NextCloud
=========

|image0|

Presentation
------------

`NextCloud `__ is a fork of ownCloud, a suite of
client-server software for creating file hosting services and using
them.

This documentation explains how to interconnect LemonLDAP::NG and
NextCloud using the OpenID Connect or SAML 2.0 protocol.
OpenID Connect
--------------

Requirements
~~~~~~~~~~~~

Your LemonLDAP::NG server must be configured as an OpenID Connect provider.

Your NextCloud server must be able to reach the LemonLDAP::NG server directly.
If it uses SSL/TLS, make sure the certificate of the LL::NG portal is trusted
by the NextCloud server.

LemonLDAP::NG
~~~~~~~~~~~~~

Create a new OpenID Connect RP with these settings:

* Client ID: generate a value
* Client Secret: generate a value
* Login redirection URL: https://nextcloud.example.com/index.php/apps/oidc_login/oidc
* Attributes: at least ``email`` and ``name``
* User attribute: you must set here the identifier that is already used by
  NextCloud (if you have already plugged NextCloud into your LDAP directory).
  It can be ``entryUUID`` for OpenLDAP or ``objectGUID`` for AD. If this is
  not configured correctly, a new account will be created instead of using
  the existing one.

You can also share groups through OpenID Connect. In this case, create a
``groups`` claim.

Another optional claim is a boolean that lets NextCloud know whether the user
is an admin. You can easily create a macro for this.
NextCloud
~~~~~~~~~

Install and enable the `"OpenID Connect Login" plugin `__.

In your ``config.php``, configure the OIDC parameters:

.. code-block:: php

   'oidc_login_hide_password_form' => true,
   'oidc_login_auto_redirect' => true,
   'oidc_login_redir_fallback' => false,
   'oidc_login_provider_url' => 'https://auth.example.com',
   // Keep TLS verification on: the LL::NG portal certificate must be trusted (see Requirements).
   'oidc_login_tls_verify' => true,
   // Client ID and secret generated when creating the RP in LL::NG.
   'oidc_login_client_id' => 'clientid',
   'oidc_login_client_secret' => 'clientsecret',
   'oidc_login_disable_registration' => false,
   'oidc_login_use_id_token' => false,
   'oidc_login_attributes' =>
   array (
     // 'sub' carries the "User attribute" configured on the LL::NG RP.
     'id' => 'sub',
     'name' => 'name',
     'mail' => 'email',
   ),
   'oidc_login_scope' => 'openid profile email',
   'oidc_login_logout_url' => 'https://auth.example.com',

For advanced configuration, with groups and admin claims:

.. code-block:: php

   'oidc_login_attributes' =>
   array (
     'id' => 'sub',
     'name' => 'name',
     'mail' => 'email',
     // Names of the claims created on the LL::NG RP.
     'groups' => 'groups',
     'is_admin' => 'nextcloud_admin',
   ),
   'oidc_create_groups' => true,
SAML
----

Requirements
~~~~~~~~~~~~

Make sure you have :doc:`set up LemonLDAP::NG as a SAML IDP <../samlservice>`.

.. warning::

   Nextcloud requires your public SAML signature key to be in
   ``BEGIN CERTIFICATE`` format. If this is not the case, you need to
   :ref:`convert your SAML key to a certificate`. Note that recent versions
   of LL:NG are already configured to use certificates instead of public keys.
.. _nextcloud-1:

NextCloud
~~~~~~~~~

.. tip::

   If your NextCloud is behind a proxy (and thus has a private IP), the
   metadata generated by NextCloud won't work. Consider changing the
   configuration of NextCloud to force the domain and the protocol: in
   **$nextcloudrootwww/config/config.php**, add the following:

   .. code:: php

      'overwritehost' => 'nextcloud.example.com',
      'overwriteprotocol' => 'https',

Enable the `"SAML authentication" plugin `__.
Create Certificate of Service Provider for Nextcloud
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

You will need a private key and a public key wrapped in a certificate to
identify your SP in the LL:NG IDP.

Since a private key is generated, run this on a host with a secure filesystem
and a trustworthy random source.

To create a private key and a self-signed certificate for its public key,
adapt the answers to your country/state. It is recommended to use the
NextCloud hostname as the Common Name.

::

   certname=nextcloud_saml
   openssl req -new -newkey rsa:4096 -keyout $certname.key -nodes -out $certname.pem -x509 -days 3650
   Country Name (2 letter code) [AU]:BTN
   State or Province Name (full name) [Some-State]:North
   Locality Name (eg, city) []:Thimphou
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:NGO
   Organizational Unit Name (eg, section) []:
   Common Name (e.g. server FQDN or YOUR name) []:nextcloud.example.com
   Email Address []:

Once you have copied the key and certificate into NextCloud (next section), it
is recommended to remove the private key file from this system.
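The interactive ``openssl req`` session above can be scripted, and the two things worth checking before pasting the result into NextCloud (that the file really is a ``BEGIN CERTIFICATE`` PEM, as required in the SAML requirements above, and that the private key matches the certificate) can be checked with the same tool. The script below is an added example written for this page; it is not part of the LemonLDAP::NG or NextCloud documentation. The subject fields are constructed sample values (``openssl`` only accepts a two-letter country code, so ``BT`` is used where the session above typed ``BTN``), and ``nextcloud_saml`` is the same file prefix as above.

```shell
#!/bin/sh
# Added example (not from the LemonLDAP::NG docs): create and verify the
# NextCloud SAML Service Provider key pair without the interactive prompts.

# Generate an RSA private key and a self-signed certificate for the SP.
#   $1: output prefix (writes $1.key and $1.pem), e.g. nextcloud_saml
#   $2: key size in bits (default 4096, as in the documented command)
# Subject fields are constructed sample values; adapt them to your site and
# keep the NextCloud hostname as the Common Name.
make_sp_cert() {
    prefix=$1
    bits=${2:-4096}
    openssl req -new -newkey "rsa:$bits" -nodes -x509 -days 3650 \
        -keyout "$prefix.key" -out "$prefix.pem" \
        -subj "/C=BT/ST=North/L=Thimphou/O=NGO/CN=nextcloud.example.com" \
        >/dev/null 2>&1 || return 1
    # The key is only needed by NextCloud: keep it unreadable to other users.
    chmod 600 "$prefix.key"
}

# NextCloud expects a PEM certificate, not a bare public key: check the header
# and that openssl can parse it before pasting the file into the
# "X509 certificate of Service provider" field.
is_pem_certificate() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" \
        && openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# Confirm the private key really belongs to the certificate: the public key
# derived from the key must equal the public key embedded in the certificate.
#   $1: private key file, $2: certificate file
verify_sp_keypair() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Summarise what will be pasted into NextCloud and later seen in LL:NG.
show_sp_cert() {
    openssl x509 -in "$1" -noout -subject -dates -fingerprint -sha256
}

main() {
    certname=${1:-nextcloud_saml}
    make_sp_cert "$certname" \
        || { echo "key generation failed" >&2; return 1; }
    is_pem_certificate "$certname.pem" \
        || { echo "$certname.pem is not a PEM certificate" >&2; return 1; }
    verify_sp_keypair "$certname.key" "$certname.pem" \
        || { echo "key and certificate do not match" >&2; return 1; }
    show_sp_cert "$certname.pem"
    echo "Paste $certname.pem and $certname.key into NextCloud, then delete $certname.key from this host."
}

# Run the full procedure only when invoked as: sh sp_cert.sh --demo [prefix]
case "${1:-}" in
    --demo) main "${2:-}" ;;
esac
```

``verify_sp_keypair`` compares the SubjectPublicKeyInfo printed by ``openssl pkey -pubout`` with the one extracted by ``openssl x509 -pubkey``; a key from another generation run, or a file that is not a private key at all, makes it return non-zero, which is the mismatch the check is meant to catch before the SP is registered in LL:NG.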
Configure Service provider within Nextcloud
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

::

   Administration -> SSO & SAML authentication

You will find the following fields:

- **Allow the use of multiple user back-ends (e.g. LDAP)**:
  activate it during configuration; remove it later, only once a SAML
  user with administration rights can log in.
- **Attribute to map the UID to**: identity attribute provided by your
  LL:NG that will be used as the UID in NextCloud.
- **Optional display name of the identity provider**: choose a name
  (without spaces) that identifies this NextCloud app meaningfully, so that
  you can reuse it in LL:NG too.
- **Service Provider Data**:

  - **Name ID format**: select Email Address
  - **X509 certificate of Service provider**: the certificate you
    created previously for this purpose
  - **Private key of the Service provider**: the private key corresponding
    to the public key within the Service Provider certificate.

- **Identity Provider Data**:

  - **Identifier of the IdP entity**: SAML Metadata URL of your LL:NG
  - **URL Target of the IdP where the SP will send the Authentication
    Request Message**: SingleSignOn URL of your LL:NG
  - **URL Location of the IdP where the SP will send the SLO
    Request**: SingleLogOut URL of your LL:NG
  - **Public X.509 certificate of the IdP**: certificate of your LL:NG

Your fields should look like this:

|image3|

Recent versions of LL:NG are already configured to use certificates
instead of public keys, so you can obtain the PEM-encoded certificate directly
by copying and pasting the certificate field into the "Public X.509 certificate
of the IdP" field of your NextCloud.

You can now download your metadata XML file.
LL:NG, SAML 2.0 Service Provider configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

We now have to define a service provider (i.e. our NextCloud) in LL:NG.

Go to "SAML service providers", click on "Add SAML SP" and name it as
you want (example: 'NextCloud'; it was 'NGOSSO' in the previous screenshot).

In the new subtree 'NextCloud', open 'Metadata' and paste the content of
your previously downloaded file (or upload the file).

|image4|

Now go to "Exported attributes" and add, at least, the 'uid'.

|image5|

You might need to add 'mail' to fill the NameID expected by NextCloud, or
to configure an explicit 'uid' NameID mapping in **Force NameID session key**.

Don't forget to save your configuration.

You are now good to go, and you can add the application in
:doc:`your menu<../portalmenu>` and
:doc:`your virtual hosts<../configvhost>`.
.. |image0| image:: /applications/nextcloud-logo.png
   :class: align-center
.. |image1| image:: /applications/nextcloud_saml_activation.png
   :class: align-center
.. |image2| image:: /applications/nextcloud_certificate_keys.png
   :class: align-center
.. |image3| image:: /applications/nextcloud_saml_configuration.png
   :class: align-center
.. |image4| image:: /applications/nextcloud_service_metadata.png
   :class: align-center
.. |image5| image:: /applications/nextcloud_service_exportedattributes.png
   :class: align-center
.. |image6| image:: /applications/nextcloud_certificate_keys.png
   :class: align-center