[Owncloud] SAML plans for OC (Was: SSO solution and sync clients authentication (OC 5.0.7, user_saml))

Tornóci László tornoci.laszlo at med.semmelweis-univ.hu
Wed Jun 26 20:48:10 UTC 2013


On 06/26/2013 03:37 PM, alen vodopijevec wrote:
> Well, I have access to local LDAP and benefits that you state (mixing
> users/groups) are in place but:
>
> 1. I would like to provide users with SSO funcionalities for web interface
> 2. I would like to authenticate other users that come from federation
> 3. I would like to avoid storing SSO credentials locally
> 4. I don't want to mess with another authentication mechanism (LDAP) if
> not necessary
>
> I believe that password/token solution for sync clients for users that
> are using any of external auth mechanisms would be a good choice.
>
> Yes, it's a two passwords problem, but minority of my users will use
> sync-client and you don't configure sync-client every day..
>
> And in addition, I think there should be a configuration option to allow
> or not the usage of local passwords for web interface when external
> authentication is enabled.
>
> Regarding point 3. - sync-client password in
> ~/.local/share/data/ownCloud/owncloud.cfg is base64 encoded.
>
> # echo -n 'QmFkIGd1eXMgY2FuIHJlYWQgbXkgcGFzc3dvcmQhIDop' | base64 -d

I see. One more thing: I remember seeing a presentation by Frank 
Karlitschek about OC (sorry can't find the link to it), and SAML 
authentication was mentioned on one of his slides as something planned 
for OC. It gave the impression that there is going to be a core 
implementation of SAML auth in OC just like LDAP auth. (I know about the 
2 different 3rd party solutions). So I wonder: what are the "official" 
plans for SAML auth in OC? Perhaps the developers have some good idea 
already how to solve the issues you have.

Frank, could you comment on this?

					Yours: Laszlo
>
>
> Regards,
> --
> alen
>
>
> On 06/26/2013 02:22 PM, Tornóci László wrote:
>> Most of my users are employees of my university. We also have a
>> federated auth system like you, but the federation just provides a
>> "where are you from" service, and the IdP-s are local. Since I provide
>> the local IdP service as well, it is not a problem to access the LDAP
>> too. LDAP auth also gives you LDAP groups, quota management etc.
>> The nice thing about this is that OC allows you to mix locally defined
>> users and users defined in LDAP. You can define local groups alongside
>> of groups defined in LDAP too. So I define users who are not in my
>> LDAP dir as local OC users, and this works quite well.
>> However, if you want to provide OC service to lots of people who are
>> in the federation, but not in the local LDAP (or simply there is no
>> way to access the local LDAP - but that is silly), you are in trouble.
>> I would probably write a web front end to set up local OC users based
>> on the federated authentication data, and would let my users to pick
>> their own passwords stored in oc_users. And I would not use SAML auth
>> in OC at all. Otherwise you will have loads of problems because people
>> may have two different passwords to access different services in OC.
>> An alternative possibility to automatically mail the generated
>> password to your users. But this also leads to the 2 passwords problem.
>>
>
> _______________________________________________
> Owncloud mailing list
> Owncloud at kde.org
> https://mail.kde.org/mailman/listinfo/owncloud




More information about the Owncloud mailing list