Wednesday, July 29, 2020

Social logins for nextcloud via auth0 - 2 Auth Server

Following up on the previous blog post on setting up a basic Nextcloud server on DigitalOcean, the next step is to set up an auth/SSO server so I don't have to create individual users on Nextcloud.

After reviewing Keycloak, Gluu and other open-source SSO managers, I decided to go with Auth0 as a hosted service. It gives me the basic functionality I need for the Nextcloud setup. I'm not sure yet if I have to worry about user data migration if I'm to change auth server, but for the time being I'm not going to consider this as a blocker.

Steps followed:
  1. https://medium.com/@mathiasconradt/nextcloud-single-sign-on-with-auth0-a546cdf1fccf
    1. set up an Auth0 account and follow the Auth0 config instructions
  2. log in to the admin portal of Nextcloud, go to Apps and install the "SSO & SAML authentication" app
    1. I had to browse through the enterprise bundle to find this app
  3. go to Settings -> "SSO / SAML authentication"
    1. tick "Allow the use of multiple user back-ends (e.g. LDAP)"
    2. attribute to map the UID to: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
    3. identity of the IdP: urn:<tenant>.eu.auth0.com
    4. URL target of the IdP: https://<tenant>.eu.auth0.com/samlp/<auth0_client_id>
    5. URL location of the IdP where the SP will send the SLO request: https://<tenant>.eu.auth0.com/samlp/<auth0_client_id>/logout
    6. public X.509 certificate of the IdP: <copy the certificate from the Auth0 application settings :: advanced>
    7. attribute to map the display name to: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    8. attribute to map the email address to: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  4. set up the redirect.html according to the article
    1. sudo vim /var/www/nextcloud/redirect.html
    2. sudo chown www-data:www-data /var/www/nextcloud/redirect.html
  5. disable signups and enable the email allowlist for social logins on Auth0
    1. https://auth0.com/rules/simple-user-whitelist
  6. good time to back up the droplet
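The four IdP values pasted into step 3 (entity ID, SSO URL, SLO URL and the signing certificate) are what Nextcloud uses to decide which assertions to trust, so a paste error quietly widens or breaks that trust. The script below is an added example, not code from the original post, Nextcloud or Auth0: it parses a SAML 2.0 IdP metadata document (IdPs publish one; for Auth0 the path /samlp/metadata/<client_id> is assumed here, not taken from the post) and reports which Nextcloud fields disagree with it. The metadata sample, tenant name, client id and certificate body are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample of SAML 2.0 IdP metadata; tenant, client id and
# certificate body are placeholders, not real Auth0 values.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:example-tenant.eu.auth0.com">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>
    MIIBxDCCAW6gAwIBAgIUZA==
   </X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://example-tenant.eu.auth0.com/samlp/CLIENT_ID/logout"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://example-tenant.eu.auth0.com/samlp/CLIENT_ID"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

def normalize_cert(text):
    """Strip PEM armour and whitespace so a cert pasted from the Auth0 settings page compares equal to the metadata copy."""
    return re.sub(r"\s+", "", re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text or ""))

def parse_idp_metadata(xml_text):
    """Extract entityID, SSO/SLO endpoints and the signing certificate from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    def location(tag):
        el = idp.find(f"md:{tag}", NS)
        return el.get("Location") if el is not None else None
    return {"entity_id": root.get("entityID"),
            "sso_url": location("SingleSignOnService"),
            "slo_url": location("SingleLogoutService"),
            "cert": normalize_cert(cert.text) if cert is not None else None}

def check_nextcloud_config(config, metadata):
    """Return the names of Nextcloud 'SSO & SAML' fields whose configured values
    disagree with the IdP metadata; an empty list means the IdP fields line up."""
    expected = {"identity of the IdP": metadata["entity_id"],
                "URL target of the IdP": metadata["sso_url"],
                "URL location of the IdP for SLO": metadata["slo_url"],
                "public X.509 certificate of the IdP": metadata["cert"]}
    def configured(field):
        value = config.get(field, "")
        return normalize_cert(value) if field.startswith("public X.509") else value
    return [field for field, want in expected.items() if configured(field) != want]
```

Run it against the live metadata after rotating the Auth0 signing certificate as well: a stale certificate in Nextcloud is the usual reason logins suddenly fail after a key rotation.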

Set up nextcloud on digitalocean - 1 Basic setup (snap)

I've always wanted to set up a private file share for family and friends that is secure. Looks like Nextcloud has the best feature set, and I've decided to give it a shot. If all goes well I will have a simple, efficient setup to use as a file backup in the cloud with mobile access.

Once the functional aspects are set up properly, I will have time to worry about non-functional requirements (security / backup and restore / monitoring / performance / cost efficiency / high availability / etc.).

Here are the steps I followed:
  1. https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-18-04
    I didn't worry about UFW as I will be using DigitalOcean cloud firewall rules to secure hosts at the network level for now. A host-level firewall is a possible future add-on.
  2. https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-nextcloud-on-ubuntu-18-04
  3. Have the block storage attached to the droplet
  4. sudo snap stop nextcloud
  5. https://www.digitalocean.com/community/questions/configuring-volumes
    1. sudo mkdir -p /media/nextcloud_data
    2. sudo mount -o discard,defaults,noatime /dev/disk/by-id/<disk-id> /media/nextcloud_data
    3. sudo echo '/dev/disk/by-id/<disk-id> /media/nextcloud_data ext4 defaults,nofail,discard 0 0' | sudo tee -a /etc/fstab
  6. read through https://askubuntu.com/questions/882625/nextcloud-snap-with-data-directory-on-external-harddrive
    1. sudo mv /var/snap/nextcloud/common/nextcloud/data ./nextcloud_data/data
    2. sudo vi /var/snap/nextcloud/current/nextcloud/config/config.php
  7. sudo snap start nextcloud
  8. go to the application and do a quick sanity check as admin.
  9. This is a good time to take a backup of the droplet, as you may want to restart the journey from here, just in case.

Additional reading material: