
We're testing an upgrade from Nextcloud 16 to Nextcloud 17, and everything seems to be working well except for logins through SAML. We are using user_saml 2.4.2. Every time we try to log in via SAML, it seems to work until the final redirect into Nextcloud. Then we receive the following message:

Account not provisioned.
Your account is not provisioned, access to this service is thus not possible.

I've tried clearing cookies, using Incognito mode, and clearing server-side sessions in Redis, but nothing has an effect. We've checked with our IdP (Azure AD) and the user is definitely allowed access to this app. We've also confirmed that a corresponding user account exists in Nextcloud, so we're not sure what the issue is.


1 Answer


It turned out that our staging environment did not have the proper IdP x.509 certificate for the Azure AD app/service that the user was signing into. In other words, our live environment is normally "files.ourdomain.com" and our staging environment is "dev.files.ourdomain.com", but the certificate the staging instance of Nextcloud was using from Azure AD corresponded to the App Registration for "files.ourdomain.com" -- the live environment. Nextcloud and the SAML authentication module apparently do not log anything useful to tell you this is the root cause.

To fix, we had to:

  1. Log in with the local Nextcloud admin account (using /login?direct).
  2. Go under the user menu in the upper-right corner of the page.
  3. Go to "SSO & SAML authentication".
  4. Expand "Show optional Identity Provider settings…".
  5. Replace the contents of the "Public x.509 Certificate of the IdP" with the certificate provided by Azure AD.
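Because the answer notes that neither Nextcloud nor user_saml logs the certificate mismatch, the quickest way to confirm this root cause before touching the admin UI is to compare the fingerprint of the certificate Nextcloud has configured with the signing certificate(s) the IdP actually publishes in its SAML metadata. The script below is an added example for this thread, not code from Nextcloud, user_saml or Azure AD. It assumes that the configured value is what `occ config:app:get user_saml idp-x509cert` prints (the app-config key name is an assumption), that the IdP side is the Azure AD federation metadata XML for the app (`https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml?appid=<app-id>`), and that the certificate blobs embedded here are constructed placeholders rather than real X.509 DER, so only the decode-and-fingerprint comparison is exercised, not certificate parsing.

```python
"""Compare the IdP certificate configured in Nextcloud's user_saml app with the
signing certificate(s) published in the IdP's SAML metadata.

Added example for this thread; not code from Nextcloud, user_saml or Azure AD.
Assumptions (not stated in the original post):
  - the configured value is what `occ config:app:get user_saml idp-x509cert`
    prints (PEM or bare base64; both are handled; key name is assumed);
  - the metadata is the Azure AD federation metadata XML for the app;
  - the certificate blobs below are constructed placeholders, not real DER.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def normalize_cert(text: str) -> str:
    """Strip PEM armour and all whitespace, leaving bare base64 of the DER."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    return re.sub(r"\s+", "", body)


def fingerprint(cert_b64: str, hash_name: str = "sha256") -> str:
    """Colon-separated hex digest of the DER bytes (pass "sha1" for a SHA-1 thumbprint)."""
    der = base64.b64decode(normalize_cert(cert_b64), validate=True)
    digest = hashlib.new(hash_name, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signing_certs_from_metadata(metadata_xml: str) -> list[str]:
    """Return the base64 signing certificates listed in SAML IdP metadata.

    A KeyDescriptor without a `use` attribute is valid for both signing and
    encryption, so it is included; `use="encryption"` keys are skipped.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        for x509 in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            if x509.text:
                certs.append(normalize_cert(x509.text))
    return certs


def check_idp_cert(configured_cert: str, metadata_xml: str) -> dict:
    """Compare the configured cert against every signing cert in the metadata."""
    configured_fp = fingerprint(configured_cert)
    published_fps = [fingerprint(c) for c in signing_certs_from_metadata(metadata_xml)]
    return {
        "configured": configured_fp,
        "published": published_fps,
        "match": configured_fp in published_fps,
    }


# --- Constructed sample data (placeholders, not real certificates) ----------
# Each blob stands in for the DER of one app registration's signing cert.
STAGING_CERT_B64 = base64.b64encode(b"constructed DER: dev.files.ourdomain.com signing cert").decode()
LIVE_CERT_B64 = base64.b64encode(b"constructed DER: files.ourdomain.com signing cert").decode()
ENC_CERT_B64 = base64.b64encode(b"constructed DER: encryption-only cert").decode()

# Shape follows Azure AD federation metadata: signing and encryption KeyDescriptors.
STAGING_METADATA_XML = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS_NS}"><X509Data><X509Certificate>
        {STAGING_CERT_B64}
      </X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="{DS_NS}"><X509Data><X509Certificate>{ENC_CERT_B64}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# What the mis-configured staging instance held: the live app's certificate, as PEM.
MISCONFIGURED_PEM = (
    "-----BEGIN CERTIFICATE-----\n" + LIVE_CERT_B64 + "\n-----END CERTIFICATE-----\n"
)


if __name__ == "__main__":
    result = check_idp_cert(MISCONFIGURED_PEM, STAGING_METADATA_XML)
    print("configured:", result["configured"])
    print("published :", result["published"])
    print("MATCH" if result["match"] else "MISMATCH: configured IdP cert is not one the IdP publishes")
```

On a real instance, feed `check_idp_cert` the output of the occ command and the fetched metadata instead of the constructed blobs; a MISMATCH is the silent failure the answer describes, and the fix is the UI procedure above (or replacing the same app-config value). Keep the metadata check in your runbook, since an IdP that rotates its signing certificate produces the same symptom without any change on the Nextcloud side.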