[Owncloud] SAML plans for OC (Was: SSO solution and sync clients authentication (OC 5.0.7, user_saml))

Frank Karlitschek frank at owncloud.org
Thu Jun 27 20:56:50 UTC 2013 

On 26.06.2013, at 21:48, Tornóci László <tornoci.laszlo at med.semmelweis-univ.hu> wrote:

> On 06/26/2013 03:37 PM, alen vodopijevec wrote:
>> Well, I have access to local LDAP and benefits that you state (mixing
>> users/groups) are in place but:
>> 
>> 1. I would like to provide users with SSO funcionalities for web interface
>> 2. I would like to authenticate other users that come from federation
>> 3. I would like to avoid storing SSO credentials locally
>> 4. I don't want to mess with another authentication mechanism (LDAP) if
>> not necessary
>> 
>> I believe that password/token solution for sync clients for users that
>> are using any of external auth mechanisms would be a good choice.
>> 
>> Yes, it's a two passwords problem, but minority of my users will use
>> sync-client and you don't configure sync-client every day..
>> 
>> And in addition, I think there should be a configuration option to allow
>> or not the usage of local passwords for web interface when external
>> authentication is enabled.
>> 
>> Regarding point 3. - sync-client password in
>> ~/.local/share/data/ownCloud/owncloud.cfg is base64 encoded.
>> 
>> # echo -n 'QmFkIGd1eXMgY2FuIHJlYWQgbXkgcGFzc3dvcmQhIDop' | base64 -d
> 
> I see. One more thing: I remember seeing a presentation by Frank Karlitschek about OC (sorry can't find the link to it), and SAML authentication was mentioned on one of his slides as something planned for OC. It gave the impression that there is going to be a core implementation of SAML auth in OC just like LDAP auth. (I know about the 2 different 3rd party solutions). So I wonder: what are the "official" plans for SAML auth in OC? Perhaps the developers have some good idea already how to solve the issues you have.
> 
> Frank, could you comment on this?

sure :-)

Well SAML is an important feature and I know that a lot of users want that. There are the mentioned 3rd party solutions on apps.owncloud.com and on github and they work as far as I know. I personally don't use it so I don' know the exact status but it is all open source and everybody can contribute if something is missing.

I know that the Desktop client and the mobile client guys are also working on integrating SAML into the clients directly.

If you have special requirements or you want to speed up the development please contribute. Everybody can help.

Frank


> 
> 					Yours: Laszlo
>> 
>> 
>> Regards,
>> --
>> alen
>> 
>> 
>> On 06/26/2013 02:22 PM, Tornóci László wrote:
>>> Most of my users are employees of my university. We also have a
>>> federated auth system like you, but the federation just provides a
>>> "where are you from" service, and the IdP-s are local. Since I provide
>>> the local IdP service as well, it is not a problem to access the LDAP
>>> too. LDAP auth also gives you LDAP groups, quota management etc.
>>> The nice thing about this is that OC allows you to mix locally defined
>>> users and users defined in LDAP. You can define local groups alongside
>>> of groups defined in LDAP too. So I define users who are not in my
>>> LDAP dir as local OC users, and this works quite well.
>>> However, if you want to provide OC service to lots of people who are
>>> in the federation, but not in the local LDAP (or simply there is no
>>> way to access the local LDAP - but that is silly), you are in trouble.
>>> I would probably write a web front end to set up local OC users based
>>> on the federated authentication data, and would let my users to pick
>>> their own passwords stored in oc_users. And I would not use SAML auth
>>> in OC at all. Otherwise you will have loads of problems because people
>>> may have two different passwords to access different services in OC.
>>> An alternative possibility to automatically mail the generated
>>> password to your users. But this also leads to the 2 passwords problem.
>>> 
>> 
>> _______________________________________________
>> Owncloud mailing list
>> Owncloud at kde.org
>> https://mail.kde.org/mailman/listinfo/owncloud

More information about the Owncloud mailing list