SAML assertion URL processing issue

Support intro

Sorry to hear you’re facing problems.

The community help forum (help.nextcloud.com) is for home and non-enterprise users. Support is provided by other community members on a best effort / “as available” basis. All of those responding are volunteering their time to help you.

If you’re using Nextcloud in a business/critical setting, paid and SLA-based support services can be accessed via portal.nextcloud.com where Nextcloud engineers can help ensure your business keeps running smoothly.

Getting help

In order to help you as efficiently (and quickly!) as possible, please fill in as much of the below requested information as you can.

Before clicking submit: Please check if your query is already addressed via the following resources:

(Utilizing these existing resources is typically faster. It also helps reduce the load on our generous volunteers while elevating the signal to noise ratio of the forums otherwise arising from the same queries being posted repeatedly).

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can.

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • 32.0.2 (and 32.0.1)
  • Operating system and version (e.g., Ubuntu 24.04):
    • Ubuntu 24.04
  • Web server and version (e.g., Apache 2.4.25):
    • Apache as per Docker image 32.0.2-apache
  • Reverse proxy and version (e.g., nginx 1.27.2):
    • nginx 1.24
  • PHP version (e.g., 8.3):
    • As per Docker image 32.0.2-apache
  • Is this the first time you’ve seen this error? (Yes / No):
    • Yes
  • When did this problem seem to first start?
    • Unsure, due to using the 'latest' tag by mistake
  • Installation method (e.g., AIO, NCP, Bare Metal/Archive, etc.):
    • Docker
  • Are you using Cloudflare, mod_security, or similar? (Yes / No):
    • No

Summary of the issue you are facing:

SAML (with Keycloak) was working fine in v30 then the docker image updated (I was using latest by mistake). Somewhere since then - definitely from v31, when the SAML assertion comes back I get

“The response was received at https:////apps/user_saml/saml/apps/user_saml/saml/acs instead of https:////apps/user_saml/saml/acs”. This appears on screen (no other html, just this text) as well as in the log - domain and subdir are correct for my install, just obfuscated for the purpose of this post.

Somehow it has the middle part replicated.

I’ve been through every setting, recreated etc. and still the same. The only change was NC upgrading.

Steps to replicate it (hint: details matter!):

  1. Install using docker 32.0.2-apache image

  2. Configure with keycloak SAML provider

  3. Test!

The issue seems suspiciously related to this: buildWithBaseURLPath corrupts the current route if it contains slashes, causing assertion validation to fail · Issue #249 · SAML-Toolkits/php-saml

I’ve been trying to trace this issue through the code but cannot find where this error message is being generated. Having done a packet capture, all the requests to the NC server appear correct so it looks like something is happening internally.

Any help getting to the bottom of this appreciated.

thanks

You mentioned a subdirectory. How specifically are you handling that with the micro-services Docker image? There are some nuances that could be interacting here.

So:

  • It may be related to how your reverse proxy is integrated (or web server if you’d done something custom in the image)
  • Do you have warnings under Admin settings->Overview?
  • You didn’t share your config so not much else to go on.

The error message itself is coming from an external dependency (onelogin/php-saml), which may be why you haven’t seen it directly in the user_saml code base. You can find it on GitHub in its own repository, however.

Thanks @jtr

I’m always open to the fact there may be a configuration nuance here. I have an NGINX reverse proxy set up which does the usual proxypass on to the NC Docker image. I’ve updated the config.php to support the subdirectory and all was working well until one of the updates. I just wish I knew which one!

The only warning I have is the AppAPI Deploy daemon one - I’m pretty sure this is unrelated (happy to be corrected) as it wasn’t there in previous versions that didn’t work.

I’ve just updated to 32.0.3 which is now producing an interesting response in the log:

Cannot modify header information - headers already sent by (output started at /var/www/html/custom_apps/user_saml/vendor/onelogin/php-saml/src/Saml2/Response.php:441) at /var/www/html/lib/private/AppFramework/Http/Output.php#46

Does this give any further clues at all as to where I should be looking?

Update: I believe I may have found the root cause of this having done some more extensive tracing.

It fundamentally boils down to the baseurl in user_saml > SAMLSettings.php, which is getting its value from user_saml.SAML.base, which appears to be /apps/user_saml/saml; hence, when the correct route for acs is applied, it doubles up this root.

I have reported this as an issue on GitHub user_saml repo.

Hopefully this is useful to others experiencing this.
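To make the root cause described in the update above concrete, here is an added illustration (not code from Nextcloud, user_saml or php-saml) of how a base URL that already ends in the app's SAML route gets repeated when the ACS route is appended, and of the Destination check that then produces the "received at ... instead of ..." message quoted in this thread. The way the route is joined to the base URL, the hostname and the "subdir" prefix are assumptions made for the illustration.

```php
<?php
// Added illustration, not code from Nextcloud, user_saml or php-saml.
// Simplified model (an assumption) of how a SAML toolkit derives the URL
// it "received the response at" and compares it with the assertion's
// Destination. Hostname and the "subdir" prefix are placeholders.

/** Assumed model: the configured base URL path is prefixed to the route
 *  that Nextcloud reports relative to its own webroot. A base path that
 *  already contains the app's SAML route is therefore repeated. */
function modelCurrentUrl(string $baseUrl, string $ncRoute): string
{
    $base     = parse_url($baseUrl);
    $basePath = rtrim($base['path'] ?? '', '/');
    return $base['scheme'] . '://' . $base['host'] . $basePath . $ncRoute;
}

/** The Destination check: the assertion's Destination must start with the
 *  URL the response was received at. Returns null when it matches,
 *  otherwise the diagnostic text a validator would log. */
function checkDestination(string $received, string $destination): ?string
{
    if (strpos($destination, $received) === 0) {
        return null;
    }
    return "The response was received at $received instead of $destination";
}

// Constructed sample values for a Nextcloud installed under /subdir.
$destination = 'https://cloud.example.test/subdir/apps/user_saml/saml/acs';
$ncRoute     = '/apps/user_saml/saml/acs';   // ACS route inside the install

// Base URL that already points at the app's SAML route (the value the
// update above reports for user_saml.SAML.base): the middle part of the
// path is doubled and the check fails.
$bad = modelCurrentUrl('https://cloud.example.test/subdir/apps/user_saml/saml', $ncRoute);
echo $bad . PHP_EOL;
echo (checkDestination($bad, $destination) ?? 'Destination check passed') . PHP_EOL;

// Base URL that stops at the install's webroot: the route is appended
// once and the received URL equals the Destination.
$good = modelCurrentUrl('https://cloud.example.test/subdir', $ncRoute);
echo $good . PHP_EOL;
echo (checkDestination($good, $destination) ?? 'Destination check passed') . PHP_EOL;
```

Running the script with `php` prints the doubled URL followed by the same diagnostic text seen in the thread for the first case, and the correct ACS URL with a passing check for the second.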