Problem: Nextcloud - Login to Nextcloud Fails After Application Upgrade


Problem:

During the upgrade of the Nextcloud app on Univention Corporate Server (UCS), the join script 50nextcloud.inst fails because the user_saml app is not installed or activated during container setup. As a result, simpleSAMLphp cannot be configured as the Identity Provider (IdP) for Nextcloud, and Single Sign-On (SSO) logins fail.

This issue results in a critical authentication outage, where users are unable to log in to Nextcloud.


Symptoms

Users encounter the following error message when accessing Nextcloud after an upgrade:

“Anscheinend gibt es ein Problem mit dieser Website”
“Fehlercode: 500 Internal Server Error”

Additionally, the join process fails with an error.
Excerpt from /var/log/univention/join.log:

RUNNING 50nextcloud.inst
Object exists: cn=Nextcloud Hub,cn=services,cn=univention,dc=univention,dc=intranet
No modification: cn=ucs-5,cn=dc,cn=computers,dc=univention,dc=intranet
...
Object exists: SAMLServiceProviderIdentifier=https://ucs-5.univention.intranet/nextcloud/apps/user_saml/saml/metadata,cn=saml-serviceprovider,cn=univention,dc=univention,dc=intranet

There are no commands defined in the "saml:config" namespace.

Could not configure simpleSAMLphp as Nextcloud Identity Provider
EXITCODE=1

Affected Systems

  • UCS Version: 5.0-10 errata1323
  • Nextcloud App Version: 31.0.9-0

Root Cause

Reference: Univention Bugzilla #58753

During the upgrade process, the Nextcloud container fails to correctly install and enable the user_saml app.
The following steps, normally executed during setup, are missing:

user_saml x.x.x installed
user_saml enabled

As a result, the command occ saml:config is unavailable, causing the join script 50nextcloud.inst to fail when attempting to configure SSO integration via simpleSAMLphp.


Investigation Notes:

Before applying the workaround, the following condition can be observed:

There are no commands defined in the "saml" namespace.

This confirms that user_saml was missing or not initialized correctly.

Verification Steps:

1. Connect to the Nextcloud Container

univention-app shell nextcloud

2. Check System Status

sudo -u www-data /var/www/html/occ status

Example output:

- installed: true
- version: 31.0.9.1
- versionstring: 31.0.9
- maintenance: false
- needsDbUpgrade: false
- productname: Nextcloud

3. List Installed Apps

sudo -u www-data /var/www/html/occ app:list

Example (problematic case — user_saml missing):

Enabled:
  - activity: 4.0.0
  - app_api: 5.0.2
  - user_ldap: 1.22.0
  - user_status: 1.11.0
  ...
Disabled:
  - admin_audit: 1.21.0
  - encryption: 2.19.0
  ...

4. Check LDAP connection and configuration

LDAP connection and configuration tests may still show as valid:

sudo -u www-data /var/www/html/occ ldap:test-config -vvv s01
The configuration is valid and the connection could be established!

Verification Example

root@nextc-87183795:/# sudo -u www-data /var/www/html/occ saml:config
Available commands for the "saml:config" namespace:
  saml:config:create
  saml:config:get
  saml:config:set
  saml:config:delete
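
The checks above can be combined into one triage step. The following shell script is an added example, not part of the original article or of UCS/Nextcloud: the function names app_state, join_failed_on_saml and triage are hypothetical, and the sample log and app lists are constructed from the excerpts on this page.

```shell
#!/bin/sh
# Added example. Classify an app from `occ app:list` output read on stdin.
# Prints: enabled | disabled | missing
app_state() {
    awk -v app="$1" '
        /^Enabled:/  { section = "enabled";  next }
        /^Disabled:/ { section = "disabled"; next }
        # Entries look like "  - user_saml: 7.0.0"
        $1 == "-" && $2 == (app ":") { print section; found = 1; exit }
        END { if (!found) print "missing" }
    '
}

# Succeeds when the join log ($1) carries both lines of the failure
# signature quoted in this article.
join_failed_on_saml() {
    grep -q 'There are no commands defined in the "saml' "$1" &&
    grep -q 'Could not configure simpleSAMLphp as Nextcloud Identity Provider' "$1"
}

# Map both observations to the next workaround step.
# $1 = join log path, $2 = file holding `occ app:list` output
triage() {
    state=$(app_state user_saml < "$2")
    if join_failed_on_saml "$1"; then
        case $state in
            missing)  echo "install: occ app:install user_saml, then re-run 50nextcloud.inst" ;;
            disabled) echo "enable: occ app:enable user_saml, then re-run 50nextcloud.inst" ;;
            enabled)  echo "rerun: user_saml is enabled, re-run 50nextcloud.inst" ;;
        esac
    else
        echo "no-match: join log does not show the saml:config failure ($state)"
    fi
}

# Constructed sample data, shortened from the excerpts in this article.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'RUNNING 50nextcloud.inst' \
    'There are no commands defined in the "saml:config" namespace.' \
    'Could not configure simpleSAMLphp as Nextcloud Identity Provider' \
    'EXITCODE=1' > "$tmp/join.log"
printf '%s\n' 'Enabled:' '  - user_ldap: 1.22.0' 'Disabled:' \
    '  - admin_audit: 1.21.0' > "$tmp/apps_broken.txt"
printf '%s\n' 'Enabled:' '  - user_ldap: 1.22.0' '  - user_saml: 7.0.0   ' \
    'Disabled:' '  - admin_audit: 1.21.0' > "$tmp/apps_fixed.txt"
triage "$tmp/join.log" "$tmp/apps_broken.txt"
triage "$tmp/join.log" "$tmp/apps_fixed.txt"
```

On a real system, pass /var/log/univention/join.log from the UCS host and a file holding the occ app:list output captured inside the container.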

Workaround:

Step 1: Connect to the Nextcloud App Container

univention-app shell nextcloud

Step 2: Install the Missing user_saml App

sudo -u www-data /var/www/html/occ app:install user_saml

Expected output:

user_saml 7.0.0 installed
user_saml enabled

Step 3: Verify Installation

sudo -u www-data /var/www/html/occ app:list

Now, user_saml should appear under “Enabled”:

root@nextc-55840987:/# sudo -u www-data /var/www/html/occ app:list
Enabled:
  - activity: 4.0.0
  - app_api: 5.0.2
  - bruteforcesettings: 4.0.0
  - circles: 31.0.0
  - cloud_federation_api: 1.14.0
  - comments: 1.21.0   
  - contactsinteraction: 1.12.0
  - dashboard: 7.11.0  
  - dav: 1.33.0
  - federatedfilesharing: 1.21.0
  - federation: 1.21.0 
  - files: 2.3.1
  - files_downloadlimit: 4.0.0
  - files_pdfviewer: 4.0.0
  - files_reminders: 1.4.0
  - files_sharing: 1.23.1
  - files_trashbin: 1.21.0
  - files_versions: 1.24.0
  - firstrunwizard: 4.0.0
  - logreader: 4.0.0   
  - lookup_server_connector: 1.19.0
  - nextcloud_announcements: 3.0.0
  - notifications: 4.0.0
  - oauth2: 1.19.1
  - password_policy: 3.0.0
  - photos: 4.0.0
  - privacy: 3.0.0
  - profile: 1.0.0
  - provisioning_api: 1.21.0
  - recommendations: 4.0.0
  - related_resources: 2.0.0
  - serverinfo: 3.0.0  
  - settings: 1.14.0   
  - sharebymail: 1.21.0
  - support: 3.0.0
  - survey_client: 3.0.0
  - systemtags: 1.21.1 
  - text: 5.0.0
  - theming: 2.6.1
  - twofactor_backupcodes: 1.20.0
  - user_ldap: 1.22.0  
  - user_saml: 7.0.0   
  - user_status: 1.11.0
  - viewer: 4.0.0
  - weather_status: 1.11.0
  - webhook_listeners: 1.2.0
  - workflowengine: 2.13.0
Disabled:
  - admin_audit: 1.21.0
  - encryption: 2.19.0 
  - files_external: 1.23.0
  - onlyoffice: 9.11.0 (installed 9.8.0)
  - richdocuments: 8.7.6 (installed 8.4.13)
  - suspicious_login: 9.0.1
  - twofactor_nextcloud_notification: 5.0.0
  - twofactor_totp: 13.0.0-dev.0

Step 4: Validate SAML Configuration

sudo -u www-data /var/www/html/occ saml:config:get

Example output:

- 1:
  - general-uid_mapping: uid
  - idp-entityId: https://ucs-sso.univention.intranet/simplesamlphp/saml2/idp/metadata.php
  - idp-singleSignOnService.url: https://ucs-sso.univention.intranet/simplesamlphp/saml2/idp/SSOService.php
  - idp-x509cert: -----BEGIN CERTIFICATE-----
    ...

Step 5: Exit the Container

exit

Step 6: Re-run the Join Script

Execute the join script manually to complete configuration:

univention-run-join-scripts --run-scripts 50nextcloud.inst

Expected output:

Running 50nextcloud.inst                                   done
Running post-joinscripts hook(s):                          done

Step 7: Verify Successful Login

Log in to Nextcloud through UCS Single Sign-On (simpleSAMLphp).
The login should now succeed without the 500 Internal Server Error.


Additional Information:

How to remove the SSO login option for Nextcloud

If you need to remove the SSO Login from Nextcloud:

Log in to the container:

univention-app shell nextcloud

Disable the user_saml application:

sudo -u www-data /var/www/html/occ app:disable user_saml
Example output:
user_saml 7.0.0 disabled

How to Properly Remove Nextcloud (for Full Cleanup)

If you need to completely reinstall Nextcloud:

univention-app remove nextcloud

To reset UCS variables:

ucr unset $(ucr search --key "^nextcloud" | cut -d ":" -f1)

To remove Nextcloud’s PostgreSQL database:

su -c "psql -c \"drop database nextcloud\"" - postgres
su -c "dropuser \"nextcloud\"" - postgres
rm /etc/postgresql-nextcloud.secret

To delete application data:

rm -Rf "/var/lib/univention-appcenter/apps/nextcloud"