Closed michielbdejong closed 1 year ago
Just tested this with latest main branch, and this is what you see when user Admin logs in to the gss master:
The gss master is configured to take the user discovery from SAML, so this is blocked on #18.
From what I read about GSS configuration, we need to have a lookup server that all nodes have in their configuration files.
Something like this:
'lookup_server' => 'URL_TO_LOOKUPSERVER'
and the lookup server is a database of users with some APIs.
In this line, GSS asks the lookup server for the user:
Here is the lookup server:
> we need to have a lookup server

Hm, isn't that dealt with by #6?
https://github.com/nextcloud/globalsiteselector says:
> In "master" mode the server will query the lookup-server for the users location and redirect the user to the right Nextcloud server. [...]

```php
// define a class which will be used to decide on which server a user should be
// provisioned in case the lookup server doesn't know the user yet.
// Note: That this will create a user account on a global scale note for every user
// so make sure that the Global Site Selector has verified if it is a valid user before.
// The user discovery module might require additional config parameters you can find in
// the documentation of the module
'gss.user.discovery.module' => '\OCA\GlobalSiteSelector\UserDiscoveryModules\UserDiscoverySAML',
```
We have a user discovery module configured in https://github.com/pondersource/nextcloud-mfa-awareness/blob/97a1435/servers/sunet-nextcloud/init-nc1-gss-master.sh#L17 so I don't think we need a lookup server?
So far, so good:
Yay, it's working :)
The SAML IdP is working and we are redirecting from the leader or follower Nextcloud node to the IdP server. The login process is also OK, but when the user is redirected to the leader Nextcloud we encounter this error:
Could not find a location for user: user1
I took a look at https://github.com/nextcloud/globalsiteselector/blob/03b191361014fad6b5c580376935ebdb35990270/lib/Master.php#L155 and found that GSS needs one of these two options to find the location of a user:
I will try to enable one of them.
Ha, that's because you misspelled the username :)
It's "usr1", not "user1". See https://github.com/pondersource/nextcloud-mfa-awareness/blob/9c51370/servers/setup-gss.sh#L77
I wonder why the SAML server let you log in with that username though...
Or are you diverging from the setup-gss.sh script? If so, let's see how we can fix your setup so you can run the script properly. I'll ping you on Slack!
Ah, it's because of

```php
'gss.user.discovery.module' => 'OCAGlobalSiteSelectorUserDiscoveryModulesUserDiscoverySAML',
```

in sunet-nc1:/var/www/html/config/config.php. Apparently the slashes are still not properly escaped in https://github.com/pondersource/nextcloud-mfa-awareness/blob/0655f1b/servers/sunet-nextcloud/init-nc1-gss-leader.sh#L17
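The stripped class name above is what you get when a shell layer consumes the namespace backslashes before the string reaches config.php. The following is an added example, not code from the pondersource scripts or from the GSS project: it writes a minimal config fragment through a quoted heredoc (which performs no backslash processing), then reads the value back and compares it with the expected PHP class name, so a provisioning script can fail early instead of producing the "Could not find a location for user" error at login. The config path is a hypothetical argument and the config fragment is constructed here.

```shell
#!/bin/sh
# Added example (not from the pondersource or Nextcloud repositories):
# write the GSS discovery-module setting without the shell eating the
# namespace backslashes, then read it back to confirm it survived.
# The config path is a hypothetical argument; the fragment is constructed here.
set -eu

EXPECTED_MODULE='\OCA\GlobalSiteSelector\UserDiscoveryModules\UserDiscoverySAML'

# A quoted heredoc delimiter ('EOF') disables parameter expansion and
# backslash processing, so the PHP class name is written verbatim.
write_gss_config() {
  cat >"$1" <<'EOF'
<?php
$CONFIG = array(
  'gss.mode' => 'master',
  'gss.user.discovery.module' => '\OCA\GlobalSiteSelector\UserDiscoveryModules\UserDiscoverySAML',
);
EOF
}

# Print the stored module string exactly as it appears in the file.
read_discovery_module() {
  sed -n "s/^ *'gss.user.discovery.module' => '\([^']*\)',/\1/p" "$1"
}

# Exit status 0 when the file still carries the namespace separators,
# 1 when they were stripped (the symptom seen in config.php above).
check_discovery_module() {
  stored=$(read_discovery_module "$1")
  if [ "$stored" = "$EXPECTED_MODULE" ]; then
    echo "ok: $stored"
    return 0
  fi
  echo "stripped or wrong: '$stored'" >&2
  return 1
}

# Usage: ./check-gss-config.sh /var/www/html/config/config.php (hypothetical path)
if [ "${1:-}" ]; then
  write_gss_config "$1"
  check_discovery_module "$1"
fi
```

Running the check after provisioning (rather than only at login) makes a quoting regression in the init script visible immediately; the same read-back works on an existing config.php without rewriting it.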
> we are redirecting from the leader or follower next cloud node to the IDP server.

Note that redirection from a follower server only works if you run `./setup-gss.sh localhost`. If you run `./setup-gss.sh testnet` or `./setup-gss.sh example.com`, redirection from the leader will work, but from the follower will not. See "NB1" in the readme.
> Ha, that's because you misspelled the username :) It's "usr1", not "user1". See https://github.com/pondersource/nextcloud-mfa-awareness/blob/9c51370/servers/setup-gss.sh#L77 I wonder why the SAML server let you log in with that username though... Or are you diverging from the setup-gss.sh script? If so, let's see how we can fix your setup so you can run the script properly. I'll ping you on Slack!
I saw that the username and password are inserted in setup-gss.sh; I got them from there.
@navid-dada says this is working already, but I got an error last time I tried. Will check again to reproduce.