# Keycloak as SSO in Nextcloud

In this guide we cover two methods of setting up SSO in Nextcloud via Keycloak.

The first uses the Social Login plugin in Nextcloud.

The second uses the OpenidConnect plugin.

## SSO with Social Login plugin
### Keycloak configuration
#### Create a client

We first need to create a client in Keycloak that Nextcloud will connect to.

Set `Client id` to a name of your choice.

![create a client](img/keycloak-nextcloud/keycloak_create-client.png)

Use the following settings:

![settings for client](img/keycloak-nextcloud/keycloak_client-settings.png)

#### Create a new role in client

In the **Roles** tab, create a role named `admin` that we will later map to Nextcloud.

![create role](img/keycloak-nextcloud/keycloak_client-newrole.png)

#### Create a new protocol mapper

In the **Mappers** tab, create a mapper for roles.

![create mapper](img/keycloak-nextcloud/keycloak_client-newmapper.png)

#### Map roles for user

Go to the admin user you created (or create a user) and map the admin role we created.

Go to the **Role Mappings** tab, select the client you created in the **Client Roles** selection box, then click **Add Selected** at the bottom-left to move admin from available to assigned roles.

![map roles for user](img/keycloak-nextcloud/keycloak_user-rolemapping.png)

#### Check that the client picks up the mapping

Go back to the client and evaluate the client scope for the admin user you just configured.

Go to your client, open the **Client Scopes** tab, select your user and click **Evaluate**.

Check the **Generated Access Token** tab to confirm that the user receives the admin role.

![evaluate client scope](img/keycloak-nextcloud/keycloak_client-evaluaterolemapping.png)

#### Get Client Secret

Go to **Client** -> **Credentials** to get the client secret, which we will need to configure the Nextcloud plugin.

![get client secret](img/keycloak-nextcloud/keycloak_client-getcredentials.png)

#### See Endpoints

You will also need the endpoint URLs to adapt the Nextcloud Social Login plugin configuration.

Go to **Realm Settings** -> **General** and click `OpenID Endpoint Configuration`.

![Ask for conf page](img/keycloak-nextcloud/keycloak_realm-accessconf.png)

You will be redirected to the discovery endpoint, which shows the endpoint URLs and other information:

![json endpoint data](img/keycloak-nextcloud/keycloak_realm-json.png)

### Use Social Login
#### Install Social Login Plugin

1. In Nextcloud, go to Applications and search for Social Login.
2. Click on Download and install.

#### Configure Social Login

1. Go to Administration Settings, where a new section has been created for Social Login.
2. Use the following configuration and save:

   ![Social Login Settings](img/keycloak-nextcloud/social_settings.png)

3. Create a custom OpenID Connect provider.

   Use the following configuration, adapting the endpoints and the secret.

   ![Custom Openid Connect](img/keycloak-nextcloud/social_customopenid.png)

4. Rewrite the Logout Url like this:

   ```
   https://keycloak.domain.ext/auth/realms/your-realm/protocol/openid-connect/logout?redirect_uri=https://nextcloud.domain.ext
   ```

5. Don't forget to save.
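
Added example, not part of this guide: a small Python helper that reads the discovery document from the "See Endpoints" step, checks that the issuer is our realm and pulls out the endpoint URLs the custom OpenID Connect form asks for, builds the Logout Url of step 4 from `end_session_endpoint`, and reproduces the **Generated Access Token** role check. The hostnames and the `nextcloud` client id are assumed placeholders; the discovery JSON and the token claims are constructed samples.

```python
import json
from urllib.parse import urlencode

# Constructed sample of the discovery document Keycloak serves at
# <issuer>/.well-known/openid-configuration (the "OpenID Endpoint Configuration"
# link under Realm Settings), trimmed to the fields used here.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://keycloak.domain.ext/auth/realms/your-realm",
    "authorization_endpoint": "https://keycloak.domain.ext/auth/realms/your-realm/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.domain.ext/auth/realms/your-realm/protocol/openid-connect/token",
    "userinfo_endpoint": "https://keycloak.domain.ext/auth/realms/your-realm/protocol/openid-connect/userinfo",
    "end_session_endpoint": "https://keycloak.domain.ext/auth/realms/your-realm/protocol/openid-connect/logout",
    "jwks_uri": "https://keycloak.domain.ext/auth/realms/your-realm/protocol/openid-connect/certs",
})

# Constructed sample of the claims shown under "Generated Access Token";
# "nextcloud" is an assumed Client id.
SAMPLE_ACCESS_TOKEN_CLAIMS = {
    "iss": "https://keycloak.domain.ext/auth/realms/your-realm",
    "preferred_username": "alice",
    "resource_access": {"nextcloud": {"roles": ["admin"]}},
}

# The URLs the custom OpenID Connect form in Social Login asks for.
NEEDED = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint",
          "end_session_endpoint", "jwks_uri")

def parse_discovery(doc: str, expected_issuer: str) -> dict:
    """Extract the needed endpoints; refuse a document for another issuer or
    whose endpoints point outside the realm (they must all share the issuer)."""
    data = json.loads(doc)
    if data.get("issuer") != expected_issuer:
        raise ValueError(f"unexpected issuer {data.get('issuer')!r}")
    missing = [k for k in NEEDED if k not in data]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    for k in NEEDED:
        if not data[k].startswith(expected_issuer + "/"):
            raise ValueError(f"{k} points outside the realm: {data[k]}")
    return {k: data[k] for k in NEEDED}

def logout_url(endpoints: dict, redirect_uri: str) -> str:
    """Step 4's Logout Url: end_session_endpoint plus a percent-encoded redirect_uri."""
    return endpoints["end_session_endpoint"] + "?" + urlencode({"redirect_uri": redirect_uri})

def has_client_role(claims: dict, client_id: str, role: str) -> bool:
    """Client roles sit under resource_access.<client_id>.roles in the access token."""
    return role in claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
```

The percent-encoded `redirect_uri` is the canonical form of the Logout Url shown in step 4.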