user_saml
It publishes assertion consumer with the wrong scheme, ADFS
Troubleshooting federation, I realized it was getting the wrong assertion consumer endpoint. I mean, it's basically the same but with the scheme http:// instead of https://, which is required on ADFS. I tried adding it manually but ADFS won't let me; I tried to hack the XML metadata before loading it into ADFS but it outsmarts me and won't let me. Here is the error I'm getting in Event Viewer:
Encountered error during federation passive request.
Additional Data
Protocol Name:
Saml
Relying Party:
http://domain.com/apps/user_saml/saml/metadata
Exception details:
Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.AssertionConsumerServiceUrlDoesNotMatchPolicyException: MSIS3200: No AssertionConsumerService is configured on the relying party trust 'http://domain.com/apps/user_saml/saml/metadata' that is a prefix match of the AssertionConsumerService URL 'http://domain.com/apps/user_saml/saml/acs' specified by the request.
at Microsoft.IdentityServer.Service.SamlProtocol.EndpointResolver.LookupAssertionConsumerServiceByUrl(Collection`1 assertionConsumerServices, Uri requestedAssertionConsumerServiceUrl, String scopeIdentity)
at Microsoft.IdentityServer.Service.SamlProtocol.EndpointResolver.FindSamlResponseEndpointForAuthenticationRequest(Boolean artifactEnabled, AuthenticationRequest request, ScopeDescription scopeDescription)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.GetResponseEndpointFromRequest(SamlRequest request, Boolean isUrlTranslationNeeded, ScopeDescription scope)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
Even if I go full security or zero security, basically it only asks for the metadata point (Nextcloud's), also with an http:// scheme, but it won't correct the assertion thingy to the secure version. I hope this is enough to help the devs. :)
Hey @vitaprimo, I'm not sure if you've resolved this on your end, given it was over a year ago, but I had a similar issue and was able to resolve it with some minor changes: https://github.com/nextcloud/user_saml/issues/343#issuecomment-512085714
If using the Helm chart, you must add this entry to resolve the issue and force it to use https for the user_saml app:
nextcloud:
  extraEnv:
    - name: OVERWRITEPROTOCOL
      value: "https"
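As an added example (not code from the user_saml project or from either poster), the following script checks SP metadata for exactly the problem described in this thread before it is loaded into ADFS: it parses the `EntityDescriptor`, lists every `AssertionConsumerService` Location, flags any entityID or ACS URL that is not `https://`, and reproduces a plain string prefix match between the ACS URL carried in an AuthnRequest and the ACS URLs registered on the relying party trust. The metadata document is constructed to resemble the URLs in the MSIS3200 error above; the prefix-match rule is my approximation of what ADFS does and is labelled as such in the code.

```python
"""Validate SAML SP metadata for the http:// vs https:// ACS mismatch.

Added example, not user_saml project code. The metadata below is constructed
to mirror the URLs in the MSIS3200 event; the prefix-match helper is an
assumption about how ADFS compares ACS URLs, not ADFS's own implementation.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed SP metadata: the kind a Nextcloud behind a TLS-terminating proxy
# publishes when it does not know the external scheme (no OVERWRITEPROTOCOL).
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://domain.com/apps/user_saml/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://domain.com/apps/user_saml/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return (entityID, [ACS Location, ...]) from an SP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    acs_urls = [
        el.get("Location")
        for el in root.findall(".//md:AssertionConsumerService", MD_NS)
    ]
    return entity_id, acs_urls


def insecure_endpoints(xml_text):
    """List every entityID / ACS URL in the metadata whose scheme is not https."""
    entity_id, acs_urls = parse_sp_metadata(xml_text)
    return [u for u in [entity_id, *acs_urls] if urlsplit(u).scheme != "https"]


def acs_prefix_match(configured_acs, requested_acs):
    """Assumed model of the ADFS check behind MSIS3200: the requested ACS URL
    must start with one of the ACS URLs registered on the relying party trust.
    Returns the matching configured URL, or None when nothing matches.
    A scheme difference (http vs https) makes the prefix test fail outright."""
    for url in configured_acs:
        if requested_acs.startswith(url):
            return url
    return None


def rewrite_scheme(url, scheme):
    """Show what the same endpoint looks like once the SP publishes the
    external scheme (the effect OVERWRITEPROTOCOL=https has on generated URLs)."""
    parts = urlsplit(url)
    return urlunsplit((scheme, parts.netloc, parts.path, parts.query, parts.fragment))


def diagnose(xml_text, requested_acs):
    """Summarise whether this metadata would satisfy an AuthnRequest for
    `requested_acs`, and which URLs need to be corrected first."""
    _, acs_urls = parse_sp_metadata(xml_text)
    return {
        "prefix_match": acs_prefix_match(acs_urls, requested_acs),
        "insecure": insecure_endpoints(xml_text),
        "corrected_acs": [rewrite_scheme(u, "https") for u in acs_urls],
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_SP_METADATA, "https://domain.com/apps/user_saml/saml/acs")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against real metadata by replacing `SAMPLE_SP_METADATA` with the document fetched from the SP's `/apps/user_saml/saml/metadata` URL; an empty `insecure` list and a non-`None` `prefix_match` is the state you want before importing the trust into ADFS.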