ADFS + SSO does not work
Steps to reproduce
- upgrade Nextcloud from 14.0.3 to 15.0.2
- install the SSO&SAML 2.1
- configure the settings
Expected behaviour
Tell us what should happen
Actual behaviour
There is an error in the log, shown below:
[index] Error: OneLogin\Saml2\Error: Invalid array settings: idp_cert_or_fingerprint_not_found_and_required at <<closure>>
0. /var/www/nextcloud/apps/user_saml/lib/Controller/SAMLController.php line 219
__construct({strict: true,de ... }})
1. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 166
getMetadata(null)
2. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 99
executeController(OCA\User_SAML\Co ... {}, "getMetadata")
3. /var/www/nextcloud/lib/private/AppFramework/App.php line 118
dispatch(OCA\User_SAML\Co ... {}, "getMetadata")
4. /var/www/nextcloud/lib/private/AppFramework/Routing/RouteActionHandler.php line 47
main("OCA\\User_SAML\ ... r", "getMetadata", OC\AppFramework\ ... {}, {_route: "user_saml.SAML.getMetadata"})
5. <<closure>>
__invoke({_route: "user_saml.SAML.getMetadata"})
6. /var/www/nextcloud/lib/private/Route/Router.php line 297
call_user_func(OC\AppFramework\ ... {}, {_route: "user_saml.SAML.getMetadata"})
7. /var/www/nextcloud/lib/base.php line 987
match("/apps/user_saml/saml/metadata")
8. /var/www/nextcloud/index.php line 42
handleRequest()
GET /apps/user_saml/saml/metadata
Server configuration
Operating system: Ubuntu 16.0.4
Web server: Apache2
Database: Type: mysql Version: 10.2.12
PHP version: Version: 7.0.32
Nextcloud version: (see Nextcloud admin page) Nextcloud Version : 15.0.2
Where did you install Nextcloud from: direct updater
List of activated apps:
Enabled:
- accessibility: 1.1.0
- activity: 2.8.2
- admin_audit: 1.5.0
- calendar: 1.6.4
- cloud_federation_api: 0.1.0
- comments: 1.5.0
- contacts: 3.0.2
- dav: 1.8.1
- federatedfilesharing: 1.5.0
- federation: 1.5.0
- files: 1.10.0
- files_external: 1.6.0
- files_pdfviewer: 1.4.0
- files_rightclick: 0.10.2
- files_sharing: 1.7.0
- files_texteditor: 2.7.0
- files_trashbin: 1.5.0
- files_versions: 1.8.0
- files_videoplayer: 1.4.0
- firstrunwizard: 2.4.0
- gallery: 18.2.0
- logreader: 2.0.0
- lookup_server_connector: 1.3.0
- nextcloud_announcements: 1.4.0
- notifications: 2.3.0
- oauth2: 1.3.0
- onlyoffice: 2.1.2
- ownbackup: 18.11.0
- password_policy: 1.5.0
- previewgenerator: 2.0.0
- provisioning_api: 1.5.0
- serverinfo: 1.5.0
- sharebymail: 1.5.0
- socialsharing_email: 1.0.5
- support: 1.0.0
- survey_client: 1.3.0
- systemtags: 1.5.0
- tasks: 0.9.8
- theming: 1.6.0
- twofactor_backupcodes: 1.4.1
- unsplash: 1.1.3
- updatenotification: 1.5.0
- user_ldap: 1.5.0
- user_saml: 2.1.0
- workflowengine: 1.5.0
Disabled:
- encryption
- files_retention
- ransomware_protection
- spreed
- spreedme
Nextcloud configuration:
{
  "system": {
    "passwordsalt": "REMOVED SENSITIVE VALUE",
    "secret": "REMOVED SENSITIVE VALUE",
    "trusted_domains": [
      "localhost",
      "192.168.1.18",
      "nextcloud.xxxxxxx.com",
      "nextcloud.xxxxxxx.com"
    ],
    "datadirectory": "REMOVED SENSITIVE VALUE",
    "overwrite.cli.url": "https://nextcloud.xxxxxxx.com/",
    "dbtype": "mysql",
    "version": "15.0.2.0",
    "dbname": "REMOVED SENSITIVE VALUE",
    "dbhost": "REMOVED SENSITIVE VALUE",
    "dbport": "",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "REMOVED SENSITIVE VALUE",
    "dbpassword": "REMOVED SENSITIVE VALUE",
    "installed": true,
    "instanceid": "REMOVED SENSITIVE VALUE",
    "maintenance": false,
    "mail_smtpmode": "smtp",
    "memcache.local": "\OC\Memcache\Redis",
    "filelocking.enabled": true,
    "memcache.distributed": "\OC\Memcache\Redis",
    "memcache.locking": "\OC\Memcache\Redis",
    "redis": {
      "host": "REMOVED SENSITIVE VALUE",
      "port": 0,
      "timeout": 0,
      "dbindex": 0,
      "password": "REMOVED SENSITIVE VALUE"
    },
    "htaccess.RewriteBase": "/",
    "ldapIgnoreNamingRules": false,
    "ldapProviderFactory": "\OCA\User_LDAP\LDAPProviderFactory",
    "mail_from_address": "REMOVED SENSITIVE VALUE",
    "mail_domain": "REMOVED SENSITIVE VALUE",
    "mail_smtphost": "REMOVED SENSITIVE VALUE",
    "mail_smtpport": "2828",
    "theme": "",
    "loglevel": 2,
    "onlyoffice": {
      "verify_peer_off": true
    },
    "mail_smtpauthtype": "LOGIN",
    "trashbin_retention_obligation": "7,auto",
    "updater.secret": "REMOVED SENSITIVE VALUE"
  }
}
Client configuration
Browser: Chrome Version 71.0.3578.98
Operating system: Windows7
Nextcloud log (data/owncloud.log)

idp_cert_or_fingerprint_not_found_and_required
Click on "Show optional Identity Provider settings"; I think you can add an IdP cert there.
+1, same issue using Keycloak; the IdP cert is set correctly.
After several tests, it turns out that multiple federation is a problem: the request sent to the back does not contain the configuration index.
I am getting the same error, with the latest Nextcloud and app version:
Mar 11 12:16:03 {"reqId":"s8xW1imiuxFgRdzZp3Ql","level":3,"time":"2022-03-11T11:16:03+00:00","remoteAddr":"151.26.183.239","user":"admin","app":"index","method":"GET","url":"/apps/user_saml/saml/metadata?idp=","message":"{\"Exception\":\"OneLogin\\\\Saml2\\\\Error\",\"Message\":\"Invalid array settings: idp_sso_url_invalid, idp_cert_or_fingerprint_not_found_and_required\",\"Code\":2,\"Trace\":[{\"file\":\"/var/www/html/custom_apps/user_saml/lib/Controller/SAMLController.php\",\"line\":247,\"function\":\"__construct\",\"class\":\"OneLogin\\\\Saml2\\\\Settings\",\"type\":\"->\",\"args\":[{\"strict\":true,\"debug\":false,\"baseurl\":\"https://domain/apps/user_saml/saml\",\"security\":{\"nameIdEncrypted\":false,\"authnRequestsSigned\":false,\"logoutRequestSigned\":false,\"logoutResponseSigned\":false,\"signMetadata\":false,\"0\":\"And 9 more entries, set log level to debug to see all entries\"},\"sp\":{\"entityId\":\"https://domain/apps/user_saml/saml/metadata\",\"assertionConsumerService\":{\"url\":\"https://domain/apps/user_saml/saml/acs\"},\"NameIDFormat\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\"},\"0\":\"And 1 more entries, set log level to debug to see all entries\"}]},{\"file\":\"/var/www/html/lib/private/AppFramework/Http/Dispatcher.php\",\"line\":217,\"function\":\"getMetadata\",\"class\":\"OCA\\\\User_SAML\\\\Controller\\\\SAMLController\",\"type\":\"->\",\"args\":[0]},{\"file\":\"/var/www/html/lib/private/AppFramework/Http/Dispatcher.php\",\"line\":126,\"function\":\"executeController\",\"class\":\"OC\\\\AppFramework\\\\Http\\\\Dispatcher\",\"type\":\"->\",\"args\":[{\"__class__\":\"OCA\\\\User_SAML\\\\Controller\\\\SAMLController\"},\"getMetadata\"]},{\"file\":\"/var/www/html/lib/private/AppFramework/App.php\",\"line\":157,\"function\":\"dispatch\",\"class\":\"OC\\\\AppFramework\\\\Http\\\\Dispatcher\",\"type\":\"->\",\"args\":[{\"__class__\":\"OCA\\\\User_SAML\\\\Controller\\\\SAMLController\"},\"getMetadata\"]},{\"file\":\"/var/www/html/lib/private/Route/Router.php\",\"line\":302,\"function\":\"main\",\"class\":\"OC\\\\AppFramework\\\\App\",\"type\":\"::\",\"args\":[\"OCA\\\\User_SAML\\\\Controller\\\\SAMLController\",\"getMetadata\",{\"__class__\":\"OC\\\\AppFramework\\\\DependencyInjection\\\\DIContainer\"},{\"_route\":\"user_saml.SAML.getMetadata\"}]},{\"file\":\"/var/www/html/lib/base.php\",\"line\":1006,\"function\":\"match\",\"class\":\"OC\\\\Route\\\\Router\",\"type\":\"->\",\"args\":[\"/apps/user_saml/saml/metadata\"]},{\"file\":\"/var/www/html/index.php\",\"line\":36,\"function\":\"handleRequest\",\"class\":\"OC\",\"type\":\"::\",\"args\":[]}],\"File\":\"/var/www/html/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Settings.php\",\"Line\":141,\"CustomMessage\":\"--\"}","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0","version":"23.0.2.1"}
But I don't get any error in Nextcloud or in the backend; I had to ask for the logs...
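A triage helper for the log entry quoted above, added here as an example (not code from Nextcloud, user_saml or any participant in this thread): it extracts the OneLogin settings error codes from a Nextcloud JSON log line and reports whether the `idp` query parameter arrived empty. It assumes `idp` carries the configuration index mentioned earlier in the thread; the function name and the sample line are constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

SETTINGS_ERROR = re.compile(r"Invalid array settings: (.+)")

# Constructed sample, shaped like the entry quoted above (trace omitted).
SAMPLE = "Mar 11 12:16:03 " + json.dumps({
    "reqId": "constructed-req-1", "level": 3, "app": "index", "method": "GET",
    "url": "/apps/user_saml/saml/metadata?idp=",
    "message": json.dumps({
        "Exception": "OneLogin\\Saml2\\Error",
        "Message": "Invalid array settings: idp_sso_url_invalid, "
                   "idp_cert_or_fingerprint_not_found_and_required",
        "Code": 2,
    }),
})


def triage_saml_log_line(line):
    """Summarise a OneLogin settings error; return None for any other line."""
    start = line.find("{")  # skip a syslog-style prefix such as "Mar 11 12:16:03 "
    if start < 0:
        return None
    try:
        entry = json.loads(line[start:])
        inner = json.loads(entry["message"])  # the exception is JSON nested in a string
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(inner, dict) or inner.get("Exception") != "OneLogin\\Saml2\\Error":
        return None
    match = SETTINGS_ERROR.search(str(inner.get("Message", "")))
    if not match:
        return None
    query = parse_qs(urlsplit(entry.get("url", "")).query, keep_blank_values=True)
    idp = query.get("idp", [None])[0]  # None: parameter absent, "": sent empty
    return {
        "reqId": entry.get("reqId"),
        "url": entry.get("url"),
        "error_codes": [code.strip() for code in match.group(1).split(",")],
        "idp_param": idp,
        "idp_index_missing": idp in (None, ""),
    }


if __name__ == "__main__":
    print(triage_saml_log_line(SAMPLE))
```

When `idp_index_missing` is true alongside `idp_*_not_found` codes, the settings object was built without a selected provider configuration, which points at the request rather than at the saved IdP values.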
So I am getting now with the latest update:
Invalid array settings: idp_entityId_not_found, idp_sso_not_found, idp_cert_or_fingerprint_not_found_and_required
But as you can see the settings are there:

On SimpleSAML server I get the request:
Sep 07 11:17:39 simplesamlphp NOTICE STAT [220afa0b82] saml20-idp-SSO-first https://domain/apps/user_saml/saml/metadata https://login.server/saml2/idp/metadata.php NA
Sep 07 11:17:39 simplesamlphp NOTICE STAT [220afa0b82] saml20-idp-SSO https://domain/apps/user_saml/saml/metadata https://login.server/saml2/idp/metadata.php NA
So the parameters are saved and used by the app but on the onelogin https://github.com/nextcloud/user_saml/blob/d9344081b773aca8faecb5f35122fdcb90bbb648/3rdparty/vendor/onelogin/php-saml/src/Saml2/Settings.php#L514 doesn't seem at all.
The other settings that can help on fixing it...

@blizzz is there something I can do to help debug this issue?
Just a ping about this annoying issue...
Another ping @blizzz
try https://github.com/nextcloud/user_saml/pull/656
In my tests the issue was a completely different one, as it doesn't happen in the backend interface on the settings like in the ticket I did with the PR. Also, in our Nextcloud instance we don't have SSH access to update an application to a specific commit, but only application updates, and the latest one is before the fix you shared, so we are blocked...
I tested with the new latest app version but the login is still not working...