SAML SSO generates many "Login attempts" in audit.log


#1

I have Nextcloud 14.0.0.19 and 13.0.6.1 (stable) installed, an LDAP backend for user provisioning and a SAML 2.0 IdP for the authentication.

The problem is that when user_saml is activated, it generates a lot of “Login attempt” entries in audit.log.

I have to set 'loglevel' => 1 in config.php to be able to audit user events.

Example audit.log:

{"reqId":"rPhmQ7ifPLYodXjRcYUH","level":1,"time":"2018-09-12T16:17:56+02:00","remoteAddr":"192.168.0.100","user":"user1","app":"admin_audit","method":"PROPFIND","url":"/nextcloud/remote.php/dav/files/user1/Upload","message":"Login attempt: \"user1\"","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0","version":"14.0.0.19"}

{"reqId":"rPhmQ7ifPLYodXjRcYUH","level":1,"time":"2018-09-12T16:17:56+02:00","remoteAddr":"192.168.0.100","user":"user1","app":"admin_audit","method":"PROPFIND","url":"/nextcloud/remote.php/dav/files/user1/Upload","message":"Login attempt: \"user1\"","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0","version":"14.0.0.19"}

{"reqId":"i9LxiFcpqEX6kHVcemOm","level":1,"time":"2018-09-12T16:17:56+02:00","remoteAddr":"192.168.0.100","user":"user1","app":"admin_audit","method":"GET","url":"/nextcloud/index.php/apps/files/ajax/getstoragestats.php?dir=%2FUpload","message":"Login attempt: \"user1\"","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0","version":"14.0.0.19"}

{"reqId":"W4zx7zPxKr0on0bJgLMV","level":1,"time":"2018-09-12T16:17:56+02:00","remoteAddr":"192.168.0.100","user":"user1","app":"admin_audit","method":"GET","url":"/nextcloud/index.php/apps/theming/img/core/filetypes/application-pdf.svg?v=19","message":"Login attempt: \"user1\"","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0","version":"14.0.0.19"

Nextcloud version (eg, 12.0.2): 14.0.0.19, 13.0.6.1
SSO & SAML authentication: 1.6.2
Operating system and version (eg, Ubuntu 17.04): Ubuntu 16.04 LTS
Apache or nginx version (eg, Apache 2.4.25): Apache
PHP version (eg, 7.1): 7.0.30
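
The entries quoted in the post above show one "Login attempt" record per authenticated request. As an added example (not part of the thread and not Nextcloud code), this Python script collapses those records into one summary per user and source address while leaving every other audit event untouched. The function name `collapse_login_attempts`, the 30-minute gap, the second address and the "File accessed" entry in the sample are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the audit.log format quoted above; the last line is cut short on purpose.
SAMPLE = r'''
{"reqId":"r1","time":"2018-09-12T16:17:56+02:00","remoteAddr":"192.168.0.100","user":"user1","app":"admin_audit","method":"PROPFIND","message":"Login attempt: \"user1\""}
{"reqId":"r1","time":"2018-09-12T16:17:56+02:00","remoteAddr":"192.168.0.100","user":"user1","app":"admin_audit","method":"PROPFIND","message":"Login attempt: \"user1\""}
{"reqId":"r2","time":"2018-09-12T16:17:57+02:00","remoteAddr":"192.168.0.100","user":"user1","app":"admin_audit","method":"GET","message":"Login attempt: \"user1\""}
{"reqId":"r3","time":"2018-09-12T16:18:02+02:00","remoteAddr":"192.168.0.100","user":"user1","app":"admin_audit","method":"GET","message":"File accessed: \"/Upload/a.pdf\""}
{"reqId":"r4","time":"2018-09-12T16:20:00+02:00","remoteAddr":"192.168.0.200","user":"user1","app":"admin_audit","method":"GET","message":"Login attempt: \"user1\""}
{"reqId":"r5","time":"2018-09-12T18:00:00+02:00","remoteAddr":"192.168.0.100","user":"user1","app":"admin_audit","method":"GET","message":"Login attempt: \"user1\""}
{"reqId":"r6","time":"2018-09-12T18:00:01+02:00","remoteAddr":"192.168.0.100","user":"user1","app":"admin_audit","message":"Login attempt: \"user1\""
'''

def collapse_login_attempts(lines, gap=timedelta(minutes=30)):
    """Return (bursts, other_events, skipped_line_count) for audit.log lines."""
    open_bursts, bursts, others, skipped = {}, [], [], 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
            when = datetime.fromisoformat(entry["time"])
        except (ValueError, KeyError, TypeError):
            skipped += 1          # truncated or malformed line: count it, do not guess
            continue
        if not str(entry.get("message", "")).startswith("Login attempt:"):
            others.append(entry)  # every other audit event is kept as-is
            continue
        key = (entry.get("user"), entry.get("remoteAddr"))
        burst = open_bursts.get(key)
        if burst is None or when - burst["last"] > gap:
            # First sighting, or silence longer than `gap`: start a new burst.
            burst = {"user": key[0], "remoteAddr": key[1], "first": when, "last": when, "count": 0}
            open_bursts[key] = burst
            bursts.append(burst)
        burst["count"] += 1
        burst["last"] = when
    return bursts, others, skipped

if __name__ == "__main__":
    bursts, others, skipped = collapse_login_attempts(SAMPLE.splitlines())
    for b in bursts:
        print(f'{b["first"].isoformat()} {b["user"]}@{b["remoteAddr"]} login attempts: {b["count"]}')
    for e in others:
        print(f'{e["time"]} {e["user"]} {e["message"]}')
    print(f"skipped {skipped} unparsable line(s)")
```

A new source address or a long silence opens a new burst, so a login from an unfamiliar host still stands out after the per-request noise is collapsed.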


#2

Attaching to this issue and I’m seeing the same. If I put my log level to Info in LogViewer I can’t see any of the other messages and I’m inundated with login attempt for XXX.


#3

Yes, this is a huge problem for us.