diff --git a/docs/divers/devops/img/keycloak-nextcloud/keycloak_client-newmapper.png b/docs/divers/devops/img/keycloak-nextcloud/keycloak_client-newmapper.png deleted file mode 100644 index eb8d0f37..00000000 Binary files a/docs/divers/devops/img/keycloak-nextcloud/keycloak_client-newmapper.png and /dev/null differ diff --git a/docs/divers/devops/img/keycloak-nextcloud/keycloak_client-openidfineconfig.png b/docs/divers/devops/img/keycloak-nextcloud/keycloak_client-openidfineconfig.png index e47db3aa..b367deca 100644 Binary files a/docs/divers/devops/img/keycloak-nextcloud/keycloak_client-openidfineconfig.png and b/docs/divers/devops/img/keycloak-nextcloud/keycloak_client-openidfineconfig.png differ diff --git a/docs/divers/devops/img/keycloak-nextcloud/social_customopenid.png b/docs/divers/devops/img/keycloak-nextcloud/social_customopenid.png deleted file mode 100644 index d8234528..00000000 Binary files a/docs/divers/devops/img/keycloak-nextcloud/social_customopenid.png and /dev/null differ diff --git a/docs/divers/devops/img/keycloak-nextcloud/social_settings.png b/docs/divers/devops/img/keycloak-nextcloud/social_settings.png deleted file mode 100644 index 4a79d1d9..00000000 Binary files a/docs/divers/devops/img/keycloak-nextcloud/social_settings.png and /dev/null differ diff --git a/docs/divers/devops/keycloak-nextcloud.md b/docs/divers/devops/keycloak-nextcloud.md index 66f30af6..5bb42445 100644 --- a/docs/divers/devops/keycloak-nextcloud.md +++ b/docs/divers/devops/keycloak-nextcloud.md @@ -1,14 +1,8 @@ # Keycloak as SSO in Nextcloud -In this guide we will cover two methods to have SSO in Nextcloud via Keycloak. -The first one uses the plugin Social Login in Nextcloud. -The second one uses the OpenidConnect plugin. +## Keycloak configuration -## SSO with Social Login plugin - -### Keycloak configuration - -#### Create a client +### Create a client We need first to create a client in keycloak, to connect to Nextcloud. 
@@ -20,29 +14,40 @@ Use the following settings: ![settings for client](img/keycloak-nextcloud/keycloak_client-settings.png) +and + +![Configure ID Token Signature Algo as RS256](img/keycloak-nextcloud/keycloak_client-openidfineconfig.png) + +### Map groups in client + #### Create a new role in client In **Roles** tab, we create a role admin that we will map to Nextcloud. ![create role](img/keycloak-nextcloud/keycloak_client-newrole.png) -#### Create a new protocol mapper +Create here all the groups you'll need in Nextcloud -In **Mappers** tab, we create a mapper for roles. +**You will also have to create them in Nextcloud! ** -![create mapper](img/keycloak-nextcloud/keycloak_client-newmapper.png) +#### Configure mapper for roles + +This will allow us to map roles from client to nextcloud's groups. + +![Mapper for groups](img/keycloak-nextcloud/keycloak_client-openidmapperroles.png) + +Choose the **Name** you want, but **Token Claim Name** must be `ownCloudGroups`. #### Map roles for user Go to an admin user you created (or create an user) and map admin role we created. Go to the **Role Mappings** tab, then select the client you created in the **Client Roles** -selection box, then click on **Add Selected** in the bottom-left to promote admin from available +selection box, then click on **Add Selected** in the bottom-left to promote a role from available to assigned roles. ![map roles for user](img/keycloak-nextcloud/keycloak_user-rolemapping.png) - #### Check if mapping has been catched by client Go back to client part and evaluate client scope for the admin user you just configured. 
@@ -53,6 +58,22 @@ Check the **Generated Access Token** tab to see if the user get admin role. ![evaluate client scope](img/keycloak-nextcloud/keycloak_client-evaluaterolemapping.png) +### Map quota + +We have the ability to define storage quota for each user we create. + +#### Configure mapper for quota + +![Mapper for quota](img/keycloak-nextcloud/keycloak_client-openidmapperquota.png) + +#### Configure quota for user + +![Quota attribute for user](img/keycloak-nextcloud/keycloak_user-openidattributequota.png) + +### Get informations + +We need client secret and realm endpoints to configure nextcloud. + #### Get Client Secret Go in **Client** -> **Credentials**, to get client secret that we will need to configure nextcloud plugin. 
@@ -72,67 +93,9 @@ You will be redirected to the API endpoint, showing you endpoits url and other i ![json endpoint data](img/keycloak-nextcloud/keycloak_realm-json.png) -### Use Social Login - -#### Install Social Login Plugin - -1. In Nextcloud, go to Applications and search for Social Login. - -2. Clic on Download and install. - -#### Configure Social Login - -1. Go to Administration Settings, where a new section has been created for Social Login. - -2. Use following configuration and Save: - - ![Social Login Settings](img/keycloak-nextcloud/social_settings.png) - -3. Create a custom OpenId Connect - - Use following configuration and adapt enpoints and secret. - - ![Custom Openid Connect](img/keycloak-nextcloud/social_customopenid.png) - -4. Reform Logout Url like this: - - ``` - https://keycloak.domain.ext/auth/realms/your-realm/protocol/openid-connect/logout?redirect_uri=https://nextcloud.domain.ext - ``` - -5. Don't forget to save - -## SSO with OpenId Connect Login Plugin - -### Configure Keycloak - -#### Configure client in Keycloak - -Use the same configuration than the solution with social login: - -![Basic configuration for client](img/keycloak-nextcloud/keycloak_client-settings.png) - -Just add Fine Grain OpenId Connect Configuration as above: - -![Configure ID Token Signature Algo as 256](img/keycloak-nextcloud/keycloak_client-openidfineconfig.png) - -#### Configure mapper for quota - -![Mapper for quota](img/keycloak-nextcloud/keycloak_client-openidmapperquota.png) - -#### Configure mapper for roles - -![Mapper for groups](img/keycloak-nextcloud/keycloak_client-openidmapperroles.png) - -#### Configure quota for user - -![Quota attribute for user](img/keycloak-nextcloud/keycloak_user-openidattributequota.png) - -### Use OpenId Connect Login Plugin - #### Install the plugin -OpenID connect Login is a plugin made by pulsejet that can be found in Nextcloud AppStore. 
+**OpenID Connect Login** is a plugin made by pulsejet that can be found in Nextcloud AppStore. #### Configure Nextcloud @@ -140,7 +103,6 @@ Configuration of the plugin can only be made by modifying `config.php`. ``` $CONFIG = array ( - // Some Nextcloud options that might make sense here 'allow_user_to_change_display_name' => false, 'lost_password_link' => 'disabled', @@ -152,7 +114,7 @@ $CONFIG = array ( 'oidc_login_client_secret' => 'secret', // Client Secret: Got to Clients -> Client -> Credentials // Automatically redirect the login page to the provider - 'oidc_login_auto_redirect' => true, + 'oidc_login_auto_redirect' => false, // Redirect to this page after logging out the user 'oidc_login_logout_url' => 'https://keycloak.domain.ext/auth/realms/YOUR-REALM/protocol/openid-connect/logout?&redirect_uri=http%3A%2F%2Fnextcloud.domain.ext%2F', @@ -161,7 +123,7 @@ $CONFIG = array ( 'oidc_login_default_quota' => '1000000000', // Login button text - 'oidc_login_button_text' => 'Log in with OpenID', + 'oidc_login_button_text' => 'OpenID', // Attribute map for OIDC response. Available keys are: // i) id: Unique identifier for username @@ -220,7 +182,7 @@ $CONFIG = array ( 'oidc_login_proxy_ldap' => false, // Disable creation of new users from OIDC login - 'oidc_login_disable_registration' => true, + 'oidc_login_disable_registration' => false, // Fallback to direct login if login from OIDC fails // Note that no error message will be displayed if enabled @@ -238,5 +200,8 @@ $CONFIG = array ( // For development, you may disable TLS verification. Default value is `true` // which should be kept in production 'oidc_login_tls_verify' => true, + + // If you are behind a proxy + 'overwriteprotocol' => 'https', ); ```
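Review bot: in the first hunk of `docs/divers/devops/keycloak-nextcloud.md` (`@@ -1,14 +1,8 @@`), the introductory paragraph that named the two SSO methods is deleted with nothing put in its place, so the document no longer states which Nextcloud app the remaining steps are for until the `#### Install the plugin` heading near the end. Keep one sentence under `# Keycloak as SSO in Nextcloud`, for example "This guide sets up SSO in Nextcloud via Keycloak using the OpenID Connect Login plugin.", so a reader knows the target before starting the Keycloak client setup.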
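Review bot: in the hunk `@@ -20,29 +14,40 @@`, the added line `+**You will also have to create them in Nextcloud! **` has a space before the closing `**`, which Markdown does not treat as a bold closer, so the asterisks will be rendered literally; write `**You will also have to create them in Nextcloud!**`. While there, give `+Create here all the groups you'll need in Nextcloud` a terminating period, and the retained heading `#### Check if mapping has been catched by client` should read "caught".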
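Review bot: in the hunk `@@ -53,6 +58,22 @@`, the new heading `+### Get informations` should be `### Get information` ("information" is uncountable). The new `### Map quota` section also consists of two screenshots only; unlike the roles section, which states in text that **Token Claim Name** must be `ownCloudGroups`, it never says which claim name the quota mapper must emit, so a reader who cannot see the image (or whose Keycloak UI differs) cannot reproduce it. Add the same kind of sentence naming the claim the plugin's attribute map expects, matching what the `config.php` example later in the document uses.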
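Review bot: in the hunk `@@ -72,67 +93,9 @@`, removing `### Use OpenId Connect Login Plugin` leaves `#### Install the plugin` and `#### Configure Nextcloud` as level-4 headings whose nearest level-3 parent is now `### Get informations`, so installing and configuring the Nextcloud app reads as a sub-step of collecting the client secret and realm endpoints. Put a parent heading back before `#### Install the plugin` (either the deleted `### Use OpenId Connect Login Plugin`, or a `## Nextcloud configuration` that mirrors the new `## Keycloak configuration`) and promote the two headings one level to match.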
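Review bot: in the hunk `@@ -152,7 +114,7 @@`, the unchanged context line `'oidc_login_logout_url' => 'https://keycloak.domain.ext/auth/realms/YOUR-REALM/protocol/openid-connect/logout?&redirect_uri=http%3A%2F%2Fnextcloud.domain.ext%2F'` sends the browser to a plain-HTTP Nextcloud URL after logout, while the last hunk of this patch adds `'overwriteprotocol' => 'https'` for the same deployment; change the encoded redirect target to `https%3A%2F%2Fnextcloud.domain.ext%2F` so the post-logout redirect stays on TLS (and drop the stray `?&`). The flip of `oidc_login_auto_redirect` from `true` to `false` also deserves a sentence in the guide, since the comment above it still only describes the option and the reader is given no reason for keeping the local login form reachable.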
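Review bot: in the hunk `@@ -220,7 +182,7 @@`, changing `'oidc_login_disable_registration'` from `true` to `false` means any identity that can authenticate in the Keycloak realm gets a Nextcloud account created on first login, which widens access from the users you explicitly created (as the "Map roles for user" section describes) to the whole realm. The reversal is silent; add a sentence explaining the trade-off and tell readers who want only pre-provisioned accounts to keep the value at `true`, or to restrict which realm users may use the client on the Keycloak side.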
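Review bot: in the last hunk (`@@ -238,5 +200,8 @@`), the comment `+    // If you are behind a proxy` is too vague for a core Nextcloud setting that changes how every generated URL, including the OIDC redirect URI registered with Keycloak, is built. `overwriteprotocol` is only correct when a reverse proxy terminates TLS in front of Nextcloud; say so, e.g. `// Only when a reverse proxy terminates TLS in front of Nextcloud: makes generated URLs (incl. the OIDC redirect URI) use https`, and mention the usual companions `trusted_proxies` and `overwritehost`. Since it is not an `oidc_login_*` option, it also belongs with the other core options at the top of the array, next to `allow_user_to_change_display_name`, rather than after the plugin's TLS-verify setting.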