User_saml always gives 500 to unauthenticated user

Keen to try out the new saml-integration, I went on enabling and configuring the app.
After putting in the right URLs and public certificate, the metadata generates properly.
Added Nextcloud as an SP to PHPSimpleSAML, as I've done with many other applications.
When accessing the Nextcloud-URL, I get a nice redirect, but no (SAML) login request. The server only shows a 500-error, see the following lines from the webserver-log:

IP - - [06/Jul/2016:14:02:39 +0200] "GET /apps/user_saml/js/preauth.js HTTP/1.1" 200 185 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0"
IP - - [06/Jul/2016:14:02:39 +0200] "GET /index.php/apps/theming/styles.css?v=0 HTTP/1.1" 500 9185 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0"
IP - - [06/Jul/2016:14:02:39 +0200] "GET /index.php/apps/user_saml/saml/login?requesttoken=JygLViwHT3dhHUMCGnEzHU4tGigPeA4GMmwxQgtBLy4%3D%3AEp82Brd9Q225M6TJ6yikw%2Fa4HTpra4Mgx6tpNg8twqc%3D HTTP/1.1" 500 9185 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0"
IP - - [06/Jul/2016:14:02:40 +0200] "GET /index.php/apps/theming/styles.css?v=0 HTTP/1.1" 500 9185 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0"

So it doesn’t even get to the SAML-request.

Also, when I try to get the metadata-file (https://DOMAIN/index.php/apps/user_saml/saml/metadata) as an unauthenticated user, I get the above problem.
When I try to get this file as an already authenticated user (authenticated before user_saml was enabled), I can actually get this file.

Final remark: the user_ldap module is enabled as well. I'm not sure if that should lead to problems, but I think that user_saml and user_ldap should co-exist, as they have different uses.

I’ve seen this topic, but that doesn’t really seem to be the same problem: How does the user_saml app work?

Is what I describe a known problem, or just a (possibly stupid) configuration error?

Can you share your complete configuration with us as well as your Nextcloud and PHP error log? That may help. :wink:

Also you may need to apply https://github.com/nextcloud/user_saml/pull/20. Seems like a small problem sneaked in that made it incompatible with some DBs.

Sorry for that!

You're of course right.

nextcloud.log (this actually shows up twice per 'try'):

{
"reqId": "V3zzX2ycOl-Hp7R5dfiyjQAAAAM",
"remoteAddr": "IP",
"app": "index",
"message": "Exception: {"Exception":"Doctrine\\DBAL\\Exception\\InvalidFieldNameException","Message":"An exception occurred while executing 'SELECT token FROM oc_user_saml_users WHERE uid = ? LIMIT 1' with params [null]:\n\nSQLSTATE[42S22]: Column not found: 1054 Unknown column 'token' in 'field list'","Code":0,"Trace":"#0 \/var\/www\/html\/nextcloud-9.0.52\/3rdparty\/doctrine\/dbal\/lib\/Doctrine\/DBAL\/DBALException.php(116): Doctrine\\DBAL\\Driver\\AbstractMySQLDriver->convertException('An exception oc…', Object(Doctrine\\DBAL\\Driver\\PDOException))\n#1 \/var\/www\/html\/nextcloud-9.0.52\/3rdparty\/doctrine\/dbal\/lib\/Doctrine\/DBAL\/Connection.php(836): Doctrine\\DBAL\\DBALException::driverExceptionDuringQuery(Object(Doctrine\\DBAL\\Driver\\PDOMySql\\Driver), Object(Doctrine\\DBAL\\Driver\\PDOException), 'SELECT token …', Array)\n#2 \/var\/www\/html\/nextcloud-9.0.52\/lib\/private\/db\/connection.php(184): Doctrine\\DBAL\\Connection->executeQuery('SELECT token …', Array, Array, NULL)\n#3 \/var\/www\/html\/nextcloud-9.0.52\/3rdparty\/doctrine\/dbal\/lib\/Doctrine\/DBAL\/Query\/QueryBuilder.php(206): OC\\DB\\Connection->executeQuery('SELECT token …', Array, Array)\n#4 \/var\/www\/html\/nextcloud-9.0.52\/lib\/private\/db\/querybuilder\/querybuilder.php(141): Doctrine\\DBAL\\Query\\QueryBuilder->execute()\n#5 \/var\/www\/html\/nextcloud-9.0.52\/apps\/user_saml\/lib\/userbackend.php(74): OC\\DB\\QueryBuilder\\QueryBuilder->execute()\n#6 \/var\/www\/html\/nextcloud-9.0.52\/apps\/user_saml\/lib\/userbackend.php(206): OCA\\User_SAML\\UserBackend->userExistsInDatabase(NULL)\n#7 \/var\/www\/html\/nextcloud-9.0.52\/lib\/private\/user\/manager.php(138): OCA\\User_SAML\\UserBackend->userExists(NULL)\n#8 \/var\/www\/html\/nextcloud-9.0.52\/lib\/private\/group.php(130): OC\\User\\Manager->get(NULL)\n#9 \/var\/www\/html\/nextcloud-9.0.52\/lib\/private\/user.php(363): OC_Group::inGroup(NULL, 'admin')\n#10 \/var\/www\/html\/nextcloud-9.0.52\/lib\/private\/appframework\/dependencyinjection\/dicontainer.php(416): OC_User::isAdminUser(NULL)\n#11 \/var\/www\/html\/nextcloud-9.0.52\/lib\/private\/appframework\/dependencyinjection\/dicontainer.php(331): OC\\AppFramework\\DependencyInjection\\DIContainer->isAdminUser()\n#12 \/var\/www\/html\/nextcloud-9.0.52\/3rdparty\/pimple\/pimple\/src\/Pimple\/Container.php(113): OC\\AppFramework\\DependencyInjection\\DIContainer->OC\\AppFramework\\DependencyInjection\\{closure}(Object(OC\\AppFramework\\DependencyInjection\\DIContainer))\n#13 \/var\/www\/html\/nextcloud-9.0.52\/lib\/private\/appframework\/dependencyinjection\/dicontainer.php(356): Pimple\\Container->offsetGet('SecurityMiddlew…')\n#14 \/var\/www\/html\/nextcloud-9.0.52\/3rdparty\/pimple\/pimple\/src\/Pimple\/Container.php(113): OC\\AppFramework\\DependencyInjection\\DIContainer->OC\\AppFramework\\DependencyInjection\\{closure}(Object(OC\\AppFramework\\DependencyInjection\\DIContainer))\n#15 \/var\/www\/html\/nextcloud-9.0.52\/lib\/private\/appframework\/dependencyinjection\/dicontainer.php(311): Pimple\\Container->offsetGet('MiddlewareDispa…')\n#16 \/var\/www\/html\/nextcloud-9.0.52\/3rdparty\/pimple\/pimple\/src\/Pimple\/Container.php(113): OC\\AppFramework\\DependencyInjection\\DIContainer->OC\\AppFramework\\DependencyInjection\\{closure}(Object(OC\\AppFramework\\DependencyInjection\\DIContainer))\n#17 \/var\/www\/html\/nextcloud-9.0.52\/lib\/private\/appframework\/app.php(102): Pimple\\Container->offsetGet('Dispatcher')\n#18 \/var\/www\/html\/nextcloud-9.0.52\/lib\/private\/appframework\/routing\/routeactionhandler.php(45): OC\\AppFramework\\App::main('SAMLController', 'login', Object(OC\\AppFramework\\DependencyInjection\\DIContainer), Array)\n#19 [internal function]: OC\\AppFramework\\routing\\RouteActionHandler->__invoke(Array)\n#20 \/var\/www\/html\/nextcloud-9.0.52\/lib\/private\/route\/router.php(276): call_user_func(Object(OC\\AppFramework\\routing\\RouteActionHandler), Array)\n#21 \/var\/www\/html\/nextcloud-9.0.52\/lib\/base.php(967): OC\\Route\\Router->match('\/apps\/user_saml…')\n#22 \/var\/www\/html\/nextcloud-9.0.52\/index.php(39): OC::handleRequest()\n#23 {main}","File":"\/var\/www\/html\/nextcloud-9.0.52\/3rdparty\/doctrine\/dbal\/lib\/Doctrine\/DBAL\/Driver\/AbstractMySQLDriver.php","Line":71}",
"level": 3,
"time": "2016-07-06T12:02:40+00:00",
"method": "GET",
"url": "/index.php/apps/user_saml/saml/login?requesttoken=JygLViwHT3dhHUMCGnEzHU4tGigPeA4GMmwxQgtBLy4%3D%3AEp82Brd9Q225M6TJ6yikw%2Fa4HTpra4Mgx6tpNg8twqc%3D",
"user": "--"
}

The user_saml config:

"user_saml","enabled","yes"
"user_saml","general-require_provisioned_account","0"
"user_saml","general-uid_mapping","saml:AttributeNameID"
"user_saml","idp-entityId","https://IDP/saml/saml2/idp/metadata.php"
"user_saml","idp-singleLogoutService.url","https://IDP/saml/saml2/idp/SingleLogoutService.php"
"user_saml","idp-singleSignOnService.url","https://IDP/saml/saml2/idp/SSOService.php"
"user_saml","idp-x509cert","-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----"
"user_saml","installed_version","1.0.1"
"user_saml","security-authnRequestsSigned","0"
"user_saml","security-logoutRequestSigned","0"
"user_saml","security-logoutResponseSigned","0"
"user_saml","security-nameIdEncrypted","1"
"user_saml","security-wantAssertionsEncrypted","0"
"user_saml","security-wantAssertionsSigned","1"
"user_saml","security-wantMessagesSigned","0"
"user_saml","security-wantNameId","0"
"user_saml","security-wantNameIdEncrypted","0"
"user_saml","security-wantXMLValidation","0"
"user_saml","types","authentication"
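A small triage helper for nextcloud.log entries of the shape pasted above, where the "message" field carries a second JSON-encoded exception record. This is an added example, not code from the thread or from Nextcloud; the sample lines are constructed and abbreviated, and it flags the "Unknown column" SQL error as a schema-behind-code condition (the situation the PR above fixes).

```python
import json
import re

# Constructed sample entries shaped like the nextcloud.log excerpt in the thread.
# Paths and the trace are placeholders, not real values.
SAMPLE_LINES = [
    json.dumps({
        "reqId": "CONSTRUCTED-REQID", "remoteAddr": "IP", "app": "index",
        "message": "Exception: " + json.dumps({
            "Exception": "Doctrine\\DBAL\\Exception\\InvalidFieldNameException",
            "Message": "An exception occurred while executing 'SELECT token FROM "
                       "oc_user_saml_users WHERE uid = ? LIMIT 1' with params [null]:"
                       "\n\nSQLSTATE[42S22]: Column not found: 1054 Unknown column "
                       "'token' in 'field list'",
            "Code": 0, "File": "/placeholder/AbstractMySQLDriver.php", "Line": 71,
        }),
        "level": 3, "time": "2016-07-06T12:02:40+00:00", "method": "GET",
        "url": "/index.php/apps/user_saml/saml/login", "user": "--",
    }),
    json.dumps({"reqId": "CONSTRUCTED-2", "app": "core", "level": 1,
                "message": "plain informational entry", "user": "--"}),
]

SQLSTATE = re.compile(r"SQLSTATE\[(\w+)\]")
UNKNOWN_COLUMN = re.compile(r"Unknown column '([^']+)' in '([^']+)'")


def parse_entry(line):
    """Return a triage record for an exception entry, or None for anything else."""
    entry = json.loads(line)
    msg = entry.get("message", "")
    if not msg.startswith("Exception: "):
        return None
    exc = json.loads(msg[len("Exception: "):])  # the embedded exception record
    detail = exc.get("Message", "")
    state = SQLSTATE.search(detail)
    column = UNKNOWN_COLUMN.search(detail)
    return {
        "time": entry.get("time"), "url": entry.get("url"), "user": entry.get("user"),
        "exception": exc.get("Exception"), "file": exc.get("File"), "line": exc.get("Line"),
        "sqlstate": state.group(1) if state else None,
        "missing_column": column.group(1) if column else None,
        # A missing column means the app's tables lag behind its code (pending migration).
        "schema_mismatch": column is not None,
    }


def triage(lines):
    """Parse every log line and keep only the exception records."""
    return [rec for rec in (parse_entry(line) for line in lines) if rec]
```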

This specific error should be just patched with https://github.com/nextcloud/user_saml/pull/20, can you retry with that patch applied? That would be utmostly appreciated! :rocket:


Saw your message right after I posted it.
This fixes the problem. Thanks!

Great!

If you have any feature requests or bug reports, please file them at Issues · nextcloud/user_saml · GitHub. That would be very helpful :slight_smile: