nextcloud / user_saml

:lock: App for authenticating Nextcloud users using SAML https://apps.nextcloud.com/apps/user_saml
https://portal.nextcloud.com/article/configuring-single-sign-on-10.html
GNU Affero General Public License v3.0

Is user_saml an option for CAS auth? #113

Closed putt1ck closed 7 years ago

putt1ck commented 7 years ago

There used to be a CAS app, which as a backend solution for auth provides a simple and open way to implement SSO into web apps; now wondering if the CAS app hasn't been reworked for NC11/12 because user_saml can be configured to support CAS. If not, is it on the roadmap?

ArnY commented 7 years ago

Hello,

You can use user_saml to authenticate your users with CAS but you'll need another backend like ldap to provision your accounts. You'll also need to set the environment variable to HTTP_CAS_USER and configure mod_auth_cas (https://wiki.jasig.org/display/casc/mod_auth_cas) on "/index.php/login" and "/index.php/apps/user_saml/saml/login".

For example, for apache2:

        # mod_auth_cas settings; CASValidateURL is the full URL of the ticket
        # validation endpoint (scheme included)
        CASVersion 2
        CASLoginURL https://cas.company.com/cas/login
        CASValidateURL https://cas.company.com/cas/serviceValidate
        # CASCookiePath must also point at a directory writable by the web
        # server, e.g. /var/cache/apache2/mod_auth_cas/ (example path)

        # Protect both login entry points so the CAS ticket is validated
        # before user_saml reads the user name from the environment
        <Location "/index.php/login">
                AuthType CAS
                AuthName "CAS Authentication"
                require valid-user
        </Location>

        <Location "/index.php/apps/user_saml/saml/login">
                AuthType CAS
                AuthName "CAS Authentication"
                require valid-user
        </Location>

putt1ck commented 7 years ago

Yeah we install with LDAP auth anyway, just neat to have the user only have to login to org web apps the once. It's not proper SSO if you have to login >1 :)

thx for the tip

reswild commented 7 years ago

If anyone else is searching for this, you can also set up a SAML Identity Provider that uses CAS for authentication. It's a bit more work, but this way you can also access your CAS attributes, and you don't need LDAP.

I'm testing this at the moment, using simpleSAMLphp for my Identity Provider.

abcfy2 commented 7 years ago

Hi @reswild . Would you please share your solution?

I'm facing the same situation. I have a CAS server, and I want to use CAS SSO auth, but I don't want to set up LDAP; it's a little troublesome.

Thanks.

mehrdad-shokri commented 7 years ago

@reswild would you please provide your solution? Struggling with CAS and Nextcloud here.

mehrdad-shokri commented 7 years ago

@ArnY hey, I've set up a CAS server with the mod_auth_cas module on Apache. I've also installed user_saml.
Up to this point Nextcloud gets the ticket from CAS, but I get either an internal server error or an Unauthorized error.
Here are screenshots of the errors:

[two screenshots of the error pages at /index.php/login]

The returned URL has a ticket in the query string.
Also, I don't know where to check the logs.
What am I missing here?
I haven't connected Nextcloud to LDAP; should I?
Please help.

putt1ck commented 7 years ago

Our tested method is documented here: https://docswiki.newro.co/index.php/Nextcloud_external_auth#CAS_Auth - hope it helps.

mehrdad-shokri commented 7 years ago

@putt1ck can we have a chat to describe my situation?

mehrdad-shokri commented 7 years ago

@putt1ck please please :((

putt1ck commented 7 years ago

Hard to troubleshoot an unknown setup. Does your error not get logged in the NC log at all?

mehrdad-shokri commented 7 years ago

Not at all. datadirectory is set to /var/www/nextcloud-data in the config.php.
When I tail -f nextcloud.log nothing is shown.

The CAS server is working correctly and giving back a token.
mod_auth_cas is set up and everything is working just fine.
When the CAS server returns from the login page, this page is shown:

[screenshot of the /index.php/apps/user_saml/saml/notprovisioned page]

I'm just suspicious of one thing: I haven't set up LDAP yet. Do you think that's the problem?
Also please note that the CAS server (and LDAP) is located on another remote server and CAS is accessed by a URL.

putt1ck commented 7 years ago

It's not seeing the account you are logging in as one that exists on NC - we use LDAP in our implementations which might be what auto-provisions the account.

Our servers are normally split up (typically 6 of them as a starting point, plus storage server if needed).

mehrdad-shokri commented 7 years ago

So your Nextcloud app is connected directly to ldap?
Do you know how nextcloud auto-provisions the attribute returned from cas?
AFAIK the returned attributes should be mapped to support auto provisioning.

putt1ck commented 7 years ago

CAS in our setup only returns an "auth'd" response. The user attributes are pulled from LDAP (commonly from Samba or AD servers).

mehrdad-shokri commented 7 years ago

@putt1ck So we have set up an LDAP service. Up to this point, the user can log in via CAS but Nextcloud can't retrieve the user from LDAP.
How would you handle the process of retrieving a user from LDAP? Can you provide a code snippet or demonstrate the process?

reswild commented 7 years ago

@abcfy2 @mehrdaad So my solution was to set up a SAML Identity Provider using SimpleSAMLphp, and use this with CAS authentication. I can then get all my attributes directly from CAS, and I don't need to set up LDAP. It was a bit of a hassle to get everything set up correctly, so I probably wouldn't have bothered if it was just to connect to Nextcloud, but I will use it for connecting to other services also.

In any case, if anyone wants to try this, here are the steps I used:

  1. Install SimpleSAMLphp (see https://simplesamlphp.org/docs/stable/simplesamlphp-install for instructions).

  2. Enable the SimpleSAMLphp Identity Provider functionality by editing the config/config.php file and setting the enable.saml20-idp option to true. (There are also a number of other options in this file that you'll probably want to review before going live.)

    'enable.saml20-idp' => true,

  3. Enable the SimpleSAMLphp CAS module by adding an empty enable file in the modules/cas folder

  4. Edit the config/authsources.php file and add a CAS authentication source. You'll have to specify all the CAS attributes that you need to access when logging in. Here is my configuration:

    'cas' => array(
        'cas:CAS',
        'cas' => array(
            'login' => 'https://example.org/cas/login',
            'serviceValidate' => 'https://example.org/cas/serviceValidate',
            'logout' => 'https://example.org/cas/logout',
            // each attribute is an XPath into the CAS serviceValidate XML response
            'attributes' => array(
                'user' => '/cas:serviceResponse/cas:authenticationSuccess/cas:user',
                'mail' => '/cas:serviceResponse/cas:authenticationSuccess/cas:mail',
                'nickname' => '/cas:serviceResponse/cas:authenticationSuccess/cas:nickname',
            ),
        ),
        // left empty: no LDAP lookup, all attributes come from CAS
        'ldap' => array(
        ),
    ),

  5. Generate an X.509 key and certificate, and add these to the cert folder. Sample command for generating a certificate:

    openssl req -new -x509 -days 3652 -nodes -out example.org.crt -keyout example.org.pem


  6. Configure the Identity Provider by editing the metadata/saml20-idp-hosted.php file, and add the certificate and authentication source you set up above. My configuration is:

    $metadata['__DYNAMIC:1__'] = array(
        'host' => '__DEFAULT__',
        // key and certificate generated in step 5, placed in the cert folder
        'privatekey' => 'example.org.pem',
        'certificate' => 'example.org.crt',
        // authentication source defined in config/authsources.php
        'auth' => 'cas',
        'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
    );

  7. Link the Nextcloud Service Provider to your Identity Provider by editing the metadata/saml20-sp-remote.php file. My configuration is:

    $metadata['https://cloud.example.org/index.php/apps/user_saml/saml/metadata'] = array(
        'AssertionConsumerService' => 'https://cloud.example.org/index.php/apps/user_saml/saml/acs',
        'SingleLogoutService' => 'https://cloud.example.org/index.php/apps/user_saml/saml/sls',
    );

  8. Configure the SAML settings in Nextcloud. My configuration is:

    General
      UID attribute: user

    Identity Provider Data
      IdP entity identifier: https://example.org/simplesaml/saml2/idp/metadata.php
      IdP single sign-on URL: https://example.org/simplesaml/saml2/idp/SSOService.php

    Attribute mapping
      display name attribute: nickname
      email attribute: mail



For more information about configuring a SimpleSAML Identity Provider, see https://simplesamlphp.org/docs/1.5/simplesamlphp-idp#section_6
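Both routes in this thread end up doing the same CAS 2.0 exchange behind the scenes: mod_auth_cas (ArnY's Apache config) and the SimpleSAMLphp cas module (reswild's authsources.php) redirect the browser to the CAS login URL, receive a ticket, fetch the serviceValidate URL with that ticket, and read the user and attributes out of the XML answer. The following is an added example, not code from this thread, from user_saml or from SimpleSAMLphp; it builds the validation URL and applies the XPath attribute map from the authsources.php snippet above to a serviceValidate response. The two XML responses are constructed samples, and the helper names (`validate_url`, `parse_service_response`) are this example's own.

```python
"""Added example: the CAS 2.0 serviceValidate step as performed by
mod_auth_cas or the SimpleSAMLphp cas module, with the XPath attribute
map from the authsources.php configuration applied to the response.
The sample responses are constructed, not captured from a real CAS server."""
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

# Namespace used by <cas:serviceResponse> in the CAS protocol.
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Same XPath attribute map as the authsources.php snippet above.
ATTRIBUTES = {
    "user": "/cas:serviceResponse/cas:authenticationSuccess/cas:user",
    "mail": "/cas:serviceResponse/cas:authenticationSuccess/cas:mail",
    "nickname": "/cas:serviceResponse/cas:authenticationSuccess/cas:nickname",
}

# Constructed sample: successful validation with attributes.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:mail>jdoe@example.org</cas:mail>
    <cas:nickname>John</cas:nickname>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: the ticket was rejected.
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-1234 not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def validate_url(service_validate_url, service, ticket):
    """URL the service provider fetches to turn a ticket into an identity.
    'service' must be exactly the URL the ticket was issued for; otherwise
    the CAS server answers with an INVALID_SERVICE failure."""
    return service_validate_url + "?" + urlencode({"service": service, "ticket": ticket})


def _relative_path(xpath):
    """Turn an absolute '/cas:serviceResponse/...' XPath from the attribute map
    into the document-relative form ElementTree's find() accepts."""
    prefix = "/cas:serviceResponse/"
    if not xpath.startswith(prefix):
        raise ValueError("attribute XPath must start with " + prefix)
    return xpath[len(prefix):]


def parse_service_response(xml_text, attribute_map):
    """Return (True, {attr: value}) on authenticationSuccess, or
    (False, {'code': ..., 'message': ...}) on authenticationFailure.
    Attributes absent from the response are left out of the dict rather
    than raising, which is how an unprovisioned or incomplete account shows up."""
    # The response comes from your own CAS server over TLS; for XML from an
    # untrusted party use defusedxml rather than the stdlib parser.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}serviceResponse" % CAS_NS["cas"]:
        raise ValueError("not a CAS serviceResponse document")

    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return False, {"code": failure.get("code", ""),
                       "message": (failure.text or "").strip()}

    if root.find("cas:authenticationSuccess", CAS_NS) is None:
        raise ValueError("neither authenticationSuccess nor authenticationFailure present")

    attrs = {}
    for name, xpath in attribute_map.items():
        node = root.find(_relative_path(xpath), CAS_NS)
        if node is not None and node.text:
            attrs[name] = node.text.strip()
    return True, attrs


if __name__ == "__main__":
    print(validate_url("https://example.org/cas/serviceValidate",
                       "https://cloud.example.org/", "ST-1234"))
    print(parse_service_response(SUCCESS_XML, ATTRIBUTES))
    print(parse_service_response(FAILURE_XML, ATTRIBUTES))
```

The attribute map is what decides which values reach Nextcloud: with the map above, `user` becomes the UID and `nickname`/`mail` feed the display name and email mappings in step 8, so a user whose CAS response lacks `<cas:user>` will not be provisioned, which is the "notprovisioned" page seen earlier in this thread when no backend knows the account.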