AD FS and SAML/ Account not provisioned

Nextcloud version 25.0.6
Operating system and version: Ubuntu 22.04

nginx version: 1.18.0
PHP version: 8.1

Is this the first time you’ve seen this error? (Y):

Steps to replicate it:

  1. Login using LDAPUser
  2. Connects fine
  3. Go into apps and enable User_SAML
  4. Connect to NextCloud and get forwarded to IDP for login
  5. Login using same account
  6. Get error: Account not provisioned. Your account is not provisioned, access to this service is thus not possible.

The output of your Nextcloud log in Admin > Logging:

IDP parameter for the UID not found. Possible parameters are: []

SSO & SAML authentication not working using Microsoft AD FS 2022 IdP. LDAP authentication works correctly.

Error when logging in: Account not provisioned

In Chrome Developer Tools the following SAMLResponse data:

<samlp:Response ID="_5cb7817a-ee03-4190-b4e5-ac1e30cc35d1" Version="2.0" IssueInstant="2023-05-11T03:05:10.623Z" Destination="https://nextcloud/index.php/apps/user_saml/saml/acs" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="ONELOGIN_ad6a24cdd9f93643a669696bb15791d1d705f8fb" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://ADFS/adfs/services/trust</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<Assertion ID="_8540e7de-978b-42ba-95c3-ec477acca4c3" IssueInstant="2023-05-11T03:05:10.623Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>http://ADFS/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_8540e7de-978b-42ba-95c3-ec477acca4c3">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>EcuCsu6mbeXLd25n5DAmY6+gGsKuRJuxmqbnngeccL8=</ds:DigestValue>
</ds:Reference></ds:SignedInfo>
<ds:SignatureValue>rzqD...</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data><ds:X509Certificate>MIIE3..</ds:X509Certificate></ds:X509Data>
</KeyInfo></ds:Signature>
<Subject>
<NameID>my_sAMAccountName</NameID> <!-- Correct -->
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="ONELOGIN_ad6a24cdd9f93643a669696bb15791d1d705f8fb" NotOnOrAfter="2023-05-11T03:10:10.623Z" Recipient="https://nextcloud/index.php/apps/user_saml/saml/acs"/>
</SubjectConfirmation></Subject>
<Conditions NotBefore="2023-05-11T03:05:09.998Z" NotOnOrAfter="2023-05-11T04:05:09.998Z">
<AudienceRestriction>
<Audience>https://nextcloud/index.php/apps/user_saml/saml/metadata</Audience>
</AudienceRestriction></Conditions>
<AuthnStatement AuthnInstant="2023-05-11T03:03:21.825Z" SessionIndex="_8540e7de-978b-42ba-95c3-ec477acca4c3">
<AuthnContext>
<AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
</AuthnContext></AuthnStatement></Assertion></samlp:Response>

Settings IdP:

Name – Nextcloud
Endpoint - https://nextcloud-domain/index.php/apps/user_saml/saml/acs

Settings LDAP
Internal Username Attribute: sAMAccountName

Settings user_saml

Used many options for specifying attributes: userPrincipalName, UPN, NameIdentifier

1 Like
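The response posted above passes the checks the SP side enforces (Success status, an rsa-sha256 signature over the Assertion, Recipient and InResponseTo matching the ACS, Audience matching the SP metadata URL), but the Assertion contains only a NameID and no AttributeStatement, which is exactly what "Possible parameters are: []" in the log is listing. The following PowerShell is an added example, not code from the post or from the user_saml app: it decodes a SAMLResponse captured in the browser and reproduces that lookup. The two sample responses are constructed for the example (signatures omitted; nothing here verifies them), and the function and user names are assumptions.

```powershell
# Added example, not from the original post: decode a SAMLResponse captured in the
# browser and list what Nextcloud user_saml actually has to map the UID from.
# The sample responses below are constructed for this example (signatures omitted;
# nothing here verifies them, the SP does that before the attributes are used).

# In the HTTP-POST binding the SAMLResponse form field is base64-encoded XML
# (no deflate step, unlike the Redirect binding used for the AuthnRequest).
function ConvertFrom-SamlResponseField {
    param([Parameter(Mandatory)][string]$Base64)
    [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Base64))
}

# Status, NameID, the SP-side checks worth eyeballing, and every attribute in the
# AttributeStatement keyed by its Name (that Name is what user_saml maps on).
function Get-SamlAssertionSummary {
    param([Parameter(Mandatory)][string]$ResponseXml)

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($ResponseXml)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')

    $attributes = @{}
    foreach ($attr in $doc.SelectNodes('//saml:AttributeStatement/saml:Attribute', $ns)) {
        $attributes[$attr.GetAttribute('Name')] = @($attr.SelectNodes('saml:AttributeValue', $ns) | ForEach-Object { $_.InnerText })
    }

    [pscustomobject]@{
        Status       = $doc.SelectSingleNode('/samlp:Response/samlp:Status/samlp:StatusCode/@Value', $ns).Value
        NameID       = $doc.SelectSingleNode('//saml:Subject/saml:NameID', $ns).InnerText
        Recipient    = $doc.SelectSingleNode('//saml:SubjectConfirmationData/@Recipient', $ns).Value
        Audience     = $doc.SelectSingleNode('//saml:AudienceRestriction/saml:Audience', $ns).InnerText
        NotOnOrAfter = $doc.SelectSingleNode('//saml:Conditions/@NotOnOrAfter', $ns).Value
        Attributes   = $attributes
    }
}

# Reproduce user_saml's UID lookup: the UID is read from the attribute whose Name is
# entered under "Attribute to map the UID to". As the "[]" in the posted log shows,
# a NameID on its own is not among the candidates; only AttributeStatement names are.
function Resolve-NextcloudUid {
    param(
        [Parameter(Mandatory)][string]$ResponseXml,
        [Parameter(Mandatory)][string]$UidMapping
    )
    $summary = Get-SamlAssertionSummary -ResponseXml $ResponseXml
    if ($summary.Attributes.ContainsKey($UidMapping)) {
        return $summary.Attributes[$UidMapping][0]
    }
    Write-Warning ('IDP parameter for the UID not found. Possible parameters are: [{0}]' -f ($summary.Attributes.Keys -join ', '))
    return $null
}

# Constructed sample: the shape of the response in the post (NameID only, no AttributeStatement).
$nameIdOnly = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_r1" IssueInstant="2023-05-11T03:05:10Z" Destination="https://nextcloud/index.php/apps/user_saml/saml/acs">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion Version="2.0" ID="_a1" IssueInstant="2023-05-11T03:05:10Z">
    <saml:Issuer>http://ADFS/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jdoe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2023-05-11T03:10:10Z" Recipient="https://nextcloud/index.php/apps/user_saml/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2023-05-11T03:05:09Z" NotOnOrAfter="2023-05-11T04:05:09Z">
      <saml:AudienceRestriction><saml:Audience>https://nextcloud/index.php/apps/user_saml/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
'@

# Constructed sample: the same assertion once AD FS also issues sAMAccountName as an attribute claim.
$withAttribute = $nameIdOnly -replace '</saml:Conditions>', @'
</saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="sAMAccountName"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
'@

# The first call has nothing to map from and warns with the same wording as the
# Nextcloud log; the second resolves the UID from the attribute.
Resolve-NextcloudUid -ResponseXml $nameIdOnly    -UidMapping 'sAMAccountName'
Resolve-NextcloudUid -ResponseXml $withAttribute -UidMapping 'sAMAccountName'
```

To run it against a real capture, take the SAMLResponse form field from the POST to /apps/user_saml/saml/acs in the browser's network tab and pass it through ConvertFrom-SamlResponseField first. The summary deliberately prints Recipient, Audience and NotOnOrAfter next to the attributes: if those do not match the ACS URL, the SP entity ID and the current time, the SP rejects the assertion before any mapping happens, and that is a different failure from the one in this thread.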

Did you ever get this to work?

1 Like

Hello,

We have the exact same issue.
If someone has an idea, it will be welcome.
The SAML response is successful but Nextcloud answers that the user is not provisioned.
The SAML debugger gives us the same response as indicated in this subject.
Thanks

1 Like

I had the same issue at that moment of life, then…

In the rule, instead of “Name ID”, write sAMAccountName (put the raw reference of the LDAP attribute) and done.


and the setting in “user_saml” is correct.

Check this guide with Google Translate: Windows, SQL and other: Nextcloud SSO ADFS

Regards.

1 Like
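The reply above does the change in the AD FS rule editor; the following is an added example of the same change from PowerShell on the AD FS server, not the replier's own commands or the linked guide. It assumes the relying party trust is the one the original post named "Nextcloud", and it sets the outgoing claim type to the raw attribute name sAMAccountName so that the assertion carries <Attribute Name="sAMAccountName">, which is the string to enter under "Attribute to map the UID to" in user_saml.

```powershell
# Added example, not from the thread: the AD FS side of the fix described above,
# done with the AD FS PowerShell module instead of the rule editor.
# Assumed: the relying party trust is the one named "Nextcloud" in the post.
$rpName = 'Nextcloud'

# Keep a copy of the current rule set first: -IssuanceTransformRules replaces it wholesale.
$existing = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
$existing | Set-Content -Path ".\${rpName}-issuance-rules.bak.txt"

# Claim rule language. The first rule's outgoing claim type is the raw LDAP attribute
# name rather than a schema URI, so the assertion gains <Attribute Name="sAMAccountName">
# and user_saml can map the UID from it. The second rule additionally keeps
# sAMAccountName as the NameID, which is what the original "Name ID" mapping produced;
# it is optional for user_saml but harmless.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Nextcloud UID from sAMAccountName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("sAMAccountName"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "NameID from sAMAccountName"
c:[Type == "sAMAccountName"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified");
'@

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Show the rules AD FS now applies to this trust.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

On the Nextcloud side the matching setting is "Attribute to map the UID to" = sAMAccountName, the same name the LDAP backend in the original post uses as its Internal Username Attribute. That agreement is what makes the SAML login land on the account the LDAP login already created; if the two attributes differ, Nextcloud sees two unrelated users. After the change, re-capture the SAMLResponse and confirm the AttributeStatement is present before touching anything else.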