[Owncloud] SSO solution and sync clients authentication (OC 5.0.7, user_saml)
alen vodopijevec
alen at irb.hr
Wed Jun 26 13:37:42 UTC 2013
Well, I have access to local LDAP and the benefits that you state (mixing
users/groups) are in place, but:
1. I would like to provide users with SSO functionalities for the web interface
2. I would like to authenticate other users that come from federation
3. I would like to avoid storing SSO credentials locally
4. I don't want to mess with another authentication mechanism (LDAP) if
not necessary
I believe that a password/token solution for sync clients, for users that
are using any of the external auth mechanisms, would be a good choice.
Yes, it's a two-passwords problem, but a minority of my users will use the
sync client, and you don't configure the sync client every day..
And in addition, I think there should be a configuration option to allow
or disallow the usage of local passwords for the web interface when external
authentication is enabled.
Regarding point 3: the sync-client password in
~/.local/share/data/ownCloud/owncloud.cfg is only base64 encoded.
# echo -n 'QmFkIGd1eXMgY2FuIHJlYWQgbXkgcGFzc3dvcmQhIDop' | base64 -d
Regards,
--
alen
On 06/26/2013 02:22 PM, Tornóci László wrote:
> Most of my users are employees of my university. We also have a
> federated auth system like you, but the federation just provides a
> "where are you from" service, and the IdP-s are local. Since I provide
> the local IdP service as well, it is not a problem to access the LDAP
> too. LDAP auth also gives you LDAP groups, quota management etc.
> The nice thing about this is that OC allows you to mix locally defined
> users and users defined in LDAP. You can define local groups alongside
> of groups defined in LDAP too. So I define users who are not in my
> LDAP dir as local OC users, and this works quite well.
> However, if you want to provide OC service to lots of people who are
> in the federation, but not in the local LDAP (or simply there is no
> way to access the local LDAP - but that is silly), you are in trouble.
> I would probably write a web front end to set up local OC users based
> on the federated authentication data, and would let my users pick
> their own passwords stored in oc_users. And I would not use SAML auth
> in OC at all. Otherwise you will have loads of problems because people
> may have two different passwords to access different services in OC.
> An alternative possibility is to automatically mail the generated
> password to your users. But this also leads to the two-passwords problem.
>
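The one-liner above decodes a single value by hand. As an added example (not code from the thread or from the ownCloud project), the script below generalizes that check: it scans every key in an INI-style config and reports values that are merely base64-encoded, so the same test can be run over any client config. The sample config, its section and key names, and the URL are constructed for the example; the real owncloud.cfg key names are not given on this page and are not assumed here.

```python
import base64
import binascii
import configparser
import string

# Constructed sample in an INI-like layout. The section and key names
# are assumptions for illustration, not the real client's schema; the
# password value is the one decoded in the message above.
SAMPLE_CFG = """\
[General]
url=https://cloud.example.org/owncloud
user=alen

[Account]
password=QmFkIGd1eXMgY2FuIHJlYWQgbXkgcGFzc3dvcmQhIDop
"""

PRINTABLE = set(string.printable)


def decode_if_base64(value):
    """Return the decoded text if `value` is well-formed base64 that decodes
    to printable UTF-8, else None. validate=True rejects any character
    outside the base64 alphabet, and the UTF-8/printable checks weed out
    short ordinary words (e.g. 'alen') that happen to be valid base64."""
    if len(value) < 4 or len(value) % 4:
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not text or not all(c in PRINTABLE for c in text):
        return None
    return text


def find_encoded_values(cfg_text):
    """Scan every key of an INI-style config and return a list of
    (section, key, plaintext) for values that are only base64-encoded."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key names as written
    parser.read_string(cfg_text)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            decoded = decode_if_base64(value)
            if decoded is not None:
                hits.append((section, key, decoded))
    return hits


if __name__ == "__main__":
    for section, key, plaintext in find_encoded_values(SAMPLE_CFG):
        print(f"[{section}] {key}: base64 only, decodes to {plaintext!r}")
```

Running it against a real config file is a matter of replacing SAMPLE_CFG with the file's contents; any hit means the secret is recoverable by anyone who can read the file, which is the point being made about storing SSO credentials locally.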