en:2.0:single_sign_on:saml_nextcloud [2025/04/25 10:59] – created kainhofer | en:2.0:single_sign_on:saml_nextcloud [2025/04/27 22:06] (current) – [Configuring the Service Provider (Nextcloud)] kainhofer |
| |
Starting with version 5.0, Admidio can be used by other applications to authenticate users against Admidios user base. These instructions will guide you through the process of connecting Nextcloud to Admidio to use Admidio's login. For general instructions, and other apps, please visit the [[en:2.0:single_sign_on|general Single-Sign-On overview page]]. | Starting with version 5.0, Admidio can be used by other applications to authenticate users against Admidios user base. These instructions will guide you through the process of connecting Nextcloud to Admidio to use Admidio's login. For general instructions, and other apps, please visit the [[en:2.0:single_sign_on|general Single-Sign-On overview page]]. |
| |
| The SAML Login functionality of Nextcloud is provided by the [[https://apps.nextcloud.com/apps/user_saml|SSO & SAML authentication]] extension. |
| |
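Review bot: the unchanged opening paragraph (carried into the new revision) says "against Admidios user base"; since this region is being edited to add the SSO & SAML authentication extension link, take the opportunity to correct the possessive to "against Admidio's user base" so it matches "Admidio's login" in the next sentence.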
===== Prerequisites ===== | ===== Prerequisites ===== |
=== Setting up encryption === | === Setting up encryption === |
| |
If encryption is desired for all SAML messages sent by Admidio to Nextcloud, or if Nextcloud should sign all its requests, then Nextcloud needs a private/public key pair to decrypt or sign messages. These need to be entered into the Nextcloud SAML config in PEM format and can be generated by openssl's command line tools, or in Admidio's key administration. Simply create a new Key for Nextcloud (RSA 2048 bits). The certificate can be copied directly from the key's edit page, but the private key is not available in Admidio's GUI for security reason. Instead, it can be downloaded (secured with a password!) from the list of keys in Admidio: | If encryption is desired for all SAML messages sent by Admidio to Nextcloud, or if Nextcloud should sign all its requests, then Nextcloud needs a private/public key pair to decrypt or sign messages. These need to be entered into the Nextcloud SAML config in PEM format and can be generated by openssl's command line tools, by tools like https://www.samltool.com/self_signed_certs.php, or in Admidio's key administration. Simply create a new Key for Nextcloud (RSA 2048 bits). The certificate can be copied directly from the key's edit page, but the private key is not available in Admidio's GUI for security reason. Instead, it can be downloaded (secured with a password!) from the list of keys in Admidio: |
| |
{{ :en:2.0:sso:sso_saml_02-03a_nc_saml_keysetup1.png?direct&400 |}} | {{ :en:2.0:sso:sso_saml_02-03a_nc_saml_keysetup1.png?direct&400 |}} |
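Review bot: the new revision adds a third key-generation option, "tools like https://www.samltool.com/self_signed_certs.php", alongside openssl and Admidio's key administration. A key pair produced in a browser on a third-party site means the private key that Nextcloud will use to decrypt assertions and sign requests has existed outside the administrator's own systems; suggest either listing that option last with a note that locally generated keys (openssl or Admidio's key administration, which the paragraph already recommends) are preferable for production, or dropping it. While here, "for security reason" should read "for security reasons".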
In addition to the Entity ID and URLs to connect SP and IdP and the certificate, which are configured automatically, one also needs to define the attribute and role mapping. The username is the most relevant. To use Admidio's group memberships as Nextcloud groups, make sure to include the "Roles" field and provide the correct field name in Nextcloud. Internally, Nextcloud will add a prefix to the role names, which makes it impossible to assign admin rights to SAML groups (Nextcloud uses the group with internal name "admin" for administrators). If you want to assign admin rights through SAML, too, then you must enter a single space into the prefix field. This causes Nextcloud to take the role names verbatim as Nextcloud group names, including "admin". | In addition to the Entity ID and URLs to connect SP and IdP and the certificate, which are configured automatically, one also needs to define the attribute and role mapping. The username is the most relevant. To use Admidio's group memberships as Nextcloud groups, make sure to include the "Roles" field and provide the correct field name in Nextcloud. Internally, Nextcloud will add a prefix to the role names, which makes it impossible to assign admin rights to SAML groups (Nextcloud uses the group with internal name "admin" for administrators). If you want to assign admin rights through SAML, too, then you must enter a single space into the prefix field. This causes Nextcloud to take the role names verbatim as Nextcloud group names, including "admin". |
| |
{{ :en:2.0:sso:sso_saml_02-06_nc_admidio_clientsetup1.png?direct&600 |}} | {{ :en:2.0:sso:sso_saml_02-06_nc_admidio_clientsetup1.png?direct&900 |}} |
| |
| |
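Review bot: only the screenshot width changes in this hunk, but the unchanged paragraph above it gives the single-space prefix trick without its consequence. With the prefix effectively empty, every Admidio role name becomes a Nextcloud group name verbatim, so any Admidio role literally named "admin" grants Nextcloud administrator rights; suggest adding one sentence telling the reader to review which Admidio roles are mapped before enabling this.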
| The Nextclout SAML configuration also provides settings to choose whether its requests sent to admidio should be signed (a crypto key needs to be set as described above!), and whether all received responses and asserts are expected to be signed or encrypted. You can choose the security level that you desire, but you need to make sure that the settings in Admidio and Nextcloud are consistent, otherwise login will not be possible (e.g. if Wordpress is configured to require signatures on all asserts and responses received, while Admidio is configured not to sign them). |
| |
<WRAP center round todo 60%> | {{ :en:2.0:sso:sso_saml_02-07_nc_admidio_clientsetup3.png?direct&900 |}} |
TODO: Describe signing and encryption settings (synced) | |
</WRAP> | |
{{ :en:2.0:sso:sso_saml_02-07_nc_admidio_clientsetup3.png?direct&600 |}} | |
| |
| |
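Review bot: the new paragraph on signing and encryption settings uses a mismatched example: "if Wordpress is configured to require signatures on all asserts and responses received" should refer to Nextcloud, since this page documents the Nextcloud Service Provider (the sentence looks copied from the WordPress instructions). Also fix "Nextclout" to "Nextcloud", "admidio" to "Admidio", and "asserts" to "assertions" (the SAML term used by the configuration dialogs). Replacing the TODO WRAP block with the clientsetup3 screenshot is fine, but the screenshot alone does not say which of the Nextcloud checkboxes correspond to which Admidio settings; a short mapping sentence next to the image would close the TODO properly.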