Nextcloud version (eg, 10.0.2): 11.0.2
SimpleSAMLphp: 1.14.11
Operating system and version (eg, Ubuntu 16.04): Debian 8.7
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.10
PHP version (eg, 5.6): 7.0.16
Is this the first time you’ve seen this error?: Since configuration
Can you reliably replicate it? (If so, please outline steps):
When using IDP-initiated Single Log Off (SLO) to log out of Nextcloud, I get the following message on screen:
“Access forbidden
CSRF check failed”
Log Off Steps:
- https://sso.xxxx.xxxx/idp/saml2/idp/SingleLogoutService.php?SAMLRequest=…&RelayState=…
- https://sso.xxxx.xxxx/idp/module.php/core/idp/resumelogout.php?id=…
- https://clouddev.xxxx.xxxx/index.php/apps/user_saml/saml/sls?SAMLRequest=…&RelayState=…
SAML Settings:
- Attribute: uid
- Only allow authentication if an account is existent on some other backend. (e.g. LDAP)
- Use SAML auth for the Nextcloud desktop clients (requires user re-authentication)
- SP Certificates set.
- IdP Links and certificate set.
- Security settings:
  - Nothing checked.
The output of your Nextcloud log in Admin > Logging:
OneLogin_Saml2_Error: Invalid array settings: idp_cert_or_fingerprint_not_found_and_required
/var/www/vhosts/xxxx.xxxx/xxxx.xxxx.xxxx/apps/user_saml/lib/Controller/SAMLController.php - line 154: OneLogin_Saml2_Settings->__construct(Array)
[internal function] OCA\User_SAML\Controller\SAMLController->getMetadata()
/var/www/vhosts/xxxx.xxxx/xxxx.xxxx.xxxx/lib/private/AppFramework/Http/Dispatcher.php - line 160: call_user_func_array(Array, Array)
/var/www/vhosts/xxxx.xxxx/xxxx.xxxx.xxxx/lib/private/AppFramework/Http/Dispatcher.php - line 90: OC\AppFramework\Http\Dispatcher->executeController(Object(OCA\User_SAML\Controller\SAMLController), 'getMetadata')
/var/www/vhosts/xxxx.xxxx/xxxx.xxxx.xxxx/lib/private/AppFramework/App.php - line 114: OC\AppFramework\Http\Dispatcher->dispatch(Object(OCA\User_SAML\Controller\SAMLController), 'getMetadata')
/var/www/vhosts/xxxx.xxxx/xxxx.xxxx.xxxx/lib/private/AppFramework/Routing/RouteActionHandler.php - line 47: OC\AppFramework\App::main('OCA\User_SAML\C…', 'getMetadata', Object(OC\AppFramework\DependencyInjection\DIContainer), Array)
[internal function] OC\AppFramework\Routing\RouteActionHandler->__invoke(Array)
/var/www/vhosts/xxxx.xxxx/xxxx.xxxx.xxxx/lib/private/Route/Router.php - line 299: call_user_func(Object(OC\AppFramework\Routing\RouteActionHandler), Array)
/var/www/vhosts/xxxx.xxxx/xxxx.xxxx.xxxx/lib/base.php - line 1010: OC\Route\Router->match('/apps/user_saml…')
/var/www/vhosts/xxxx.xxxx/xxxx.xxxx.xxxx/index.php - line 40: OC::handleRequest()
{main}
The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):
$CONFIG = array (
  'instanceid' => '',
  'passwordsalt' => '',
  'secret' => '',
  'trusted_domains' =>
  array (
    0 => '',
  ),
  'datadirectory' => '',
  'overwrite.cli.url' => '',
  'dbtype' => 'mysql',
  'version' => '11.0.2.7',
  'dbname' => '',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => '',
  'dbpassword' => '',
  'logtimezone' => 'UTC',
  'installed' => true,
  'updater.release.channel' => 'beta',
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => '\OCA\User_LDAP\LDAPProviderFactory',
  'maintenance' => false,
);
The output of your Apache/nginx/system log in /var/log/____:
Code: 412 GET /index.php/apps/user_saml/saml/sls?SAMLRequest=…&RelayState=… HTTP/1.1
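The `idp_cert_or_fingerprint_not_found_and_required` error in the Nextcloud log is raised while php-saml validates the settings array that user_saml hands to `OneLogin_Saml2_Settings`. The following is an added example, not code from this report or from the user_saml app: a hypothetical pre-flight function that mirrors the IdP-section checks php-saml performs (the setting keys and error codes follow php-saml's naming), so an admin can verify what the generated settings array actually contains before a user reaches the SLS endpoint.

```php
<?php
// Hypothetical pre-flight check (added example, not part of user_saml or php-saml).
// Returns the list of php-saml style error codes that the IdP section would trigger.
function checkIdpSettings(array $settings): array
{
    $errors = [];
    if (empty($settings['idp']) || !is_array($settings['idp'])) {
        return ['idp_not_found'];
    }
    $idp = $settings['idp'];

    if (empty($idp['entityId'])) {
        $errors[] = 'idp_entityId_not_found';
    }

    if (empty($idp['singleSignOnService']['url'])) {
        $errors[] = 'idp_sso_not_found';
    } elseif (filter_var($idp['singleSignOnService']['url'], FILTER_VALIDATE_URL) === false) {
        $errors[] = 'idp_sso_url_invalid';
    }

    // SLO is optional in the library, but IdP-initiated logout (the flow in this
    // report) cannot work without a well-formed SingleLogoutService URL.
    if (!empty($idp['singleLogoutService']['url'])
        && filter_var($idp['singleLogoutService']['url'], FILTER_VALIDATE_URL) === false) {
        $errors[] = 'idp_slo_url_invalid';
    }

    // Either the IdP's X.509 certificate or its fingerprint must be present so that
    // signed LogoutRequests/LogoutResponses can be verified. This is the check that
    // produced the error in the Nextcloud log above.
    $hasCert        = !empty($idp['x509cert']);
    $hasFingerprint = !empty($idp['certFingerprint']);
    if (!$hasCert && !$hasFingerprint) {
        $errors[] = 'idp_cert_or_fingerprint_not_found_and_required';
    }

    return $errors;
}

// Constructed sample: an IdP block whose certificate field is empty (placeholder host).
$sample = [
    'idp' => [
        'entityId'            => 'https://sso.example.invalid/idp/saml2/idp/metadata.php',
        'singleSignOnService' => ['url' => 'https://sso.example.invalid/idp/saml2/idp/SSOService.php'],
        'singleLogoutService' => ['url' => 'https://sso.example.invalid/idp/saml2/idp/SingleLogoutService.php'],
        'x509cert'            => '',
    ],
];
print_r(checkIdpSettings($sample));
```

Running it against the sample reports only the certificate/fingerprint error, which matches the failure recorded in the log; an empty result means the IdP section would pass php-saml's validation.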