User_SAML - Account not provisioned

Nextcloud version: 12.0.0
Operating system and version: Ubuntu Server
Apache or nginx version (eg, Apache 2.4.25): 16.04.2_amd64
PHP version: 7.0.18
Is this the first time you’ve seen this error?: No

Can you reliably replicate it? (If so, please outline steps):

  1. Login using LDAPUser
  2. Connects fine
  3. Go into apps and enable User_SAML
  4. Connect to NextCloud and get forwarded to IDP for login
  5. Login using same account
  6. Get error: Account not provisioned. Your account is not provisioned, access to this service is thus not possible.

The issue you are facing:
I am trying to configure Centrify IDP for SAML authentication, and while I know Centrify isn’t officially supported, SAML is SAML and should be able to work. We have LDAP configured through Active Directory and the authentication works fine using the SamAccountName. I currently have the Uuid set up as the “Username” when I view users in NextCloud but have also changed it to the SamAccountName with the same issue. When sending the SAML assertion the ID is passed as:
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">BC######-#BEF-41EB-BC##-F#CECB#####C</NameID>
In NextCloud I have the “Attribute to map the uuid to” set to “urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified” and have verified the uuid being passed matches the account “Username” in “Users” within NextCloud.

Any ideas on what could be causing the issue? Thanks!

1 Like

Figured it out. The subject field was not able to be used as a UID identifier. I added another attribute to the SAML assertion and had it use that for the UID and it’s working. Now my SMB mounts don’t work though, but I’ll open another case for that issue.

1 Like

@karmakaze - could you provide a bit more detail on how you a) worked out what the problem was; and b) resolved this issue. I am also trying to get SAML working with Centrify and I am getting the same “account is not provisioned” error.

1 Like

Thank you for sharing the solution, but can you please elaborate for a noob like me? I’ve wasted so many hours on this issue and am not able to understand what’s causing this error. If you can provide a link that you followed to add Nextcloud for Keycloak, that’d be great. Thanks in advance.

I know this is long dead but just for documentation’s sake:

In Settings > LDAP / AD integration:

In ADFS’ MMC > Relying Party Trusts > [relyingparty] > Edit Claim Issuance Policy…:
(…or whatever your IdP if not ADFS)

In Settings > SSO & SAML authentication > Attribute to map the UID to.:

I’m far from a federation expert, but, it seems the trick is matching a given value in as many places as possible. I guess you could use sAMAccountName as well but the UPN is supposed to be unique…ish. At least unique enough unlike the sAMAccountName but much easier than the UUID that no user knows or will ever know about himself/herself–the default on Nextcloud.

It’s odd that this plugin is not documented.

:slight_smile:

1 Like
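Added example (not part of any post in this thread, and not user_saml's own code): a small diagnostic for the mismatch described in the accepted fix and in the post above. It assumes, as the thread reports, that the UID mapping is matched against attribute names in the AttributeStatement and not against the Subject's NameID. The assertion, the attribute name `userid` and all values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; diagnostic use only, no signature validation.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">EXAMPLE-GUID-0001</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="userid">
      <saml:AttributeValue>jdoe@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>jdoe@example.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def assertion_attributes(xml_text):
    """Return {attribute Name: [values]} from the AttributeStatement only."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def diagnose_uid_mapping(xml_text, uid_mapping, known_user_ids):
    """Say why a configured UID mapping would or would not find an account."""
    root = ET.fromstring(xml_text)
    attrs = assertion_attributes(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if uid_mapping not in attrs:
        # The original question's setup: the NameID *Format* URN was entered
        # as the mapping, but no attribute carries that name.
        if name_id is not None and uid_mapping == name_id.get("Format"):
            return "mapping-is-nameid-format"
        return "attribute-missing"
    # The attribute exists; its value must also match an existing user ID
    # in the backend (hypothetical set passed in by the caller).
    uid = attrs[uid_mapping][0]
    return "ok" if uid in known_user_ids else "uid-not-in-backend"
```

Run it against an assertion captured from your own IdP: any result other than `ok` means the mapping name or the value sent does not line up with what the user backend holds.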

@karmakaze could you provide some more details.
Thanks in Advance.

I use Authentik as SSO and hit the same issue after upgrading to NC 27.0.1.
@karmakaze any idea to fix that?

I made no changes on the authentik side, and I saw these errors in the NC logging:

{“reqId”:“bvPuSB4j9bW59jl1r9xU”,“level”:4,“time”:“2023-07-20T23:06:28+00:00”,“remoteAddr”:“121.7.56.39”,“user”:“–”,“app”:“user_saml”,“method”:“POST”,“url”:“/apps/user_saml/saml/acs”,“message”:“Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd”,“userAgent”:“Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0”,“version”:“27.0.1.2”,“data”:{“app”:“user_saml”},“id”:“64b9be7f0d58d”}
{“reqId”:“bvPuSB4j9bW59jl1r9xU”,“level”:4,“time”:“2023-07-20T23:06:28+00:00”,“remoteAddr”:“121.7.56.39”,“user”:“–”,“app”:“user_saml”,“method”:“POST”,“url”:“/apps/user_saml/saml/acs”,“message”:“invalid_response”,“userAgent”:“Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0”,“version”:“27.0.1.2”,“data”:{“app”:“user_saml”},“id”:“64b9be7f0d5a5”}
{“reqId”:“bvPuSB4j9bW59jl1r9xU”,“level”:3,“time”:“2023-07-20T23:06:28+00:00”,“remoteAddr”:“121.7.56.39”,“user”:“–”,“app”:“PHP”,“method”:“POST”,“url”:“/apps/user_saml/saml/acs”,“message”:“DOMDocument::schemaValidate(): Invalid Schema at /var/www/html/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Utils.php#153”,“userAgent”:“Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0”,“version”:“27.0.1.2”,“data”:{“app”:“PHP”},“id”:“64b9be7f0d5b4”}
{“reqId”:“EUvoyCCKojn9LV8X9zzi”,“level”:3,“time”:“2023-07-20T23:05:56+00:00”,“remoteAddr”:“121.7.56.39”,“user”:“admin”,“app”:“index”,“method”:“GET”,“url”:“/apps/user_saml/saml/metadata?idp=1”,“message”:“Invalid SP metadata: invalid_xml”,“userAgent”:“Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0”,“version”:“27.0.1.2”,“exception”:{“Exception”:“OneLogin\Saml2\Error”,“Message”:“Invalid SP metadata: invalid_xml”,“Code”:3,“Trace”:[{“file”:“/var/www/html/lib/private/AppFramework/Http/Dispatcher.php”,“line”:230,“function”:“getMetadata”,“class”:“OCA\User_SAML\Controller\SAMLController”,“type”:“->”,“args”:[1]},{“file”:“/var/www/html/lib/private/AppFramework/Http/Dispatcher.php”,“line”:137,“function”:“executeController”,“class”:“OC\AppFramework\Http\Dispatcher”,“type”:“->”,“args”:[[“OCA\User_SAML\Controller\SAMLController”],“getMetadata”]},{“file”:“/var/www/html/lib/private/AppFramework/App.php”,“line”:183,“function”:“dispatch”,“class”:“OC\AppFramework\Http\Dispatcher”,“type”:“->”,“args”:[[“OCA\User_SAML\Controller\SAMLController”],“getMetadata”]},{“file”:“/var/www/html/lib/private/Route/Router.php”,“line”:315,“function”:“main”,“class”:“OC\AppFramework\App”,“type”:“::”,“args”:[“OCA\User_SAML\Controller\SAMLController”,“getMetadata”,[“OC\AppFramework\DependencyInjection\DIContainer”],[“user_saml.SAML.getMetadata”]]},{“file”:“/var/www/html/lib/base.php”,“line”:1071,“function”:“match”,“class”:“OC\Route\Router”,“type”:“->”,“args”:[“/apps/user_saml/saml/metadata”]},{“file”:“/var/www/html/index.php”,“line”:36,“function”:“handleRequest”,“class”:“OC”,“type”:“::”,“args”:}],“File”:“/var/www/html/custom_apps/user_saml/lib/Controller/SAMLController.php”,“Line”:297,“CustomMessage”:“–”},“id”:“64b9be7f0d5ea”}
{“reqId”:“EUvoyCCKojn9LV8X9zzi”,“level”:3,“time”:“2023-07-20T23:05:56+00:00”,“remoteAddr”:“121.7.56.39”,“user”:“admin”,“app”:“PHP”,“method”:“GET”,“url”:“/apps/user_saml/saml/metadata?idp=1”,“message”:“DOMDocument::schemaValidate(): Invalid Schema at /var/www/html/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Utils.php#153”,“userAgent”:“Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0”,“version”:“27.0.1.2”,“data”:{“app”:“PHP”},“id”:“64b9be7f0d5f8”}
{“reqId”:“YKOfySZtVuOYdRbDq0DG”,“level”:3,“time”:“2023-07-20T23:05:47+00:00”,“remoteAddr”:“121.7.56.39”,“user”:“admin”,“app”:“index”,“method”:“GET”,“url”:“/apps/user_saml/saml/metadata?idp=1”,“message”:“Invalid SP metadata: invalid_xml”,“userAgent”:“Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0”,“version”:“27.0.1.2”,“exception”:{“Exception”:“OneLogin\Saml2\Error”,“Message”:“Invalid SP metadata: invalid_xml”,“Code”:3,“Trace”:[{“file”:“/var/www/html/lib/private/AppFramework/Http/Dispatcher.php”,“line”:230,“function”:“getMetadata”,“class”:“OCA\User_SAML\Controller\SAMLController”,“type”:“->”,“args”:[1]},{“file”:“/var/www/html/lib/private/AppFramework/Http/Dispatcher.php”,“line”:137,“function”:“executeController”,“class”:“OC\AppFramework\Http\Dispatcher”,“type”:“->”,“args”:[[“OCA\User_SAML\Controller\SAMLController”],“getMetadata”]},{“file”:“/var/www/html/lib/private/AppFramework/App.php”,“line”:183,“function”:“dispatch”,“class”:“OC\AppFramework\Http\Dispatcher”,“type”:“->”,“args”:[[“OCA\User_SAML\Controller\SAMLController”],“getMetadata”]},{“file”:“/var/www/html/lib/private/Route/Router.php”,“line”:315,“function”:“main”,“class”:“OC\AppFramework\App”,“type”:“::”,“args”:[“OCA\User_SAML\Controller\SAMLController”,“getMetadata”,[“OC\AppFramework\DependencyInjection\DIContainer”],[“user_saml.SAML.getMetadata”]]},{“file”:“/var/www/html/lib/base.php”,“line”:1071,“function”:“match”,“class”:“OC\Route\Router”,“type”:“->”,“args”:[“/apps/user_saml/saml/metadata”]},{“file”:“/var/www/html/index.php”,“line”:36,“function”:“handleRequest”,“class”:“OC”,“type”:“::”,“args”:}],“File”:“/var/www/html/custom_apps/user_saml/lib/Controller/SAMLController.php”,“Line”:297,“CustomMessage”:“–”},“id”:“64b9be7f0d62f”}
{“reqId”:“YKOfySZtVuOYdRbDq0DG”,“level”:3,“time”:“2023-07-20T23:05:47+00:00”,“remoteAddr”:“121.7.56.39”,“user”:“admin”,“app”:“PHP”,“method”:“GET”,“url”:“/apps/user_saml/saml/metadata?idp=1”,“message”:“DOMDocument::schemaValidate(): Invalid Schema at /var/www/html/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Utils.php#153”,“userAgent”:“Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0”,“version”:“27.0.1.2”,“data”:{“app”:“PHP”},“id”:“64b9be7f0d63f”}

I’ve come across the same issue, costing quite some time. This is a new issue and a fix is on the way: SSO broken after upgrade from 26.0.3.2 to 26.0.4.2. Invalid metadata · Issue #755 · nextcloud/user_saml · GitHub

When will it be available in the app store?