https://github.com/mirekys/user_shib
Shibboleth user and group backend app for ownCloud
authentication external-identities owncloud shibboleth users
- Host: GitHub
- URL: https://github.com/mirekys/user_shib
- Owner: mirekys
- License: agpl-3.0
- Created: 2016-02-05T09:52:05.000Z (over 10 years ago)
- Default Branch: master
- Last Pushed: 2018-01-22T16:16:15.000Z (over 8 years ago)
- Last Synced: 2025-02-25T22:14:13.752Z (over 1 year ago)
- Topics: authentication, external-identities, owncloud, shibboleth, users
- Language: PHP
- Size: 89.8 KB
- Stars: 1
- Watchers: 1
- Forks: 2
- Open Issues: 1
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: COPYING
- Authors: AUTHORS.md
README
# User Shib
This application enables federated Shibboleth
authentication and automatic user and group provisioning
based on Shibboleth attributes. It requires
a configured and running Shibboleth SP.
# Shibboleth configuration
You can configure a Shibboleth SP by following this official [guide](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPGettingStarted).
# Apache configuration
To get the authentication backend working, you
must enforce a Shibboleth session on at least the following Location:
```
AuthType shibboleth
ShibRequireSession On
ShibUseHeaders Off
ShibExportAssertion On
ShibRequestSetting requireSession 1
```
Since we establish a proper ownCloud authenticated session on the login URL above,
the rest of ownCloud can be covered by a Shibboleth [lazy session](https://aai-demo.switch.ch/lazy/).
Here we rely on ownCloud to determine whether a request needs authentication.
```
...
AuthType shibboleth
Require shibboleth
ShibUseHeaders Off
ShibExportAssertion On
```
# App configuration
As of now, you can install the app by just putting it inside your _apps/_ directory
and enabling it, like you would with any other app.
## Admin configuration
On the _Admin_ page, you can configure the mapping of Shibboleth attributes
to ownCloud and some backend options. The meaning of each option is as follows:
### Mapping configuration
* **Attribute prefix** - prefix for all attributes provided by Shibboleth (the Shibboleth _attributePrefix_ setting).
* **Shibboleth Session ID** - attribute that contains the Shibboleth session ID of a user.
* **Unique persistent ID** - attribute that persistently and uniquely identifies a user amongst all others.
* **Username** - attribute to be used for ownCloud user name.
* **Full Name** - attribute to be used for display name.
* **First Name** - alternative attribute to be used for display name.
* **Surname** - alternative attribute to be used for display name.
* **Email** - attribute to be used as contact e-mail address.
* **Groups** - attribute to be used for group assignment.
* **External identities** - known external identities of the user (e.g. Google, FB, GitHub) [_not implemented yet_].
* **Required (checkbox)** - when checked, users must provide this attribute in order to be logged in.
### Backend configuration
* **Backend Activated** - Disabling it disables authentication using this user backend, but keeps everything else in place.
* **Autocreate accounts** - Create new account on user's first login.
* **Update user info on login** - Updates user's mail, display name, last seen, groups and other metadata on each login.
* **Update group membership on login** - Whether or not to update user's group membership based on the _Groups_ attribute.
* **Autocreate groups** - Create new ownCloud groups based on user's _Groups_ attribute (except for _Protected Groups_).
* **Autoremove groups** - Remove user from groups that are not listed in user's _Groups_ attribute (except for _Protected Groups_).
* **Protected Groups** - Do not override membership in these ownCloud groups with the Shibboleth _Groups_ attribute.
* **Group filter** - Only _Groups_ matching this regex will be recognized by ownCloud.
* **Update identity mappings on login** - Updates mapping of user's external identities to an ownCloud account on each login (_requires External identities field_).
* **Expiration period** - Require users to log in using Shibboleth periodically, otherwise the user account expires and becomes disabled. Leave empty to disable expiration.
* **Expiration warning** - How many days in advance should users be warned about an expiration. Leave empty to disable warnings.
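
How the group options above combine on one login, as an added example that is not the app's own code (the app is PHP; this is a Python model for checking a configuration before enabling it). The function name, the sample groups, the unanchored matching of the _Group filter_ and the treatment of _Protected Groups_ as never granted or removed by the attribute are assumptions drawn from the option descriptions.

```python
import re

def plan_group_sync(raw_groups, current, existing, *, group_filter, protected,
                    update_membership=True, autocreate=True, autoremove=True):
    """Model one login. Returns (create, add, remove) as sets of group names."""
    if not update_membership:            # "Update group membership on login" off
        return set(), set(), set()
    current, existing, protected = set(current), set(existing), set(protected)
    # The Shibboleth SP joins multiple attribute values with ';'.
    asserted = {g.strip() for g in raw_groups.split(";") if g.strip()}
    # Assumption: the Group filter is applied as an unanchored regex search.
    pattern = re.compile(group_filter)
    # Protected groups are never taken from the attribute (assumption).
    recognized = {g for g in asserted if pattern.search(g)} - protected
    # Autocreate groups: recognized names that do not exist yet.
    create = recognized - existing if autocreate else set()
    # Membership can only be added for groups that exist after creation.
    add = (recognized & (existing | create)) - current
    # Autoremove groups: current memberships the attribute no longer backs.
    remove = current - recognized - protected if autoremove else set()
    return create, add, remove

# Constructed sample data, not taken from a real deployment.
RAW = "staff;students-2024;admin;xstaff-external"
CURRENT = {"admin", "local-project"}
EXISTING = {"admin", "staff", "local-project"}

def demo(group_filter):
    """Run the model with 'admin' protected and all group options enabled."""
    return plan_group_sync(RAW, CURRENT, EXISTING,
                           group_filter=group_filter, protected={"admin"})

if __name__ == "__main__":
    for flt in ("staff|students", r"^(staff|students-\d{4})$"):
        create, add, remove = demo(flt)
        print(f"filter {flt!r}")
        print("  create:", sorted(create))
        print("  add:   ", sorted(add))
        print("  remove:", sorted(remove))
```

With the unanchored filter `staff|students` the lookalike name `xstaff-external` is recognized and auto-created, while the anchored pattern admits only the intended names. In both runs the locally assigned `local-project` membership is removed because it is neither listed in the attribute nor protected.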
## Personal configuration
Users are required to set a special password for the synchronization clients on their _Personal_ page
under the _Client login credentials_ section.