SAML authentication with WEBDAV. Is it possible?

I use Nextcloud with SAML authentication and I would like to use the WEBDAV feature. Is it possible?
I know that authentication to WEBDAV works with users from an LDAP or directly from the Nextcloud database, but I do not know if I can authenticate using the SAML method.

2 Likes

Please @paulbach have you succeeded connecting via WebDAV when using SAML auth?

I’ve tried several methods but all failed, if needed I can experiment more and give more detailed feedback.

Thanks! Giovanni.

Hi @all,

Any news on that topic? I face the same problem. When I try to access Nextcloud 25.0.6 via WebDAV with SAML with Azure AD, the file explorer shows an empty folder.

Thanks
Christian

I think you’ll probably need to create an App password for this. Go to personal settings → security and you can do it there.

Hi crobarcro,
but this is not what I want. The SAML auth should also work with WebDAV.
I tried it with an app password, but with the same result. Sometimes it works fine and after a reboot it doesn’t. Sometimes it works.

I have no idea.

Any suggestions?

Thanks
Chris

What appears in your NC logs around that time?

I use App password for WebDAV as SSO&SAML authentication integrated with 2FA.

With the log, I can find the following.

{"reqId":"zoBMfbWzMVTwvUirdxJS","level":0,"time":"2023-05-04T08:44:28+00:00","remoteAddr":"80.147.79.142","user":"--","app":"user_saml","method":"OPTIONS","url":"/","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Microsoft-WebDAV-MiniRedir/10.0.19044","version":"25.0.6.1","data":{"app":"user_saml"}}
{"reqId":"JNLzxH8pWCNZWueiyGZO","level":0,"time":"2023-05-04T08:44:29+00:00","remoteAddr":"80.147.79.142","user":"--","app":"user_saml","method":"OPTIONS","url":"/login","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Microsoft-WebDAV-MiniRedir/10.0.19044","version":"25.0.6.1","data":{"app":"user_saml"}}
{"reqId":"w0FyGiFMPM8slzCX8O1L","level":0,"time":"2023-05-04T08:44:29+00:00","remoteAddr":"80.147.79.142","user":"--","app":"user_saml","method":"OPTIONS","url":"/apps/user_saml/saml/selectUserBackEnd?redirectUrl=","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Microsoft-WebDAV-MiniRedir/10.0.19044","version":"25.0.6.1","data":{"app":"user_saml"}}
{"reqId":"sXusbBDyQVoiaJNPT7tf","level":0,"time":"2023-05-04T08:44:29+00:00","remoteAddr":"80.147.79.142","user":"--","app":"user_saml","method":"PROPFIND","url":"/remote.php/webdav","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Microsoft-WebDAV-MiniRedir/10.0.19044","version":"25.0.6.1","data":{"app":"user_saml"}}
{"reqId":"sXusbBDyQVoiaJNPT7tf","level":0,"time":"2023-05-04T08:44:29+00:00","remoteAddr":"80.147.79.142","user":"--","app":"webdav","method":"PROPFIND","url":"/remote.php/webdav","message":"No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured","userAgent":"Microsoft-WebDAV-MiniRedir/10.0.19044","version":"25.0.6.1","exception":{"Exception":"Sabre\\DAV\\Exception\\NotAuthenticated","Message":"No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured","Code":0,"Trace":[{"file":"/var/www/html/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"beforeMethod","class":"Sabre\\DAV\\Auth\\Plugin","type":"->","args":[["Sabre\\HTTP\\Request"],["Sabre\\HTTP\\Response"]]},{"file":"/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php","line":456,"function":"emit","class":"Sabre\\DAV\\Server","type":"->","args":["beforeMethod:PROPFIND",[["Sabre\\HTTP\\Request"],["Sabre\\HTTP\\Response"]]]},{"file":"/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php","line":253,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->","args":[["Sabre\\HTTP\\Request"],["Sabre\\HTTP\\Response"]]},{"file":"/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"Sabre\\DAV\\Server","type":"->","args":[]},{"file":"/var/www/html/apps/dav/appinfo/v1/webdav.php","line":85,"function":"exec","class":"Sabre\\DAV\\Server","type":"->","args":[]},{"file":"/var/www/html/remote.php","line":172,"args":["/var/www/html/apps/dav/appinfo/v1/webdav.php"],"function":"require_once"}],"File":"/var/www/html/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php","Line":152,"message":"No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured","exception":{},"CustomMessage":"No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured"}}
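
A way to pull rejected WebDAV requests like the one above out of a Nextcloud log, as an added example (not part of the original posts and not Nextcloud code): it keeps entries whose exception is `Sabre\DAV\Exception\NotAuthenticated` and flags those where the client sent no `Authorization` header at all. The sample lines, the function names and the "Username or password was incorrect" message are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample shaped like the nextcloud.log entries quoted above;
# request IDs, the second user agent and the 192.0.2.x addresses are made up.
SAMPLE_LOG = r'''
{"reqId":"req-1","level":0,"remoteAddr":"192.0.2.10","user":"--","app":"user_saml","method":"PROPFIND","url":"/remote.php/webdav","message":"/appinfo/app.php is deprecated","userAgent":"Microsoft-WebDAV-MiniRedir/10.0.19044"}
{"reqId":"req-1","level":0,"remoteAddr":"192.0.2.10","user":"--","app":"webdav","method":"PROPFIND","url":"/remote.php/webdav","message":"No 'Authorization: Basic' header found.","userAgent":"Microsoft-WebDAV-MiniRedir/10.0.19044","exception":{"Exception":"Sabre\\DAV\\Exception\\NotAuthenticated","Message":"No 'Authorization: Basic' header found."}}
{"reqId":"req-2","level":0,"remoteAddr":"192.0.2.11","user":"--","app":"webdav","method":"PROPFIND","url":"/remote.php/webdav","message":"Username or password was incorrect","userAgent":"example-dav-client/1.0","exception":{"Exception":"Sabre\\DAV\\Exception\\NotAuthenticated","Message":"Username or password was incorrect"}}
{"reqId":"req-3","level":0,"remoteAddr":"192.0.2.10","user":"--","app":"webdav","method":"PROPFIND","url":"/remote.php/webdav","message":"No 'Authorization: Basic' header found.
'''

NOT_AUTH = "Sabre\\DAV\\Exception\\NotAuthenticated"
NO_HEADER = "No 'Authorization: Basic' header found"


def parse(lines):
    """Yield one dict per JSON log line; skip blank or truncated lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # e.g. an entry cut or wrapped mid-string, like req-3


def unauthenticated_dav(entries):
    """Return the requests that the DAV auth plugin rejected."""
    hits = []
    for e in entries:
        exc = e.get("exception") or {}
        if exc.get("Exception") != NOT_AUTH:
            continue  # drops the user_saml deprecation noise
        msg = exc.get("Message") or e.get("message", "")
        hits.append({
            "reqId": e.get("reqId"), "remoteAddr": e.get("remoteAddr"),
            "method": e.get("method"), "url": e.get("url"),
            "userAgent": e.get("userAgent"),
            # True: the client sent no credentials, rather than wrong ones
            "no_credentials": NO_HEADER in msg,
        })
    return hits


def summarize(hits):
    """Count rejected requests per (user agent, source address)."""
    return Counter((h["userAgent"], h["remoteAddr"]) for h in hits)


if __name__ == "__main__":
    for h in unauthenticated_dav(parse(SAMPLE_LOG.splitlines())):
        print(h)
```
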

The same trouble for me. Sometimes it works, sometimes not.

Hi @a3linux, so once you got the app password in your WebDAV app, it is not any longer 2FA. The only factor is the app password. Did I understand you correctly?

Yes, with an app password, it is not 2FA. It is a Nextcloud app credential then.
You can very easily track and revoke app sessions in the Nextcloud security settings, and without the 2FA web login, I do not think you have a way to create and use an app password, so it is still safe.

1 Like