Nextcloud version: 25.0.6
Operating system and version: Ubuntu 22.04
nginx version: 1.18.0
PHP version: 8.1
Is this the first time you’ve seen this error? (Y):
Steps to replicate it:
- Login using LDAPUser
- Connects fine
- Go into apps and enable User_SAML
- Connect to NextCloud and get forwarded to IDP for login
- Login using same account
- Get error: Account not provisioned. Your account is not provisioned, access to this service is thus not possible.
The output of your Nextcloud log in Admin > Logging:
IDP parameter for the UID not found. Possible parameters are: []
SSO & SAML authentication not working using Microsoft AD FS 2022 IdP. LDAP authentication works correctly.
Error when logging in: Account not provisioned.
In Chrome Developer Tools, the following SAMLResponse data:
<samlp:Response ID="_5cb7817a-ee03-4190-b4e5-ac1e30cc35d1" Version="2.0" IssueInstant="2023-05-11T03:05:10.623Z" Destination="https://nextcloud/index.php/apps/user_saml/saml/acs" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="ONELOGIN_ad6a24cdd9f93643a669696bb15791d1d705f8fb" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://ADFS/adfs/services/trust</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<Assertion ID="_8540e7de-978b-42ba-95c3-ec477acca4c3" IssueInstant="2023-05-11T03:05:10.623Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>http://ADFS/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_8540e7de-978b-42ba-95c3-ec477acca4c3">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>EcuCsu6mbeXLd25n5DAmY6+gGsKuRJuxmqbnngeccL8=</ds:DigestValue>
</ds:Reference></ds:SignedInfo>
<ds:SignatureValue>rzqD...</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data><ds:X509Certificate>MIIE3..</ds:X509Certificate></ds:X509Data>
</KeyInfo></ds:Signature>
<Subject>
<NameID>my_sAMAccountName</NameID> - Correct
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="ONELOGIN_ad6a24cdd9f93643a669696bb15791d1d705f8fb" NotOnOrAfter="2023-05-11T03:10:10.623Z" Recipient="https://nextcloud/index.php/apps/user_saml/saml/acs"/>
</SubjectConfirmation></Subject>
<Conditions NotBefore="2023-05-11T03:05:09.998Z" NotOnOrAfter="2023-05-11T04:05:09.998Z">
<AudienceRestriction>
<Audience>https://nextcloud/index.php/apps/user_saml/saml/metadata</Audience>
</AudienceRestriction></Conditions>
<AuthnStatement AuthnInstant="2023-05-11T03:03:21.825Z" SessionIndex="_8540e7de-978b-42ba-95c3-ec477acca4c3">
<AuthnContext>
<AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
</AuthnContext></AuthnStatement></Assertion></samlp:Response>
Settings IdP:
Name – Nextcloud
Endpoint - https://nextcloud-domain/index.php/apps/user_saml/saml/acs
Settings LDAP:
Internal Username Attribute: sAMAccountName
Settings user_saml:
Used many options for specifying attributes: userPrincipalName, UPN, NameIdentifier
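The log line "IDP parameter for the UID not found. Possible parameters are: []" says the SP found no SAML attributes at all to map a UID from, and the posted assertion indeed carries only a NameID and no AttributeStatement. The script below is an added diagnostic, not part of this report or of the user_saml app: it decodes a SAMLResponse as the browser posts it to the ACS endpoint, lists the NameID, the released attributes, the Audience and the Recipient, and reports whether a configured UID attribute can be satisfied. The two sample assertions are constructed to mirror the posted one, with placeholder values; the AD FS claim URI for UPN is a real claim type, and `uid_mapping=None` meaning "take the UID from NameID" is this script's own convention, not a statement about how user_saml itself falls back.

```python
"""Added diagnostic for "IDP parameter for the UID not found. Possible parameters are: []".

Not part of the Nextcloud user_saml app. Decodes a captured SAMLResponse and
shows what a service provider could map a UID from: NameID and attributes.
"""
import base64
import xml.etree.ElementTree as ET  # for untrusted captures prefer defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Real AD FS claim type for the user principal name.
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# Constructed sample mirroring the posted response: NameID only, no AttributeStatement.
SAMPLE_NO_ATTRS = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_resp1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
    <Issuer>http://ADFS/adfs/services/trust</Issuer>
    <Subject>
      <NameID>jdoe</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData Recipient="https://nextcloud/index.php/apps/user_saml/saml/acs"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions><AudienceRestriction>
      <Audience>https://nextcloud/index.php/apps/user_saml/saml/metadata</Audience>
    </AudienceRestriction></Conditions>
  </Assertion>
</samlp:Response>"""

# Constructed variant in which the IdP releases a UPN claim.
ATTR_STATEMENT = (
    '<AttributeStatement><Attribute Name="%s">'
    "<AttributeValue>jdoe@example.com</AttributeValue>"
    "</Attribute></AttributeStatement>" % UPN_CLAIM
)
SAMPLE_WITH_ATTRS = SAMPLE_NO_ATTRS.replace("</Assertion>", ATTR_STATEMENT + "</Assertion>")


def encode_for_post(xml_text: str) -> str:
    """HTTP-POST binding: the SAMLResponse form field is base64 of the raw XML."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_saml_response(form_value: str) -> str:
    """Reverse of encode_for_post; this is what you paste from the browser's form data."""
    return base64.b64decode(form_value).decode("utf-8")


def summarize(xml_text: str) -> dict:
    """Pull out everything a service provider could use to identify the user."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"status": status.get("Value") if status is not None else None,
                "name_id": None, "attributes": {}, "audience": None, "recipient": None}
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "status": status.get("Value") if status is not None else None,
        "name_id": name_id.text if name_id is not None else None,
        "attributes": attributes,
        "audience": audience.text if audience is not None else None,
        "recipient": scd.get("Recipient") if scd is not None else None,
    }


def diagnose(summary: dict, uid_mapping):
    """Decide where the UID would come from.

    uid_mapping: attribute Name the SP is configured to read, or None to use NameID
    (this script's convention). Returns a (source, detail) pair.
    """
    if summary["status"] != SUCCESS:
        return ("status", summary["status"])
    if uid_mapping is None:
        return ("nameid", summary["name_id"]) if summary["name_id"] else ("missing", [])
    values = summary["attributes"].get(uid_mapping)
    if values:
        return ("attribute", values[0])
    # Mirrors the situation in the report: the wanted attribute was never released.
    return ("missing", sorted(summary["attributes"]))


if __name__ == "__main__":
    for label, sample in (("as posted", SAMPLE_NO_ATTRS), ("with UPN claim", SAMPLE_WITH_ATTRS)):
        s = summarize(decode_saml_response(encode_for_post(sample)))
        print(label, "->", s["name_id"], sorted(s["attributes"]), diagnose(s, UPN_CLAIM))
```

Run against a real capture, an empty attribute list with a non-empty NameID points at the IdP side: the relying-party trust has no claim rule issuing the attribute the SP is configured to read, so the fix is either to add that issuance rule on AD FS or to map the UID to NameID on the SP. Also compare the printed Audience and Recipient with the SP metadata URL and ACS URL; in the posted response both already match.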