Trouble with SSO - Nextcloud <-> SAML <-> Keycloak

Nextcloud 20.0.0:
Ubuntu 18.04 + Docker
nginx 1.19.3
PHP 7.4.11

Hi,

I am trying to enable SSO on my clean Nextcloud installation. I am using a Keycloak server in order to centrally authenticate users imported from an LDAP (authentication in Keycloak is working properly).

I get an error about X.509 cert handling which prevents authentication:

[PHP] Error: Error: openssl_x509_export(): cannot get cert from parameter 1 at /var/www/html/custom_apps/user_saml/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php#366 at <<closure>>

 0. <<closure>>
    OC\Log\ErrorHandler::onError(2, "openssl_x509_ex ... 1", "/var/www/html/c ... p", 366, {key: "-----BEGI ... l})
 1. /var/www/html/custom_apps/user_saml/3rdparty/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php line 366
    openssl_x509_export(false, null)
 2. /var/www/html/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Utils.php line 1463
    RobRichards\XMLSecLibs\XMLSecurityKey->loadKey("-----BEGIN CERT ... n", false, true)
 3. /var/www/html/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Response.php line 426
    OneLogin\Saml2\Utils::validateSign(DOMDocument {}, "-----BEGIN CERT ... n", "", "sha1", "/samlp:Response/ds:Signature", ["-----BEGIN CER ... "])
 4. /var/www/html/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Auth.php line 237
    OneLogin\Saml2\Response->isValid("ONELOGIN_80276e ... b")
 5. /var/www/html/custom_apps/user_saml/lib/Controller/SAMLController.php line 320
    OneLogin\Saml2\Auth->processResponse("ONELOGIN_80276e ... b")
 6. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 169
    OCA\User_SAML\Controller\SAMLController->assertionConsumerService()
 7. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 100
    OC\AppFramework\Http\Dispatcher->executeController(OCA\User_SAML\Co ... {}, "assertionConsumerService")
 8. /var/www/html/lib/private/AppFramework/App.php line 152
    OC\AppFramework\Http\Dispatcher->dispatch(OCA\User_SAML\Co ... {}, "assertionConsumerService")
 9. /var/www/html/lib/private/Route/Router.php line 308
    OC\AppFramework\App::main("OCA\\User_SAML\ ... r", "assertionConsumerService", OC\AppFramework\ ... {}, {action: null,_r ... "})
10. /var/www/html/lib/base.php line 1009
    OC\Route\Router->match("/apps/user_saml/saml/acs")
11. /var/www/html/index.php line 37
    OC::handleRequest()

POST /apps/user_saml/saml/acs
from 172.18.0.1 at 2020-10-22T06:29:23+00:00

Here is my Keycloak configuration for the client:

Here is my configuration in Gitlab:

Any ideas?