User_saml gives invalid_response after upgrade from 11.0.0 to 11.0.1, potential bug?

Today I upgraded my Nextcloud instance from 11.0.0 to 11.0.1.
I am using user_saml to authenticate against lemonldap-ng.
I followed in the past the following guide

http://lemonldap-ng.org/documentation/1.9/applications/nextcloud

for setting this up, and it worked in Nextcloud 10 and 11.
After the update I am getting:

invalid_response

Not authenticated

How can I resolve this? I suppose that it is due to the upgraded SAML library within Nextcloud 11.0.1.
I already reconfigured everything according to the above linked guide. I deleted my sessions and my browser cache.
But all I get after authenticating to my lemonldap-ng is the above error, when I am transferred to the link
https://my_domain.com/index.php/apps/user_saml/saml/acs

So MY USERS CANNOT log in anymore

Btw:
Nothing in the nextcloud logs

I wrote the following request to the lemonldap-ng mailing list and got the answer that there seems to be a bug in Nextcloud…
please help

Hello,

I have tried a lot now and I do not know how to resolve the issue.

For several months I have been using lemonldap-ng together with Nextcloud with the user_saml plugin. I originally configured it according to the nice document from you
http://lemonldap-ng.org/documentation/1.9/applications/nextcloud

And it worked from the beginning.

But after the recent Nextcloud upgrade to 11.0.1 it does not work anymore.

I always get “invalid request”, “user not logged in”.

Looking at the changelog it was clear that in this version they upgraded onelogin php-saml and, what is even more important, I believe, enabled strict mode. I believe that they now require a certificate in the Nextcloud installation.

So I generated certificates, as described here:
http://lemonldap-ng.org/documentation/1.9/applications/simplesamlphp

with the following command line:
openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem
These I imported into Nextcloud by cut and paste into the relevant fields as service provider certificates.

When doing so, I get a Lasso error in the lemonldap-ng logs as follows:

[Sun Jan 22 21:30:57.320695 2017] [authz_core:debug] [pid 25:tid 140124744943360] mod_authz_core.c(809): [client 172.26.0.3:36340] AH01626: authorization result of Require all granted: granted
[Sun Jan 22 21:30:57.320729 2017] [authz_core:debug] [pid 25:tid 140124744943360] mod_authz_core.c(809): [client 172.26.0.3:36340] AH01626: authorization result of : granted
[Sun Jan 22 21:30:57.332144 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: Now using configuration: 160
[Sun Jan 22 21:30:57.332312 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: Module Lemonldap::ng::Portal::Menu loaded
[Sun Jan 22 21:30:57.332450 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: Module Lemonldap::ng::Portal::Display loaded
[Sun Jan 22 21:30:57.332575 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: Module Lemonldap::ng::Portal::AuthDBI loaded
[Sun Jan 22 21:30:57.332991 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: Module Lemonldap::ng::Portal::UserDBDBI loaded
[Sun Jan 22 21:30:57.333448 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: Module Lemonldap::ng::Portal::PasswordDBDBI loaded
[Sun Jan 22 21:30:57.334007 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: Module Lemonldap::ng::Portal::RegisterDBNull loaded
[Sun Jan 22 21:30:57.334368 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: [IssuerDB activation] Try issuerDB module SAML
[Sun Jan 22 21:30:57.334409 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: [IssuerDB activation] Found path ^/saml/
[Sun Jan 22 21:30:57.334587 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: [IssuerDB activation] Path of current request is /saml/singleSignOn
[Sun Jan 22 21:30:57.334742 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: Module Lemonldap::ng::Portal::IssuerDBSAML loaded
[Sun Jan 22 21:30:57.334779 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: [IssuerDB activation] IssuerDB module SAML loaded
[Sun Jan 22 21:30:57.335036 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: processing to sub controlUrlOrigin
[Sun Jan 22 21:30:57.335076 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: processing to sub checkNotifBack
[Sun Jan 22 21:30:57.335119 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: processing to sub controlExistingSession
[Sun Jan 22 21:30:57.335516 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: Try to get session a6dbebe22000c4deb977635898b55ba3189e8226eb17c3749d8a26b00bcbf85a
[Sun Jan 22 21:30:57.338184 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: Inform Apache about the user connected
[Sun Jan 22 21:30:57.338230 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: Return session a6dbebe22000c4deb977635898b55ba3189e8226eb17c3749d8a26b00bcbf85a
[Sun Jan 22 21:30:57.338291 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: processing to sub existingSession
[Sun Jan 22 21:30:57.338333 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: processing to sub authForce
[Sun Jan 22 21:30:57.338382 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: processing to sub checkNotification
[Sun Jan 22 21:30:57.338591 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: processing to sub issuerDBInit
[Sun Jan 22 21:30:57.338675 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: SAML cache configuration: 160
[Sun Jan 22 21:30:57.338708 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: Restore server from cache
[Sun Jan 22 21:30:57.341486 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: Load SPs from cache
[Sun Jan 22 21:30:57.341570 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(114): /usr/share/perl5/Lemonldap/NG/Portal/_SAML.pm 245:
[Sun Jan 22 21:30:57.341599 2017] [perl:warn] [pid 25:tid 140124744943360] No IDP found in configuration
[Sun Jan 22 21:30:57.341860 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: processing to sub authInit
[Sun Jan 22 21:30:57.341907 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: processing to sub issuerForAuthUser
[Sun Jan 22 21:30:57.341948 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: Applying rule: 1
[Sun Jan 22 21:30:57.342368 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: Evaluate expression: 1
[Sun Jan 22 21:30:57.342669 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: Evaluation result: 1
[Sun Jan 22 21:30:57.342703 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: User wollo@lohwassers.de allowed to use IssuerDB SAML
[Sun Jan 22 21:30:57.343440 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: URL /saml/singleSignOn detected as an SSO request URL
[Sun Jan 22 21:30:57.343573 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: SAML method: HTTP-REDIRECT
[Sun Jan 22 21:30:57.343731 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: HTTP-REDIRECT: SAML Request SAMLRequest=nZJPbxoxEMXvfIrId%2FZv6QoLkGhoUyQKCEgPvaDBOwtWd23HY6fJt6%2FZJU0TqRw6B0ue8fvpvZFHBE1t%2BNS7k9rgg0dyvZtQT02tiLfDMfNWcQ0kiStokLgTfDv9tuBZlHBjtdNC1%2Byd7LoKiNA6qVUnm8%2FGbLX8vFjdzZf7YZ7D4UNWijSvysEhL6phMvyYH9I0A8BhkhZFlWei6KTf0VLgjFnAsl5HI%2FI4V%2BRAudAPgn6S9rNsl6U8T%2Fig%2BNFJZyGsVOBa%2Bck5QzyOIWwi%2BmkwKjE%2B54hJqmONW3lUq4vb9SXyJ6nKMLye9NA9Iv51t1v316vtroNMXzZwqxX5Bu0W7aMUeL9ZvJoRtfbli5sAwqfInEwMxlDsg37fOTwfIIhNWvLofOftEuzkP0gNOijBwSj%2BG%2FSKNnwZUs5na11L8dz2z%2FVF2wbcv5eRRmnbkWW%2Fap9yr8igkJXEkv3BTOta%2F7q1CA7HzFmP7Cae9HqdmbcfdfIb;RelayState=http%3A%2F%2Fcloud.my_domain.com%2Findex.php%2Fapps%2Fuser_saml%2Fsaml%2Flogin
[Sun Jan 22 21:30:57.343797 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: Store U0FNTFJlcXVlc3Q9blpKUGJ4b3hFTVh2ZklySWQlMkZadjZRb0xrR2hvVXlRS0NFZ1B2YURCT3d0\nV2QyM0hZNmZKdDYlMkZaSlUwVHFSdzZCMHVlOGZ2cHZaRkhCRTF0JTJCTlM3azlyZ2cwZHl2WnRR\nVDAydGlMZkRNZk5XY1Ewa2lTdG9rTGdUZkR2OXR1QlpsSEJqdGROQzElMkJ5ZDdMb0tpTkE2cVZV\nbm04JTJGR2JMWDh2RmpkelpmN1laN0Q0VU5XaWpTdnlzRWhMNnBoTXZ5WUg5STBBOEJoa2haRmxX\nZWk2S1RmMFZMZ2pGbkFzbDVISSUyRkk0ViUyQlJBdWRBUGduNlM5ck5zbDZVOFQlMkZpZyUyQk5G\nSlp5R3NWT0JhJTJCY2s1UXp5T0lXd2klMkJta3dLakUlMkI1NGhKcW1PTlczbFVxNHZiOVNYeUo2\nbktNTHllOU5BOUl2NTF0MXYzMTZ2dHJvTk1Yelp3cXhYNUJ1MFc3YU1VZUw5WnZKb1J0ZmJsaTVz\nQXdxZkluRXdNeGxEc2czN2ZPVHdmSUloTld2TG9mT2Z0RXV6a1AwZ05PaWpCd1NqJTJCRyUyRlNL\nTm53WlVzNW5hMTFMOGR6MnolMkZWRjJ3YmN2NWVSUm1uYmtXVyUyRmFwOXlyOGlna0pYRWt2M0JU\nT3RhJTJGN3ExQ0E3SHpGbVA3Q2FlOUhxZG1iY2ZkZkliO1JlbGF5U3RhdGU9aHR0cCUzQSUyRiUy\nRmNsb3VkLmtwZS5kZSUyRmluZGV4LnBocCUyRmFwcHMlMkZ1c2VyX3NhbWwlMkZzYW1sJTJGbG9n\naW4=\n in hidden key lmhidden_SAMLRequest
[Sun Jan 22 21:30:57.343838 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: Store NA==\n in hidden key lmhidden_Method
[Sun Jan 22 21:30:57.343869 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: Store aHR0cDovL2Nsb3VkLmtwZS5kZS9pbmRleC5waHAvYXBwcy91c2VyX3NhbWwvc2FtbC9sb2dpbg==\n in hidden key lmhidden_RelayState
[Sun Jan 22 21:30:57.343957 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: Loading Session dump: \n\n<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_84652A0316F4177670B65CC34B0E7209</saml:NameID>\n\n
[Sun Jan 22 21:30:57.344052 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: Lasso Session loaded
[Sun Jan 22 21:30:57.344432 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: Found entityID https://cloud.my_domain.com/index.php/apps/user_saml/saml/metadata in SAML message
[Sun Jan 22 21:30:57.344464 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: https://cloud.my_domain.com/index.php/apps/user_saml/saml/metadata match cloud.my_domain.com SP in configuration
[Sun Jan 22 21:30:57.344901 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: Lasso error code -113: Invalid signature algorithm.
[Sun Jan 22 21:30:57.344936 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(114): /usr/share/perl5/Lemonldap/NG/Portal/IssuerDBSAML.pm 1324:
[Sun Jan 22 21:30:57.344962 2017] [perl:error] [pid 25:tid 140124744943360] Signature is not valid
[Sun Jan 22 21:30:57.345345 2017] [perl:debug] [pid 25:tid 140124744943360] CGI.pm(115): Lemonldap::ng::Portal::SharedConf: Display type standardform
[Sun Jan 22 21:30:57.360570 2017] [deflate:debug] [pid 25:tid 140124744943360] mod_deflate.c(855): [client 172.26.0.3:36340] AH01384: Zlib: Compressed 5619 to 2421 : URL /saml/singleSignOn

so:
Lasso error code -113: Invalid signature algorithm.

I also tried to force UTF-8 on or off in lemonldap-ng, but no success either.
Or am I doing something completely stupid?

Any idea? Please help, as my users currently cannot log in anymore, or I have to revert to the previous version, but at some point in time I will have to upgrade anyhow…

Hello,

I tried to decode the SAML request but it does not appear to be a valid XML content. Seems like Nextcloud has encoded “SAMLRequest=” at the beginning of the string, which is a bug on their side.
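The mailing-list reply above says the SAMLRequest could not be decoded because the value began with the literal text "SAMLRequest=". The script below is an added example, not code from the original post, from Nextcloud or from lemonldap-ng: it encodes a constructed AuthnRequest the way the HTTP-Redirect binding requires (raw DEFLATE, then base64, then URL-encoding in the query string), decodes it the way an IdP would, and classifies a received value so that this particular mistake is reported by name instead of as a bare "invalid signature" or "not valid XML". The hostnames, request ID and timestamps are placeholders.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample AuthnRequest; hostnames and ID are placeholders, not
# values taken from the thread above.
AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-request-1" Version="2.0" IssueInstant="2017-01-22T21:30:57Z" '
    'AssertionConsumerServiceURL="https://cloud.example.com/index.php/apps/user_saml/saml/acs">'
    '<saml:Issuer>https://cloud.example.com/index.php/apps/user_saml/saml/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def redirect_encode(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64.
    URL-encoding is applied later by whoever builds the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(deflated).decode("ascii")


def redirect_decode(value: str) -> str:
    """Inverse of redirect_encode on an already URL-decoded parameter value.
    Strict base64, so stray characters (such as an embedded '=') fail loudly."""
    deflated = base64.b64decode(value, validate=True)
    return zlib.decompress(deflated, -15).decode("utf-8")


def build_redirect_url(sso_url: str, xml: str, relay_state: str) -> str:
    """What a correct SP sends the IdP: only the encoded request goes into the parameter."""
    query = urlencode({"SAMLRequest": redirect_encode(xml), "RelayState": relay_state})
    return sso_url + "?" + query


def saml_request_from_url(url: str) -> str:
    """What the IdP does: pull the parameter out of the query string and decode it."""
    return redirect_decode(parse_qs(urlparse(url).query)["SAMLRequest"][0])


def diagnose_saml_request(value: str) -> tuple:
    """Classify a received SAMLRequest value as ("ok", request ID) or (problem, detail)."""
    try:
        xml = redirect_decode(value)
    except (binascii.Error, zlib.error, UnicodeDecodeError) as exc:
        if value.startswith("SAMLRequest="):
            return ("bad-encoding",
                    "value starts with 'SAMLRequest=': the sender encoded the whole "
                    "query parameter, not just the request")
        return ("bad-encoding", f"not a DEFLATE+base64 payload: {exc}")
    try:
        root = ET.fromstring(xml)
    except ET.ParseError as exc:
        return ("bad-xml", str(exc))
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        return ("bad-xml", f"unexpected root element {root.tag}")
    return ("ok", root.get("ID", ""))


if __name__ == "__main__":
    good = redirect_encode(AUTHN_REQUEST)
    print(diagnose_saml_request(good))
    # The failure mode named in the mailing-list reply: the parameter name
    # ends up inside the parameter value.
    print(diagnose_saml_request("SAMLRequest=" + good))
```

Run it against a value copied out of the IdP log (after URL-decoding it) to tell apart a request that is merely unsigned or signed with an unexpected algorithm from one that is not a SAML request at all.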

SAML stopped working for us after the upgrade to 11.0.1

We reverted back to 11.0.0 and everything appears to be working again.

Error when attempting to login is as follows:
{"reqId":"0cQdyRVhpPFEGdfpcq4j","remoteAddr":"93.89.131.252","app":"index","message":"Exception: {\"Exception\":\"Exception\",\"Message\":\"The SPNameQualifier value mistmatch the SP entityID value.\",\"Code\":0,\"Trace\":\"#0 \\\/home\\\/files\\\/public_html\\\/apps\\\/user_saml\\\/3rdparty\\\/vendor\\\/onelogin\\\/php-saml\\\/lib\\\/Saml2\\\/Response.php(480): OneLogin_Saml2_Response->getNameIdData()\\n#1 \\\/home\\\/files\\\/public_html\\\/apps\\\/user_saml\\\/3rdparty\\\/vendor\\\/onelogin\\\/php-saml\\\/lib\\\/Saml2\\\/Auth.php(135): OneLogin_Saml2_Response->getNameId()\\n#2 \\\/home\\\/files\\\/public_html\\\/apps\\\/user_saml\\\/lib\\\/Controller\\\/SAMLController.php(179): OneLogin_Saml2_Auth->processResponse('ONELOGIN_d27328...')\\n#3 [internal function]: OCA\\\\User_SAML\\\\Controller\\\\SAMLController->assertionConsumerService()\\n#4 \\\/home\\\/files\\\/public_html\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(160): call_user_func_array(Array, Array)\\n#5 \\\/home\\\/files\\\/public_html\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(90): OC\\\\AppFramework\\\\Http\\\\Dispatcher->executeController(Object(OCA\\\\User_SAML\\\\Controller\\\\SAMLController), 'assertionConsum...')\\n#6 \\\/home\\\/files\\\/public_html\\\/lib\\\/private\\\/AppFramework\\\/App.php(114): OC\\\\AppFramework\\\\Http\\\\Dispatcher->dispatch(Object(OCA\\\\User_SAML\\\\Controller\\\\SAMLController), 'assertionConsum...')\\n#7 \\\/home\\\/files\\\/public_html\\\/lib\\\/private\\\/AppFramework\\\/Routing\\\/RouteActionHandler.php(47): OC\\\\AppFramework\\\\App::main('SAMLController', 'assertionConsum...', Object(OC\\\\AppFramework\\\\DependencyInjection\\\\DIContainer), Array)\\n#8 [internal function]: OC\\\\AppFramework\\\\Routing\\\\RouteActionHandler->__invoke(Array)\\n#9 \\\/home\\\/files\\\/public_html\\\/lib\\\/private\\\/Route\\\/Router.php(299): call_user_func(Object(OC\\\\AppFramework\\\\Routing\\\\RouteActionHandler), Array)\\n#10 \\\/home\\\/files\\\/public_html\\\/lib\\\/base.php(1010): OC\\\\Route\\\\Router->match('\\\/apps\\\/user_saml...')\\n#11 \\\/home\\\/files\\\/public_html\\\/index.php(40): OC::handleRequest()\\n#12 {main}\",\"File\":\"\\\/home\\\/files\\\/public_html\\\/apps\\\/user_saml\\\/3rdparty\\\/vendor\\\/onelogin\\\/php-saml\\\/lib\\\/Saml2\\\/Response.php\",\"Line\":461}","level":3,"time":"2017-02-01T16:46:24+00:00","method":"POST","url":"\/apps\/user_saml\/saml\/acs","user":"--","version":"11.0.1.2"}

Signing/Encryption is not used in our configuration.

Post your configuration. This is likely the cause, because the entityID specified in your configuration is different from what your SP sends. In 11.0.1 this is now properly checked, as officially intended :wink:
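The check behind the log line above ("The SPNameQualifier value mistmatch the SP entityID value") is a plain string comparison between the SPNameQualifier attribute on the assertion's NameID and the entityID the SP is configured with; php-saml in strict mode also requires the SP entityID to appear in the assertion's AudienceRestriction. The script below is an added example, not code from the original thread, from Nextcloud or from php-saml: it builds a constructed, unsigned Response (the poster says signing and encryption are not used) and runs both comparisons, so a scheme change (http vs https), a different host or a trailing slash in the configured entityID is reported as the concrete mismatch rather than as a generic "invalid_response". All identifiers are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed identifiers (placeholders, not values from the thread).
SP_ENTITY_ID = "https://cloud.example.com/index.php/apps/user_saml/saml/metadata"
IDP_ENTITY_ID = "https://auth.example.com/saml/metadata"


def make_response(sp_name_qualifier: str, audience: str) -> str:
    """Minimal unsigned SAML Response carrying a transient NameID and one
    AudienceRestriction, so the two identity checks below can be exercised."""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        'ID="_resp1" Version="2.0" IssueInstant="2017-02-01T16:46:24Z" '
        'Destination="https://cloud.example.com/index.php/apps/user_saml/saml/acs">'
        f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2017-02-01T16:46:24Z">'
        f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        '<saml:Subject>'
        '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" '
        f'NameQualifier="{IDP_ENTITY_ID}" SPNameQualifier="{sp_name_qualifier}">_84652A03</saml:NameID>'
        '</saml:Subject>'
        '<saml:Conditions NotBefore="2017-02-01T16:45:24Z" NotOnOrAfter="2017-02-01T16:50:24Z">'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
        '</saml:Conditions>'
        '</saml:Assertion>'
        '</samlp:Response>'
    )


def check_sp_identity(response_xml: str, sp_entity_id: str) -> list:
    """Return the problems a strict SP would report about whom the assertion
    was issued for. An empty list means both identity checks pass."""
    problems = []
    root = ET.fromstring(response_xml)

    name_id = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("assertion has no NameID")
    else:
        spnq = name_id.get("SPNameQualifier")
        # Exact comparison: scheme, host, path and trailing slash all count.
        if spnq is not None and spnq != sp_entity_id:
            problems.append(
                f"SPNameQualifier {spnq!r} does not match SP entityID {sp_entity_id!r}")

    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and sp_entity_id not in audiences:
        problems.append(f"SP entityID {sp_entity_id!r} not among audiences {audiences!r}")

    return problems


if __name__ == "__main__":
    response = make_response(SP_ENTITY_ID, SP_ENTITY_ID)
    print(check_sp_identity(response, SP_ENTITY_ID))
    # Same response checked by an SP that was configured with http:// instead of https://
    print(check_sp_identity(response, SP_ENTITY_ID.replace("https://", "http://")))
```

To use it on a real login, paste the URL-decoded, base64-decoded SAMLResponse from the POST to /apps/user_saml/saml/acs into `check_sp_identity` together with the entityID from the user_saml settings; whatever it prints is the value that has to agree on both the IdP and the SP side.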

When correcting the entityID I no longer have any errors in the log, and instead when trying to log in I get a page with:
invalid_response

Not authenticated

Possibly the log extract I provided isn’t relevant.

Same issue here. After the 11.0.1 update our users can’t log in using AD FS / SAML anymore.

"invalid_response

Not authenticated"

On GitHub I found the hint that PHP mcrypt is needed. I will set up a test system and try again.

We disabled this security setting…

It’s working again. :smile: