nextcloud / user_saml

:lock: App for authenticating Nextcloud users using SAML https://apps.nextcloud.com/apps/user_saml
https://portal.nextcloud.com/article/configuring-single-sign-on-10.html
GNU Affero General Public License v3.0

Cannot complete login with Android app when SSO & SAML Authentication is enabled #607

Closed jecal22 closed 2 years ago

jecal22 commented 2 years ago

Steps to reproduce

  1. Install, activate and configure SSO with Azure AD integration (possibly any others as well?)
  2. Launch Nextcloud app on Android and authenticate to login

Expected behaviour

After logging in, the app should display a Grant Access page to authenticate the app with the Nextcloud instance.

Actual behaviour

The app completes authentication and then loads the standard web interface of Nextcloud within the app. The app is never authenticated. After restarting Nextcloud, it starts over at the initial login screen. Even if I log in using Direct (LDAP/local), the same issue occurs.

After disabling SSO & SAML, app authentication works normally using LDAP/local login. Since disabling SSO & SAML fixes logins with LDAP/local logins, I have to assume the issue is something with this app.

Server configuration

Operating system: Centos 7.9

Web server: Apache

Database: MySQL

PHP version: 7.4

Nextcloud version: 23.0.3, 23.0.4

Where did you install Nextcloud from: Manual install from Nextcloud.com


Nextcloud configuration:

```json
{
  "system": {
    "debug": false,
    "instanceid": "REMOVED SENSITIVE VALUE",
    "passwordsalt": "REMOVED SENSITIVE VALUE",
    "secret": "REMOVED SENSITIVE VALUE",
    "trusted_domains": [ "nextcloud.caluette.com", "gtwn-nextcloud01.caluette.com" ],
    "trustedproxies": "REMOVED SENSITIVE VALUE",
    "datadirectory": "REMOVED SENSITIVE VALUE",
    "dbtype": "mysql",
    "version": "23.0.4.1",
    "overwrite.cli.url": "https:\/\/nextcloud.caluette.com\/",
    "dbname": "REMOVED SENSITIVE VALUE",
    "dbhost": "REMOVED SENSITIVE VALUE",
    "dbport": "",
    "dbtableprefix": "oc",
    "mysql.utf8mb4": true,
    "dbuser": "REMOVED SENSITIVE VALUE",
    "dbpassword": "REMOVED SENSITIVE VALUE",
    "installed": true,
    "memcache.distributed": "\OC\Memcache\Redis",
    "memcache.locking": "\OC\Memcache\Redis",
    "memcache.local": "\OC\Memcache\Redis",
    "filelocking.enabled": true,
    "redis": { "host": "REMOVED SENSITIVE VALUE", "port": "0", "timeout": 0 },
    "htaccess.RewriteBase": "\/",
    "mail_smtpmode": "sendmail",
    "mail_smtpauthtype": "LOGIN",
    "mail_from_address": "REMOVED SENSITIVE VALUE",
    "mail_domain": "REMOVED SENSITIVE VALUE",
    "maintenance": false,
    "loglevel": 2,
    "cipher": "AES-256-CFB",
    "trashbin_retention_obligation": "auto, 30",
    "twofactor_enforced": "true",
    "twofactor_enforced_groups": [ "admin" ],
    "twofactor_enforced_excluded_groups": [],
    "app_install_overwrite": [ "onlyoffice", "files_photospheres", "keeporsweep", "telephoneprovider", "files_texteditor", "carnet" ],
    "onlyoffice": { "jwt_token": "0q4ZdXu0zoyAZa7A", "jwt_header": "AuthorizationJwt" },
    "mail_sendmailmode": "smtp",
    "has_rebuilt_cache": true,
    "ldapIgnoreNamingRules": false,
    "ldapProviderFactory": "OCA\User_LDAP\LDAPProviderFactory",
    "ldapUserCleanupInterval": 60,
    "theme": "",
    "default_phone_region": "US",
    "allow_local_remote_servers": true,
    "preview_max_memory": 256,
    "enable_previews": true,
    "enabledPreviewProviders": [ "OC\Preview\Movie", "OC\Preview\PNG", "OC\Preview\JPEG", "OC\Preview\GIF", "OC\Preview\BMP", "OC\Preview\XBitmap", "OC\Preview\MP3", "OC\Preview\MP4", "OC\Preview\TXT", "OC\Preview\MarkDown", "OC\Preview\PDF" ],
    "updater.secret": "REMOVED SENSITIVE VALUE"
  }
}
```


Client configuration

Browser: Nextcloud Android App

Operating system: Android 12

Logs

Nextcloud log (data/owncloud.log)

[nextcloud.log](https://github.com/nextcloud/user_saml/files/8564034/nextcloud.log)

jecal22 commented 2 years ago

FYI, I have completely removed and re-installed the app. I have also changed settings in the SSO & SAML app to enable and disable other backend authentications (e.g. LDAP). I have tried to enable and disable the option to use SAML authentication for the desktop client.
The only way I am able to log in and authenticate the Android app is to disable the SSO & SAML app. As long as SSO & SAML is enabled, I am unable to successfully authenticate via the app using any SSO/LDAP/local login, because it just loads the web interface and bypasses the "Grant Access" prompt.

dasbaumwolltier commented 2 years ago

I have the exact same problem: When a user wants to log in through OAuth and the user is not logged-in in the browser, it redirects to the Dashboard after the SSO flow is done. If the user was already logged-in in the browser, the grant flow works perfectly.

The only thing I noticed was that the RelayState URL had the wrong protocol http instead of https despite having overwriteprotocol enabled.

dasbaumwolltier commented 2 years ago

Ok I fixed the problem of the v2/flow not working for me by removing the two lines below in the app.php file. I can now successfully log into the Android, iOS and Desktop apps:

diff --git a/appinfo/app.php b/appinfo/app.php
index 35bf029..d72ffc0 100644
--- a/appinfo/app.php
+++ b/appinfo/app.php
@@ -116,9 +116,7 @@ if ($user !== null) {
 // redirected to the SAML login endpoint
 if (!$cli &&                                                                 )
        !$userSession->isLoggedIn() &&
-       (\OC::$server->getRequest()->getPathInfo() === '/login'
-               || \OC::$server->getRequest()->getPathInfo() === '/login/v2/flow'
-               || \OC::$server->getRequest()->getPathInfo() === '/login/flow') &&
+       \OC::$server->getRequest()->getPathInfo() === '/login' &&
        $type !== '') {
        try {
                $params = $request->getParams();
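Review bot: Narrowing the condition to `'/login'` alone drops the `'/login/v2/flow'` and `'/login/flow'` branches, so the SAML redirect no longer intercepts the client login flow at all; those two paths were introduced by https://github.com/nextcloud/user_saml/pull/578 for Kerberos-based mobile authentication (as CarlSchwan notes further down), so removing them outright trades one client setup's breakage for another's, and the check should instead distinguish the two cases (for example keeping the flow paths only when the configured auth type actually needs the redirect) rather than deleting them. Separately, the context line `if (!$cli &&   )` as pasted carries a stray trailing `)` that does not belong to the surrounding code, so this hunk will not apply cleanly with `git apply`; re-export it from `git diff` before anyone tries it.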
jecal22 commented 2 years ago

I'll take a look at that in my deployment. I ended up discovering that I was able to get logged in using a QR code for an app password while having the SAML & SSO app enabled, but I would like to be able to log in normally without needing two devices to scan a QR code, since you can't scan a QR code from the same device you are logging in on.

gelexgaray commented 2 years ago

The patch submitted by @dasbaumwolltier solves the issue. Will it be integrated? Thank you, guys.

CarlSchwan commented 2 years ago

Hi, thanks for the report. If you stumbled on this issue, the patch from @dasbaumwolltier should help. I will look into it in the following days, as this patch reverts a change that was made to support Kerberos-based authentication on mobile and I need to find a solution to support both.

jecal22 commented 2 years ago

Can confirm, solution provided by @dasbaumwolltier worked for me. Was able to authenticate and grant access using AzureAD SSO with no issue.

PVince81 commented 2 years ago

These lines were added to actually make it work with the login flow; strange that removing them makes it work again.

@CarlSchwan

ChristophWurst commented 2 years ago

For reference https://github.com/nextcloud/user_saml/pull/578 was the PR that added those lines.

ChristophWurst commented 2 years ago

Revert is at https://github.com/nextcloud/user_saml/pull/614

cc-cmarher commented 2 years ago

I can confirm too. It is working with the submitted patch of @dasbaumwolltier. Is there a timetable for a new release of the app?

blizzz commented 2 years ago

soon :tm: