Register a new application in Azure AD (App registrations) the usual way.
My config looks like this; use it as inspiration:
{
  "appId": "********-****-****-****-*************",
  "appRoles": [],
  "availableToOtherTenants": false,
  "displayName": "Nextcloud",
  "errorUrl": null,
  "groupMembershipClaims": null,
  "optionalClaims": null,
  "acceptMappedClaims": null,
  "homepage": "https://nextcloudurl.tld",
  "informationalUrls": {
    "privacy": null,
    "termsOfService": null
  },
  "identifierUris": [
    "https://nextcloudurl.tld/apps/user_saml/saml/metadata"
  ],
  "keyCredentials": [],
  "knownClientApplications": [],
  "logoutUrl": null,
  "oauth2AllowImplicitFlow": false,
  "oauth2AllowUrlPathMatching": false,
  "oauth2Permissions": [
    {
      "adminConsentDescription": "Allow the application to access Nextcloud on behalf of the signed-in user.",
      "adminConsentDisplayName": "Access Nextcloud",
      "id": "********-****-****-****-************",
      "isEnabled": true,
      "type": "User",
      "userConsentDescription": "Allow the application to access Nextcloud on your behalf.",
      "userConsentDisplayName": "Access Nextcloud",
      "value": "user_impersonation"
    }
  ],
  "oauth2RequirePostResponse": false,
  "objectId": "********-****-****-****-************",
  "parentalControlSettings": {
    "countriesBlockedForMinors": [],
    "legalAgeGroupRule": "Allow"
  },
  "passwordCredentials": [
    {
      "customKeyIdentifier": "************************",
      "endDate": "2299-12-30T23:00:00Z",
      "keyId": "*********-****-****-****-***********",
      "startDate": "2018-09-10T14:39:58.0337567Z",
      "value": null
    }
  ],
  "publicClient": false,
  "replyUrls": [
    "https://nextcloudurl.tld"
  ],
  "requiredResourceAccess": [
    {
      "resourceAppId": "********-****-****-*****-************",
      "resourceAccess": [
        {
          "id": "*********-****-****-****-************",
          "type": "Scope"
        }
      ]
    }
  ],
  "samlMetadataUrl": "https://nextcloudurl.tld/apps/user_saml/saml/metadata"
}
Go to:
https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps
Under Endpoints you'll find your 36-character Microsoft ID (the tenant/directory ID) as part of the URLs, e.g. in the "SAML-P sign-on endpoint":
https://login.microsoftonline.com/[MICROSOFT ID HERE]/saml2
Write these settings into the Nextcloud database, table [prefix]_appconfig, as rows with appid user_saml. Rather than editing the table by hand, you can set each one with "php occ config:app:set user_saml <key> --value=<value>", which writes the same rows and also clears Nextcloud's config cache:
general-uid_mapping: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
idp-entityId: https://sts.windows.net/[MICROSOFT ID HERE]/ (keep the trailing slash; it is part of the issuer value Azure sends)
idp-singleLogoutService.url: https://login.microsoftonline.com/[MICROSOFT ID HERE]/saml2
idp-singleSignOnService.url: https://login.microsoftonline.com/[MICROSOFT ID HERE]/saml2
idp-x509cert: the long base64 string from the X509Certificate element in your "Federation metadata document" (linked on the same page as the endpoints), pasted as a single line without PEM headers. The metadata document is itself signed, so it contains more than one X509Certificate element; the one you want sits under IDPSSODescriptor in the KeyDescriptor with use="signing".
saml-attribute-mapping-displayName_mapping: http://schemas.microsoft.com/identity/claims/displayname
saml-attribute-mapping-email_mapping: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
So where shall I write that configuration?
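As an added example (not code from the original post or from the Nextcloud project), the script below derives the user_saml settings listed above from the 36-character tenant ID and a downloaded federation metadata document, cross-checks the metadata against the tenant, picks the token-signing certificate under IDPSSODescriptor rather than the certificate that merely signs the metadata file, and emits the matching "occ config:app:set user_saml ..." commands instead of touching [prefix]_appconfig directly. The occ path /var/www/nextcloud/occ, the www-data user, the sample tenant ID and the embedded sample metadata (with dummy certificates) are all assumptions constructed for the example.

```python
from __future__ import annotations

import shlex
import subprocess
import sys
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample shaped like an Azure AD federation metadata document:
# the document itself is signed (first certificate) and the IDPSSODescriptor
# carries the token-signing certificate (second). Both certs are dummies.
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}"
    entityID="https://sts.windows.net/{SAMPLE_TENANT}/">
  <Signature xmlns="{DS_NS}">
    <KeyInfo><X509Data><X509Certificate>
      METADATASIGNINGCERT==
    </X509Certificate></X509Data></KeyInfo>
  </Signature>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS_NS}"><X509Data><X509Certificate>
        TOKENSIGNINGCERT==
      </X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{SAMPLE_TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{SAMPLE_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def idp_signing_certs(metadata_xml: str) -> list[str]:
    """Base64 token-signing cert(s) from IDPSSODescriptor/KeyDescriptor[use=signing].

    The certificate in the document's own <Signature> is skipped on purpose:
    it is the first <X509Certificate> in the file and easy to grab by mistake.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for idp in root.iter(f"{{{MD_NS}}}IDPSSODescriptor"):
        for kd in idp.iter(f"{{{MD_NS}}}KeyDescriptor"):
            if kd.get("use", "signing") != "signing":  # no "use" means both
                continue
            for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
                certs.append("".join((cert.text or "").split()))  # one line, no whitespace
    return certs


def user_saml_settings(tenant_id: str, metadata_xml: str) -> dict[str, str]:
    """Build the user_saml appconfig rows for one Azure AD tenant.

    The metadata is cross-checked against the tenant ID so a metadata file
    from another directory cannot silently install a foreign IdP certificate.
    """
    entity_id = f"https://sts.windows.net/{tenant_id}/"  # trailing slash is part of the issuer
    endpoint = f"https://login.microsoftonline.com/{tenant_id}/saml2"
    root = ET.fromstring(metadata_xml)
    if root.get("entityID") != entity_id:
        raise ValueError(f"metadata entityID {root.get('entityID')!r} is not {entity_id!r}")
    sso = {e.get("Location") for e in root.iter(f"{{{MD_NS}}}SingleSignOnService")}
    if endpoint not in sso:
        raise ValueError(f"metadata does not advertise {endpoint} as SingleSignOnService")
    certs = idp_signing_certs(metadata_xml)
    if len(certs) != 1:
        # Azure lists two signing certs during key rollover; idp-x509cert holds
        # one, so make the operator choose explicitly instead of guessing.
        raise ValueError(f"expected exactly one IdP signing cert, found {len(certs)}")
    return {
        "general-uid_mapping": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
        "idp-entityId": entity_id,
        "idp-singleSignOnService.url": endpoint,
        "idp-singleLogoutService.url": endpoint,
        "idp-x509cert": certs[0],
        "saml-attribute-mapping-displayName_mapping": "http://schemas.microsoft.com/identity/claims/displayname",
        "saml-attribute-mapping-email_mapping": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    }


def occ_commands(settings: dict[str, str], occ: str = "/var/www/nextcloud/occ",
                 web_user: str = "www-data") -> list[list[str]]:
    """One `occ config:app:set user_saml <key> --value=<value>` per setting (paths assumed)."""
    return [["sudo", "-u", web_user, "php", occ, "config:app:set", "user_saml", key, f"--value={value}"]
            for key, value in settings.items()]


def apply_settings(settings: dict[str, str], dry_run: bool = True) -> None:
    for cmd in occ_commands(settings):
        if dry_run:
            print(shlex.join(cmd))
        else:
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    # Usage: python azure_user_saml.py <tenant-id> <federationmetadata.xml> [--apply]
    if len(sys.argv) >= 3:
        with open(sys.argv[2], encoding="utf-8") as fh:
            settings = user_saml_settings(sys.argv[1], fh.read())
        apply_settings(settings, dry_run="--apply" not in sys.argv)
    else:
        apply_settings(user_saml_settings(SAMPLE_TENANT, SAMPLE_METADATA))
```

Without --apply the script only prints the occ commands, which is a convenient way to review the values before they land in appconfig; with --apply it runs them. The key names are the single-provider ones the post uses, so check them against the user_saml version you have installed.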