immerda
Actually SAML auth seems to be supported and we identified the [root issue](https://github.com/jitsi/jitsi-meet-electron-utils/pull/81) to be CSP frame-ancestors headers set on the login page.
We actually have a patch that I would like to upstream, that supports multiple certificates for a SP. If you are interested I would start to try and somehow extract...
@jphenow ping :)
I am trying to follow what is happening here. If I understand you @summersab correctly, then `checkPassword` was never called without the SSO secret patch? Or in other words this...
Hey, thanks for the explanation. What I don't understand is what about the case where there is no idp secret? I mean that is going to be the most common...
Right, it would work, but it is equivalent to `return true` in that case. Maybe that's ok. And maybe it would even in the case the password is non-empty be...
I dug some more into this and indeed currently `checkPassword` is never called, because user_saml creates "passwordless tokens". The current implementation of `checkPassword` is completely bogus and can be changed...
> Without this fix in place, these two PRs don't quite work properly: We are in agreement here. But *without* the PRs you mention, the function is never called. >...
I tried this patch and there are currently some issues: The `UserBackend` is missing an `implements IProvideUserSecretBackend`. For that reason the secret is never requested by https://github.com/nextcloud/server/pull/27929/files#diff-b30a8c4cef5da5cede4d9038c16ede43e1746f85270e4249598fd305b0fa77deR182 The `getCurrentUserSecret` is...
For the record, here is my working version of the patch to UserBackend, which also requires the `IProvideUserSecretBackend::getCurrentUserSecret()` to be typed `?string` instead of `string`: ``` --- a/apps/user_saml/lib/UserBackend.php +++ b/apps/user_saml/lib/UserBackend.php...