User_saml and shibboleth

Hello,

I’m not used to Shibboleth or SAML, but from the sparse information I gathered, it seems that user_saml is its own service provider (SP) and does not use shibd (the Shibboleth daemon). Am I right?

I managed to get user_saml configured, but when I try to connect, my IdP says that it does not know my SP id.

Error Message: SAML 2 SSO profile is not configured for relying party https://FOOBAR/index.php/apps/user_saml/saml/metadata

(If I understand correctly, that’s the purpose of the “Download metadata” button, to be able to properly configure the IdP)

So I have two questions.

  • Is the user_saml app able to use the shib daemon?
  • Does the user_saml app allow mapping some IdP-returned properties to put the user in some groups?

Many thanks for any answer, or link to documentation :slight_smile:

Hey @Armage

I guess I can help you more on that. At the moment the user_saml app only acts as an SP. This gives us more flexibility and also integrates with more than “just” Shibboleth.

However, there is a new feature request from this morning that is about adding support for an external service provider. I think that’s a feasible idea and will see if I find some time to add that for our next major release.

At the moment though, only using Nextcloud as service provider is supported.

Can you share your configuration with us? Shibboleth should actually work quite fine, see the following topic that contains some examples for Shibboleth:

Not yet. At the moment it is however supported to use it in combination with another user backend. So if you have user_ldap configured the whole group management and user information would be pulled from there.

Can you maybe open a feature request at Issues · nextcloud/user_saml · GitHub and describe what the advantages on this approach would be?

Thanks a lot! And if you have any more questions please let me know. If you have specific feature requests or encounter bugs please file them directly on GitHub. :rocket:

Cheers,
Lukas
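The IdP error in the first post (“SAML 2 SSO profile is not configured for relying party …”) is what a Shibboleth IdP reports when it has no metadata for the SP’s entityID. As an added example (not from this thread, the user_saml project or the Shibboleth documentation), the two IdP-side fragments below register the metadata downloaded from Nextcloud and, optionally, override the profile for that one SP; it assumes Shibboleth IdP v3 or v4, and the file path, provider id and FOOBAR host are constructed placeholders.

```xml
<!-- Fragment for conf/metadata-providers.xml: register the SP metadata saved from the
     user_saml "Download metadata" button. The entityID inside that file must match the
     relying party string in the IdP error byte for byte. Path and id are constructed. -->
<MetadataProvider id="NextcloudSP"
                  xsi:type="FilesystemMetadataProvider"
                  metadataFile="%{idp.home}/metadata/nextcloud-sp.xml"/>

<!-- Fragment for conf/relying-party.xml. Usually nothing is needed here: the default
     relying-party configuration already enables SAML2.SSO for any SP found in metadata,
     and an SP that is NOT found in metadata is treated as an unverified relying party
     with no profiles enabled, which is exactly what produces the error above.
     Add an override only when this SP needs non-default settings. -->
<util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName"
          c:relyingPartyIds="https://FOOBAR/index.php/apps/user_saml/saml/metadata">
        <property name="profileConfigurations">
            <list>
                <!-- Example override; remove p:encryptAssertions to keep the IdP
                     default of encrypting assertions for this SP. -->
                <bean parent="SAML2.SSO" p:encryptAssertions="false"/>
            </list>
        </property>
    </bean>
</util:list>
```

After editing, reload the affected services instead of restarting (IdP v3+): `bin/reload-service.sh -id shibboleth.MetadataResolverService` and, if the override was added, `bin/reload-service.sh -id shibboleth.RelyingPartyResolverService`.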