Nextcloud, LDAP, and Duo -- Help

Hi all,
I have been battling Nextcloud for the past two weeks and am feeling beyond hopeless at this point. My bosses have given me a series of requirements: get Nextcloud installed into our network, and integrate Duo into it. We have individuals we occasionally contract out into SCIFs, so Duo needs to work with the hardware tokens as an option for those that can't push to their phone for 2FA.

As some of you know, Nextcloud and Duo don't exactly play well. I've seen Chris' experiment and tried installing it, but it doesn't do anything upon installing the patch. The login page never prompts for Duo. I assume this is because it's over a year old and just outdated.

So I tested the TOTP thing, and Duo allows me to scan the barcode and use it as a third-party app, but that does not work for the people who need to be prompted for hardware tokens.

Finally I tried the LDAP proxy solution. I already had LDAP sync working with Nextcloud, so I figured it'd be the best solution. And it is so close to being the best solution. It auto-pushes, with the option to add the hardware token to the password with whichever delimiter I choose (and I tested it and it worked!). I thought it was perfect and I was done. Until I started messing with my profile and realized that I started getting Duo prompts about every 5 minutes. Which means that the Nextcloud LDAP sync is reauthenticating and prompting the Duo authentication. Which also means the SCIF individuals would be kicked off Nextcloud for failure to authenticate after 5 minutes of being logged in, since they won't see the push.

Some people may suggest using another platform in either department. My company is insisting on needing Nextcloud. It is a solution for large data transfers (too large for email) between our contracting companies that doesn't require them needing accounts in our network. Duo is something we are too far invested in at this point to just start buying some other company's hardware tokens or to just swap 2FA providers. My company chose to go with them to meet 2FA for NIST reasons prior to me being employed, and has it integrated in nearly everything at this point, as well as having purchased their hardware tokens…

So here I am, out of options. I can go many paths with this but need help with whichever path. I have hit my breaking point and the maximum of my capabilities.

Option 1: I need help installing Chris' experimental solution. Has someone else got his working recently? Am I doing something wrong? Or is it just outdated and doesn't work on the newer Nextcloud versions?

Option 2: I keep my current LDAPS solution but somehow fix Nextcloud/LDAP to not prompt Duo every 5 minutes. Whether it's stopping Nextcloud from reauthenticating so often, or some kind of cookie state/credential saving so it doesn't prompt my LDAP server (above my experience/knowledge).

Option 3: something new entirely. One other path I looked into was to edit the Nextcloud configuration to play with Duo. Duo has some documentation on snippets to put into web pages, but I can't figure out Nextcloud's code to figure out where to put it.

I could go down any path as long as I get something that works in the end.

What are you actually referring to?

That's the one! I tried installing it with no luck. The patch takes and everything (verified it), but the Duo window never prompts at login.

I would check the log files to see if I can find anything interesting which can be fixed easily. If that does not work, you probably need to work on the app directly. In theory, Duo gives some documentation about their solution, and a number of pages have implemented it:


and they have a PHP library:

@ChristophWurst can perhaps estimate how much time it would take to fully implement this. Or can give you some hints when you want to implement it yourself.

Thanks for your assistance thus far. I currently don't have Chris' solution installed because I wasn't having any luck and went pursuing other routes. His solution was the first one I tried. I can try reinstalling it if that seems to be the best route and the recommendation of the people here.

My current setup is the Duo LDAPS Proxy, which is working great except for one small factor. I log into Nextcloud with my Active Directory (AD) account, which is configured to push to my Duo LDAP proxy. The proxy authenticates to the Active Directory and, if accepted, pushes to Duo for an auto-push or hardware token acceptance if the password had the delimiter. When the user accepts (or if the hardware token is correct), Duo accepts and sends back to the proxy, which sends back to Nextcloud.

This is all functioning correctly. The one small factor is that after I log in, it apparently periodically re-requests authorization. So I will be working within Nextcloud and all of a sudden get a prompt for Duo from the LDAP proxy. It will not load the file/page until I accept. This leads me to believe that Nextcloud is resending authorization packets periodically, which triggers the whole authentication process again, and since the user has no option to add a delimiter on the automatic authentication, it auto-pushes to the phone. Which is an issue for SCIF people. They can't re-authenticate and therefore will be kicked off.

Is there any way of configuring Nextcloud to not re-request authorization until the user logs off? Or to use some kind of cookie so it at least doesn’t go to the LDAP proxy for re-authorization? Would a single sign on solution be the answer here? Or is there a way to use the LDAP proxy for initial login and the actual AD for reauthentication requests?

I've looked on Duo's end for a way to not send the authorization after X minutes, but the option does not exist for LDAP authentication.

Also, to reply to your comment, I've seen the PHP library documentation. It's what I was referring to here: "One other path I looked into was to edit the Nextcloud configuration to play with Duo. Duo has some documentation on snippets to put into web pages, but I can't figure out Nextcloud's code to figure out where to put it."

Do you know where I would place those code lines? I spent roughly a day trying to figure out that part before proceeding to the LDAP proxy route. I am having a rough time deciphering how the Nextcloud code works, since the functions are all over the place and refer to a bunch of different files.

What about using a YubiKey as your MFA hardware token? I have my Nextcloud set up to use U2F and have registered my YubiKey to allow MFA login. Keeps Duo out of the equation. Not that there is anything wrong with Duo…

As they provide detailed setup guides and other products have managed to implement this, it should be possible. What I really don't know is how much effort is still needed to fully support this. Possibly 90% of the work is done… Ideally, it needs a developer using this system.

Swapping entirely is not an option, but I do recall seeing YubiKey supported by Duo. I'll have to look for it again, but I'm about 90% sure I read that somewhere in the Duo documentation.

If that is the answer, it'd be hard to get management to buy off on another purchase, but I'm quickly running out of options.

Duo does support YubiKeys. The only reason for suggesting the YubiKey with Nextcloud is that the (free) U2F plugin for Nextcloud supports the YubiKey out of the box. Pretty easy. List price for the U2F YubiKey is $20, $40 for the multi-function YubiKey.

I get your point about “buying something else”.

How about using SAML in Nextcloud? I have some experience with Duo, although it's been a few years. But on all the authentication front, I would suggest using federated authentication like SAML.

If you have a Windows AD, I would suggest using AD FS and connecting Duo to that. Florian wrote a great article on this:
https://rephlex.de/blog/2018/04/05/how-to-connect-nextcloud-to-active-directory-using-ad-fs-without-losing-your-mind/

You are so awesome. I had another person suggest this on a different post through another community site and was looking into it. Thank you for the article. I will try that this weekend!

I got this up and going through the SAML solution. This has been an acceptable solution for our needs! Thank you so much everyone for your help. The article provided by Dennis helped tremendously.

I have followed that article and it doesn't work for me; I can't get past the "account not provisioned" error. Any ideas?

Please post replies in English unless it’s the https://help.nextcloud.com/c/international category.

I have an issue with SSO in Nextcloud.
Protocol Name:
Saml

Relying Party:
https://nextcloud.mydomain/index.php/apps/user_saml/saml/metadata

Exception details:
Microsoft.IdentityServer.Service.IssuancePipeline.CallerAuthorizationException: MSIS5007: The caller authorization failed for caller identity mydomain\admin for relying party trust https://nextcloud.mydomain/index.php/apps/user_saml/saml/metadata.
at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)
at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet, List`1 additionalClaims)
at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, List`1 additionalClaims)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

More information for the event entry with Instance ID 06d1220c-331f-4a25-906e-310dcf05a2b3. There may be more events with the same Instance ID with more information.

Instance ID:
06d1220c-331f-4a25-906e-310dcf05a2b3

Caller identity:
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant
2020-01-23T16:53:04.397Z
http://schemas.microsoft.com/claims/authnmethodsproviders
WindowsAuthentication
http://schemas.microsoft.com/ws/2017/04/identity/claims/riskscore
notevaluated
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/implicitupn
admin@mydomain.com
http://schemas.microsoft.com/ws/2014/01/identity/claims/accountstore
AD AUTHORITY
http://schemas.microsoft.com/ws/2014/01/identity/claims/anchorclaimtype
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname

@Dennis_J_y_M

It looks like you have it talking correctly, so certs and all that are right. However, based on the error, it isn't relating the call to an identity (user).

I know I had some issues setting this up around the identity as well and it was because the instructions were not in English and clear. In that link above, there is a part immediately after setting this: https://nextcloud.testdomain.local/nextcloud/index.php/apps/user_saml/saml/acs

which has a series of pictures but no text; you are editing the claim rules here. In that section, you are setting two different claim rules. Make sure that is right. I overlooked that my first time since it wasn't super clear, and threw everything into one rule.

I had to walk through it step by step and compare to the guide. I recommend doing the same and ensuring everything is exact. When everything was right, it worked like a charm.
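One way to do that step-by-step comparison without clicking through the AD FS console, as an added example that is not from this thread or from the linked article: dump the relying party trust's issuance authorization rules and claim (transform) rules with the AD FS PowerShell module and check them against the guide. It assumes you run it on the AD FS server as an administrator; the relying party identifier is the one from the MSIS5007 event above, and the rule-counting regex is a rough heuristic.

```powershell
# Added example (not from the thread): inspect the AD FS relying party trust
# named in the MSIS5007 "caller authorization failed" event. Assumes an
# elevated PowerShell session on the AD FS server.
Import-Module ADFS

# Identifier exactly as it appears in the event's "Relying Party" field.
$rpId = 'https://nextcloud.mydomain/index.php/apps/user_saml/saml/metadata'
$rp = Get-AdfsRelyingPartyTrust -Identifier $rpId
if (-not $rp) { throw "No relying party trust with identifier $rpId" }

# MSIS5007 means the issuance authorization rules produced no permit claim
# for the caller. An empty rule set denies every user.
'--- Issuance authorization rules ---'
if ([string]::IsNullOrWhiteSpace($rp.IssuanceAuthorizationRules)) {
    'NONE: no user can be authorized for this trust'
} else {
    $rp.IssuanceAuthorizationRules
}

# The guide configures two separate claim rules; a single merged rule is the
# mistake described above.
'--- Issuance transform (claim) rules ---'
$rp.IssuanceTransformRules

# Rough count of transform rules: each rule in claim-rule language has one
# "=> issue(" clause.
$ruleCount = ([regex]::Matches($rp.IssuanceTransformRules, '=>\s*issue\(')).Count
"Transform rules found: $ruleCount (guide expects 2)"

# Remedy for an empty authorization rule set: the standard "Permit all users"
# rule. Review before applying; it is commented out on purpose.
# $permitAll = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
# Set-AdfsRelyingPartyTrust -TargetIdentifier $rpId -IssuanceAuthorizationRules $permitAll
```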

Please post your problems at https://help.nextcloud.com/c/apps/user-saml.

Thanks, I was able to resolve the issue.