Issue with Keycloak / SAML2 SSO "Found an Attribute element with duplicated Name"

I have installed Nextcloud 11 on CentOS 7.3. I also have Keycloak (2.2.1 Final) installed on a different CentOS 7.3 machine. Both Nextcloud and Keycloak work individually.

I followed this helpful tutorial to attempt to have Nextcloud make use of Keycloak for SAML2 auth:
http://www.cloudforms-blog.com/2016/10/nextcloud-and-keycloak-saml.html

After doing that, when I try to log into Nextcloud it does route me through Keycloak. After logging into Keycloak I am sent back to Nextcloud. However, at that point I get an error message on Nextcloud:

Internal Server Error

The server encountered an internal error and was unable to complete your request.

Please contact the server administrator if this error reappears multiple times, please include the technical details below in your report.

More details can be found in the server log.

So I look in the Nextcloud log file and find this exception:

{“reqId”:“WFL8evFFZnnmN7PP808mWAAAAAc”,“remoteAddr”:“10.137.3.8”,“app”:“index”,“message”:“Exception: {“Exception”:“Exception”,“Message”:“Found an Attribute element with duplicated Name|Role|Array\n(\n [email2] => Array\n (\n [0] => bob@example\n )\n\n [Role] => Array\n (\n [0] => view-profile\n )\n\n)\n|”,“Code”:0,“Trace”:”#0 \/var\/www\/html\/nextcloud\/apps\/user_saml\/3rdparty\/vendor\/onelogin\/php-saml\/lib\/Saml2\/Auth.php(127): OneLogin_Saml2_Response->getAttributes()\n#1 \/var\/www\/html\/nextcloud\/apps\/user_saml\/lib\/Controller\/SAMLController.php(179): OneLogin_Saml2_Auth->processResponse(‘ONELOGIN_db49d4…’)\n#2 [internal function]: OCA\\User_SAML\\Controller\\SAMLController->assertionConsumerService()\n#3 \/var\/www\/html\/nextcloud\/lib\/private\/AppFramework\/Http\/Dispatcher.php(160): call_user_func_array(Array, Array)\n#4 \/var\/www\/html\/nextcloud\/lib\/private\/AppFramework\/Http\/Dispatcher.php(90): OC\\AppFramework\\Http\\Dispatcher->executeController(Object(OCA\\User_SAML\\Controller\\SAMLController), ‘assertionConsum…’)\n#5 \/var\/www\/html\/nextcloud\/lib\/private\/AppFramework\/App.php(114): OC\\AppFramework\\Http\\Dispatcher->dispatch(Object(OCA\\User_SAML\\Controller\\SAMLController), ‘assertionConsum…’)\n#6 \/var\/www\/html\/nextcloud\/lib\/private\/AppFramework\/Routing\/RouteActionHandler.php(47): OC\\AppFramework\\App::main(‘SAMLController’, ‘assertionConsum…’, Object(OC\\AppFramework\\DependencyInjection\\DIContainer), Array)\n#7 [internal function]: OC\\AppFramework\\Routing\\RouteActionHandler->__invoke(Array)\n#8 \/var\/www\/html\/nextcloud\/lib\/private\/Route\/Router.php(299): call_user_func(Object(OC\\AppFramework\\Routing\\RouteActionHandler), Array)\n#9 \/var\/www\/html\/nextcloud\/lib\/base.php(1010): OC\\Route\\Router->match(’\/apps\/user_saml…’)\n#10 \/var\/www\/html\/nextcloud\/index.php(40): OC::handleRequest()\n#11 {main}",“File”:"\/var\/www\/html\/nextcloud\/apps\/user_saml\/3rdparty\/vendor\/onelogin\/php-saml\/lib\/Saml2\/Response.php",“Line”:551}",“level”:3,“time”:“2016-12-15T20:26:34+00:00”,“method”:“POST”,“url”:"/nextcloud/index.php/apps/user_saml/saml/acs",“user”:"–",“version”:“11.0.0.10”}

NOTE that everything between the 3 pipes after “Found an Attribute element with duplicated Name” is from a print_r() showing which entry was being cycled through when the exception was thrown (“Role”). The second set of data is a print_r of the $attributes var.

This doesn’t mean much to me, it’s just the result of me trying to trace down what I found in the exception report.

HOWEVER, if I block out the following if block in apps/user_saml/3rdparty/vendor/onelogin/php-saml/lib/Saml2/Response.php, then the process seems to work:

if (in_array($attributeName, array_keys($attributes))) {

I tried it with several newly generated Keycloak users, and Nextcloud will faithfully create new users when the above code is blocked out.

SO, my question is… did I do something wrong during config, or is this a Nextcloud issue? Is my workaround safe or no?

Thanks!

I think I found the right fix for the “duplicate attribute” problem.
Go to your keycloak admin console, select the correct realm and
Configure -> Client. Select your nexcloud SP here. Now switch
to the “Mappers” tab and click on “role list”. Now toggle
"Single Role Attribute" to On and save.

Similiar thread: [Solved] Nextcloud <-(SAML)->Keycloak as identity provider issues

Adding something here as the forum software believes this is too similar to the update I posted to the other thread. I hope this is still okay, especially as it’s quite old, but it took me some time to figure it out. The proposed solution changes the role_list for every Client within the Realm. It is better to override the setting on client level to make sure it only impacts the Nextcloud client.

For this. edit your client, go to Client Scopes and remove role_list from the Assigned Default Client Scopes.

Next, create a new Mapper to actually map the Role List:

  • Name: anything you like
  • Mapper Type: Role List
  • Role Attribute name: Role
  • Friendly Name: Anything you like
  • SAML Attribute Name Format: Basic
  • Single Role Attribute: ON

Hope this helps someone.