
Keycloak as (SAML) SSO-Authentication provider for Nextcloud

We can use Keycloak as SSO (Single Sign-On) authentication provider for Nextcloud using SAML. Unfortunately the SAML plugin for Nextcloud doesn't support groups (yet?). If you need or want to use them, you can get them over LDAP. Therefore you want to use LDAP federation in Keycloak and, before setting up the SAML authentication, set up the LDAP connection in Nextcloud. Newer versions of the SAML plugin are able to get the groups from Keycloak and also to restrict access by them. Unfortunately they aren't able to get first and last name from Keycloak, but expect the full name (display name) to be provided, which Keycloak in the newer versions doesn't provide in an easy way (you need to upload your own SPI).

Before anything else you should have a working Keycloak installation ;-) : Install Keycloak as Docker Container with Apache Web Server as Reverse Proxy and a local PostgreSQL

Nextcloud configuration

Before you configure Nextcloud, create a self-signed X.509 certificate; you'll need it in the next step. The CN and other details you enter for it don't really matter. That certificate will be used by Nextcloud to sign its requests and to prove to Keycloak that it is allowed to authenticate against it.

openssl req  -nodes -new -x509  -keyout private.key -out public.cert

Then in Nextcloud, install and activate the plugin user_saml. Go to the admin section SSO & SAML authentication and set up a new SAML connection with the following settings. Some of the settings are hidden and you first need to click Hide/Show … Settings:

Setting | Value | Comment
Attribute to map the UID to | username |
Only allow authentication if account exists … | | Enable it if you want LDAP for group permissions, otherwise disable it
X.509 Certificate of Service provider | content of public.cert | This one is kinda difficult to discover. Behind “Service Provider data” click “Hide Service Provider settings …”. Copy here the content of the above generated public.cert, with or without the “-----BEGIN …” and “-----END …” lines. Alternatively you can also leave that empty, do all the other steps, activate Client Signature Required in Keycloak, save, and then copy the private and public key from the tab SAML keys to Nextcloud. But I think the way described here is more straightforward, and you won't need to change any special settings in Keycloak like that.
Private Key of service provider | content of private.key |
Identifier of IdP entity | https://auth.example.com/realms/{realm-name} | replace {realm-name} with your realm name
URL target of the IdP … | https://auth.example.com/realms/{realm-name}/protocol/saml |
URL location of the IdP for SLO | https://auth.example.com/realms/{realm-name}/protocol/saml |
Public x.509 certificate of the IdP | public certificate of Keycloak | you can find it in Realm settings / Keys / RS256 / Certificate
Attribute to map the email to | email |
Attribute to map the User groups to | Role | if you want to get the roles from Keycloak; use member if you want to get the groups; otherwise leave empty
Indicates whether the <samlp:AuthnRequest> messages sent by this SP will be signed. | enabled |
Indicates whether the <samlp:logoutRequest> messages sent by this SP will be signed. | enabled |
Indicates whether the <samlp:logoutResponse> messages sent by this SP will be signed. | enabled |
Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and <samlp:LogoutResponse> elements received by this SP to be signed. | enabled |
Indicates a requirement for the <saml:Assertion> elements received by this SP to be signed. | enabled |

You could do the whole thing also without the certificates, and without requiring the SP or the IdP to sign their requests and responses, but then neither the IdP nor the SP can be sure that the other one really is who it claims to be. I'm not a SAML specialist, and I'm definitely not planning to become one, so I'm not completely sure which parts should be signed and which ones aren't important. So we just sign everything we can ;-) . Since we believe in HTTPS encryption, I didn't activate any of the encryption options.

Then click on Download metadata XML and save the file; you'll need it for Keycloak.
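Before importing the downloaded file into Keycloak it is worth checking that it actually carries the signing flags and the public.cert from the settings above; that is what lets Keycloak verify Nextcloud's signed requests. The following check is an added example and not part of the original page or of user_saml; the host name, paths and certificate text in the sample metadata are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample in the shape of the user_saml "Download metadata XML"
# output. Host name, paths and the certificate text are placeholders.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://cloud.example.com/index.php/apps/user_saml/saml/metadata-dedicated">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIBPLACEHOLDERCERT</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cloud.example.com/index.php/apps/user_saml/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

CERT_PATH = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"

def check_sp_metadata(xml_text):
    """Return entityID, ACS URLs, signing certs and a list of problems (empty = ok)."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return {"problems": ["no SPSSODescriptor element"]}
    problems = []
    # The signing checkboxes set in Nextcloud end up as these two attributes.
    if sp.get("AuthnRequestsSigned") != "true":
        problems.append("AuthnRequestsSigned is not true")
    if sp.get("WantAssertionsSigned") != "true":
        problems.append("WantAssertionsSigned is not true")
    # Without a signing certificate Keycloak has nothing to verify SP signatures with.
    certs = [c.text.strip() for c in sp.findall(CERT_PATH, NS) if c.text]
    if not certs:
        problems.append("no signing certificate (public.cert) in metadata")
    acs = [a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)]
    return {"entity_id": root.get("entityID"), "acs_urls": acs,
            "signing_certs": certs, "problems": problems}
```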

Keycloak configuration

In Keycloak go to Clients and choose “Import Client”. Upload the previously downloaded metadata.xml and click OK.

Then go to the Client scopes tab and delete the roles_list scope. It won't work, since it is not configured as Single Role Attribute; it would lead to a Duplicated Attribute Error in Nextcloud.

Now below Assigned client scope click on the URL <nextcloud-url>/index.php/apps/user_saml/saml/metadata-dedicated (a bold UI design decision… it only took me hours to find that. Hopefully that will be changed in Keycloak > 21).

Then create multiple new mappers: add Mapper/by configuration/User Property:

Setting | Value
name | username
property | username
SAML attribute name | username
SAML attribute name format | basic

Setting | Value
name | email
property | email
SAML attribute name | email
SAML attribute name format | basic

If you want to map the roles or groups to Nextcloud, add a Role list or Group list mapper respectively (instead of User property).

Setting | Value
name | role list
Role attribute name | Role
SAML attribute name format | basic
Single Role Attribute | on
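To see why the Single Role Attribute switch matters, the following added example (not part of the original page or of Keycloak) parses two constructed assertion fragments: one where each role arrives as its own <saml:Attribute Name="Role"> element, as a role mapper without Single Role Attribute produces, and one where all roles are values of a single attribute. A consumer that rejects duplicated attribute names, like the Duplicated Attribute Error described above, only accepts the second form.

```python
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample fragments (not real Keycloak output).
# Single Role Attribute off: one Attribute element per role.
ROLES_SPLIT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="username"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Role"><saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

# Single Role Attribute on: all roles are values of one Attribute element.
ROLES_SINGLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="username"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Role">
    <saml:AttributeValue>admin</saml:AttributeValue>
    <saml:AttributeValue>staff</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

def duplicated_attribute_names(xml_text):
    """Attribute names that occur more than once in the AttributeStatement."""
    root = ET.fromstring(xml_text)
    names = [a.get("Name") for a in root.findall("saml:Attribute", SAML)]
    return sorted({n for n in names if names.count(n) > 1})

def collect_attributes(xml_text):
    """Map attribute name -> list of values; a strict consumer rejects duplicates."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall("saml:Attribute", SAML):
        name = attr.get("Name")
        if name in attrs:
            raise ValueError(f"duplicated attribute: {name}")
        attrs[name] = [v.text for v in attr.findall("saml:AttributeValue", SAML)]
    return attrs
```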

So now everything should be working. Try to log in. If it doesn't work, check the Nextcloud log file and the Keycloak log.

Discussion

Paul Jaros, 2018/02/02 22:01

I'm the author of the question and answer of https://stackoverflow.com/q/48400812/406423

I published my example on how to connect Keycloak and Nextcloud to help others to do the same and also to be able to improve my solution.

Right now I'm on vacation so I can't really work on improving it right now. Apparently there is a mistake in my answer which needs to be improved. I didn't really copy the private key but the public key from Keycloak to the Nextcloud SSO & SAML private-key field. Still something is amiss and needs correction. But I won't be able to correct it until Monday or later.

Ronney, 2018/02/05 10:45

Unfortunately Stack Overflow didn't allow me to comment on your answer because I don't have enough reputation…
Just so you can make the necessary corrections:

X.509 Certificate: Enter -----BEGIN CERTIFICATE-----, add a newline, copy the RSA certificate key from my-realm, add a newline and add -----END CERTIFICATE-----
Private Key of the Service Provider: -----BEGIN PRIVATE KEY-----, add a newline, copy the RSA private key from my-realm, -----END PRIVATE KEY-----

is wrong; there you copy the private key from Keycloak.

What you actually want to do is create a new private/public key pair. You can do that either by using openssl (see above), or by letting Keycloak create a key pair just for that client (see the comment above for “X.509 Certificate of Service provider”).

Additionally, for Nextcloud to sign the requests and to verify the signature of the responses, you need to activate the corresponding options (you actually deactivate the signing in Keycloak), and you should activate “Client Signature Required” in Keycloak. This will be done automatically if you configure Nextcloud correctly before exporting the metadata.xml file.
So that Nextcloud knows the public certificate of Keycloak, you need to copy it to “Public x.509 certificate of the IdP”, see above.

Paul Jaros, 2018/02/06 12:46

I've corrected my setup and integrated your suggestions. I've tested and everything seems to be ok.

Thank you for that :)

gert silkens, 2018/08/01 20:50

Unfortunately, nextcloud log says user not found

Jude Zhu, 2018/08/08 02:27

Great guide!

I follow this guide and it works well!

but I still have two questions

1. how to map the full name; currently it is only using the user id.
2. the PC/Mac client does not work

for detail, please see:

https://help.nextcloud.com/t/saml-desktop-app-errors/30838

could you kindly help me with this?

Zeinab Khosravi, 2019/07/01 09:44

Hello,
Thank you for the instruction. I followed your instruction and it looks ok. But when I try to connect to nextcloud using keycloak user I get the following error: “Account not provisioned.

Your account is not provisioned, access to this service is thus not possible.”

I would appreciate your comment on this if you have any idea.

Ronney Meier, 2019/07/01 19:05

My previous comment is obviously only valid if you also use LDAP. Then you can invalidate the LDAP cache somewhere in the LDAP settings…

Otherwise it could be that you didn't delete the role mapping as described in the guide. That will also produce that error message…

Ronney Meier, 2019/07/01 18:54

Most probably you've got the problem that the LDAP cache isn't updated yet.
I've described the problem here:
https://github.com/nextcloud/user_saml/issues/213

Once I get time I'll update the manual…

Otherwise always take a look at the nextcloud.log file; there's often more written there. In the GUI you always get “Account not provisioned”, no matter what the underlying error is (I've made a bug report about that too ;-)).

Shadi, 2019/08/23 10:46

Hello,

I know the topic is from one year ago and sorry to bother, but I used your instructions to authenticate my Nextcloud using Keycloak. The problem is that while some users are able to connect, some will see a blank page after logging in. When trying to log in with Firefox, users receive an error which states the connection is not safe, and with Safari and IE it is impossible to log in (receiving some server error or HTTP 405 error). Do you have any idea what might cause that?

Thank you in advance

Ronney Meier, 2019/08/24 18:21

* Connection is not safe ⇒ probably you're not using a valid HTTPS certificate.
* HTTP 405 error ⇒ method not allowed. You're trying to access an HTTP resource with a method that is not allowed (GET, POST, etc.)
In general it sounds like the server is heavily misconfigured.
Check your Nextcloud logfiles, the Keycloak logfiles and the webserver logfiles for error messages and stuff.
Using the network tab in your browser's development console you should be able to see which resources the browser tries to access when it gets the 405 error (probably some URL misconfiguration).
In Firefox open the certificate to see what the problem with it is (connection's not safe).

btw. IE is EOL (End Of life) since quite a while. I wouldn't use that anymore…

Jordan, 2019/09/27 23:44

Hi,
Thank for this tutorial.

I'm also stuck in keycloak because of an invalid redirect uri error on the login form.

Strange thing: when I swap the “Valid redirect URIs” from HTTPS to HTTP and try again to log in, a pop-up comes and tells me that “the information you have entered on this page will be sent over an insecure connection”. I can continue, and then I finish on a blank page… at the following URL: https://my.domain.ovh/apps/user_saml/saml/acs (I'm using Firefox)

Do you have any idea ?
Thanks

Paul Jaros, 2019/10/02 13:20

Hi Jordan

Go to your “Clients” settings and have a look at your app. In the tab “Settings” you will see the list of “Valid Redirect URIs”. The redirect you want to make after entering the credentials will need to match one of those entries.

https://www.keycloak.org/docs/6.0/server_admin/#oidc-clients

eric, 2020/06/04 03:29

Hi there,

Thanks for this great guide, but I'm facing some issues making it work.

I followed this setup but Keycloak complains 'Unsupported NameIDFormat' when I redirect from nextcloud to keycloak for authentication.

Any suggestion is appreciated.

SKM, 2021/03/09 11:40

Dear all, I am getting the below error when trying to get this authenticated by Keycloak.

Account not provisioned.

Your account is not provisioned, access to this service is thus not possible.

Nextcloud Log:

Fatal user_saml Signature validation failed. SAML Response rejected 2021-03-09T19:36:45+0800

Fatal user_saml invalid_response 2021-03-09T19:36:45+0800

any help please ?

linux_server_manuals/nextcloud_saml_authentication_against_keycloak.txt · Last modified: 2023/06/25 17:24 by admin