SSO & SAML authentication new account logins not getting auto group #42
Comments
|
Hi @The0tter0ne, Thanks for getting in touch! Just to be sure: Did you enable the option „Check for correct Auto Groups membership on every login“ at the bottom of the settings? This is required for the Auto Groups app to work correctly with external user backends. Furthermore, a logout and re-login might be necessary. Please let me know whether or not this makes it work in your case. |
stjosh
added
bug
|
Hi, Yes I checked the option. I also already did a login/logout and such with multiple test accounts. See settings attached |
|
Hmm, thanks for the update. Honestly, I did not have the chance to test it with the SSO app so far. Do you see anything suspicious in the logs? I.e., maybe an exception is thrown which would help us? Meanwhile, I‘ll try to reproduce your setup in the coming days. |
|
This tutorial could help to test it with Auth0: https://medium.com/@mathiasconradt/nextcloud-single-sign-on-with-auth0-a546cdf1fccf |
|
Without having studied the code in great depth, I suspect that the SSO App does not emit the events which the Auto Groups app expects (i.e., at least UserLoggedIn and, optionally, also UserCreated). I think the UserLoggedIn event should be emitted somewhere here: However, this needs further investigation. |
I've checked the logs and could find no failures or whatsoever. I've set it up almost as similar to the setup described here: |
|
I see. Well, as I said, I think that simply the events expected by the Auto Groups app are not emitted when authenticating via the SSO app. I think we should first try to verify this assumption and, if verified, open an issue in the SSO app's issue tracker to add these events (at least the PostLoginEvent). @The0tter0ne Do you think you could assist me in testing? The easiest would be if you could add an error/warning log line in the Auto Group app's source at the beginning of the e.g., Then login and see if the log line appears in your logs. If it does not, that means that the event is never emitted when authenticating via the SSO app. This would save me the time and effort to setup a working SSO setup myself. |
stjosh
added
help wanted
|
I've added the line for the logging however it cannot be found in the logs, so it appears it's not emitting that event. (Deleted the user, logged in via SSO, no groups were added, logged out the user and back in and still no groups were added) |
|
Unfortunately, I did not manage to get a SAML setup working myself. So may I ask you to help testing again? I have attached a patched version of Here's the diff - basically, I have just added the necessary code to emit the PostLogin event: --- SAMLControllerOriginal.php 2020-05-18 09:29:32.000000000 +0200
+++ SAMLController.php 2020-05-18 09:30:50.000000000 +0200
@@ -42,6 +42,9 @@ use OneLogin\Saml2\Error;
use OneLogin\Saml2\Settings;
use OneLogin\Saml2\ValidationError;
+use OCP\User\Events\PostLoginEvent;
+use OCP\EventDispatcher\IEventDispatcher;
+
class SAMLController extends Controller {
/** @var ISession */
private $session;
@@ -62,6 +65,8 @@ class SAMLController extends Controller
/** @var IL10N */
private $l;
+ private $eventDispatcher;
+
/**
* @param string $appName
* @param IRequest $request
@@ -85,7 +90,8 @@ class SAMLController extends Controller
IURLGenerator $urlGenerator,
IUserManager $userManager,
ILogger $logger,
- IL10N $l) {
+ IL10N $l,
+ IEventDispatcher $eventDispatcher) {
parent::__construct($appName, $request);
$this->session = $session;
$this->userSession = $userSession;
@@ -96,6 +102,7 @@ class SAMLController extends Controller
$this->userManager = $userManager;
$this->logger = $logger;
$this->l = $l;
+ $this->eventDispatcher = $eventDispatcher;
}
/**
@@ -294,6 +301,8 @@ class SAMLController extends Controller
if($firstLogin) {
$this->userBackend->initializeHomeDir($user->getUID());
}
+
+ $this->eventDispatcher->dispatchTyped(new PostLoginEvent($user, '', false));
} catch (\Exception $e) {
$this->logger->logException($e, ['app' => $this->appName]);
return new Http\RedirectResponse($this->urlGenerator->linkToRouteAbsolute('user_saml.SAML.notProvisioned'));Can you try whether replacing the SAMLController.php with this patched version fixes the issue with the Auto Groups? (Of course, make sure to backup the original one and restore it after your test... 😉) |
|
This fixes it, left the log write in the line and it triggered and wrote line in the log: |
|
Great. I'd suggest to do a last test before opening an issue in the SSO & SAML repo. Specifically, I noticed that there are two events, i.e., PostLoginEvent and UserLoggedInEvent. Currently, AutoGroups is listening to the PostLoginEvent. I am not sure what the difference is between those two events, but I'd like to test whether or not it makes a difference if we listen to the UserLoggedInEvent instead. Therefore, could you please,
Then, do your tests again. If the result is the same as above, I can probably simply change the event AutoGroups is listening to. If the auto groups are not assigned and the log messages do not appear anymore, that's an issue which needs to be fixed in the SSO & SAML app. |
|
Changing the PostLoginEvent to UserLoggedInEvent also appears to be working. (Deleted user -> Logged in via SSO -> Login successful with folders) Also provides logfile, would be nice to have an info log if a new user is logging in via this method and gets group(s) but that's probably up to the SSO & SAML app. |
|
@The0tter0ne Great!! Just to double-check:
Well, Auto Groups writes logs, but only with log level notice: https://github.com/stjosh/auto_groups/blob/master/lib/AutoGroupsManager.php#L102 . You'll probably have to adjust your |
Yes I've put the original file back and only put in the edit with the changed Event. Thanks for the support. However a new problem came up, when using this the users additional groups get removed as soon as you re-login. Also with the fix it suddenly stopped working as a whole. I removed app and re-enabled it and applied the fix but no luck after this. After re-applying the patched version of the user_saml app it started working again. |
|
Sorry, now I‘m lost. 🤔
It might help if you could give a more specific, verbose example, i.e., which groups were set in Auto Groups, which groups did the user have in addition, what was the state after login, what was the expected state after login, etc. Thanks! |
|
The fix appeared to work at first but didn't after I tried again today. So I re-applied the user_saml edit for the other app for SSO which appears to do the job all the time in regards to assigning groups automatically in combination with this app. However, when assigning the user additional groups and the users then logs out and logs back in. All groups, other than the one selected in the auto_group app, gets removed. The expected state after re-login was the user would have the assigned group from the earlier assigned auto group and additional group memberships assigned manual. This does not work with either the user_saml app edit or auto_group edit earlier. |
|
That leaves me puzzled. 🤔 The Auto Groups app will only ever remove users from a configured Auto Group. So, a few questions:
Unfortunately, I don't have the time at the moment to try getting a SAML setup working and reproduce the issue(s). I tried yesterday for 1.5hours and failed miserably... |
|
I've illustrated the issue for you below.
Find logs attached, I've briefly looked through them but cannot pinpoint the issue: Hope this makes it more clear. |
|
Many thanks for the pics & logs. Your pictures confirm that my understanding of the issue is correct. However, I do honestly doubt that AutoGroups is responsible for the "lost" groups:
{"reqId":"pPkCPhNCIzAW35EjfFh5","level":1,"time":"2020-05-19T07:10:13+00:00","remoteAddr":"REMOTE.IP","user":"test.user@test.mail","app":"auto_groups","method":"POST","url":"/apps/user_saml/saml/acs","message":"Add user test.user@test.mail to auto group Medewerkers","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0","version":"18.0.4.2"}
{"reqId":"pPkCPhNCIzAW35EjfFh5","level":0,"time":"2020-05-19T07:10:13+00:00","remoteAddr":"REMOTE.IP","user":"test.user@test.mail","app":"user_saml","method":"POST","url":"/apps/user_saml/saml/acs","message":"Group attribute content: []","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0","version":"18.0.4.2"}shortly followed by the following lines, indicating that the user was removed from some group, because the group attribute's content is empty: {"reqId":"pPkCPhNCIzAW35EjfFh5","level":0,"time":"2020-05-19T07:10:13+00:00","remoteAddr":"REMOTE.IP","user":"test.user@test.mail","app":"no app in context","method":"POST","url":"/apps/user_saml/saml/acs","message":"Deprecated event type for OCP\\IGroup::preRemoveUser: Symfony\\Component\\EventDispatcher\\GenericEvent","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0","version":"18.0.4.2"}
{"reqId":"pPkCPhNCIzAW35EjfFh5","level":0,"time":"2020-05-19T07:10:13+00:00","remoteAddr":"REMOTE.IP","user":"test.user@test.mail","app":"no app in context","method":"POST","url":"/apps/user_saml/saml/acs","message":"Deprecated event type for OCP\\IGroup::postRemoveUser: Symfony\\Component\\EventDispatcher\\GenericEvent","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0","version":"18.0.4.2"}And right after these lines, the auto_groups does its duty and adds the configured Auto Group again. 😄 Thus, I'd propose to test the same workflow again with the "Auto Groups" app disabled, i.e., login, assign some groups, log out and log in again. If the groups are gone, it's probably the SAML app assigning the groups received by the SAML backend (e.g., the Azure AD). I'm pretty sure there's an option to disable this behavior. |
|
Ah, it appears the mapping to groups messed it up in the SAML SSO app. Removed the mapping to group and this resolved it: Furthermore, I checked with your previous fix with "Replace the two occurrences of PostLoginEvent with UserLoggedInEvent in AutoGroupsManager.php (there should be two of them)"; this works with the current setup. Thanks for the support! |
|
Okay. great. Now we have a plan to fix it. 😃 |
|
Release 1.2.0 is built and should fix your issue. It basically contains the fix that you have currently applied anyway. Unfortunately, the nextcloud app store API seems to be down at the moment, so I can't push it to the app store. I will close this issue once you have confirmed that Auto Groups works nicely with SAML using v1.2.0 from the official Nextcloud App store. |
stjosh
added
blocked
|
v1.2.0 is now published to the App Store. Could you please verify and confirm that this is working with an unmodified user_saml? Many thanks! |
|
The unmodified user_saml was already set back. Furthermore I checked and when removing the user and then logging in group gets assigned via SSO via Azure AD. Also when additional groups are assigned the group permission remains after a logging in and out. Thanks for the fix! |
|
Great! 🥳 PS A positive rating in the app store would be appreciated 😉 |
|
After doing additional testing with other users it appears new users still do not get the auto group. The fix doesn't appear to do the trick unfortunately as the function is not called upon. Do you have any other ideas? Or should the user_saml app be updated perhaps? |
|
Hmm, nope, no other ideas except opening an issue for the user_saml app, saying that neither UserLoggedInEvent nor PostLoginEvent is emitted for user logins and asking whether or not this is intended behavior... I think it might make sense if you opened that issue, since you will be able to test any proposals by the SAML team. I‘ll follow it as well, though, since I am curious about how this turns out. 😉 |
|
Thanks for the follow up, as you can see above I've created an issue with the app. |
|
sadly, I´m facing the same Problem at the moment on NC 19.0.3 an app version 1.2.0; |
|
@menace133780 Unfortunately, there‘s not much I can do about this. You may try to leave a note on nextcloud/user_saml#426 to increase the visibility on the user_saml side. |
|
@outofcontrol Seems that you have a working setup with SAML SSO and Maybe, meanwhile the problem has been fixed either in core or in the |
|
@The0tter0ne and/or @menace133780 - maybe, if having this fixed would still provide value for you, you might want to try it again as it seems to work with recent versions of Nextcloud and the SAML SSO app. |
|
Nextcloud: Server: (Apologies for switching to my work on the other issue. Too many accounts) |
|
Great, many thanks for your config details! |
|
Closing this issue after more than a year without any feedback. |
When logging in via SSO & SAML (https://apps.nextcloud.com/apps/user_saml) connected to Azure AD the new user will not be assigned a group automatically.
The text was updated successfully, but these errors were encountered: