sso nextcloud only with openid connect login plugin

2020-10-14 23:32:03 +02:00 · 2020-10-14 23:32:03 +02:00 · 37b43dbebd
commit 37b43dbebd
parent 16d7ca0f38
5 changed files with 41 additions and 76 deletions
--- a/docs/divers/devops/img/keycloak-nextcloud/keycloak_client-newmapper.png
+++ b/docs/divers/devops/img/keycloak-nextcloud/keycloak_client-newmapper.png
--- a/docs/divers/devops/img/keycloak-nextcloud/keycloak_client-openidfineconfig.png
+++ b/docs/divers/devops/img/keycloak-nextcloud/keycloak_client-openidfineconfig.png
--- a/docs/divers/devops/img/keycloak-nextcloud/social_customopenid.png
+++ b/docs/divers/devops/img/keycloak-nextcloud/social_customopenid.png
--- a/docs/divers/devops/img/keycloak-nextcloud/social_settings.png
+++ b/docs/divers/devops/img/keycloak-nextcloud/social_settings.png
--- a/docs/divers/devops/keycloak-nextcloud.md
+++ b/docs/divers/devops/keycloak-nextcloud.md
@ -1,14 +1,8 @@
 # Keycloak as SSO in Nextcloud

-In this guide we will cover two methods to have SSO in Nextcloud via Keycloak.
-The first one uses the plugin Social Login in Nextcloud.
-The second one uses the OpenidConnect plugin.
+## Keycloak configuration

-## SSO with Social Login plugin
-
-### Keycloak configuration
-
-#### Create a client
+### Create a client

 We need first to create a client in keycloak, to connect to Nextcloud.

@ -20,29 +14,40 @@ Use the following settings:

 ![settings for client](img/keycloak-nextcloud/keycloak_client-settings.png)

+and
+
+![Configure ID Token Signature Algo as RS256](img/keycloak-nextcloud/keycloak_client-openidfineconfig.png)
+
+### Map groups in client
+
 #### Create a new role in client

 In **Roles** tab, we create a role admin that we will map to Nextcloud.

 ![create role](img/keycloak-nextcloud/keycloak_client-newrole.png)

-#### Create a new protocol mapper
+Create here all the groups you'll need in Nextcloud

-In **Mappers** tab, we create a mapper for roles.
+**You will also have to create them in Nextcloud! **

-![create mapper](img/keycloak-nextcloud/keycloak_client-newmapper.png)
+#### Configure mapper for roles
+
+This will allow us to map roles from client to nextcloud's groups.
+
+![Mapper for groups](img/keycloak-nextcloud/keycloak_client-openidmapperroles.png)
+
+Choose the **Name** you want, but **Token Claim Name** must be `ownCloudGroups`.

 #### Map roles for user

 Go to an admin user you created (or create an user) and map admin role we created.

 Go to the **Role Mappings** tab, then select the client you created in the **Client Roles** 
-selection box, then click on **Add Selected** in the bottom-left to promote admin from available 
+selection box, then click on **Add Selected** in the bottom-left to promote a role from available 
 to assigned roles.

 ![map roles for user](img/keycloak-nextcloud/keycloak_user-rolemapping.png)

-
 #### Check if mapping has been catched by client

 Go back to client part and evaluate client scope for the admin user you just configured. 
@ -53,6 +58,22 @@ Check the **Generated Access Token** tab to see if the user get admin role.

 ![evaluate client scope](img/keycloak-nextcloud/keycloak_client-evaluaterolemapping.png)

+### Map quota
+
+We have the ability to define storage quota for each user we create.
+
+#### Configure mapper for quota
+
+![Mapper for quota](img/keycloak-nextcloud/keycloak_client-openidmapperquota.png)
+
+#### Configure quota for user
+
+![Quota attribute for user](img/keycloak-nextcloud/keycloak_user-openidattributequota.png)
+
+### Get informations
+
+We need client secret and realm endpoints to configure nextcloud.
+
 #### Get Client Secret

 Go in **Client** -> **Credentials**, to get client secret that we will need to configure nextcloud plugin.
@ -72,67 +93,9 @@ You will be redirected to the API endpoint, showing you endpoits url and other i
 ![json endpoint data](img/keycloak-nextcloud/keycloak_realm-json.png)


-### Use Social Login
-
-#### Install Social Login Plugin
-
-1. In Nextcloud, go to Applications and search for Social Login.
-
-2. Clic on Download and install.
-
-#### Configure Social Login
-
-1. Go to Administration Settings, where a new section has been created for Social Login.
-
-2. Use following configuration and Save:
-
-    ![Social Login Settings](img/keycloak-nextcloud/social_settings.png)
-
-3. Create a custom OpenId Connect
-
-    Use following configuration and adapt enpoints and secret. 
-
-    ![Custom Openid Connect](img/keycloak-nextcloud/social_customopenid.png)
-
-4. Reform Logout Url like this:
-  
-    ```
-    https://keycloak.domain.ext/auth/realms/your-realm/protocol/openid-connect/logout?redirect_uri=https://nextcloud.domain.ext
-    ```
-    
-5. Don't forget to save
-
-## SSO with OpenId Connect Login Plugin
-
-### Configure Keycloak 
-
-#### Configure client in Keycloak
-
-Use the same configuration than the solution with social login:
-
-![Basic configuration for client](img/keycloak-nextcloud/keycloak_client-settings.png)
-
-Just add Fine Grain OpenId Connect Configuration as above:
-
-![Configure ID Token Signature Algo as 256](img/keycloak-nextcloud/keycloak_client-openidfineconfig.png)
-
-#### Configure mapper for quota
-
-![Mapper for quota](img/keycloak-nextcloud/keycloak_client-openidmapperquota.png)
-
-#### Configure mapper for roles
-
-![Mapper for groups](img/keycloak-nextcloud/keycloak_client-openidmapperroles.png)
-
-#### Configure quota for user
-
-![Quota attribute for user](img/keycloak-nextcloud/keycloak_user-openidattributequota.png)
-
-### Use OpenId Connect Login Plugin
-
 #### Install the plugin

-OpenID connect Login is a plugin made by pulsejet that can be found in Nextcloud AppStore.
+**OpenID Connect Login** is a plugin made by pulsejet that can be found in Nextcloud AppStore.

 #### Configure Nextcloud

@ -140,7 +103,6 @@ Configuration of the plugin can only be made by modifying `config.php`.

 ```
 $CONFIG = array (
-    // Some Nextcloud options that might make sense here
    'allow_user_to_change_display_name' => false,
    'lost_password_link' => 'disabled',

@ -152,7 +114,7 @@ $CONFIG = array (
    'oidc_login_client_secret' => 'secret', // Client Secret: Got to Clients -> Client -> Credentials

    // Automatically redirect the login page to the provider
-    'oidc_login_auto_redirect' => true,
+    'oidc_login_auto_redirect' => false,

    // Redirect to this page after logging out the user
    'oidc_login_logout_url' => 'https://keycloak.domain.ext/auth/realms/YOUR-REALM/protocol/openid-connect/logout?&redirect_uri=http%3A%2F%2Fnextcloud.domain.ext%2F', 
@ -161,7 +123,7 @@ $CONFIG = array (
    'oidc_login_default_quota' => '1000000000',

    // Login button text
-    'oidc_login_button_text' => 'Log in with OpenID',
+    'oidc_login_button_text' => 'OpenID',

    // Attribute map for OIDC response. Available keys are:
    //   i)   id:       Unique identifier for username
@ -220,7 +182,7 @@ $CONFIG = array (
    'oidc_login_proxy_ldap' => false,

    // Disable creation of new users from OIDC login
-    'oidc_login_disable_registration' => true,
+    'oidc_login_disable_registration' => false,

    // Fallback to direct login if login from OIDC fails
    // Note that no error message will be displayed if enabled
@ -238,5 +200,8 @@ $CONFIG = array (
    // For development, you may disable TLS verification. Default value is `true`
    // which should be kept in production
    'oidc_login_tls_verify' => true,
+    
+    // If you are behind a proxy
+    'overwriteprotocol' => 'https',
 );
 ```