By: Boris Budini user 27 Aug 2020 at 1:06 p.m. CDT

15 Responses
Boris Budini gravatar
Hi there! We're currently trying to setup a SSO system using Gluu. After some research, it seems that the Gluu plugin is no longer maintained, and we'd prefer to use SAML for this integration. One more thing I need to mention is that this should be SP-initiated, and not IdP, as Nextcloud seems to be having some problems with IdP right now Right, so we started by installing https://apps.nextcloud.com/apps/user_saml **We configured it with these values:** * Attribute to map UID to: uid * For the IdP entity we set: https://gluu-url/idp/shibboleth * URL Target of the IdP where the SP will send the Authentication Request Message: https://gluu-url/idp/profile/SAML2/Redirect/SSO (based on https://gluu.org/docs/gluu-server/3.1.1/integration/saas/salesforce/) * We also set the CA for the IdP. This allows us to download the metadata XML (Yay) **Over at Gluu, this is the configuration we're doing:** * Entity type: Single SP * Sp Metadata URL: https://nextcloud-url/apps/user_saml/saml/metadata?idp=1 Attributes passed: Display Name,Email,Username The behavior so far: We go to nextcloud, click on login with Gluu, are redirected there, login into Gluu and... Nextcloud shows us: Message: Found an Attribute element with duplicated Name The url where this error is shown is: /apps/user_saml/saml/acs We've tried tweaking a couple settings, however, since this is our first time implementing SSO solutions, we might be configuring it wrong. Your help would be greatly appreciated!

By Michael Schwartz Account Admin 27 Aug 2020 at 1:44 p.m. CDT

Michael Schwartz gravatar
We use Nextcloud with the SAML plugin at Gluu too. Ganesh can help you.

By Ganesh Dutt Sharma staff 28 Aug 2020 at 6:38 a.m. CDT

Ganesh Dutt Sharma gravatar
Hello Boris, You're quite near. Can you try the setup as below: Configure Your settings as: Identifier of Idp entry: https://gluu-url/idp/shibboleth URL target of Idp where SP will send request: https://gluu-url/idp/profile/SAML2/Redirect/SSO SLO URL: https://gluu-url/idp/Authn/oxAuth/logout The certificate is retrieved from shibboleth link in first entry. The screenshot is attached herewith.

By Ganesh Dutt Sharma staff 28 Aug 2020 at 6:43 a.m. CDT

Ganesh Dutt Sharma gravatar
The TR portion on gluu-server looks like the screenshot attached here. The metadata has to be uploaded here during creation. This metadata file can be downloaded from the nextcloud saml page where you'll configure the entries.

By Boris Budini user 28 Aug 2020 at 6:49 a.m. CDT

Boris Budini gravatar
Hi there. Thank you for your help with this! I configured the settings the way you sent them over, but I'm afraid there's still some stuff to finalize. I think that `Message: Found an Attribute element with duplicated Name is caused` because the SAML response looks like this ```xml <saml2:AttributeStatement> <saml2:Attribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue>Boris Budini</saml2:AttributeValue></saml2:Attribute> <saml2:Attribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Boris Budini</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue>boris@cloud68.co</saml2:AttributeValue></saml2:Attribute> <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">boris@cloud68.co</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue>kominoshja</saml2:AttributeValue></saml2:Attribute> <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">kominoshja</saml2:AttributeValue> </saml2:Attribute> ``` Maybe Nextcloud is confused by the duplicate values? Also, I'm not quite sure what I should set at "Configure Relying Party"

By Boris Budini user 28 Aug 2020 at 9:54 a.m. CDT

Boris Budini gravatar
Hi again Ganesh! I'm fairly sure that the problem seems to come from SAML2SSO, but I'm not sure how to configure it in a way that it doesn't respond with the same attribute twice (as below) ```xml <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue>boris@cloud68.co</saml2:AttributeValue></saml2:Attribute> <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">boris@cloud68.co</saml2:AttributeValue> </saml2:Attribute> ``` I tried unchecking `Support Unspecified NameIdFormat? `, but after saving it it's reactivated automatically, even though i have selected `SAML:2.0:nameid-format:transient` Am I misconfiguring it?

By Michael Schwartz Account Admin 28 Aug 2020 at 10:10 a.m. CDT

Michael Schwartz gravatar
Anything interesting in `/opt/gluu/jetty/idp/logs` ? Can you past the screenshots for the attribute mapping in Nextcloud? Or any other config in Nextcloud that might be interesting. And also the screenshot for the "Configure Relying Party" popup?

By Boris Budini user 28 Aug 2020 at 10:21 a.m. CDT

Boris Budini gravatar
Nothing really going on in the logs.. Nextcloud config: ![](https://nextcloudgluu.cloud68.co/apps/files_sharing/publicpreview/dePmycs7sH4SxyN?x=1367&y=380&a=true&file=Screenshot_2020-08-28%2520Settings%2520-%2520Nextcloud.png&scalingup=0) Gluu configs: https://nextcloudgluu.cloud68.co/s/Y3mLRgH93MqtLnC

By Michael Schwartz Account Admin 28 Aug 2020 at 11:39 a.m. CDT

Michael Schwartz gravatar
Ganesh will take a look. One quick note: you should always sign assertions.

By Ganesh Dutt Sharma staff 28 Aug 2020 at 11:40 a.m. CDT

Ganesh Dutt Sharma gravatar
Screenshot is not clearly visible. Can you please send clearer image?

By Boris Budini user 28 Aug 2020 at 11:52 a.m. CDT

Boris Budini gravatar
@Michael.Schwartz Good point! @Ganesh.Dutt Sharma https://nextcloudgluu.cloud68.co/s/nsPb3z27ZQTeYxs

By Ganesh Dutt Sharma staff 28 Aug 2020 at 1:23 p.m. CDT

Ganesh Dutt Sharma gravatar
Thanks Boris. Your config looks alright. We come back to you after setting similar environment to check why two same attributes, when one is released.

By Ganesh Dutt Sharma staff 08 Sep 2020 at 1:17 p.m. CDT

Ganesh Dutt Sharma gravatar
Hello, We've tested the authentication in our environment. Upto 4.1.1 it's working. But for 4.2.1, the bug is appearing exactly as you described. The bug is listed here: https://github.com/GluuFederation/oxShibboleth/issues/75 The resolution is under way.

By Ganesh Dutt Sharma staff 09 Oct 2020 at 9:37 a.m. CDT

Ganesh Dutt Sharma gravatar
Hello Boris, The bug has been fixed in latest stable version of gluu-server 4.2.1: https://repo.gluu.org/ubuntu/pool/main/bionic/gluu-server_4.2.1~ubuntu18.04_amd64.deb Can you please try the newer version? The nameID config has changed as per attached screenshots. Another screenshot has been attached for TR example. --- Thanks Ganesh

By Philipp Zykov user 21 May 2021 at 5:57 p.m. CDT

Philipp Zykov gravatar
Hello! i'am trying to integrate Nextcloud Hub 21 and Gluu 4.1 i used settings from this thread, but when i press Download Metadata XML i see this in nextcloud log: {"reqId":"YKg5lBIGNlzu0Rh45l7lvgAAAAE","level":3,"time":"2021-05-21T22:52:04+00:00","remoteAddr":"ip-addres_hiden for_security_reason","user":"--","app":"index","method":"GET","url":"/index.php/apps/user_saml/saml/metadata","message":{"Exception":"OneLogin\\Saml2\\Error","Message":"Invalid array settings: idp_cert_or_fingerprint_not_found_and_required","Code":2,"Trace":[{"file":"/var/www/html/nextcloud/apps/user_saml/lib/Controller/SAMLController.php","line":247,"function":"__construct","class":"OneLogin\\Saml2\\Settings","type":"->","args":[{"strict":true,"debug":false,"baseurl":"https://nextcloud.my_site.com/index.php/apps/user_saml/saml","security":{"nameIdEncrypted":false,"authnRequestsSigned":false,"logoutRequestSigned":false,"logoutResponseSigned":false,"signMetadata":false,"0":"And 9 more entries, set log level to debug to see all entries"},"sp":{"entityId":"https://nextcloud.my_site.com/index.php/apps/user_saml/saml/metadata","assertionConsumerService":{"url":"https://nextcloud.my_site.com/index.php/apps/user_saml/saml/acs"},"NameIDFormat":"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified","singleLogoutService":{"url":"https://nextcloud.my_site.com/index.php/apps/user_saml/saml/sls"}},"0":"And 1 more entries, set log level to debug to see all entries"}]},{"file":"/var/www/html/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":218,"function":"getMetadata","class":"OCA\\User_SAML\\Controller\\SAMLController","type":"->","args":[null]},{"file":"/var/www/html/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":127,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OCA\\User_SAML\\Controller\\SAMLController"},"getMetadata"]},{"file":"/var/www/html/nextcloud/lib/private/AppFramework/App.php","line":157,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OCA\\User_SAML\\Controller\\SAMLController"},"getMetadata"]},{"file":"/var/www/html/nextcloud/lib/private/Route/Router.php","line":302,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OCA\\User_SAML\\Controller\\SAMLController","getMetadata",{"__class__":"OC\\AppFramework\\DependencyInjection\\DIContainer"},{"_route":"user_saml.SAML.getMetadata"}]},{"file":"/var/www/html/nextcloud/lib/base.php","line":993,"function":"match","class":"OC\\Route\\Router","type":"->","args":["/apps/user_saml/saml/metadata"]},{"file":"/var/www/html/nextcloud/index.php","line":37,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/var/www/html/nextcloud/apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Settings.php","Line":141,"CustomMessage":"--"},"userAgent":"ShibbolethIdp/3.4.6 OpenSAML/3.4.5","version":"21.0.2.1"} Where could be the problem? Thank you.

By Boris Budini user 21 May 2021 at 5:58 p.m. CDT

Boris Budini gravatar
Hi there! As you can probably tell, this is an automatic email. I am currently out of office until Monday If you need any technical assistance, please contact support@cloud68.co