I try to set up an SSO login via Authentik SAML, but it fails with the following error:
Account not provisioned.
Your account is not provisioned, access to this service is thus not possible.
Nextcloud Logs:
[user_saml] Error: Invalid issuer in the Assertion/Response (expected 'https://authentik.xyz.com/', got 'https://authentik.xyz.com')
POST /apps/user_saml/saml/acs
from 192.168.91.220 by -- at Dec 31, 2024, 2:59:17 PM
{"reqId":"IleLQSA6ZjDgq4x2Ldi4","level":3,"time":"2024-12-31T13:59:17+00:00","remoteAddr":"192.168.91.220","user":"--","app":"user_saml","method":"POST","url":"/apps/user_saml/saml/acs","message":"invalid_response","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","version":"30.0.4.1","data":{"app":"user_saml"},"id":"6773f92d3cf05"}
Any idea what could be wrong?
Is that "user":"--"
in the log normal, or is there perhaps a mapping issue?
I am pretty new to SSO, so maybe I miss just a basic thing.
Configuration
Nextcloud configs
The output of `occ saml:config:get`:
```
:~/nextcloud# docker exec -u www-data nextcloud-nextcloud-1 php occ saml:config:get
- 1:
  - general-uid_mapping: http://schemas.goauthentik.io/2021/02/saml/uid
  - general-idp0_display_name: authentik
  - idp-entityId: https://authentik.xyz.com/
  - idp-singleSignOnService.url: https://authentik.xyz.com/application/saml/cloud-uray-io/sso/binding/redirect/
  - idp-singleLogoutService.url: https://authentik.xyz.com/application/saml/cloud-uray-io/slo/binding/redirect/
  - idp-x509cert: -----BEGIN CERTIFICATE-----
    MIIFVDCCAzygAwIBAgIRAJTGX1jfXE2zqqNovPwWdlowDQYJKoZIhvcNAQELBQAw
    HjEcMBoGA1UEAwwTYXV0aGVudGlrIDIwMjQuMTIuMTAeFw0yNDEyMjgxMTI3Mjla
    --snip--
    JImoo8M2vM9WgG+JPvEeMnirSZolRGYlZjXK/qc6PZ9BGU8QKAYoX4owq0JCGvdc
    OVt82MhIZTxDPTuyL4K/y9x6bRUrQM2+
    -----END CERTIFICATE-----
  - saml-attribute-mapping-displayName_mapping: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  - saml-attribute-mapping-email_mapping: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  - saml-attribute-mapping-group_mapping: http://schemas.xmlsoap.org/claims/Group
  - sp-name-id-format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
```

The output of `occ config:list system`:

```
{
  "system": {
    "htaccess.RewriteBase": "\/",
    "memcache.local": "\\OC\\Memcache\\APCu",
    "apps_paths": [
      {
        "path": "\/var\/www\/html\/apps",
        "url": "\/apps",
        "writable": false
      },
      {
        "path": "\/var\/www\/html\/custom_apps",
        "url": "\/custom_apps",
        "writable": true
      }
    ],
    "memcache.distributed": "\\OC\\Memcache\\Redis",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "redis": {
      "host": "***REMOVED SENSITIVE VALUE***",
      "password": "***REMOVED SENSITIVE VALUE***",
      "port": 6379
    },
    "overwritehost": "cloud.xyz.io",
    "overwriteprotocol": "https",
    "overwrite.cli.url": "https:\/\/cloud.xyz.io",
    "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
    "upgrade.disable-web": true,
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
      "localhost",
      "cloud.xyz.io"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "pgsql",
    "version": "30.0.4.1",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "maintenance": false,
    "mail_smtpmode": "smtp",
    "mail_smtpsecure": "ssl",
    "mail_sendmailmode": "smtp",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpport": "465",
    "mail_smtpauth": 1,
    "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
    "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
    "loglevel": 2
  }
}
```

The output of `occ app:list`:
Enabled:
- activity: 3.0.0
- app_api: 4.0.3
- bruteforcesettings: 3.0.0
- circles: 30.0.0
- cloud_federation_api: 1.13.0
- comments: 1.20.1
- contactsinteraction: 1.11.0
- dashboard: 7.10.0
- dav: 1.31.1
- federatedfilesharing: 1.20.0
- federation: 1.20.0
- files: 2.2.0
- files_downloadlimit: 3.0.0
- files_pdfviewer: 3.0.0
- files_reminders: 1.3.0
- files_sharing: 1.22.0
- files_trashbin: 1.20.1
- files_versions: 1.23.0
- firstrunwizard: 3.0.0
- logreader: 3.0.0
- lookup_server_connector: 1.18.0
- nextcloud_announcements: 2.0.0
- notifications: 3.0.0
- oauth2: 1.18.1
- password_policy: 2.0.0
- photos: 3.0.2
- privacy: 2.0.0
- provisioning_api: 1.20.0
- recommendations: 3.0.0
- related_resources: 1.5.0
- serverinfo: 2.0.0
- settings: 1.13.0
- sharebymail: 1.20.0
- support: 2.0.0
- survey_client: 2.0.0
- systemtags: 1.20.0
- text: 4.1.0
- theming: 2.5.0
- twofactor_backupcodes: 1.19.0
- updatenotification: 1.20.0
- user_saml: 6.4.1
- user_status: 1.10.0
- viewer: 3.0.0
- weather_status: 1.10.0
- webhook_listeners: 1.1.0-dev
- workflowengine: 2.12.0
Disabled:
- admin_audit: 1.20.0
- encryption: 2.18.0
- files_external: 1.22.0
- suspicious_login: 8.0.0
- twofactor_nextcloud_notification: 4.0.0
- twofactor_totp: 12.0.0-dev
- user_ldap: 1.21.0
System:
Nextcloud version: Nextcloud Hub 9 (30.0.4)
Docker images:
nextcloud/nextcloud:3.0.4
traefik:3.2.3
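The logged error ("expected 'https://authentik.xyz.com/', got 'https://authentik.xyz.com'") comes from the issuer check every SAML service provider performs: the `<saml:Issuer>` in the Response and in the Assertion must equal the configured IdP entityID as a plain string, because entityIDs are opaque URIs and no slash or case normalization is applied. The following is an added illustration of that check, not code from the post, from Nextcloud's user_saml app or from Authentik; the SAML Response XML is a constructed, unsigned sample that reuses the placeholder hostnames from the post, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces for the protocol (Response) and assertion elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a minimal, unsigned Response whose Issuer values lack the
# trailing slash that the SP configuration (idp-entityId) expects. The hostnames
# are the placeholders from the post, not real endpoints.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed_resp_1" Version="2.0" IssueInstant="2024-12-31T13:59:17Z"
    Destination="https://cloud.xyz.io/apps/user_saml/saml/acs">
  <saml:Issuer>https://authentik.xyz.com</saml:Issuer>
  <saml:Assertion ID="_constructed_assert_1" Version="2.0"
      IssueInstant="2024-12-31T13:59:17Z">
    <saml:Issuer>https://authentik.xyz.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>
"""


def extract_issuers(response_xml: str) -> dict:
    """Return the Issuer text of the Response and of its first Assertion."""
    root = ET.fromstring(response_xml)
    found = {}
    for label, path in (("Response", "saml:Issuer"),
                        ("Assertion", "saml:Assertion/saml:Issuer")):
        el = root.find(path, NS)
        found[label] = (el.text or "").strip() if el is not None else None
    return found


def check_issuer(response_xml: str, expected_entity_id: str) -> list:
    """Validate both Issuer values against the configured IdP entityID.

    The comparison is plain string equality, which is how SP libraries bind a
    message to the one IdP they trust: 'https://idp/' and 'https://idp' are two
    different identities. Returns a list of problems; empty means the check passed.
    """
    problems = []
    for where, got in extract_issuers(response_xml).items():
        if got != expected_entity_id:
            problems.append(
                f"Invalid issuer in the {where} "
                f"(expected '{expected_entity_id}', got '{got}')"
            )
    return problems


def diagnose_mismatch(expected: str, got) -> str:
    """Classify why two entityIDs differ, to point the admin at the field to fix."""
    if got is None:
        return "missing"
    if expected == got:
        return "match"
    if expected.rstrip("/") == got.rstrip("/"):
        return "trailing-slash"
    if expected.lower() == got.lower():
        return "case"
    return "different-identity"


if __name__ == "__main__":
    configured = "https://authentik.xyz.com/"  # idp-entityId as shown in the post
    for problem in check_issuer(SAMPLE_RESPONSE, configured):
        print(problem)
    observed = extract_issuers(SAMPLE_RESPONSE)["Response"]
    print("diagnosis:", diagnose_mismatch(configured, observed))
```

Running the block reproduces the two "Invalid issuer" lines (one for the Response, one for the Assertion) and classifies the difference as a trailing slash. The design point is that the SP must not loosen the comparison to make the login work: the exact entityID match is what ties the assertion to the trusted IdP, so the remedy lives in the configuration (the SP's `idp-entityId` and the IdP's issuer value must be byte-for-byte identical), not in the check.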