HOWTO Nextcloud SAML Login with AzureAD.md

Enable Nextcloud SAML Login using AzureAD

Create an Enterprise App for Nextcloud

1. Open the Azure admin portal - https://portal.azure.com
2. Open Azure Active Directory > Enterprise applications
3. Click the + New application link at the top
4. Search for "Azure AD SAML Toolkit" in the gallery
5. Click on "Azure AD SAML Toolkit"
6. Enter "Nextcloud" in the Name and click the Add button
7. When the app opens click on "Single sign-on"
8. Click the pencil icon on the Basic SAML Configuration
9. Fill in the required fields:
   • Identifier = https://nextcloud.yourdomain.com/apps/user_saml/saml/metadata
   • Reply URL = https://nextcloud.yourdomain.com
   • Sign on URL = https://nextcloud.yourdomain.com/login
10. Save the settings
11. Download the Federation Metadata XML under the SAML Signing Certificate section

Configure Nextcloud

1. Enable the "SSO & SAML authentication" app in Nextcloud

2. Navigate to the "SSO & SAML authentication" configuration page ( Settings > SSO & SAML authentication )

3. Optionally enable "Allow the use of multiple user back-ends"

4. Under General

   • Attribute to map the UID to => http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

5. Identity Provider Data (show optional Identity Provider settings)

   • Identifier of the IdP entity => Azure AD Identifier from section 4 of the Azure App

   • URL Target of the IdP where the SP will send the Authentication Request Message => Login URL from section 4 of the Azure App

   • URL Location of the IdP where the SP will send the SLO Request => Logout URL from section 4 of the Azure App

   • Public X.509 certificate of the IdP => extract the X509Certificate from the Federation Metadata XML

     PS C:\> ([xml](Get-Content -Path .\Nextcloud.xml)).EntityDescriptor.Signature.KeyInfo.X509Data.X509Certificate | Set-Clipboard

6. Attribute Mapping

   • Attribute to map the displayname to => http://schemas.microsoft.com/identity/claims/displayname
   • Attribute to map the email address to => http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

7. Make note of the direct login URL, typically https://nextcloud.domain.com/login?direct=1

Note: If you use the Nextcloud container you may have to include index.php in your URLs.

Hi Exploit-Syst3me , Juanjotravelc you must use ad AzureAD admin account, who is assigned to EnterpriseApp-entry of you Nextcloud

Hi @Exploit-Syst3me , @Juanjotravelc , I had the same problem and found the missing settings on Azure. I had to configure self-service to allow users to request access.
Hopping this can help you and the community.

I pasted http://schemas.microsoft.com/identity/claims/displayname into Attribute to map the displayname to
and http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress to Attribute to map the email address to.
and it doesn't seem to work.

can you be clearer on what to type in to the attribute mapping

Hi @Exploit-Syst3me , @Juanjotravelc , I had the same problem and found the missing settings on Azure. I had to configure self-service to allow users to request access. Hopping this can help you and the community.

I have the same issue and wanted to try your solution - was it only the request to access setting that you changed?

https://sekureco42.ch/posts/nextcloud-sso-with-azure-active-directory/

https://sekureco42.ch/posts/nextcloud-sso-with-azure-active-directory/

@bankmrc054, thank you so much! It works now. I am very grateful.

For those who are trying this on a small deployment with just basic services. I believe you need at least an Entrata ID P2 level of license.

For those who are trying this on a small deployment with just basic services. I believe you need at least an Entrata ID P2 level of license.

From what I remember we only had E3 at the time. I think you should be able to do this with basic O365 licensing.