We use Nextcloud with the SAML plugin at Gluu too. Ganesh can help you.

Hello Boris, You're quite near. Can you try the setup as below: Configure Your settings as: Identifier of Idp entry: https://gluu-url/idp/shibboleth URL target of Idp where SP will send request: https://gluu-url/idp/profile/SAML2/Redirect/SSO SLO URL: https://gluu-url/idp/Authn/oxAuth/logout The certificate is retrieved from shibboleth link in first entry. The screenshot is attached herewith.

The TR portion on gluu-server looks like the screenshot attached here. The metadata has to be uploaded here during creation. This metadata file can be downloaded from the nextcloud saml page where you'll configure the entries.

Hi there. Thank you for your help with this! I configured the settings the way you sent them over, but I'm afraid there's still some stuff to finalize. I think that `Message: Found an Attribute element with duplicated Name is caused` because the SAML response looks like this ```xml <saml2:AttributeStatement> <saml2:Attribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue>Boris Budini</saml2:AttributeValue></saml2:Attribute> <saml2:Attribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Boris Budini</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue>boris@cloud68.co</saml2:AttributeValue></saml2:Attribute> <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">boris@cloud68.co</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue>kominoshja</saml2:AttributeValue></saml2:Attribute> <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">kominoshja</saml2:AttributeValue> </saml2:Attribute> ``` Maybe Nextcloud is confused by the duplicate values? Also, I'm not quite sure what I should set at "Configure Relying Party"

Hi again Ganesh! I'm fairly sure that the problem seems to come from SAML2SSO, but I'm not sure how to configure it in a way that it doesn't respond with the same attribute twice (as below) ```xml <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue>boris@cloud68.co</saml2:AttributeValue></saml2:Attribute> <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">boris@cloud68.co</saml2:AttributeValue> </saml2:Attribute> ``` I tried unchecking `Support Unspecified NameIdFormat? `, but after saving it it's reactivated automatically, even though i have selected `SAML:2.0:nameid-format:transient` Am I misconfiguring it?

Anything interesting in `/opt/gluu/jetty/idp/logs` ? Can you past the screenshots for the attribute mapping in Nextcloud? Or any other config in Nextcloud that might be interesting. And also the screenshot for the "Configure Relying Party" popup?

Nothing really going on in the logs.. Nextcloud config:  Gluu configs: https://nextcloudgluu.cloud68.co/s/Y3mLRgH93MqtLnC

Ganesh will take a look. One quick note: you should always sign assertions.

Screenshot is not clearly visible. Can you please send clearer image?

@Michael.Schwartz Good point! @Ganesh.Dutt Sharma https://nextcloudgluu.cloud68.co/s/nsPb3z27ZQTeYxs

Thanks Boris. Your config looks alright. We come back to you after setting similar environment to check why two same attributes, when one is released.

Hello, We've tested the authentication in our environment. Upto 4.1.1 it's working. But for 4.2.1, the bug is appearing exactly as you described. The bug is listed here: https://github.com/GluuFederation/oxShibboleth/issues/75 The resolution is under way.

Hello Boris, The bug has been fixed in latest stable version of gluu-server 4.2.1: https://repo.gluu.org/ubuntu/pool/main/bionic/gluu-server_4.2.1~ubuntu18.04_amd64.deb Can you please try the newer version? The nameID config has changed as per attached screenshots. Another screenshot has been attached for TR example. --- Thanks Ganesh

Hello! i'am trying to integrate Nextcloud Hub 21 and Gluu 4.1 i used settings from this thread, but when i press Download Metadata XML i see this in nextcloud log: {"reqId":"YKg5lBIGNlzu0Rh45l7lvgAAAAE","level":3,"time":"2021-05-21T22:52:04+00:00","remoteAddr":"ip-addres_hiden for_security_reason","user":"--","app":"index","method":"GET","url":"/index.php/apps/user_saml/saml/metadata","message":{"Exception":"OneLogin\\Saml2\\Error","Message":"Invalid array settings: idp_cert_or_fingerprint_not_found_and_required","Code":2,"Trace":[{"file":"/var/www/html/nextcloud/apps/user_saml/lib/Controller/SAMLController.php","line":247,"function":"__construct","class":"OneLogin\\Saml2\\Settings","type":"->","args":[{"strict":true,"debug":false,"baseurl":"https://nextcloud.my_site.com/index.php/apps/user_saml/saml","security":{"nameIdEncrypted":false,"authnRequestsSigned":false,"logoutRequestSigned":false,"logoutResponseSigned":false,"signMetadata":false,"0":"And 9 more entries, set log level to debug to see all entries"},"sp":{"entityId":"https://nextcloud.my_site.com/index.php/apps/user_saml/saml/metadata","assertionConsumerService":{"url":"https://nextcloud.my_site.com/index.php/apps/user_saml/saml/acs"},"NameIDFormat":"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified","singleLogoutService":{"url":"https://nextcloud.my_site.com/index.php/apps/user_saml/saml/sls"}},"0":"And 1 more entries, set log level to debug to see all entries"}]},{"file":"/var/www/html/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":218,"function":"getMetadata","class":"OCA\\User_SAML\\Controller\\SAMLController","type":"->","args":[null]},{"file":"/var/www/html/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":127,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OCA\\User_SAML\\Controller\\SAMLController"},"getMetadata"]},{"file":"/var/www/html/nextcloud/lib/private/AppFramework/App.php","line":157,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OCA\\User_SAML\\Controller\\SAMLController"},"getMetadata"]},{"file":"/var/www/html/nextcloud/lib/private/Route/Router.php","line":302,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OCA\\User_SAML\\Controller\\SAMLController","getMetadata",{"__class__":"OC\\AppFramework\\DependencyInjection\\DIContainer"},{"_route":"user_saml.SAML.getMetadata"}]},{"file":"/var/www/html/nextcloud/lib/base.php","line":993,"function":"match","class":"OC\\Route\\Router","type":"->","args":["/apps/user_saml/saml/metadata"]},{"file":"/var/www/html/nextcloud/index.php","line":37,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/var/www/html/nextcloud/apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Settings.php","Line":141,"CustomMessage":"--"},"userAgent":"ShibbolethIdp/3.4.6 OpenSAML/3.4.5","version":"21.0.2.1"} Where could be the problem? Thank you.

Hi there! As you can probably tell, this is an automatic email. I am currently out of office until Monday If you need any technical assistance, please contact support@cloud68.co