After reviewing keycloak, gluu and other opensource SSO mamangers, I decided to go with auth0 as a hosted service. it gives me the basic functionality I need for next cloud setup. I'm not sure yet if I have to worry about user data migration if I'm to change auth server, but for the time being i'm not going to consider this as a blocker.
Steps followed:
- https://medium.com/@mathiasconradt/nextcloud-single-sign-on-with-auth0-a546cdf1fccf
- setup auth0 account and follow the auth0 config instructions
- login to adminportal of nextcloud and go to apps, install "SSO & SAML authentication" app
- I had to browse through the enterprise bundle to find this app
- go to settings -> "SSO / SAML authentication"
- tick "Allow the use of multiple user back-ends (e.g. LDAP)"
- attribute to map UID : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
- identity of the IDP : urn:<tenant>.eu.auth0.com
- URL target of IDP: https://<tenant>.eu.auth0.com/samlp/<auth0_client_id>
- URL Location of the IdP where the SP will send the SLO Request: https://<tenant>.eu.auth0.com/samlp/<auth0_client_id>/logout
- Public X.509 certificate of the IdP:<copy the certificate from the Auth0 application settings :: advanced>
- Attribute to map the displayname to : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- Attribute to map the email address to : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Setup the redirect.html according to the article
- sudo vim /var/www/nextcloud/redirect.html
- sudo chown www-data:www-data /var/www/nextcloud/redirect.html
- Disable signups and enable email allowlist for social logins on Auth0
- good time to backup the droplet
No comments:
Post a Comment