Nextcloud, LDAP, and Duo -- Help

Also to reply to your comment, I’ve seen the PHP library documentation. Its what I was referring to here “One other path I looked into was to edit Nextcloud configuration to play with Duo. Duo has some documentation on snippits to put into web pages, but I can’t figure out Nextclouds code to figure out where to put it”

Do you know where I would place those code lines at? I spent roughly a day trying to figure out that part before proceeding to the LDAP proxy route. I am having a rough time deciphering how the code is working for nextcloud since the functions are all over the place and refer to a bunch of different files.

What about using a Yubikey as your MFA Hardware token ? I have my Nextcloud sent up to use U2F an have registered my Yubikey to allow MFA login. Keeps Duo out of the equation. Not that there is anything wrong with Duo…

As they provide detailed setup guides and other products managed to implement this, it should be possible. What I really don’t know is how much effort is still needed to fully support this. Possibly 90% of the work is done… Ideally, it needs a developer using this system.

Swapping entirely is not an option but I do recall seeing Yubikey supported by Duo. Ill have to look for it again but I’m about 90% sure I read that somewhere in Duo documentation.

If that is the answer, it’d be hard to get management to buy off on another purchase but im quickly running out of options.

Duo does support Yubikeys. The only reason for suggesting the Yubikey with Nextcloud is that the (free) U2F Plugin for Nextcloud supports the Yubikey out of the box. Pretty easy. List price for the U2F Yubikey is $20, $40 for the multi function Yubikey.

I get your point about “buying something else”.

how about using SAML in nextcloud? I have some experience with duo, although its been a few years. But on allt he authentication front, I would suggest using federative authentication like SAML.

If you have a Windows AD, i would suggest using ADFS and connect duo on that, Florian wrote a great article on this:
https://rephlex.de/blog/2018/04/05/how-to-connect-nextcloud-to-active-directory-using-ad-fs-without-losing-your-mind/

You are so awesome. I had another person suggest this one a different post through another community site and was looking into it. Thank you for the article. I will try that this weekend!

I got this up and going through the SAML solution. This has been an acceptable solution for our needs! thank you so much everyone for your help. The article provided by dennis helped tremendously.

He seguido ese articulo y no me va no paso del error de cuenta no provisionada alguna idea?

Please post replies in English unless it’s the https://help.nextcloud.com/c/international category.

I have a issue with sso nextcloud
Protocol Name:
Saml

Relying Party:
https://nextcloud.mydomain/index.php/apps/user_saml/saml/metadata

Exception details:
Microsoft.IdentityServer.Service.IssuancePipeline.CallerAuthorizationException: MSIS5007: The caller authorization failed for caller identity mydomain\admin for relying party trust https://nextcloud.mydomain/index.php/apps/user_saml/saml/metadata.
at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
at Microsoft.IdentityModel.Threading.TypedAsyncResult1.End(IAsyncResult result) at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList1& identityClaimSet, List1 additionalClaims) at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, List1 additionalClaims)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

More information for the event entry with Instance ID 06d1220c-331f-4a25-906e-310dcf05a2b3. There may be more events with the same Instance ID with more information.

Instance ID:
06d1220c-331f-4a25-906e-310dcf05a2b3

Caller identity:
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant
2020-01-23T16:53:04.397Z
http://schemas.microsoft.com/claims/authnmethodsproviders
WindowsAuthentication
http://schemas.microsoft.com/ws/2017/04/identity/claims/riskscore
notevaluated
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/implicitupn
admin@mydomain.com
http://schemas.microsoft.com/ws/2014/01/identity/claims/accountstore
AD AUTHORITY
http://schemas.microsoft.com/ws/2014/01/identity/claims/anchorclaimtype
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname

@Dennis_J_y_M

It looks like you have it talking correctly so certs and all that is right. However, based on the error it isn’t relating the call to an identity (user).

I know I had some issues setting this up around the identity as well and it was because the instructions were not in English and clear. In that link above, there is a part immediately after setting this: https://nextcloud.testdomain.local/nextcloud/index.php/apps/user_saml/saml/acs

which has a series of pictures but no text; you are editing the claims rules here. In that section, you are setting two different claim rules. make sure that is right. I overlooked that my first time since it wasn’t supper clear and threw everything into one rule.

I had to walk through step by step and compare to the guide. I recommend doing the same and ensuring everything is exact. When everything is right it worked like a charm.

Please post your problems at https://help.nextcloud.com/c/apps/user-saml.

Thanks I can resolved the issue

In case there is still any interest in Duo two-factor auth, I just got this working on our system (version 18.0.1) using the app from @ChristophWurst and am pretty pleased with it. I took some rough notes on what I did to get this to work. It requires a bit of fiddling around with things, but once it works its pretty nice. Below is a link to my notes, I don’t claim that what I did is correct by any measure (or even good) only that it works for me currently. I also don’t make any promises that I did not forget to note something that I did, but I believe it is pretty complete, and I thought I would share it just in case it might be helpful to someone else.

https://aldentorchfinancial.box.com/s/142jx3ej9cxprmgcrh1fqmohaf0s9wu2

Thanks for the notes, they were a great help in getting Duo 2FA working here :grinning:!

ok, I tried this with NC19 and got it working up to the point after entering the password, where the duo challenge is supposed to start

- but no duo challenge is sent and not even logged in the duo security backend…

@perler, it seems like there is an error that is preventing the iFrame from being generated with the Duo challenge, which is why you only see the blank area for the challenge and nothing on the Duo logs.

I would recommend that you check the Nextcloud log file for errors, maybe searching on twoFactor_duo or TwoFactorDuo. It should give you an indication of what the error(s) are, which would point you in the direction of what to look into.

Thank you @kbundy or the notes! I wish this would have been documented like you did in the first place.

@perler check your Application Key (akey), if you look at the source code of your page, it probably states that your key is not 40 characters (minimum). I had the same problem and it went away by extending the akey (value doesn’t matter).

Now I only have one problem left, is an auto-log out after 5 minutes. Did you also experience this?