CSRF check failed when using IDP-initiated SLO

Nextcloud version (eg, 10.0.2): 11.0.2
SimpleSAMLphp: 1.14.11
Operating system and version (eg, Ubuntu 16.04): Debian 8.7
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.10
PHP version (eg, 5.6): 7.0.16
Is this the first time you’ve seen this error?: Since configuration

Can you reliably replicate it? (If so, please outline steps):
When using IDP-initiated Single Log Off (SLO) to logout of Nextcloud, I get the following message on screen:
“Access forbidden
CSRF check failed”

Log Off Steps:

  1. https://portal.xxxx.xxxx/sp/module.php/core/as_logout.php?AuthId=dan-sso-sp&ReturnTo=https%3A%2F%2Fportal.xxxx.xxxx%2F

  2. https://sso.xxxx.xxxx/idp/saml2/idp/SingleLogoutService.php?SAMLRequest=…&RelayState=…”

  3. https://sso.xxxx.xxxx/idp/module.php/core/idp/resumelogout.php?id=…”

  4. https://clouddev.xxxx.xxxx/index.php/apps/user_saml/saml/sls?SAMLRequest=…&RelayState=…”

SAML Settings:

  • Attribute: uid
  • Only allow authentication if an account is existent on some other backend. (e.g. LDAP)
  • Use SAML auth for the Nextcloud desktop clients (requires user re-authentication)
  • SP Certificates set.
  • IdP Links and certificate set.
  • Security settings:
  • Nothing checked.

The output of your Nextcloud log in Admin > Logging:
OneLogin_Saml2_Error: Invalid array settings: idp_cert_or_fingerprint_not_found_and_required
/var/www/vhosts/xxxx.xxxx/xxxx.xxxx.xxxx/apps/user_saml/lib/Controller/SAMLController.php - line 154: OneLogin_Saml2_Settings->__construct(Array)

[internal function] OCA\User_SAML\Controller\SAMLController->getMetadata()
/var/www/vhosts/xxxx.xxxx/xxxx.xxxx.xxxx/lib/private/AppFramework/Http/Dispatcher.php - line 160: call_user_func_array(Array, Array)

/var/www/vhosts/xxxx.xxxx/xxxx.xxxx.xxxx/lib/private/AppFramework/Http/Dispatcher.php - line 90: OC\AppFramework\Http\Dispatcher->executeController(Object(OCA\User_SAML\Controller\SAMLController), ‘getMetadata’)

/var/www/vhosts/xxxx.xxxx/xxxx.xxxx.xxxx/lib/private/AppFramework/App.php - line 114: OC\AppFramework\Http\Dispatcher->dispatch(Object(OCA\User_SAML\Controller\SAMLController), ‘getMetadata’)

/var/www/vhosts/xxxx.xxxx/xxxx.xxxx.xxxx/lib/private/AppFramework/Routing/RouteActionHandler.php - line 47: OC\AppFramework\App main(‘OCA\User_SAML\C…’, ‘getMetadata’, Object(OC\AppFramework\DependencyInjection\DIContainer), Array)

[internal function] OC\AppFramework\Routing\RouteActionHandler->__invoke(Array)
/var/www/vhosts/xxxx.xxxx/xxxx.xxxx.xxxx/lib/private/Route/Router.php - line 299: call_user_func(Object(OC\AppFramework\Routing\RouteActionHandler), Array)

/var/www/vhosts/xxxx.xxxx/xxxx.xxxx.xxxx/lib/base.php - line 1010: OC\Route\Router->match(’/apps/user_saml…’)

/var/www/vhosts/xxxx.xxxx/xxxx.xxxx.xxxx/index.php - line 40: OC handleRequest()

{main}

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):
$CONFIG = array (
‘instanceid’ => ‘’,
‘passwordsalt’ => ‘’,
‘secret’ => ‘’,
‘trusted_domains’ =>
array (
0 => ‘’,
),
‘datadirectory’ => ‘’,
‘overwrite.cli.url’ => ‘’,
‘dbtype’ => ‘mysql’,
‘version’ => ‘11.0.2.7’,
‘dbname’ => ‘’,
‘dbhost’ => ‘localhost’,
‘dbport’ => ‘’,
‘dbtableprefix’ => ‘oc_’,
‘dbuser’ => ‘’,
‘dbpassword’ => ‘’,
‘logtimezone’ => ‘UTC’,
‘installed’ => true,
‘updater.release.channel’ => ‘beta’,
‘ldapIgnoreNamingRules’ => false,
‘ldapProviderFactory’ => ‘\OCA\User_LDAP\LDAPProviderFactory’,
‘maintenance’ => false,
);

The output of your Apache/nginx/system log in /var/log/____:
Code: 412 GET /index.php/apps/user_saml/saml/sls?SAMLRequest=…&RelayState=… HTTP/1.1

Hi,
I have the same problem (also with nextcloud 11.0.2)
-> if the IDP-initiated SLO request I get an failure: CSRF check failed.

Are there any news to this related issue?
Did you solved this issue in your environment?

Hi,
no I’m sorry I haven’t solved the issue yet…

Hi,
we have found a workaround for us - described at github:
https://github.com/nextcloud/user_saml/issues/112

I have the same issue and at least implemented a workaround for this error. I added the @nocsrfrequired attribute to the singleLogoutService in apps/user_saml/lib/Controller/SAMLController.php. Like this:

/**

  • @NoAdminRequired
  • @NoCSRFRequired
    */
    public function singleLogoutService() {
    $auth = new \OneLogin_Saml2_Auth($this->SAMLSettings->getOneLoginSettingsArray());
    $returnTo = null;
    $parameters = array();
    $nameId = $this->session->get(‘user_saml.samlNameId’);
    $sessionIndex = $this->session->get(‘user_saml.samlSessionIndex’);
    $this->userSession->logout();
    $auth->logout($returnTo, $parameters, $nameId, $sessionIndex);
    }
    I think a CSRF check is not needed for this type of functionality - the user just gets logged out. Are there any security concerns or is this the proper way to do it?