nextcloud / user_saml

App for authenticating Nextcloud users using SAML https://apps.nextcloud.com/apps/user_saml
https://portal.nextcloud.com/article/configuring-single-sign-on-10.html
GNU Affero General Public License v3.0

SSO mode does not offer multiple user back-ends anymore #400

Open kleinem86 opened 4 years ago

kleinem86 commented 4 years ago

Steps to reproduce

  1. After upgrading my NC installation from 13 to 17, the SSO/SAML app needed to be upgraded as well, to 2.4.1
  2. The SSO configuration tab does not offer the "allow multiple back ends" configuration option anymore

Expected behaviour

The SSO configuration Tab does offer the "allow multiple back ends" configuration option. So users on non-domain devices can log in by typing in their credentials.

Actual behaviour

The SSO configuration Tab does not offer the "allow multiple back ends" configuration option. This effectively renders users on non-domain joined devices unable to log in anymore.

Server configuration

Nextcloud version: 17

List of activated apps: user_saml

Apache configuration:

 <IfModule mod_auth_gssapi.c>
  # Only the SSO entry point is protected at the Apache layer; everything else is left to Nextcloud
  <Location "/index.php/apps/user_saml/saml/login">
   AuthName "kleinet Nextcloud - Kerberos Login"
   AuthType GSSAPI
   # Commented out: a client that cannot negotiate therefore gets a bare 401 instead of the password form
#   ErrorDocument 401 /index.php/login?direct=1
   GssapiCredStore keytab:/etc/httpd.keytab
   GssapiAllowedMech krb5
   # Map the Kerberos principal to a local user name so REMOTE_USER matches the Nextcloud account
   GssapiLocalName on
   LogLevel debug
   Require valid-user
  </Location>
 </IfModule>

Apache logs:

non-domain joined device

abcd:defg:8c5::1f:949e:c01d - - [12/Feb/2020:16:38:37 +0100] "GET / HTTP/1.1" 302 -
abcd:defg:8c5::1f:949e:c01d - - [12/Feb/2020:16:38:39 +0100] "GET /index.php/login HTTP/1.1" 302 -
abcd:defg:8c5::1f:949e:c01d - - [12/Feb/2020:16:38:39 +0100] "GET / HTTP/1.1" 302 -
abcd:defg:8c5::1f:949e:c01d - - [12/Feb/2020:16:38:39 +0100] "GET /index.php/apps/user_saml/saml/login?originalUrl=&idp=1&requesttoken=8egn8jGhBvUhENqEJyWt%2BTr5vQEmHnVJGE9sw5FSmMY%3D%3AhttWxkH7dJ9Vd7m2Sn/OtgKs6U5KVUF7TR4Bhuc06rw%3D HTTP/1.1" 401 381
abcd:defg:8c5::1f:949e:c01d - - [12/Feb/2020:16:38:39 +0100] "GET /index.php/login HTTP/1.1" 302 -
abcd:defg:8c5::1f:949e:c01d - - [12/Feb/2020:16:38:39 +0100] "GET /index.php/apps/user_saml/saml/login?originalUrl=&requesttoken=vLIe5CwrkgatgDiT5EpzHwo0KBY1oOQhsMT82Fxh4/o%3D%3Ay4Fv0Fxx4GzZ51uhiRAQUDJhfFlZ69AT5ZWRnSoHkYA%3D&idp=1 HTTP/1.1" 401 381

domain joined device

fd00::201:9d26:c5b5:ec6f:5c94 - - [12/Feb/2020:16:38:49 +0100] "GET / HTTP/1.1" 302 -
fd00::201:9d26:c5b5:ec6f:5c94 - - [12/Feb/2020:16:38:49 +0100] "GET /index.php/login HTTP/1.1" 302 -
fd00::201:9d26:c5b5:ec6f:5c94 - - [12/Feb/2020:16:38:49 +0100] "GET /index.php/apps/user_saml/saml/login?originalUrl=&requesttoken=oiyLa1rGL0sxQoghotBuU5b3K/sjo8vgCBlHni5p5CM%3D%3Awx/vWmyqbQ1yEOVzyYMcJvmdGa1oyo6EYGg1xGonplM%3D&idp=1 HTTP/1.1" 401 381
fd00::201:9d26:c5b5:ec6f:5c94 - kleinem [12/Feb/2020:16:38:49 +0100] "GET /index.php/apps/user_saml/saml/login?originalUrl=&requesttoken=oiyLa1rGL0sxQoghotBuU5b3K/sjo8vgCBlHni5p5CM%3D%3Awx/vWmyqbQ1yEOVzyYMcJvmdGa1oyo6EYGg1xGonplM%3D&idp=1 HTTP/1.1" 303 -
fd00::201:9d26:c5b5:ec6f:5c94 - - [12/Feb/2020:16:38:50 +0100] "GET / HTTP/1.1" 302 -
fd00::201:9d26:c5b5:ec6f:5c94 - - [12/Feb/2020:16:38:50 +0100] "GET /index.php/apps/files/ HTTP/1.1" 200 49386

kleinem86 commented 4 years ago

I just scrolled through other issues and realized this is essentially a duplicate of #80, which is 2 years old now. Should not be too hard to implement imho, because this is functionality which was definitely available in an older version of the user_saml app.

Flamme-2 commented 3 years ago

Hi,

I am providing an answer in this old post because it always comes up on Google without a real solution.

Based on this workaround.

I can use SSO when users have a Kerberos ticket in the office, and standard credentials when users are connected from outside the office. The configuration used on my Apache server for authentication is:

  <Location "/index.php/apps/user_saml/saml/login">
    AuthType GSSAPI
    AuthName "Single Sign On Login"
    GssapiCredStore keytab:/etc/httpd/keytab/nextcloud.keytab
    # Cache the negotiated identity in an encrypted mod_session cookie so SPNEGO is not repeated per request
    GssapiUseSessions On
    GssapiLocalName On
    Session On
    # Note: a browser returns a cookie only for request paths under its "path" attribute; path=/gssapi does not
    # cover this Location, so the cached session is not actually presented here and Kerberos re-negotiates each time
    SessionCookieName gssapi_session path=/gssapi;httponly;secure;
    require valid-user
    # Fallback: a client that cannot negotiate gets a 401 whose body bounces it to the password form (direct=1 skips the SSO redirect)
    ErrorDocument 401 '<meta http-equiv="refresh" content="0; URL=/index.php/login?direct=1">'
  </Location>

If the workaround described above can help, then that is good news :)
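The two configurations in this thread differ only in what happens after mod_auth_gssapi answers 401: the original config leaves the browser to bounce between /index.php/login and the SSO endpoint (the "non-domain joined device" log above), while the workaround redirects it to /index.php/login?direct=1. The following triage script, added here as an illustration rather than code from the nextcloud/user_saml project or from either commenter, classifies each client in an Apache access log by that outcome. It uses the (anonymised) log lines posted in the issue plus two constructed lines for a client that reached the direct=1 password form; the assumption that `direct=1` is the query parameter that skips the SSO redirect is taken from both configs in the thread.

```python
"""Triage Apache access-log lines for Kerberos/SPNEGO success versus password fallback
on the user_saml login endpoint. Added example; not part of nextcloud/user_saml."""
import re
from collections import defaultdict

# Apache "common" log format: client ident user [time] "method target protocol" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
SSO_LOGIN = "/index.php/apps/user_saml/saml/login"
PASSWORD_LOGIN = "/index.php/login"

# Sample input: the issue's own (anonymised) lines, then two constructed lines (192.0.2.10)
# that model the direct=1 fallback produced by the ErrorDocument workaround.
SAMPLE_LOG = [
    'abcd:defg:8c5::1f:949e:c01d - - [12/Feb/2020:16:38:37 +0100] "GET / HTTP/1.1" 302 -',
    'abcd:defg:8c5::1f:949e:c01d - - [12/Feb/2020:16:38:39 +0100] "GET /index.php/apps/user_saml/saml/login?originalUrl=&idp=1&requesttoken=8egn8jGhBvUhENqEJyWt%2BTr5vQEmHnVJGE9sw5FSmMY%3D%3AhttWxkH7dJ9Vd7m2Sn/OtgKs6U5KVUF7TR4Bhuc06rw%3D HTTP/1.1" 401 381',
    'abcd:defg:8c5::1f:949e:c01d - - [12/Feb/2020:16:38:39 +0100] "GET /index.php/login HTTP/1.1" 302 -',
    'abcd:defg:8c5::1f:949e:c01d - - [12/Feb/2020:16:38:39 +0100] "GET /index.php/apps/user_saml/saml/login?originalUrl=&requesttoken=vLIe5CwrkgatgDiT5EpzHwo0KBY1oOQhsMT82Fxh4/o%3D%3Ay4Fv0Fxx4GzZ51uhiRAQUDJhfFlZ69AT5ZWRnSoHkYA%3D&idp=1 HTTP/1.1" 401 381',
    'fd00::201:9d26:c5b5:ec6f:5c94 - - [12/Feb/2020:16:38:49 +0100] "GET /index.php/apps/user_saml/saml/login?originalUrl=&requesttoken=oiyLa1rGL0sxQoghotBuU5b3K/sjo8vgCBlHni5p5CM%3D%3Awx/vWmyqbQ1yEOVzyYMcJvmdGa1oyo6EYGg1xGonplM%3D&idp=1 HTTP/1.1" 401 381',
    'fd00::201:9d26:c5b5:ec6f:5c94 - kleinem [12/Feb/2020:16:38:49 +0100] "GET /index.php/apps/user_saml/saml/login?originalUrl=&requesttoken=oiyLa1rGL0sxQoghotBuU5b3K/sjo8vgCBlHni5p5CM%3D%3Awx/vWmyqbQ1yEOVzyYMcJvmdGa1oyo6EYGg1xGonplM%3D&idp=1 HTTP/1.1" 303 -',
    'fd00::201:9d26:c5b5:ec6f:5c94 - - [12/Feb/2020:16:38:50 +0100] "GET /index.php/apps/files/ HTTP/1.1" 200 49386',
    # constructed: SPNEGO fails, the 401 body's meta refresh sends the browser to the password form
    '192.0.2.10 - - [12/Feb/2020:16:40:00 +0100] "GET /index.php/apps/user_saml/saml/login?originalUrl=&idp=1 HTTP/1.1" 401 89',
    '192.0.2.10 - - [12/Feb/2020:16:40:00 +0100] "GET /index.php/login?direct=1 HTTP/1.1" 200 4120',
]


def parse_line(line):
    """Parse one common-log line into a dict (path and query split); None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def classify_client(records):
    """Classify one client's request sequence against the SSO endpoint.

    kerberos_ok                 - Apache logged an authenticated user on the SSO endpoint and
                                  user_saml redirected onward (the 303 with user "kleinem" above)
    password_fallback           - a 401 on the SSO endpoint was followed by /index.php/login?direct=1
    kerberos_failed_no_fallback - only 401s on the SSO endpoint and never the direct=1 form (stuck loop)
    """
    sso = [r for r in records if r["path"] == SSO_LOGIN]
    if not sso:
        return "no_sso_attempt"
    if any(r["user"] != "-" and r["status"] in (302, 303) for r in sso):
        return "kerberos_ok"
    saw_401 = False
    for r in records:  # records are in log order
        if r["path"] == SSO_LOGIN and r["status"] == 401:
            saw_401 = True
        elif saw_401 and r["path"] == PASSWORD_LOGIN and "direct=1" in r["query"].split("&"):
            return "password_fallback"
    return "kerberos_failed_no_fallback" if saw_401 else "unknown"


def triage(lines):
    """Group parsed lines by client address and classify each client."""
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_client[rec["client"]].append(rec)
    return {client: classify_client(recs) for client, recs in by_client.items()}


if __name__ == "__main__":
    for client, outcome in sorted(triage(SAMPLE_LOG).items()):
        print(f"{client:32} {outcome}")
```

Run against a real access log (`triage(open("/var/log/httpd/access_log"))`), a population of `kerberos_failed_no_fallback` clients is the symptom this issue describes; after deploying the ErrorDocument workaround those clients should move to `password_fallback`, while domain-joined clients stay `kerberos_ok`.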