How to Enable SSO to Nextcloud with Safous

This article outlines the steps to configure Safous as an Identity Provider (IdP) for Single Sign-On (SSO) with Nextcloud acting as the Service Provider (SP). The steps were verified with Nextcloud version 29.0.2 and SSO & SAML authentication app version 6.1.3.

Prerequisites

  • You have access to the Nextcloud administrator account.
  • You possess administrative access to your Safous tenant through the admin portal.

1. Register Nextcloud as a SaaS Application on Admin Portal

Please follow the steps outlined below to register Nextcloud as a SaaS application on the Admin portal.

  1. Log in to the Safous admin portal.
  2. Navigate to Settings > ZTNA > Applications > SaaS and click New SaaS.
  3. Enter a name for the SaaS application. In this example, the name is simply nextcloud.
  4. Choose a site.
  5. Choose a domain.
  6. Enter https://<Nextcloud>/apps/user_saml/saml/acs as the ACS URL. Replace <Nextcloud> with your Nextcloud domain.
  7. Enter https://<Nextcloud>/apps/user_saml/saml/metadata as the Entity ID. Replace <Nextcloud> with your Nextcloud domain.
  8. Enter https://<Nextcloud>/apps/user_saml/saml/acs as the Relay State. Replace <Nextcloud> with your Nextcloud domain.
  9. Enable the Visible toggle button.
  10. Enable the Allow IDP-Initiated Flow toggle.
  11. Click Save.
  12. Your newly created SaaS application should resemble the image below. Copy or note the generated SSO URL, Issuer and Certificate; they are needed in section 3.
  13. Configure the user access policy for the application. You can refer to this guide for that.

2. Add and Install SSO & SAML Authentication App

The SSO & SAML authentication app is not installed by default; it has to be added and installed before SAML can be used for SSO. In this guide, we add and install the app through the Nextcloud web console.

  1. Open your Nextcloud domain and log in with the administrator account.
  2. Navigate to Apps > Featured Apps.
  3. Scroll down and find SSO & SAML authentication App.
  4. Click Download & enable.
  5. Navigate to Apps > Your Apps and verify that the SSO & SAML authentication app is installed and enabled for your Nextcloud.

3. Set Up and Configure Safous as an IdP on Nextcloud

Next, we register Safous as the IdP for SAML authentication on Nextcloud in order to enable SSO.

  1. Navigate to Administration settings > SSO & SAML authentication.
  2. Select built-in SAML authentication.
  3. Configure Global settings.
    • Enable the Allow the use of multiple user back-ends (e.g. LDAP) option.

      Enabling this option lets users choose between direct login with a password and login through SAML. Once all settings and configurations are finished and verified, you can disable this option to enforce login via SAML only.
  4. Configure General settings.
    • (Optional) Change the name of the IdP from Provider 1 to Safous.
    • Set Attribute to map the UID to urn:oid:0.9.2342.19200300.100.1.1.
    • Set Optional display name to Safous.

  5. Configure Service Provider Data.
    • Set Name ID format to Unspecified.
    • To generate a certificate, open a shell and execute the following command (as written it uses OpenSSL's default validity of 30 days; add -days <n> if you want a longer-lived SP certificate):
      openssl req -nodes -new -x509 -keyout private.key -out public.cert
    • Paste the content of public.cert into X.509 certificate of the Service Provider.
    • Paste the content of private.key into Private key of the Service Provider.
  6. Configure Identity Provider Data.
    • Set the Identifier of the IdP entity to the Issuer copied from the Safous admin portal.
    • Set the URL Target of the IdP to the copied SSO URL.
    • Set the URL Location of the IdP where the SP will send the SLO Request to https://users.<tenant>.ztna.safous.com/cyolo/v1/logout
    • Set the URL Location of the IdP's SLO Response to your user portal login page (e.g. https://login.<tenant>.ztna.safous.com/).
    • Paste the copied Certificate into Public X.509 certificate of the IdP and format it as shown below.

      Once done, your configuration should be similar to the example below.
  7. Configure Security Settings.
    • Enable all the security settings exactly as shown in this example.
  8. Click Download Metadata file at the bottom of the page to verify that all the configurations are complete and saved.
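Added here as a verification aid, not part of the original article: a small Python script that parses the metadata file downloaded in step 8 and checks that its entityID, HTTP-POST ACS URL, Name ID format and SP signing certificate agree with the values entered into the Safous SaaS application in section 1. The embedded metadata sample and the host nextcloud.example.com are constructed placeholders; run the function against your real downloaded file.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample of Nextcloud's downloaded SP metadata; host and certificate body are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://nextcloud.example.com/apps/user_saml/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>PLACEHOLDER_BASE64</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://nextcloud.example.com/apps/user_saml/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(metadata_xml, registered_entity_id, registered_acs_url):
    """Compare the SP metadata against the values typed into the Safous SaaS
    application. Returns a list of mismatches; an empty list means consistent."""
    problems = []
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    if entity_id != registered_entity_id:
        problems.append(f"entityID {entity_id!r} differs from Safous Entity ID {registered_entity_id!r}")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["metadata has no SPSSODescriptor"]
    # Safous posts the SAML response to the ACS URL, so it must be an HTTP-POST endpoint here.
    acs_urls = [a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)
                if a.get("Binding") == HTTP_POST]
    if registered_acs_url not in acs_urls:
        problems.append(f"Safous ACS URL {registered_acs_url!r} not among HTTP-POST endpoints {acs_urls}")
    # Step 5 sets the Name ID format to Unspecified.
    formats = [f.text for f in sp.findall("md:NameIDFormat", NS)]
    if NAMEID_UNSPECIFIED not in formats:
        problems.append(f"NameIDFormat {formats} is not Unspecified")
    # A signing KeyDescriptor shows the SP certificate from step 5 was saved.
    if sp.find("md:KeyDescriptor[@use='signing']", NS) is None:
        problems.append("no signing KeyDescriptor: SP certificate missing")
    return problems


if __name__ == "__main__":
    h = "https://nextcloud.example.com"
    print(check_sp_metadata(SAMPLE_METADATA, h + "/apps/user_saml/saml/metadata", h + "/apps/user_saml/saml/acs") or "consistent")
```

Replace SAMPLE_METADATA with the contents of your downloaded metadata file and the two URLs with the Entity ID and ACS URL you entered in the Safous admin portal.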

4. Testing SSO

With setup and configuration complete, we now test SSO to confirm that we can sign in to Nextcloud via SAML.

  1. Go to your Safous tenant's user portal and log in with your credentials.
  2. Click the nextcloud SaaS application.
  3. Because we enabled the option to select the login method earlier, we are asked which method to use to log in to Nextcloud. Choose login with Safous.

    Note that you can remove this login method selection and allow login via Safous only by disabling the option in Global Settings.
  4. If you see this message, you have successfully signed in to Nextcloud via SAML. Your account is provisioned automatically the first time you log in to Nextcloud via SAML, so you do not have to create and map users manually between Safous and Nextcloud.
  5. Because we also configured SLO, clicking the Log out button on Nextcloud logs you out of the Safous user portal as well.

Logs

You can check the logs for SAML authentication on the Safous admin portal, and any SAML authentication error logs in the Nextcloud logs.

  • On the Safous admin portal, navigate to Analytics > ZTNA > Activity Log.
  • On Nextcloud, log in with the administrator account and navigate to Administration settings > Logging. There you can find the error messages needed to troubleshoot problems related to SAML authentication.