linux_server_manuals:nextcloud_saml_authentication_against_keycloak

Differences

This shows you the differences between two versions of the page.

linux_server_manuals:nextcloud_saml_authentication_against_keycloak [2023/06/25 14:55] adminlinux_server_manuals:nextcloud_saml_authentication_against_keycloak [2023/06/25 17:24] (current) admin
Line 1: Line 1:
 ====== Keycloak as (SAML) SSO-Authentication provider for Nextcloud ====== ====== Keycloak as (SAML) SSO-Authentication provider for Nextcloud ======
  
-We can use Keycloak as SSO (Single Sign On) authentication provider for nextcloud using SAML. <del>Unfortunately the SAML plugin for nextcloud doesn't support groups (yet?). If you need/want to use them, you can get them over LDAP. Therefor you want to use [[:linux_server_manuals:keycloak_openldap_integration|LDAP federation in Keycloak]] and before setting up the SAML authentication, set up the [[:linux_server_manuals:nextcloud_ldap_integration| LDAP connection in Nextcloud.]]</del> Newer Versions of the SAML plugin are able to get the groups from Keycloak and also to restrict by them.+We can use Keycloak as SSO (Single Sign On) authentication provider for nextcloud using SAML. <del>Unfortunately the SAML plugin for nextcloud doesn't support groups (yet?). If you need/want to use them, you can get them over LDAP. Therefor you want to use [[:linux_server_manuals:keycloak_openldap_integration|LDAP federation in Keycloak]] and before setting up the SAML authentication, set up the [[:linux_server_manuals:nextcloud_ldap_integration| LDAP connection in Nextcloud.]]</del> Newer Versions of the SAML plugin are able to get the groups from Keycloak and also to restrict by them. Unfortunately they aren't able to get first and last name from keycloak, but expect the Full Name (Displayname) to be provided. Which keycloak in the newer versions doesn't provide in an easy way (You need to upload your own SPI).
  
 Before anything else you should have a working Keycloak installation ;-) : [[:linux_server_manuals:docker_keycloak_container_with_local_postgresql|]] Before anything else you should have a working Keycloak installation ;-) : [[:linux_server_manuals:docker_keycloak_container_with_local_postgresql|]]
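Review bot: the sentence added at the end of the first paragraph ("Unfortunately they aren't able to get first and last name from keycloak, but expect the Full Name (Displayname) to be provided…") names no versions, so a reader cannot tell which release of the Nextcloud SAML plugin or of Keycloak it applies to; state the versions this was tested with, and name the Nextcloud setting the display name would be mapped to, because the settings table in the next hunk adds rows for email and groups but none for the display name. "Which keycloak in the newer versions doesn't provide in an easy way (You need to upload your own SPI)." is also a sentence fragment and should be joined to the preceding sentence.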
Line 25: Line 25:
 |**URL location of the IdP for SLO ** |<nowiki>https://auth.example.com/realms/{realm-name}/protocol/saml</nowiki>| | |**URL location of the IdP for SLO ** |<nowiki>https://auth.example.com/realms/{realm-name}/protocol/saml</nowiki>| |
 |**Public x.509 certificate of the IdP** | |Copy here the public certificate of keycloak which you can find in **realm settings/keys/rs256/certificate**   | |**Public x.509 certificate of the IdP** | |Copy here the public certificate of keycloak which you can find in **realm settings/keys/rs256/certificate**   |
 +|**Attribute to map the email to** |email| |
 +|**Attribute to map the User groups to** |Role|if you want to get the roles from keycloak. if you want to get the groups, use member, otherwise leave empty|
 |**Indicates whether the <samlp:AuthnRequest> messages sent by this SP will be signed.** |enabled| | |**Indicates whether the <samlp:AuthnRequest> messages sent by this SP will be signed.** |enabled| |
 |**Indicates whether the <samlp:logoutRequest> messages sent by this SP will be signed.** |enabled| | |**Indicates whether the <samlp:logoutRequest> messages sent by this SP will be signed.** |enabled| |
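Review bot: the new row "Attribute to map the User groups to" = Role only works if Keycloak actually emits a SAML attribute of exactly that name, so the note column should say that this value must equal the "Role attribute name" of the Role list mapper configured further down (Role) or the attribute name of the Group list mapper when "member" is chosen; as written, the "member" alternative has no matching mapper configuration anywhere on the page. The same holds for "Attribute to map the email to" = email, which must match the "SAML attribute name" of the email mapper below; a short cross-reference in each note column would prevent the Duplicated Attribute / missing attribute errors the page mentions elsewhere.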
Line 38: Line 40:
 In keycloak go to clients and choose "Import Client". Upload the previously downladed **medata.xml** and click ok. In keycloak go to clients and choose "Import Client". Upload the previously downladed **medata.xml** and click ok.
  
-Then go to the **Client scopes** tab. If you don't need the role_list scope, just delete it. If you want to map roles, go to the Keycloak Menu **Client Scopes** click on **role list** (or create a new scope, if you already use this one for an other SAML client), then go to **Mappers/Roles List** and activate **Single Role Attribute**, otherwise you will get **Duplicated Attribute Error** in Nextcloud. <del>Unfortunately for the time beeing, Nextcloud doesn't support any Role or Group mappings, but maybe in the future…</del>+Then go to the **Client scopes** tab and delete the **roles_list** scope. It won't work since it is not configured as <b>Single Role Attribute</b> it will lead <b>Duplicated Attribute Error</b> in Nextcloud.\\ 
 +Now below Assigned client scope click on the URL **<nextcloud-url>/index.php/apps/user_saml/saml/metadata-dedicated** (a bold UI Design decision… only took me hours to find that. Hopefully that will be changed in Keycloak 21).
  
-Then create new Mapper:+ Then create multiple new mappers: **add Mapper/by configuration/User Property**:\\
  
 ^setting^value| ^setting^value|
 |**name** |username| |**name** |username|
-|**mapper type** |user property| 
 |**property** |username| |**property** |username|
 |**SAML attribute name** |username| |**SAML attribute name** |username|
 |**SAML attribute name format** |basic| |**SAML attribute name format** |basic|
  
-So now everything should be working. Try to log in. If it doesn't work check out the nextcloud log file and the keycloak log. If you've installed keycloak as docker container you can access its log like that: +^setting^value| 
-<code>+|**name** |email| 
 +|**property** |email| 
 +|**SAML attribute name** |email| 
 +|**SAML attribute name format** |basic|
  
-docker log keycloak +If you want to map the roles or groups to nextcloud add a **Role list** respectively **Group list** mapper (instead of User property).
- +
-</code>+
  
 +^setting^value|
 +|**name** |role list|
 +|**
 +Role attribute name ** |Role|
 +|**SAML attribute name format** |basic|
 +|**
 +Single Role Attribute ** |on|
  
 +So now everything should be working. Try to log in. If it doesn't work check out the nextcloud log file and the keycloak log.
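Review bot: the client scope name is inconsistent between the two revisions: the removed text calls it role_list, the added text roles_list; Keycloak's default client scope is named role_list, so the new spelling should be corrected before readers go looking for a scope that does not exist. Two smaller points in the same hunk: the role list mapper table is split mid-row ("|**" on one line and "Role attribute name ** |Role|" on the next, likewise for Single Role Attribute), which DokuWiki will not render as a table; put each row on a single line like the username and email tables above. And the troubleshooting paragraph lost its log command: the removed block said docker log keycloak, which was itself wrong (the subcommand is docker logs), so restore it as `docker logs keycloak` rather than dropping it, since "check out … the keycloak log" now gives no pointer to where that log is.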
  
  
linux_server_manuals/nextcloud_saml_authentication_against_keycloak.1687704943.txt.gz · Last modified: 2023/06/25 14:55 by admin