Authentication via SAML attribute urn:oid:0.9.2342.19200300.100.1.3 / Mapping LDAPUser without modify UUID

I have 9.0.52 (stable) Version of Nextcloud installed, a LDAP Backend for user provisioning and a SAML 2.0 IdP for the authentication process.

When I use SAML authentication with the option “Only allow authentication if an account is existent on some other backend. (e.g. LDAP)” the plugin initiates some SQL Selects to identify the correct LDAP-User via “owncloud_name” in “oc_ldap_user_mapping” table.
So it is necessary to modify the “UUID Attribute for Users” in the LDAP section so that the “owncloud_name” is equal to the mail attribute from the LDAP backend when I use “urn:oid:0.9.2342.19200300.100.1.3” (mail) as the SAML attribute to map the UID to.
This works well for the initial LDAP sync of users. But in case of an email address change afterwards we run into problems, because already mapped users will not be updated in the Nextcloud DB. So after a change of the mail attribute in LDAP and on the IdP side, the mapping will not work anymore.

So I have added a new function in apps/user_saml/lib/userbackend.php which returns the standard userid from oc_preferences when the email address is provided as parameter.
This function will be called from “public function userExists”, also located in userbackend.php:

/**
 * check if a user exists
 * @param string $uid the username
 * @return boolean
 * @since 4.5.0
 */
public function userExists($uid) {
	// Resolve a mail address (SAML attribute value) to the stored user id first
	$uid = $this->userEMAILinDatabase($uid);
	if($backend = $this->getActualUserBackend($uid)) {
		return $backend->userExists($uid);
	} else {
		return $this->userExistsInDatabase($uid);
	}
}

/**
 * Return the id of the user whose mail address matches [search by mail-address]
 * @param string $emailaddress
 * @return string the user id, or the given value unchanged if no user has that address
 * @edited by max
 */
public function userEMAILinDatabase($emailaddress) {
	/* @var $qb IQueryBuilder */
	$qb = $this->db->getQueryBuilder();
	$qb->select('userid')
		->from('preferences')
		->where('configkey = :identifier1')
		->andWhere('LOWER(configvalue) = LOWER(:identifier2)')
		->setParameter('identifier1', 'email')        // parameter names and the value must be quoted strings
		->setParameter('identifier2', $emailaddress)
		->setMaxResults(1);
	$result = $qb->execute();
	$userid = $result->fetchAll();
	$result->closeCursor();

	// No matching row: return the input unchanged so the caller behaves as before
	return isset($userid[0]['userid']) ? $userid[0]['userid'] : $emailaddress;
}

With this function, the authentication via the SAML attribute urn:oid:0.9.2342.19200300.100.1.3 and the mail attribute from the LDAP backend works without modifying the standard UUID.
But now I have found out that this (mail address) SAML-authenticated user does not use the additional LDAP attributes (quota, custom folder path …).

Is there any other way to use SAML authentication without modifying the standard UUID via the LDAP plugin?
In my opinion this option would be great as a standard feature in Nextcloud user_saml. (Authentication via SAML attribute urn:oid:0.9.2342.19200300.100.1.3 / Mapping LDAPUser without modify UUID)


Ok, now I have found the failure in my case.
I called my additional function from the “public function userExists”, and this wasn’t correct.
I have to call this function in “public function getCurrentUserId” located in userbackend.php, and also in samlcontroller.php in the following section:

$uidMapping = \OC::$server->getConfig()->getAppValue('user_saml', 'general-uid_mapping', '');
if(isset($auth->getAttributes()[$uidMapping])) {
	$uid = $auth->getAttributes()[$uidMapping][0];
	// Map the mail address from the SAML attribute to the stored user id
	$uid = $this->userBackend->userEMAILinDatabase($uid);
	// ... rest of the section unchanged

Now it seems to work: the authenticated SAML user now has all defined LDAP attributes from the backend.
I really think this should be a standard feature in Nextcloud and can be useful for many others who want to use the mail attribute from LDAP for SAML authentication without modifying the standard UUID, which is the GUID of the user object in the LDAP backend.
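As an added example (not code from this thread or from Nextcloud's user_saml app), this is how a hardened version of the mail-to-userid lookup discussed above could look: it matches case-insensitively against the `settings`/`email` row in `oc_preferences` (the row in which Nextcloud stores an account's mail address), and it refuses to resolve when the address maps to no account or to more than one, because picking the first row of an ambiguous match would let one account authenticate as another. It runs stand-alone against a constructed in-memory SQLite table via PDO instead of Nextcloud's query builder.

```php
<?php
// Added example: stand-alone resolver for "SAML mail attribute -> Nextcloud user id".
// PDO/SQLite with a constructed copy of oc_preferences stands in for Nextcloud's
// IQueryBuilder; the query itself is the same shape as in the thread above.

function resolveUidByEmail(PDO $db, string $email): ?string {
    // Only appid='settings' / configkey='email' holds the account's mail address;
    // restricting appid avoids matching unrelated config values of other apps.
    $stmt = $db->prepare(
        'SELECT userid FROM oc_preferences
          WHERE appid = :appid AND configkey = :key
            AND LOWER(configvalue) = LOWER(:mail)'
    );
    $stmt->execute([':appid' => 'settings', ':key' => 'email', ':mail' => trim($email)]);
    $rows = $stmt->fetchAll(PDO::FETCH_COLUMN);

    // Zero rows: the SAML subject is unknown, do not fall back to a guess.
    // Several rows: ambiguous, refuse instead of picking an arbitrary account.
    if (count($rows) !== 1) {
        return null;
    }
    return $rows[0];
}

// --- constructed sample data (hypothetical user ids and addresses) ---
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE oc_preferences (userid TEXT, appid TEXT, configkey TEXT, configvalue TEXT)');
$ins = $db->prepare('INSERT INTO oc_preferences VALUES (?, ?, ?, ?)');
$ins->execute(['a1b2c3-guid', 'settings', 'email', 'Alice@Example.org']);
$ins->execute(['d4e5f6-guid', 'settings', 'email', 'bob@example.org']);
$ins->execute(['g7h8i9-guid', 'settings', 'email', 'BOB@example.org']);   // same address, other account
$ins->execute(['d4e5f6-guid', 'otherapp', 'email', 'carol@example.org']); // not the account's mail row

var_dump(resolveUidByEmail($db, 'alice@example.org')); // unique match, case-insensitive
var_dump(resolveUidByEmail($db, 'bob@example.org'));   // two accounts share the address: refused
var_dump(resolveUidByEmail($db, 'carol@example.org')); // row belongs to another app: refused
```

In the real app the caller would treat `null` as "no such user" and deny the login rather than continuing with the raw attribute value.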