Authentik SAML SSO Login: Account not provisioned

I am trying to set up an SSO login via Authentik SAML, but it fails with the following error:

Account not provisioned.
Your account is not provisioned, access to this service is thus not possible.

Nextcloud Logs:

```
[user_saml] Error: Invalid issuer in the Assertion/Response (expected 'https://authentik.xyz.com/', got 'https://authentik.xyz.com')
	POST /apps/user_saml/saml/acs
	from 192.168.91.220 by -- at Dec 31, 2024, 2:59:17 PM
```

```
{"reqId":"IleLQSA6ZjDgq4x2Ldi4","level":3,"time":"2024-12-31T13:59:17+00:00","remoteAddr":"192.168.91.220","user":"--","app":"user_saml","method":"POST","url":"/apps/user_saml/saml/acs","message":"invalid_response","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","version":"30.0.4.1","data":{"app":"user_saml"},"id":"6773f92d3cf05"}
```

Any idea what could be wrong?
Is that "user":"--" in the log normal, or is there perhaps a mapping issue?
I am pretty new to SSO, so maybe I am just missing something basic.

Configuration

Nextcloud configs

The output of `occ saml:config:get`:

```
:~/nextcloud# docker exec -u www-data nextcloud-nextcloud-1 php occ saml:config:get
- 1:
  - general-uid_mapping: http://schemas.goauthentik.io/2021/02/saml/uid
  - general-idp0_display_name: authentik
  - idp-entityId: https://authentik.xyz.com/
  - idp-singleSignOnService.url: https://authentik.xyz.com/application/saml/cloud-uray-io/sso/binding/redirect/
  - idp-singleLogoutService.url: https://authentik.xyz.com/application/saml/cloud-uray-io/slo/binding/redirect/
  - idp-x509cert: -----BEGIN CERTIFICATE-----
    MIIFVDCCAzygAwIBAgIRAJTGX1jfXE2zqqNovPwWdlowDQYJKoZIhvcNAQELBQAw
    HjEcMBoGA1UEAwwTYXV0aGVudGlrIDIwMjQuMTIuMTAeFw0yNDEyMjgxMTI3Mjla
    --snip--
    JImoo8M2vM9WgG+JPvEeMnirSZolRGYlZjXK/qc6PZ9BGU8QKAYoX4owq0JCGvdc
    OVt82MhIZTxDPTuyL4K/y9x6bRUrQM2+
    -----END CERTIFICATE-----
  - saml-attribute-mapping-displayName_mapping: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  - saml-attribute-mapping-email_mapping: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  - saml-attribute-mapping-group_mapping: http://schemas.xmlsoap.org/claims/Group
  - sp-name-id-format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
```
The output of `occ config:list system`:

```
{
    "system": {
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "password": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "overwritehost": "cloud.xyz.io",
        "overwriteprotocol": "https",
        "overwrite.cli.url": "https:\/\/cloud.xyz.io",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "upgrade.disable-web": true,
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "cloud.xyz.io"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "30.0.4.1",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "ssl",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "loglevel": 2
    }
}
```
The output of `occ app:list`:

Enabled:

  • activity: 3.0.0
  • app_api: 4.0.3
  • bruteforcesettings: 3.0.0
  • circles: 30.0.0
  • cloud_federation_api: 1.13.0
  • comments: 1.20.1
  • contactsinteraction: 1.11.0
  • dashboard: 7.10.0
  • dav: 1.31.1
  • federatedfilesharing: 1.20.0
  • federation: 1.20.0
  • files: 2.2.0
  • files_downloadlimit: 3.0.0
  • files_pdfviewer: 3.0.0
  • files_reminders: 1.3.0
  • files_sharing: 1.22.0
  • files_trashbin: 1.20.1
  • files_versions: 1.23.0
  • firstrunwizard: 3.0.0
  • logreader: 3.0.0
  • lookup_server_connector: 1.18.0
  • nextcloud_announcements: 2.0.0
  • notifications: 3.0.0
  • oauth2: 1.18.1
  • password_policy: 2.0.0
  • photos: 3.0.2
  • privacy: 2.0.0
  • provisioning_api: 1.20.0
  • recommendations: 3.0.0
  • related_resources: 1.5.0
  • serverinfo: 2.0.0
  • settings: 1.13.0
  • sharebymail: 1.20.0
  • support: 2.0.0
  • survey_client: 2.0.0
  • systemtags: 1.20.0
  • text: 4.1.0
  • theming: 2.5.0
  • twofactor_backupcodes: 1.19.0
  • updatenotification: 1.20.0
  • user_saml: 6.4.1
  • user_status: 1.10.0
  • viewer: 3.0.0
  • weather_status: 1.10.0
  • webhook_listeners: 1.1.0-dev
  • workflowengine: 2.12.0

Disabled:

  • admin_audit: 1.20.0
  • encryption: 2.18.0
  • files_external: 1.22.0
  • suspicious_login: 8.0.0
  • twofactor_nextcloud_notification: 4.0.0
  • twofactor_totp: 12.0.0-dev
  • user_ldap: 1.21.0

System:

Nextcloud version: Nextcloud Hub 9 (30.0.4)

Docker images:

nextcloud/nextcloud:3.0.4
traefik:3.2.3

Best guess - The error message suggests the URL is different:

(expected 'https://authentik.xyz.com/', got 'https://authentik.xyz.com')

Your user_saml config has:

idp-entityId: https://authentik.xyz.com/

And also check the docs you linked to:

  • Identifier of the IdP entity (must be a URI): https://authentik.company

(the slash at the end)
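To make the trailing-slash point concrete, here is an added illustration (not code from Nextcloud, user_saml or the php-saml library they use) of how a SAML service provider validates the Issuer: it trims whitespace and then compares the string exactly against the configured IdP entity ID, with no URL normalisation, so `https://authentik.xyz.com/` and `https://authentik.xyz.com` are two different issuers. The SAML Response below is constructed (unsigned, attributes omitted) and only mirrors the issuer value seen in the log.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed, minimal SAML Response: the IdP sends its entity ID
# without a trailing slash, exactly as in the log line above.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_constructed_r" Version="2.0" IssueInstant="2024-12-31T13:59:17Z">
  <saml:Issuer>https://authentik.xyz.com</saml:Issuer>
  <saml:Assertion ID="_constructed_a" Version="2.0" IssueInstant="2024-12-31T13:59:17Z">
    <saml:Issuer>https://authentik.xyz.com</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""


def issuers(response_xml: str) -> list[str]:
    """Return the whitespace-trimmed Issuer of the Response and of each Assertion."""
    root = ET.fromstring(response_xml)
    found = []
    top = root.find(f"{{{SAML_NS}}}Issuer")
    if top is not None:
        found.append((top.text or "").strip())
    for assertion in root.findall(f"{{{SAML_NS}}}Assertion"):
        el = assertion.find(f"{{{SAML_NS}}}Issuer")
        if el is not None:
            found.append((el.text or "").strip())
    return found


def check_issuer(response_xml: str, idp_entity_id: str) -> tuple[bool, str]:
    """Exact string comparison against the configured idp-entityId.

    Nothing here normalises the URL, which is why a trailing slash in the
    SP config that the IdP does not send is enough to reject the login.
    """
    for issuer in issuers(response_xml):
        if not issuer or issuer != idp_entity_id:
            return False, (f"Invalid issuer in the Assertion/Response "
                           f"(expected '{idp_entity_id}', got '{issuer}')")
    return True, "issuer ok"


if __name__ == "__main__":
    # Configured with a trailing slash (as in the poster's saml:config:get): rejected.
    print(check_issuer(SAMPLE_RESPONSE, "https://authentik.xyz.com/"))
    # Configured to match what the IdP actually sends: accepted.
    print(check_issuer(SAMPLE_RESPONSE, "https://authentik.xyz.com"))
```

Setting `idp-entityId` to the exact value the IdP places in its Issuer element (and in its metadata) resolves this kind of mismatch; the check is intentionally strict so that a response from a different issuer is never accepted.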