habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cab2942c4e32029b7bdc9df85a30dbedd9ec8e34
authentik/website/docs/integrations/services/nextcloud/index.md
Jens Langhammer 001de38d85 docs: add nextcloud docs
2020-12-22 20:09:15 +01:00

2.5 KiB
Raw Blame History

title
title
NextCloud

What is NextCloud

From https://en.wikipedia.org/wiki/Nextcloud

:::note Nextcloud is a suite of client-server software for creating and using file hosting services. Nextcloud is free and open-source, which means that anyone is allowed to install and operate it on their own private server devices. :::

:::warning This setup only works, when NextCloud is running with HTTPS enabled. :::

:::warning In case something goes wrong with the configuration, you can use the URL http://nextcloud.company/login?direct=1 to log in using the built-in authentication. :::

Preparation

The following placeholders will be used:

  • nextcloud.company is the FQDN of the NextCloud install.
  • authentik.company is the FQDN of the authentik install.

Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:

  • ACS URL: https://nextcloud.company/apps/user_saml/saml/metadata
  • Audience: https://nextcloud.company/apps/user_saml/saml/acs
  • Issuer: https://authentik.company
  • Service Provider Binding: Post
  • Property mappings: Select all Autogenerated mappings.

You can of course use a custom signing certificate, and adjust durations.

NextCloud

In NextCloud, navigate to Settings, then SSO & SAML Authentication.

Set the following values:

  • Attribute to map the UID to.: urn:oid:0.9.2342.19200300.100.1.1
  • Optional display name of the identity provider (default: "SSO & SAML log in"): authentik
  • Identifier of the IdP entity (must be a URI): https://authentik.company
  • URL Target of the IdP where the SP will send the Authentication Request Message: https://authentik.company/application/saml/<application-slug>/sso/binding/redirect/

Under Attribute mapping, set these values:

  • Attribute to map the displayname to.: urn:oid:2.16.840.1.113730.3.1.241
  • Attribute to map the email address to.: urn:oid:0.9.2342.19200300.100.1.3
  • Attribute to map the users groups to.: member-of

Group Quotas

Create a group for each different level of quota you want users to have. Set a custom attribute, for example called nextcloud_quota, to the quota you want, for example 15 GB.

Afterwards, create a custom SAML Property Mapping with the name SAML NextCloud Quota. Set the SAML Name to nextcloud_quota. Set the Expression to return user.group_attributes.get("nextcloud_quota", "1 GB"), where 1 GB is the default value for users that don't belong to another group (or have another value set).