Problem:
Troubleshooting SAML with nextcloud
Configuring nextcloud with saml, as described in our blog post:
If you have this error message:
the user is not activated for using Nextcloud with SAML. You have to assign the service provider (SP) to the user.
Another kind of error you may face is this one:
This can be caused by all kinds of errors. The most common cause is a certificate issue. For further information consult the log file:
root@real-member:/var/lib/univention-appcenter/apps/nextcloud/data/nextcloud-data# less nextcloud.log
To get the right certificate for the Nextcloud settings you can use curl on your server:
curl https://ucs-sso.schein.ig/simplesamlphp/saml2/idp/metadata.php
Please adjust the domain name to your domain.
Little stumbling blocks in the Nextcloud settings
- The uid needs to be in lowercase.
- https://ucs-sso.schein.ig/simplesamlphp/saml2/idp/metadata.php
- https://ucs-sso.schein.ig/simplesamlphp/saml2/idp/SSOService.php
- https://ucs-sso.schein.ig/simplesamlphp/saml2/idp/SingleLogoutService.php
- curl https://ucs-sso.schein.ig/simplesamlphp/saml2/idp/metadata.php
  to get the certificate, and copy only the certificate itself.
Like above, please adjust the domain name to your domain.
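The step "copy the certificate only" is where most certificate mistakes happen: the metadata contains a signing and an encryption KeyDescriptor, and the base64 is wrapped and indented. The following script is an added example, not code from the Univention article or from Nextcloud; it parses SAML 2.0 metadata as returned by the curl call above, keeps only the signing certificate(s) of the IdP descriptor, strips the line breaks, and prints the certificate in PEM form together with a SHA-256 fingerprint that you can compare against the certificate shown in the Nextcloud SAML settings. The embedded metadata document and the certificate bytes in it are constructed placeholders (no real X.509 data); the hostname ucs-sso.example.test is likewise made up.

```python
"""Extract the IdP signing certificate from SAML 2.0 metadata (added example)."""
import base64
import hashlib
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# XML namespaces used by SAML metadata and XML-DSig
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder: NOT a real certificate, just bytes standing in for DER.
PLACEHOLDER_DER = b"constructed placeholder, not a real X.509 certificate"
PLACEHOLDER_B64 = base64.b64encode(PLACEHOLDER_DER).decode()

# Constructed metadata shaped like the output of metadata.php: one signing and one
# encryption KeyDescriptor, base64 wrapped over several indented lines.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://ucs-sso.example.test/simplesamlphp/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {PLACEHOLDER_B64[:20]}
        {PLACEHOLDER_B64[20:]}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://ucs-sso.example.test/simplesamlphp/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def fetch_metadata(url: str) -> str:
    """Download the metadata over HTTPS (the same thing the curl call in the text does)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def extract_signing_certs(metadata_xml: str) -> list[bytes]:
    """Return the DER bytes of every signing certificate in the IDPSSODescriptor.

    A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption, so it is kept; 'use="encryption"' descriptors are skipped.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            # drop line breaks and indentation before decoding
            b64 = "".join((node.text or "").split())
            certs.append(base64.b64decode(b64, validate=True))
    return certs


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in the PEM header/footer Nextcloud expects."""
    return ssl.DER_cert_to_PEM_cert(der)


def fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-256 fingerprint for comparison in the UI."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    import sys

    # usage: python3 extract_idp_cert.py https://<your-sso-host>/simplesamlphp/saml2/idp/metadata.php
    xml_text = fetch_metadata(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_METADATA
    for der in extract_signing_certs(xml_text):
        print("SHA256 fingerprint:", fingerprint(der))
        print(to_pem(der))
```

Run it with your own metadata URL as the first argument; without an argument it processes the constructed sample. If more than one signing certificate is printed, the IdP is in the middle of a certificate rollover and Nextcloud must be configured with the one the IdP currently signs with.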
Settings in the UMC should look like this.
If the Nextcloud app is installed on another server, you need that server's FQDN for the identity provider here.
Please keep in mind that the checkbox "Allow transmission of LDAP attributes to the service provider"
in the "Extended Settings" category has to be set, even if you define no additional LDAP attributes to be transmitted. UCS transfers the uid
attribute back to the Nextcloud app on every single login, which is why the checkbox is mandatory.