Keycloak as (SAML) SSO-Authentication provider for Nextcloud

We can use Keycloak as SSO (Single Sign-On) authentication provider for Nextcloud using SAML. Unfortunately the SAML app for Nextcloud doesn't support groups (yet?). If you need them, you can get them over LDAP: use LDAP user federation in Keycloak and, before setting up the SAML authentication, set up the LDAP connection in Nextcloud, so that both sides see the same user accounts.
Before anything else you should have a working Keycloak installation ;-):
Install Keycloak as Docker Container with Apache Web Server as Reverse Proxy and a local PostgreSQL

Nextcloud configuration

Before you configure Nextcloud, create a self-signed X.509 certificate; you'll need it in the next step. The CN and other details you enter for it don't really matter. This key pair is the Service Provider's signing credential: Nextcloud signs its AuthnRequests and logout messages with the private key, and Keycloak uses the certificate to verify those signatures, i.e. to prove that a request really comes from the registered client. The private key only ever needs to be in Nextcloud; the certificate is what Keycloak gets (via the metadata file exported further down).

# -nodes leaves the key unencrypted (Nextcloud needs the plain PEM); openssl's default validity is only 30 days
openssl req -nodes -new -x509 -newkey rsa:2048 -days 3650 -keyout private.key -out public.cert
chmod 600 private.key

Then install and activate the app user_saml in Nextcloud. Go to the admin section SSO & SAML authentication and set up a new SAML connection with the following settings. Some of the settings are hidden; click the Hide/Show … Setting toggles first.

Setting, value and comment:

Attribute to map the UID to
    username

Only allow authentication if account exists …
    Enable it if you want LDAP for group permissions, otherwise disable it.

X.509 Certificate of Service provider
    Paste the content of the public.cert generated above. Alternatively you can leave it empty, do all the other steps, activate Client Signature Required in the Keycloak client, save, and then copy the private key and certificate from the client's SAML Keys tab into Nextcloud. The way described here is more straightforward: Keycloak never sees the private key, and you don't need to change any special settings in Keycloak.

Private Key of service provider
    Paste the content of private.key.

Identifier of IdP entity
    https://auth.example.com/auth/realms/{realm-name}
    Replace {realm-name} with your realm name. The /auth prefix belongs to the WildFly-based Keycloak used here; Keycloak 17 and later (Quarkus-based) drop it by default, giving https://auth.example.com/realms/{realm-name} in all three URLs.

URL target of the IdP …
    https://auth.example.com/auth/realms/{realm-name}/protocol/saml

URL location of the IdP for SLO
    https://auth.example.com/auth/realms/{realm-name}/protocol/saml

Public x.509 certificate of the IdP
    Paste the realm's signing certificate, found in Keycloak under Realm Settings / Keys / RSA / Certificate. This is the key Nextcloud uses to verify Keycloak's signatures, so if you ever rotate the realm keys you have to update it here too.

Indicates whether the <samlp:AuthnRequest> messages sent by this SP will be signed.
    enabled

Indicates whether the <samlp:logoutRequest> messages sent by this SP will be signed.
    enabled

Indicates whether the <samlp:logoutResponse> messages sent by this SP will be signed.
    enabled

Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and <samlp:LogoutResponse> elements received by this SP to be signed.
    enabled

Indicates a requirement for the <saml:Assertion> elements received by this SP to be signed.
    enabled

You could do the whole thing without the certificates and without requiring the SP or the IdP to sign their messages, but then neither side can check that the other one is really who it claims to be. The check that actually protects the login is in the last two rows: Nextcloud verifying Keycloak's signature on the Response and on the Assertion is what prevents a forged assertion from logging someone in as an arbitrary user. The signatures on Nextcloud's own requests let Keycloak reject requests that don't come from the registered client. I'm not a SAML specialist and not planning to become one, and since signing costs nothing, we simply sign and verify everything we can ;-).

Then click on Download metadata XML and save the file; you'll need it for Keycloak. The file carries the SP's entity ID, its ACS URL, the certificate you pasted and the flags AuthnRequestsSigned and WantAssertionsSigned, so download it only after the settings above are complete: Keycloak's import sets Client Signature Required and the redirect URI from exactly these values.
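Before importing the file it is worth checking what Keycloak will actually read from it. The script below is an added example written for this page, not code from the wiki, from Nextcloud's user_saml app or from Keycloak. It parses the SP metadata and reports the signing flags, the SP certificate, the ACS URL and the NameID format, and flags the mismatches that otherwise only surface as a failed login. The embedded metadata is a constructed sample with the placeholder host cloud.example.com, and the list of NameID formats Keycloak accepts comes from Keycloak's SAML endpoint behaviour, not from this page.

```python
"""Sanity-check the SP metadata XML that Nextcloud's "Download metadata XML"
button produces, before importing it into Keycloak.
Added example for this page; it is not code from the wiki, from Nextcloud's
user_saml app or from Keycloak.  The metadata below is a constructed sample
in the shape user_saml emits; cloud.example.com is a placeholder."""
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# NameID formats Keycloak accepts in an AuthnRequest's NameIDPolicy.  This
# list is taken from Keycloak's SAML endpoint behaviour, not from the wiki page.
KEYCLOAK_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}

# Constructed sample: what the download looks like after the settings table
# above (all signing options enabled, public.cert pasted in).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://cloud.example.com/apps/user_saml/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIC...base64 of public.cert...</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://cloud.example.com/apps/user_saml/saml/sls"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cloud.example.com/apps/user_saml/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_sp_metadata(xml_text):
    """Return the settings Keycloak will take from the file plus a list of
    problems that would otherwise only show up as a failed login later."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return {"problems": ["no SPSSODescriptor element: this is not SP metadata"]}

    entity_id = root.get("entityID", "")
    acs = sp.find("md:AssertionConsumerService", NS)
    acs_url = acs.get("Location", "") if acs is not None else ""
    certs = [
        c.text.strip()
        for c in sp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if c.text and c.text.strip()
    ]
    fmt = sp.find("md:NameIDFormat", NS)
    nameid_format = fmt.text.strip() if fmt is not None and fmt.text else ""
    signs_requests = sp.get("AuthnRequestsSigned") == "true"
    wants_signed = sp.get("WantAssertionsSigned") == "true"

    problems = []
    if not signs_requests:
        problems.append('AuthnRequestsSigned is not "true": Keycloak will import the client with '
                        '"Client Signature Required" off, so nothing proves a request came from this SP')
    if not wants_signed:
        problems.append('WantAssertionsSigned is not "true": the SP does not insist on signed assertions')
    if signs_requests and not certs:
        problems.append("AuthnRequestsSigned is true but the file carries no X509Certificate; "
                        "paste public.cert into the SP certificate field and download again")
    if not acs_url:
        problems.append("no AssertionConsumerService Location")
    else:
        u = urlparse(acs_url)
        if u.scheme != "https":
            problems.append(f"ACS URL is {u.scheme}://; Keycloak imports it as the Valid Redirect URI, and "
                            "if it differs from the ACS URL in the live AuthnRequest you get 'Invalid redirect uri'")
        if entity_id and urlparse(entity_id).netloc != u.netloc:
            problems.append("entityID and ACS URL point at different hosts")
    if nameid_format and nameid_format not in KEYCLOAK_NAMEID_FORMATS:
        problems.append(f"NameIDFormat {nameid_format} is not one Keycloak accepts; "
                        "expect 'Unsupported NameIDFormat' at the IdP")

    return {
        "entity_id": entity_id,
        "acs_url": acs_url,
        "nameid_format": nameid_format,
        "certificates": len(certs),
        "signs_requests": signs_requests,
        "wants_signed_assertions": wants_signed,
        "problems": problems,
    }


if __name__ == "__main__":
    # Usage: python check_sp_metadata.py metadata.xml   (defaults to the built-in sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    for key, value in check_sp_metadata(text).items():
        print(f"{key}: {value}")
```

Run it against the downloaded file; an empty problems list means the import will give you a client with Client Signature Required on, the SP certificate stored, and the https ACS URL as its redirect URI.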

Keycloak configuration

In Keycloak create a new client and choose to import a file. Upload the previously downloaded metadata.xml and save. After the import, check in the client's Settings tab that Client Signature Required is on and that the Valid Redirect URIs (taken from the ACS URL in the file) are the https URL your Nextcloud is actually served on; a mismatch shows up later as "Invalid redirect uri" on the Keycloak login form.

Then go to the Mappers tab. If you don't need the role mapping, just delete it. If you want to map roles, edit that mapper and activate Single Role Attribute, otherwise Keycloak puts one Role attribute per role into the assertion and Nextcloud rejects the response with a duplicated attribute error. Unfortunately, for the time being, Nextcloud doesn't support any role or group mappings, but maybe in the future…

Then create a new mapper with these settings:

Name: username
Mapper Type: User Property
Property: username
SAML Attribute Name: username
SAML Attribute NameFormat: Basic

This is the attribute the Nextcloud setting "Attribute to map the UID to" refers to: the value of the username attribute in the assertion becomes the Nextcloud user id.
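To see why Single Role Attribute matters and what the username mapper delivers, here is an added example written for this page (not code from the wiki, from Keycloak or from user_saml). It parses the attribute statement of two constructed, unsigned responses the way user_saml's bundled php-saml library does: one Attribute element per role is rejected as a duplicated attribute, one Attribute with several values is accepted, and the first value of the username attribute becomes the Nextcloud user id. The realm and host names are the placeholders used above; signatures, conditions and timestamps are left out because only the attribute handling is of interest here.

```python
"""Parse the AttributeStatement of a SAML response the way Nextcloud's
user_saml app does (it bundles onelogin/php-saml, which refuses a response
that carries two Attribute elements with the same Name).
Added example for this page, not code from the wiki, Keycloak or user_saml.
The responses are constructed; signatures, conditions and timestamps are
left out because only the attribute handling is of interest here."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def build_response(attribute_xml):
    """Wrap extra Attribute elements in a minimal, unsigned Response for the
    user alice.  Realm and host names are the placeholders from the page."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Version="2.0" Destination="https://cloud.example.com/apps/user_saml/saml/acs">
  <saml:Issuer>https://auth.example.com/auth/realms/example</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion Version="2.0">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>alice</saml:AttributeValue>
      </saml:Attribute>
{attribute_xml}
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


# Keycloak's default "role list" mapper with Single Role Attribute OFF:
# one <Attribute Name="Role"> per role.
RESPONSE_ONE_ATTRIBUTE_PER_ROLE = build_response("""\
      <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>admin</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>users</saml:AttributeValue>
      </saml:Attribute>""")

# Same user with Single Role Attribute ON: one Attribute, several values.
RESPONSE_SINGLE_ROLE_ATTRIBUTE = build_response("""\
      <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>admin</saml:AttributeValue>
        <saml:AttributeValue>users</saml:AttributeValue>
      </saml:Attribute>""")


class DuplicatedAttributeError(ValueError):
    """Mirrors php-saml's rejection of a repeated Attribute Name."""


def get_attributes(response_xml):
    """Map attribute Name -> list of values, rejecting duplicated Names."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        raise ValueError("response status is not Success")
    attributes = {}
    for attribute in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attribute.get("Name")
        if name in attributes:
            raise DuplicatedAttributeError(f"Found an Attribute element with duplicated Name: {name}")
        attributes[name] = [v.text or "" for v in attribute.findall("saml:AttributeValue", NS)]
    return attributes


def resolve_uid(response_xml, uid_attribute="username"):
    """What the Nextcloud setting "Attribute to map the UID to" does: the first
    value of that attribute becomes the Nextcloud user id; None if absent."""
    values = get_attributes(response_xml).get(uid_attribute, [])
    return values[0] if values else None


if __name__ == "__main__":
    print("single role attribute:", get_attributes(RESPONSE_SINGLE_ROLE_ATTRIBUTE),
          "-> uid", resolve_uid(RESPONSE_SINGLE_ROLE_ATTRIBUTE))
    try:
        get_attributes(RESPONSE_ONE_ATTRIBUTE_PER_ROLE)
    except DuplicatedAttributeError as err:
        print("one attribute per role:", err)
```

The second case is what Nextcloud sees when the default role mapper is left untouched; the first is what it sees after enabling Single Role Attribute, and resolve_uid with an attribute name that is not in the assertion returns None, which is the situation behind a generic login failure in the Nextcloud UI.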

So now everything should be working.
Try to log in. If it doesn't work, check the Nextcloud log file (nextcloud.log in the data directory) and the Keycloak log; the Nextcloud web UI shows the same generic error whatever the underlying cause, so the log is where the real reason is.
If you've installed Keycloak as a Docker container you can read its log like this (keycloak being the container name from the guide linked above):

docker logs keycloak

Discussion

Paul Jaros, 2018/02/02 23:01

I'm the author of the question and answer of https://stackoverflow.com/q/48400812/406423

I published my example on how to connect Keycloak and Nextcloud to help others to do the same and also to be able to improve my solution.

Right now I'm on vacation so I can't really work on improving it right now. Apparently there is a mistake in my answer which needs to be improved. I didn't really copy the private key but the public key from Keycloak to the Nextcloud SSO & SAML private-key field. Still something is amiss and needs correction. But I won't be able to correct it until Monday or later.

Ronney, 2018/02/05 11:45

Unfortunately Stack Overflow didn't allow me to comment on your answer because I don't have enough reputation…
Just so you can make the necessary corrections:

X.509 Certificate: Enter -----BEGIN CERTIFICATE-----, add a newline, copy the RSA certificate key from my-realm, add a newline and add -----END CERTIFICATE-----
Private Key of the Service Provider: -----BEGIN PRIVATE KEY-----, add a newline, copy the RSA private key from my-realm, -----END PRIVATE KEY-----

is wrong, there you copy the private key from Keycloak.

What you actually want to do is create a new private/public key pair. You can do that either by using openssl (see above), or let Keycloak create a key pair just for that client (see the comment above for “X.509 Certificate of Service provider”).

Additionally, for Nextcloud to sign the requests and to verify the signature of the responses, you need to activate the corresponding options (you actually deactivate the signing in Keycloak) and you should activate “Client Signature Required” in Keycloak. This will be done automatically if you configure Nextcloud correctly before exporting the metadata.xml file.
So that Nextcloud knows the public certificate of Keycloak, you need to copy it to “Public x.509 certificate of the IdP”, see above.

Paul Jaros, 2018/02/06 13:46

I've corrected my setup and integrated your suggestions. I've tested and everything seems to be ok.

Thank you for that :)

gert silkens, 2018/08/01 22:50

Unfortunately, nextcloud log says user not found

Jude Zhu, 2018/08/08 04:27

Great guide!

I follow this guide and it works well!

but I still have two questions

1. how to map the full name, currently it is only using the user id.
2. the PC/Mac client does not work

for detail, please see:

https://help.nextcloud.com/t/saml-desktop-app-errors/30838

could you kindly help me with this?

Zeinab Khosravi, 2019/07/01 11:44

Hello,
Thank you for the instruction. I followed your instruction and it looks ok. But when I try to connect to nextcloud using keycloak user I get the following error: “Account not provisioned.

Your account is not provisioned, access to this service is thus not possible.”

I would appreciate your comment on this if you have any idea.

Ronney Meier, 2019/07/01 21:05

my previous comment is obviously only valid if you also use LDAP. Then you can invalidate the LDAP cache somewhere in the LDAP settings…

Otherwise it could be that you didn't delete the role mapping as described in the guide. That will also produce that error message…

Ronney Meier, 2019/07/01 20:54

most probably you've got the problem that the LDAP cache isn't updated yet.
I've described the problem here:
https://github.com/nextcloud/user_saml/issues/213

Once I get time I'll update the manual…

Otherwise always take a look at the nextcloud.log file, there's often more written there. In the GUI you always get “Account not provisioned”, no matter what the underlying error is (I've made a bug report about that too ;-)).

Shadi, 2019/08/23 12:46

Hello,

I know the topic is from one year ago and sorry to bother, but I used your instructions to authenticate my Nextcloud using Keycloak. The problem is that while some users are able to connect, some will see a blank page after logging in. When trying to log in with Firefox, users receive an error which states the connection is not safe, and with Safari and IE it is impossible to log in (receiving some server error or HTTP 405 error). Do you have any idea what might cause that?

Thank you in advance

Ronney Meier, 2019/08/24 20:21

* Connection is not safe ⇒ probably you're not using a valid https certificate.
* HTTP 405 error ⇒ method not allowed. You're trying to access an HTTP resource with a not allowed method (GET, POST, etc.).
In general it sounds like the server is heavily misconfigured.
Check your Nextcloud log files, the Keycloak log files and the web server log files for error messages and the like.
Using the network tab in your browser's development console you should be able to see which resources the browser tries to access when it gets the 405 error (probably some URL misconfiguration).
In Firefox open the certificate to see what's the problem with it (connection's not safe).

btw. IE is EOL (End Of life) since quite a while. I wouldn't use that anymore…

Jordan, 2019/09/28 01:44

Hi,
Thank for this tutorial.

I'm also stuck in Keycloak because of an invalid redirect URI error on the login form.

Strange thing, when I swap the “Valid redirect URLs” from HTTPS to HTTP, and when I try again to log in, a pop-up comes and tells me that “the information you have entered on this page will be sent over an insecure connection”, I can continue, and then I finish on a blank page… at the following URL: https://my.domain.ovh/apps/user_saml/saml/acs (I'm using Firefox)

Do you have any idea ?
Thanks

Paul Jaros, 2019/10/02 15:20

Hi Jordan

Go to your “Clients” settings and have a look at your app. In the tab “Settings” you will see the list of “Valid Redirect URIs”. The redirect you want to make after entering the credentials will need to match one of those entries.

https://www.keycloak.org/docs/6.0/server_admin/#oidc-clients

eric, 2020/06/04 05:29

Hi there,

Thanks for this great guide but I'm facing some issue to make it work

I followed this setup but Keycloak complains 'Unsupported NameIDFormat' when I redirect from Nextcloud to Keycloak for authentication.

Any suggestions are appreciated.

linux_server_manuals/nextcloud_saml_authentication_against_keycloak.txt · Last modified: 2018/02/05 12:42 by admin