I’m using SimpleSAMLphp as my SP and Drupal as the idp, which is working with rocketchat and a few other apps.
However, I’m trying to figure out the settings for nextcloud and simply can’t. Currently, I get:
invalid_response
Not authenticated
The error in my logs is as follows:
May 5 08:13:48 core simplesamlphp[12396]: 5 STAT [2b0b29628d] saml20-idp-SSO https://nextcloud/apps/user_saml/saml/metadata serviceprovider NA
May 5 08:13:48 core simplesamlphp[12396]: 3 [2b0b29628d] Unable to generate NameID. Check the userid.attribute option.
May 5 08:13:48 core simplesamlphp[12396]: 4 [2b0b29628d] Falling back to transient NameID.
While I have been waiting for a response, I’ve successfully set up SAML on Rocket.chat, Moodle and others. I am still unable to figure out what the problem with nextcloud’s implementation of SAML is.
Documentation relating to problems is poor, and there appears to be no way to debug the module, despite turning debugging to 0 and redirecting to syslog.
The SimpleSAMLphp logs show no problems and appear to be feeding Nextcloud appropriately.
@ConanMalone had the identical problem here, but didn’t report a fix for it. At that time, @LukasReschke reported it was likely a configuration error.
@LukasReschke: Could you comment on how I might further debug the module?
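The two warnings in the log above come from the IdP side: SimpleSAMLphp was told (via the deprecated userid.attribute option) to derive the NameID from an attribute the user did not carry, so it fell back to a transient NameID. The following is an added example, not config from this thread or shipped by SimpleSAMLphp or Nextcloud, of the IdP-hosted and SP-remote metadata that pins the NameID to an attribute with the saml:AttributeNameID filter. The key and certificate file names, the auth source name and the attribute name mail are assumptions; the Nextcloud entity ID is the one from the log line.

```php
<?php
// Added example for a SimpleSAMLphp 1.x IdP; all values marked "assumed" are
// placeholders, not settings taken from the thread.

// --- metadata/saml20-idp-hosted.php -------------------------------------
$metadata['__DYNAMIC:1__'] = [
    'host'        => '__DEFAULT__',
    'privatekey'  => 'server.pem',          // assumed file name
    'certificate' => 'server.crt',          // assumed file name
    'auth'        => 'example-userpass',    // assumed auth source

    // The option named in the log warning. It is only used when no authproc
    // filter has already set a NameID, and when the named attribute is
    // missing the IdP logs "Unable to generate NameID" and uses a
    // transient NameID instead. Leave it out and set the NameID explicitly.
    // 'userid.attribute' => 'uid',

    'authproc' => [
        // Build the NameID from an attribute every user is known to have.
        // Priority 10 is arbitrary; it just has to run after the attribute
        // is populated by the auth source.
        10 => [
            'class'     => 'saml:AttributeNameID',
            'attribute' => 'mail',  // assumed: present for every account
            'Format'    => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        ],
    ],
];

// --- metadata/saml20-sp-remote.php --------------------------------------
// Entity ID as it appears in the STAT log line for the Nextcloud SP.
$metadata['https://nextcloud/apps/user_saml/saml/metadata'] = [
    'AssertionConsumerService' => 'https://nextcloud/apps/user_saml/saml/acs',  // assumed
    'SingleLogoutService'      => 'https://nextcloud/apps/user_saml/saml/sls',  // assumed
    // Advertise the same format the filter above produces, so the SP
    // (which runs php-saml in strict mode) sees a NameID it expects.
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    // Strict SPs validate signatures, so sign assertions as well as responses.
    'saml20.sign.assertion' => true,
    'saml20.sign.response'  => true,
];
```

After changing the IdP metadata, re-run the SSO and confirm that the "Falling back to transient NameID" line no longer appears in the SimpleSAMLphp log for this SP.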
This likely is related to the fact that we use the strict mode which performs some more sanity and security checks.
If you post a screenshot of your SAML configuration (excluding private keys ;)) and a link to your IDP I may take a quick look to check if the configuration makes sense.
Hi @tarek, I am using simplesamlphp as service provider. Could you direct me on how I can make nextcloud use my existing simplesamlphp service provider instead of its own service provider?
I tried looking in the documentation and got nothing, and googled it but without any success.
I did end up getting things working with the settings above, except I removed the first line of the certificate, which seems to have fixed my problem. Also, I upgraded to 12.
I’m not sure what exactly the issue you’re having is. I believe that you can use SimpleSAMLphp as SP as well. You just have to fill out the SP section…
I have very little experience with SAML, but I’m happy to try to help if you post a more comprehensive question with your settings and the various config files (anonymized).
Hi @tarek, thanks for the response. I am new to nextcloud and SSO in general.
Here is what I have:
my service provider is for example in mydomain.de/simplesamlphp
my CMS is for example in mydomain.de/drupal
Whenever the user tries to access our CMS, he must be authenticated via our service provider at mydomain.de/simplesamlphp.
Now I want to do the same thing for nextcloud, found for example at mydomain.de/nextcloud. Whenever the user tries to access nextcloud, he/she must be authenticated via our service provider at mydomain.de/simplesamlphp.
So what I did is that I enabled the user_saml app in nextcloud, but it seems that the user_saml app itself is a service provider, where I can only define IdP data and the certificates that will be used by the service provider.
And everything works fine: I get connected to the IdP and users are authenticated successfully.
But what I want is a way in which nextcloud connects to my service provider at mydomain.de/simplesamlphp to authenticate users.
I attached a screenshot of the user_saml configuration.