Hello Everyone,
We’ve been struggling to get Nextcloud working properly with SAML/LDAP using DUO SSO/SAML.
We have spent a ton of time troubleshooting and have scoured the Internet with not much luck. I am hoping to find some answers here.
Nextcloud Version 23.0
PHP 8.0
Apache
NGINX Reverse Proxy SSL/HTTPS
We seem to have the DUO portion working properly, as we can get it to authenticate if we uncheck the option “Only allow authentication if an account exists on some other backend. (e.g. LDAP)”. DUO SSO will prompt us, we approve it, and we log right in… However, this is one of the issues: a NEW account is getting created. It is not using the existing backend LDAP account that we have been using for the past year.
We are currently using LDAP for direct login without any issues, so we know for certain our LDAP is working fine, as we use it daily… These are the current UIDs we have set and have been testing with…
(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))(|(displayName=%uid))))
Our goal is to use Email Address as the username which we use for a bunch of other SSO/SAML/DUO stuff through DUO Central without issue.
This is currently our config in Nextcloud SAML. We have tried every kind of combination we can think of.
We are mapping the IdP to user.email (we have tried user.username, user.mail, samaccountname, displayname, etc…). They all fail… We have even tried the advanced and expert LDAP settings to hardcode the desired UID we want… No luck.
In DUO we map IdP to Email Address to > user.email, which matches the SAML in NC…
Every time we go to authenticate with DUO we get this error:
Account not provisioned.
Your account is not provisioned, access to this service is thus not possible.
We have some kind of mismatch somewhere, and we can’t seem to figure out the right combo to get this to sync up properly. We have tried just about every solution we have found… Nothing is working…
Any guidance on proper IdP settings for UID mappings, or whatever we may be missing, would be great… Thank you!
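Added illustration, not part of the original post and not Nextcloud's own code: a small Python model of the two lookups that have to agree here. The LDAP login filter decides which directory entry a typed login name resolves to; it does not decide the Nextcloud username. That username is the LDAP backend's "internal username attribute" (expert settings; per the user_ldap documentation it is derived from the UUID attribute when the field is blank). When user_saml is told "only allow authentication if an account exists on some other backend", it takes the mapped SAML attribute as the uid and asks the LDAP backend whether a user with exactly that internal username exists; if not, the result is "Account not provisioned." The directory entry, the Duo attribute statement and the backend classes below are constructed stand-ins with assumed names, and the posted filter is reproduced with its parentheses balanced by an assumed leading `(|`.

```python
"""Model of the user_saml 'account exists on another backend' check against an
LDAP backend, to show where 'Account not provisioned.' comes from.

Added illustration, not Nextcloud code: directory, parser and backends are
simplified stand-ins with assumed names; all sample data is constructed.
"""

# Constructed sample directory entry (hypothetical values).
DIRECTORY = [
    {
        "sAMAccountName": "jdoe",
        "mail": "jdoe@example.com",
        "mailPrimaryAddress": "jdoe@example.com",
        "displayName": "Jane Doe",
        "objectGUID": "3f2a8c1e-0000-4000-8000-000000000001",  # stand-in UUID
    },
]

# Filter from the post with parentheses balanced (assumption: the pasted copy
# lost its leading "(|"). Nextcloud replaces %uid with the typed login name.
LOGIN_FILTER = ("(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))"
                "(|(displayName=%uid)))")
# The filter exactly as pasted: two closing parentheses have no opener.
POSTED_FILTER = ("(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))"
                 "(|(displayName=%uid))))")


def _parse(s, pos):
    """Parse one RFC 4515 item at s[pos]: (&...), (|...), (!...) or (attr=value)."""
    if pos >= len(s) or s[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = s[pos]
    if op in "&|!":
        pos += 1
        children = []
        while pos < len(s) and s[pos] == "(":
            child, pos = _parse(s, pos)
            children.append(child)
        if pos >= len(s) or s[pos] != ")":
            raise ValueError(f"missing ')' for '{op}' group at offset {pos}")
        return (op, children), pos + 1
    end = s.find(")", pos)
    if end < 0:
        raise ValueError("unterminated assertion")
    attr, sep, value = s[pos:end].partition("=")
    if not sep:
        raise ValueError(f"bad assertion {s[pos:end]!r}")
    return ("=", (attr.lower(), value)), end + 1


def compile_filter(template, login):
    """Substitute %uid and parse; reject anything that is not one balanced filter."""
    s = template.replace("%uid", login)
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError(f"unbalanced filter: {len(s) - end} unconsumed char(s)")
    return node


def filter_is_valid(template):
    try:
        compile_filter(template, "probe")
        return True
    except ValueError:
        return False


def _matches(node, entry):
    op, body = node
    if op == "&":
        return all(_matches(c, entry) for c in body)
    if op == "|":
        return any(_matches(c, entry) for c in body)
    if op == "!":
        return not _matches(body[0], entry)
    attr, value = body
    lowered = {k.lower(): v for k, v in entry.items()}  # LDAP attr names are case-insensitive
    actual = lowered.get(attr)
    return actual is not None and actual.lower() == value.lower()


class LdapBackend:
    """Stand-in for user_ldap: a login filter plus the attribute that becomes
    the Nextcloud username ('Internal Username Attribute' in expert settings)."""

    def __init__(self, directory, login_filter, internal_username_attr):
        self.directory = directory
        self.login_filter = login_filter
        self.attr = internal_username_attr.lower()

    def internal_username(self, entry):
        return {k.lower(): v for k, v in entry.items()}[self.attr]

    def check_password(self, login):
        """Direct login: anything the login filter matches resolves to the entry,
        and the session then runs under that entry's internal username."""
        node = compile_filter(self.login_filter, login)
        hits = [e for e in self.directory if _matches(node, e)]
        return self.internal_username(hits[0]) if len(hits) == 1 else None

    def user_exists(self, uid):
        """The question user_saml asks: is uid an existing internal username?
        Assumed exact match; the login filter plays no part here."""
        return any(self.internal_username(e) == uid for e in self.directory)


def saml_login(backend, assertion, uid_attribute, require_existing=True):
    """user_saml takes one assertion attribute as the uid. With the 'only allow
    if account exists' option on, an unknown uid is refused; with it off, a
    fresh user owned by the SAML backend is created under that uid."""
    uid = assertion[uid_attribute]
    if backend.user_exists(uid):
        return ("ldap", uid)
    if require_existing:
        return ("denied", "Account not provisioned.")
    return ("saml-new", uid)


# Constructed attribute statement as the IdP might send it (assumed names).
ASSERTION = {"user.email": "jdoe@example.com", "user.username": "jdoe"}

if __name__ == "__main__":
    print(filter_is_valid(POSTED_FILTER), filter_is_valid(LOGIN_FILTER))
    by_sam = LdapBackend(DIRECTORY, LOGIN_FILTER, "sAMAccountName")
    by_mail = LdapBackend(DIRECTORY, LOGIN_FILTER, "mail")
    print(by_sam.check_password("jdoe@example.com"))           # direct login resolves to jdoe
    print(saml_login(by_sam, ASSERTION, "user.email"))         # email vs jdoe: denied
    print(saml_login(by_sam, ASSERTION, "user.username"))      # send the username: ldap
    print(saml_login(by_mail, ASSERTION, "user.email"))        # or make mail the internal name
    print(saml_login(by_sam, ASSERTION, "user.email", False))  # check off: duplicate SAML user
```

The model shows why direct LDAP login can work with an e-mail address while SSO still fails: the login filter accepts the address, but the account's internal username is something else, so the SAML-supplied value never equals an existing user. `occ user:list` prints the internal usernames the LDAP backend has actually assigned; the value the IdP sends in the attribute chosen as the SAML uid must match one of them character for character. Two caveats worth checking before changing settings: the internal username attribute only affects LDAP users mapped after the change, not accounts already mapped over the past year, and the pasted filter has two unmatched closing parentheses, so the copy in the post is not what the server would accept as-is.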