Wednesday, July 29, 2020

Social logins for nextcloud via auth0 - 2 Auth Server

Following up on the previous blog post on setting up a basic nextcloud server on digitalocean, the next step is to set up an auth/SSO server so I don't have to create individual users on nextcloud.

After reviewing keycloak, gluu and other open-source SSO managers, I decided to go with auth0 as a hosted service. It gives me the basic functionality I need for the nextcloud setup. I'm not sure yet if I have to worry about user data migration if I'm to change auth server, but for the time being I'm not going to consider this as a blocker.

Steps followed:
  1. https://medium.com/@mathiasconradt/nextcloud-single-sign-on-with-auth0-a546cdf1fccf
    1. setup auth0 account and follow the auth0 config instructions
  2. login to the admin portal of nextcloud and go to apps, install the "SSO & SAML authentication" app
    1. I had to browse through the enterprise bundle to find this app 
  3. go to settings -> "SSO / SAML authentication"
    1. tick "Allow the use of multiple user back-ends (e.g. LDAP)"
    2. attribute to map UID : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
    3. identity of the IDP : urn:<tenant>.eu.auth0.com
    4. URL target of IDP: https://<tenant>.eu.auth0.com/samlp/<auth0_client_id>
    5. URL Location of the IdP where the SP will send the SLO Request: https://<tenant>.eu.auth0.com/samlp/<auth0_client_id>/logout
    6. Public X.509 certificate of the IdP:<copy the certificate from the Auth0 application settings :: advanced>
    7. Attribute to map the displayname to : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    8. Attribute to map the email address to : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  4. Setup the redirect.html according to the article
    1. sudo vim /var/www/nextcloud/redirect.html
    2. sudo chown www-data:www-data /var/www/nextcloud/redirect.html
  5. Disable signups and enable email allowlist for social logins on Auth0
    1. https://auth0.com/rules/simple-user-whitelist
  6. good time to backup the droplet
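Step 5 is the part that actually decides who gets into nextcloud once social logins are enabled: every Google/GitHub/etc. account that completes the Auth0 flow would otherwise become a nextcloud user. Below is an added example of an Auth0 Rule (the `function (user, context, callback)` hook format Auth0 used at the time) that enforces an email allowlist. It is not the code from this post or from Auth0's own "simple user whitelist" template; the allowlist addresses are constructed placeholders and `emailAllowlistRule`/`denialReason` are names chosen here. The one check worth adding over the plain template is `email_verified`: a social IdP can pass through an unverified address, so without that check anyone who registers an allowlisted address at such an IdP gets in.

```javascript
// Added example (not from the blog post or Auth0's template): an Auth0 Rule
// that enforces an email allowlist for social logins.
//
// In the Auth0 Rules sandbox `UnauthorizedError` is a provided global. The
// shim below only defines it when this file runs outside that sandbox.
if (typeof UnauthorizedError === 'undefined') {
  globalThis.UnauthorizedError = class UnauthorizedError extends Error {};
}

// Constructed allowlist for the example. In a real rule keep this in the
// rule's settings (the `configuration` object) rather than in source.
const ALLOWED_EMAILS = ['alice@example.com', 'bob@example.com'];

// Pure decision function so the policy can be tested without Auth0.
// Returns null when the login may proceed, otherwise a denial reason.
function denialReason(user, allowlist) {
  if (!user || typeof user.email !== 'string') {
    // e.g. a social IdP that did not release an email address at all
    return 'no email in profile';
  }
  // A social IdP may hand over an unverified address. Without this check an
  // attacker could register an allowlisted address at that IdP and log in.
  if (user.email_verified !== true) {
    return 'email not verified';
  }
  const email = user.email.trim().toLowerCase();
  const allowed = allowlist.map((e) => e.trim().toLowerCase());
  if (!allowed.includes(email)) {
    return 'email not on allowlist';
  }
  return null;
}

// Auth0 Rule entry point, same shape as the dashboard template:
// function (user, context, callback).
function emailAllowlistRule(user, context, callback) {
  const reason = denialReason(user, ALLOWED_EMAILS);
  if (reason !== null) {
    // Deny the login; Auth0 sends the error back to the application.
    return callback(new UnauthorizedError('Access denied: ' + reason));
  }
  return callback(null, user, context);
}
```

In the Auth0 dashboard only the `emailAllowlistRule` function body is pasted in as the rule (the shim and the `ALLOWED_EMAILS` constant are for running this file locally); the allowlist itself belongs in the rule's configuration settings, and since rules run for every application in the tenant, gate on `context.clientID` if the tenant hosts more than the nextcloud app.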
