Enable Nextcloud SAML Login using AzureAD

Create an Enterprise App for Nextcloud

  1. Open the Azure admin portal - https://portal.azure.com
  2. Open Azure Active Directory > Enterprise applications
  3. Click the + New application link at the top
  4. Search for "Azure AD SAML Toolkit" in the gallery
  5. Click on "Azure AD SAML Toolkit"
  6. Enter "Nextcloud" in the Name and click the Add button
  7. When the app opens click on "Single sign-on"
  8. Click the pencil icon on the Basic SAML Configuration
  9. Fill in the required fields:
  10. Save the settings
  11. Download the Federation Metadata XML under the SAML Signing Certificate section

Configure Nextcloud

  1. Enable the "SSO & SAML authentication" app in Nextcloud

  2. Navigate to the "SSO & SAML authentication" configuration page ( Settings > SSO & SAML authentication )

  3. Optionally enable "Allow the use of multiple user back-ends"

  4. Under General

  5. Identity Provider Data (show optional Identity Provider settings)

    • Identifier of the IdP entity => the Azure AD Identifier shown in section 4 ("Set up Nextcloud") of the app's Single sign-on page

    • URL Target of the IdP where the SP will send the Authentication Request Message => the Login URL from section 4 of the app's Single sign-on page

    • URL Location of the IdP where the SP will send the SLO Request => the Logout URL from section 4 of the app's Single sign-on page

    • Public X.509 certificate of the IdP => the X509Certificate value from the Federation Metadata XML downloaded in step 11 (the base64 body only, no PEM header or footer). Before pasting, check that its thumbprint matches the one shown under the "SAML Signing Certificate" section in the portal. This one-liner copies it to the clipboard:

      PS C:\> ([xml](Get-Content -Path .\Nextcloud.xml)).EntityDescriptor.Signature.KeyInfo.X509Data.X509Certificate | Set-Clipboard
  6. Attribute Mapping

  7. Make note of the direct login URL, typically https://nextcloud.domain.com/login?direct=1 . It shows the local (non-SAML) login form, so a local admin account can still sign in if the SAML configuration breaks.

Note: If you use the Nextcloud container you may have to include index.php in your URLs.
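The following PowerShell is an added example, not code from the gist. It extends the clipboard one-liner above: it reads the Federation Metadata XML from step 11 and pulls out every value the Nextcloud "Identity Provider Data" section asks for, takes the certificate from the IdP's own signing KeyDescriptor rather than from the document signature, and prints each signing certificate's thumbprint and expiry so you can compare it with the portal before pasting. It also derives the Identifier and Reply URL that Azure's Basic SAML Configuration needs. Assumptions: the file is saved as .\Nextcloud.xml, the Nextcloud host is https://nextcloud.domain.com as used elsewhere on this page, and the SP endpoint paths /apps/user_saml/saml/metadata and /apps/user_saml/saml/acs follow the user_saml app's conventions (the metadata path is the identifier quoted in the AADSTS700016 error in the comments; the container image may need /index.php in front of them, as the note above says).

```powershell
# Added example, not code from the gist. Assumes .\Nextcloud.xml is the Federation
# Metadata XML downloaded in step 11 and that the element names follow the SAML 2.0
# metadata schema (EntityDescriptor > IDPSSODescriptor), which is what Azure AD publishes.

function Get-AzureSamlIdpSettings {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Path)

    $entity = ([xml](Get-Content -Path $Path -Raw)).EntityDescriptor
    $idp    = $entity.IDPSSODescriptor
    if (-not $idp) { throw "No IDPSSODescriptor in '$Path'. Is this the SAML federation metadata?" }

    $redirect = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'

    # Read the certificate from the IdP's KeyDescriptor use="signing" rather than from the
    # document <Signature>: that is the key the assertions sent to Nextcloud are signed with.
    # Azure may publish two signing keys during a certificate rollover, so keep all of them.
    $certs = foreach ($k in @($idp.KeyDescriptor | Where-Object { $_.use -eq 'signing' })) {
        $b64 = $k.KeyInfo.X509Data.X509Certificate -replace '\s', ''
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [Convert]::FromBase64String($b64))
    }
    if (@($certs).Count -eq 0) { throw 'No signing KeyDescriptor found in the metadata.' }

    [pscustomobject]@{
        IdpEntityId  = $entity.entityID                                                        # "Identifier of the IdP entity"
        SsoUrl       = ($idp.SingleSignOnService | Where-Object Binding -eq $redirect).Location  # AuthnRequest target
        SloUrl       = ($idp.SingleLogoutService | Where-Object Binding -eq $redirect).Location  # SLO request target
        SigningCerts = @($certs)
    }
}

function Get-NextcloudSamlSpSettings {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $NextcloudUrl)

    # Assumed: the user_saml app's conventional endpoints. Scheme and host must match exactly
    # what Nextcloud sends in its AuthnRequest; a mismatch is one cause of Azure's
    # "Application with identifier ... was not found" (AADSTS700016) error.
    $base = $NextcloudUrl.TrimEnd('/')
    [pscustomobject]@{
        Identifier = "$base/apps/user_saml/saml/metadata"   # Azure: Identifier (Entity ID)
        ReplyUrl   = "$base/apps/user_saml/saml/acs"        # Azure: Reply URL (Assertion Consumer Service URL)
    }
}

# Values for the Nextcloud "Identity Provider Data" fields
$idp = Get-AzureSamlIdpSettings -Path .\Nextcloud.xml
$idp | Select-Object IdpEntityId, SsoUrl, SloUrl | Format-List

# Compare the thumbprint with the one under "SAML Signing Certificate" in the portal, and note
# the expiry: when Azure rolls the certificate, the copy pasted into Nextcloud must be replaced.
foreach ($c in $idp.SigningCerts) {
    '{0}  expires {1:yyyy-MM-dd}' -f $c.Thumbprint, $c.NotAfter
}

# Paste into "Public X.509 certificate of the IdP" (base64 body, no PEM header/footer)
[Convert]::ToBase64String($idp.SigningCerts[0].RawData) | Set-Clipboard

# Values for Azure's Basic SAML Configuration (step 9 on the Azure side)
Get-NextcloudSamlSpSettings -NextcloudUrl 'https://nextcloud.domain.com' | Format-List
```

The dotted navigation of the [xml] cast ignores XML namespaces, which is why the SAML metadata and xmldsig elements can be addressed without a namespace manager; if the metadata lists two signing keys, paste the one whose thumbprint the portal currently shows as active.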

@mikegog

mikegog commented Jul 22, 2022

Short question, I hope you can help.
Do you know if it is possible to "connect" 2 separate Azure ADs to the same NextCloud?
Regards Mike.

@realslacker
Author

That would depend on whether the SAML provider for Nextcloud supports multiple IdPs. Which it looks like it does. You would just need to add each IdP separately.

@ubuntuyou

I'm assuming the instance of Nextcloud will need to be accessible from outside the local network? I have it working with LDAP but I can only access it from within the domain currently.

@Juanjotravelc

Hi, I have followed the manual step by step; after several attempts and a review of permissions in the tenant I still get the following error:

AADSTS700016: Application with identifier 'http://xxx.xxx.com/apps/user_saml/saml/metadata' was not found in the 'namedtenant' directory. This can happen if the application has not been installed by the tenant administrator or consented by a tenant user. You may have sent your authentication request to the wrong tenant.

I get the feeling that it's something on the azure side.... thanks!

@Exploit-Syst3me

Hi bro, I have the same issue as @Juanjotravelc.
Could you please help us :)

@kybernetik42

Hi Exploit-Syst3me, Juanjotravelc, you must use an AzureAD admin account that is assigned to the Enterprise App entry of your Nextcloud.

@NONO023

NONO023 commented Jul 29, 2023

Hi @Exploit-Syst3me, @Juanjotravelc, I had the same problem and found the missing settings on Azure. I had to configure self-service to allow users to request access.
Hoping this can help you and the community.

@kale1d0code

I pasted http://schemas.microsoft.com/identity/claims/displayname into "Attribute to map the displayname to"
and http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress into "Attribute to map the email address to",
and it doesn't seem to work.

Can you be clearer on what to type into the attribute mapping?

@b3nis

b3nis commented Oct 24, 2023

Hi @Exploit-Syst3me, @Juanjotravelc, I had the same problem and found the missing settings on Azure. I had to configure self-service to allow users to request access. Hoping this can help you and the community.

I have the same issue and wanted to try your solution - was it only the request to access setting that you changed?

@b3nis

b3nis commented Nov 12, 2023

https://sekureco42.ch/posts/nextcloud-sso-with-azure-active-directory/

@bankmrc054, thank you so much! It works now. I am very grateful.
