Photo by MILKOVÍ on Unsplash (edited)

Nextcloud Single-Sign-On with Auth0

In this blog post I show you how easy it is to setup single-sign-on (SSO with SAML2) for Nextcloud using Auth0 as identity provider (IdP).

Nextcloud is an open source (AGPLv3) file sync and sharing (EFSS) solution with millions of users worldwide, a self-hosted alternative to Dropbox, Google Drive and OneDrive.

Auth0 provides a universal authentication & authorization platform for web, mobile, and legacy applications. It was recently listed on “Forbes’ List of Next Billion-Dollar Startups 2018” (https://wilab.com/news-blog/auth0-on-forbes-list-of-next-billion-dollar-startups-2018/), which got me excited to check it out further. There are several identity management services out there, though Auth0 seems to be especially developer friendly and easy to configure, providing lots of code samples for various web technologies.

Since Nextcloud supports SAML/SSO out-of-the-box, I gave Auth0 a try and thought to put it down in a blog post. So, these are the steps:

Step 1: Auth0 application configuration

In the Auth0 management console, create a new single-page application (SPA), with the following settings:

Name:
Nextcloud

Application Type:
Single Page Application

Allowed Callback URLs:

https://<NEXTCLOUD_HOSTNAME>/index.php/apps/user_saml/saml/acs

Domain, Client ID and Client Secret is auto-generated.

Under the AddOns tab, enable SAML2

…with the following settings:

Application Callback URL:

https://<NEXTCLOUD_HOSTNAME>/index.php/apps/user_saml/saml/acs

Settings:

{
“logout”: {
“callback”: “https://<tenant>.eu.auth0.com/v2/logout?returnTo=https%3A%2F%2F<NEXTCLOUD_HOSTNAME>%2Fredirect.html"
},
“binding”: “urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect”
}

Step 2: Tenant Settings

Under your Tenant Settings > Advanced, set:

Allowed Logout URLs:

https://<NEXTCLOUD_HOSTNAME>/redirect.html

Step 3: Nextcloud Configuration

In Nextcloud, enable the SAML/SSO app.

Then configure the app with the following settings:

Attribute to map the UID to:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier

Identity Provider Data:

Identity of the IdP entity:

urn:<tenant>.eu.auth0.com

URL Target of the IdP where the SP will send the Authentication Request Message:

https://<tenant>.eu.auth0.com/samlp/<auth0_client_id>

>> Show optional Identity Provider settings…

URL Location of the IdP where the SP will send the SLO Request:

https://<tenant>.eu.auth0.com/samlp/<auth0_client_id>/logout

Public X.509 certificate of the IdP:

<copy the certificate from the Auth0 application settings > advanced>

>> Show attribute mapping settings…

Attribute to map the displayname to.

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Attribute to map the email address to.

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Example configuration:

Step 4: Single Sign Out redirect page for Nextcloud

Create a single sign logout redirect page for Nextcloud on the Nextcloud server: create a new html page called redirect.html in the application root folder (usually /var/www/html/ or /var/www/nextcloud/ on Ubuntu/Debian) with the following redirect code:

<script>
document.location.href = ‘https://<NEXTCLOUD_HOST>/’;
</script>

Make sure to adjust the ownership as well:

chown www-data:www-data redirect.html

I had to create this redirect.html as logout callback page because I otherwise ran into an endless redirect loop when logging out.

Test it!

Now open the Nextcloud URL in the browser — warning: it’s best to stay logged in in Nextcloud as local admin in one browser session and try the newly configured SSO in a separate incognito browser tab (=new session), so that in case of any misconfiguration, you don’t lock yourself out.

You should be asked to authenticate with email address or social login, if enabled.

When you tried logging in using several of the authentication options, go to the Nextcloud user management:

If you have any questions or suggestions, leave a comment.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Mathias Conradt

Mathias Conradt

Cybersecurity Professional | CTO & Co-Founder at Quasr | DevSecCon Germany Chapter Lead | Snyk Ambassador | Motorbiker & MotoGP Fan | Tactical & Stealth Gamer