Server: SAML login fails because of invalid signature since NC 17 update

Created on 4 Oct 2019 · 11 comments · Source: nextcloud/server

Steps to reproduce

  1. Updated to NC 17
  2. Tried to login which redirects to the external SAML provider exactly as it did before with 16.0.5
  3. That SAML provider (Keycloak in our case) prints an error message about an invalid requester and the system log there shows that the signature of the request is invalid.

Expected behaviour

The external service should still understand the SAML request.

Actual behaviour

The external service complains about the signature used by the NC request.

Server configuration

Operating system: Ubuntu 18.04

Web server: Apache

Database: MySQL

PHP version: 7.2

Nextcloud version: (see Nextcloud admin page) 17.0.0

Updated from an older Nextcloud/ownCloud or fresh install: updated from 16.0.5

Where did you install Nextcloud from: github sources

Signing status:


Technical information
=====================
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.

Results
=======
- core
    - INVALID_HASH
        - .htaccess

Raw output
==========
Array
(
    [core] => Array
        (
            [INVALID_HASH] => Array
                (
                    [.htaccess] => Array
                        (
                            [expected] => c98ec6c839cd1c86e69900c8dbc2fe457b6fd7d6ae626cfa6247b1774dfac1444b2d9cfbc0060af2a891c10d74bc0acfbf8b70f341db05429825eabf2a406bff
                            [current] => 03a32baf7f3a61e407b4a452422c7641594cd7701426039443c2f10f311ca1a0d5e1865bbb8e7a0fba0c2144076f0af5781f95d78bdae4672ec2a6c08c338070
                        )

                )

        )

)

List of activated apps:


Enabled:
  - accessibility: 1.3.0
  - activity: 2.10.1
  - admin_audit: 1.7.0
  - announcementcenter: 3.6.0
  - apporder: 0.7.1
  - audioplayer: 2.8.4
  - bookmarks: 2.1.1
  - bruteforcesettings: 1.4.0
  - calendar: 1.7.1
  - circles: 0.17.7
  - cloud_federation_api: 1.0.0
  - comments: 1.7.0
  - contacts: 3.1.6
  - cookbook: 0.4.2
  - dashboard: 6.0.0
  - dav: 1.13.0
  - deck: 0.7.0
  - external: 3.4.0
  - federatedfilesharing: 1.7.0
  - federation: 1.7.0
  - files: 1.12.0
  - files_automatedtagging: 1.7.0
  - files_downloadactivity: 1.6.0
  - files_fulltextsearch: 1.3.6
  - files_fulltextsearch_tesseract: 1.3.1
  - files_pdfviewer: 1.6.0
  - files_readmemd: 1.1.1
  - files_rightclick: 0.15.1
  - files_sharing: 1.9.0
  - files_trashbin: 1.7.0
  - files_versions: 1.10.0
  - files_videoplayer: 1.6.0
  - firstrunwizard: 2.6.0
  - flowupload: 0.1.2
  - fulltextsearch: 1.3.6
  - fulltextsearch_elasticsearch: 1.4.0
  - gallery: 18.4.0
  - gpxpod: 4.0.5
  - group_everyone: 0.1.3
  - groupfolders: 5.0.3
  - guests: 1.3.0
  - impersonate: 1.4.0
  - logreader: 2.2.0
  - lookup_server_connector: 1.5.0
  - maps: 0.1.2
  - news: 14.0.0
  - nextcloud_announcements: 1.6.0
  - notes: 3.0.3
  - notifications: 2.5.0
  - oauth2: 1.5.0
  - password_policy: 1.7.0
  - passwords: 2019.9.1
  - phonetrack: 0.5.4
  - previewgenerator: 2.1.0
  - privacy: 1.1.0
  - provisioning_api: 1.7.0
  - rainloop: 6.0.4
  - ransomware_protection: 1.5.0
  - recommendations: 0.5.0
  - registration: 0.4.7
  - richdocuments: 3.4.2
  - serverinfo: 1.7.0
  - sharebymail: 1.7.0
  - sharerenamer: 2.7.2
  - social: 0.2.101
  - spreed: 7.0.0
  - support: 1.0.1
  - survey_client: 1.5.0
  - systemtags: 1.7.0
  - tasks: 0.11.3
  - text: 1.0.2
  - theming: 1.8.0
  - twofactor_backupcodes: 1.6.0
  - twofactor_totp: 4.0.0
  - updatenotification: 1.7.0
  - user_saml: 2.4.0
  - viewer: 1.1.0
  - workflowengine: 1.7.0
Disabled:
  - encryption
  - files_external
  - gpxedit
  - gpxmotion
  - metadata
  - polls
  - ransomware_detection
  - user_ldap

Nextcloud configuration:


{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.example.de"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "17.0.0.9",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "forcessl": true,
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "ssl",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": "true",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "loglevel": 3,
        "logfile": "\/var\/log\/nextcloud\/example.log",
        "theme": "",
        "maintenance": false,
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "timeout": 0,
            "dbindex": 2
        },
        "appstore.experimental.enabled": true,
        "trashbin_retention_obligation": "auto",
        "overwrite.cli.url": "https:\/\/cloud.example.de",
        "overwriteprotocol": "https",
        "logtimezone": "UTC",
        "htaccess.RewriteBase": "\/",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "mysql.utf8mb4": true,
        "app_install_overwrite": [
            "apporder",
            "dashboard",
            "flowupload",
            "files_readmemd"
        ]
    }
}

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: SAML with Keycloak

Client configuration

Browser: Firefox, Chrome, Brave

Operating system: Ubuntu 18

Logs

Web server error log


217.8.58.12 - - [04/Oct/2019:11:39:33 +0200] "GET /index.php/apps/user_saml/saml/login?originalUrl=&idp=1&requesttoken=3xJpDGzmL0c7rVV9kHfplyExaaNP/aavq/vEOwissuA%3D%3AvHEoVAfNHyMM6gYpxSWc3lJzPfU5numckpO0bGPu2Iw%3D HTTP/1.1" 303 2004 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"

Nextcloud log (data/nextcloud.log)


none

Browser log


none

Labels: 0. Needs triage, bug


All 11 comments

Hi @jurgenhaas
In Keycloak, check whether your clientID has a ../index.php/apps/user_saml/saml/metadata in the URL.
If true, remove the /index.php/

Thanks,
TP

Hi @tpimpao

Sorry for my late reply, I was on vacation last week. I've just removed the /index.php from the ID, but the problem is still the same as before.

I have also exported a fresh copy of metadata.xml and re-created the client over at Keycloak by removing the index.php part, but that doesn't make any difference.

Is there anything else I could try?

Additional info: the event log in Keycloak reports login errors because the client ID couldn't be found. This is because the request from NC still contains the /index.php in the client ID. When I bring back the original client ID, I'm back to the error "invalid signature".

I have now disabled Client Signature Required in the Keycloak client and now the login process is working just fine. This is certainly not a proper solution but seems to indicate that everything else is configured correctly.

I've run into the same problem. Disabling "Client Signature Required" in Keycloak does get login working for me as well. Any ideas on how to get client signatures working again?

Just to add my two cents: For me this started happening without any apparent reason overnight, with Nextcloud 18.0.1, SSO & SAML authentication 3.0.1 and Keycloak 8.0.1. There were no updates as far as I can see and I think desktop clients are still working. Disabling "Client Signature Required" solved this for now. Obviously something must have changed in my setup, however I cannot determine what that might be.
Maybe it's related to this, at least the fix is the same.

keycloak_log.txt

Also experiencing this issue. No explicit changes were made recently to either Keycloak or the SAML settings on Nextcloud; however, I did update to Nextcloud 18.0.3 recently. That might have been the change that broke it, but I can't confirm because I haven't tested authentication in some time.

Hey there. I just experienced the same issue after simply restarting the nextcloud docker container.

I assume something is not persisted properly in the Nextcloud SAML config. Disabling client signatures worked for me, but it definitely is a security risk.

I just did a quick test. First I recreated the IdP certificate, configured it for Nextcloud SAML and the Keycloak client, and the authentication works as expected!
It also works after restarting Nextcloud.

This makes the case even more complicated. The state of the nextcloud saml config changes after a while and becomes invalid after a restart.

Not sure how to proceed from here.

This is due to an invalid certificate.
To solve this, you can do as follows.

  1. Enter Keycloak's Nextcloud client settings.
  2. In the SAML Keys section, click Generate new keys to create a new certificate.
  3. The generated certificate is in .pem format. You should change it to .crt format and .key format.
  4. Enter the crt and key, in that order, in the Service Provider Data section of the SAML settings of Nextcloud.
  5. No more errors.

For reference, this is how to convert the pem into key and crt.

  1. Copy the created private key
  2. vi privkey.pem
-----BEGIN RSA PRIVATE KEY-----
Private Key
-----END RSA PRIVATE KEY-----

Save it.

  3. openssl rsa -in privkey.pem -out privkey.key
  4. Copy the generated certificate
  5. vi cert.pem
-----BEGIN CERTIFICATE-----
Certificate
-----END CERTIFICATE-----

Save it.

  6. openssl x509 -inform PEM -in cert.pem -out public.crt

Now you have the crt and key files.

P.s. Since I used Google Translate, there may be incorrect expressions. Please understand. :)
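The conversion described in the comment above, plus the check a practitioner wants before pasting the result into Nextcloud: that the private key and the certificate actually belong together (a mismatched pair is one way to get the IdP's "invalid signature" error). This is an added example, not code from the thread or from Nextcloud or Keycloak; it assumes openssl is installed and generates a throwaway self-signed pair in place of the one Keycloak produces under "SAML Keys".

```shell
#!/bin/sh
# Added example, not from the thread: convert the PEM key and certificate
# Keycloak generates under "SAML Keys" into the privkey.key / public.crt pair
# Nextcloud's Service Provider Data fields expect, then check that the two
# really belong together. A key that does not match the certificate the IdP
# holds is one way to end up with the "invalid signature" error in the report.
set -eu

# Convert $1 (PEM private key) and $2 (PEM certificate) into $3/privkey.key
# and $3/public.crt. Returns 0 only when the certificate carries the public
# key that belongs to the private key.
convert_and_check() {
    pem_key="$1"; pem_cert="$2"; out="$3"
    mkdir -p "$out"
    # The same two conversions the comment gives, with -out on the key step
    # (the command as posted lacked -out and would only dump the key as text).
    openssl rsa -in "$pem_key" -out "$out/privkey.key" 2>/dev/null
    openssl x509 -inform PEM -in "$pem_cert" -out "$out/public.crt"
    # Derive the public key from the private key and extract the one embedded
    # in the certificate; if their digests differ, the pair is mismatched.
    from_key=$(openssl pkey -in "$out/privkey.key" -pubout 2>/dev/null | openssl sha256)
    from_crt=$(openssl x509 -in "$out/public.crt" -pubkey -noout | openssl sha256)
    [ "$from_key" = "$from_crt" ]
}

# Constructed stand-in for Keycloak's generated pair: a throwaway self-signed
# RSA key and certificate written to $1/privkey.pem and $1/cert.pem.
make_sample_pair() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sp-sample" \
        -keyout "$1/privkey.pem" -out "$1/cert.pem" 2>/dev/null
}

# Stand-alone run: convert a fresh pair and report whether it is consistent.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_pair "$tmp"
    if convert_and_check "$tmp/privkey.pem" "$tmp/cert.pem" "$tmp/out"; then
        echo "key and certificate match: use $tmp/out/public.crt and $tmp/out/privkey.key"
    else
        echo "key and certificate do NOT match; regenerate the pair in Keycloak" >&2
    fi
fi
```

Run it with `--demo` to see the check on a generated pair; to verify a real Keycloak export, call `convert_and_check` with the downloaded privkey.pem and cert.pem instead.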


It works for me, thank you!
