[help_request] Users disappear when switching from SAML to OpenIDconnect #1018

Status: Open
warioishere opened this issue Jan 3, 2025 · 0 comments
Labels: 0. Needs triage, bug (Something isn't working)

Comments

warioishere commented Jan 3, 2025

Hi there,

I'm running a public Nextcloud instance for a little community and am currently facing a major issue when attempting to switch from the SAML plugin to OpenID Connect for authentication. I am using Keycloak as the Identity Provider. I don't think it's a bug, but rather a wrong configuration.

When I deactivate the SAML plugin and enable OpenID Connect, all existing users disappear from the Nextcloud instance. If I re-enable the SAML plugin, the users reappear. Here's what I've tried so far to troubleshoot and resolve the issue:

Mapping consistency:

- SAML was using the username attribute for mapping users.
- For OpenID Connect, I configured the User ID Mapping to username as well.
- On Keycloak, I created a mapper that outputs username as a token claim.

Database checks:

- I inspected the oc_accounts table in the Nextcloud database, which stores user data in the uid field.
- The uid values correspond to the usernames used by SAML, so the issue doesn't seem to be related to the database itself.

Logs:

- When OpenID Connect is enabled, users attempting to log in receive the error: Failed to provision user.
- There are no specific hints in the nextcloud.log file pointing to a clear cause.

It seems like Nextcloud doesn't recognize the existing users when switching to OpenID Connect, even though the username mapping is identical across both plugins.

I also tried preferred_username in the plugin and created a mapper to username from preferred_username for the token claim. It also didn't help. None of the old users created with the SAML plugin are there when I deactivate the SAML plugin for Nextcloud.

My questions:

1. Why do users disappear from the Nextcloud instance when switching from SAML to OpenID Connect?
2. Is there a way to safely migrate users between these two authentication plugins without losing access or data?
3. Are there additional steps required to make Nextcloud recognize the existing users after switching to OpenID Connect?

Thanks in advance for your help! If you need more details or logs, I'd be happy to provide them.
I am just a hobby admin, and authentication flows and systems are hard for me to understand.

Best regards,
Wario

warioishere added the labels 0. Needs triage and bug on Jan 3, 2025
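The post describes a mapping check that is easy to get wrong by eye: the OpenID Connect plugin is told to map users on a claim (username, then preferred_username), and that claim must be present in the ID token Keycloak issues and must equal, byte for byte, the uid values already stored in oc_accounts. The script below is an added diagnostic example (not part of the issue, and not code from Nextcloud, user_oidc or Keycloak): it base64url-decodes the payload of an ID token, reports whether the configured claim exists, and compares its value against a list of existing uids. The token, its claims and the uid set are constructed inline so the script runs offline; in practice you would paste a token captured from a real login (for example from the browser's network tab) and feed in the output of `SELECT uid FROM oc_accounts`. Note that the payload is decoded without any signature verification; that is fine for inspecting which claims a token carries, but it must never be used as a login check.

```python
import base64
import json

# --- constructed sample data (not a real token, not signed) ----------------
def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; restores the padding JWT segments omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


# Constructed claim set shaped like a Keycloak ID token with a "username"
# mapper; the values are placeholders, not real identities.
SAMPLE_CLAIMS = {
    "iss": "https://keycloak.example.org/realms/community",
    "sub": "3f9c0d2e-placeholder",
    "preferred_username": "wario",
    "username": "wario",
    "email": "wario@example.org",
}

# header.payload.signature; the signature segment is a placeholder string.
SAMPLE_TOKEN = ".".join(
    [
        b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
        b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
        "placeholder-signature",
    ]
)

# Constructed stand-in for the result of: SELECT uid FROM oc_accounts;
EXISTING_UIDS = {"wario", "alice", "Bob"}


# --- diagnostic logic -------------------------------------------------------
def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    Only for inspecting a captured token; never use this to accept a login.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def check_mapping(token: str, claim: str, existing_uids: set) -> dict:
    """Check whether `claim` is in the token and matches an existing uid.

    The report distinguishes three failure modes seen when migrating backends:
    the claim is missing entirely, it is present but no uid matches, or it
    matches only case-insensitively (uid comparison in the database is exact).
    """
    claims = decode_claims(token)
    value = claims.get(claim)
    report = {
        "claim": claim,
        "present": value is not None,
        "value": value,
        "matches_existing": False,
        "matches_case_insensitive": False,
        "available_claims": sorted(claims),
    }
    if value is None:
        return report
    report["matches_existing"] = value in existing_uids
    lowered = {u.lower() for u in existing_uids}
    report["matches_case_insensitive"] = str(value).lower() in lowered
    return report


if __name__ == "__main__":
    for claim in ("username", "preferred_username", "sub"):
        print(json.dumps(check_mapping(SAMPLE_TOKEN, claim, EXISTING_UIDS)))
```

Run it once per candidate claim: a report with `present: false` means the Keycloak mapper is not actually emitting the claim into the ID token, while `present: true` together with `matches_existing: false` means the token is fine but the value differs from what the SAML backend stored (often only by case or by a domain suffix), which is what a provisioning step would need to reconcile.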