:00
FGIKCM
ce6e825b0f
Create skeleton and dispatch first login event
...
Code taken from the 'regular' login method to create the skeleton and dispatch the event of the user creation.
A better idea would be to directly use the `prepareUserLogin()` method of `lib/private/User/Session.php`, but as it is private...
2018-06-18 16:21:28 +02:00
Sérgio Faria
423a76a843
Add and remove user groups with SAML
...
Based on PR #95, however:
- Also removes groups based on the group attribute(s).
- Supports groups with spaces (which the previous PR didn't).
- Includes unit test
Signed-off-by: Sérgio Faria <sergio.faria@is4health.com>
2018-03-19 16:07:42 +00:00
bne86
18aa824206
first version for group-mapping. Groups are added and users are assigned to groups. Until now no group removal.
...
Signed-off-by: bne86 <b.von.st.vieth@fz-juelich.de>
2018-03-19 16:07:33 +00:00
bne86
ee38ad3a17
when attribute from saml_response is of type array, return all values with space as separator
...
Signed-off-by: bne86 <b.von.st.vieth@fz-juelich.de>
2018-03-19 14:03:05 +00:00
Roeland Jago Douma
82102c6f18
Merge pull request #196 from nextcloud/multiple-user-back-ends
...
Multiple user back ends
2018-03-19 14:01:07 +01:00
Björn Schiessle
02cde8030b
fix function documentation
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-03-19 12:51:39 +01:00
Björn Schiessle
8bc343da6f
make display name of SSO identity provider configurable
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-03-19 12:51:38 +01:00
Björn Schiessle
7daab97ace
add landing page to choose between SSO and direct login
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-03-19 12:51:30 +01:00
blizzz
1df4ef8f2b
Merge pull request #192 from nextcloud/fix/162/search-uid-if-not-known
...
try to lookup a user if the uid does not resolve and autoprov is disabled
2018-03-19 12:20:05 +01:00
Björn Schiessle
cc361cc409
add setting to allow multiple user back-ends parallel to the saml back-end
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-03-16 14:56:29 +01:00
Björn Schiessle
742ae5e80d
set quota to 'default' if no quota parameter is given or quota was set to ''
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-03-15 16:19:24 +01:00
Roeland Jago Douma
9bf0d3eb3d
Add support for mapping the quota
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-03-14 21:15:04 +01:00
Arthur Schiwon
bed32b460f
try to lookup a user if the uid does not resolve and autoprov is disabled
...
it may well be that the user exists but is not yet known to the
specific backend in Nextcloud and needs to be mapped first.
This assumes that searching for the uid will actually find the user. This
is not necessarily given by the backend configuration.
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2018-03-14 17:53:07 +01:00
Björn Schiessle
4b8558522b
detect disabled user and show an appropriate error message
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-03-13 19:06:41 +01:00
Björn Schiessle
b9d5f56d25
add a meaningful error message in case an empty uid is given
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-01-16 12:14:21 +01:00
Björn Schiessle
d34e216e9d
update the display name in accounts table
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-12-07 17:14:33 +01:00
Roeland Jago Douma
f05649f554
Use @NoSameSiteCookieRequired annotation
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-09-26 15:36:20 +02:00
Lukas Reschke
cbc0ecd918
Read appname out of variable
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-09-21 17:13:20 +02:00
Lukas Reschke
6a00897841
More logging for debugging
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-09-21 17:08:17 +02:00
Lukas Reschke
54804783c2
Add logout attribute for < 12.0.3
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-09-18 14:11:43 +02:00
Lukas Reschke
082ae7ffd7
Redirect to `/` if CSRF check does not pass
...
Some IDPs redirect to the SLS page after pressing the logout link. While this is a questionable behaviour it is unlikely we can change that, so let's work around this by forcing a proper redirect.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-30 17:02:11 +02:00
Lukas Reschke
45e52c97c3
Merge pull request #145 from nextcloud/new-slo-url
...
Implement new SLO URL API
2017-08-30 14:47:02 +02:00
Lukas Reschke
940bcd30a3
Redirect users to previous page
...
This change ensures that users will be sent to the previous page.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-18 13:58:03 +02:00
Lukas Reschke
2d4aad3487
Implement new SLO URL API
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-18 12:29:49 +02:00
Lukas Reschke
a1986b46b0
Also update timestamp for environment variable auth
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-04 18:19:34 +02:00
Lukas Reschke
bae5f79cbd
Use static variable for storing backends
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-04 18:16:54 +02:00
Lukas Reschke
3a3eb261aa
Fix order of session actions
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-04 17:24:01 +02:00
Lukas Reschke
5a4d327c0a
Perform logic in ACS
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-04 16:55:01 +02:00
Lukas Reschke
bc98b466bd
Set last login after successful login operation
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-04 12:54:59 +02:00
Lukas Reschke
69a6484257
baseurl is expected to be the host name and protocol without path
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-01 17:17:32 +02:00
Lukas Reschke
2a3e46dc2f
Proper casing of file
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-01 11:30:15 +02:00