sso nextcloud only with openid connect login plugin

makayabou 2020-10-14 23:32:03 +02:00
parent 16d7ca0f38
commit 37b43dbebd
5 changed files with 41 additions and 76 deletions

@ -1,14 +1,8 @@
# Keycloak as SSO in Nextcloud
In this guide we will cover two methods to have SSO in Nextcloud via Keycloak.
The first one uses the plugin Social Login in Nextcloud.
The second one uses the OpenidConnect plugin.
## Keycloak configuration
## SSO with Social Login plugin
### Keycloak configuration
#### Create a client
### Create a client
We need first to create a client in keycloak, to connect to Nextcloud.
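Review bot: the removed introduction ("In this guide we will cover two methods ...") is not replaced, so the document now opens with "# Keycloak as SSO in Nextcloud" followed directly by "## Keycloak configuration" and never says which Nextcloud app it targets. Suggest one introductory line under the title, e.g. "This guide sets up SSO in Nextcloud via Keycloak using the OpenID Connect Login plugin." Also "in keycloak" in the last line of the hunk should be "in Keycloak", and "We need first to create" reads better as "First we need to create".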
@ -20,29 +14,40 @@ Use the following settings:
![settings for client](img/keycloak-nextcloud/keycloak_client-settings.png)
and
![Configure ID Token Signature Algo as RS256](img/keycloak-nextcloud/keycloak_client-openidfineconfig.png)
### Map groups in client
#### Create a new role in client
In **Roles** tab, we create a role admin that we will map to Nextcloud.
![create role](img/keycloak-nextcloud/keycloak_client-newrole.png)
#### Create a new protocol mapper
Create here all the groups you'll need in Nextcloud
In **Mappers** tab, we create a mapper for roles.
**You will also have to create them in Nextcloud! **
![create mapper](img/keycloak-nextcloud/keycloak_client-newmapper.png)
#### Configure mapper for roles
This will allow us to map roles from client to nextcloud's groups.
![Mapper for groups](img/keycloak-nextcloud/keycloak_client-openidmapperroles.png)
Choose the **Name** you want, but **Token Claim Name** must be `ownCloudGroups`.
#### Map roles for user
Go to an admin user you created (or create an user) and map admin role we created.
Go to the **Role Mappings** tab, then select the client you created in the **Client Roles**
selection box, then click on **Add Selected** in the bottom-left to promote admin from available
selection box, then click on **Add Selected** in the bottom-left to promote a role from available
to assigned roles.
![map roles for user](img/keycloak-nextcloud/keycloak_user-rolemapping.png)
#### Check if mapping has been catched by client
Go back to client part and evaluate client scope for the admin user you just configured.
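Review bot: a few wording issues remain in this hunk: the heading "Check if mapping has been catched by client" should read "caught", "create an user" should be "a user", and "**You will also have to create them in Nextcloud! **" has a space before the closing "**" that breaks the bold in Markdown. More importantly, "Token Claim Name must be `ownCloudGroups`" is the one detail that decides which Nextcloud groups a user lands in, and the hunk says the client role is named admin and is "mapped to Nextcloud's groups"; it would help to state explicitly that a Keycloak client role named admin ends up granting Nextcloud admin rights through this claim, so that role should be assigned deliberately and checked in the "Generated Access Token" step below.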
@ -53,6 +58,22 @@ Check the **Generated Access Token** tab to see if the user get admin role.
![evaluate client scope](img/keycloak-nextcloud/keycloak_client-evaluaterolemapping.png)
### Map quota
We have the ability to define storage quota for each user we create.
#### Configure mapper for quota
![Mapper for quota](img/keycloak-nextcloud/keycloak_client-openidmapperquota.png)
#### Configure quota for user
![Quota attribute for user](img/keycloak-nextcloud/keycloak_user-openidattributequota.png)
### Get informations
We need client secret and realm endpoints to configure nextcloud.
#### Get Client Secret
Go in **Client** -> **Credentials**, to get client secret that we will need to configure nextcloud plugin.
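Review bot: the new "Map quota" section consists of screenshots only; please name in the text the user attribute and the token claim name the quota mapper uses, so the section is usable without the images and can be matched against `oidc_login_default_quota` and the attribute map in the `config.php` block further down. Also "Get informations" should be "Get information" and "Go in **Client**" should be "Go to **Client**".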
@ -72,67 +93,9 @@ You will be redirected to the API endpoint, showing you endpoits url and other i
![json endpoint data](img/keycloak-nextcloud/keycloak_realm-json.png)
### Use Social Login
#### Install Social Login Plugin
1. In Nextcloud, go to Applications and search for Social Login.
2. Clic on Download and install.
#### Configure Social Login
1. Go to Administration Settings, where a new section has been created for Social Login.
2. Use following configuration and Save:
![Social Login Settings](img/keycloak-nextcloud/social_settings.png)
3. Create a custom OpenId Connect
Use following configuration and adapt enpoints and secret.
![Custom Openid Connect](img/keycloak-nextcloud/social_customopenid.png)
4. Reform Logout Url like this:
```
https://keycloak.domain.ext/auth/realms/your-realm/protocol/openid-connect/logout?redirect_uri=https://nextcloud.domain.ext
```
5. Don't forget to save
## SSO with OpenId Connect Login Plugin
### Configure Keycloak
#### Configure client in Keycloak
Use the same configuration than the solution with social login:
![Basic configuration for client](img/keycloak-nextcloud/keycloak_client-settings.png)
Just add Fine Grain OpenId Connect Configuration as above:
![Configure ID Token Signature Algo as 256](img/keycloak-nextcloud/keycloak_client-openidfineconfig.png)
#### Configure mapper for quota
![Mapper for quota](img/keycloak-nextcloud/keycloak_client-openidmapperquota.png)
#### Configure mapper for roles
![Mapper for groups](img/keycloak-nextcloud/keycloak_client-openidmapperroles.png)
#### Configure quota for user
![Quota attribute for user](img/keycloak-nextcloud/keycloak_user-openidattributequota.png)
### Use OpenId Connect Login Plugin
#### Install the plugin
OpenID connect Login is a plugin made by pulsejet that can be found in Nextcloud AppStore.
**OpenID Connect Login** is a plugin made by pulsejet that can be found in Nextcloud AppStore.
#### Configure Nextcloud
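Review bot: removing the Social Login section also drops the only install instructions in the document ("go to Applications and search ... Download and install"); the remaining "#### Install the plugin" only says the app can be found in the Nextcloud AppStore. Suggest adding the equivalent two steps under that heading. Also keep a single spelling of the app name ("OpenID Connect Login", as in the bold line) rather than "OpenID connect Login".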
@ -140,7 +103,6 @@ Configuration of the plugin can only be made by modifying `config.php`.
```
$CONFIG = array (
// Some Nextcloud options that might make sense here
'allow_user_to_change_display_name' => false,
'lost_password_link' => 'disabled',
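Review bot: the comment "// Some Nextcloud options that might make sense here" is removed but the two settings below it stay; a short comment explaining why `allow_user_to_change_display_name` => false and `lost_password_link` => 'disabled' belong in an SSO setup (identity and passwords are managed in Keycloak, so Nextcloud should not offer a local password reset or let the display name drift from the IdP) would help readers.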
@ -152,7 +114,7 @@ $CONFIG = array (
'oidc_login_client_secret' => 'secret', // Client Secret: Got to Clients -> Client -> Credentials
// Automatically redirect the login page to the provider
'oidc_login_auto_redirect' => true,
'oidc_login_auto_redirect' => false,
// Redirect to this page after logging out the user
'oidc_login_logout_url' => 'https://keycloak.domain.ext/auth/realms/YOUR-REALM/protocol/openid-connect/logout?&redirect_uri=http%3A%2F%2Fnextcloud.domain.ext%2F',
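Review bot: `oidc_login_logout_url` has a stray "&" right after "?" ("?&redirect_uri=") and its redirect_uri is `http://nextcloud.domain.ext/` while the rest of the guide uses https (the `config.php` block even forces 'overwriteprotocol' => 'https'). Use "https%3A%2F%2Fnextcloud.domain.ext%2F" so the post-logout redirect does not land on plain http and stays consistent with the redirect URIs registered on the Keycloak client. Switching `oidc_login_auto_redirect` to false keeps the local Nextcloud login form reachable instead of sending users straight to Keycloak; if that is intended, say so in the guide in one sentence.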
@ -161,7 +123,7 @@ $CONFIG = array (
'oidc_login_default_quota' => '1000000000',
// Login button text
'oidc_login_button_text' => 'Log in with OpenID',
'oidc_login_button_text' => 'OpenID',
// Attribute map for OIDC response. Available keys are:
// i) id: Unique identifier for username
@ -220,7 +182,7 @@ $CONFIG = array (
'oidc_login_proxy_ldap' => false,
// Disable creation of new users from OIDC login
'oidc_login_disable_registration' => true,
'oidc_login_disable_registration' => false,
// Fallback to direct login if login from OIDC fails
// Note that no error message will be displayed if enabled
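Review bot: flipping `oidc_login_disable_registration` to false means every account Keycloak authenticates for this client gets a Nextcloud user created on first login, while the comment above still only describes the option as "Disable creation of new users". That is what an SSO-provisioned deployment wants, but the comment should say users are auto-provisioned and that controlling who may log in therefore lives entirely in Keycloak (the client's role and user assignments described earlier in the guide).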
@ -238,5 +200,8 @@ $CONFIG = array (
// For development, you may disable TLS verification. Default value is `true`
// which should be kept in production
'oidc_login_tls_verify' => true,
// If you are behind a proxy
'overwriteprotocol' => 'https',
);
```
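Review bot: "// If you are behind a proxy" undersells what 'overwriteprotocol' => 'https' does: it makes Nextcloud build its own URLs, including the redirect URI it sends to Keycloak, with https when TLS terminates at a reverse proxy; without it a proxied setup generates http redirect URIs that do not match the client's registered redirect URIs and the https logout URL above. Suggest a comment to that effect and a note that the line is only needed when a proxy terminates TLS in front of Nextcloud. Keeping `oidc_login_tls_verify` => true with its production warning is good.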