linux_server_manuals:nextcloud_saml_authentication_against_keycloak [2023/06/25 17:24] (current) admin

====== Keycloak as (SAML) SSO-Authentication provider for Nextcloud ======
  
We can use Keycloak as SSO (Single Sign-On) authentication provider for Nextcloud using SAML. <del>Unfortunately the SAML plugin for Nextcloud doesn't support groups (yet?). If you need/want to use them, you can get them over LDAP. Therefore you want to use [[:linux_server_manuals:keycloak_openldap_integration|LDAP federation in Keycloak]] and, before setting up the SAML authentication, set up the [[:linux_server_manuals:nextcloud_ldap_integration| LDAP connection in Nextcloud.]]</del> Newer versions of the SAML plugin are able to get the groups from Keycloak and also to restrict access by them. Unfortunately they aren't able to take first and last name from Keycloak separately; they expect the full name (display name) to be provided as one attribute, which newer Keycloak versions don't offer in an easy way (you need to deploy your own SPI).
  
Before anything else you should have a working Keycloak installation ;-) : [[:linux_server_manuals:docker_keycloak_container_with_local_postgresql|]]
|**URL location of the IdP for SLO** |<nowiki>https://auth.example.com/realms/{realm-name}/protocol/saml</nowiki>| |
|**Public X.509 certificate of the IdP** | |Paste the realm's public signing certificate here; in Keycloak you find it under **Realm settings / Keys / RS256 / Certificate** |
|**Attribute to map the email to** |email| |
|**Attribute to map the User groups to** |Role|Use Role if you want Keycloak roles as Nextcloud groups, member if you want Keycloak groups; leave it empty otherwise. The value must match the attribute name set in the Keycloak mapper.|
|**Indicates whether the <samlp:AuthnRequest> messages sent by this SP will be signed.** |enabled| |
|**Indicates whether the <samlp:logoutRequest> messages sent by this SP will be signed.** |enabled| |
  
Then click on **Download metadata XML** and save the file; you'll need it for Keycloak.
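The IdP values for the Nextcloud settings (entity ID, SSO/SLO URL, signing certificate) are all in Keycloak's SAML descriptor, and copying them by hand is where most typos happen. The following script is an added example (not code from this page, Nextcloud or Keycloak) that pulls them out of that document. It assumes the descriptor is fetched from Keycloak's standard metadata path https://auth.example.com/realms/{realm-name}/protocol/saml/descriptor (host as in the table above); the descriptor embedded in the code is a constructed sample with a placeholder certificate body, not a real certificate.

```python
# Added example: extract the IdP values the Nextcloud SAML settings ask for
# from a Keycloak SAML descriptor (not part of Nextcloud or Keycloak).
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Placeholder certificate body, NOT a real certificate (constructed sample data).
FAKE_CERT_B64 = "MIIB" + "x" * 100

# Constructed sample in the shape Keycloak returns from
# https://auth.example.com/realms/{realm-name}/protocol/saml/descriptor
SAMPLE_DESCRIPTOR = f"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://auth.example.com/realms/example">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:KeyName>constructed-key-id</ds:KeyName>
        <ds:X509Data>
          <ds:X509Certificate>
            {FAKE_CERT_B64}
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{HTTP_POST}"
        Location="https://auth.example.com/realms/example/protocol/saml"/>
    <md:SingleLogoutService Binding="{HTTP_REDIRECT}"
        Location="https://auth.example.com/realms/example/protocol/saml"/>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://auth.example.com/realms/example/protocol/saml"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://auth.example.com/realms/example/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def to_pem(cert_b64: str) -> str:
    """Wrap the bare base64 from the metadata into the PEM form Nextcloud expects."""
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def idp_settings(descriptor_xml: str, binding: str = HTTP_REDIRECT) -> dict:
    """Return entity ID, the SSO/SLO URLs for `binding` and all signing certificates."""
    root = ET.fromstring(descriptor_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # An SPSSODescriptor here means you fetched SP metadata (e.g. Nextcloud's own).
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    def location(service: str) -> str:
        for svc in idp.findall(f"md:{service}", NS):
            if svc.get("Binding") == binding:
                return svc.get("Location")
        raise ValueError(f"no {service} endpoint with binding {binding}")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for signing and encryption alike.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))  # drop embedded whitespace
    if not certs:
        raise ValueError("no signing certificate in metadata")

    return {
        "entity_id": root.get("entityID"),
        "sso_url": location("SingleSignOnService"),
        "slo_url": location("SingleLogoutService"),
        # More than one entry means the realm is rotating keys; the Nextcloud field
        # takes one, so pick the active one shown under Realm settings / Keys.
        "signing_certs": [to_pem(c) for c in certs],
    }


if __name__ == "__main__":
    for key, value in idp_settings(SAMPLE_DESCRIPTOR).items():
        print(key, value if isinstance(value, str) else value[0], sep=": ")
```

Run it against the real descriptor (fetch the URL above and pass the text to `idp_settings`) and paste the PEM block into the certificate field; if `signing_certs` has more than one entry, compare against the RS256 key listed in the realm settings before pasting.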
===== Keycloak configuration =====

In Keycloak go to **Clients** and choose **Import client**. Upload the previously downloaded **metadata.xml** and save.

Then go to the **Client scopes** tab of the new client and remove the default **role_list** scope. Its role list mapper is not configured with **Single Role Attribute**, so every role is sent as a separate <saml:Attribute> element of the same name, which makes Nextcloud fail with a **Duplicated Attribute** error.\\
Now, below **Assigned client scope**, click on the link named **<nextcloud-url>/index.php/apps/user_saml/saml/metadata-dedicated**; that is the client's dedicated scope (a bold UI design decision; it only took me hours to find that. Hopefully that will be changed in Keycloak > 21).

Then create several new mappers via **Add mapper / By configuration / User Property**:\\

^Setting^Value^
|**Name** |username|
|**Property** |username|
|**SAML attribute name** |username|
|**SAML attribute name format** |basic|

^Setting^Value^
|**Name** |email|
|**Property** |email|
|**SAML attribute name** |email|
|**SAML attribute name format** |basic|

If you want to map roles or groups to Nextcloud, add a **Role list** or a **Group list** mapper respectively (instead of a User Property mapper):

^Setting^Value^
|**Name** |role list|
|**Role attribute name** |Role|
|**SAML attribute name format** |basic|
|**Single Role Attribute** |on|

For a **Group list** mapper the corresponding fields are **Group attribute name** (set it to member so that it matches the Nextcloud setting) and **Single Group Attribute** (on); without the single-attribute option the same duplicated-attribute problem applies as with the default role_list scope.

So now everything should be working. Try to log in. If it doesn't work, check the Nextcloud log file and the Keycloak log.
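When the login fails, the quickest way to see what Keycloak actually sent is to look at the assertion itself. The following script is an added example (not code from this page, Nextcloud or Keycloak) that parses an assertion, flags the layout the default role_list scope produces (several <saml:Attribute Name="Role"> elements, which Nextcloud rejects as a duplicated attribute) as opposed to the **Single Role Attribute** layout (one element with several values), and checks that the attribute names match the Nextcloud settings from this manual (username, email, Role). The two assertions embedded in it are constructed samples; a real one can be taken from the base64 SAMLResponse form field of a test login (HTTP-POST binding). The check inspects the XML only and does not verify the signature, so use it on assertions from your own test logins, not as a validator.

```python
# Added example: inspect the attribute layout of a SAML assertion before
# pointing Nextcloud at it (not code from Nextcloud, Keycloak or this page).
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"


class DuplicateAttribute(ValueError):
    """The same Name is carried by more than one <saml:Attribute> element."""


def decode_post_response(saml_response_b64: str) -> str:
    """The SAMLResponse form field of the HTTP-POST binding is plain base64 XML."""
    return base64.b64decode(saml_response_b64).decode("utf-8")


def assertion_attributes(xml_text: str) -> dict:
    """Map attribute Name -> list of values for a bare <saml:Assertion> or a
    <samlp:Response> wrapping one. Inspects the XML only, no signature check."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find(".//saml:Assertion", NS)
    if assertion is None:
        if root.find(".//saml:EncryptedAssertion", NS) is not None:
            raise ValueError("assertion is encrypted; decrypt it with the SP key first")
        raise ValueError("no <saml:Assertion> found")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        if name in attrs:
            # This is what the default role_list scope produces: one <saml:Attribute
            # Name="Role"> per role. Nextcloud rejects it as a duplicated attribute.
            raise DuplicateAttribute(
                f"attribute {name!r} appears more than once ({attrs[name]} and {values}); "
                "enable 'Single Role Attribute' / 'Single Group Attribute' in the Keycloak mapper")
        attrs[name] = values
    return attrs


def check_nextcloud_mapping(attrs: dict, uid_attr: str = "username",
                            email_attr: str = "email", group_attr: str = "Role") -> list:
    """Compare the assertion with the Nextcloud SAML settings; [] means it fits."""
    problems = []
    if len(attrs.get(uid_attr, [])) != 1:
        problems.append(f"uid attribute {uid_attr!r} must have exactly one value, got {attrs.get(uid_attr)}")
    if not attrs.get(email_attr):
        problems.append(f"email attribute {email_attr!r} missing or empty")
    if group_attr and group_attr not in attrs:
        problems.append(f"group attribute {group_attr!r} not in assertion, the user would get no groups")
    return problems


# Constructed sample: what the mappers from this manual should produce
# (Role list mapper with Single Role Attribute = on).
GOOD_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_constructed-1"
    Version="2.0" IssueInstant="2023-06-25T15:09:00Z">
  <saml:AttributeStatement>
    <saml:Attribute Name="username" NameFormat="{BASIC}">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email" NameFormat="{BASIC}">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Role" NameFormat="{BASIC}">
      <saml:AttributeValue>nextcloud-users</saml:AttributeValue>
      <saml:AttributeValue>nextcloud-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: the layout of the default role_list scope (no Single Role
# Attribute), wrapped in a Response as it arrives at Nextcloud's ACS endpoint.
BAD_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_constructed-2" Version="2.0" IssueInstant="2023-06-25T15:09:00Z">
  <saml:Assertion ID="_constructed-3" Version="2.0" IssueInstant="2023-06-25T15:09:00Z">
    <saml:AttributeStatement>
      <saml:Attribute Name="Role" NameFormat="{BASIC}">
        <saml:AttributeValue>nextcloud-users</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Role" NameFormat="{BASIC}">
        <saml:AttributeValue>nextcloud-admins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
BAD_RESPONSE_B64 = base64.b64encode(BAD_RESPONSE.encode()).decode()

if __name__ == "__main__":
    print(check_nextcloud_mapping(assertion_attributes(GOOD_ASSERTION)) or "assertion fits the Nextcloud settings")
```

If you mapped groups instead of roles, call `check_nextcloud_mapping(attrs, group_attr="member")` so the check uses the same attribute name as the Nextcloud setting and the Group list mapper.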
  
linux_server_manuals/nextcloud_saml_authentication_against_keycloak.1687705748.txt.gz · Last modified: 2023/06/25 15:09 by admin