[Owncloud] SSO solution and sync clients authentication (OC 5.0.7, user_saml)

Sixto Martin smartin at yaco.es
Wed Jun 26 11:17:15 UTC 2013 

I'm agree with the solution proposed by Tornóci László

Other option is to allow the user to change his password without knowing
his old password, maybe using a "reset password based on mail
functionality".
(Only users that plan to use a non-web based interface will be required to
do that)



2013/6/26 Tornóci László <tornoci.laszlo at med.semmelweis-univ.hu>

> On 06/26/2013 12:16 PM, alen vodopijevec wrote:
>
>> Dear OwnCloud-ers,
>>
>> we have a test implementation of Owncloud instance at our institution
>> (since ver. 4.5.0). So far a dozen of our users happily share their
>> files and collaborate. "user_saml" is working fine with OC 5.0.7.
>>
>> Current system specification:
>> --
>> 1. Owncloud ver. 5.0.7 on Debian GNU Linux system (simplesaml sP)
>> 2. A few standard plugins
>> 3. user_saml plugin (with couple of adjustments regarding user
>> filtering) for authentication through our national authentication and
>> authorization system AAI at EduHr (http://www.aaiedu.hr)
>> --
>>
>> I'm experimenting with sync client (1.3.0) but there is catch. When user
>> authenticates (user_saml) for the first time he/she gets a new record on
>> "oc_users" table with random password -> OK.. simplesamlphp manages user
>> login, so system password is not used for web logins.
>>
>>
>> PROBLEM:
>> Users cannot use sync clients because they don't know their random
>> system password and they cannot even change it because of the same
>> issue.. Admin user can change other user passwords (after applying patch
>> https://github.com/owncloud/**core/commit/**
>> 563f343291fb5d0292c66cb761a053**557bfdae47<https://github.com/owncloud/core/commit/563f343291fb5d0292c66cb761a053557bfdae47>
>> )
>> .. thats ok but it's not the real solution.
>>
>
>
> I think there is a simple solution, if you have access to the LDAP that is
> the backend to the identity provider service. Simply untick the "Autocreate
> user after SAML login" and set up LDAP auth too. The first prevents the
> creation of a record in oc_users. The second provides you auth for webdav
> services. This setup works for me quite well.
>
>                                         Yours: Laszlo
>
> ______________________________**_________________
> Owncloud mailing list
> Owncloud at kde.org
> https://mail.kde.org/mailman/**listinfo/owncloud<https://mail.kde.org/mailman/listinfo/owncloud>
>



-- 
Sixto Pablo Martín García
Ingeniero Informático
Yaco Sistemas SL
Teléfono +34 954 50 00 57
C/Rioja 5-1ª Planta
41001 Sevilla
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/owncloud/attachments/20130626/3f81643c/attachment.html>

More information about the Owncloud mailing list