linux_server_manuals:nextcloud_saml_authentication_against_keycloak

Differences

This shows you the differences between two versions of the page.

linux_server_manuals:nextcloud_saml_authentication_against_keycloak [2023/06/25 17:03] admin
linux_server_manuals:nextcloud_saml_authentication_against_keycloak [2023/06/25 17:24] (current) admin
Line 25: Line 25:
 |**URL location of the IdP for SLO ** |<nowiki>https://auth.example.com/realms/{realm-name}/protocol/saml</nowiki>| | |**URL location of the IdP for SLO ** |<nowiki>https://auth.example.com/realms/{realm-name}/protocol/saml</nowiki>| |
 |**Public x.509 certificate of the IdP** | |Copy here the public certificate of keycloak which you can find in **realm settings/keys/rs256/certificate**   | |**Public x.509 certificate of the IdP** | |Copy here the public certificate of keycloak which you can find in **realm settings/keys/rs256/certificate**   |
 +|**Attribute to map the email to** |email| |
 +|**Attribute to map the User groups to** |Role|if you want to get the roles from keycloak. if you want to get the groups, use member, otherwise leave empty|
 |**Indicates whether the <samlp:AuthnRequest> messages sent by this SP will be signed.** |enabled| | |**Indicates whether the <samlp:AuthnRequest> messages sent by this SP will be signed.** |enabled| |
 |**Indicates whether the <samlp:logoutRequest> messages sent by this SP will be signed.** |enabled| | |**Indicates whether the <samlp:logoutRequest> messages sent by this SP will be signed.** |enabled| |
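Review bot: the new **Attribute to map the User groups to** row gives the value `Role` without saying that it must match, character for character, the **Role attribute name** configured on the Keycloak mapper (set to `Role` further down in this same change); a mismatch does not produce an error, it just maps no groups, so state that dependency in the row and say the same for `member` when groups rather than roles are mapped. Minor: the note in that row should read "If you want to get the groups, use member; otherwise leave empty."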
Line 41: Line 43:
 Now below Assigned client scope click on the URL **<nextcloud-url>/index.php/apps/user_saml/saml/metadata-dedicated** (a bold UI Design decision… only took me hours to find that. Hopefully that will be changed in Keycloak > 21). Now below Assigned client scope click on the URL **<nextcloud-url>/index.php/apps/user_saml/saml/metadata-dedicated** (a bold UI Design decision… only took me hours to find that. Hopefully that will be changed in Keycloak > 21).
  
-Then go to the **Client scopes** tab. If you don't need the role_list scope, just delete it. If you want to map roles, go to the Keycloak Menu **Client Scopes** click on **role list** (or create a new scope, if you already use this one for an other SAML client), then go to **Mappers/Roles List** and activate **Single Role Attribute**, otherwise you will get a **Duplicated Attribute Error** in Nextcloud. <del>Unfortunately for the time beeing, Nextcloud doesn't support any Role or Group mappings, but maybe in the future…</del> + Then create multiple new mappers: **add Mapper/by configuration/User Property**:\\
- +
-Then create multiple new mappers: **add Mapper/by configuration/User Property**:+
  
 ^setting^value| ^setting^value|
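Review bot: the struck-through sentence (`<del>Unfortunately for the time beeing, Nextcloud doesn't support any Role or Group mappings…</del>`) now contradicts the mapper instructions appended right after it in this same change; remove the sentence rather than keeping it as strike-through, and fix "beeing" if it stays. The trailing `\\` forced line break is also unnecessary, since the blank context line that follows already ends the paragraph.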
Line 57: Line 57:
 |**SAML attribute name format** |basic| |**SAML attribute name format** |basic|
  
-So now everything should be working. Try to log in. If it doesn't work check out the nextcloud log file and the keycloak logIf you've installed keycloak as docker container you can access its log like that: +If you want to map the roles or groups to nextcloud add a **Role list** respectively **Group list** mapper (instead of User property).
-<code> +
- +
-docker log keycloak +
- +
-</code>+
  
 +^setting^value|
 +|**name** |role list|
 +|**
 +Role attribute name ** |Role|
 +|**SAML attribute name format** |basic|
 +|**
 +Single Role Attribute ** |on|
  
 +So now everything should be working. Try to log in. If it doesn't work check out the nextcloud log file and the keycloak log.
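Review bot: the two new table rows `|**` / `Role attribute name ** |Role|` and `|**` / `Single Role Attribute ** |on|` are split across two lines each, and DokuWiki only recognises a table row that sits on a single line, so these two settings will not render inside the table; join them as `|**Role attribute name** |Role|` and `|**Single Role Attribute** |on|`. Removing the `docker log keycloak` block also leaves "check out the nextcloud log file and the keycloak log" with no hint of where the Keycloak log is; if the block is restored, the command is `docker logs keycloak` (the removed text had `docker log`). Wording: "add a **Role list** or **Group list** mapper, respectively" reads better than "respectively **Group list** mapper".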
  
  
linux_server_manuals/nextcloud_saml_authentication_against_keycloak.txt · Last modified: 2023/06/25 17:24 by admin