Nextcloud Single-Sign-On with Auth0
In this blog post I show how easy it is to set up single sign-on (SSO via SAML 2.0) for Nextcloud using Auth0 as the identity provider (IdP).
Nextcloud is an open source (AGPLv3) enterprise file sync and share (EFSS) solution with millions of users worldwide, a self-hosted alternative to Dropbox, Google Drive and OneDrive.
Auth0 provides a universal authentication and authorization platform for web, mobile, and legacy applications. It was recently listed on "Forbes' List of Next Billion-Dollar Startups 2018" (https://wilab.com/news-blog/auth0-on-forbes-list-of-next-billion-dollar-startups-2018/), which got me excited to check it out further. There are several identity management services out there, though Auth0 seems to be especially developer-friendly and easy to configure, providing lots of code samples for various web technologies.
Since Nextcloud supports SAML-based SSO out of the box, I gave Auth0 a try and decided to write the steps down in a blog post. So, these are the steps:
Step 1: Auth0 application configuration
In the Auth0 management console, under Applications, create a new single-page application (SPA) with the following settings:
Name:
Nextcloud
Application Type:
Single Page Application
Allowed Callback URLs:
https://<NEXTCLOUD_HOSTNAME>/index.php/apps/user_saml/saml/acs
Domain, Client ID and Client Secret are generated automatically. Only the Domain and Client ID are needed for the SAML setup; Nextcloud never uses the Client Secret.
Under the Addons tab, enable the SAML2 Web App add-on with the following settings:
Application Callback URL:
https://<NEXTCLOUD_HOSTNAME>/index.php/apps/user_saml/saml/acs
Settings:
{
  "logout": {
    "callback": "https://<tenant>.eu.auth0.com/v2/logout?returnTo=https%3A%2F%2F<NEXTCLOUD_HOSTNAME>%2Fredirect.html"
  },
  "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
}
Step 2: Tenant Settings
Under your Tenant Settings > Advanced, set:
Allowed Logout URLs:
https://<NEXTCLOUD_HOSTNAME>/redirect.html
Step 3: Nextcloud Configuration
In Nextcloud, enable the "SSO & SAML authentication" app (user_saml) under Apps.
Then configure it under Settings > SSO & SAML authentication with the following settings:
Attribute to map the UID to:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
(Auth0 sends its user_id in this claim, e.g. auth0|… or google-oauth2|…, so the same person arriving through different connections ends up with distinct Nextcloud accounts.)
Identity Provider Data:
Identity of the IdP entity:
urn:<tenant>.eu.auth0.com
URL Target of the IdP where the SP will send the Authentication Request Message:
https://<tenant>.eu.auth0.com/samlp/<auth0_client_id>
>> Show optional Identity Provider settings…
URL Location of the IdP where the SP will send the SLO Request:
https://<tenant>.eu.auth0.com/samlp/<auth0_client_id>/logout
Public X.509 certificate of the IdP:
<paste the signing certificate of the Auth0 application from Settings > Advanced Settings > Certificates; the same certificate is served at https://<tenant>.eu.auth0.com/pem>
>> Show attribute mapping settings…
Attribute to map the displayname to:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Attribute to map the email address to:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Example configuration:
Step 4: Single Sign Out redirect page for Nextcloud
Create a single sign-out redirect page for Nextcloud on the Nextcloud server: a new HTML file called redirect.html in the Nextcloud document root (usually /var/www/html/ or /var/www/nextcloud/ on Ubuntu/Debian) with the following redirect code:
<!DOCTYPE html>
<meta charset="utf-8">
<script>
  // Send the browser back to the Nextcloud front page once Auth0 has ended its session.
  document.location.href = 'https://<NEXTCLOUD_HOSTNAME>/';
</script>
Make sure the web server user owns the file as well:
chown www-data:www-data redirect.html
Because this is a hand-added file in the Nextcloud root, the code integrity check on the admin page may list it as an extra file; that is expected.
I had to create this redirect.html as the logout callback page because otherwise I ran into an endless redirect loop when logging out.
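As an added example (not code from the original post, nor from Nextcloud or Auth0), the following Python script shows how the Step 3 "Identity Provider Data" values come out of the SAML metadata Auth0 publishes for the application, and cross-checks that the callback URL of Step 1, the Allowed Logout URL of Step 2 and the redirect.html of Step 4 agree with each other. The host name cloud.example.org, the tenant example.eu.auth0.com, the client ID abc123, the metadata document and the certificate are all constructed samples; the occ app-config key names are an assumption taken from older user_saml releases and should be checked against the installed version.

```python
"""Derive the user_saml 'Identity Provider Data' from Auth0 IdP metadata and cross-check the
URLs of Steps 1, 2 and 4. Added example with a constructed metadata sample and placeholder cert."""
import base64
import hashlib
import shlex
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NC_HOST = "cloud.example.org"  # assumed Nextcloud host name
PLACEHOLDER_CERT = base64.b64encode(b"not a real X.509 certificate").decode()

# Constructed sample in the shape Auth0 serves at https://<tenant>.eu.auth0.com/samlp/metadata/<client_id>
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="urn:example.eu.auth0.com">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data>
   <X509Certificate>{PLACEHOLDER_CERT}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleLogoutService Binding="{HTTP_REDIRECT}" Location="https://example.eu.auth0.com/samlp/abc123/logout"/>
  <SingleLogoutService Binding="{HTTP_POST}" Location="https://example.eu.auth0.com/samlp/abc123/logout"/>
  <SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://example.eu.auth0.com/samlp/abc123"/>
  <SingleSignOnService Binding="{HTTP_POST}" Location="https://example.eu.auth0.com/samlp/abc123"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

# The SAML2 add-on settings of Step 1 with the assumed host filled in.
ADDON_SETTINGS = {
    "logout": {"callback": "https://example.eu.auth0.com/v2/logout?returnTo="
                           f"https%3A%2F%2F{NC_HOST}%2Fredirect.html"},
    "binding": HTTP_REDIRECT,
}


def idp_settings(metadata_xml, binding=HTTP_REDIRECT):
    """Pick out the four values the user_saml admin page asks for under 'Identity Provider Data'."""
    root = ET.fromstring(metadata_xml)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")

    def location(service):  # Location of the endpoint whose Binding matches what Nextcloud uses
        for svc in idp.findall(f"{{{MD}}}{service}"):
            if svc.get("Binding") == binding:
                return svc.get("Location")
        raise ValueError(f"metadata has no {service} for binding {binding}")

    cert = idp.find(f"{{{MD}}}KeyDescriptor[@use='signing']/{{{DS}}}KeyInfo/"
                    f"{{{DS}}}X509Data/{{{DS}}}X509Certificate")
    return {
        "idp-entityId": root.get("entityID"),
        "idp-singleSignOnService.url": location("SingleSignOnService"),
        "idp-singleLogoutService.url": location("SingleLogoutService"),
        "idp-x509cert": "".join(cert.text.split()),  # base64 body only, no PEM armour
    }


def cert_fingerprint(pem_or_b64):
    """SHA-256 of the DER bytes: a cert pasted with PEM armour compares equal to the metadata copy."""
    body = "".join(line for line in pem_or_b64.splitlines() if not line.startswith("-----"))
    return hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()


def check_urls(nextcloud_host, addon_settings, allowed_callback, allowed_logout_urls):
    """List the inconsistencies between Steps 1, 2 and 4 (empty list = consistent)."""
    problems = []
    acs = f"https://{nextcloud_host}/index.php/apps/user_saml/saml/acs"
    if allowed_callback != acs:
        problems.append(f"Allowed Callback URL must be the Nextcloud ACS {acs}")
    cb = urlsplit(addon_settings["logout"]["callback"])
    if cb.scheme != "https":
        problems.append("logout callback must use https")
    return_to = parse_qs(cb.query).get("returnTo", [None])[0]
    if return_to is None:
        problems.append("logout callback has no returnTo parameter")
    elif return_to not in allowed_logout_urls:
        problems.append(f"returnTo {return_to} is not in Allowed Logout URLs (Step 2)")
    elif return_to != f"https://{nextcloud_host}/redirect.html":
        problems.append("returnTo should land on the redirect.html page of Step 4")
    if addon_settings.get("binding") != HTTP_REDIRECT:
        problems.append("binding should be HTTP-Redirect, as set in Step 1")
    return problems


def occ_commands(settings):
    """Render the settings as occ calls. The app-config key names are an assumption taken from
    older user_saml releases; check them against the installed version before running."""
    uid_claim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
    cmds = ["php occ config:app:set user_saml type --value=saml",
            f"php occ config:app:set user_saml general-uid_mapping --value={uid_claim}"]
    for key, value in settings.items():
        cmds.append(f"php occ config:app:set user_saml {key} --value={shlex.quote(value)}")
    return cmds


if __name__ == "__main__":
    derived = idp_settings(SAMPLE_METADATA)
    print("\n".join(occ_commands(derived)))
    print(check_urls(NC_HOST, ADDON_SETTINGS, f"https://{NC_HOST}/index.php/apps/user_saml/saml/acs",
                     [f"https://{NC_HOST}/redirect.html"]))
```

To use it for real, replace SAMPLE_METADATA with the document from https://<tenant>.eu.auth0.com/samlp/metadata/<auth0_client_id> and NC_HOST with your host name; cert_fingerprint lets you compare the certificate you pasted into Nextcloud with the one in the metadata before you test the login, which catches the usual copy-and-paste truncation.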
Test it!
Now open the Nextcloud URL in a browser. Warning: stay logged in to Nextcloud as the local admin in one browser session and try the newly configured SSO in a separate private (incognito) window, i.e. a new session, so that a misconfiguration cannot lock you out. Should that happen anyway, the user_saml app still serves the local login form at https://<NEXTCLOUD_HOSTNAME>/login?direct=1.
You should be redirected to Auth0 and asked to authenticate with your email address or, if enabled, a social login.
Once you have tried logging in with several of the authentication options, go to the Nextcloud user management:
If you have any questions or suggestions, leave a comment.