pondersource / nextcloud-mfa-awareness

Make Nextcloud aware of whether the current user is logged in with Multi-Factor Authentication
MIT License

Wrap up milestone 5 #38

Closed michielbdejong closed 1 year ago

michielbdejong commented 1 year ago

I linked to the new app repo in https://github.com/pondersource/nextcloud-mfa-awareness and created #37.

Now I'm trying this out on GitPod and updating the readme instructions as I go along.

michielbdejong commented 1 year ago

I'm trying to compose a list of moving parts. I think for globalsiteselector and user_saml our PRs have been merged now. Then we have:

- https://github.com/nextcloud/server/pull/35555
- https://github.com/pondersource/server/tree/feat/mfaverified-check (no PR opened yet?)
- https://github.com/pondersource/mfaverifiedzone

I'll see if I can get the gss flow working with those.

michielbdejong commented 1 year ago

I'll install both mfachecker and mfaverifiedzone.

michielbdejong commented 1 year ago

Latest status, after running composer install on the mounted apps: the setup is apparently not completed for sunet-nc1, maybe the composer command exited unsuccessfully? Will continue debugging tomorrow.

michielbdejong commented 1 year ago

Next problem:

```
cd servers
./setup-saml.sh
[...]
chowning /var/www/html/config on sunet-nc2
Configuring user_saml on sunet-nc2
OCI runtime exec failed: exec failed: unable to start container process: exec: "./init-nc2-local-saml.sh": stat ./init-nc2-local-saml.sh: no such file or directory: unknown
```

michielbdejong commented 1 year ago

gitpod-init.sh now reports:

```
3 errors occurred:
        * Error response from daemon: pull access denied for apache-php, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
        * Error response from daemon: pull access denied for sunet-nextcloud, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
        * Error response from daemon: pull access denied for simple-saml-php, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
```

Fixed...

michielbdejong commented 1 year ago

Next error (in GUI): apps folder is not writable

michielbdejong commented 1 year ago

Ah, this commit line was breaking everything!

michielbdejong commented 1 year ago

Screenshot 2023-03-13 at 14 35 40

michielbdejong commented 1 year ago

```
curl -k https://sunet-nc2/index.php/apps/user_saml/saml/metadata
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     validUntil="2023-03-15T13:53:31Z"
                     cacheDuration="PT604800S"
                     entityID="https://sunet-nc2/index.php/apps/user_saml/saml/metadata">
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="https://sunet-nc2/index.php/apps/user_saml/saml/acs"
                                     index="1" />

    </md:SPSSODescriptor>
```

michielbdejong commented 1 year ago

"This version of Nextcloud is not compatible with PHP > 8"

michielbdejong commented 1 year ago

Screenshot 2023-03-16 at 10.55.35

michielbdejong commented 1 year ago

Ah, that one is fixed with a restart, progress! Screenshot 2023-03-16 at 11 08 36

michielbdejong commented 1 year ago

I renamed 'mfaresterictedzone__tag' to 'mfazone' and 'MFA Verified ... is not verified' to 'multi-factor authentication ... is not verified'

michielbdejong commented 1 year ago

You can "verify MFA" and be in an "MFA verified" state, but you can not "verify MFA verified" :)

michielbdejong commented 1 year ago

Hm, I'm not seeing my change yet in the UI: Screenshot 2023-03-16 at 11 46 10

michielbdejong commented 1 year ago

And I'll also publish it to the app store

michielbdejong commented 1 year ago

I'm back at metadata not found: Screenshot 2023-03-16 at 14 00 45

navid-shokri commented 1 year ago

oh, I think this is because HTTP / HTTPS :information_source:

It seems the SSP is not configured for HTTPS and it can just find the configuration by HTTP schema
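Two things in this thread are worth checking mechanically before wiring an SP into an IdP: the scheme (HTTP vs HTTPS) used in the SP metadata, which navid-shokri points to as the likely cause of the "metadata not found" error, and the signing flags in the curl output above, where the SP advertises `AuthnRequestsSigned="false"` and `WantAssertionsSigned="false"`. The script below is an added example, not code from the nextcloud-mfa-awareness repo or from the people in this thread. It embeds a constructed copy of the metadata shown above (with the closing `EntityDescriptor` tag added so it parses), and the check names, the `check_sp_metadata` / `failed_checks` functions and the pass/fail rules are the example's own assumptions, not anything user_saml or SimpleSAMLphp define.

```python
"""Sanity-check a SAML SP metadata document before registering it with an IdP.

Added example; not part of the pondersource repository. Check names and the
rules below are this example's assumptions.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample: the SP metadata from the thread, with the closing
# EntityDescriptor tag added so the document is well-formed.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     validUntil="2023-03-15T13:53:31Z"
                     cacheDuration="PT604800S"
                     entityID="https://sunet-nc2/index.php/apps/user_saml/saml/metadata">
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="https://sunet-nc2/index.php/apps/user_saml/saml/acs"
                                     index="1" />
    </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _scheme(url: str) -> str:
    """Return the URL scheme ('https', 'http', ...) or '' if there is none."""
    return url.split("://", 1)[0].lower() if "://" in url else ""


def check_sp_metadata(xml_text: str) -> dict:
    """Parse SP metadata and return {check_name: passed} for each check.

    - entity_id_https / acs_https: both endpoints should be served over HTTPS;
      an IdP configured for HTTPS will not match an HTTP entityID (the
      mismatch discussed in the thread).
    - scheme_consistent: entityID and ACS Location use the same scheme.
    - authn_requests_signed / want_assertions_signed: the SP should require
      signed assertions so the IdP response cannot be tampered with in
      transit; the metadata above advertises both as "false".
    """
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    acs = sp.find("md:AssertionConsumerService", NS)
    acs_location = acs.get("Location", "") if acs is not None else ""
    return {
        "entity_id_https": _scheme(entity_id) == "https",
        "acs_https": _scheme(acs_location) == "https",
        "scheme_consistent": _scheme(entity_id) == _scheme(acs_location),
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false").lower() == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
    }


def failed_checks(xml_text: str) -> list:
    """Names of the checks that did not pass, in a stable order."""
    return [name for name, ok in check_sp_metadata(xml_text).items() if not ok]


if __name__ == "__main__":
    for name in failed_checks(SAMPLE_METADATA):
        print("FAIL:", name)
```

Run against the sample, the scheme checks pass (everything is HTTPS) and only the two signing checks fail; rewriting the entityID to `http://` makes `entity_id_https` and `scheme_consistent` fail as well, which is the kind of SP/IdP mismatch the "metadata not found" error hints at.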