dominik-th / matomo-plugin-LoginOIDC

external authentication services for matomo
https://plugins.matomo.org/LoginOIDC/
GNU General Public License v3.0

LoginLDAP plugin compatibility #36

Open l00v3 opened 3 years ago

l00v3 commented 3 years ago

Hello, first, thank you for this plugin! It looks nice; I hope we can get it to work in our case.

Problem

We are using the LoginLDAP plugin to sync users with Matomo. The users have their email address as username, so they log in with user@domain.com. Now we don't allow OAuth or Matomo registrations, because we manage users with LDAP.

LoginOIDC is installed, configured with Keycloak, and it's working. But the situation is the following. Normal login works for an LDAP user. But when I try to log in with OIDC as an existing user (user@domain.com) from LDAP, the error is: User not found. OAuth registrations are disabled.

If I allow OAuth registration and try to log in with the same user, the error is: Username 'user@domain.com' already exists.

If I allow OAuth registration and log in with a user that does not exist in LDAP, the registration is successful, so OIDC is working.

Expected functionality

We just want to use "SSO - Single Sign On" with OIDC, but only create users with LDAP.

I think the problem is somehow compatibility with the LoginLDAP plugin. I don't know how to diagnose this, so any help would be appreciated. Also, if you need any more information, I will post it.

Thank you very much for your help! Tom

Info

Matomo version 4.0.5

LoginLdap (v4.2.2)

LoginOIDC (v4.0.0)

OIDC provider Keycloak

Fix

Had to apply fix from - using Percona cluster 8.0:

31

dominik-th commented 3 years ago

Hi! Your users still have to link their Matomo account with the Keycloak account in the security settings.

l00v3 commented 3 years ago

Hello! Thank you for your quick reply! Yes, this was it: the user has to manually link their Matomo user with the Keycloak account.

But as they are the same user (both Matomo and Keycloak use LDAP as the user source), is it possible to automatically link the Matomo user and the Keycloak account?

Because we want to enable 2FA via Keycloak only and configure Matomo with OpenID login only, the user cannot log in to Matomo to configure this manually; it would have to be done automatically. Is this possible?

Edit: I did not find an option to only allow logins via Keycloak OpenID. Is this possible? Because if we enable 2FA in Keycloak and don't disable Matomo login, users can still log in with no 2FA via the normal Matomo login.

Thank you very much! Tom
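The auto-linking asked about above has a security-relevant edge: matching an incoming OIDC identity to an existing local account by e-mail is only safe when the IdP vouches for that address, and repeat logins should key on the stable `sub` claim rather than on e-mail. The following is an added example written for this thread, not code from LoginOIDC, LoginLDAP or Matomo; the user records, the issuer URL and the helper names are constructed, while `iss`, `sub`, `email` and `email_verified` are standard OIDC ID-token claims. It models the situation in the thread (local users synced from LDAP with the e-mail address as login) and decides whether a Keycloak login should be auto-linked, simply accepted, or refused.

```python
"""Auto-link decision for an OIDC login against a local user table (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# Assumed issuer of the Keycloak realm; anything else is refused outright.
TRUSTED_ISSUER = "https://keycloak.example.com/realms/matomo"


@dataclass
class LocalUser:
    login: str                      # Matomo login; here the e-mail, as in the thread
    email: str
    oidc_sub: Optional[str] = None  # link established on an earlier login, if any


@dataclass
class Decision:
    action: str                     # "login" | "link_and_login" | "reject"
    user: Optional[LocalUser]
    reason: str


def resolve_login(claims: dict, users: List[LocalUser],
                  allow_email_link: bool = True) -> Decision:
    """Decide how to handle validated ID-token claims for the local user table.

    Order of checks: trusted issuer -> existing link on `sub` -> one-time
    link on a verified e-mail that matches exactly one unlinked user -> reject.
    """
    if claims.get("iss") != TRUSTED_ISSUER:
        return Decision("reject", None, "untrusted issuer")
    sub = claims.get("sub")
    if not sub:
        return Decision("reject", None, "missing sub claim")

    # 1. Already linked: `sub` is the only key trusted for repeat logins,
    #    so a later e-mail change at the IdP cannot redirect the account.
    for u in users:
        if u.oidc_sub == sub:
            return Decision("login", u, "matched existing link on sub")

    # 2. First-time link by e-mail, only if the IdP asserts the address is verified.
    if not allow_email_link:
        return Decision("reject", None, "no link on sub and e-mail linking disabled")
    if claims.get("email_verified") is not True:
        return Decision("reject", None, "email not verified by IdP; refusing to link")
    email = (claims.get("email") or "").strip().lower()
    # Only users without an existing link are candidates: a second `sub`
    # presenting an already-linked address must not take the account over.
    matches = [u for u in users if u.email.lower() == email and u.oidc_sub is None]
    if len(matches) != 1:
        return Decision("reject", None,
                        f"{len(matches)} unlinked local users with that e-mail")
    user = matches[0]
    user.oidc_sub = sub  # persist the link so later logins match on sub
    return Decision("link_and_login", user, "linked on verified e-mail")


def sample_users() -> List[LocalUser]:
    """Constructed sample of LDAP-synced Matomo users (not real data)."""
    return [
        LocalUser(login="user@domain.com", email="user@domain.com"),
        LocalUser(login="other@domain.com", email="other@domain.com"),
    ]


if __name__ == "__main__":
    table = sample_users()
    first = {"iss": TRUSTED_ISSUER, "sub": "abc-123",
             "email": "User@domain.com", "email_verified": True}
    print(resolve_login(first, table))           # link_and_login
    later = {"iss": TRUSTED_ISSUER, "sub": "abc-123",
             "email": "renamed@domain.com", "email_verified": False}
    print(resolve_login(later, table))           # login (matched on sub)
    impostor = {"iss": TRUSTED_ISSUER, "sub": "new-sub",
                "email": "user@domain.com", "email_verified": True}
    print(resolve_login(impostor, table))        # reject (already linked)
```

The `email_verified` gate is what makes the "same user in LDAP and Keycloak" shortcut acceptable: with Keycloak federating the same LDAP directory, the claim is asserted by the IdP rather than typed by the user. Setting `allow_email_link=False` gives the stricter policy where links are only created by an explicit, already-authenticated action in the security settings, as the plugin author describes.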

l00v3 commented 3 years ago

If I understand correctly, #44 (#45) would solve this also for LDAP users? And the feature for disabling password login would be very good, as suggested in the pull request comment -> https://github.com/dominik-th/matomo-plugin-LoginOIDC/pull/45#issuecomment-791360796

l00v3 commented 1 year ago

We solved the auto-linking of accounts also when the OpenLDAP backend is used. It would be a security feature to disable the password login form in Piwik, so users can only log in via OIDC. As this is not only connected to the LoginLDAP plugin, should I open a new issue regarding the feature to disable the login form?