User Tools

Site Tools


Keycloak as (SAML) SSO-Authentication provider for Nextcloud

We can use Keycloak as SSO (Single Sign On) authentication provider for nextcloud using SAML. Unfortunately the SAML plugin for nextcloud doesn't support groups (yet?). If you need/want to use them, you can get them over LDAP. Therefor you want to use LDAP federation in Keycloak and before setting up the SAML authentication, set up the LDAP connection in Nextcloud. Newer Versions of the SAML plugin are able to get the groups from Keycloak and also to restrict by them. Unfortunately they aren't able to get first and last name from keycloak, but expect the Full Name (Displayname) to be provided. Which keycloak in the newer versions doesn't provide in an easy way (You need to upload your own SPI).

Before anything else you should have a working Keycloak installation ;-) : Install Keycloak as Docker Container with Apache Web Server as Reverse Proxy and a local PostgreSQL

Nextcloud configuration

Before you configure nextcloud, create a self signed x.509 certificate, you'll need it in the next step. The cn and other details you enter for it, don't really matter. That certificate will be used by nextcloud to sign its request and proof to keycloak that it is allowed to authenticate against it.

openssl req  -nodes -new -x509  -keyout private.key -out public.cert

Then in Nextcloud, install and activated the plugin user_saml. Go to the Admin section SSO & SAML authentication and setup a new SAML connection with following settings. Some of the settings are hidden and you need to click first Hide/Show … Setting:

Attribute to map the UID to username
Only allow authentication if acount exists … Enable it if you want LDAP for group permission, otherwise disable it
X.509 Certificate of Service provider This one is kinda difficult to discover. Behind “Service Provider data” click “Hide Service Provider settings …”. Copy here the content from the above generated public.cert with or without the “–begin …” and “–end …” lines. Alternatively you can also leave that empty, do all the other steps, activate in keycloak Client Signature Required, save and then copy the private and public key from the tab SAML keys to nextcloud. But I think the way described here is more straight forward, and you won't need to change any special settings in Keycloak like that.
Private Key of service provider Copy here the content from privat.key
Identifier of IdP entity{realm-name} replace {realm-name} with your realm name
URL target of the IdP …{realm-name}/protocol/saml
URL location of the IdP for SLO{realm-name}/protocol/saml
Public x.509 certificate of the IdP Copy here the public certificate of keycloak which you can find in realm settings/keys/rs256/certificate
Attribute to map the email to email
Attribute to map the User groups to Roleif you want to get the roles from keycloak. if you want to get the groups, use member, otherwise leave empty
Indicates whether the <samlp:AuthnRequest> messages sent by this SP will be signed. enabled
Indicates whether the <samlp:logoutRequest> messages sent by this SP will be signed. enabled
Indicates whether the <samlp:logoutResponse> messages sent by this SP will be signed. enabled
Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and <samlp:LogoutResponse> elements received by this SP to be signed. enabled
Indicates a requirement for the <saml:Assertion> elements received by this SP to be signed. enabled

You could do the whole thing, also without the certificates, and without requiring the the SP or the IdP to sign their requests and responses, but without doing that, neither the IdP nor the SP are sure it the other one, is really the one he pretends to be. I'm not a SAML specialist, and I'm definitely not planing to become one, so I'm not completely sure, which parts should be signed, and which ones aren't important. So we just sign everything we can ;-) . Since we believe in HTTPS encryption, I didn't activate any of the encryption options.

Then click an Download metadata XML and save the file, you'll need it for Keycloak.

Keycloak configuration

In keycloak go to clients and choose “Import Client”. Upload the previously downladed medata.xml and click ok.

Then go to the Client scopes tab and delete the roles_list scope. It won't work since it is not configured as <b>Single Role Attribute</b> it will lead a <b>Duplicated Attribute Error</b> in Nextcloud.

Now below Assigned client scope click on the URL <nextcloud-url>/index.php/apps/user_saml/saml/metadata-dedicated (a bold UI Design decision… only took me hours to find that. Hopefully that will be changed in Keycloak > 21).

Then create multiple new mappers: add Mapper/by configuration/User Property:

name username
property username
SAML attribute name username
SAML attribute name format basic
name email
property email
SAML attribute name email
SAML attribute name format basic

If you want to map the roles or groups to nextcloud add a Role list respectively Group list mapper (instead of User property).

name role list

Role attribute name
SAML attribute name format basic

Single Role Attribute

So now everything should be working. Try to log in. If it doesn't work check out the nextcloud log file and the keycloak log.


Paul Jaros, 2018/02/02 22:01

I'm the author of the question and answer of

I published my example on how to connect Keycloak and Nextcloud to help others to do the same and also to be able to improve my solution.

Right now I'm on vacation so I can't really work on improving it right now. Apparently there is mistake in my answer which needs to improve. I didn't really copy the private-key but the public-key from Keycloak. to the Nextcloud SSO & SAML private-key field. Still something is amis and need correction. But I won't be able to correct it until monday or later.

Ronney, 2018/02/05 10:45

Unfortunately stack overvflow didn't allow me to comment on your answer because I don't have enough reputation…
Just so you acn make the necesary corrections:

X.509 Certificate: Enter —–BEGIN CERTIFICATE—– add a newline, copy the RSA-Certifacte-key from my-realm, add a newline and add —–END CERTIFICATE—–
Private Key of the Service Provider: —–BEGIN PRIVATE KEY—–, add a newline, copy the RSA private key from my-realm —–END PRIVATE KEY—–

Is wrong, there you copy the private key from keycloak.

What you actually want to do is create a new private/public key pair. You can do that, either by using openssl (see above), or let keycloak create a key pair just for that client (see comment above for “X.509 Certificate of Service provider ”).

additionaly for nextcloud to sign the requests, and to verify the signature of the responses you need to activate the corresponding options. (you actually deactivate the signing in keycloak) and you should activate the “Client Signature Required” in keycloak. This will be done automatically if you configure nextcloud correctly before exporting the metadata.xml file.
So nextcloud knows the public certificate of you need to copy it to “Public x.509 certificate of the IdP” see above.

Paul Jaros, 2018/02/06 12:46

I've corrected my setup and integrated your suggestions. I've tested and everything seems to ok.

Thank you for that :)

gert silkens, 2018/08/01 20:50

Unfortunately, nextcloud log says user not found

Jude Zhu, 2018/08/08 02:27

Great guide!

I follow this guide and it works well!

but I still have two questions

1. how to mapper the full name, current is only using the user id.
2. the pc/mac client not work

for detail, please see:

could you kindly help me with this?

Zeinab Khosravi, 2019/07/01 09:44

Thank you for the instruction. I followed your instruction and it looks ok. But when I try to connect to nextcloud using keycloak user I get the following error: “Account not provisioned.

Your account is not provisioned, access to this service is thus not possible.”

I would appreciate your comment on this if you have any idea.

Ronney Meier, 2019/07/01 19:05

my previous comment is obviously only valid, if you also use ldap. THen you can invalidate the ldap cache somewhere in the ldap settings…

Otherwise it could be that you didn't delete the role mapping as described in the guide. That will also produce that error message…

Ronney Meier, 2019/07/01 18:54

most probably you've got the problem that the ldap cache isn't updated yet.
I've descriped the problem here:

Once I get time I'll update the manual…

Otherwise always take a look at the nextcloud.log file, there's often written more. In the gui you always get “Account not provisioned” doesn't matter what the underlying error is (I've made a bug report about that too ;-))..

Shadi, 2019/08/23 10:46


I know the topic is for one year ago and sorry to bother, but I used your instruction to authenticate my Nexcloud using keycloak. The problem is while some users are able to connect, some will see a blank page after logging in. When trying to login with firefox users receive an error which states the connection is not safe and with Safari and IE it is impossible to login (receiving some server error or https 405 error). Do you have any idea what might cause that?

Thank you in advance

Ronney Meier, 2019/08/24 18:21

* Connection is not safe ⇒ probably you're not using a valid https certificate.
* http 405 error ⇒ method not allowed. You're trying to access a http resource with an not allowed method (get, post, etc.)
In general it sounds like the server is heavily misconfigured.
Check your nextcloud logfiles, the keycloak logfiles and the webserver logfiles for error messages and stuff.
Using the network tab in your browsers development console you should be able to see, which resources the browser tries to access when he gets the 405 error (probably some url misconfiguration).
In firefox open the certificate to see what's the problem with it (connection's not safe).

btw. IE is EOL (End Of life) since quite a while. I wouldn't use that anymore…

Jordan, 2019/09/27 23:44

Thank for this tutorial.

I'm also stuck in keycloak because of an invalid redirect uri error on the login form.

Strange thing, when I swap the “Valid redirects URL” from HTTPS to HTTP, and when I try again to login, a pop-up come, and tell me that “the information you have entered on this page will be sent over an insecure connection”, I can continue, and then I finish on a blank page… to the following url: (I'm using firefox)

Do you have any idea ?

Paul Jaros, 2019/10/02 13:20

Hi Jordan

Go to your “Clients”-Settings and have a look in you App. In the tab “Settings” you will the list of “*Valid Reirect URIs”. The redirect you want to make after entering the credentials will need to match one of those entries.

eric, 2020/06/04 03:29

Hi there,

Thanks for this great guide but I'm facing some issue to make it work

I followed this setup but Keycloak complains 'Unsupported NameIDFormat' when I redirect from nextcloud to keycloak for authentication.

Any suggestions is appreciate.

SKM, 2021/03/09 11:40

Dear All, i am getting below Error when trying to get this authenticated by Keycloak.

Account not provisioned.

Your account is not provisioned, access to this service is thus not possible.

Nextcloud Log:

Fatal user_saml Signature validation failed. SAML Response rejected 2021-03-09T19:36:45+0800

Fatal user_saml invalid_response 2021-03-09T19:36:45+0800

any help please ?

You could leave a comment if you were logged in.
linux_server_manuals/nextcloud_saml_authentication_against_keycloak.txt · Last modified: 2023/06/25 17:24 by admin