This application enables federated Shibboleth authentication and automatic user and group provisioning based on Shibboleth attributes. It requires a configured and running Shibboleth SP.
You can configure a Shibboleth SP by following this official guide.
In order to get the authentication backend working, you must enforce a Shibboleth session at least on the following Location:
<Location /owncloud/index.php/apps/user_shib/login>
AuthType shibboleth
ShibRequireSession On
ShibUseHeaders Off
ShibExportAssertion On
ShibRequestSetting requireSession 1
</Location>
Since a proper ownCloud authenticated session is established on the login URL above, the rest of ownCloud can be covered by a Shibboleth lazy session. We rely on ownCloud here to determine whether it needs authentication or not.
<Location /owncloud>
...
AuthType shibboleth
Require shibboleth
ShibUseHeaders Off
ShibExportAssertion On
</Location>
As of now, you can install the app by just putting it inside your apps/ directory and enabling it, like you would with any other app.
On the Admin page, you can configure the mapping of Shibboleth attributes to ownCloud and some backend options. The meaning of each option is as follows:
- Attribute prefix - prefix for all attributes provided by Shibboleth (i.e. the attributePrefix Shibboleth setting).
- Username - attribute to be used for ownCloud user name.
- Full Name - attribute to be used for display name.
- First Name - alternative attribute to be used for display name.
- Surname - alternative attribute to be used for display name.
- Email - attribute to be used as contact e-mail address.
- Groups - attribute to be used for group assignment [not implemented yet].
- Affiliation - attribute to be used for access control policy [not implemented yet].
- Backend Activated - Disabling it disables authentication using this user backend, but keeps everything else in place.
- Autocreate accounts - Create new account on user's first login.
- Update user info on login - Updates the user's e-mail, display name, last seen and other metadata on each login.
- Protected Groups - Do not override these OC groups by the Shibboleth attribute Groups [not implemented yet].
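The following PHP sketch is an added illustration of how the mapping options above fit together; it is not code from the user_shib app, and the function names, option keys and sample attribute values are all made up for the example. It shows two things the option list alone does not: the display-name fallback from Full Name to First Name plus Surname, and the fact that with ShibUseHeaders Off the attributes arrive as environment variables in $_SERVER (prefixed with the attribute prefix), not as client-supplied HTTP headers.

```php
<?php
// Added illustration, not user_shib's own code. The option keys passed in
// $options mirror the Admin-page settings described above; resolveShibUser()
// and loginAction() are hypothetical names.

/**
 * Map the Shibboleth-exported environment to ownCloud user fields.
 *
 * With "ShibUseHeaders Off" the SP exports attributes as environment
 * variables, so they are read from $_SERVER (passed in as $env) and never
 * from HTTP headers a client could set itself.
 */
function resolveShibUser(array $env, array $options): ?array
{
    if (empty($options['backend_active'])) {
        return null; // "Backend Activated" off: this backend authenticates nobody
    }
    $prefix = $options['attribute_prefix']; // the attributePrefix SP setting
    $get = function (string $attr) use ($env, $prefix): ?string {
        if ($attr === '') {
            return null; // option left empty on the Admin page
        }
        $value = $env[$prefix . $attr] ?? null;
        return ($value === null || $value === '') ? null : $value;
    };

    $uid = $get($options['username_attr']);
    if ($uid === null) {
        return null; // no username attribute means no authenticated user
    }

    // "Full Name" first; fall back to "First Name Surname" when both exist
    $display = $get($options['fullname_attr']);
    if ($display === null) {
        $first = $get($options['firstname_attr']);
        $last = $get($options['surname_attr']);
        if ($first !== null && $last !== null) {
            $display = $first . ' ' . $last;
        }
    }

    return [
        'uid' => $uid,
        'displayName' => $display ?? $uid,
        'email' => $get($options['email_attr']),
    ];
}

/**
 * Decide what happens on login, following the "Autocreate accounts" and
 * "Update user info on login" options. $exists says whether ownCloud already
 * knows this uid.
 */
function loginAction(?array $user, bool $exists, array $options): string
{
    if ($user === null) {
        return 'deny';
    }
    if (!$exists) {
        return !empty($options['autocreate']) ? 'create' : 'deny';
    }
    return !empty($options['update_on_login']) ? 'update' : 'login';
}

// Constructed sample of what the SP might export for one session (not real data)
$env = [
    'shib_eppn'      => 'jdoe@example.org',
    'shib_givenName' => 'Jane',
    'shib_sn'        => 'Doe',
    'shib_mail'      => 'jane.doe@example.org',
];
$options = [
    'backend_active'   => true,
    'attribute_prefix' => 'shib_',
    'username_attr'    => 'eppn',
    'fullname_attr'    => 'displayName', // absent in the sample, so the fallback applies
    'firstname_attr'   => 'givenName',
    'surname_attr'     => 'sn',
    'email_attr'       => 'mail',
    'autocreate'       => true,
    'update_on_login'  => true,
];

$user = resolveShibUser($env, $options);
var_dump($user);
echo loginAction($user, false, $options), "\n"; // first login of an unknown uid
```

Running it with php on the command line shows the resolved user array and the action chosen for a first login; change `autocreate` to false in $options to see the same login refused instead of provisioned.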
Users are required to set a special password for the synchronization clients on their Personal page, under the Client login credentials section.