[Owncloud] SSO solution and sync clients authentication (OC 5.0.7, user_saml)

Tornóci László tornoci.laszlo at med.semmelweis-univ.hu
Wed Jun 26 12:22:15 UTC 2013


On 06/26/2013 01:24 PM, alen vodopijevec wrote:
> On 06/26/2013 12:46 PM, Tornóci László wrote:
>>
>> I think there is a simple solution, if you have access to the LDAP
>> that is the backend to the identity provider service. Simply untick
>> the "Autocreate user after SAML login" and set up LDAP auth too. The
>> first prevents the creation of a record in oc_users. The second
>> provides you auth for webdav services. This setup works for me quite
>> well.
>>
>
> Thank you for your suggestion. We don't have access to the LDAP database.
> AAI at EduHr is a service in front of all individual LDAP databases located
> at our academic and research institutions - so, LDAP auth is not an
> option in this case.

Most of my users are employees of my university. We also have a 
federated auth system like you, but the federation just provides a 
"where are you from" service, and the IdPs are local. Since I provide 
the local IdP service as well, it is not a problem to access the LDAP 
too. LDAP auth also gives you LDAP groups, quota management etc.
The nice thing about this is that OC allows you to mix locally defined 
users and users defined in LDAP. You can define local groups alongside 
groups defined in LDAP too. So I define users who are not in my LDAP 
dir as local OC users, and this works quite well.

However, if you want to provide OC service to lots of people who are in 
the federation, but not in the local LDAP (or simply there is no way to 
access the local LDAP - but that is silly), you are in trouble. I would 
probably write a web front end to set up local OC users based on the 
federated authentication data, and would let my users pick their own 
passwords stored in oc_users. And I would not use SAML auth in OC at 
all. Otherwise you will have loads of problems because people may have 
two different passwords to access different services in OC.
An alternative possibility is to automatically mail the generated password 
to your users. But this also leads to the two-passwords problem.

Yours: Laszlo