Merge pull request #2078 from nextcloud/wiswedel/encryptionIssueSAML

Drawbacks of SAML auth on server-side encryption and 2nd hand auth
Sascha Wiswedel
2020-05-15 10:37:24 +02:00
committed by GitHub
2 changed files with 11 additions and 7 deletions


@@ -38,6 +38,8 @@ Key type: user key
While the user key encryption has been enabled by default in older versions of Nextcloud it now has to be enabled explicitly in newer versions including Nextcloud 16 by calling ``./occ encryption:disable-master-key``. With user key encryption enabled all users have their own user keys that are used to secure the files handled by Nextcloud. The user keys are protected by the user passwords. The advantage is that the server administrator is not able to decrypt user files without knowing any user password - unless the file is publicly shared or a recovery key is defined - but has the disadvantage that files are permanently lost if the users forget their user passwords - unless the files are (publicly) shared or a recovery key is defined.
.. note:: This method cannot be used with SAML authentication, because Nextcloud does not get a hold of any credentials whatsoever and therefore cannot use any users' passwords for encryption.
.. _file_type_public_key_file_label:
File type: public key file
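Review bot: In the added ``.. note::``, "This method" is ambiguous because the preceding paragraph discusses both the master key (via ``./occ encryption:disable-master-key``) and user key encryption; name it explicitly, for example "User key encryption cannot be used with SAML authentication". The note also stops at the restriction without telling a SAML deployment what to do instead, so an administrator who has already run ``encryption:disable-master-key`` is left without guidance. Consider adding one sentence on the supported key type for SAML setups, and replacing "does not get a hold of any credentials whatsoever" with a plainer statement that Nextcloud never receives the user's password, since the password is what protects the user key according to the paragraph above.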


@@ -32,13 +32,15 @@ setup of the mount point.
The **Log-in credentials, save in session** mechanism uses the Nextcloud login
credentials of the user to connect to the storage. These are not stored anywhere
on the server, but rather in the user session, giving increased security. The
drawbacks are that sharing is disabled when this mechanism is in use, as
Nextcloud has no access to the storage credentials, and background file scanning
does not work. Desktop and mobile clients that use tokens to authenticate can
not access those shares. Other services that might request the file through
a different request like Collabora Online or OnlyOffice will also not be able to
open files in that case.
on the server, but rather in the user session, giving increased security.
This method has some important drawbacks, since Nextcloud has no access to the storage
credentials and therefore cannot perform any background tasks on the storage:
* Sharing is disabled
* Background file scanning does not work
* Desktop and mobile clients that use tokens to authenticate can not access those shares
* Other services that might request the file through a different request like Collabora Online or OnlyOffice will not be able to open files from that storage
* The method cannot be used with SAML authentication, because Nextcloud does not get a hold of any credentials whatsoever
The **Log-in credentials, save in database** mechanism uses the Nextcloud login
credentials of the user to connect to the storage. These are stored in the
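Review bot: The new lead-in sentence attributes every drawback to Nextcloud being unable to "perform any background tasks on the storage", but only the sharing and background-scanning bullets fit that cause. The bullets on token-based desktop and mobile clients, on Collabora Online or OnlyOffice, and on SAML describe requests where the user's login password is not present in the session at all, which is a different reason. Suggest rewording the lead-in to cover both cases, for example that the credentials exist only in a password-based login session and so are unavailable to background jobs and to any request that does not carry the password. Minor: "can not" should be "cannot", and the SAML bullet repeats the note added in the encryption document nearly verbatim, so a cross-reference between the two would keep them from drifting apart.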