nextcloud / user_saml

:lock: App for authenticating Nextcloud users using SAML https://apps.nextcloud.com/apps/user_saml
https://portal.nextcloud.com/article/configuring-single-sign-on-10.html
GNU Affero General Public License v3.0

Have user_saml ask for totp code if enabled for user #288

Open ChessSpider opened 5 years ago

ChessSpider commented 5 years ago

Steps to reproduce

  1. Configure nextcloud to use user_saml
  2. Configure nextcloud to use https://github.com/nextcloud/twofactor_totp
  3. Configure totp for your user
  4. Login using SAML

Expected behaviour

After authentication using SAML, I would expect the 2nd factor authentication to kick in. Aka, it should ask for the totp code.

Actual behaviour

Immediately logged in without asking for totp code

Server configuration

Operating system: linux

Web server: docker

Database: postgresql docker

PHP version: 7.2.19

Version: 15.0.10

Updated from an older version or fresh install: update

List of activated apps: notable user_saml for login, and twofactor_totp for 2nd factor auth

Client configuration

Browser: firefox

Operating system: win10

Logs

Web server error log
Server log (data/nextcloud.log)

nothing of totp or user_saml here

ChessSpider commented 5 years ago

After making an issue at the totp github, I was redirected here. Thread: https://github.com/nextcloud/twofactor_totp/issues/373

Message from Christoph Wurst:

@ChristophWurst: @schiessle: have you ever used 2fa with saml?

@schiessle: @ChristophWurst: no, I also think that this is not possible. With saml the authentication happens at the idp not at Nextcloud, the idp redirect the user to an endpoint of the saml app, we check the idp data and log the user in. The whole idea of SSO is that you don't have to authenticate at each service but in one central idp and then you are logged in everywhere

@ChristophWurst: okay, thanks for that info!

@schiessle: 2fa should be done at the idp, not at Nextcloud if you use sso

My response:

Thanks for the feedback.

Schiessle's opinion, while valid of course, differs from other applications we use (most notably gitlab) and my expectations. After enabling totp, I would very much like to have totp ask for the 2nd factor after being authenticated by the idp, if possible.

(Background: SSO in my setup only asks for username/password w/ long session lifetime, and I prefer to have a separate totp code per (critical) application to prevent abuse of the long-running sessions at the sso-point)

ChessSpider commented 5 years ago

Best wishes for the new year everyone. Would a maintainer of user_saml be able to reply to this report? Thank you in advance.

ChessSpider commented 5 years ago

Bump, still a nice feature for me

maferick commented 5 years ago

I don't think this is what you want, though it will work, this isn't part of SSO as Schiessle correctly mentions. You are using the TOTP as step-up authentication, not as SSO.

Basically you are enabling users to use SSO and then effectively disabling the SSO with the use of application side TOTP for each application.

Using short sessions and an IdP with an MFA possibility means you also don't need to have TOTP on the application side, where you, if needed, always can use the provided TOTP as step-up authentication.

In SSO the IdP is the trusted source for the application and ALL authentication/authorisation should be done there, not on the application side.

ChessSpider commented 5 years ago

I don't think this is what you want, though it will work, this isn't part of SSO as Schiessle correctly mentions. You are using the TOTP as step-up authentication, not as SSO.

Except though it doesn't work. Semantics discussion aside whether this is true sso or not; if I enable totp for a user on nextcloud then I expect Nextcloud to ask the user for a totp code. SSO login is just used as an alternative for password login in my organization, it's just one factor auth.

Gitlab, Nmbrs, ... prompt for totp after sso login and so should nextcloud imho

thanks for keeping the issue alive 👍

maferick commented 5 years ago

Except though it doesn't work. Semantics discussion aside whether this is true sso or not; if i enable totp for a user on nextcloud then I expect Nextcloud to ask the user for a totp code. SSO login is just used as an alternative for password login in my organization, it's just one factor auth.

Sorry, I mean in theory, as step-up option, it should work (and it's not implemented like that in nextcloud). In SSO the IdP is responsible for the authentication part and as such nextcloud is expecting the IdP to handle the MFA part and not asking for the TOTP code.

Though don't get me wrong, I think it's a great feature if this can be implemented with different MFA providers to get step-up auth available.
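The two positions in this thread (trust the IdP for MFA versus always asking for a local TOTP code after the SAML redirect) are both just policy choices at one point in the service-provider login flow. The model below is an added example, not code from user_saml or twofactor_totp: it takes a constructed, unsigned SAML Response, reads the NameID and AuthnContextClassRef, decides whether a local second factor is needed (the set of "IdP already did MFA" context URIs and the `trust_idp_mfa` switch are assumptions), and verifies an RFC 6238 TOTP code. The IdP-side validation that user_saml does for real (signature, audience, conditions) is deliberately out of scope.

```python
"""SP-side login decision after a SAML IdP redirect, with optional local TOTP step-up.
Added example; not the user_saml or twofactor_totp implementation."""
import hashlib
import hmac
import struct
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# AuthnContext class URIs that this hypothetical policy treats as "the IdP already
# performed MFA". Which URIs a given IdP emits is deployment-specific (assumption).
IDP_MFA_CONTEXTS = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
    "https://refeds.org/profile/mfa",
}

# Constructed, unsigned, minimal SAML Response for the demo. A real SP validates the
# signature, audience, conditions and InResponseTo before trusting any of it.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:AuthnStatement>
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_assertion(xml_text):
    """Extract NameID and AuthnContextClassRef from an already-validated Response."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    ctx = root.find(".//saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion has no NameID")
    return {
        "name_id": name_id.text.strip(),
        "authn_context": ctx.text.strip() if ctx is not None and ctx.text else None,
    }


def needs_local_second_factor(totp_enabled, authn_context, trust_idp_mfa=True):
    """Step-up decision: ask locally unless the IdP is trusted to have done MFA.
    trust_idp_mfa=False is the 'always prompt' behaviour requested in this issue."""
    if not totp_enabled:
        return False
    if trust_idp_mfa and authn_context in IDP_MFA_CONTEXTS:
        return False
    return True


def totp(secret, timestamp, digits=6, step=30):
    """RFC 6238 TOTP (HMAC-SHA1) for a Unix timestamp."""
    counter = int(timestamp) // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret, code, timestamp, window=1, step=30):
    """Accept the current code or one step either side; constant-time compare."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, timestamp + drift * step), str(code)):
            return True
    return False


def login(xml_text, users, totp_code=None, now=0, trust_idp_mfa=True):
    """IdP assertion -> local user lookup -> optional TOTP challenge -> session."""
    a = parse_assertion(xml_text)
    user = users.get(a["name_id"])
    if user is None:
        return {"status": "denied", "reason": "unknown user"}
    secret = user.get("totp_secret")
    if not needs_local_second_factor(secret is not None, a["authn_context"], trust_idp_mfa):
        return {"status": "logged_in", "user": a["name_id"], "second_factor": "idp_or_none"}
    if totp_code is None:
        return {"status": "challenge", "user": a["name_id"]}
    if verify_totp(secret, totp_code, now):
        return {"status": "logged_in", "user": a["name_id"], "second_factor": "local_totp"}
    return {"status": "denied", "reason": "bad totp code"}


# Constructed user table; alice's secret is the RFC 6238 test-vector seed.
USERS = {"alice": {"totp_secret": b"12345678901234567890"}, "bob": {"totp_secret": None}}

if __name__ == "__main__":
    print(login(SAMPLE_RESPONSE, USERS))                             # challenge
    print(login(SAMPLE_RESPONSE, USERS, totp_code="287082", now=59))   # logged_in
```

With the sample assertion (password-only context) and a user who has TOTP enabled, the first call returns a challenge and the second logs in; flipping `trust_idp_mfa` to `False` gives the always-prompt behaviour ChessSpider asks for even when the IdP reports an MFA context.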

ChessSpider commented 5 years ago

@ChristophWurst @schiessle Hi Christoph, Schiessle, can maybe one of you indicate whether this is something you'd want to work on or if this is on the roadmap? Thank you

ChristophWurst commented 5 years ago

This is not on our roadmap.

ChessSpider commented 5 years ago

Is there a way to get it on the roadmap? E.g. a pull request or a donation?

On Fri, Mar 1, 2019, 08:48 Christoph Wurst notifications@github.com wrote:

This is not on our roadmap.


schiessle commented 5 years ago

@ChessSpider Of course, there are many ways. :slightly_smiling_face:

You mentioned already one possible way: a pull request. Christoph and I are just two persons of a large Nextcloud community. Nextcloud is completely Free Software, this means that everyone is welcome to join and to contribute. If you or anyone else want to work on it, this would be great! We appreciate every pull request, and we are definitely able to help in case of questions, reviews, etc.

Another option is creating a bounty at Bountysource, although just putting money on an issue doesn't guarantee that someone picks it up (in time). This is also a nice way to support the large Nextcloud community. In case a Nextcloud GmbH employee picks up the bounty we will give it back to the community by putting the money back on other bounties to make sure all bounties benefit the Nextcloud community.

Additionally we have a category for Freelancers in our forum. Another option would be to post an offer there and try to find a freelancer who wants to work on it.

The most direct way for a company or organization to get the issue addressed is to get an Enterprise Subscription. This includes everything to enable you to run Nextcloud in a productive environment with guaranteed SLAs and more. The Enterprise Subscription also includes optional professional services such as custom development. Feel free to reach out to us. We are happy to explore the possibilities of how to make Nextcloud fit your needs.