- Open the Azure admin portal - https://portal.azure.com
- Open Azure Active Directory > Enterprise applications
- Click the + New application link at the top
- Search for "Azure AD SAML Toolkit" in the gallery
- Click on "Azure AD SAML Toolkit"
- Enter "Nextcloud" in the Name and click the Add button
- When the app opens click on "Single sign-on"
- Click the pencil icon on the Basic SAML Configuration
- Fill in the required fields:
- Identifier = https://nextcloud.yourdomain.com/apps/user_saml/saml/metadata
- Reply URL = https://nextcloud.yourdomain.com
- Sign on URL = https://nextcloud.yourdomain.com/login
- Save the settings
- Download the Federation Metadata XML under the SAML Signing Certificate section
- Enable the "SSO & SAML authentication" app in Nextcloud
- Navigate to the "SSO & SAML authentication" configuration page (Settings > SSO & SAML authentication)
- Optionally enable "Allow the use of multiple user back-ends"
- Under General
  - Attribute to map the UID to => http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- Identity Provider Data (show optional Identity Provider settings)
  - Identifier of the IdP entity => Azure AD Identifier from section 4 of the Azure App
  - URL Target of the IdP where the SP will send the Authentication Request Message => Login URL from section 4 of the Azure App
  - URL Location of the IdP where the SP will send the SLO Request => Logout URL from section 4 of the Azure App
  - Public X.509 certificate of the IdP => extract the X509Certificate from the Federation Metadata XML
    PS C:\> ([xml](Get-Content -Path .\Nextcloud.xml)).EntityDescriptor.Signature.KeyInfo.X509Data.X509Certificate | Set-Clipboard
- Attribute Mapping
  - Attribute to map the displayname to => http://schemas.microsoft.com/identity/claims/displayname
  - Attribute to map the email address to => http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Make note of the direct login URL, typically https://nextcloud.domain.com/login?direct=1
Note: If you use the Nextcloud container you may have to include index.php in your URLs.
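Added example (this is not code from the original post or from the Nextcloud project): the Federation Metadata XML downloaded in the Azure step also carries the entity ID and the Login/Logout URLs, so every value in the Identity Provider Data section can be read from that one file instead of being copied out of the portal, and the certificate can be parsed and checked before it is pasted into Nextcloud. It assumes the metadata was saved as .\Nextcloud.xml (hypothetical file name; pass -MetadataPath to override) and that the file is the standard SAML 2.0 metadata Azure AD produces.

```powershell
# Added example, not from the original post: pull the Nextcloud "Identity Provider Data"
# values out of the Azure AD Federation Metadata XML and sanity-check the signing certificate.
# Assumption: the metadata was saved as .\Nextcloud.xml (hypothetical name).
param(
    [string]$MetadataPath = '.\Nextcloud.xml'
)

[xml]$metadata = Get-Content -Path $MetadataPath -Raw

# SAML metadata and XML-DSig namespaces; Select-Xml needs them for the XPath queries below.
$ns = @{
    md = 'urn:oasis:names:tc:SAML:2.0:metadata'
    ds = 'http://www.w3.org/2000/09/xmldsig#'
}
$redirectBinding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
$idp = '/md:EntityDescriptor/md:IDPSSODescriptor'

function Get-MetadataValue([string]$XPath) {
    # Returns the first match for an XPath as a string, or throws if the metadata lacks it.
    $hit = Select-Xml -Xml $metadata -XPath $XPath -Namespace $ns | Select-Object -First 1
    if (-not $hit) { throw "Not found in metadata: $XPath" }
    $node = $hit.Node
    if ($node -is [System.Xml.XmlAttribute]) { return $node.Value }
    return $node.InnerText
}

# "Identifier of the IdP entity" (the Azure AD Identifier)
$entityId = Get-MetadataValue '/md:EntityDescriptor/@entityID'
# "URL Target of the IdP where the SP will send the Authentication Request Message" (Login URL)
$ssoUrl = Get-MetadataValue "$idp/md:SingleSignOnService[@Binding='$redirectBinding']/@Location"
# "URL Location of the IdP where the SP will send the SLO Request" (Logout URL)
$sloUrl = Get-MetadataValue "$idp/md:SingleLogoutService[@Binding='$redirectBinding']/@Location"
# "Public X.509 certificate of the IdP": the key Azure AD signs assertions with. This is the
# KeyDescriptor use="signing" entry, not the signature over the metadata document itself.
$certBase64 = (Get-MetadataValue "$idp/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate") -replace '\s', ''

# Parse the certificate so a truncated or mis-pasted value fails here rather than at first login.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($certBase64))
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "IdP signing certificate expires $($cert.NotAfter); rotate it in Nextcloud before then."
}

[pscustomobject]@{
    EntityId    = $entityId
    LoginUrl    = $ssoUrl
    LogoutUrl   = $sloUrl
    CertSubject = $cert.Subject
    CertExpires = $cert.NotAfter
    Thumbprint  = $cert.Thumbprint
} | Format-List

# Put the certificate on the clipboard in the single-line base64 form the Nextcloud settings page expects.
$certBase64 | Set-Clipboard
```

Run it from the folder holding the downloaded metadata, compare EntityId, LoginUrl and LogoutUrl against section 4 of the Azure app, and paste the clipboard contents into the "Public X.509 certificate of the IdP" field. The expiry warning is worth keeping: when Azure rotates the app's signing certificate, Nextcloud will reject every assertion until the new certificate is pasted in, so the thumbprint and NotAfter date printed here are what to record for that change.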
That would depend on whether the SAML provider for Nextcloud supports multiple IdPs. Which it looks like it does. You would just need to add each IdP separately.