SAML SSO and encryption

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • 31.0.5
  • Operating system and version (e.g., Ubuntu 24.04):
    • not relevant
  • Web server and version (e.g, Apache 2.4.25):
    • not relevant
  • Reverse proxy and version (e.g., nginx 1.27.2):
    • not relevant
  • PHP version (e.g, 8.3):
    • not relevant
  • Is this the first time you’ve seen this error? (Yes / No):
    • Yes
  • When did this problem seem to first start?
    • After enabling SAML SSO, user claims normal login works, but the message is not clear
  • Installation method (e.g., AIO, NCP, Bare Metal/Archive, etc.)
    • docker container
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    • not relevant

Summary of the issue you are facing:

I was tasked to enable SSO using Authentik, so I chose SAML for the SSO setup. After enabling SSO, one user claimed that the private key is invalid and a password is therefore needed. The user claims normal login works, but I am not sure if that is the case. I have both server-side and default encryption enabled. How can I resolve this? Is this a bug?

Steps to replicate it (hint: details matter!):

  1. Enable SSO, make sure the normal password and SSO password are different
  2. Use SAML; OIDC can also be tested

Log entries

Nextcloud

{"reqId":"2iXdaSyz6qrV77456Xge","level":3,"time":"2025-06-13T17:04:57+00:00","remoteAddr":"113.211.40.128","user":"Vigneshwaran Ravichandran","app":"text","method":"PROPFIND","url":"/remote.php/dav/files/Vigneshwaran%20Ravichandran/","message":"multikeydecrypt with share key failed:error:1E08010C:DECODER routines::unsupported","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36","version":"31.0.5.1","exception":{"Exception":"OCA\\Encryption\\Exceptions\\MultiKeyDecryptException","Message":"multikeydecrypt with share key failed:error:1E08010C:DECODER routines::unsupported","Code":0,"Trace":[{"file":"/var/www/html/apps/encryption/lib/KeyManager.php","line":396,"function":"multiKeyDecrypt","class":"OCA\\Encryption\\Crypto\\Crypt","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/apps/encryption/lib/Crypto/Encryption.php","line":130,"function":"getFileKey","class":"OCA\\Encryption\\KeyManager","type":"->","args":["/Vigneshwaran Ravichandran/files/Documents/Readme.md","Vigneshwaran Ravichandran",false,false]},{"file":"/var/www/html/lib/private/Files/Stream/Encryption.php","line":228,"function":"begin","class":"OCA\\Encryption\\Crypto\\Encryption","type":"->","args":["/Vigneshwaran Ravichandran/files/Documents/Readme.md","Vigneshwaran Ravichandran","r",{"oc_encryption_module":"OC_DEFAULT_MODULE","cipher":"AES-256-CTR","signed":"true","useLegacyFileKey":"false","encoding":"binary"},{"users":["Vigneshwaran 
Ravichandran"],"public":false}]},{"function":"stream_open","class":"OC\\Files\\Stream\\Encryption","type":"->","args":["ocencryption://","r",0,null]},{"file":"/var/www/html/lib/private/Files/Stream/Encryption.php","line":156,"function":"fopen","args":["ocencryption://","r",false,null]},{"file":"/var/www/html/lib/private/Files/Stream/Encryption.php","line":131,"function":"wrapSource","class":"OC\\Files\\Stream\\Encryption","type":"::","args":[null,null,"ocencryption","OC\\Files\\Stream\\Encryption","r"]},{"file":"/var/www/html/lib/private/Files/Storage/Wrapper/Encryption.php","line":351,"function":"wrap","class":"OC\\Files\\Stream\\Encryption","type":"::","args":[null,"files/Documents/Readme.md","/Vigneshwaran Ravichandran/files/Documents/Readme.md",{"oc_encryption_module":"OC_DEFAULT_MODULE","cipher":"AES-256-CTR","signed":"true","useLegacyFileKey":"false","encoding":"binary"},"Vigneshwaran Ravichandran",{"__class__":"OCA\\Encryption\\Crypto\\Encryption"},{"__class__":"OC\\Files\\Storage\\Wrapper\\Quota","cache":null,"scanner":null,"watcher":null,"propagator":null,"updater":null},{"__class__":"OC\\Files\\Storage\\Wrapper\\Encryption","cache":null,"scanner":null,"watcher":null,"propagator":null,"updater":null},{"__class__":"OC\\Encryption\\Util"},{"__class__":"OC\\Encryption\\File"},"r",8424,136,8192,true]},{"file":"/var/www/html/lib/private/Files/Storage/Wrapper/Encryption.php","line":147,"function":"fopen","class":"OC\\Files\\Storage\\Wrapper\\Encryption","type":"->","args":["files/Documents/Readme.md","r"]},{"file":"/var/www/html/lib/private/Files/Storage/Wrapper/Wrapper.php","line":122,"function":"file_get_contents","class":"OC\\Files\\Storage\\Wrapper\\Encryption","type":"->","args":["files/Documents/Readme.md"]},{"file":"/var/www/html/apps/files_accesscontrol/lib/StorageWrapper.php","line":153,"function":"file_get_contents","class":"OC\\Files\\Storage\\Wrapper\\Wrapper","type":"->","args":["files/Documents/Readme.md"]},{"file":"/var/www/html/lib/private/Files/V
iew.php","line":1210,"function":"file_get_contents","class":"OCA\\FilesAccessControl\\StorageWrapper","type":"->","args":["files/Documents/Readme.md"]},{"file":"/var/www/html/lib/private/Files/View.php","line":554,"function":"basicOperation","class":"OC\\Files\\View","type":"->","args":["file_get_contents","/Vigneshwaran Ravichandran/files/Documents/Readme.md",["read"]]},{"file":"/var/www/html/lib/private/Files/Node/File.php","line":33,"function":"file_get_contents","class":"OC\\Files\\View","type":"->","args":["/Vigneshwaran Ravichandran/files/Documents/Readme.md"]},{"file":"/var/www/html/apps/text/lib/DAV/WorkspacePlugin.php","line":99,"function":"getContent","class":"OC\\Files\\Node\\File","type":"->","args":[]},{"file":"/var/www/html/3rdparty/sabre/dav/lib/DAV/PropFind.php","line":95,"function":"OCA\\Text\\DAV\\{closure}","class":"OCA\\Text\\DAV\\WorkspacePlugin","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/apps/text/lib/DAV/WorkspacePlugin.php","line":89,"function":"handle","class":"Sabre\\DAV\\PropFind","type":"->","args":["{http://nextcloud.org/ns}rich-workspace",{"__class__":"Closure"}]},{"file":"/var/www/html/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"propFind","class":"OCA\\Text\\DAV\\WorkspacePlugin","type":"->","args":[{"__class__":"Sabre\\DAV\\PropFind"},{"__class__":"OC\\Files\\Node\\Folder"}]},{"file":"/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php","line":1052,"function":"emit","class":"Sabre\\DAV\\Server","type":"->","args":["propFind",[{"__class__":"Sabre\\DAV\\PropFind"},{"__class__":"OCA\\DAV\\Connector\\Sabre\\Directory"}]]},{"file":"/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php","line":984,"function":"getPropertiesByNode","class":"Sabre\\DAV\\Server","type":"->","args":[{"__class__":"Sabre\\DAV\\PropFind"},{"__class__":"OCA\\DAV\\Connector\\Sabre\\Directory"}]},{"file":"/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php","line":1664,"function":"getPropertiesIterat
orForPath","class":"Sabre\\DAV\\Server","type":"->","args":["files/Vigneshwaran Ravichandran",["{DAV:}getcontentlength","{DAV:}getcontenttype","{DAV:}getetag","{DAV:}getlastmodified","{DAV:}creationdate","{DAV:}displayname","{DAV:}quota-available-bytes","{DAV:}resourcetype","{http://nextcloud.org/ns}has-preview","{http://nextcloud.org/ns}is-encrypted","{http://nextcloud.org/ns}mount-type","{http://owncloud.org/ns}comments-unread","{http://owncloud.org/ns}favorite","{http://owncloud.org/ns}fileid","{http://owncloud.org/ns}owner-display-name","{http://owncloud.org/ns}owner-id","{http://owncloud.org/ns}permissions","{http://owncloud.org/ns}size","{http://nextcloud.org/ns}hidden","{http://nextcloud.org/ns}is-mount-root","{http://nextcloud.org/ns}metadata-blurhash","{http://nextcloud.org/ns}metadata-files-live-photo","{http://nextcloud.org/ns}approval-state","{http://nextcloud.org/ns}reminder-due-date","{http://nextcloud.org/ns}note","{http://nextcloud.org/ns}sharees","{http://nextcloud.org/ns}hide-download","{http://nextcloud.org/ns}share-attributes","{http://owncloud.org/ns}share-types","{http://open-collaboration-services.org/ns}share-permissions","{http://nextcloud.org/ns}system-tags","{http://nextcloud.org/ns}rich-workspace","{http://nextcloud.org/ns}rich-workspace-file"],1]},{"file":"/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php","line":1649,"function":"writeMultiStatus","class":"Sabre\\DAV\\Server","type":"->","args":[{"__class__":"Sabre\\Xml\\Writer","elementMap":[],"contextUri":"/remote.php/dav/","namespaceMap":{"DAV:":"d","http://sabredav.org/ns":"s","http://owncloud.org/ns":"oc","http://nextcloud.org/ns":"nc"},"classMap":[]},{"__class__":"Generator"},false]},{"file":"/var/www/html/3rdparty/sabre/dav/lib/DAV/CorePlugin.php","line":346,"function":"generateMultiStatus","class":"Sabre\\DAV\\Server","type":"->","args":[{"__class__":"Generator"},false]},{"file":"/var/www/html/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"httpPropFind
","class":"Sabre\\DAV\\CorePlugin","type":"->","args":[{"__class__":"Sabre\\HTTP\\Request"},{"__class__":"Sabre\\HTTP\\Response"}]},{"file":"/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php","line":472,"function":"emit","class":"Sabre\\DAV\\Server","type":"->","args":["method:PROPFIND",[{"__class__":"Sabre\\HTTP\\Request"},{"__class__":"Sabre\\HTTP\\Response"}]]},{"file":"/var/www/html/apps/dav/lib/Connector/Sabre/Server.php","line":49,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->","args":[{"__class__":"Sabre\\HTTP\\Request"},{"__class__":"Sabre\\HTTP\\Response"}]},{"file":"/var/www/html/apps/dav/lib/Server.php","line":400,"function":"start","class":"OCA\\DAV\\Connector\\Sabre\\Server","type":"->","args":[]},{"file":"/var/www/html/apps/dav/appinfo/v2/remote.php","line":21,"function":"exec","class":"OCA\\DAV\\Server","type":"->","args":[]},{"file":"/var/www/html/remote.php","line":145,"args":["/var/www/html/apps/dav/appinfo/v2/remote.php"],"function":"require_once"}],"File":"/var/www/html/apps/encryption/lib/Crypto/Crypt.php","Line":613,"Hint":"multikeydecrypt with share key failed:error:1E08010C:DECODER routines::unsupported","message":"multikeydecrypt with share key failed:error:1E08010C:DECODER routines::unsupported","exception":[],"CustomMessage":"multikeydecrypt with share key failed:error:1E08010C:DECODER routines::unsupported"},"id":"684c5ab7803f0"}

Hello @vgnshlvnz,

welcome to the Nextcloud community! :handshake:

  • please spend some time to fill in the template and don’t forget to delete things you don’t fill - it’s really hard to find the 3 words you inserted but ignored everything else e.g. log files, screenshots etc.
  • use search you will find many related topics
  • don’t use SAML use OIDC.
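
An added example (not part of the original post or the reply): a triage script that scans a Nextcloud JSON log for the `MultiKeyDecryptException` shown in the log entry above and lists, per user, how often it occurred and which files were affected. Field names are taken from that log entry; the sample lines, user names and paths are constructed for illustration.

```python
import json
from collections import defaultdict

# Exception class and message exactly as they appear in the log entry above.
TARGET = "OCA\\Encryption\\Exceptions\\MultiKeyDecryptException"
MSG = "multikeydecrypt with share key failed:error:1E08010C:DECODER routines::unsupported"

def _entry(user, path, exc=TARGET):
    """Build a constructed log line with the same field layout as the entry above."""
    return json.dumps({
        "reqId": "constructed", "level": 3, "user": user, "app": "text",
        "method": "PROPFIND", "url": "/remote.php/dav/files/%s/" % user,
        "message": MSG,
        "exception": {"Exception": exc, "Message": MSG, "Trace": [
            {"function": "multiKeyDecrypt",
             "args": ["*** sensitive parameters replaced ***"]},
            {"function": "getFileKey", "args": [path, user, False, False]},
        ]},
    })

# Constructed sample data: user names and paths are made up for this example.
SAMPLE_LOG = "\n".join([
    _entry("alice", "/alice/files/Documents/Readme.md"),
    _entry("alice", "/alice/files/Documents/Readme.md"),
    _entry("alice", "/alice/files/Notes.md"),
    _entry("bob", "/bob/files/a.txt", exc="OCP\\Files\\NotFoundException"),
    json.dumps({"reqId": "constructed", "level": 1, "user": "carol", "message": "ok"}),
    '{"reqId":"constructed","level":3,"user":"dave","exce',  # truncated line
])

def decrypt_failures(log_text):
    """Return {user: {"events": n, "files": [...]}} for file-key decrypt failures."""
    hits = defaultdict(lambda: {"events": 0, "files": set()})
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # truncated or non-JSON line
        exc = entry.get("exception") if isinstance(entry, dict) else None
        if not isinstance(exc, dict) or exc.get("Exception") != TARGET:
            continue
        rec = hits[entry.get("user", "unknown")]
        rec["events"] += 1
        for frame in exc.get("Trace", []):
            # The getFileKey frame carries the file path as its first argument.
            if frame.get("function") == "getFileKey" and frame.get("args"):
                rec["files"].add(frame["args"][0])
                break
    return {u: {"events": r["events"], "files": sorted(r["files"])}
            for u, r in hits.items()}

if __name__ == "__main__":
    print(json.dumps(decrypt_failures(SAMPLE_LOG), indent=2))
```

Run against the real log file by passing its contents to `decrypt_failures`; comparing the affected users with those who sign in through SSO shows whether the failures line up with the login method.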