Open DesertCookie opened 9 months ago
Expected behaviour
Following this guide and some experimentation, I expected logging out to work with one of these options as
URL Location of IdP where the SP will send the SLO Request
:
https://auth.myurl.com/if/session-end/nextcloud/
https://auth.myurl.com/application/saml/nextcloud/slo/binding/post/
https://auth.myurl.com/application/saml/nextcloud/slo/binding/redirect/
Actual behaviour
I encountered a
Bad gateway
error that I cannot track down. With (1) the error appears with this URL in the browser:https://cloud.myurl.com/apps/user_saml/saml/sls?requesttoken=xxxxxxxxxxxxxxxxxxxxxxxxxx
. However, pasting (1) into the address bar correctly logs me out and returns me to the corresponding Authentik screen. (2) and (3) always end with aBad Request: The SAML request payload is missing.
from Authentik. Furthermore, the Nextcloud web log showsOC\Authentication\Exceptions\InvalidTokenException: Token does not exist: token does not exist
within about two minutes of my logout attempts (don't know if it's lag or an unrelated error).PS: The logout itself seems to take place with (1), despite the bad gateway error. When heading back to
cloud.myurl.com
it briefly shows Authentik'sRedirecting to Nextcloud...
which it does not show when a Nextcloud session is still active (as happens with (2) and (3)). Reloading the bad request page simply logs me back into Nextcloud via Authentik's redirect page.Configuration
Operating system: unRAID 6.12.6 (Docker) Nextcloud: Nextcloud AIO 7.12.1 (Nextcloud 27.1.7 RC1) Browser: Firefox 122.0.1 Operating system: Windows 11 IdP: Authentik Reverse Proxy: Nginx Proxy Manager
Proxy Configuration
- Nginx Proxy Manager is first in line. Enabled:
Websockets Support
,Force SSL
,HTTP/2 Support
,HSTS Enabled
,HSTS Subdomains
. It redirects tomy.servers.ipv4.address:11000
.- Nextcloud AIO's default Apache server is second in line. It does not output any logs in the seconds of the bad gateway error.
- No other of my services that go through Nginx Proxy Manager and use Authentik's SLO URLs (WordPress, Jellyfin, Audiobookshelf) have this issue.
Did you ever get this figured out? This is happening to me now. I notice it only happens if i dont have the option selected in SAML to allow multiple backend logins, like LDAP users.. If i keep that unchecked i get the gateway error on logout. If i have it selected and logout i get taken back to the proper authentik page with options.
Expected behaviour
Following this guide and some experimentation, I expected logging out to work with one of these options as
URL Location of IdP where the SP will send the SLO Request
:https://auth.myurl.com/if/session-end/nextcloud/
https://auth.myurl.com/application/saml/nextcloud/slo/binding/post/
https://auth.myurl.com/application/saml/nextcloud/slo/binding/redirect/
Actual behaviour
I encountered a
Bad gateway
error that I cannot track down. With (1) the error appears with this URL in the browser:https://cloud.myurl.com/apps/user_saml/saml/sls?requesttoken=xxxxxxxxxxxxxxxxxxxxxxxxxx
. However, pasting (1) into the address bar correctly logs me out and returns me to the corresponding Authentik screen. (2) and (3) always end with aBad Request: The SAML request payload is missing.
from Authentik.Furthermore, the Nextcloud web log shows
OC\Authentication\Exceptions\InvalidTokenException: Token does not exist: token does not exist
within about two minutes of my logout attempts (don't know if it's lag or an unrelated error).PS: The logout itself seems to take place with (1), despite the bad gateway error. When heading back to
cloud.myurl.com
it briefly shows Authentik'sRedirecting to Nextcloud...
which it does not show when a Nextcloud session is still active (as happens with (2) and (3)).Reloading the bad request page simply logs me back into Nextcloud via Authentik's redirect page.
Configuration
Operating system: unRAID 6.12.6 (Docker) Nextcloud: Nextcloud AIO 7.12.1 (Nextcloud 27.1.7 RC1) Browser: Firefox 122.0.1 Operating system: Windows 11 IdP: Authentik Reverse Proxy: Nginx Proxy Manager
Proxy Configuration
Websockets Support
,Force SSL
,HTTP/2 Support
,HSTS Enabled
,HSTS Subdomains
. It redirects tomy.servers.ipv4.address:11000
.