nextcloud / user_saml

:lock: App for authenticating Nextcloud users using SAML https://apps.nextcloud.com/apps/user_saml
https://portal.nextcloud.com/article/configuring-single-sign-on-10.html
GNU Affero General Public License v3.0

Occasionally getting access to other users cloud since 6.2.0 #871

Closed eidota closed 3 months ago

eidota commented 3 months ago

Steps to reproduce

  1. Have a session with your SSO (Shibboleth)
  2. Navigate to the Nextcloud-Instance

Expected behaviour

The personal Cloud should be loaded

Actual behaviour

Sometimes you load into the cloud of a different user.

Description

This happens rather rarely, and we have not been able to reproduce it reliably.

What we have found out is that when loading the page, the "Logout" button is occasionally visible, which should not actually be there because of SSO. In this case, Nextcloud sets several unexpected cookies (nc_session_id, nc_token, nc_username) that are not normally present.

It seems that Nextcloud occasionally gets lost when checking the Shibboleth session and then loads in a local context. And in some of these cases people get loaded into another user's cloud. We can also report that in the case of a correct session, the local cookies (nc_...) are also set while the page is loading. These are then automatically removed again, presumably as soon as the Shibboleth session has been verified. You only see a brief flicker of the cookies in the web tools before they disappear again.

On our IDP side, the requests and responses to Nextcloud look completely correct.

This problem first occurred after we updated Nextcloud from 28.0.4 to 28.0.8, in the course of which user_saml was upgraded from 6.1.3 to 6.2.0.

Server configuration

Description: We have 2 application servers behind an HAProxy; the DB and Redis are on their own servers. We use local Nextcloud accounts that are synchronised once a day via a custom script using occ calls. Authentication is realised with user_saml (Shibboleth). This setup has been up and running since April.

Operating system: Ubuntu 22.04.4 LTS

Web server: Apache/2.4.52 (Ubuntu)

Database: MariaDB 10.6.18

PHP version: 8.1.2

Nextcloud version: 28.0.8

Where did you install Nextcloud from: Manual install

List of activated apps:


Nextcloud configuration:

{ "system": { "passwordsalt": "REMOVED SENSITIVE VALUE", "secret": "REMOVED SENSITIVE VALUE", "instanceid": "REMOVED SENSITIVE VALUE", "trusted_domains": [ "localhost", "FQDN", "ALIAS" ], "trustedproxies": "REMOVED SENSITIVE VALUE", "datadirectory": "REMOVED SENSITIVE VALUE", "dbtype": "mysql", "version": "28.0.8.1", "overwrite.cli.url": "https:\/\/cloud.xxx.de", "dbname": "REMOVED SENSITIVE VALUE", "dbhost": "REMOVED SENSITIVE VALUE", "dbport": "", "dbtableprefix": "oc", "mysql.utf8mb4": true, "dbuser": "REMOVED SENSITIVE VALUE", "dbpassword": "REMOVED SENSITIVE VALUE", "installed": true, "default_phone_region": { "1": "DE" }, "mail_from_address": "REMOVED SENSITIVE VALUE", "mail_smtpmode": "smtp", "mail_domain": "REMOVED SENSITIVE VALUE", "mail_smtphost": "REMOVED SENSITIVE VALUE", "mail_smtpport": "25", "memcache.local": "\OC\Memcache\APCu", "redis": { "host": "REMOVED SENSITIVE VALUE", "port": "6379", "password": "REMOVED SENSITIVE VALUE", "timeout": 1.5, "read_timeout": 1.5 }, "onlyoffice": { "verify_peer_off": "true", "jwt_header": "XOCAuth" }, "memcache.locking": "\OC\Memcache\Redis", "memcache.distributed": "\OC\Memcache\Redis", "filelocking.enabled": "true", "enable_previews": "true", "enabledPreviewProviders": [ "OC\Preview\PNG", "OC\Preview\JPEG", "OC\Preview\GIF", "OC\Preview\BMP", "OC\Preview\XBitmap", "OC\Preview\Movie", "OC\Preview\PDF", "OC\Preview\MP3", "OC\Preview\TXT", "OC\Preview\MarkDown" ], "preview_max_x": "1024", "preview_max_y": "768", "preview_max_scale_factor": "1", "auth.bruteforce.protection.enabled": "true", "trashbin_retention_obligation": "auto,7", "skeletondirectory": "", "defaultapp": "files", "activity_expire_days": "14", "integrity.check.disabled": "false", "updater.release.channel": "stable", "forcessl": "true", "has_internet_connection": "true", "maintenance": false, "ldapUserCleanupInterval": "51", "singleuser": "false", "default_language": "de_DE", "allow_user_to_change_display_name": "false", "loglevel": 3, 
"simpleSignUpLink.shown": false, "maintenance_window_start": 2 } }

user_saml configuration

REMOTE_USER Mapped displayName and mail
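As an added example (not code from this issue, from Nextcloud or from user_saml): a small probe that repeats the reporter's "navigate to the instance" step from a script and flags the two indicators described above, a response that tries to set nc_session_id / nc_token / nc_username, and a response whose reported user is not the one the Shibboleth session belongs to. It assumes the OCS current-user call at /ocs/v2.php/cloud/user is reachable with the SSO cookie alone and returns JSON with ocs.data.id; the base URL, the cookie value and the sample responses below are placeholders constructed for the example.

```python
"""Probe a Nextcloud instance behind SSO for the 'wrong user' symptom.

Constructed for illustration; not part of user_saml. Assumptions:
- the OCS 'current user' endpoint is reachable at USER_ENDPOINT and returns
  {"ocs": {"data": {"id": "<uid>"}}} as JSON (assumed endpoint),
- the SSO cookie passed on the command line is a valid Shibboleth session,
- a response that sets nc_session_id / nc_token / nc_username is the local
  session fallback the reporter observed.
"""
import json
import sys
import time
import urllib.error
import urllib.request

USER_ENDPOINT = "/ocs/v2.php/cloud/user?format=json"  # assumed endpoint
LOCAL_SESSION_COOKIES = ("nc_session_id", "nc_token", "nc_username")


def cookies_set_by(headers):
    """Names of all cookies the response sets (headers: list of (name, value))."""
    return {
        value.split("=", 1)[0].strip()
        for name, value in headers
        if name.lower() == "set-cookie"
    }


def assess(headers, body, expected_uid):
    """Classify one response.

    verdict        'ok', 'WRONG-USER' (server thinks we are someone else) or
                   'no-user' (no uid in body: unauthenticated or error page)
    uid            the uid the server reported, or None
    local_cookies  which nc_* local-session cookies the response tried to set
    """
    local = sorted(cookies_set_by(headers) & set(LOCAL_SESSION_COOKIES))
    try:
        uid = json.loads(body)["ocs"]["data"]["id"]
    except (ValueError, KeyError, TypeError):
        uid = None
    if uid is None:
        verdict = "no-user"
    elif uid == expected_uid:
        verdict = "ok"
    else:
        verdict = "WRONG-USER"
    return {"verdict": verdict, "uid": uid, "local_cookies": local}


def fetch(base_url, sso_cookie):
    """One request carrying only the SSO cookie. nc_* cookies from earlier
    rounds are deliberately never replayed, so every round starts from the
    SSO session alone, like a fresh navigation to the instance."""
    req = urllib.request.Request(
        base_url.rstrip("/") + USER_ENDPOINT,
        headers={"OCS-APIRequest": "true", "Cookie": sso_cookie,
                 "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return list(resp.headers.items()), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return list(err.headers.items()), err.read().decode("utf-8", "replace")


def probe(base_url, sso_cookie, expected_uid, rounds=50, pause=0.5):
    """Repeat the request; print anomalies to stderr; return all assessments."""
    results = []
    for i in range(rounds):
        headers, body = fetch(base_url, sso_cookie)
        result = assess(headers, body, expected_uid)
        results.append(result)
        if result["verdict"] != "ok" or result["local_cookies"]:
            print(f"round {i}: {result}", file=sys.stderr)
        time.sleep(pause)
    return results


# Constructed sample responses (not captured from a real instance) so the
# classifier can be exercised offline.
SAMPLE_OK = ([("Content-Type", "application/json; charset=utf-8")],
             '{"ocs":{"meta":{"status":"ok"},"data":{"id":"alice"}}}')
SAMPLE_LOCAL_FALLBACK = (
    [("Set-Cookie", "nc_session_id=deadbeef; Path=/; Secure; HttpOnly"),
     ("Set-Cookie", "nc_username=bob; Path=/; Secure"),
     ("Content-Type", "application/json; charset=utf-8")],
    '{"ocs":{"meta":{"status":"ok"},"data":{"id":"bob"}}}')
SAMPLE_UNAUTH = ([("Content-Type", "text/html")], "<html>login</html>")


if __name__ == "__main__":
    if len(sys.argv) == 4:
        base, cookie, uid = sys.argv[1:]
        tally = {}
        for r in probe(base, cookie, uid):
            tally[r["verdict"]] = tally.get(r["verdict"], 0) + 1
        print(tally)
    else:
        for sample in (SAMPLE_OK, SAMPLE_LOCAL_FALLBACK, SAMPLE_UNAUTH):
            print(assess(*sample, expected_uid="alice"))
```

Run it as `python3 probe.py https://cloud.example.org '_shibsession_...=...' alice` with the cookie copied from a browser session (treat that value as a credential). Without arguments it only classifies the constructed samples. A single WRONG-USER round, or any round that sets nc_* cookies while the SSO session is valid, is the event to correlate with the Apache and Shibboleth logs on the application server that served it; the HAProxy in front means the two nodes should be checked separately.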

eidota commented 3 months ago

Please let me know if more information is needed, as this is a rather serious problem. We posted it here instead of the server repo, as it seems closely related to the SSO implementation of user_saml.

joshtrichards commented 3 months ago

Duplicate of #872