SAML stuck on redirect authentication (Keycloak)

Nextcloud version: 29.0.4
Operating system and version: Debian GNU/Linux 12 bookworm
Apache or nginx version: Apache/2.4.61 (Debian)
PHP version: PHP 8.2.22
user_saml version: v6.2.0
Keycloak version: 25.0.4
The issue you are facing:

I followed this tutorial to the letter and also added the nextcloudquota mapper as recommended in the update. Now what I get is a redirection from Nextcloud to the Keycloak URL, complete with a working login. When I try to log in with Keycloak credentials, it says “authentication redirect please wait,” but then it redirects me back to the interface with the choice of login type. In Keycloak, it shows in the session section that the user logged in through Nextcloud, but there is no user logged in with Keycloak on Nextcloud.

This is the XML of the requests and responses made.

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ONELOGIN_9cc5f19b9b4f2b2841856e529d942af71268dbdf"
    Version="2.0"
    IssueInstant="2024-08-30T14:28:05Z"
    Destination="http://keycloak.local:8080/realms/Chronorix/protocol/saml"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://nextcloud.local:8082/apps/user_saml/saml/acs">
  <saml:Issuer>http://nextcloud.local:8082/apps/user_saml/saml/metadata</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
      AllowCreate="true"/>
</samlp:AuthnRequest>

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="http://nextcloud.local:8082/apps/user_saml/saml/acs"
    ID="ID_899a0303-3a88-42b2-844a-bedfc156ac5d"
    InResponseTo="ONELOGIN_9cc5f19b9b4f2b2841856e529d942af71268dbdf"
    IssueInstant="2024-08-30T14:28:13.761Z"
    Version="2.0">
  <saml:Issuer>http://keycloak.local:8080/realms/Chronorix</saml:Issuer>
  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <dsig:Reference URI="#ID_899a0303-3a88-42b2-844a-bedfc156ac5d">
        <dsig:Transforms>
          <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <dsig:DigestValue>WtdJsRRMx8U0YANIhwqcJXWbADhJZvq2uYl0l9NwqWU=</dsig:DigestValue>
      </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>kqYw7fvhqtnx9Xi8q04qL9FfZVLzSw2FMjzPsb3hap7JKoWFrcCCo9m0Osq4UAGdpFm9X348J6ruFYUSOVehgXq0cqzzGFxf4vA16YUQoDW8++pGps9Lzp3fbS3oGAItPlsqe/cnFyVrGgam3ML2WPo5HSMsFCYQrzdYjgNrqDjUX7esmA4EvReY6DYZ4NcVx5lzfCsRkO//XLVhqoeiuHgX0r6Wi/vxFDYF44FU9x5C9dvCYr4cCfIakn3mo9aNYZbW7ZohD/LSJN57uM5RnU0UJguQngspdkgrBXKTGt27hjCRXkAbd6xhiHxy2kJ2fy0rJ24j9u6gFodGCx0f6A==</dsig:SignatureValue>
    <dsig:KeyInfo>
      <dsig:X509Data>
        <dsig:X509Certificate>...</dsig:X509Certificate>
      </dsig:X509Data>
    </dsig:KeyInfo>
  </dsig:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="ID_79f90526-c7aa-4891-aa19-6b334470d5f6"
      IssueInstant="2024-08-30T14:28:13.761Z"
      Version="2.0">
    <saml:Issuer>http://keycloak.local:8080/realms/Chronorix</saml:Issuer>
    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
      <dsig:SignedInfo>
        <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <dsig:Reference URI="#ID_79f90526-c7aa-4891-aa19-6b334470d5f6">
          <dsig:Transforms>
            <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </dsig:Transforms>
          <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <dsig:DigestValue>Zk6iuxZPdlwZoG31GpWFEbFQrA6Lz43/X3tyUAQOskE=</dsig:DigestValue>
        </dsig:Reference>
      </dsig:SignedInfo>
      <dsig:SignatureValue>Ktd/gaUrlceQj5Wcc7c8CQqqJKU6k5NoZ2VcrOZOPnT3Ru3mFB1mIRBVjreFzXXc9h9KgzYb6OQYkNA7MgfVYwIy7X8amYOZVnb9kQ7iSXXD/LrSV5XSmyAWm39Whftn1K7C5NvDGThjWJl28cgJTnku57j1zK20eddCGT5bT0GPTcfnd9FnKys6YfUJzPTqOt1tz7fOwH5dT0bqnwpnQczjgd0khHG2L58FAGlp+VdjuTjo46vOau+dHknkAbk+evxMkWG422WeZhj5ZjzLBUAL5TyxU96f9QQIMuPhQ2lOOcq/XTVGWEe1Kdrnn98m2TAddQQG36G07rnuBfsvVg==</dsig:SignatureValue>
      <dsig:KeyInfo>
        <dsig:X509Data>
          <dsig:X509Certificate>...</dsig:X509Certificate>
        </dsig:X509Data>
      </dsig:KeyInfo>
    </dsig:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="ONELOGIN_9cc5f19b9b4f2b2841856e529d942af71268dbdf"
            NotOnOrAfter="2024-08-30T14:33:11.761Z"
            Recipient="http://nextcloud.local:8082/apps/user_saml/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-08-30T14:28:11.761Z"
        NotOnOrAfter="2024-08-30T14:29:11.761Z">
      <saml:AudienceRestriction>
        <saml:Audience>http://nextcloud.local:8082/apps/user_saml/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-08-30T14:28:13.762Z"
        SessionIndex="21a59cac-75e5-4a31-813f-9390654bad4d::87d729ea-5832-4d2a-9cec-dd82a181bfbb"
        SessionNotOnOrAfter="2024-08-31T00:28:13.762Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="email"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">verify@chronorix.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="roles" Name="Roles"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manage-account</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">view-realm</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">query-groups</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">view-users</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">view-profile</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">default-roles-chronorix</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manage-users</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manage-account-links</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">query-users</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">uma_authorization</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">offline_access</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
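As an added example (not code from the post, from user_saml or from Keycloak), the checks an SP performs on such a Response before it creates a session: status, InResponseTo, Destination/Recipient, Audience, NameID and the validity window, run over a trimmed copy of the posted Response with the request ID, ACS URL and SP entity ID taken from the AuthnRequest above. Signature verification is left out because the certificate is not on the page. Note that the Conditions window here is only 60 seconds (14:28:11 to 14:29:11), so a clock offset between Nextcloud and Keycloak, or a slow redirect, is enough to make an otherwise valid assertion fail.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Values the SP knows from its own AuthnRequest and metadata (taken from the post).
REQUEST_ID = "ONELOGIN_9cc5f19b9b4f2b2841856e529d942af71268dbdf"
ACS_URL = "http://nextcloud.local:8082/apps/user_saml/saml/acs"
SP_ENTITY_ID = "http://nextcloud.local:8082/apps/user_saml/saml/metadata"

# Trimmed copy of the posted Response: signatures and the AttributeStatement are left out.
RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="http://nextcloud.local:8082/apps/user_saml/saml/acs"
  InResponseTo="ONELOGIN_9cc5f19b9b4f2b2841856e529d942af71268dbdf"
  ID="ID_899a0303-3a88-42b2-844a-bedfc156ac5d" IssueInstant="2024-08-30T14:28:13.761Z" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="ID_79f90526-c7aa-4891-aa19-6b334470d5f6" Version="2.0">
    <saml:Subject><saml:NameID>admin</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="ONELOGIN_9cc5f19b9b4f2b2841856e529d942af71268dbdf"
          NotOnOrAfter="2024-08-30T14:33:11.761Z" Recipient="http://nextcloud.local:8082/apps/user_saml/saml/acs"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-08-30T14:28:11.761Z" NotOnOrAfter="2024-08-30T14:29:11.761Z">
      <saml:AudienceRestriction><saml:Audience>http://nextcloud.local:8082/apps/user_saml/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion></samlp:Response>"""


def _ts(value):
    # SAML timestamps are UTC, with or without fractional seconds.
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_response(xml, now_iso, request_id=REQUEST_ID, acs_url=ACS_URL, sp_entity_id=SP_ENTITY_ID):
    """Return the names of the checks that fail; an empty list means the SP would accept it."""
    now = _ts(now_iso)
    root = ET.fromstring(xml)
    assertion = root.find("saml:Assertion", NS)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    cond = assertion.find("saml:Conditions", NS)
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    checks = {
        "status": root.find("samlp:Status/samlp:StatusCode", NS).get("Value") == SUCCESS,
        "in_response_to": root.get("InResponseTo") == request_id == scd.get("InResponseTo"),
        "destination": root.get("Destination") == acs_url == scd.get("Recipient"),
        "audience": sp_entity_id in audiences,
        "name_id": bool(assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)),
        "not_before": _ts(cond.get("NotBefore")) <= now,
        "not_on_or_after": now < min(_ts(cond.get("NotOnOrAfter")), _ts(scd.get("NotOnOrAfter"))),
    }
    return [name for name, ok in checks.items() if not ok]
```

The posted exchange passes every check when evaluated inside its window, which points the search away from the assertion itself and towards what happens at the ACS endpoint (session and cookie handling in the browser, as the poster later found).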

Without going deeper: for new integrations I would recommend using the more modern and simpler OpenID Connect with user_oidc.
Follow this tutorial for a quick start: Nextcloud and OpenID-Connect

I noticed that Chromium was the problem; using Firefox, I was able to access it. However, the issue now was that I couldn’t use token exchange correctly in Keycloak with SAML. I switched back to OpenID, and everything worked correctly. Thanks. Of course, I used this app here: GitHub - pulsejet/nextcloud-oidc-login (Nextcloud login via a single OpenID Connect 1.0 provider), to be able to use it through the API as well.

I like this app but please be aware:
