| Age | Commit message (Collapse) | Author |
|---|
|
Signed-off-by: Julius Härtl <jus@bitgrid.net>
|
|
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
|
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
|
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
|
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
|
|
Signed-off-by: John Molakvoæ <skjnldsv@protonmail.com>
|
|
- adds user_saml_configurations table and migrates existing configuration
- Controller methods are added since appconfig endpoints cannot be used
anymore. THIS IS A BREAKING CHANGE.
- Frontend code is adjusted to use new endpoints.
- security-sloWebServerDecode was changed from global to provider specific
setting. It being global seemed to be unintended. A migration path is yet
missing.
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
|
Signed-off-by: John Molakvoæ <skjnldsv@protonmail.com>
|
|
Signed-off-by: Julius Härtl <jus@bitgrid.net>
|
|
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
|
|
Some SAML servers require this type of decoding, otherwise the SLO request fails. Ideally the library would perform both verifications (https://github.com/onelogin/php-saml/issues/466), but it seems upstream doesn't want to perform this change.
Until we have considered a better solution for this, this adds a new checkbox that one can configure.
Ref https://github.com/nextcloud/user_saml/issues/403
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
|
|
sanitize and test user id received from IdP, if original does not match
|
|
To make debugging SLO errors easier, this adds logging for any
encountered error in that phase.
This is similar to the logging already done on the ACS handling.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
|
|
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
|
- solved code duplication on uid mapping attribute determiniation
- a single point for user id normalization
- slightly reduces logic in the Controller
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
|
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
|
Some people seem to want to have a custom direct login text. This allows
them to set it. For now only via occ. But maybe some day we also add a
GUI component to it.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
|
Fix incorrect key name in "Login flow fix"
|
|
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
|
Add checked user id to InvalidArgumentException
|
|
optional possibility to provide a URL for SLO Response
|
|
'name' key was put in flowData table, but 'token' key was retrieved from this table, thus triggering the following error:
Undefined index: token at /nextcloud/apps/user_saml/lib/Controller/SAMLController.php#306
Signed-off-by: orandev <63342732+orandev@users.noreply.github.com>
|
|
Signed-off-by: Julius Härtl <jus@bitgrid.net>
|
|
Because of the strict samesite cookies SAML fails with the login flow.
Because the post that comes back is not transfering the proper cookies
to use the same session. Hence the token in use gets lost etc.
Now we store this all (encrypted) in a cookie. So that when we come back
we can restore the proper session.
FAQ:
* Is it elegant?
Nope!
* Does it work?
Yes!
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
|
If the SLO throws an error we should catch it. This is so that we do not
show an error page. We should also still logout the current session.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
|
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
|
* the void statements end up in a useless blank page
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
|
Requires https://github.com/nextcloud/server/pull/21479 to fully work.
Basically don't save this info in the session (which is lax by default
starting with NC19 but also soon with new chromes and firefox). We now
save it is a cookie that is set to None. This is the best we can do I
think.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
|
|
|
- fix 'environment-variable' login problem with chrome browser
- problem: using nextcloud behind apache2 mod_auth_mellon, chrome browser gets too many redirects
- description: nc_sameSiteCookiestrict is not sent by chrome, because of the origin POST request by idp and the 3xx redirects on nextcloud side
|
|
request (fixed SP qualifier typo)
Signed-off-by: Clément OUDOT <clement.oudot@worteks.com>
|
|
Signed-off-by: Clément OUDOT <clement.oudot@worteks.com>
|
|
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
|
Some IdPs send their SLO logout requests via POST. To handle
them we need to add an entry in the routing table.
Further, we need to hack around the issue, that php-saml only
handles GET by copying the request from $_POST to $_GET.
This solves #82.
Signed-off-by: Frieder Schrempf <frieder.schrempf@online.de>
|
|
Signed-off-by: Dylann Cordel <d.cordel@webu.coop>
|
|
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
|
always create user in the SAML back-end and update the attributes
|
|
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
|
Reported at Transifex.
Signed-off-by: Mark Ziegler <mark.ziegler@rakekniven.de>
|
|
the user was found on another back-end during login
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
|
|
Signed-off-by: Daniel Klaffenbach <daniel.klaffenbach@hrz.tu-chemnitz.de>
|
|
improve error messages in case SAML is not configured properly
|
|
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
|
|
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
|
|
messages in the log file
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
|
|
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
|
|
Signed-off-by: Robin Appelman <robin@icewind.nl>
|
|
different IDPs are configured
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
|
|
If this server acts as a global scale master and the user is not
a local admin of the server we just create the user and continue
no need to update additional attributes.
But for local users, e.g. the admins of the global scale master
we should complete the user setup with all attributes
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
|
|
* The base route now has a function as well so it is not just some empty
route
* We now actually have an error page
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
