
:lock: App for authenticating Nextcloud users using SAML https://apps.nextcloud.com/apps/user_saml
https://portal.nextcloud.com/article/configuring-single-sign-on-10.html
GNU Affero General Public License v3.0

SAML Authentication broken after upgrade to Nextcloud 27.0.1 #757

Closed agrimal closed 1 year ago

agrimal commented 1 year ago

Issue

SAML authentication is broken after the update. I'm using goauthentik as the SAML identity provider.

Server configuration

Operating system: Debian GNU/Linux 12 (bookworm)

Web server: Server version: Apache/2.4.57 (Debian) Server built: 2023-04-13T03:26:51

Database: mariadb Ver 15.1 Distrib 10.11.3-MariaDB, for debian-linux-gnu (x86_64) using EditLine wrapper

PHP version: PHP 8.2.7 (cli) (built: Jun 9 2023 07:38:17) (NTS) Copyright (c) The PHP Group Zend Engine v4.2.7, Copyright (c) Zend Technologies with Zend OPcache v8.2.7, Copyright (c), by Zend Technologies

Nextcloud version: (see Nextcloud admin page) 27.0.1.2

List of activated apps: see the `apps` section of the configuration dump below (`"enabled": "yes"` marks an active app).

Nextcloud configuration:

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "xxxxxxxxxxxxxxx"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "27.0.1.2",
        "overwrite.cli.url": "http:\/\/share.grimsys.fr",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "default_phone_region": "FR",
        "htaccess.RewriteBase": "\/",
        "default_language": "fr",
        "logfile": "\/var\/log\/nextcloud\/nextcloud.log",
        "loglevel": 2,
        "filelocking.enabled": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": "0",
            "timeout": 0
        },
        "overwriteprotocol": "https",
        "lost_password_link": "disabled",
        "auth.bruteforce.protection.enabled": true,
        "blacklisted_files": [
            ".htaccess",
            "Thumbs.db",
            "thumbs.db"
        ],
        "proxy": "proxy.xxxxxx:3128",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "enable_previews": true,
        "preview_max_x": 1024,
        "preview_max_y": 1024,
        "preview_max_scale_factor": 4,
        "enabledPreviewProviders": [
            "OC\\Preview\\Image",
            "OC\\Preview\\Movie",
            "OC\\Preview\\MKV",
            "OC\\Preview\\MP4",
            "OC\\Preview\\AVI"
        ],
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "26",
        "mail_smtpsecure": "",
        "mail_smtpauth": false,
        "maintenance": false,
        "mail_smtpstreamoptions": {
            "ssl": {
                "allow_self_signed": true,
                "verify_peer": false,
                "verify_peer_name": false
            }
        },
        "updater.secret": "***REMOVED SENSITIVE VALUE***",
        "theme": ""
    },
    "apps": {
        "activity": {
            "enabled": "yes",
            "installed_version": "2.19.0",
            "types": "filesystem"
        },
        "backgroundjob": {
            "lastjob": "368"
        },
        "calendar": {
            "enabled": "yes",
            "installed_version": "4.4.3",
            "types": ""
        },
        "circles": {
            "enabled": "yes",
            "installed_version": "27.0.1",
            "loopback_tmp_scheme": "http",
            "maintenance_run": "0",
            "maintenance_update": "{\"3\":1689966223,\"2\":1689968923,\"1\":1689969223}",
            "migration_22": "1",
            "migration_run": "0",
            "types": "filesystem,dav"
        },
        "cloud_federation_api": {
            "enabled": "yes",
            "installed_version": "1.10.0",
            "types": "filesystem"
        },
        "comments": {
            "enabled": "yes",
            "installed_version": "1.17.0",
            "types": "logging"
        },
        "contacts": {
            "enabled": "yes",
            "installed_version": "5.3.2",
            "types": "dav"
        },
        "contactsinteraction": {
            "enabled": "yes",
            "installed_version": "1.8.0",
            "types": "dav"
        },
        "core": {
            "backgroundjobs_mode": "cron",
            "emailTestSuccessful": "1",
            "installedat": "1688904564.1184",
            "lastcron": "1689969223",
            "lastupdateResult": "{\"version\":\"27.0.1.2\",\"versionstring\":\"Nextcloud 27.0.1\",\"url\":\"https:\\\/\\\/download.nextcloud.com\\\/server\\\/releases\\\/nextcloud-27.0.1.zip\",\"web\":\"https:\\\/\\\/docs.nextcloud.com\\\/server\\\/27\\\/admin_manual\\\/maintenance\\\/upgrade.html\",\"changes\":\"https:\\\/\\\/updates.nextcloud.com\\\/changelog_server\\\/?version=27.0.1\",\"autoupdater\":\"1\",\"eol\":\"0\"}",
            "lastupdatedat": "0",
            "moveavatarsdone": "yes",
            "oc.integritycheck.checker": "[]",
            "previewsCleanedUp": "1",
            "public_files": "files_sharing\/public.php",
            "public_webdav": "dav\/appinfo\/v1\/publicwebdav.php",
            "updater.secret.created": "1689967946",
            "vendor": "nextcloud"
        },
        "dashboard": {
            "enabled": "yes",
            "installed_version": "7.7.0",
            "types": ""
        },
        "dav": {
            "enabled": "yes",
            "installed_version": "1.27.0",
            "types": "filesystem"
        },
        "federatedfilesharing": {
            "enabled": "yes",
            "installed_version": "1.17.0",
            "types": ""
        },
        "federation": {
            "enabled": "yes",
            "installed_version": "1.17.0",
            "types": "authentication"
        },
        "files": {
            "enabled": "yes",
            "installed_version": "1.22.0",
            "types": "filesystem"
        },
        "files_pdfviewer": {
            "enabled": "yes",
            "installed_version": "2.8.0",
            "types": ""
        },
        "files_rightclick": {
            "enabled": "yes",
            "installed_version": "1.6.0",
            "types": ""
        },
        "files_sharing": {
            "enabled": "yes",
            "installed_version": "1.19.0",
            "types": "filesystem"
        },
        "files_trashbin": {
            "enabled": "yes",
            "installed_version": "1.17.0",
            "types": "filesystem,dav"
        },
        "files_versions": {
            "enabled": "yes",
            "installed_version": "1.20.0",
            "types": "filesystem,dav"
        },
        "firstrunwizard": {
            "enabled": "yes",
            "installed_version": "2.16.0",
            "types": "logging"
        },
        "logreader": {
            "enabled": "yes",
            "installed_version": "2.12.0",
            "types": ""
        },
        "lookup_server_connector": {
            "enabled": "yes",
            "installed_version": "1.15.0",
            "types": "authentication"
        },
        "mail": {
            "enabled": "no",
            "installed_version": "3.2.4",
            "types": ""
        },
        "nextcloud_announcements": {
            "enabled": "yes",
            "installed_version": "1.16.0",
            "notification_groups": "[\"admin\"]",
            "types": "logging"
        },
        "notifications": {
            "enabled": "yes",
            "installed_version": "2.15.0",
            "types": "logging"
        },
        "oauth2": {
            "enabled": "yes",
            "installed_version": "1.15.1",
            "types": "authentication"
        },
        "password_policy": {
            "enabled": "no",
            "installed_version": "1.17.0",
            "types": "authentication"
        },
        "photos": {
            "enabled": "yes",
            "installed_version": "2.3.0",
            "lastPlaceMappedUser": "admin",
            "lastPlaceMappingDone": "true",
            "types": "dav,authentication"
        },
        "privacy": {
            "enabled": "yes",
            "installed_version": "1.11.0",
            "types": ""
        },
        "provisioning_api": {
            "enabled": "yes",
            "installed_version": "1.17.0",
            "types": "prevent_group_restriction"
        },
        "quota_warning": {
            "enabled": "yes",
            "installed_version": "1.17.0",
            "types": "filesystem"
        },
        "recommendations": {
            "enabled": "yes",
            "installed_version": "1.6.0",
            "types": ""
        },
        "related_resources": {
            "enabled": "yes",
            "installed_version": "1.2.0",
            "types": ""
        },
        "richdocuments": {
            "canonical_webroot": "",
            "disable_certificate_verification": "",
            "enabled": "yes",
            "installed_version": "8.1.0",
            "public_wopi_url": "https:\/\/xxxxxxxxxxxxxxxxxxxx",
            "types": "prevent_group_restriction",
            "wopi_url": "https:\/\/xxxxxxxxxxxxxxxxxxxxxxxx"
        },
        "richdocumentscode": {
            "enabled": "no",
            "installed_version": "23.5.104",
            "types": ""
        },
        "serverinfo": {
            "cached_count_filecache": "406",
            "cached_count_storages": "6",
            "enabled": "yes",
            "installed_version": "1.17.0",
            "types": ""
        },
        "settings": {
            "enabled": "yes",
            "installed_version": "1.9.0",
            "types": ""
        },
        "sharebymail": {
            "enabled": "yes",
            "installed_version": "1.17.0",
            "types": "filesystem"
        },
        "support": {
            "enabled": "yes",
            "installed_version": "1.10.0",
            "types": "session"
        },
        "survey_client": {
            "enabled": "no",
            "installed_version": "1.15.0",
            "types": ""
        },
        "systemtags": {
            "enabled": "yes",
            "installed_version": "1.17.0",
            "types": "logging"
        },
        "text": {
            "enabled": "yes",
            "installed_version": "3.8.0",
            "types": "dav"
        },
        "theming": {
            "enabled": "yes",
            "installed_version": "2.2.0",
            "types": "logging"
        },
        "twofactor_backupcodes": {
            "enabled": "yes",
            "installed_version": "1.16.0",
            "types": ""
        },
        "updatenotification": {
            "core": "27.0.1.2",
            "enabled": "yes",
            "installed_version": "1.17.0",
            "notify_groups": "[\"admin\"]",
            "types": "",
            "update_check_errors": "0"
        },
        "user_saml": {
            "enabled": "yes",
            "installed_version": "5.2.1",
            "type": "saml",
            "types": "authentication"
        },
        "user_status": {
            "enabled": "yes",
            "installed_version": "1.7.0",
            "types": ""
        },
        "viewer": {
            "enabled": "yes",
            "installed_version": "2.1.0",
            "types": ""
        },
        "weather_status": {
            "enabled": "yes",
            "installed_version": "1.7.0",
            "types": ""
        },
        "workflowengine": {
            "enabled": "yes",
            "installed_version": "2.9.0",
            "types": "filesystem"
        }
    }
}

Logs

Nextcloud log (data/owncloud.log)

{
  "reqId": "xxxxxxxxxxxxxxxxxxxxx",
  "level": 3,
  "time": "2023-07-17T21:40:33+00:00",
  "remoteAddr": "1.2.3.4",
  "user": "--",
  "app": "files",
  "method": "POST",
  "url": "/apps/user_saml/saml/acs",
  "message": "Backends provided no user object for ",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
  "version": "27.0.0.8",
  "exception": {
    "Exception": "OC\\User\\NoUserException",
    "Message": "Backends provided no user object",
    "Code": 0,
    "Trace": [
      {
        "function": "getUserFolder",
        "class": "OC\\Files\\Node\\Root",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/lib/private/Files/Node/LazyFolder.php",
        "line": 73,
        "function": "call_user_func_array"
      },
      {
        "file": "/var/www/nextcloud/lib/private/Files/Node/LazyRoot.php",
        "line": 40,
        "function": "__call",
        "class": "OC\\Files\\Node\\LazyFolder",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/apps/files_versions/lib/Listener/FileEventsListener.php",
        "line": 339,
        "function": "getUserFolder",
        "class": "OC\\Files\\Node\\LazyRoot",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/apps/files_versions/lib/Listener/FileEventsListener.php",
        "line": 204,
        "function": "getPathForNode",
        "class": "OCA\\Files_Versions\\Listener\\FileEventsListener",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/apps/files_versions/lib/Listener/FileEventsListener.php",
        "line": 102,
        "function": "write_hook",
        "class": "OCA\\Files_Versions\\Listener\\FileEventsListener",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/lib/private/EventDispatcher/ServiceEventListener.php",
        "line": 86,
        "function": "handle",
        "class": "OCA\\Files_Versions\\Listener\\FileEventsListener",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/3rdparty/symfony/event-dispatcher/EventDispatcher.php",
        "line": 251,
        "function": "__invoke",
        "class": "OC\\EventDispatcher\\ServiceEventListener",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/3rdparty/symfony/event-dispatcher/EventDispatcher.php",
        "line": 73,
        "function": "callListeners",
        "class": "Symfony\\Component\\EventDispatcher\\EventDispatcher",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/lib/private/EventDispatcher/EventDispatcher.php",
        "line": 87,
        "function": "dispatch",
        "class": "Symfony\\Component\\EventDispatcher\\EventDispatcher",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/lib/private/EventDispatcher/EventDispatcher.php",
        "line": 99,
        "function": "dispatch",
        "class": "OC\\EventDispatcher\\EventDispatcher",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/lib/private/Files/Node/HookConnector.php",
        "line": 112,
        "function": "dispatchTyped",
        "class": "OC\\EventDispatcher\\EventDispatcher",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/lib/private/legacy/OC_Hook.php",
        "line": 105,
        "function": "write",
        "class": "OC\\Files\\Node\\HookConnector",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/lib/private/Files/View.php",
        "line": 586,
        "function": "emit",
        "class": "OC_Hook",
        "type": "::"
      },
      {
        "file": "/var/www/nextcloud/lib/private/Files/View.php",
        "line": 629,
        "function": "emit_file_hooks_pre",
        "class": "OC\\Files\\View",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/lib/private/Files/Node/File.php",
        "line": 73,
        "function": "file_put_contents",
        "class": "OC\\Files\\View",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/lib/private/legacy/OC_Util.php",
        "line": 257,
        "function": "putContent",
        "class": "OC\\Files\\Node\\File",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/lib/private/legacy/OC_Util.php",
        "line": 248,
        "function": "copyr",
        "class": "OC_Util",
        "type": "::"
      },
      {
        "file": "/var/www/nextcloud/lib/private/legacy/OC_Util.php",
        "line": 216,
        "function": "copyr",
        "class": "OC_Util",
        "type": "::"
      },
      {
        "file": "/var/www/nextcloud/apps/user_saml/lib/UserBackend.php",
        "line": 165,
        "function": "copySkeleton",
        "class": "OC_Util",
        "type": "::"
      },
      {
        "file": "/var/www/nextcloud/apps/user_saml/lib/UserBackend.php",
        "line": 151,
        "function": "initializeHomeDir",
        "class": "OCA\\User_SAML\\UserBackend",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/apps/user_saml/lib/Controller/SAMLController.php",
        "line": 159,
        "function": "createUserIfNotExists",
        "class": "OCA\\User_SAML\\UserBackend",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/nextcloud/apps/user_saml/lib/Controller/SAMLController.php",
        "line": 378,
        "function": "autoprovisionIfPossible",
        "class": "OCA\\User_SAML\\Controller\\SAMLController",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php",
        "line": 230,
        "function": "assertionConsumerService",
        "class": "OCA\\User_SAML\\Controller\\SAMLController",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php",
        "line": 137,
        "function": "executeController",
        "class": "OC\\AppFramework\\Http\\Dispatcher",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/lib/private/AppFramework/App.php",
        "line": 183,
        "function": "dispatch",
        "class": "OC\\AppFramework\\Http\\Dispatcher",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/lib/private/Route/Router.php",
        "line": 315,
        "function": "main",
        "class": "OC\\AppFramework\\App",
        "type": "::"
      },
      {
        "file": "/var/www/nextcloud/lib/base.php",
        "line": 1064,
        "function": "match",
        "class": "OC\\Route\\Router",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/index.php",
        "line": 36,
        "function": "handleRequest",
        "class": "OC",
        "type": "::"
      }
    ],
    "File": "/var/www/nextcloud/lib/private/Files/Node/Root.php",
    "Line": 368,
    "message": "Backends provided no user object for ",
    "exception": {},
    "CustomMessage": "Backends provided no user object for "
  }
}
{
  "reqId": "xxxxxxxxxxxxxxxxx",
  "level": 3,
  "time": "2023-07-21T19:33:36+00:00",
  "remoteAddr": "1.2.3.4",
  "user": "--",
  "app": "PHP",
  "method": "POST",
  "url": "/apps/user_saml/saml/acs",
  "message": "DOMDocument::schemaValidate(): Invalid Schema at /var/www/nextcloud/apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Utils.php#153",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
  "version": "27.0.1.2",
  "data": {
    "app": "PHP"
  }
}
{
  "reqId": "xxxxxxxxxxxxxxxxxxxxxxxxx",
  "level": 4,
  "time": "2023-07-21T19:33:36+00:00",
  "remoteAddr": "1.2.3.4",
  "user": "--",
  "app": "user_saml",
  "method": "POST",
  "url": "/apps/user_saml/saml/acs",
  "message": "invalid_response",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
  "version": "27.0.1.2",
  "data": {
    "app": "user_saml"
  }
}
{
  "reqId": "xxxxxxxxxxxxxxxxxxxxxxxx",
  "level": 4,
  "time": "2023-07-21T19:33:36+00:00",
  "remoteAddr": "1.2.3.4",
  "user": "--",
  "app": "user_saml",
  "method": "POST",
  "url": "/apps/user_saml/saml/acs",
  "message": "Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
  "version": "27.0.1.2",
  "data": {
    "app": "user_saml"
  }
}
solracsf commented 1 year ago

Uninstall the app, then install v5.2.0 manually (not from the app store): https://github.com/nextcloud/user_saml/releases/tag/v5.2.0

This will isolate the problem to either the app version or the server version.

blizzz commented 1 year ago

dup of #755