Some SAML servers require this type of decoding, otherwise the SLO request fails. Ideally the library would perform both verifications (https://github.com/onelogin/php-saml/issues/466), but it seems upstream doesn't want to perform this change.
Until we have considered a better solution for this, this adds a new checkbox that one can configure.
Ref https://github.com/nextcloud/user_saml/issues/403
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
To make debugging SLO errors easier, this adds logging for any
encountered error in that phase.
This is similar to the logging already done on the ACS handling.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
- solved code duplication on uid mapping attribute determiniation
- a single point for user id normalization
- slightly reduces logic in the Controller
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
Some people seem to want to have a custom direct login text. This allows
them to set it. For now only via occ. But maybe some day we also add a
GUI component to it.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
- is more tolerate when decoding, uuid structure is still tested later
- ensures the uid is resolved on getCurrentId()
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
'name' key was put in flowData table, but 'token' key was retrieved from this table, thus triggering the following error:
Undefined index: token at /nextcloud/apps/user_saml/lib/Controller/SAMLController.php#306
Signed-off-by: orandev <63342732+orandev@users.noreply.github.com>
Because of the strict samesite cookies SAML fails with the login flow.
Because the post that comes back is not transfering the proper cookies
to use the same session. Hence the token in use gets lost etc.
Now we store this all (encrypted) in a cookie. So that when we come back
we can restore the proper session.
FAQ:
* Is it elegant?
Nope!
* Does it work?
Yes!
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
If the SLO throws an error we should catch it. This is so that we do not
show an error page. We should also still logout the current session.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Requires https://github.com/nextcloud/server/pull/21479 to fully work.
Basically don't save this info in the session (which is lax by default
starting with NC19 but also soon with new chromes and firefox). We now
save it is a cookie that is set to None. This is the best we can do I
think.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
- fix 'environment-variable' login problem with chrome browser
- problem: using nextcloud behind apache2 mod_auth_mellon, chrome browser gets too many redirects
- description: nc_sameSiteCookiestrict is not sent by chrome, because of the origin POST request by idp and the 3xx redirects on nextcloud side
Some IdPs send their SLO logout requests via POST. To handle
them we need to add an entry in the routing table.
Further, we need to hack around the issue, that php-saml only
handles GET by copying the request from $_POST to $_GET.
This solves #82.
Signed-off-by: Frieder Schrempf <frieder.schrempf@online.de>
Björn Schiessle