[Solved] Nextcloud <-(SAML)->Keycloak as identity provider issues

Hi,

I’ve followed this blog on configuring Nextcloud as a service provider of Keycloak (as identity provider) using SAML-based SSO. I am using the Nextcloud AMI image here: https://aws.amazon.com/marketplace/pp/B06ZZXYKWY

Things seem to work, in that I get redirected to the Keycloak sign-in, but after I authenticate with Keycloak, I get redirected to a Nextcloud page that just says

“Account not provisioned.
Your account is not provisioned, access to this service is thus not possible.”

There are various “patches” on the internet, but they are old, and I have checked and the PHP file paths that people modify are not even the same on my system.

Does anyone know how to debug this “Account not provisioned” issue? I call it an issue because I know the account exists and I was able to authenticate using the keycloak UI.

Thanks

You likely haven’t configured the proper attribute for the UUID mapping. Also set 'debug' => true, in your config.php as the errors will be more verbose then.

The debug flag helped.
Once I flipped that on, I got this error in GUI:

error is: Invalid issuer in the Assertion/Response (expected ‘https://BASEURL/auth/realms/public/protocol/saml’, got ‘https://BASEURL/auth/realms/public’)

So I went back into the SSO config and changed “Identifier of IdP entity” to match the expected value above.

But now when I log back in, I get past the original problem and get an Internal Server Error dumped to screen:

Internal Server Error
The server encountered an internal error and was unable to complete your request.
Please contact the server administrator if this error reappears multiple times, please include the technical details below in your report.
More details can be found in the server log.

Technical details
Remote Address: 162.158.75.25
Request ID: UBvgfYXYW6luIWcLGlcL
Type: OneLogin_Saml2_ValidationError
Code: 41
Message: Found an Attribute element with duplicated Name
File: /var/www/nextcloud/apps/user_saml/3rdparty/vendor/onelogin/php-saml/lib/Saml2/Response.php
Line: 709

Trace
#0 /var/www/nextcloud/apps/user_saml/3rdparty/vendor/onelogin/php-saml/lib/Saml2/Auth.php(177): OneLogin_Saml2_Response->getAttributes()
#1 /var/www/nextcloud/apps/user_saml/lib/Controller/SAMLController.php(192): OneLogin_Saml2_Auth->processResponse('ONELOGIN_37cefa…')
#2 [internal function]: OCA\User_SAML\Controller\SAMLController->assertionConsumerService()
#3 /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php(160): call_user_func_array(Array, Array)
#4 /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php(90): OC\AppFramework\Http\Dispatcher->executeController(Object(OCA\User_SAML\Controller\SAMLController), 'assertionConsum…')
#5 /var/www/nextcloud/lib/private/AppFramework/App.php(114): OC\AppFramework\Http\Dispatcher->dispatch(Object(OCA\User_SAML\Controller\SAMLController), 'assertionConsum…')
#6 /var/www/nextcloud/lib/private/AppFramework/Routing/RouteActionHandler.php(47): OC\AppFramework\App::main('OCA\User_SAML\C…', 'assertionConsum…', Object(OC\AppFramework\DependencyInjection\DIContainer), Array)
#7 [internal function]: OC\AppFramework\Routing\RouteActionHandler->__invoke(Array)
#8 /var/www/nextcloud/lib/private/Route/Router.php(299): call_user_func(Object(OC\AppFramework\Routing\RouteActionHandler), Array)
#9 /var/www/nextcloud/lib/base.php(1000): OC\Route\Router->match('/apps/user_saml…')
#10 /var/www/nextcloud/index.php(40): OC::handleRequest()
#11 {main}

Do you know what I can do with this?

I have commented out this code, as some suggest for this problem on the internet:
FILE: apps/user_saml/3rdparty/vendor/onelogin/php-saml/lib/Saml2/Response.php

/*
        if (in_array($attributeName, array_keys($attributes))) {
            throw new OneLogin_Saml2_ValidationError(
                "Found an Attribute element with duplicated Name",
                OneLogin_Saml2_ValidationError::DUPLICATED_ATTRIBUTE_NAME_FOUND
            );
        }
*/

Now things seem to be working. But I do not trust blindly commenting out code like this, so any suggestion will be much appreciated.

I had exactly the same problem and could solve it thanks to you…

Did you find any further information? Did you file a bug report?

If anybody is interested in it…
The problem was the role mapping in keycloak.
Delete it, or activate “Single Role Attribute” for it.


Well, old thread, but still valid. I’ve tried Nextcloud 13.0.4 with Keycloak 4.0.0.Final (like described at https://stackoverflow.com/questions/48400812/sso-with-saml-keycloak-and-nextcloud ) and I get the same old ‘duplicated Name’ error (see also https://stackoverflow.com/questions/51011422/is-there-a-way-to-filter-avoid-duplicate-attribute-names-in-keycloak-saml-assert).

Interestingly, I couldn’t fix the problem with Keycloak’s role mapping ‘Single Role Attribute’ or anything. However, commenting out the line giving the error like bigk did fixes the problem.

I had another try with the keycloak ‘single role attribute’ switch and now it has worked!

In Keycloak 4.0.0.Final the option is a bit hidden under:
(Realm) -> Client Scopes -> role_list (saml) -> Mappers tab -> role list -> ‘Single Role Attribute’.


I know this one is quite old, but it’s one of the threads you stumble across when looking for this problem. There is a better option than the proposed one! The proposed option changes the role_list for every Client within the Realm. It is better to override the setting on client level to make sure it only impacts the Nextcloud client.

For this, edit your client, go to Client Scopes and remove role_list from the Assigned Default Client Scopes.

Next, create a new Mapper to actually map the Role List:

  • Name: anything you like
  • Mapper Type: Role List
  • Role Attribute name: Role
  • Friendly Name: Anything you like
  • SAML Attribute Name Format: Basic
  • Single Role Attribute: ON

Hope this helps someone.
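Added example, not code from this thread, from php-saml, Nextcloud or Keycloak: a Python re-implementation of the two php-saml checks that showed up in this thread, the issuer match behind "Invalid issuer in the Assertion/Response" and the duplicate Attribute Name check behind error code 41, run against two constructed assertion fragments. The first fragment has the shape the default role_list mapper produces with Single Role Attribute OFF (one <saml:Attribute Name="Role"> element per role, so the Name repeats); the second has the shape produced with the switch ON (one Attribute carrying all roles as separate AttributeValues), which is what the mapper described in the posts above yields. The BASEURL issuer, the role names and the username are constructed sample data, and the function names are this example's own.

```python
"""Added example: re-implementation in Python of two php-saml checks
(issuer match and the duplicate Attribute Name check, error code 41),
run against constructed Keycloak-style assertion fragments. Not code from
the thread, php-saml, Nextcloud or Keycloak."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Keycloak's SAML Issuer / IdP entity ID is the realm URL (constructed
# BASEURL, same shape as the error message quoted in the thread).
REALM_ISSUER = "https://BASEURL/auth/realms/public"

# Constructed sample 1: role_list mapper with "Single Role Attribute" OFF,
# one <saml:Attribute Name="Role"> per role, so the Name is duplicated.
MULTI_ATTRIBUTE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://BASEURL/auth/realms/public</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>uma_authorization</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>offline_access</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed sample 2: same roles with "Single Role Attribute" ON, one
# Attribute element carrying every role as its own AttributeValue.
SINGLE_ATTRIBUTE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://BASEURL/auth/realms/public</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>uma_authorization</saml:AttributeValue>
      <saml:AttributeValue>offline_access</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


class ValidationError(Exception):
    """Stand-in for OneLogin_Saml2_ValidationError (message only)."""


def check_issuer(root, expected_issuer):
    """The <saml:Issuer> must equal the IdP entity ID configured on the SP
    side ("Identifier of IdP entity" in the Nextcloud SSO settings)."""
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValidationError(
            "Invalid issuer in the Assertion/Response "
            f"(expected '{expected_issuer}', got '{issuer}')"
        )


def get_attributes(root):
    """Every <saml:Attribute> Name must be unique (error code 41 otherwise);
    the values of one Attribute are collected as a list."""
    attributes = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        if name in attributes:
            raise ValidationError("Found an Attribute element with duplicated Name")
        attributes[name] = [
            (value.text or "") for value in attr.iterfind("saml:AttributeValue", NS)
        ]
    return attributes


def validate(xml_text, expected_issuer):
    """Parse an assertion fragment and run both checks in the order the
    thread hit them: issuer first, then attributes."""
    root = ET.fromstring(xml_text)
    check_issuer(root, expected_issuer)
    return get_attributes(root)


def describe(xml_text, expected_issuer):
    """Return ('ok', attributes) or ('error', message)."""
    try:
        return "ok", validate(xml_text, expected_issuer)
    except ValidationError as err:
        return "error", str(err)


if __name__ == "__main__":
    # Wrong IdP entity ID on the SP side: the thread's first error.
    print(describe(SINGLE_ATTRIBUTE_ASSERTION, REALM_ISSUER + "/protocol/saml"))
    # Correct issuer, default role_list mapper: error code 41.
    print(describe(MULTI_ATTRIBUTE_ASSERTION, REALM_ISSUER))
    # Correct issuer, Single Role Attribute ON: accepted, roles kept as a list.
    print(describe(SINGLE_ATTRIBUTE_ASSERTION, REALM_ISSUER))
```

The point of running both shapes side by side is that the duplicate check is doing its job: it rejects any assertion whose AttributeStatement repeats a Name, so the right fix is on the IdP side (one Attribute with several AttributeValues), not removing the check from php-saml. If the error persists after the role list change, decode the posted SAMLResponse and look for any other mapper that emits the same Name twice.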