Problem description
I'm trying to set up SSO with nextcloud (13.0.4) and keycloak (4.0.0.Final) (as SSO/SAML IDP and user management solution) as described at SSO with SAML, Keycloak and Nextcloud.
However, when trying to log in to nextcloud with the SSO test user configured in keycloak, nextcloud complains with the following error:
OneLogin_Saml2_ValidationError: Found an Attribute element with duplicated Name
/var/www/html/nextcloud/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/lib/Saml2/Auth.php - line 177: OneLogin_Saml2_Response->getAttributes()
/var/www/html/nextcloud/custom_apps/user_saml/lib/Controller/SAMLController.php - line 219: OneLogin_Saml2_Auth->processResponse('ONELOGIN_1111a8...')
[internal function] OCA\User_SAML\Controller\SAMLController->assertionConsumerService()
/var/www/html/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 161: call_user_func_array(Array, Array)
/var/www/html/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 91: OC\AppFramework\Http\Dispatcher->executeController(Object(OCA\User_SAML\Controller\SAMLController), 'assertionConsum...')
/var/www/html/nextcloud/lib/private/AppFramework/App.php - line 115: OC\AppFramework\Http\Dispatcher->dispatch(Object(OCA\User_SAML\Controller\SAMLController), 'assertionConsum...')
/var/www/html/nextcloud/lib/private/AppFramework/Routing/RouteActionHandler.php - line 47: OC\AppFramework\App main('OCA\\User_SAML\\C...', 'assertionConsum...', Object(OC\AppFramework\DependencyInjection\DIContainer), Array)
[internal function] OC\AppFramework\Routing\RouteActionHandler->__invoke(Array)
/var/www/html/nextcloud/lib/private/Route/Router.php - line 297: call_user_func(Object(OC\AppFramework\Routing\RouteActionHandler), Array)
/var/www/html/nextcloud/lib/base.php - line 999: OC\Route\Router->match('/apps/user_saml...')
/var/www/html/nextcloud/index.php - line 42: OC handleRequest()
{main}
I wonder if there is a way to avoid/filter duplicate attribute names in keycloak to circumvent the problem?
I've set up a test docker-compose.yml to show the problem (localhost only, without https, i.e. for testing only).
# Use only for testing the BASE_PATH feature
# An unencrypted nextcloud will be accessible at
# http://localhost/${BASE_PATH}
version: '3.3'
services:
  app:
    image: aanno/nextcloud:13.0.4-apache
    ports:
      - 8081:80
    container_name: nextcloud-docker-apache
    volumes:
      # Attention: Adapt this to your BASE_PATH
      # - ./apps:/var/www/html/nextcloud/custom_apps
      # - ./config:/var/www/html/nextcloud/config
      - ./data:/var/www/html/nextcloud/data
    environment:
      - BASE_PATH=/nextcloud
    networks:
      - bridge
  keycloak_container:
    image: jboss/keycloak
    container_name: keycloak-server
    ports:
      - 8080:8080
    environment:
      - PROXY_ADDRESS_FORWARDING=true
      # defaults to:
      # -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m
      # -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
      #- JAVA_OPTS=-Xmx512m
      - DB_VENDOR=h2
      - KEYCLOAK_USER=admin
      - KEYCLOAK_PASSWORD=admin1234
    networks:
      - bridge
networks:
  bridge:
    external:
      name: app
Keycloak will be at http://localhost:8080 and nextcloud at http://localhost:8081/nextcloud . This file can also be found at https://github.com/aanno/nextcloud-docker/blob/tp/set-base-url-2/13.0/apache/test/docker-compose.yml . There you can also find details about the docker image (it is based on the official nextcloud/docker image for 13.0-apache).
Answer
Because I also posted this as a bug at https://github.com/nextcloud/user_saml/issues/222 , I now know the solution: you have to activate the 'Single Role Attribute' switch.
In keycloak 4.0.0.Final the option is a bit hidden under: (Realm) -> Client Scopes -> role_list (saml) -> Mappers tab -> role list -> 'Single Role Attribute'.
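The following is an added example, not code from the question, the answer, or the user_saml / php-saml projects. It shows what the two mapper settings change on the wire and why one of them trips php-saml's check. With 'Single Role Attribute' off, Keycloak's role list mapper emits one saml:Attribute element per role, all with the same Name; with it on, it emits a single saml:Attribute whose roles are separate AttributeValue children. php-saml's getAttributes() rejects the first shape with the exact error from the stack trace above. The two AttributeStatement fragments below are constructed for this example (the role names uma_authorization and offline_access are Keycloak's default realm roles, the email value is made up); the check re-implements the duplicate-Name rule in Python so you can run it offline against a decoded SAMLResponse before changing the mapper.

```python
"""Detect duplicated Attribute Names in a SAML 2.0 AttributeStatement.

Re-implements, in Python, the check that php-saml's
OneLogin_Saml2_Response::getAttributes() applies: two <saml:Attribute>
elements sharing the same Name are rejected. Use it on a base64-decoded
SAMLResponse to see which attribute (usually "Role") is duplicated.
"""
import xml.etree.ElementTree as ET
from collections import Counter

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample: the shape Keycloak emits with 'Single Role Attribute' OFF.
# Every role becomes its own <Attribute Name="Role"> element.
MULTI_ATTRIBUTE_STATEMENT = f"""
<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="Role">
    <saml:AttributeValue>uma_authorization</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Role">
    <saml:AttributeValue>offline_access</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="email">
    <saml:AttributeValue>test@example.org</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

# Constructed sample: the shape Keycloak emits with 'Single Role Attribute' ON.
# One <Attribute Name="Role"> carries all roles as AttributeValue children.
SINGLE_ATTRIBUTE_STATEMENT = f"""
<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="Role">
    <saml:AttributeValue>uma_authorization</saml:AttributeValue>
    <saml:AttributeValue>offline_access</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="email">
    <saml:AttributeValue>test@example.org</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


class DuplicateAttributeName(ValueError):
    """Raised for the condition php-saml reports as
    'Found an Attribute element with duplicated Name'."""


def _attribute_elements(xml_text):
    """Return all <saml:Attribute> elements, whether the input is a bare
    AttributeStatement or a whole Assertion/Response containing one or more."""
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{SAML_NS}}}AttributeStatement":
        statements = [root]
    else:
        statements = root.findall(".//saml:AttributeStatement", NS)
    attrs = []
    for statement in statements:
        attrs.extend(statement.findall("saml:Attribute", NS))
    return attrs


def duplicated_names(xml_text):
    """Names that occur on more than one Attribute element, sorted.
    Empty list means php-saml would accept the statement."""
    counts = Counter(a.get("Name") for a in _attribute_elements(xml_text))
    return sorted(name for name, n in counts.items() if n > 1)


def get_attributes(xml_text):
    """Map attribute Name -> list of AttributeValue texts, applying the same
    duplicate-Name rule as php-saml so the caller sees the SP's behaviour."""
    attributes = {}
    for attr in _attribute_elements(xml_text):
        name = attr.get("Name")
        if name is None:
            raise ValueError("Attribute element without a Name")
        if name in attributes:
            raise DuplicateAttributeName(
                f"Found an Attribute element with duplicated Name: {name}")
        attributes[name] = [(v.text or "").strip()
                            for v in attr.findall("saml:AttributeValue", NS)]
    return attributes


if __name__ == "__main__":
    for label, xml_text in (("single role attribute OFF", MULTI_ATTRIBUTE_STATEMENT),
                            ("single role attribute ON", SINGLE_ATTRIBUTE_STATEMENT)):
        dups = duplicated_names(xml_text)
        print(f"{label}: duplicated Names = {dups or 'none'}")
```

To apply this to a real login, take the SAMLResponse form parameter from the POST to /apps/user_saml/saml/acs, base64-decode it, and pass the XML to duplicated_names(); a non-empty result names the mapper to switch to 'Single Role Attribute' (or to remove from the client scope if nextcloud does not need roles at all). Changing the mapper only alters how roles are encoded, not which roles are asserted, so the assertion's signature and audience checks are unaffected.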