linux_server_manuals:nextcloud_saml_authentication_against_keycloak
Comparing revision 2023/06/25 14:02 (admin) with revision 2023/06/25 17:24 (current, admin). Lines removed in the newer revision are marked "-", lines added are marked "+"; unchanged lines carry no marker. Several lines are truncated in the extracted text and are left as they appear.

Line 1:
====== Keycloak as (SAML) SSO-Authentication provider for Nextcloud ======
- We can use Keycloak as SSO (Single Sign On) authentication provider for nextcloud using SAML. <
+ We can use Keycloak as SSO (Single Sign On) authentication provider for nextcloud using SAML. <
Before anything else you should have a working Keycloak installation ;-) : [[:

Line 19:
|**Attribute to map the UID to** |username| |
|**Only allow authentication if account exists … ** | |Enable it if you want LDAP for group permission, otherwise disable it|
- |**X.509 Certificate of Service provider ** | |Copy here the content from the above generated public.cert. Alternatively you can also leave that empty, do all the other steps, activate in keycloak **Client Signature Required**, save and then copy the private and public key from the tab **SAML keys** to nextcloud. But I think the way described here is more straightforward, and you won't need to change any special settings in Keycloak like that.|
+ |**X.509 Certificate of Service provider ** | |This one is kinda difficult to discover. Behind "
|**Private Key of service provider ** | |Copy here the content from privat.key|
- |**Identifier of IdP entity** |<
+ |**Identifier of IdP entity** |<
- |**URL target of the IdP …** |<
+ |**URL target of the IdP …** |<
- |**URL location of the IdP for SLO ** |<
+ |**URL location of the IdP for SLO ** |<
|**Public x.509 certificate of the IdP** | |Copy here the public certificate of keycloak which you can find in **realm settings/
+ |**Attribute to map the email to** |email| |
+ |**Attribute to map the User groups to** |Role|If you want to get the roles from keycloak; if you want to get the groups, use member, otherwise leave empty|
|**Indicates whether the <
|**Indicates whether the <

Line 36 (old) / Line 38 (new):
===== Keycloak configuration =====
- In keycloak
+ In keycloak
- Then go to the **Mappers** tab. If you don'
+ Then go to the **Client scopes** tab and delete the **roles_list** scope. It won'
+ Now below Assigned client scope click on the URL **<nextcloud-url>
- Then create
+ Then create
^setting^value|
|**name** |username|
- |**mapper type** |user property|
|**property** |username|
|**SAML attribute name** |username|
|**SAML attribute name format** |basic|
- So now everything should be working. Try to log in. If it doesn'
- <
- docker log keycloak
- 
- </
+ ^setting^value|
+ |**name** |email|
+ |**property** |email|
+ |**SAML attribute name** |email|
+ |**SAML attribute name format** |basic|
+ If you want to map the roles or groups to nextcloud add a **Role list** or **Group list** mapper, respectively (instead of User property).
+ ^setting^value|
+ |**name** |role list|
+ |**Role attribute name ** |Role|
+ |**SAML attribute name format** |basic|
+ |**Single Role Attribute ** |on|
+ So now everything should be working. Try to log in. If it doesn'
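The page configures Nextcloud to read its UID from the SAML attribute `username`, the e-mail from `email` and the groups from `Role`, and configures Keycloak mappers to emit exactly those attribute names with name format `basic` (with "Single Role Attribute" on, so all roles arrive as values of one `Role` attribute). A quick way to confirm the two sides actually agree before debugging a failed login is to take an assertion the IdP produced and check that those attributes are present with the expected format. The script below is an added example, not code from the wiki page, Nextcloud or Keycloak; the two assertions are constructed for illustration (issuer URL, user names and role names are made up), and the script checks attribute mapping only, it does not verify the assertion's signature, which Nextcloud's SAML app does on its own.

```python
"""Check that a SAML assertion carries the attributes Nextcloud is configured
to read (per the wiki's settings table): UID from 'username', e-mail from
'email', groups from 'Role', all with SAML name format 'basic'.
Added example; not part of the wiki page, Nextcloud or Keycloak."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Nextcloud-side settings taken from the page: which SAML attribute feeds what.
EXPECTED = {"uid": "username", "email": "email", "groups": "Role"}


def extract_attributes(assertion_xml):
    """Return {name: (name_format, [values])} for every Attribute in the
    AttributeStatement.  A missing NameFormat means 'unspecified' in SAML 2.0,
    which is recorded as such so the caller can flag it."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        fmt = attr.get("NameFormat", FMT_UNSPECIFIED)
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = (fmt, values)
    return attrs


def check_mapping(assertion_xml):
    """Resolve uid, email and groups the way the page's Nextcloud settings
    expect, and list anything that would break the mapping.  Requiring
    exactly one value for uid and email is this check's own strictness."""
    attrs = extract_attributes(assertion_xml)
    report = {"uid": None, "email": None, "groups": [], "problems": []}
    for field, name in EXPECTED.items():
        if name not in attrs:
            effect = "user gets no groups" if field == "groups" else f"{field} cannot be mapped"
            report["problems"].append(f"no '{name}' attribute: {effect}")
            continue
        fmt, values = attrs[name]
        if fmt != FMT_BASIC:
            report["problems"].append(
                f"'{name}' has name format {fmt}; the Keycloak mapper should use 'basic'")
        if field == "groups":
            # 'Single Role Attribute' = on: every role is one AttributeValue
            # under the single 'Role' attribute, so keep all of them.
            report["groups"] = [v for v in values if v]
        elif len(values) != 1 or not values[0]:
            report["problems"].append(
                f"'{name}' must carry exactly one non-empty value, got {values}")
        else:
            report[field] = values[0]
    return report


# Constructed sample: what a correctly configured client should produce.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2023-06-25T14:02:00Z">
  <saml:Issuer>https://keycloak.example.test/realms/demo</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>admin</saml:AttributeValue>
      <saml:AttributeValue>users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample with two mapper mistakes: email sent with the 'uri'
# format and no role list mapper at all.
BROKEN_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-2" Version="2.0" IssueInstant="2023-06-25T14:02:00Z">
  <saml:Issuer>https://keycloak.example.test/realms/demo</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>bob</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>bob@example.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


if __name__ == "__main__":
    for label, xml in (("good", GOOD_ASSERTION), ("broken", BROKEN_ASSERTION)):
        print(label, check_mapping(xml))
```

To run it against a real login, paste the decoded (base64 and, for redirect bindings, inflated) assertion from the Nextcloud SAML app's debug output or from the Keycloak logs in place of the constructed sample; an empty `problems` list means the attribute names and formats on both sides line up, and a non-empty `groups` list confirms the role list mapper is delivering values.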
linux_server_manuals/nextcloud_saml_authentication_against_keycloak.1687701734.txt.gz · Last modified: 2023/06/25 14:02 by admin