On Wed, 07 Feb 2018, Rob Crittenden via FreeIPA-users wrote:
Николай Савельев via FreeIPA-users wrote:
Hi.
I have FreeIPA with an AD trust.
I want to set up Nextcloud with IPA and AD users.
LDAP in cn=compat,dc=dom,dc=lan doesn't have the memberOf attribute.
I set up ipsilon (https://ipsilon-project.org/) for SSO and SAML authentication.
Authentication with login and password works.
But I have a local domain for ipsilon and nextcloud and Kerberos DOM.LAN, and the
internet domain domain.ru.
So, when I go to nextcloud with my Kerberos ticket, I get a 500 internal error.

Maybe anybody knows how to correct this mistake?




Is there an option to use uniqueMember for groups instead in nextcloud?
That should be available in cn=compat.
I have my own FreeIPA deployment working with the nextcloud user_saml
plugin via ipsilon. We identified one bug in Ipsilon related to the use
of encrypted NameID and encrypted assertion responses with Ipsilon
developers; this is going to be fixed soon.

sqlite> select * from oc_appconfig where appid='user_saml' and not (configkey = 'idp-x509cert' or configkey = 'sp-privateKey' or configkey = 'sp-x509cert');
user_saml|installed_version|1.4.0
user_saml|enabled|yes
user_saml|types|authentication
user_saml|type|saml
user_saml|general-uid_mapping|uid
user_saml|idp-singleSignOnService.url|some url
user_saml|idp-singleLogoutService.url|some url
user_saml|idp-entityId|some url
user_saml|security-signMetadata|1
user_saml|security-authnRequestsSigned|1
user_saml|saml-attribute-mapping-email_mapping|mail
user_saml|saml-attribute-mapping-displayName_mapping|gecos
user_saml|security-logoutRequestSigned|1
user_saml|security-wantAssertionsSigned|1
user_saml|security-wantAssertionsEncrypted|0
user_saml|security-wantMessagesSigned|1
user_saml|security-logoutResponseSigned|1
user_saml|security-wantXMLValidation|1
user_saml|general-require_provisioned_account|0

However, user_saml needs some updates to get file info for user storage
done right. This comment reflects what happens:
https://github.com/nextcloud/server/issues/7212#issuecomment-346859823

--
/ Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org