@wgroenewold
Last active October 11, 2019 06:15
Use Azure AD Connect to do SSO on your Nextcloud instance

Do your usual Microsoft Azure AD Connect Application mumbo-jumbo to create a new application.

My config looks like this, use it as inspiration:

{
  "appId": "********-****-****-****-*************",
  "appRoles": [],
  "availableToOtherTenants": false,
  "displayName": "Nextcloud",
  "errorUrl": null,
  "groupMembershipClaims": null,
  "optionalClaims": null,
  "acceptMappedClaims": null,
  "homepage": "https://nextcloudurl.tld",
  "informationalUrls": {
    "privacy": null,
    "termsOfService": null
  },
  "identifierUris": [
    "https://nextcloudurl.tld/apps/user_saml/saml/metadata"
  ],
  "keyCredentials": [],
  "knownClientApplications": [],
  "logoutUrl": null,
  "oauth2AllowImplicitFlow": false,
  "oauth2AllowUrlPathMatching": false,
  "oauth2Permissions": [
    {
      "adminConsentDescription": "Allow the application to access Nextcloud on behalf of the signed-in user.",
      "adminConsentDisplayName": "Access Nextcloud",
      "id": "********-****-****-****-************",
      "isEnabled": true,
      "type": "User",
      "userConsentDescription": "Allow the application to access Nextcloud on your behalf.",
      "userConsentDisplayName": "Access Nextcloud",
      "value": "user_impersonation"
    }
  ],
  "oauth2RequirePostResponse": false,
  "objectId": "********-****-****-****-************",
  "parentalControlSettings": {
    "countriesBlockedForMinors": [],
    "legalAgeGroupRule": "Allow"
  },
  "passwordCredentials": [
    {
      "customKeyIdentifier": "************************",
      "endDate": "2299-12-30T23:00:00Z",
      "keyId": "*********-****-****-****-***********",
      "startDate": "2018-09-10T14:39:58.0337567Z",
      "value": null
    }
  ],
  "publicClient": false,
  "replyUrls": [
    "https://nextcloudurl.tld"
  ],
  "requiredResourceAccess": [
    {
      "resourceAppId": "********-****-****-*****-************",
      "resourceAccess": [
        {
          "id": "*********-****-****-****-************",
          "type": "Scope"
        }
      ]
    }
  ],
  "samlMetadataUrl": "https://nextcloudurl.tld/apps/user_saml/saml/metadata"
}

Go to:

https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps

You'll find your 36-character Microsoft ID as part of the endpoints, e.g. in the "SAML-P sign-on endpoint": https://login.microsoftonline.com/[MICROSOFT ID HERE]/saml2

Bash these settings into the Nextcloud database, table [prefix]_appconfig:

general-uid_mapping: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
idp-entityId: https://sts.windows.net/[MICROSOFT ID HERE]/
idp-singleLogoutService.url: https://login.microsoftonline.com/[MICROSOFT ID HERE]/saml2
idp-singleSignOnService.url: https://login.microsoftonline.com/[MICROSOFT ID HERE]/saml2
idp-x509cert: the LOOOONG string you can find in your "Federation metadata document" on the same page as the endpoints.
saml-attribute-mapping-displayName_mapping: http://schemas.microsoft.com/identity/claims/displayname
saml-attribute-mapping-email_mapping: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
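As an added example (not part of the gist), the following script builds the user_saml key/value pairs listed above from your Microsoft ID and the IdP certificate, sanity-checks both before anything touches the database, and renders the equivalent `occ config:app:set user_saml ...` commands as an alternative to editing [prefix]_appconfig by hand. The tenant ID and certificate in the block are constructed placeholders, and the `php occ` path is an assumption.

```python
import base64
import re
import shlex

# Azure AD tenant IDs are 36-character GUIDs; anything else means the wrong value was copied.
TENANT_ID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)


def user_saml_settings(tenant_id: str, idp_cert: str) -> dict:
    """Return the user_saml appconfig entries from the gist for one Azure AD tenant."""
    if not TENANT_ID_RE.match(tenant_id):
        raise ValueError("Microsoft ID must be the 36-character GUID shown in the endpoints")
    # Accept either the bare base64 body from the federation metadata or a PEM block.
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s", "", idp_cert)
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:
        raise ValueError("idp-x509cert is not valid base64") from exc
    # A DER certificate always starts with a SEQUENCE tag (0x30); catches pasting the wrong field.
    if not der or der[0] != 0x30:
        raise ValueError("idp-x509cert does not decode to a DER certificate")
    saml2 = f"https://login.microsoftonline.com/{tenant_id}/saml2"
    return {
        "general-uid_mapping": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
        # The trailing slash is part of the issuer value; dropping it breaks issuer matching.
        "idp-entityId": f"https://sts.windows.net/{tenant_id}/",
        "idp-singleLogoutService.url": saml2,
        "idp-singleSignOnService.url": saml2,
        "idp-x509cert": body,
        "saml-attribute-mapping-displayName_mapping": "http://schemas.microsoft.com/identity/claims/displayname",
        "saml-attribute-mapping-email_mapping": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    }


def occ_commands(settings: dict, occ: str = "php occ") -> list:
    """Render one shell-quoted `occ config:app:set user_saml <key> --value=<value>` per entry."""
    return [
        f"{occ} config:app:set user_saml {shlex.quote(key)} --value={shlex.quote(value)}"
        for key, value in settings.items()
    ]


if __name__ == "__main__":
    # Constructed placeholders: an all-zero GUID and a 5-byte DER stub, not a real certificate.
    demo = user_saml_settings("00000000-0000-0000-0000-000000000000", "MAMCAQE=")
    print("\n".join(occ_commands(demo)))
```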
@Anduin2017

So where shall I write that configuration?
