nextcloud / user_saml

:lock: App for authenticating Nextcloud users using SAML https://apps.nextcloud.com/apps/user_saml
https://portal.nextcloud.com/article/configuring-single-sign-on-10.html
GNU Affero General Public License v3.0

IDP Initiated SAML (instead of SP initiated SAML) failed with a "null" error from ACS endpoint #257

Open gdurifw opened 5 years ago

gdurifw commented 5 years ago

Steps to reproduce

  1. Set up SAML with an IDP (e.g. provided by Oracle OAM)
  2. The IdP initiated SAML (instead of SP initiated SAML) session fails when the Nextcloud ACS endpoint checks the SamlResponse, with an error "null"

Expected behaviour

A valid SamlResponse provided by IdP initiated SAML (e.g. from an Oracle OAM SDK) should be validated by the Nextcloud ACS endpoint without a "null" error. If the SamlResponse is valid, Nextcloud should grant access to the session.

Actual behaviour

We would like to use IDP initiated SAML (instead of the native Login Flow & SP Initiated SAML) because of the Oracle OAM integration provided by the Oracle OAM SDK, but we get a "null" error when we submit the SAML response to the ACS endpoint.

Is IDP initiated SAML, instead of SP initiated SAML, supported at all?

Server configuration

Operating system: Official Docker Nextcloud:13.04

Web server: Official Docker Nextcloud:13.04

Database: Official Docker Nextcloud:13.04

PHP version: Official Docker Nextcloud:13.04

Nextcloud version: Official Docker Nextcloud:13.04

Where did you install Nextcloud from: Official Docker Nextcloud:13.04

List of activated apps:

$ ./occ app:list Enabled:

Nextcloud configuration:

$ ./occ config:list system { "system": { "debug": false, "log_type": "owncloud", "logfile": "\/var\/www\/html\/nextcloud.log", "loglevel": "1", "auth.bruteforce.protection.enabled": false, "logtimezone": "Europe\/Rome", "skeletondirectory": "\/config\/userskeleton", "knowledgebaseenabled": true, "log_rotate_size": 0, "logdateformat": "F d, Y H:i:s", "datadirectory": "REMOVED SENSITIVE VALUE", "updatechecker": false, "check_for_working_htaccess": false, "check_data_directorypermissions": false, "asset-pipeline.enabled": false, "assetdirectory": "\/var\/www\/html\/data", "dbtype": "mysql", "filelocking.enabled": true, "filelocking.ttl": 3600, "integrity.check.disabled": true, "version": "13.0.4.0", "dbname": "REMOVED SENSITIVE VALUE", "dbhost": "REMOVED SENSITIVE VALUE", "dbtableprefix": "oc", "dbuser": "REMOVED SENSITIVE VALUE", "mysql.utf8mb4": true, "dbpassword": "REMOVED SENSITIVE VALUE", "installed": true, "apps_paths": [ { "path": "\/var\/www\/html\/apps", "url": "\/apps", "writable": true }, { "path": "\/var\/www\/html\/apps", "url": "\/apps-appstore", "writable": true } ], "trusted_domains": [ "REMOVED SENSITIVE VALUE", "*" ], "instanceid": "REMOVED SENSITIVE VALUE", "overwrite.cli.url": "REMOVED SENSITIVE VALUE", "ldapIgnoreNamingRules": false, "ldapProviderFactory": "\OCA\User_LDAP\LDAPProviderFactory" } }

va1entin commented 5 years ago

I'm encountering the same issue with simplesamlphp. Haven't dug deeper but it seems to me that NC requires some sort of own request token, which is not supplied by IdP-initiated SSO.
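The hypothesis in the comment above (the SP expects a token it issued itself, which an unsolicited response never carries) is the usual reason a SAML ACS endpoint rejects IdP-initiated SSO, independent of which IdP is used. The following is an added illustration, not code from user_saml or from any commenter: a minimal ACS decision routine that matches a response's InResponseTo attribute against the request ids the SP stored when it started an SP-initiated flow, consumes each id once so a captured response cannot be replayed, and only accepts a response with no InResponseTo when the SP has explicitly opted in to unsolicited responses. The SAML XML, the ACS URL and the request id are all constructed for this example; signature verification is assumed to happen before this routine runs and is not shown.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical SP ACS URL, used only for the constructed samples below.
ACS_URL = "https://sp.example.test/apps/user_saml/saml/acs"


def _response(in_response_to=None):
    """Build a constructed, unsigned samlp:Response for the examples."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_resp-1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z" '
        f'Destination="{ACS_URL}"{irt}>'
        "<saml:Issuer>https://idp.example.test/metadata</saml:Issuer>"
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        "</samlp:Response>"
    )


# SP-initiated: the IdP echoes the request id the SP issued earlier.
SP_INITIATED = _response("_req-abc123")
# IdP-initiated (unsolicited): there was no request, so no InResponseTo.
IDP_INITIATED = _response()


def acs_decision(xml_text, outstanding_requests, allow_unsolicited=False):
    """Decide whether the ACS accepts a SAML Response.

    outstanding_requests maps request ids the SP itself issued to the ACS URL
    it expects the answer at. A matched entry is removed, so presenting the
    same response twice is rejected as a replay.
    Returns ("accepted", in_response_to) or ("rejected", reason).
    The XML signature is assumed to have been verified upstream.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ("rejected", f"malformed XML: {exc}")
    if root.tag != f"{{{SAMLP}}}Response":
        return ("rejected", "not a samlp:Response")
    if root.get("Destination") != ACS_URL:
        return ("rejected", "Destination is not this ACS endpoint")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        return ("rejected", "IdP did not report Success")

    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # Unsolicited response: the SP holds no state to bind it to. Only an
        # SP that deliberately supports IdP-initiated SSO should accept it.
        if allow_unsolicited:
            return ("accepted", None)
        return ("rejected", "unsolicited response; SP does not accept IdP-initiated SSO")

    # One-shot lookup: pop() consumes the id so a second use fails.
    if outstanding_requests.pop(in_response_to, None) != ACS_URL:
        return ("rejected", f"InResponseTo {in_response_to!r} matches no outstanding request")
    return ("accepted", in_response_to)


if __name__ == "__main__":
    pending = {"_req-abc123": ACS_URL}          # state saved when the SP sent its AuthnRequest
    print(acs_decision(SP_INITIATED, pending))  # ('accepted', '_req-abc123')
    print(acs_decision(SP_INITIATED, pending))  # replay of the same response -> rejected
    print(acs_decision(IDP_INITIATED, {}))      # unsolicited -> rejected by default
    print(acs_decision(IDP_INITIATED, {}, allow_unsolicited=True))  # ('accepted', None)
```

The default branch is the behaviour the thread is seeing from the outside: a response that answers no stored request is refused, and an SP that surfaces that refusal poorly shows the user an empty or "null" error. Accepting unsolicited responses is a deliberate configuration decision because it gives up the request-binding check; an SP that turns it on still needs Destination, Issuer, signature, NotBefore/NotOnOrAfter and assertion-id replay checks to stand on their own.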

pete-hawdon commented 5 years ago

I'm encountering the same issue using Okta as the IDP.

Operating system: Official Docker nextcloud:14.03

Web server: Official Docker nextcloud:14.03

Database: Official Docker nextcloud:14.03 (SQLite)

PHP version: Official Docker nextcloud:14.03

Nextcloud version: Official Docker nextcloud:14.03

Where did you install Nextcloud from: Docker Hub - nextcloud:14.03

List of activated apps:

$ ./occ app:list Enabled:

Nextcloud configuration:

$ ./occ config:list system { "system": { "htaccess.RewriteBase": "\/", "memcache.local": "\OC\Memcache\APCu", "apps_paths": [ { "path": "\/var\/www\/html\/apps", "url": "\/apps", "writable": false }, { "path": "\/var\/www\/html\/custom_apps", "url": "\/custom_apps", "writable": true } ], "instanceid": "REMOVED SENSITIVE VALUE", "passwordsalt": "REMOVED SENSITIVE VALUE", "secret": "REMOVED SENSITIVE VALUE", "trusted_domains": [ "**.eu-west-2.compute.amazonaws.com:8080" ], "datadirectory": "**REMOVED SENSITIVE VALUE", "dbtype": "sqlite3", "version": "14.0.3.0", "overwritehost": ".eu-west-2.compute.amazonaws.com:8080", "overwrite.cli.url": ".eu-west-2.compute.amazonaws.com:8080", "installed": true, "maintenance": false } }

chancerollins commented 4 years ago

I likewise hit the same issue today. SP initiated SAML works properly, but with IDP initiated SAML I am left with a null response. It would be really nice having this work in both directions.

tohcnam commented 4 years ago

Same issue here. My workaround with this (for Okta):

Now if the user clicks on the bookmark, Okta will just call Nextcloud and Nextcloud will be doing an SP-initiated flow. It is not an IdP-initiated flow, but for the user it doesn't matter as long as it works ;)

shivank1234 commented 3 years ago

Hey everyone, a beginner here. Can somebody help me with how to initiate a SAML connection from the Nextcloud (SP) side to my IdP? I don't have any login URL/SAML button etc. in Nextcloud...