mirekys/user_shib

User Shib

This application enables federated Shibboleth authentication and automatic user and group provisioning based on Shibboleth attributes. It requires a configured and running Shibboleth SP.

Shibboleth configuration

You can configure a Shibboleth SP by following this official guide.

Apache configuration

To get the authentication backend working, a Shibboleth session must be enforced at least on the following Location:

<Location /owncloud/index.php/apps/user_shib/login>
	AuthType shibboleth
	ShibRequireSession On
	ShibUseHeaders Off
	ShibExportAssertion On
	ShibRequestSetting requireSession 1
</Location>

Since a proper ownCloud authenticated session is established on the login URL above, the rest of ownCloud can be covered by a Shibboleth lazy session; ownCloud itself then decides whether a request needs authentication or not.

<Location /owncloud>
	...
	AuthType shibboleth
	Require shibboleth
	ShibUseHeaders Off
	ShibExportAssertion On
</Location>

App configuration

As of now, you can install the app by placing it inside your apps/ directory and enabling it, as you would any other app.

Admin configuration

On the Admin page, you can configure the mapping of Shibboleth attributes to ownCloud and some backend options. The meaning of each option is as follows:

Mapping configuration

  • Attribute prefix - prefix for all attributes provided by Shibboleth (the attributePrefix Shibboleth setting).
  • Shibboleth Session ID - attribute that contains the Shibboleth session ID of a user.
  • Unique persistent ID - attribute that persistently and uniquely identifies a user amongst all others.
  • Username - attribute to be used for the ownCloud user name.
  • Full Name - attribute to be used for the display name.
  • First Name - alternative attribute to be used for the display name.
  • Surname - alternative attribute to be used for the display name.
  • Email - attribute to be used as the contact e-mail address.
  • Groups - attribute to be used for group assignment.
  • External identities - known external identities of the user (e.g. Google, FB, github) [not implemented yet].
  • Required (checkbox) - when checked, users must provide this attribute in order to be logged in.

Backend configuration

  • Backend Activated - Disabling it disables authentication using this user backend, but keeps everything else in place.
  • Autocreate accounts - Create a new account on the user's first login.
  • Update user info on login - Updates the user's mail, display name, last seen, groups and other metadata on each login.
  • Update group membership on login - Whether or not to update the user's group membership based on the Groups attribute.
    • Autocreate groups - Create new ownCloud groups based on the user's Groups attribute (except for Protected Groups).
    • Autoremove groups - Remove the user from groups that are not listed in the user's Groups attribute (except for Protected Groups).
    • Protected Groups - Membership of these ownCloud groups is never overridden by the Shibboleth Groups attribute.
    • Group filter - Only groups matching this regex are recognized by ownCloud.
  • Update identity mappings on login - Updates the mapping of the user's external identities to an ownCloud account on each login (requires the External identities field).
  • Expiration period - Require users to log in using Shibboleth periodically; otherwise the user account expires and becomes disabled. Leave empty to disable expiration.
  • Expiration warning - How many days in advance users should be warned about an expiration. Leave empty to disable warnings.
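The four group options above act together on every login. The following is an added illustration, not code from user_shib: it assumes a hypothetical function name, that the Shibboleth SP exports the multi-valued Groups attribute joined with ';', that Group filter is a full PCRE pattern, and a constructed sample user, and shows which memberships change under Group filter, Protected Groups, Autocreate groups and Autoremove groups.

```php
<?php
// Added illustration (hypothetical, not the app's own code): reconcile a
// user's ownCloud groups from the Shibboleth Groups attribute.
//   $currentGroups   groups the user is in now
//   $existingGroups  groups that already exist in ownCloud
//   $groupsAttribute raw attribute value, ';'-separated (assumed SP export)
//   $groupFilter     PCRE pattern from "Group filter" ('' = accept all)
//   $protectedGroups "Protected Groups": never added or removed from here
// Returns the groups to create, the memberships to add and to remove.
function reconcileGroups(array $currentGroups, array $existingGroups,
                         string $groupsAttribute, string $groupFilter,
                         array $protectedGroups, bool $autocreate,
                         bool $autoremove): array {
    $wanted = [];
    foreach (explode(';', $groupsAttribute) as $g) {
        $g = trim($g);
        if ($g === '' || in_array($g, $wanted, true)) continue;
        // Group filter: values not matching the regex are ignored entirely.
        if ($groupFilter !== '' && preg_match($groupFilter, $g) !== 1) continue;
        $wanted[] = $g;
    }
    $create = $add = $remove = [];
    foreach ($wanted as $g) {
        // Protected groups cannot be granted through the attribute.
        if (in_array($g, $protectedGroups, true) || in_array($g, $currentGroups, true)) continue;
        if (!in_array($g, $existingGroups, true)) {
            if (!$autocreate) continue;   // unknown group, creation disabled
            $create[] = $g;
        }
        $add[] = $g;
    }
    if ($autoremove) {
        foreach ($currentGroups as $g) {
            // Anything not in the attribute is dropped unless protected.
            if (!in_array($g, $wanted, true) && !in_array($g, $protectedGroups, true)) {
                $remove[] = $g;
            }
        }
    }
    return ['create' => $create, 'add' => $add, 'remove' => $remove];
}

// Constructed sample: the attribute claims "admin" and an unfiltered "other";
// only "idp-" groups pass the filter and "admin" is protected anyway.
$result = reconcileGroups(
    ['admin', 'idp-staff', 'local-editors'],
    ['admin', 'idp-staff', 'idp-students', 'local-editors'],
    'idp-staff;idp-students;idp-alumni;admin;other',
    '/^idp-/', ['admin'], true, true
);
var_export($result);
// create: idp-alumni; add: idp-students, idp-alumni; remove: local-editors
```

Note that the locally managed group local-editors is removed because it is absent from the attribute; a group that must survive Autoremove has to be listed under Protected Groups.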

Personal configuration

Users are required to set a special password for the synchronization clients on their Personal page, under the Client login credentials section.

About

Shibboleth user and group backend app for ownCloud

License

AGPL-3.0 (see LICENSE and COPYING)