NextCloud AAI : SAML : Didmos Staging #107

Open
35 tasks done
darnold-zalf opened this issue Jan 23, 2025 · 0 comments
Steps done so far:

Carmen/I are keeping this document updated : https://nextcloud.fairagro.net/apps/onlyoffice/18081?filePath=%2FFAIRagro%2F06_TA_Ordner%2FTA4%2FM4.2%2Fmeetings%20-%20protocols%2FIAM4NFDI%20Inkubator%2FDidmos_Meeting_Notes.docx

  • SAML entries manually entered into nextcloud at https://nextcloud.fairagro.net/settings/admin/saml
    • x509 self-signed certificate uploaded
    • metadata file generated and provided to Didmos/DAASI team
      • Note the metadata file comes with a 2-day validity; however, this can be manually adjusted to 1 year in advance.
  • 16.October meeting w/ Ali Haider (Didmos)/Carsten/Carmen/Stephan
    • Verified SAML metadata file (once Ali manually updated the validUntil field to 1 year in future)
      • Ali needed to jenkins-rebuild his staging environment with the updated SAML metadata file (?)
    • Carsten verified SAML connection from https://nextcloud.fairagro.net ('Federated FAIRagro log in') to the Didmos/DAASI staging environment, however ..
    • .. there were issues with the staging LDAP account/service in the auth.staging.nfdi-aai.daasi.de environment
  • 16-23 October : Ali fixed the staging LDAP account
  • 23.October: "Account not provisioned" error.
    • Fixed by loading the correct IdP certificate in the correct format
  • 23.October-5.November : "IDP parameter for the UID not found. Possible parameters are"
    • Download + install SAML tracer for chrome + give results to Ali
    • Attribute mappings need to be correctly set up
  • 5.November: Attribute mappings w/ Ali + Carmen:
    • With the below attributes mapped, the testuser can now SAML-login to NC
      • displayname = urn:oid:2.16.840.1.113730.3.1.241
      • email address = urn:oid:0.9.2342.19200300.100.1.3
      • Group Mapping Prefix, default: SAML_ = urn:geant:dfn.de:nfdi.de:group
  • Still todo: 'Group too long error'
    • Ali to check with his team and get back to us.
    • note: Carmen Scheuner (?) created the proper nextcloud groups in the production didmos environment, but we are currently testing against the staging didmos environment, so the groups we set up in prod aren't in staging.
    • 18.November : sent followup email to Ali
      • group-too-long-error
      • testuser@nfdi.com no longer works
      • although we config didmos SAML against staging didmos, the didmos-login connects to the prod login portal
    • 25.November
      • Ali rebuilt the staging environment with a new attribute 'isMemberof' with urn urn:oid:1.3.6.1.4.1.5923.1.5.1.1
      • The SAML response is now correct:
      • <ns1:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="isMemberOf"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Next Cloud</ns1:AttributeValue></ns1:Attribute>
      • And the testuser@nfdi.com is now a member of the Next Cloud group (this retrieved from SAML)
  • This concludes the successful evaluation of NC -> SAML -> didmos (staging)
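The attribute mapping worked out above (displayname, email and group OIDs, plus the `SAML_` group prefix) and the two failure modes hit along the way ("IDP parameter for the UID not found" and the group-too-long error) can be reproduced offline with a small parser. The following is an added example written for this issue, not code from Nextcloud, the user_saml app or Didmos; the sample AttributeStatement is constructed, the uid OID (`urn:oid:0.9.2342.19200300.100.1.1`) is an assumption since the issue does not say which attribute carries the UID, and the 64-character group-id limit is likewise assumed for illustration.

```python
"""Added example: parse a SAML AttributeStatement and apply the OID-based
attribute mapping described in the issue. Not the project's own code."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Mapping from the issue (OID -> Nextcloud field). "SAML_" is the default
# group-mapping prefix the issue mentions.
ATTRIBUTE_MAP = {
    "urn:oid:2.16.840.1.113730.3.1.241": "displayname",
    "urn:oid:0.9.2342.19200300.100.1.3": "email",
    "urn:oid:1.3.6.1.4.1.5923.1.5.1.1": "groups",  # isMemberOf
}
GROUP_PREFIX = "SAML_"
# Assumption: the issue does not state which attribute carries the UID; the
# standard uid OID is used here for illustration only.
UID_ATTRIBUTE = "urn:oid:0.9.2342.19200300.100.1.1"
# Assumption: group ids longer than this are rejected ("group too long").
MAX_GROUP_ID_LEN = 64

# Constructed sample (not a captured response), shaped like the isMemberOf
# attribute quoted in the issue plus uid/displayname/email attributes.
SAMPLE_RESPONSE = f"""<ns1:AttributeStatement xmlns:ns1="{SAML_NS}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <ns1:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid">
    <ns1:AttributeValue xsi:type="xs:string">testuser</ns1:AttributeValue>
  </ns1:Attribute>
  <ns1:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="displayName">
    <ns1:AttributeValue xsi:type="xs:string">Test User</ns1:AttributeValue>
  </ns1:Attribute>
  <ns1:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
    <ns1:AttributeValue xsi:type="xs:string">testuser@nfdi.com</ns1:AttributeValue>
  </ns1:Attribute>
  <ns1:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" FriendlyName="isMemberOf">
    <ns1:AttributeValue xsi:type="xs:string">Next Cloud</ns1:AttributeValue>
  </ns1:Attribute>
</ns1:AttributeStatement>"""


def parse_attributes(xml_text):
    """Return {attribute Name: [values, ...]} from an AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs[attr.get("Name")] = values
    return attrs


def map_to_nextcloud(attrs, uid_attribute=UID_ATTRIBUTE, attribute_map=ATTRIBUTE_MAP,
                     group_prefix=GROUP_PREFIX, max_group_id_len=MAX_GROUP_ID_LEN):
    """Apply the mapping; raise on the two failure modes the issue ran into."""
    if not attrs.get(uid_attribute):
        # Same situation as the "IDP parameter for the UID not found" error:
        # list what the IdP actually sent so the mapping can be corrected.
        raise ValueError("IDP parameter for the UID not found. Possible parameters are: "
                         + ", ".join(sorted(attrs)))
    user = {"uid": attrs[uid_attribute][0], "groups": []}
    for oid, field in attribute_map.items():
        values = attrs.get(oid, [])
        if field == "groups":
            for group in values:
                gid = group_prefix + group
                if len(gid) > max_group_id_len:
                    raise ValueError(f"group too long: {gid!r}")
                user["groups"].append(gid)
        elif values:
            user[field] = values[0]
    return user


if __name__ == "__main__":
    print(map_to_nextcloud(parse_attributes(SAMPLE_RESPONSE)))
```

Running it yields the testuser with display name, email and the single `SAML_Next Cloud` group; dropping the uid attribute reproduces the "Possible parameters are" listing, and an over-long group value reproduces the group-too-long rejection, which is the quickest way to check a new attribute release from the IdP before pointing the production Nextcloud at it.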