Nextcloud 23.0 LDAP/SAML and DUO/SSO SAML Issues

Hello Everyone,
We’ve been struggling to get Nextcloud working properly with SAML/LDAP using DUO SSO/SAML.

We have spent a ton of time troubleshooting and have scoured the Internet with not much luck. I am hoping to find some answers here.

Nextcloud Version 23.0
PHP 8.0
Apache
NGINX Reverse Proxy SSL/HTTPS

We seem to have the DUO portion working properly, as we can get it to authenticate if we uncheck the option “Only allow authentication if an account exists on some other backend. (e.g. LDAP)”. DUO SSO will prompt us, we approve it, and we log right in… However, this is one of the issues: a NEW account is getting created. It is not using the existing backend LDAP account that we have been using for the past year.

We are currently using LDAP for direct login without any issues, so we know for certain our LDAP is working fine, as we use it daily… These are the current UIDs we have set and have been testing with…

(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))(|(displayName=%uid))))

Our goal is to use Email Address as the username which we use for a bunch of other SSO/SAML/DUO stuff through DUO Central without issue.

This is currently our config in Nextcloud SAML. We have tried every kind of combination we can think of.

We are mapping the IdP to user.email (we have tried user.username, user.mail, samaccountname, displayname, etc.). They all fail… We have even tried the advanced and expert LDAP settings to hardcode the desired UID we want… No luck.

In DUO we map the IdP attribute Email Address to user.email, which matches the SAML in NC…

Every time we go to authenticate with DUO we get this error.

Account not provisioned.

Your account is not provisioned, access to this service is thus not possible.

We have some kind of mismatch somewhere, and we can’t seem to figure out the right combo to get this to sync up properly. We have tried just about every solution we have found… Nothing is working…

If anyone has any guidance on proper IdP settings for UID mappings, or whatever we may be missing, that would be great… Thank you!

Hello,

Did you ever find a solution for the DUO SAML? I’d like to do the same for myself, but I’m not even sure if I’ve put all the values in the right places.

Bye, Sascha

OK, now I’m as far as you are. Getting the same message. If I can get it working I’ll post it here.

Bye, Sascha

So, yes, we got it resolved… It seems there was an issue with the Docker version on Ubuntu (although it was probably OK after figuring out the below). As soon as we spun up another instance of Nextcloud on Debian 11 without Docker, SAML worked flawlessly… The root cause of the issue seemed to be that when you sync your users via LDAP they get thrown into the database with a UUID. That UUID seems to overwrite all the parameters you put in with SAML for the username. Before we did a fresh sync with LDAP we configured Nextcloud to make sure the UUID was not created in the database…

Under LDAP/AD integration, under the Expert tab, we set the Internal Username Attribute to mail and the UUID Attribute for Users to mail. Then we did an LDAP sync… This created all the users with email addresses only, NO UUID… Once we had that set properly in Nextcloud, the DUO SSO/SAML worked perfectly because it could properly match the mail attribute for the username…

You could try to blow away your LDAP users and resync with the new attributes… We found it was easier to set up a new instance and migrate the data, because we obviously couldn’t delete live user accounts and rebuild them…
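The “Account not provisioned” error in the first post and the fix described in the reply above come down to one comparison: the value the SAML app pulls out of the assertion as the uid must be byte-for-byte equal to the internal username the LDAP backend stored for that user. The following is an added illustration written for this thread, not Nextcloud’s or Duo’s code; it models that comparison with constructed directory entries and a constructed Duo assertion. The attribute names (objectGUID, mail, user.email), the simplified username sanitisation and the string results are all assumptions made for the demonstration.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample directory entries (not real accounts): what an AD sync hands
# to Nextcloud for each user. objectGUID stands in for the attribute the LDAP
# backend uses as the UUID by default.
LDAP_ENTRIES: List[Dict[str, str]] = [
    {"objectGUID": "3f2a9c1e-6b4d-4e07-8a55-1c2d3e4f5a6b",
     "sAMAccountName": "jdoe", "mail": "jdoe@example.com"},
    {"objectGUID": "9b8c7d6e-5f4a-4b3c-2d1e-0f9e8d7c6b5a",
     "sAMAccountName": "asmith", "mail": "a.smith@example.com"},
]


def sanitize_username(name: str) -> str:
    """Simplified model (assumption) of internal-username sanitisation:
    spaces become underscores and anything outside [a-zA-Z0-9_.@-] is dropped."""
    name = name.replace(" ", "_")
    return re.sub(r"[^a-zA-Z0-9_.@-]", "", name)


def internal_username(entry: Dict[str, str], username_attr: Optional[str] = None) -> str:
    """Internal username the LDAP backend stores for one entry.

    With no Internal Username Attribute configured (the default), the username is
    derived from the UUID attribute; the thread's fix sets it to 'mail' instead.
    """
    source = entry[username_attr] if username_attr else entry["objectGUID"]
    return sanitize_username(source)


def provision_ldap_users(entries: List[Dict[str, str]],
                         username_attr: Optional[str] = None) -> Set[str]:
    """The set of usernames that exist on the LDAP backend after a sync."""
    return {internal_username(e, username_attr) for e in entries}


def saml_login(assertion: Dict[str, str], uid_mapping: str, backend_users: Set[str],
               require_provisioned: bool = True) -> str:
    """Model of the SAML app's decision after a successful IdP response.

    uid_mapping is the assertion attribute configured as the Nextcloud uid;
    require_provisioned models the checkbox "Only allow authentication if an
    account exists on some other backend". Returns a short description of the outcome.
    """
    uid = assertion.get(uid_mapping)
    if not uid:
        return "error: uid attribute %r missing from assertion" % uid_mapping
    if uid in backend_users:
        return "login as existing backend user " + uid
    if require_provisioned:
        return "Account not provisioned."
    return "created new SAML-only user " + uid


def demo() -> Dict[str, str]:
    """Run the three situations the thread describes and return their outcomes."""
    # Constructed assertion: Duo releases the email address under the attribute
    # name that the Nextcloud SAML app has been told to use as the uid.
    assertion = {"user.email": "jdoe@example.com", "user.username": "jdoe"}

    default_users = provision_ldap_users(LDAP_ENTRIES)        # usernames are GUIDs
    mail_users = provision_ldap_users(LDAP_ENTRIES, "mail")   # usernames are emails

    return {
        # Checkbox on, default LDAP sync: email never equals a GUID -> rejected.
        "default_sync": saml_login(assertion, "user.email", default_users),
        # Checkbox off, default sync: login succeeds but as a brand-new local user.
        "default_sync_unchecked": saml_login(assertion, "user.email", default_users,
                                             require_provisioned=False),
        # Checkbox on, internal username = mail: the existing LDAP user is matched.
        "mail_as_internal_username": saml_login(assertion, "user.email", mail_users),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The second scenario is the “a NEW account is getting created” symptom from the first post, and the first is the “Account not provisioned” error; only the third matches the LDAP user. The model also shows why a resync or a fresh instance was needed: the internal username is fixed at first sync, so changing the attribute afterwards yields different identities rather than renaming the existing ones.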

OK, I found a solution that works for me.

In DUO I entered the following under “Map attributes”:
[screenshot]

And in Nextcloud I have deposited the following:
[screenshot]

After that it works.

Great, thanks for the response. Luckily, I had this attitude right from the start. That’s why it worked for me now.