Nextcloud, LDAP, and Duo -- Help

What about using a Yubikey as your MFA hardware token? I have my Nextcloud set up to use U2F and have registered my Yubikey to allow MFA login. Keeps Duo out of the equation. Not that there is anything wrong with Duo…

As they provide detailed setup guides and other products managed to implement this, it should be possible. What I really don’t know is how much effort is still needed to fully support this. Possibly 90% of the work is done… Ideally, it needs a developer using this system.

Swapping entirely is not an option but I do recall seeing Yubikey supported by Duo. I'll have to look for it again but I'm about 90% sure I read that somewhere in Duo documentation.

If that is the answer, it'd be hard to get management to buy off on another purchase but I'm quickly running out of options.

Duo does support Yubikeys. The only reason for suggesting the Yubikey with Nextcloud is that the (free) U2F Plugin for Nextcloud supports the Yubikey out of the box. Pretty easy. List price for the U2F Yubikey is $20, $40 for the multi function Yubikey.

I get your point about “buying something else”.

How about using SAML in Nextcloud? I have some experience with Duo, although it's been a few years. But on all the authentication front, I would suggest using federated authentication like SAML.

If you have a Windows AD, I would suggest using ADFS and connecting Duo to that. Florian wrote a great article on this:
https://rephlex.de/blog/2018/04/05/how-to-connect-nextcloud-to-active-directory-using-ad-fs-without-losing-your-mind/

You are so awesome. I had another person suggest this on a different post through another community site and was looking into it. Thank you for the article. I will try that this weekend!

I got this up and going through the SAML solution. This has been an acceptable solution for our needs! Thank you so much, everyone, for your help. The article provided by Dennis helped tremendously.

I have followed that article and it doesn't work for me; I can't get past the "account not provisioned" error. Any ideas?

Please post replies in English unless it’s the https://help.nextcloud.com/c/international category.

I have an issue with SSO on Nextcloud.
Protocol Name:
Saml

Relying Party:
https://nextcloud.mydomain/index.php/apps/user_saml/saml/metadata

Exception details:
Microsoft.IdentityServer.Service.IssuancePipeline.CallerAuthorizationException: MSIS5007: The caller authorization failed for caller identity mydomain\admin for relying party trust https://nextcloud.mydomain/index.php/apps/user_saml/saml/metadata.
at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
at Microsoft.IdentityModel.Threading.TypedAsyncResult1.End(IAsyncResult result) at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList1& identityClaimSet, List1 additionalClaims) at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, List1 additionalClaims)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

More information for the event entry with Instance ID 06d1220c-331f-4a25-906e-310dcf05a2b3. There may be more events with the same Instance ID with more information.

Instance ID:
06d1220c-331f-4a25-906e-310dcf05a2b3

Caller identity:
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant
2020-01-23T16:53:04.397Z
http://schemas.microsoft.com/claims/authnmethodsproviders
WindowsAuthentication
http://schemas.microsoft.com/ws/2017/04/identity/claims/riskscore
notevaluated
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/implicitupn
admin@mydomain.com
http://schemas.microsoft.com/ws/2014/01/identity/claims/accountstore
AD AUTHORITY
http://schemas.microsoft.com/ws/2014/01/identity/claims/anchorclaimtype
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname

@Dennis_J_y_M

It looks like you have it talking correctly so certs and all that is right. However, based on the error it isn’t relating the call to an identity (user).

I know I had some issues setting this up around the identity as well and it was because the instructions were not in English and clear. In that link above, there is a part immediately after setting this: https://nextcloud.testdomain.local/nextcloud/index.php/apps/user_saml/saml/acs

which has a series of pictures but no text; you are editing the claim rules here. In that section, you are setting two different claim rules. Make sure that is right. I overlooked that my first time since it wasn't super clear and threw everything into one rule.

I had to walk through step by step and compare to the guide. I recommend doing the same and ensuring everything is exact. When everything is right it worked like a charm.

Please post your problems at https://help.nextcloud.com/c/apps/user-saml.

Thanks, I was able to resolve the issue.

In case there is still any interest in Duo two-factor auth, I just got this working on our system (version 18.0.1) using the app from @ChristophWurst and am pretty pleased with it. I took some rough notes on what I did to get this to work. It requires a bit of fiddling around with things, but once it works it's pretty nice. Below is a link to my notes. I don't claim that what I did is correct by any measure (or even good), only that it works for me currently. I also don't make any promises that I did not forget to note something that I did, but I believe it is pretty complete, and I thought I would share it just in case it might be helpful to someone else.

https://aldentorchfinancial.box.com/s/142jx3ej9cxprmgcrh1fqmohaf0s9wu2

Thanks for the notes, they were a great help in getting Duo 2FA working here!

OK, I tried this with NC19 and got it working up to the point after entering the password, where the Duo challenge is supposed to start, but no Duo challenge is sent and it is not even logged in the Duo security backend…

@perler, it seems like there is an error that is preventing the iFrame from being generated with the Duo challenge, which is why you only see the blank area for the challenge and nothing on the Duo logs.

I would recommend that you check the Nextcloud log file for errors, maybe searching on twoFactor_duo or TwoFactorDuo. It should give you an indication of what the error(s) are, which would point you in the direction of what to look into.

Thank you @kbundy for the notes! I wish this would have been documented like you did in the first place.

@perler, check your Application Key (akey); if you look at the source code of your page, it probably states that your key is not 40 characters (minimum). I had the same problem and it went away by extending the akey (value doesn't matter).

Now I only have one problem left, which is an auto-logout after 5 minutes. Did you also experience this?
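An added illustration (Python, not code from this thread or from the twofactor_duo app) of why the akey must be at least 40 characters and why its value is arbitrary. It is my reconstruction of the application-side half of the Duo Web SDK v2 signing scheme: the akey signs and verifies only the "APP" portion of the signed request, which round-trips through the browser and is checked by your own server, so it never goes to Duo and can be any locally generated secret. The function names, the 40-character minimum, the one-hour expiry and the sample ikey are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

AKEY_MIN_LEN = 40   # minimum akey length the Duo Web SDK v2 enforces (assumed here)
APP_PREFIX = "APP"  # prefix of the application-side half of the signed request
APP_EXPIRE = 3600   # seconds the application signature stays valid (assumed SDK default)


def generate_akey() -> str:
    """Make a fresh app-local akey: 20 random bytes as 40 hex chars. Never sent to Duo."""
    return secrets.token_hex(20)


def check_akey(akey: str) -> bool:
    """The check performed before signing: any string of 40+ characters passes."""
    return isinstance(akey, str) and len(akey) >= AKEY_MIN_LEN


def sign_app(akey: str, username: str, ikey: str, now: Optional[int] = None) -> str:
    """APP cookie: 'APP|base64(user|ikey|exp)|hmac_sha1(akey, 'APP|base64')'.
    Usernames must not contain '|' since it is the field separator."""
    if not check_akey(akey):
        raise ValueError(f"akey must be at least {AKEY_MIN_LEN} characters")
    exp = (now if now is not None else int(time.time())) + APP_EXPIRE
    payload = base64.b64encode(f"{username}|{ikey}|{exp}".encode()).decode()
    cookie = f"{APP_PREFIX}|{payload}"
    sig = hmac.new(akey.encode(), cookie.encode(), hashlib.sha1).hexdigest()
    return f"{cookie}|{sig}"


def verify_app(akey: str, ikey: str, app_sig: str, now: Optional[int] = None) -> Optional[str]:
    """Return the username if the APP cookie is authentic, for our ikey and unexpired; else None."""
    parts = app_sig.split("|")
    if len(parts) != 3 or parts[0] != APP_PREFIX:
        return None
    prefix, payload, sig = parts
    expected = hmac.new(akey.encode(), f"{prefix}|{payload}".encode(), hashlib.sha1).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    try:
        user, u_ikey, exp = base64.b64decode(payload).decode().split("|")
        expires_at = int(exp)
    except (ValueError, UnicodeDecodeError):      # binascii.Error is a ValueError
        return None
    ts = now if now is not None else int(time.time())
    if u_ikey != ikey or ts >= expires_at:
        return None
    return user
```

A 20-character ikey reused as the akey fails `check_akey`, while a locally generated value of 40 or more characters passes.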

I've set this up following the instructions here.

I'm seeing the exact same thing as @perler:
Getting a blank Duo screen with nothing being sent or logged on Duo's end.

Extending the AKEY to 40 characters gives me an authentication error. I'm currently using the IKEY value as the AKEY value. I tried swapping the SKEY value in there since it's 40 characters and get the same authentication error. So I went back to the IKEY.

Checking the logs as suggested by @kbundy and searching for twoFactor_duo and TwoFactorDuo come up with nothing, although searching for just “Duo” does return this for a result.

{"reqId":"Y6KnLqaPuRWQVn2S5ffe","level":0,"time":"November 06, 2021 14:30:07","remoteAddr":"IPADDRESS","user":"USER","app":"files_sharing","method":"GET","url":"/index.php/login/challenge/duo","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40","version":"21.0.1.1"}

{"reqId":"iuCFFpRWTa2At1ku9ig6","level":3,"time":"November 06, 2021 14:32:52","remoteAddr":"IPADDRESS","user":"USERNAME","app":"core","method":"GET","url":"/index.php/login/selectchallenge?redirect_url=/index.php/apps/dashboard/","message":"two-factor auth provider 'duo' failed to load","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40","version":"21.0.1.1"}

From my understanding the deprecated error is simply a warning for the dev and doesn’t affect functionality.

The other, “failed to load” doesn’t really give me much to go off of as to why or why not.

Any tips?
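A small triage helper for the Nextcloud log format quoted above, added here as an example (it is not from the thread or from Nextcloud): it parses the JSON log lines, keeps only Duo-related entries, and applies Nextcloud's level numbering (0 debug, 1 info, 2 warning, 3 error, 4 fatal) so the level-0 deprecation notice is separated from the level-3 "failed to load" error, and lets you pull every line that shares the error's reqId. The sample lines are the two from the post above; the function names are my own.

```python
import json
from typing import Dict, List

# Nextcloud log levels ('loglevel' in config.php): 0 debug, 1 info, 2 warning, 3 error, 4 fatal
LEVEL_NAMES = {0: "debug", 1: "info", 2: "warning", 3: "error", 4: "fatal"}
DUO_MARKERS = ("duo", "twofactor_duo")


def parse_log(log_text: str) -> List[dict]:
    """Parse one JSON object per line; lines that are not JSON (wrapped text) are skipped."""
    entries = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            entries.append(json.loads(raw))
        except json.JSONDecodeError:
            continue
    return entries


def is_duo_related(entry: dict) -> bool:
    haystack = " ".join(str(entry.get(k, "")) for k in ("app", "url", "message")).lower()
    return any(marker in haystack for marker in DUO_MARKERS)


def triage(log_text: str, min_level: int = 2) -> List[Dict[str, str]]:
    """Duo-related entries at or above min_level (default: warning and up)."""
    findings = []
    for entry in parse_log(log_text):
        level = int(entry.get("level", 0))
        if is_duo_related(entry) and level >= min_level:
            findings.append({"level": LEVEL_NAMES.get(level, str(level)),
                             "reqId": entry.get("reqId", ""),
                             "url": entry.get("url", ""),
                             "message": entry.get("message", "")})
    return findings


def same_request(log_text: str, req_id: str) -> List[dict]:
    """All entries sharing a reqId: companion lines often carry the exception behind an error."""
    return [e for e in parse_log(log_text) if e.get("reqId") == req_id]


# The two lines quoted in the post above (user and IP already redacted by the poster).
SAMPLE_LOG = r'''
{"reqId":"Y6KnLqaPuRWQVn2S5ffe","level":0,"time":"November 06, 2021 14:30:07","remoteAddr":"IPADDRESS","user":"USER","app":"files_sharing","method":"GET","url":"/index.php/login/challenge/duo","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40","version":"21.0.1.1"}
{"reqId":"iuCFFpRWTa2At1ku9ig6","level":3,"time":"November 06, 2021 14:32:52","remoteAddr":"IPADDRESS","user":"USERNAME","app":"core","method":"GET","url":"/index.php/login/selectchallenge?redirect_url=/index.php/apps/dashboard/","message":"two-factor auth provider 'duo' failed to load","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Edg/95.0.1020.40","version":"21.0.1.1"}
'''
```

Run `triage(open("nextcloud.log").read())` against the real file; only the level-3 "failed to load" entry survives the default filter, and `same_request` on its reqId shows whether any companion line explains why the provider did not load.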