...

Demonstration 1: Integrated SAML with one IdP

Built-in SAML

https://cloud.looc.aarc.demo.university/nextcloud/index.php/

Configured using NextCloud's built-in SAML to connect to one IdP as if used by a single university or research community using a proxy IdP.

Keys were created using the Shibboleth SP keygen tool and pasted into the configuration form in NextCloud. The EPPN attribute (identified by its URN) was used as the NextCloud username.

NextCloud generated its own SP metadata, but its expiry date was only a few days out, so it was removed before the metadata was shared. Various combinations of encryption and signing can be set.

Demonstration 2: External authentication (SAML) plus LDAP

External SSO

https://cloud.aarc.federated-example.website/nextcloud/index.php/apps/files/

Configured to use a single IdP, using the external SSO plugin and a conventional Shibboleth SP. NextCloud was configured to search an LDAP directory for records matching the SAML-authenticated user's eduPersonPrincipalName. LDAP was also used to discover which groups a user is a member of; these groups can be used for access control.

Session lifespans for the external authentication service (Shibboleth SP) and NextCloud's own sessions can drift out of sync, and require some adjustment to work together consistently.
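The EPPN-to-LDAP step above, as an added example that is not part of the original page or of NextCloud's LDAP backend: the asserted EPPN is escaped before it is placed in a search filter, and a user is provisioned only when exactly one directory record matches. The directory snapshot and attribute names are constructed assumptions.

```python
"""Map a SAML-asserted eduPersonPrincipalName (EPPN) to an LDAP record and its
groups, as in the Demonstration 2 setup. Constructed example; the directory
contents and the objectClass used are assumptions, not the demo site's data."""


class NoUniqueMatch(Exception):
    """Raised when an EPPN matches zero or several directory records."""


# RFC 4515 escaping for values interpolated into an LDAP search filter. The EPPN
# arrives from the IdP assertion, so it is treated as untrusted before it reaches LDAP.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def eppn_filter(eppn: str) -> str:
    """Search filter the LDAP user backend would send for an authenticated EPPN."""
    return ("(&(objectClass=inetOrgPerson)"
            f"(eduPersonPrincipalName={escape_filter_value(eppn)}))")


# Constructed directory snapshot standing in for the LDAP server.
DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=example,dc=org",
     "eduPersonPrincipalName": "alice@example.org",
     "memberOf": ["cn=staff,ou=groups,dc=example,dc=org",
                  "cn=project-x,ou=groups,dc=example,dc=org"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=org",
     "eduPersonPrincipalName": "bob@example.org",
     "memberOf": ["cn=students,ou=groups,dc=example,dc=org"]},
]


def resolve_user(eppn: str, directory=DIRECTORY) -> dict:
    """Return the single record for this EPPN plus the CNs of its groups.

    Comparison is case-insensitive, mirroring the eduPerson schema's
    caseIgnoreMatch rule. Zero or several matches are refused: provisioning
    on an ambiguous lookup could let two identities share one NextCloud account.
    """
    wanted = eppn.casefold()
    matches = [e for e in directory
               if e["eduPersonPrincipalName"].casefold() == wanted]
    if len(matches) != 1:
        raise NoUniqueMatch(f"{len(matches)} records match {eppn!r}")
    entry = matches[0]
    groups = [dn.split(",", 1)[0].split("=", 1)[1] for dn in entry["memberOf"]]
    return {"dn": entry["dn"], "groups": groups}
```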

Demonstration 3: Integrated SAML with a federated IdP Proxy

Built-in

An Aside: Federated data storage

...

The External Storage plugin allows remote data storage to be used, including other NextCloud or OwnCloud services, Windows shares and NFS. 

Caveats

Speed

Collabora renders the document view by sending many tile-like images over the web as individual files, which is rather slow. Over a normal broadband internet connection the display is not quite fast enough to keep up with typing.

...