user_saml
HTTP ERROR 405 - NextCloud with Okta
We are trying to set up SAML login on Nextcloud with https://www.okta.com/. When trying to log in with SAML on Nextcloud it shows:
If the problem continues, contact the site owner. HTTP ERROR 405
Any directions?
NextCloud 18.0.4, CentOS 7, PHP 7.3.17, MySQL 5.5.64
Can you please specify your settings a little bit more? What did you set up on the Okta side (especially Single Sign On URL, Audience Restriction and attribute statements) and what did you set up on the Nextcloud side (especially IdP entity ID, Login URL and attribute for uid)?
I'm seeing the same thing using Keycloak. NextCloud properly navigates to the Keycloak login, I authenticate, and NextCloud starts part of the login flow. The failure is after the POST to NextCloud at http://cloud.mydomain.dev/apps/user_saml/saml/acs. NextCloud responds with 301 and Location https://cloud.mydomain.dev/apps/user_saml/saml/acs. At this point Chrome performs a GET to https://cloud.mydomain.dev/apps/user_saml/saml/acs and NextCloud responds with 405.
Interestingly, Firefox behaves differently. It makes the POST request to https://cloud.mydomain.dev/apps/user_saml/saml/acs and also gets a Location header in the response with https://cloud.mydomain.dev/apps/user_saml/saml/acs. It then performs the GET request to https://cloud.mydomain.dev/apps/user_saml/saml/acs and receives a 405 response. However, it doesn't wait and show an error like Chrome but instead goes on to make a GET request to https://cloud.mydomain.dev/favicon.ico. Firefox is telling me this is part of the logic in FaviconLoader.js. This gets a 302 redirect to https://cloud.mydomain.dev/login, which gets another 302 to https://cloud.mydomain.dev/apps/user_saml/saml/selectUserBackEnd?redirectUrl=. The GET request to https://cloud.mydomain.dev/apps/user_saml/saml/selectUserBackEnd succeeds with a 200 response which contains a webpage. The page looks like the main NextCloud login page. Unfortunately the JavaScript doesn't render the page since it was initiated by a favicon img tag, so I just get a white empty webpage.
In either case my session isn't logged in: navigating to the main site just shows me another login prompt.
My NextCloud SAML config:
- NO - Only allow authentication if an account exists on some other backend. (e.g. LDAP)
- YES - Use SAML auth for the Nextcloud desktop clients (requires user re-authentication)
- YES - Allow the use of multiple user back-ends (e.g. LDAP)
- Attribute to map the UID to: username
- Optional display name of the identity provider: Keycloak
- Name ID format: Unspecified
- Identifier of the IdP entity: https://auth.mydomain.dev/auth/realms/theribbles
- URL target of the IdP where the SP will send the Authentication Request Message: https://auth.mydomain.dev/auth/realms/theribbles/protocol/saml
- URL location of the IdP where the SP will send the SLO request: https://auth.mydomain.dev/auth/realms/theribbles/protocol/saml
- URL Location of the IdP's SLO response: None/blank
- Attribute to map the email to: email
- Attribute to map the users groups to: Role
- NO - Indicates that the nameID of the samlp:logoutRequest sent by this SP will be encrypted
- YES - Indicates whether the samlp:AuthnRequest messages sent by this SP will be signed.
- YES - Indicates whether the samlp:logoutRequest messages sent by this SP will be signed.
- YES - Indicates whether the samlp:logoutResponse messages sent by this SP will be signed.
- NO - Whether the metadata should be signed.
- YES - Indicates a requirement for the samlp:Response, samlp:LogoutRequest and samlp:LogoutResponse elements received by this SP to be signed.
- YES - Indicates a requirement for the saml:Assertion elements received by this SP to be signed.
- NO - Indicates a requirement for the saml:Assertion elements received by this SP to be encrypted.
- NO - Indicates a requirement for the NameID element on the SAMLResponse received by this SP to be present.
- NO - Indicates a requirement for the NameID element received by this SP to be encrypted.
- NO - Indicates if the SP will validate all received XML.
- NO - ADFS URL-encodes SAML data as lowercase, and the toolkit by default uses uppercase. Enable for ADFS compatibility on signature verification.
- Algorithm that the toolkit will use on signing process: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 (default)
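The redirect chain above is the key detail: a 301 from the http:// ACS URL to its https:// twin makes the browser re-issue the request as a GET, so the SAMLResponse form body never reaches the ACS and the 405 is the expected answer. The script below is an added diagnostic, not part of the user_saml app; it replays a recorded redirect chain to show which method the browser ends up using, and audits an SP metadata document for AssertionConsumerService entries whose Location is not https or whose Binding is not HTTP-POST. The URLs are the ones quoted in the comment; the metadata document is constructed for the example, and its entityID and the function names are assumptions.

```python
"""Diagnose why a SAML POST to the ACS ends as a GET and a 405.

Two independent checks:
1. follow_chain() replays a browser following redirects: 301/302/303 rewrite a
   POST into a GET (dropping the SAMLResponse body); 307/308 keep the method.
2. audit_acs() parses SP metadata and flags AssertionConsumerService entries
   that are not https or not the HTTP-POST binding.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

METHOD_CHANGING = {301, 302, 303}     # browsers turn POST into GET here
METHOD_PRESERVING = {307, 308}        # method and body are kept

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata (hypothetical entityID); the ACS Location is
# deliberately http:// to reproduce the situation described in the comment.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://cloud.mydomain.dev/apps/user_saml/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://cloud.mydomain.dev/apps/user_saml/saml/acs"
        index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Redirect chain as recorded in the comment: POST to http ACS -> 301 -> https ACS.
CHROME_CHAIN = [(301, "https://cloud.mydomain.dev/apps/user_saml/saml/acs")]


def follow_chain(first_method, hops):
    """Replay a browser following `hops`, a list of (status, location) pairs.

    Returns (method, url) of the final request the browser makes.
    """
    method = first_method
    url = None
    for status, location in hops:
        if status in METHOD_CHANGING and method == "POST":
            method = "GET"  # form body (SAMLResponse, RelayState) is discarded
        elif status not in METHOD_CHANGING | METHOD_PRESERVING:
            raise ValueError(f"not a redirect status: {status}")
        url = location
    return method, url


def explain_chain(first_method, hops):
    """Human-readable verdict for a chain that started with `first_method`."""
    method, url = follow_chain(first_method, hops)
    if first_method == "POST" and method == "GET":
        return f"POST downgraded to GET before reaching {url}; ACS answers 405"
    return f"{method} arrives at {url} with method intact"


def audit_acs(metadata_xml):
    """Return findings for each AssertionConsumerService in SP metadata."""
    findings = []
    root = ET.fromstring(metadata_xml)
    for acs in root.iterfind(".//md:AssertionConsumerService", MD_NS):
        loc = acs.get("Location", "")
        binding = acs.get("Binding", "")
        scheme = urlsplit(loc).scheme
        if scheme != "https":
            findings.append(
                f"ACS {loc}: scheme is {scheme!r}; a redirect to https "
                f"turns the IdP's POST into a GET"
            )
        if binding != HTTP_POST_BINDING:
            findings.append(f"ACS {loc}: binding is {binding!r}, expected HTTP-POST")
    return findings


if __name__ == "__main__":
    print(explain_chain("POST", CHROME_CHAIN))
    for finding in audit_acs(SAMPLE_METADATA):
        print("finding:", finding)
```

The practical fix this points at is to register the https:// ACS URL at the IdP (so the POST lands on the final URL directly) rather than relying on a web-server redirect; if a redirect in front of the ACS is unavoidable, only 307/308 keep the POST body.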
@Sx3 I have the same as you; do you have any solutions?
@EliRibble @fancycode
I have succeeded with Keycloak in Nextcloud:
use OpenID Connect instead of SAML, and enable Social Login in Nextcloud.
at keycloak
at nextcloud
Hello! Did you manage to solve the problem with Okta? @Sx3 @EliRibble @fancycode
Not sure why you mention me here, I don't know about the SAML app.
GitHub is primarily used for discussions related to the code itself and improving the code. For addressing configuration woes, we recommend utilising other channels better suited for support.
In light of this, I will be closing your issue here. There are alternative avenues for assistance, for example I can recommend our very active home-user forum or the official support channels. You'll have access to a more suitable platform to discuss and resolve any concerns you may have. Thanks again!
Hello! Did you manage to solve the problem with Okta? @Sx3 @EliRibble @fancycode
Did you follow my above reply?
I did not. I actually moved away from Keycloak and on to Authentik. It has been far simpler.
Yes, but I had errors. The solution was to use the data from the instructions that Okta generates after configuring the SAML application. They can be found on the right on the Sign On page. And it also needs to be used on https://cloud.com/index.php/apps/user_saml/saml/acs Ah https://cloud.com/apps/user_saml/saml/acs It helped me. And you also need to add fields like in the picture.
Thank you all! @Sx3 @EliRibble @fancycode