
Update of User_saml app breaks user_saml #477

Open
LeonKNL opened this issue Nov 3, 2020 · 7 comments

Comments

@LeonKNL

LeonKNL commented Nov 3, 2020

Hello, I installed NC 19 with user_saml and LDAP backend, everything was working fine (was using Duo Access Gateway for SAML).

I just updated NC 19 -> NC 20 and SAML authentication is not working anymore.
I can use direct login, so that part works fine.

  • OS Ubuntu 18.04
  • mariadb
  • nginx
  • php 7.4

When I try logging in using SAML I get "Account not provisioned".
In the logs:

[user_saml] Fatal: No InResponseTo at the Response, but it was provided the requestId related to the AuthNRequest sent by the SP: ONELOGIN_e40f79f35f16d5ce674e5342399c0bf0..

POST /apps/user_saml/saml/acs
from <ip> at 2020-11-03T15:36:53+01:00

and:

[user_saml] Fatal: invalid_response

POST /apps/user_saml/saml/acs
from <ip> at 2020-11-03T15:36:53+01:00

I tried a fresh install on a new machine, same issue.

Any ideas?
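The fatal in the log above comes from the service-provider side check that binds a SAML Response to the AuthnRequest the SP sent: the SP remembers the request ID, and the IdP is expected to echo it in the Response's InResponseTo attribute. Below is a Python example, added here and not taken from user_saml or its php-saml dependency, of that check over constructed sample responses. It shows the three situations a practitioner runs into: the ID is echoed (accepted), the SP stored an ID but the Response carries none (the error reported in this issue), and an unsolicited IdP-initiated Response with nothing stored. Element and attribute names are from SAML 2.0 core; the request IDs and XML are made up, and the responses are unsigned because only the binding is being illustrated.

```python
"""InResponseTo validation for a SAML 2.0 Response.

Example added for this issue; it is not user_saml or php-saml code. Element
and attribute names come from SAML 2.0 core; the request IDs and XML below
are constructed."""
from typing import Optional, Tuple
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def check_in_response_to(response_xml: str,
                         stored_request_id: Optional[str]) -> Tuple[bool, str]:
    """Return (ok, reason) for the Response/AuthnRequest binding.

    stored_request_id is the AuthnRequest ID the SP saved in the session
    when it redirected the browser to the IdP; None means the SP sent no
    request (IdP-initiated SSO)."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError as exc:
        return False, f"unparseable response: {exc}"
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "root element is not samlp:Response"

    in_response_to = root.get("InResponseTo")

    if stored_request_id is None:
        # Nothing to bind to. A Response that claims to answer a request
        # the SP never sent is rejected; a plain unsolicited Response is
        # left to SP policy on IdP-initiated login.
        if in_response_to is not None:
            return False, "InResponseTo set but SP has no outstanding AuthnRequest"
        return True, "unsolicited Response (IdP-initiated SSO), no binding to check"

    if in_response_to is None:
        # The case in this report's log: the SP kept a requestId, the IdP did
        # not echo it. Accepting here would let a Response produced for a
        # different login (or for none) complete this one.
        return False, ("No InResponseTo at the Response, but the SP stored "
                       f"requestId {stored_request_id}")
    if in_response_to != stored_request_id:
        return False, "InResponseTo does not match the stored AuthnRequest ID"

    # The assertion's own binding must agree with the Response element.
    for scd in root.iter(f"{{{SAML}}}SubjectConfirmationData"):
        scd_irt = scd.get("InResponseTo")
        if scd_irt is not None and scd_irt != stored_request_id:
            return False, "SubjectConfirmationData/@InResponseTo mismatch"
    return True, "InResponseTo matches the stored AuthnRequest ID"


# Constructed sample data (IDs are made up, no signatures).
REQUEST_ID = "ONELOGIN_0123456789abcdef0123456789abcdef01234567"


def build_response(in_response_to: Optional[str]) -> str:
    """Minimal unsigned Response, with or without the InResponseTo binding."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_resp1" Version="2.0"{attr}>'
        '<saml:Assertion ID="_assert1" Version="2.0"><saml:Subject>'
        f'<saml:SubjectConfirmation><saml:SubjectConfirmationData{attr}/>'
        '</saml:SubjectConfirmation></saml:Subject></saml:Assertion>'
        '</samlp:Response>'
    )


SP_INITIATED = build_response(REQUEST_ID)   # IdP echoed the request ID
IDP_INITIATED = build_response(None)        # no InResponseTo at all

if __name__ == "__main__":
    cases = [
        ("SP-initiated, ID echoed", SP_INITIATED, REQUEST_ID),
        ("SP stored an ID, IdP omitted it (this issue)", IDP_INITIATED, REQUEST_ID),
        ("IdP-initiated, nothing stored", IDP_INITIATED, None),
    ]
    for label, xml, stored in cases:
        print(f"{label}: {check_in_response_to(xml, stored)}")
```

The second case is the one the log shows: whether the SP should still hold a request ID at that moment (SP-initiated login) or not (IdP-initiated login) is exactly what to compare between the working 3.1.2 setup and the failing one.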

@syncopsta

Same problem and error messages on Debian 10.5, PHP 7.3.19 with Apache2. With Nextcloud 19 and 20.

@LeonKNL
Author

LeonKNL commented Nov 9, 2020

I uninstalled user_saml and installed version 3.1.2, now everything works again: https://github.com/nextcloud/user_saml/releases/download/v3.1.2/user_saml-3.1.2.tar.gz

@LeonKNL
Author

LeonKNL commented Nov 11, 2020

Changed the title, NC 20 does not seem to have anything to do with it, more likely the user_saml update, as 3.1.2 works just fine.

LeonKNL changed the title from "Upgrade to NC20 breaks user_saml" to "Update of User_saml app breaks user_saml" on Nov 11, 2020
@blizzz
Member

blizzz commented Nov 11, 2020

Please provide configs and log files (while loglevel was set to 0 in config.php). I cannot reproduce any issues.

@LeonKNL
Author

LeonKNL commented Nov 12, 2020

{"reqId":"awBtSrqpeOBx5nnfxQGK","level":0,"time":"2020-11-12T12:25:06+01:00","remoteAddr":"","user":"--","app":"serverDI","method":"POST","url":"/apps/user_saml/saml/acs","message":"The requested alias "ControllerMethodReflector" is depreacted. Please request "OCP\AppFramework\Utility\IControllerMethodReflector" directly. This alias will be removed in a future Nextcloud version.","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0","version":"20.0.1.1"}
{"reqId":"awBtSrqpeOBx5nnfxQGK","level":0,"time":"2020-11-12T12:25:06+01:00","remoteAddr":"","user":"--","app":"user_saml","method":"POST","url":"/apps/user_saml/saml/acs","message":"Attributes send by the IDP: []","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0","version":"20.0.1.1"}
{"reqId":"awBtSrqpeOBx5nnfxQGK","level":4,"time":"2020-11-12T12:25:06+01:00","remoteAddr":"","user":"--","app":"user_saml","method":"POST","url":"/apps/user_saml/saml/acs","message":"invalid_response","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0","version":"20.0.1.1"}
{"reqId":"awBtSrqpeOBx5nnfxQGK","level":4,"time":"2020-11-12T12:25:06+01:00","remoteAddr":"","user":"--","app":"user_saml","method":"POST","url":"/apps/user_saml/saml/acs","message":"No InResponseTo at the Response, but it was provided the requestId related to the AuthNRequest sent by the SP: ONELOGIN_2d62f66943744b41d72c8bd9c5aa5c09f78dad8a","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0","version":"20.0.1.1"}
{"reqId":"awBtSrqpeOBx5nnfxQGK","level":1,"time":"2020-11-12T12:25:06+01:00","remoteAddr":"","user":"--","app":"user_saml","method":"POST","url":"/apps/user_saml/saml/acs","message":"Auth failed","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0","version":"20.0.1.1"}
{"reqId":"dPGQVZvv6eftFBmxgKEk","level":0,"time":"2020-11-12T12:25:06+01:00","remoteAddr":"","user":"--","app":"user_saml","method":"GET","url":"/apps/user_saml/saml/notProvisioned","message":"/appinfo/app.php is deprecated, use \OCP\AppFramework\Bootstrap\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0","version":"20.0.1.1"}
{"reqId":"dPGQVZvv6eftFBmxgKEk","level":0,"time":"2020-11-12T12:25:06+01:00","remoteAddr":"","user":"--","app":"serverDI","method":"GET","url":"/apps/user_saml/saml/notProvisioned","message":"The requested alias "ControllerMethodReflector" is depreacted. Please request "OCP\AppFramework\Utility\IControllerMethodReflector" directly. This alias will be removed in a future Nextcloud version.","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0","version":"20.0.1.1"}
{"reqId":"dPGQVZvv6eftFBmxgKEk","level":0,"time":"2020-11-12T12:25:06+01:00","remoteAddr":"","user":"--","app":"scss_cacher","method":"GET","url":"/apps/user_saml/saml/notProvisioned","message":"SCSSCacher::process ordinary check follows","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0","version":"20.0.1.1"}
{"reqId":"dPGQVZvv6eftFBmxgKEk","level":0,"time":"2020-11-12T12:25:06+01:00","remoteAddr":"","user":"--","app":"scss_cacher","method":"GET","url":"/apps/user_saml/saml/notProvisioned","message":"SCSSCacher::process ordinary check follows","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0","version":"20.0.1.1"}

config.php:

<?php
$CONFIG = array (
  'instanceid' => '',
  'passwordsalt' => '',
  'secret' => '',
  'trusted_domains' =>
  array (
    0 => '',
  ),
  'datadirectory' => '/var/nc_data',
  'dbtype' => 'mysql',
  'version' => '20.0.1.1',
  'overwrite.cli.url' => '',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:/var/run/mysqld/mysqld.sock',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => '',
  'dbpassword' => '',
  'installed' => true,
  'activity_expire_days' => 14,
  'auth.bruteforce.protection.enabled' => true,
  'blacklisted_files' =>
  array (
    0 => '.htaccess',
    1 => 'Thumbs.db',
    2 => 'thumbs.db',
  ),
  'cron_log' => true,
  'enable_previews' => true,
  'enabledPreviewProviders' =>
  array (
    0 => 'OC\Preview\PNG',
    1 => 'OC\Preview\JPEG',
    2 => 'OC\Preview\GIF',
    3 => 'OC\Preview\BMP',
    4 => 'OC\Preview\XBitmap',
    5 => 'OC\Preview\Movie',
    6 => 'OC\Preview\PDF',
    7 => 'OC\Preview\MP3',
    8 => 'OC\Preview\TXT',
    9 => 'OC\Preview\MarkDown',
  ),
  'filesystem_check_changes' => 0,
  'filelocking.enabled' => 'true',
  'htaccess.RewriteBase' => '/',
  'integrity.check.disabled' => false,
  'knowledgebaseenabled' => false,
  'logfile' => '/var/nc_data/nextcloud.log',
  'loglevel' => 2,
  'logtimezone' => 'Europe/Amsterdam',
  'log_rotate_size' => 104857600,
  'maintenance' => false,
  'memcache.local' => '\OC\Memcache\APCu',
  'memcache.locking' => '\OC\Memcache\Redis',
  'overwriteprotocol' => 'https',
  'preview_max_x' => 1024,
  'preview_max_y' => 768,
  'preview_max_scale_factor' => 1,
  'redis' =>
  array (
    'host' => '/var/run/redis/redis-server.sock',
    'port' => 0,
    'timeout' => 0.0,
  ),
  'quota_include_external_storage' => false,
  'share_folder' => '/Shares',
  'skeletondirectory' => '',
  'theme' => '',
  'trashbin_retention_obligation' => 'auto, 7',
  'updater.release.channel' => 'stable',
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => 'OCA\User_LDAP\LDAPProviderFactory',
  'app_install_overwrite' =>
  array (
    0 => 'user_saml',
  ),
);

I have a Duo Access Gateway in place; IdP settings:

identity: https://<fqdn of Duo Access Gateway>/dag/saml2/idp/metadata.php
auth-request: https://<fqdn of DAG>/dag/saml2/idp/SSOService.php?spentityid=https%3A%2F%2F<nextcloud url>%2Fapps%2Fuser_saml%2Fsaml%2Fmetadata

and the certificate of the Duo Access Gateway.
If you need more info about the Duo Access Gateway appliance or the Duo application, please let me know; I can send you details by mail.
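The log excerpt above is Nextcloud's JSON-lines format at loglevel 0, and the useful signal is spread over several lines that share one reqId: the debug line with the attributes the IdP sent, the two fatal lines (invalid_response and the InResponseTo message) and the "Auth failed" line. The following Python example, added here and not Nextcloud or user_saml code, groups such lines by reqId and reports the ACS POSTs that failed, together with whether the IdP asserted an empty attribute set. The field names (reqId, level, method, url, message) are those of the posted log; the sample lines are constructed and loosely modelled on the ones above, with the request ID replaced by a placeholder.

```python
"""Correlate Nextcloud JSON log lines by reqId and summarise failed SAML
ACS requests.

Example added for this issue; it is not Nextcloud or user_saml code. The
field names (reqId, level, method, url, message) are those of Nextcloud's
JSON log; the sample lines are constructed, loosely modelled on the ones
posted in the issue, with the request ID replaced by a placeholder."""
import json
from collections import defaultdict
from typing import Dict, List, Tuple

ACS_PATH = "/apps/user_saml/saml/acs"
ERROR_LEVEL = 3  # Nextcloud loglevel: 0 debug, 1 info, 2 warning, 3 error, 4 fatal
ATTR_PREFIX = "Attributes send by the IDP: "  # message text as logged by user_saml

# Constructed sample log (raw string so the escaped quotes stay valid JSON).
SAMPLE_LOG = r"""
{"reqId":"req-A","level":0,"time":"2020-11-12T12:25:06+01:00","user":"--","app":"user_saml","method":"POST","url":"/apps/user_saml/saml/acs","message":"Attributes send by the IDP: []"}
{"reqId":"req-A","level":4,"time":"2020-11-12T12:25:06+01:00","user":"--","app":"user_saml","method":"POST","url":"/apps/user_saml/saml/acs","message":"invalid_response"}
{"reqId":"req-A","level":4,"time":"2020-11-12T12:25:06+01:00","user":"--","app":"user_saml","method":"POST","url":"/apps/user_saml/saml/acs","message":"No InResponseTo at the Response, but it was provided the requestId related to the AuthNRequest sent by the SP: ONELOGIN_PLACEHOLDER_ID"}
{"reqId":"req-A","level":1,"time":"2020-11-12T12:25:06+01:00","user":"--","app":"user_saml","method":"POST","url":"/apps/user_saml/saml/acs","message":"Auth failed"}
{"reqId":"req-B","level":0,"time":"2020-11-12T12:30:00+01:00","user":"--","app":"user_saml","method":"POST","url":"/apps/user_saml/saml/acs","message":"Attributes send by the IDP: {\"uid\":[\"alice\"]}"}
{"reqId":"req-C","level":4,"time":"2020-11-12T12:31:00+01:00","user":"alice","app":"files","method":"GET","url":"/apps/files","message":"unrelated error"}
this line is not JSON
""".strip()


def summarise_acs_failures(log_text: str) -> Tuple[Dict[str, dict], int]:
    """Return ({reqId: {"errors": [...], "attributes_empty": bool}}, skipped).

    Only requests that POSTed to the ACS endpoint and logged at ERROR_LEVEL
    or above are reported. attributes_empty is True when the debug line
    shows the IdP asserted no attributes, a second thing to check once the
    response itself validates. skipped counts unparseable lines."""
    by_req: Dict[str, List[dict]] = defaultdict(list)
    skipped = 0
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            skipped += 1
            continue
        by_req[str(entry.get("reqId", "?"))].append(entry)

    failures: Dict[str, dict] = {}
    for req_id, entries in by_req.items():
        hits_acs = any(e.get("method") == "POST" and e.get("url") == ACS_PATH
                       for e in entries)
        if not hits_acs:
            continue  # not a SAML assertion-consumer request
        errors = [e["message"] for e in entries
                  if isinstance(e.get("level"), int) and e["level"] >= ERROR_LEVEL
                  and "message" in e]
        if not errors:
            continue  # the login on this request did not fail
        attributes_empty = any(
            e.get("message", "").startswith(ATTR_PREFIX)
            and e["message"][len(ATTR_PREFIX):].strip() == "[]"
            for e in entries)
        failures[req_id] = {"errors": errors, "attributes_empty": attributes_empty}
    return failures, skipped


if __name__ == "__main__":
    found, skipped = summarise_acs_failures(SAMPLE_LOG)
    for req_id, info in found.items():
        print(req_id, info)
    print(f"skipped {skipped} unparseable line(s)")
```

Run against the real nextcloud.log (after setting loglevel to 0 as blizzz asks), this separates the SAML failures from the unrelated deprecation and SCSS-cacher noise that shares the same timestamps.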

@markrattray

markrattray commented Nov 12, 2021

We have PingFederate and confirm that reverting to 3.1.2 also solves our issue. Thanks for figuring this out!

Clutching at straws, but I see the user_saml metadata has <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:entity</md:NameIDFormat>, but we cannot use SAML_SUBJECT for some reason, which has this format, so we mapped another attribute with urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified + v3.1.2 works.

@MushroomSquad

MushroomSquad commented Aug 11, 2022

Have the same problem:
user_saml - v5.0.2
nextcloud - v23.0.2
keycloak - v19.0.0
