By: Conan Malone user 12 Apr 2017 at 6:47 a.m. CDT

4 Responses
Trying to get SAML/SSO authentication working on NextCloud using Gluu as the IdP but running into some trouble. I have configured the SP side on NextCloud and have downloaded my metadata, and when I create a TR on Gluu I am getting the following error:

```
schema_reference.4: Failed to read schema document 'http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd', because 1) could not find the document; 2) the document could not be read; 3) the root element of the document is not <xsd:schema>.
```

Note I have changed the `services.properties` file and restarted `idp`, as I have seen this is causing problems with others using shibboleth on V3.

Also getting these warnings in `idp-process.log`, but have looked these up and have added SAML2SSO relying party and left defaults, so not sure why I am still getting these errors:

```
2017-04-12 12:44:48,073 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/browser is not available for relying party configuration shibboleth.UnverifiedRelyingParty
2017-04-12 12:44:48,079 - WARN [org.opensaml.profile.action.impl.LogEvent:76] - An error event occurred while processing the request: InvalidProfileConfiguration
```

By Aliaksandr Samuseu staff 12 Apr 2017 at 9:13 a.m. CDT

Hi, Conan. Could you share the metadata of this SP with us?

> have added SAML2SSO relying party and left defaults so not sure why I am still getting these errors

There may be several causes for these. For example, you may still need to clear all cookies in your browser, then restart the `identity` and then the `idp` services (note that Shibboleth doesn't reload changed configuration files right away, up to 5 minutes may pass first; restarting the `idp` service helps to make sure the new configuration is loaded, and restarting `identity` should force it to re-render templates and generate updated configuration files for the IdP).

But in your case it's more likely that this TR is not in an active state due to the errors you mentioned before:

```
schema_reference.4: Failed to read schema document 'http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd', because 1) could not find the document; 2) the document could not be read; 3) the root element of the document is not <xsd:schema>.
```

So no element for this SP is added to the IdP's conf files on disk yet, indeed. You should be able to see the status of this TR on the TR summary page of the web UI where all TRs are listed; it must be "Active". Until it's active, it won't be pushed into the configuration files, so please check the status.

By William Lowe user 12 Apr 2017 at 10:38 a.m. CDT

Conan, It would be easier to use [oxd](http://oxd.gluu.org) and our [nextcloud plugin](https://gluu.org/docs/oxd/plugin/nextcloud/). Thanks, Will

By Aliaksandr Samuseu staff 13 Apr 2017 at 9:17 a.m. CDT

Hi, Conan. As we've got another similar ticket, here is one thing I've just thought about: you may need to ensure that it's possible to contact the external Internet from within the container. Check that you can do `# ping google.com` from inside the container successfully. Maybe some name resolution or connectivity issues prevent it from completing certain metadata validation steps?

By Conan Malone user 19 Apr 2017 at 9:27 a.m. CDT

Thanks, it turns out it was connectivity issues.
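
The connectivity check suggested in this thread can be narrowed to the exact schema URL from the error message. The following is an added example, not code from any poster or from Gluu; the function names and the rough mapping of failures onto the three causes in the `schema_reference.4` message are assumptions made for illustration. Run it from inside the container:

```python
import socket
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# URL copied from the schema_reference.4 error quoted in the thread.
SCHEMA_URL = ("http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/"
              "xmldsig-core-schema.xsd")
# Namespace-qualified tag that a real XML Schema document has as its root.
XSD_ROOT = "{http://www.w3.org/2001/XMLSchema}schema"


def http_fetch(url, timeout=10):
    """Default fetcher: plain GET, returns the response body as bytes."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def diagnose(url=SCHEMA_URL, resolve=socket.gethostbyname, fetch=http_fetch):
    """Report which of the three causes in the error message applies.

    `resolve` and `fetch` are injectable (hypothetical parameters) so the
    logic can be exercised without network access.
    """
    host = urlparse(url).hostname
    try:
        resolve(host)
    except OSError as exc:  # socket.gaierror is an OSError
        return f"1) could not find the document: DNS lookup of {host} failed ({exc})"
    try:
        body = fetch(url)
    except OSError as exc:  # URLError, HTTPError, timeouts, refused connections
        return f"2) the document could not be read: {exc}"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "3) response is not XML (proxy error or captive-portal page?)"
    if root.tag != XSD_ROOT:
        return f"3) the root element is <{root.tag}>, not <xsd:schema>"
    return "ok: schema document is reachable and has an <xsd:schema> root"


if __name__ == "__main__":
    print(diagnose())
```

A result starting with `3)` usually means something between the container and w3.org answered in place of the real server, which a plain `ping` would not reveal.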