The nextcloud desktop client shows the SAML login on each startup. After each successful login a new auth token is created for my user. So I’d expect this token is stored by the client and will be used to authenticate against the nextcloud in the future. But the only secret that is stored by the client is the _shibsession_ cookie which is pretty useless as its content is just authenticated. Additionally I figured out that I have to re-login after I’ve restarted the Apache that serves the nextcloud. So I assume that the nextcloud client uses some session cookies for the authentication for the WebDAV API if user_saml is activated.
1 Like
I’m experiencing this as well on all desktop platforms. This issue is not present on Android. Oddly enough, I’ve noticed that if I close the login prompt without logging in, then choose login from the tray icon menu (on Windows, haven’t tried on other platforms), it will login without prompting.
What gives?