Error: Account not provisioned - cannot login after update to version 7.0.0 or 7.1.0

Open pelzvieh opened this issue 5 months ago • 7 comments

Steps to reproduce

  1. Set up Nextcloud with user_saml
  2. Upgrade user_saml to version 7.0.0

Expected behaviour

SAML-authenticated users are still able to log in

Actual behaviour

Generic error message "Account not provisioned" is appearing

Server configuration

Web server: Apache

Database: Maria

PHP version: 8.4

Nextcloud version: 31.0.8

List of activated apps
  - activity: 4.0.0
  - admin_audit: 1.21.0
  - app_api: 5.0.2
  - bruteforcesettings: 4.0.0
  - calendar: 5.3.9
  - circles: 31.0.0
  - cloud_federation_api: 1.14.0
  - comments: 1.21.0
  - contacts: 7.2.5
  - contactsinteraction: 1.12.0
  - dashboard: 7.11.0
  - dav: 1.33.0
  - deck: 1.15.2
  - federatedfilesharing: 1.21.0
  - federation: 1.21.0
  - files: 2.3.1
  - files_downloadlimit: 4.0.0
  - files_external: 1.23.0
  - files_pdfviewer: 4.0.0
  - files_reminders: 1.4.0
  - files_sharing: 1.23.1
  - files_trashbin: 1.21.0
  - files_versions: 1.24.0
  - fileslibreofficeedit: 2.0.1
  - firstrunwizard: 4.0.0
  - forms: 5.1.2
  - groupfolders: 19.1.3
  - logreader: 4.0.0
  - lookup_server_connector: 1.19.0
  - mail: 5.3.0
  - memories: 7.6.2
  - nextcloud_announcements: 3.0.0
  - notes: 4.12.3
  - notifications: 4.0.0
  - oauth2: 1.19.1
  - photos: 4.0.0
  - privacy: 3.0.0
  - profile: 1.0.0
  - provisioning_api: 1.21.0
  - recognize: 9.0.3
  - recommendations: 4.0.0
  - related_resources: 2.0.0
  - serverinfo: 3.0.0
  - settings: 1.14.0
  - sharebymail: 1.21.0
  - support: 3.0.0
  - survey_client: 3.0.0
  - systemtags: 1.21.1
  - tasks: 0.16.1
  - text: 5.0.0
  - theming: 2.6.1
  - twofactor_backupcodes: 1.20.0
  - updatenotification: 1.21.0
  - uppush: 2.3.0
  - user_ldap: 1.22.0
  - user_saml: 7.0.0
  - user_status: 1.11.0
  - viewer: 4.0.0
  - weather_status: 1.11.0
  - webhook_listeners: 1.2.0
  - workflowengine: 2.13.0
Server log
Aug 20 19:13:26 nextcloud Nextcloud[95504]: {"reqId":"REMOVED","level":3,"time":"2025-08-20T17:13:26+00:00","remoteAddr":"REMOVED","user":"--","app":"user_saml","method":"POST","url":"/nextcloud/index.php/apps/user_saml/saml/acs","message":"The response was received at https://somehost/nextcloud/index.php/apps/user_saml/saml/index.php/apps/user_saml/saml/acs instead of https://somehost/nextcloud/index.php/apps/user_saml/saml/acs","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0","version":"31.0.8.1","data":{"app":"user_saml"}}

Browser

Browser name: Firefox, Safari, TorBrowser

Browser version: (various)

Operating system: macOS

Fixes for me
# diff vendor/onelogin/php-saml/src/Saml2/Utils.php.orig vendor/onelogin/php-saml/src/Saml2/Utils.php
659c659
<         $infoWithBaseURLPath = self::buildWithBaseURLPath($route);
---
>         $infoWithBaseURLPath = self::getBaseURLPath($route);
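
Review bot: the replacement at line 659 still passes `$route` to `getBaseURLPath`, which by its name is a getter, so the request route may no longer take part in building the URL that the logged check compares against the expected ACS address; confirm that the destination check still validates where the response was actually received rather than comparing a constant with itself. The result is still assigned to `$infoWithBaseURLPath`, a name that no longer describes the value. The edit is also made in place under `vendor/onelogin/php-saml/`, so any app update replaces the file; carry it as a tracked patch or get the fix into the library itself.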

pelzvieh avatar Aug 20 '25 21:08 pelzvieh

Can confirm this happening for our instance (31.0.7) as well. The 7.0.0 update made the app non-functional with the same symptoms.

The provided fix works and we applied it manually to restore functionality. Thanks a lot for figuring it out!

LMonert avatar Aug 26 '25 12:08 LMonert

I too can confirm that user_saml is currently broken. I've also applied your patch and it works again. Thanks.

AKRyt avatar Oct 06 '25 09:10 AKRyt

The same problem occurs with 7.1.0; same fix is working for me.

pelzvieh avatar Nov 12 '25 18:11 pelzvieh

Nothing related in this regard has changed within 7.0.0 or 7.1.0 on our side. Auto-tests also continue to work correctly as well as any other configuration I was looking at.

# diff vendor/onelogin/php-saml/src/Saml2/Utils.php.orig vendor/onelogin/php-saml/src/Saml2/Utils.php

This is related to the library we are using, https://github.com/SAML-Toolkits/php-saml/

Could it be related to https://github.com/SAML-Toolkits/php-saml/issues/629 ?

You have to have something in your setup/configuration that leads to this situation (not saying it is your fault, I am not making any conclusions at this time).

blizzz avatar Nov 12 '25 21:11 blizzz

It appears that this is indeed the same problem. It seems that any installation is affected where Nextcloud is on a path on a reverse proxy: https://somehost/nextcloud/ in my log. Surprisingly, the validation error is not related to that path, but the received request is built to a string that duplicates the relative path within the Nextcloud installation (apps/user_saml/saml/index.php/apps/user_saml/saml in my log). Therefore definitely a coding error.

pelzvieh avatar Nov 14 '25 19:11 pelzvieh
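
A triage sketch for the log message in this report, added here as an example and not part of the issue or of user_saml/php-saml: it separates the duplicated-path symptom described above from a destination mismatch on a different origin or path, which deserves a closer look. The function names and the trimmed sample line are constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# Message wording taken from the server log quoted in this issue.
MISMATCH = re.compile(r"The response was received at (\S+) instead of (\S+)")

# Constructed sample, trimmed from the log line in the report (host is a placeholder).
SAMPLE = (
    'Aug 20 19:13:26 nextcloud Nextcloud[95504]: {"level":3,"app":"user_saml",'
    '"url":"/nextcloud/index.php/apps/user_saml/saml/acs","message":"The response '
    'was received at https://somehost/nextcloud/index.php/apps/user_saml/saml/'
    'index.php/apps/user_saml/saml/acs instead of '
    'https://somehost/nextcloud/index.php/apps/user_saml/saml/acs"}'
)

def is_duplicated(received_path, expected_path):
    """True if received == expected[:k] + expected[j:] with j < k (a repeated run)."""
    r, e = ([s for s in p.split("/") if s] for p in (received_path, expected_path))
    if len(r) <= len(e):
        return False
    for k in range(1, len(e) + 1):
        j = k + len(e) - len(r)  # forces len(e[:k] + e[j:]) == len(r)
        if j >= 0 and r == e[:k] + e[j:]:
            return True
    return False

def classify(line):
    """Return 'origin-mismatch', 'path-duplication', 'path-mismatch' or None."""
    start = line.find("{")  # skip the syslog prefix in front of the JSON record
    if start < 0:
        return None
    try:
        record = json.loads(line[start:])
    except json.JSONDecodeError:
        return None
    m = MISMATCH.search(str(record.get("message", "")))
    if record.get("app") != "user_saml" or not m:
        return None
    received, expected = urlsplit(m.group(1)), urlsplit(m.group(2))
    if (received.scheme, received.netloc) != (expected.scheme, expected.netloc):
        return "origin-mismatch"  # response addressed to another host or scheme
    if is_duplicated(received.path, expected.path):
        return "path-duplication"  # the symptom reported in this issue
    return "path-mismatch"
```
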

Can confirm this still happening as before. The upgrade to 7.1 happened automatically and effectively deleted the fix described above which we applied manually. How can we accelerate the fix? Is this something that has to be handled upstream as this is some external module? It's troubling that this app currently does not work with path-based setups.

LMonert avatar Nov 18 '25 16:11 LMonert

Yes, it is an upstream issue, as confirmed above.

blizzz avatar Nov 20 '25 17:11 blizzz