I wrote the following request to the lemonldapng mailing list and got the answer, that there seems to be a bug in nextcloud…
please help
Hello,
I have tried a lot now and I do not know how to resolve the issue.
For several months I have been using lemonldap-ng together with Nextcloud with the user_saml plugin. I originally configured it according to your nice document:
http://lemonldap-ng.org/documentation/1.9/applications/nextcloud
And it worked from the beginning.
But after the recent Nextcloud upgrade to 11.0.1 it does not work anymore.
I always get "invalid request", "user not logged in".
Looking at the changelog it was clear that in this version they upgraded onelogin php-saml and, what I believe is even more important, enabled strict_mode. I believe that they now require a certificate in the Nextcloud installation.
So I generated certificates as described here:
http://lemonldap-ng.org/documentation/1.9/applications/simplesamlphp
with the following command line:
openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem
These I imported into Nextcloud by cut and paste into the relevant fields as service provider certificates.
When doing so, I get a Lasso error in the lemonldap-ng logs as follows:
[Sun Jan 22 21:30:57.320695 2017] [authz_core:debug] [pid 25:tid 140124744943360] mod_authz_core.c(809): [client 172.26.0.3:36340] AH01626: authorization result of Require all granted: granted
[Sun Jan 22 21:30:57.320729 2017] [authz_core:debug] [pid 25:tid 140124744943360] mod_authz_core.c(809): [client 172.26.0.3:36340] AH01626: authorization result of : granted
[Sun Jan 22 21:30:57.332144 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: Now using configuration: 160
[Sun Jan 22 21:30:57.332312 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: Module Lemonldap::Portal::Menu loaded
[Sun Jan 22 21:30:57.332450 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: Module Lemonldap::Portal::Display loaded
[Sun Jan 22 21:30:57.332575 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: Module Lemonldap::Portal::AuthDBI loaded
[Sun Jan 22 21:30:57.332991 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: Module Lemonldap::Portal::UserDBDBI loaded
[Sun Jan 22 21:30:57.333448 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: Module Lemonldap::Portal::PasswordDBDBI loaded
[Sun Jan 22 21:30:57.334007 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: Module Lemonldap::Portal::RegisterDBNull loaded
[Sun Jan 22 21:30:57.334368 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: [IssuerDB activation] Try issuerDB module SAML
[Sun Jan 22 21:30:57.334409 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: [IssuerDB activation] Found path ^/saml/
[Sun Jan 22 21:30:57.334587 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: [IssuerDB activation] Path of current request is /saml/singleSignOn
[Sun Jan 22 21:30:57.334742 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: Module Lemonldap::Portal::IssuerDBSAML loaded
[Sun Jan 22 21:30:57.334779 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: [IssuerDB activation] IssuerDB module SAML loaded
[Sun Jan 22 21:30:57.335036 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: processing to sub controlUrlOrigin
[Sun Jan 22 21:30:57.335076 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: processing to sub checkNotifBack
[Sun Jan 22 21:30:57.335119 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: processing to sub controlExistingSession
[Sun Jan 22 21:30:57.335516 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: Try to get session a6dbebe22000c4deb977635898b55ba3189e8226eb17c3749d8a26b00bcbf85a
[Sun Jan 22 21:30:57.338184 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: Inform Apache about the user connected
[Sun Jan 22 21:30:57.338230 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: Return session a6dbebe22000c4deb977635898b55ba3189e8226eb17c3749d8a26b00bcbf85a
[Sun Jan 22 21:30:57.338291 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: processing to sub existingSession
[Sun Jan 22 21:30:57.338333 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: processing to sub authForce
[Sun Jan 22 21:30:57.338382 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: processing to sub checkNotification
[Sun Jan 22 21:30:57.338591 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: processing to sub issuerDBInit
[Sun Jan 22 21:30:57.338675 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: SAML cache configuration: 160
[Sun Jan 22 21:30:57.338708 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: Restore server from cache
[Sun Jan 22 21:30:57.341486 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: Load SPs from cache
[Sun Jan 22 21:30:57.341570 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(114): /usr/share/perl5/Lemonldap/NG/Portal/_SAML.pm 245:
[Sun Jan 22 21:30:57.341599 2017] [perl:warn] [pid 25:tid 140124744943360] No IDP found in configuration
[Sun Jan 22 21:30:57.341860 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: processing to sub authInit
[Sun Jan 22 21:30:57.341907 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: processing to sub issuerForAuthUser
[Sun Jan 22 21:30:57.341948 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: Applying rule: 1
[Sun Jan 22 21:30:57.342368 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: Evaluate expression: 1
[Sun Jan 22 21:30:57.342669 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: Evaluation result: 1
[Sun Jan 22 21:30:57.342703 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: User wollo@lohwassers.de allowed to use IssuerDB SAML
[Sun Jan 22 21:30:57.343440 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: URL /saml/singleSignOn detected as an SSO request URL
[Sun Jan 22 21:30:57.343573 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: SAML method: HTTP-REDIRECT
[Sun Jan 22 21:30:57.343731 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: HTTP-REDIRECT: SAML Request SAMLRequest=nZJPbxoxEMXvfIrId%2FZv6QoLkGhoUyQKCEgPvaDBOwtWd23HY6fJt6%2FZJU0TqRw6B0ue8fvpvZFHBE1t%2BNS7k9rgg0dyvZtQT02tiLfDMfNWcQ0kiStokLgTfDv9tuBZlHBjtdNC1%2Byd7LoKiNA6qVUnm8%2FGbLX8vFjdzZf7YZ7D4UNWijSvysEhL6phMvyYH9I0A8BhkhZFlWei6KTf0VLgjFnAsl5HI%2FI4V%2BRAudAPgn6S9rNsl6U8T%2Fig%2BNFJZyGsVOBa%2Bck5QzyOIWwi%2BmkwKjE%2B54hJqmONW3lUq4vb9SXyJ6nKMLye9NA9Iv51t1v316vtroNMXzZwqxX5Bu0W7aMUeL9ZvJoRtfbli5sAwqfInEwMxlDsg37fOTwfIIhNWvLofOftEuzkP0gNOijBwSj%2BG%2FSKNnwZUs5na11L8dz2z%2FVF2wbcv5eRRmnbkWW%2Fap9yr8igkJXEkv3BTOta%2F7q1CA7HzFmP7Cae9HqdmbcfdfIb;RelayState=http%3A%2F%2Fcloud.my_domain.com%2Findex.php%2Fapps%2Fuser_saml%2Fsaml%2Flogin
[Sun Jan 22 21:30:57.343797 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: Store U0FNTFJlcXVlc3Q9blpKUGJ4b3hFTVh2ZklySWQlMkZadjZRb0xrR2hvVXlRS0NFZ1B2YURCT3d0\nV2QyM0hZNmZKdDYlMkZaSlUwVHFSdzZCMHVlOGZ2cHZaRkhCRTF0JTJCTlM3azlyZ2cwZHl2WnRR\nVDAydGlMZkRNZk5XY1Ewa2lTdG9rTGdUZkR2OXR1QlpsSEJqdGROQzElMkJ5ZDdMb0tpTkE2cVZV\nbm04JTJGR2JMWDh2RmpkelpmN1laN0Q0VU5XaWpTdnlzRWhMNnBoTXZ5WUg5STBBOEJoa2haRmxX\nZWk2S1RmMFZMZ2pGbkFzbDVISSUyRkk0ViUyQlJBdWRBUGduNlM5ck5zbDZVOFQlMkZpZyUyQk5G\nSlp5R3NWT0JhJTJCY2s1UXp5T0lXd2klMkJta3dLakUlMkI1NGhKcW1PTlczbFVxNHZiOVNYeUo2\nbktNTHllOU5BOUl2NTF0MXYzMTZ2dHJvTk1Yelp3cXhYNUJ1MFc3YU1VZUw5WnZKb1J0ZmJsaTVz\nQXdxZkluRXdNeGxEc2czN2ZPVHdmSUloTld2TG9mT2Z0RXV6a1AwZ05PaWpCd1NqJTJCRyUyRlNL\nTm53WlVzNW5hMTFMOGR6MnolMkZWRjJ3YmN2NWVSUm1uYmtXVyUyRmFwOXlyOGlna0pYRWt2M0JU\nT3RhJTJGN3ExQ0E3SHpGbVA3Q2FlOUhxZG1iY2ZkZkliO1JlbGF5U3RhdGU9aHR0cCUzQSUyRiUy\nRmNsb3VkLmtwZS5kZSUyRmluZGV4LnBocCUyRmFwcHMlMkZ1c2VyX3NhbWwlMkZzYW1sJTJGbG9n\naW4=\n in hidden key lmhidden_SAMLRequest
[Sun Jan 22 21:30:57.343838 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: Store NA==\n in hidden key lmhidden_Method
[Sun Jan 22 21:30:57.343869 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: Store aHR0cDovL2Nsb3VkLmtwZS5kZS9pbmRleC5waHAvYXBwcy91c2VyX3NhbWwvc2FtbC9sb2dpbg==\n in hidden key lmhidden_RelayState
[Sun Jan 22 21:30:57.343957 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: Loading Session dump: \n\n<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_84652A0316F4177670B65CC34B0E7209</saml:NameID>\n\n
[Sun Jan 22 21:30:57.344052 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: Lasso Session loaded
[Sun Jan 22 21:30:57.344432 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: Found entityID https://cloud.my_domain.com/index.php/apps/user_saml/saml/metadata in SAML message
[Sun Jan 22 21:30:57.344464 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: https://cloud.my_domain.com/index.php/apps/user_saml/saml/metadata match cloud.my_domain.com SP in configuration
[Sun Jan 22 21:30:57.344901 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: Lasso error code -113: Invalid signature algorithm.
[Sun Jan 22 21:30:57.344936 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(114): /usr/share/perl5/Lemonldap/NG/Portal/IssuerDBSAML.pm 1324:
[Sun Jan 22 21:30:57.344962 2017] [perl:error] [pid 25:tid 140124744943360] Signature is not valid
[Sun Jan 22 21:30:57.345345 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::Portal::SharedConf: Display type standardform
[Sun Jan 22 21:30:57.360570 2017] [deflate:debug] [pid 25:tid 140124744943360] mod_deflate.c(855): [client 172.26.0.3:36340] AH01384: Zlib: Compressed 5619 to 2421 : URL /saml/singleSignOn
so:
Lasso error code -113: Invalid signature algorithm.
I also tried to force UTF-8 on or off in lemonldap-ng, but no success either.
Or am I doing something completely stupid?
Any idea? Please help, as my users currently cannot log in anymore, or I have to revert to the previous version, but at some point in time I will have to upgrade anyhow…
Hello,
I tried to decode the SAML request but it does not appear to be valid XML content. It seems like Nextcloud has encoded "SAMLRequest=" at the beginning of the string, which is a bug on their side.
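The reply above rests on decoding the SAMLRequest parameter by hand. The following is an added example of that check, not code from LemonLDAP::NG, Lasso, Nextcloud or the user_saml plugin: it implements the SAML 2.0 HTTP-Redirect binding decoding (URL-decode, base64-decode, raw DEFLATE inflate, XML parse) and reports, instead of raising, which step fails. It also flags the failure mode the reply names, on the assumption that "encoded SAMLRequest= at the beginning of the string" means the parameter value itself starts with the literal text SAMLRequest=. The AuthnRequest, the hostnames under example.invalid and the broken query string are all constructed for this example; the real request from the log is not reproduced. Note that the log above joins parameters with ";", so the decoder normalises ";" to "&" before parsing.

```python
"""Decode and sanity-check a SAML 2.0 HTTP-Redirect binding request.

Added diagnostic example (not LemonLDAP::NG, Lasso or Nextcloud code).
All sample data below is constructed for this example.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed AuthnRequest; sp.example.invalid is a placeholder hostname.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="%s" ID="_example-id" Version="2.0" '
    'IssueInstant="2017-01-22T21:30:57Z" '
    'AssertionConsumerServiceURL="https://sp.example.invalid/acs">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.invalid/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>' % SAMLP_NS
)


def encode_redirect_request(xml_text, relay_state):
    """Build the query string an SP sends with the HTTP-Redirect binding:
    raw DEFLATE (no zlib header) -> base64 -> URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    b64 = base64.b64encode(deflated).decode("ascii")
    return "SAMLRequest=%s&RelayState=%s" % (quote(b64, safe=""),
                                             quote(relay_state, safe=""))


def double_encode_value(query_string):
    """Constructed reproduction of the suspected bug: the parameter name
    ends up inside the (URL-encoded) parameter value."""
    return query_string.replace("SAMLRequest=", "SAMLRequest=SAMLRequest%3D", 1)


def decode_redirect_request(query_string):
    """Return a dict describing the request; never raises on bad input."""
    # LemonLDAP::NG's log above shows ";" between parameters; base64 and
    # URL-encoded values never contain a raw ";", so normalising is safe.
    params = parse_qs(query_string.replace(";", "&"), keep_blank_values=True)
    result = {
        "has_signature": "Signature" in params,
        "sig_alg": params.get("SigAlg", [None])[0],
        "relay_state": params.get("RelayState", [None])[0],
        "double_encoded": False,
        "xml_root": None,
        "error": None,
    }
    if result["has_signature"] and result["sig_alg"] is None:
        result["error"] = "Signature present but SigAlg parameter missing"
        return result
    raw = params.get("SAMLRequest", [None])[0]  # parse_qs already URL-decoded it
    if raw is None:
        result["error"] = "no SAMLRequest parameter"
        return result
    if raw.startswith("SAMLRequest="):
        # The failure mode named in the reply: strip the stray prefix so the
        # rest of the request can still be inspected.
        result["double_encoded"] = True
        raw = raw[len("SAMLRequest="):]
    try:
        data = base64.b64decode(raw, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        result["error"] = "SAMLRequest is not valid base64"
        return result
    try:
        xml_bytes = zlib.decompress(data, -15)  # raw DEFLATE, no zlib header
    except zlib.error:
        result["error"] = "SAMLRequest is not raw-DEFLATE compressed"
        return result
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        result["error"] = "inflated SAMLRequest is not well-formed XML"
        return result
    result["xml_root"] = root.tag
    return result


if __name__ == "__main__":
    good = encode_redirect_request(SAMPLE_AUTHN_REQUEST, "https://sp.example.invalid/login")
    for label, query in (("well-formed", good), ("double-encoded", double_encode_value(good))):
        print(label, decode_redirect_request(query))
```

Paste the query string from a log line (the part after "SAMLRequest=" including the RelayState) into decode_redirect_request to see whether it inflates to an AuthnRequest, whether the value carries the stray prefix, and whether the signed-redirect parameters (Signature, SigAlg) are present at all, which is the first thing to look at when Lasso reports an invalid signature algorithm.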