nextcloud / user_saml

:lock: App for authenticating Nextcloud users using SAML https://apps.nextcloud.com/apps/user_saml
https://portal.nextcloud.com/article/configuring-single-sign-on-10.html
GNU Affero General Public License v3.0

SAML: Invalid base URL #189

Open mkiehl opened 6 years ago

mkiehl commented 6 years ago

Steps to reproduce

  1. Install Nextcloud from Ubuntu Snap
  2. Reverse proxy (including TLS termination) using Apache so that Nextcloud is served from https://www.example.com/files. This involves setting the following configuration values so that Nextcloud generates URLs for the public (proxied) origin rather than for the internal one:
    root@server:/var/snap/nextcloud/current/nextcloud/config# nextcloud.occ config:system:get overwritehost
    www.example.com
    root@server:/var/snap/nextcloud/current/nextcloud/config# nextcloud.occ config:system:get overwritewebroot
    /files
    root@server:/var/snap/nextcloud/current/nextcloud/config# nextcloud.occ config:system:get overwriteprotocol
    https
    root@server:/var/snap/nextcloud/current/nextcloud/config# nextcloud.occ config:system:get overwrite.cli.url
    https://www.example.com/files
    root@server:/var/snap/nextcloud/current/nextcloud/config# nextcloud.occ config:system:get htaccess.RewriteBase
    /files
  3. Enable and configure the SAML/SSO app. In my case, Apereo CAS is the IdP.

Expected behaviour

Users should be able to log in using SAML/SSO.

Actual behaviour

Error Message: Your account is not provisioned, access to this service is thus not possible.

Logged error:

The response was received at https://www.example.com/index.php/apps/user_saml/saml/acs instead of https://www.example.com/files/index.php/apps/user_saml/saml/acs

Note that the "received at" URL does not include "/files", even though Nextcloud is not reachable at that path. The "received at" value is the ACS URL that Nextcloud computes from the request it sees behind the proxy, so it appears the app is not applying `overwritewebroot` (`/files`) when it builds the expected ACS URL, while the IdP is (correctly) sending the response to the public URL. The comparison itself — that the SAML Response's Destination/recipient matches the SP's actual ACS endpoint — is a deliberate security control that prevents a response issued for one endpoint from being accepted at another, so the fix should be to make the computed base URL match the public one (i.e. have the overwrite settings honoured), not to relax or disable the check.

Server configuration

Latest Ubuntu 16.04 with Nextcloud installed today from the snap.

List of activated apps:

Only the SAML/SSO app (note: the configuration dump below lists the default bundled apps as enabled and shows `user_saml` with `"enabled": "no"`, so the dump may have been taken while the app was disabled).

Nextcloud configuration (secrets redacted; note that `sp-x509cert` is empty, i.e. no SP certificate is configured, so requests are not signed and assertions cannot be encrypted to this SP):

{
    "system": {
        "apps_paths": [
            {
                "path": "\/snap\/nextcloud\/current\/htdocs\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/snap\/nextcloud\/current\/nextcloud\/extra-apps",
                "url": "\/extra-apps",
                "writable": true
            }
        ],
        "supportedDatabases": [
            "mysql"
        ],
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "\/tmp\/sockets\/redis.sock",
            "port": 0
        },
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "www.example.com"
        ],
        "datadirectory": "\/var\/snap\/nextcloud\/common\/nextcloud\/data",
        "overwrite.cli.url": "https:\/\/www.example.com\/files",
        "dbtype": "mysql",
        "version": "12.0.5.3",
        "dbname": "nextcloud",
        "dbhost": "localhost:\/tmp\/sockets\/mysql.sock",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "removed",
        "overwritewebroot": "\/files",
        "overwriteprotocol": "https",
        "overwritehost": "www.example.com",
        "htaccess.RewriteBase": "\/files"
    },
    "apps": {
        "activity": {
            "enabled": "yes",
            "installed_version": "2.5.2",
            "types": "filesystem"
        },
        "backgroundjob": {
            "lastjob": "13"
        },
        "comments": {
            "enabled": "yes",
            "installed_version": "1.2.0",
            "types": "logging"
        },
        "core": {
            "backgroundjobs_mode": "cron",
            "installedat": "1520332458.1067",
            "lastcron": "1520343808",
            "lastupdatedat": "1520332458.1365",
            "public_files": "files_sharing\/public.php",
            "public_webdav": "dav\/appinfo\/v1\/publicwebdav.php",
            "scss.variables": "dee9f5859c72e10315ab472254fafcd5",
            "vendor": "nextcloud"
        },
        "dav": {
            "enabled": "yes",
            "installed_version": "1.3.1",
            "types": "filesystem"
        },
        "federatedfilesharing": {
            "enabled": "yes",
            "installed_version": "1.2.0",
            "types": ""
        },
        "federation": {
            "enabled": "yes",
            "installed_version": "1.2.0",
            "types": "authentication"
        },
        "files": {
            "cronjob_scan_files": "500",
            "enabled": "yes",
            "installed_version": "1.7.2",
            "types": "filesystem"
        },
        "files_pdfviewer": {
            "enabled": "yes",
            "installed_version": "1.1.1",
            "ocsid": "166049",
            "types": ""
        },
        "files_sharing": {
            "enabled": "yes",
            "installed_version": "1.4.0",
            "types": "filesystem"
        },
        "files_texteditor": {
            "enabled": "yes",
            "installed_version": "2.4.1",
            "ocsid": "166051",
            "types": ""
        },
        "files_trashbin": {
            "enabled": "yes",
            "installed_version": "1.2.0",
            "types": "filesystem"
        },
        "files_versions": {
            "enabled": "yes",
            "installed_version": "1.5.0",
            "types": "filesystem"
        },
        "files_videoplayer": {
            "enabled": "yes",
            "installed_version": "1.1.0",
            "types": ""
        },
        "firstrunwizard": {
            "enabled": "yes",
            "installed_version": "2.1",
            "types": "logging"
        },
        "gallery": {
            "enabled": "yes",
            "installed_version": "17.0.0",
            "types": ""
        },
        "logreader": {
            "enabled": "yes",
            "installed_version": "2.0.0",
            "ocsid": "170871",
            "types": ""
        },
        "lookup_server_connector": {
            "enabled": "yes",
            "installed_version": "1.0.0",
            "types": "authentication"
        },
        "nextcloud_announcements": {
            "enabled": "yes",
            "installed_version": "1.1",
            "pub_date": "Sat, 10 Dec 2016 00:00:00 +0100",
            "types": "logging"
        },
        "notifications": {
            "enabled": "yes",
            "installed_version": "2.0.0",
            "types": "logging"
        },
        "oauth2": {
            "enabled": "yes",
            "installed_version": "1.0.5",
            "types": "authentication"
        },
        "password_policy": {
            "enabled": "yes",
            "installed_version": "1.2.2",
            "types": ""
        },
        "provisioning_api": {
            "enabled": "yes",
            "installed_version": "1.2.0",
            "types": "prevent_group_restriction"
        },
        "serverinfo": {
            "enabled": "yes",
            "installed_version": "1.2.0",
            "types": ""
        },
        "sharebymail": {
            "enabled": "yes",
            "installed_version": "1.2.0",
            "types": "filesystem"
        },
        "survey_client": {
            "enabled": "yes",
            "installed_version": "1.0.0",
            "types": ""
        },
        "systemtags": {
            "enabled": "yes",
            "installed_version": "1.2.0",
            "types": "logging"
        },
        "theming": {
            "cachebuster": "2",
            "enabled": "yes",
            "installed_version": "1.3.0",
            "name": "Cloud",
            "types": "logging",
            "url": "https:\/\/www.example.com\/files\/"
        },
        "twofactor_backupcodes": {
            "enabled": "yes",
            "installed_version": "1.1.1",
            "types": ""
        },
        "user_saml": {
            "enabled": "no",
            "general-uid_mapping": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
            "general-use_saml_auth_for_desktop": "1",
            "idp-entityId": "https:\/\/idp.example.com\/cas\/idp\/",
            "idp-singleLogoutService.url": "https:\/\/idp.example.com\/cas\/idp\/profile\/SAML2\/Redirect\/SLO",
            "idp-singleSignOnService.url": "https:\/\/idp.example.com\/cas\/idp\/profile\/SAML2\/Redirect\/SSO",
            "idp-x509cert": "removed",
            "installed_version": "1.4.2",
            "security-nameIdEncrypted": "0",
            "sp-x509cert": "",
            "type": "saml",
            "types": "authentication"
        },
        "workflowengine": {
            "enabled": "yes",
            "installed_version": "1.2.0",
            "types": "filesystem"
        }
    }
}

Client configuration

Latest Chrome, Windows 10

Logs

Nextcloud log (data/owncloud.log)

The response was received at https://www.example.com/index.php/apps/user_saml/saml/acs instead of https://www.example.com/files/index.php/apps/user_saml/saml/acs

Browser log

-



Thank you in advance for any help!
jerrywaller commented 6 years ago

I have the same (or a similar) issue: the sub-directory configured in my apache2 reverse-proxy configuration seems to be ignored by Nextcloud when it builds the SAML ACS URL.