SAML: Guide to SimpleSAMLphp or general debugging?

Hello all,

I’m using SimpleSAMLphp as my SP and Drupal as the IdP, which is working with Rocket.Chat and a few other apps.

However, I’m trying to figure out the settings for Nextcloud and simply can’t. Currently, I get:

invalid_response

Not authenticated

The error in my logs is as follows:

May 5 08:13:48 core simplesamlphp[12396]: 5 STAT [2b0b29628d] saml20-idp-SSO https://nextcloud/apps/user_saml/saml/metadata serviceprovider NA
May 5 08:13:48 core simplesamlphp[12396]: 3 [2b0b29628d] Unable to generate NameID. Check the userid.attribute option.
May 5 08:13:48 core simplesamlphp[12396]: 4 [2b0b29628d] Falling back to transient NameID.


Here are my current settings:

No other settings are enabled.

Any thoughts?

Hello all,

While I have been waiting for a response, I’ve successfully set up SAML on Rocket.Chat, Moodle and others. I am still unable to figure out what the problem with Nextcloud’s implementation of SAML is.

I have seen messages by others indicating similar issues after an upgrade.

Documentation relating to problems is poor, and there appears to be no way to debug the module, despite turning debugging to 0 and redirecting to syslog.

The SimpleSAMLphp logs show no problems and appear to be feeding Nextcloud appropriately.

@ConanMalone had the identical problem here, but didn’t report a fix for it. At that time, @LukasReschke reported it was likely a configuration error.

@LukasReschke: Could you comment on how I might further debug the module?

tarek : )

I just upgraded to Nextcloud 12.0 beta and the newest user_saml.

This helped tremendously. At the moment, I get the following error in the logs:

The assertion of the Response is not encrypted and the SP requires it

I have tried to enable encryption with no luck, but at least now I have a direction to work toward!

Any thoughts on what I might be doing wrong?

tarek : )

And finally, after more changes, now I am stuck on this error:

Signature validation failed. SAML Response rejected

Any thoughts on how I could troubleshoot this one?

Thank you,

tarek : )

This likely is related to the fact that we use the strict mode which performs some more sanity and security checks.

If you post a screenshot of your SAML configuration (excluding private keys ;)) and a link to your IdP I may take a quick look to check if the configuration makes sense.

Hi Lukas!

Thank you for this. Here is a screenshot of the best shot at my settings:

The IDP is at: https://emlondon.ca/saml/saml2/idp/metadata.php

Thank you for your help

tarek : )

Hi @LukasReschke. Any thoughts on the above?

tarek : )

Hi @tarek, I am using SimpleSAMLphp as service provider. Could you direct me on how I can make Nextcloud use my existing SimpleSAMLphp service provider instead of its own service provider?

I tried looking in the documentation and got nothing and googled it but without any success.

Thank you in advance.


Hi,

I did end up getting things working with the settings above, except I removed the first line of the certificate, which seems to have fixed my problem. Also, I upgraded to 12.

I’m not sure what exactly the issue you’re having is. I believe that you can use SimpleSAMLphp as SP as well. You just have to fill out the SP section…

I have very little experience with SAML, but I’m happy to try to help if you post a more comprehensive question with your settings and the various config files (anonymized).

tarek : )
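The three SP-side messages quoted in this thread ("The assertion of the Response is not encrypted and the SP requires it", "Signature validation failed. SAML Response rejected") and the fix of dropping the PEM header line from the certificate field all concern facts that are visible in the SAMLResponse itself before any cryptography runs. The following inspector is an added example, not code from Nextcloud, user_saml or SimpleSAMLphp. It decodes a SAMLResponse as the browser posts it, reports whether the Response and Assertion are signed, whether the Assertion is encrypted, the NameID format, and the SHA-256 fingerprint of the certificate the IdP embedded, and compares that fingerprint with the certificate configured on the SP. It does not verify the XML signature (that needs xmlsec); the sample response and "certificate" are constructed for the example (the certificate is valid base64 but not a real X.509 blob). The IdP issuer URL is the one given earlier in the thread.

```python
"""Offline SAMLResponse inspector for debugging SP-side rejections (added example)."""
import base64
import hashlib
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


def normalize_cert(text: str) -> str:
    """Bare base64 body of a certificate: PEM armour lines and whitespace removed.
    A single-line certificate field wants this form, not the -----BEGIN----- line."""
    lines = (line.strip() for line in text.strip().splitlines())
    return "".join(line for line in lines if line and not line.startswith("-----"))


def cert_fingerprint(cert: str) -> str:
    """SHA-256 of the DER bytes as colon-separated hex; accepts PEM or bare base64."""
    der = base64.b64decode(normalize_cert(cert), validate=True)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def decode_saml_response(encoded: str) -> bytes:
    """Undo the form encoding: base64 (HTTP-POST), plus raw DEFLATE for HTTP-Redirect."""
    raw = base64.b64decode(encoded)
    if not raw.lstrip().startswith(b"<"):
        raw = zlib.decompress(raw, -15)  # negative wbits = raw DEFLATE, no zlib header
    return raw


def inspect_response(encoded: str) -> dict:
    """Summarise the properties a strict SP checks before it accepts the login."""
    root = ET.fromstring(decode_saml_response(encoded))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError(f"not a samlp:Response but {root.tag}")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    assertion = root.find("saml:Assertion", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS) if assertion is not None else None
    certs = {cert_fingerprint(c.text) for c in root.iter(f"{{{NS['ds']}}}X509Certificate") if c.text}
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "status": status.get("Value", "").rsplit(":", 1)[-1] if status is not None else "missing",
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "assertion_signed": assertion is not None and assertion.find("ds:Signature", NS) is not None,
        "nameid_format": name_id.get("Format", "unspecified") if name_id is not None else None,
        "signing_cert_fingerprints": sorted(certs),
    }


def diagnose(report: dict, expected_idp_cert: str = "") -> list:
    """Map the summary onto the SP error messages quoted in this thread."""
    hints = []
    if not report["assertion_encrypted"]:
        hints.append("Assertion is clear text: an SP configured to require encrypted assertions "
                     "fails with 'The assertion of the Response is not encrypted and the SP requires it'.")
    if not (report["response_signed"] or report["assertion_signed"]):
        hints.append("Neither Response nor Assertion carries a signature; a strict SP rejects it.")
    if expected_idp_cert:
        expected = cert_fingerprint(expected_idp_cert)
        if report["signing_cert_fingerprints"] and expected not in report["signing_cert_fingerprints"]:
            hints.append(f"Signing cert {report['signing_cert_fingerprints']} is not the configured IdP "
                         f"cert {expected}: expect 'Signature validation failed. SAML Response rejected'.")
    if report["nameid_format"] == TRANSIENT:
        hints.append("NameID is transient (cf. 'Falling back to transient NameID' in the IdP log): "
                     "the SP sees a fresh opaque identifier per login unless it maps users by attribute.")
    return hints


# Constructed sample data: valid base64, but not a real certificate or a real IdP signature.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed stand-in for DER certificate bytes").decode()
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + "\n".join(SAMPLE_CERT_B64[i:i + 64] for i in range(0, len(SAMPLE_CERT_B64), 64))
                   + "\n-----END CERTIFICATE-----\n")
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2017-05-05T08:13:48Z">
  <saml:Issuer>https://emlondon.ca/saml/saml2/idp/metadata.php</saml:Issuer>
  <ds:Signature xmlns:ds="{NS['ds']}">
    <ds:SignedInfo/><ds:SignatureValue>c2ln</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-05-05T08:13:48Z">
    <saml:Issuer>https://emlondon.ca/saml/saml2/idp/metadata.php</saml:Issuer>
    <saml:Subject><saml:NameID Format="{TRANSIENT}">_t9f3a</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()  # HTTP-POST form
_deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
SAMPLE_RESPONSE_DEFLATED_B64 = base64.b64encode(  # HTTP-Redirect form of the same message
    _deflater.compress(SAMPLE_RESPONSE_XML.encode()) + _deflater.flush()).decode()

if __name__ == "__main__":
    summary = inspect_response(SAMPLE_RESPONSE_B64)
    for key, value in summary.items():
        print(f"{key}: {value}")
    for hint in diagnose(summary, expected_idp_cert=SAMPLE_CERT_PEM):
        print("-", hint)
```

To use it on a real login, copy the SAMLResponse value from the browser's POST to the SP's ACS URL (developer tools, network tab) into `inspect_response`, and pass the certificate pasted into the SP's IdP certificate field to `diagnose`. A fingerprint mismatch means the SP is checking the signature against a different key than the IdP signs with; `normalize_cert` shows what the single-line certificate field should contain.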

Hi @tarek, thanks for the response. I am new to Nextcloud and SSO in general.
Here what I have:
my service provider is for example in mydomain.de/simplesamlphp
my CMS is for example in mydomain.de/drupal
Whenever a user tries to access our CMS, they must be authenticated via our service provider at mydomain.de/simplesamlphp.

Now I want to do the same thing for Nextcloud, found for example at mydomain.de/nextcloud. Whenever a user tries to access Nextcloud, they must be authenticated via our service provider at mydomain.de/simplesamlphp.

So what I did is enable the user_saml app in Nextcloud, but it seems that the user_saml app itself is a service provider, where I can only define the IdP data and the certificates to be used by the service provider.
And everything works fine: I get connected to the IdP and users are authenticated successfully.

But what I want is a way for Nextcloud to connect to my service provider at mydomain.de/simplesamlphp to authenticate users.

I attached a screenshot of the user_saml configuration.

Looking forward to hearing from you.

Hello Tarek,

This is my configuration (following your example)

But, at the bottom I’ve received a “Metadata Invalid” message.

Is it about the certificates? Am I on the right track?

Regards!

Thanks for your help.

This is the log error when I press “Download metadata XML”