Nextcloud LDAP + SAML SSO = Duplicating User Accounts with Underscore and Digits in Name

Hello all,

I'm new here and I'm writing because I have a problem in my Nextcloud that unfortunately I can't get fixed myself this time. Info on the side: I'm using the newest version of Nextcloud.

I am currently trying to find out why user accounts created in Univention LDAP via SSO/SAML simplePHP login are created twice in Nextcloud. Basically my case is similar to this one: Nextcloud & SSO appearing duplicate accounts for the same user, anyway to map/merge them?

But for me the whole thing looks like this:

Once the user is created and the first login in Nextcloud via SAML/SSO happens, the UID / account name of the newly generated user will be wrong in Nextcloud. It gets a suffix with an underscore and random numbers (but the mapped attributes like displayname, email address and groups are correct).

If that happens (account with suffix in name), I'll find a duplicate of the same account in my Nextcloud but with the correct UID / account name (no suffix in name). The duplicate has the correct name, but misses all attributes that should be mapped due to the first login (displayname, email address and groups are empty) - see screenshots above.

I have never had this problem until Nextcloud 25 and have not reconfigured anything in my LDAP and SAML settings since then. Does anyone have a hint for me on how to debug this? I am on the verge of despair with this problem.

Even weirder: if I create 10 users in Univention (with usernames that never existed before in LDAP and Nextcloud), then about 2 out of 10 users are created WITHOUT the error, i.e., UID, displayname, email and group mappings match and no duplicate of the account is created in Nextcloud. How can this be? It seems like this error happens sporadically, but goes wrong more often than it works.

I wouldn't care about the bug if the SAML login logged into the user with the suffix, but it always logs into the user without the underscore and numbers, leaving the user without displayname, email and group mapping.

With the request for help

Thank you a lot.

Hi @nova, welcome to the forum :handshake:

I would recommend you take a closer look at the logs. You might need to adapt the log level.

  • review your logs
  • possibly adapt log levels
  • reproduce the issue
  • analyze the logs (compare good/bad cases)
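To make the "compare good/bad cases" step concrete, here is an added example (not code from the thread or from Nextcloud itself) that reads Nextcloud's JSON-lines log, keeps only the `user_saml` and `user_ldap` entries, groups them by request ID so one SAML login can be followed end to end, and flags account IDs that look like the `name_1234` duplicates described above. The log lines embedded below are constructed for illustration; the field names (`reqId`, `level`, `app`, `user`, `message`) are the standard keys of `nextcloud.log`, but the message texts are made up and not real Nextcloud output.

```python
import json
import re
from collections import defaultdict

# Account IDs of the form "<base>_<digits>", e.g. "alice_4711".
SUFFIXED = re.compile(r"^(?P<base>.+)_(?P<digits>\d+)$")

# Constructed sample of nextcloud.log (JSON, one object per line).
# Only the key names mirror the real log format; the contents are invented.
SAMPLE_LOG = """\
{"reqId":"r1","level":1,"app":"user_saml","user":"--","message":"constructed: ACS request for nameid alice"}
{"reqId":"r1","level":1,"app":"user_ldap","user":"--","message":"constructed: backend lookup for alice"}
{"reqId":"r1","level":1,"app":"user_saml","user":"alice_4711","message":"constructed: created account alice_4711"}
{"reqId":"r2","level":1,"app":"user_saml","user":"bob","message":"constructed: created account bob"}
{"reqId":"r3","level":2,"app":"core","user":"--","message":"constructed: unrelated entry"}
not json at all
"""


def parse_nextcloud_log(text):
    """Yield one dict per well-formed JSON line; malformed lines are skipped."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw)
        except json.JSONDecodeError:
            continue


def events_by_request(records, apps=("user_saml", "user_ldap")):
    """Group log records of the SSO-related apps by reqId, preserving order.

    One reqId corresponds to one HTTP request, so a single SAML login
    (ACS call, LDAP lookup, account creation) can be read as one story.
    """
    grouped = defaultdict(list)
    for rec in records:
        if rec.get("app") in apps:
            grouped[rec.get("reqId", "?")].append(rec)
    return dict(grouped)


def find_suffixed_duplicates(uids):
    """Return {base_uid: [suffixed uids]} for every base that also exists.

    Given the account list (for instance the output of `occ user:list`),
    this pairs "alice" with "alice_4711" so the good and bad cases can be
    compared. A suffixed ID whose base does not exist is not reported.
    """
    present = set(uids)
    pairs = defaultdict(list)
    for uid in uids:
        m = SUFFIXED.match(uid)
        if m and m.group("base") in present:
            pairs[m.group("base")].append(uid)
    return {base: sorted(v) for base, v in pairs.items()}


def suspicious_requests(text):
    """Return the reqIds in which an account with a numeric suffix appears."""
    grouped = events_by_request(parse_nextcloud_log(text))
    return sorted(
        rid for rid, recs in grouped.items()
        if any(SUFFIXED.match(r.get("user", "")) for r in recs)
    )


if __name__ == "__main__":
    for rid, recs in events_by_request(parse_nextcloud_log(SAMPLE_LOG)).items():
        print(f"== request {rid} ==")
        for r in recs:
            print(f"  [{r['app']}] user={r['user']}: {r['message']}")
    print("duplicates:", find_suffixed_duplicates(["alice", "alice_4711", "bob", "carol_12"]))
    print("suspicious requests:", suspicious_requests(SAMPLE_LOG))
```

Run it against a real `nextcloud.log` by replacing `SAMPLE_LOG` with the file contents; the request that produced a suffixed account can then be compared line by line with a request that produced a clean one, which is exactly the good/bad comparison suggested in the reply.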