goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Nextcloud SAML: Found an Attribute element with duplicated Name #10504

Open jkirkcaldy opened 1 month ago

jkirkcaldy commented 1 month ago

Describe the bug

When trying to log in to Nextcloud using the SAML config, the error message "Found an Attribute element with duplicated Name" appears.

This is occurring on an existing install that was working, and a brand new install with a clean database etc.

To Reproduce

Steps to reproduce the behavior:

Install nextcloud Nextcloud Hub 8 (29.0.3) and log in with SAML

Expected behavior

To be able to log in

Logs

Technical details
Remote Address: 10.254.100.72
Request ID: GdCoBLRzUQ4zWHRMagfg
Type: OneLogin\Saml2\ValidationError
Code: 41
Message: Found an Attribute element with duplicated Name
File: /config/www/nextcloud/apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Response.php
Line: 828

Trace
#0 /config/www/nextcloud/apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Response.php(789): OneLogin\Saml2\Response->_getAttributesByKeyName()
#1 /config/www/nextcloud/apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Auth.php(239): OneLogin\Saml2\Response->getAttributes()
#2 /config/www/nextcloud/apps/user_saml/lib/Controller/SAMLController.php(360): OneLogin\Saml2\Auth->processResponse()
#3 /config/www/nextcloud/apps/user_saml/lib/Helper/TXmlHelper.php(38): OCA\User_SAML\Controller\SAMLController->OCA\User_SAML\Controller\{closure}()
#4 /config/www/nextcloud/apps/user_saml/lib/Controller/SAMLController.php(359): OCA\User_SAML\Controller\SAMLController->callWithXmlEntityLoader()
#5 /app/www/public/lib/private/AppFramework/Http/Dispatcher.php(232): OCA\User_SAML\Controller\SAMLController->assertionConsumerService()
#6 /app/www/public/lib/private/AppFramework/Http/Dispatcher.php(138): OC\AppFramework\Http\Dispatcher->executeController()
#7 /app/www/public/lib/private/AppFramework/App.php(184): OC\AppFramework\Http\Dispatcher->dispatch()
#8 /app/www/public/lib/private/Route/Router.php(338): OC\AppFramework\App::main()
#9 /app/www/public/lib/base.php(1050): OC\Route\Router->match()
#10 /app/www/public/index.php(49): OC::handleRequest()
#11 {main}

Version and Deployment (please complete the following information):

acausbu419 commented 1 month ago

I ran into this while moving nextcloud to another authentik instance yesterday and saw this while I was searching.

If it helps, for me, the issue was I had the groups claim specified twice on the default groups in authentik in the Nextcloud SAML Provider > Advanced protocol settings > Property mappings, and another property mapping rule I had made for adding the admin group to the claim from the authentik documentation. I'm not sure if it's related, but I had also set the name ID as the username field since the UID was in the original claim, but once I removed the second groups claim I could complete the sign in from authentik.
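To confirm the cause described in this thread before changing property mappings, the following added example (not code from the issue, authentik, or php-saml) decodes a base64 `SAMLResponse` as captured from the browser's POST to the service provider and lists every Attribute `Name` that occurs more than once in an assertion. It assumes an unencrypted assertion; the function name and the sample response are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from collections import Counter

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def duplicated_attribute_names(saml_response_b64):
    """Return {Name: count} for Attribute names repeated within one Assertion."""
    xml_bytes = base64.b64decode(saml_response_b64)
    # Refuse DTDs outright; a SAML message never needs one.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations are not allowed")
    root = ET.fromstring(xml_bytes)
    duplicates = {}
    for assertion in root.iter(f"{{{ASSERTION_NS}}}Assertion"):
        names = Counter(
            attr.get("Name")
            for attr in assertion.iter(f"{{{ASSERTION_NS}}}Attribute")
        )
        duplicates.update({n: c for n, c in names.items() if c > 1})
    return duplicates


# Constructed sample: two property mappings both emit a "groups" attribute.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>alice</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>users</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>admin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    for name, count in duplicated_attribute_names(SAMPLE_B64).items():
        print(f"Attribute Name {name!r} appears {count} times")
```

Any name it reports corresponds to two property mappings on the provider emitting the same attribute, which is the situation the comment above resolved by removing the second groups mapping.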