Here you can see, how it is working.
This how-to shows only the basics. To get further information follow the links below.

Installing privacyIDEA

You should install privacyIDEA on a different server, than sipmleSAMLphp and Nextcloud.
In this case, we use the Apache2 setup on a fresh installed Ubuntu 16.04.
During the installation, you will be asked for a mysql root password.

• Adding the repository apt-add-repository ppa:privacyidea/privacyidea
• Update with apt update
• Installing privacyIDEA for apache2 apt install privacyidea-apache2
• Create administrator account with pi-manage admin add <username>

Congratulations you installed privacyIDEA successfully.

Now privacyIDEA needs to know, where your users are stored. Please check our documentation for more information about this.

Installing simpleSAMLphp as an identity provider

Please follow the instructions from simpleSAMLphp

Installing the privacyIDEA module for simpleSAMLphp

First of all you need to install the module privacyIDEA. You can get the current version on GitHub.

Put the files in the directory modules/privacyidea.

The privacyIDEA module can be used in two different ways:
Method 1: The user’s first and second factor will be authenticated against privacyIDEA
Method 2: Only the second factor will be authenticated against privacyIDEA

In this how-to, we only show the simplest way to configure. Especially the method 2 can be configured way more.

Method 1

We will install privacyIDEA as an authentication source.
To do that, we have to append the configuration to config/authsources.php

This is the basic configuration

'example-privacyidea' => array(
    'privacyidea:privacyidea',
    'privacyideaserver' => 'https://your.server.com/pi',
),

If you want to edit more details, please check the documentation on GitHub.

After editing the configuration, please enable the authentication source in the metadata metadate/saml20-idp-hosted.php
Add 'auth' => 'example-privacyidea'

Method 2

If you want to use the second method, you have to use another authentication source (e.g. LDAP)
After that, activate privacyIDEA as an authentication processing filter.
Append in the array in your metadata metadata/saml20-idp-hosted.php the following lines.

This is the basic configuration

'authproc.idp' => array(
    20 => array(
        'class'             => 'privacyidea:serverconfig',
        'privacyideaserver' => 'https://your.server.com/pi',
    )
    25 => array(
        'class'             => 'privacyidea:privacyidea',
    ),
),

If you want to configure the authentication processing filter in more details, please check the documentation on GitHub.

Installing Nextcloud

Please follow the instructions from Nextcloud

Install and configure the app ‘SSO & SAML authentication’

This app can be installed via the marketplace.

After installing the app, it has to be configured like it is done in the following.

Attribute to map the UID to.
This depends on the authentication source.
If you use method 1 (privacyIDEA as an authentication source) and you did not change the attribute map, enter username

Identifier of the IdP entity (must be a URI)
https://your.server.com/simplesamlphp/saml2/idp/metadata.php

URL Target of the IdP where the SP will send the Authentication Request Message
https://your.server.com/simplesamlphp/saml2/idp/SSOService.php

URL Location of the IdP where the SP will send the SLO Request
https://your.server.com/simplesamlphp/saml2/idp/SingleLogoutService.php

Public X.509 certificate of the IdP
You can get it from https://your.server.com/simplesamlphp/module.php/saml/idp/certs.php/idp.crt

If you want to, you can add additional attribute mappings or security settings, but for this how-to it should be enough.

When everything is configured, you can click on ‘Download metadata XML’. To add this is your saml20-sp-remote.php, you need to parse it. Use https://your.server.com/simplesamlphp/admin/metadata-converter.php to do so.

You can copy the result in your metadata/saml20-sp-remote.php.

That’s it

privacyIDEA, simpleSAMLphp and Nextcloud are now configured in the correct way.
You and your users will be able to authenticate now!

An authentication processing filter is one step of the login process in simpleSAMLphp.
For example it can be useful, if you want to authenticate the first factor against LDAP and the second one against privacyIDEA.
If you enable privacyIDEA as an authsource, both factors will be authenticated against privacyIDEA.

With privacyIDEA as an authproc filter, you are much more flexible. You can expand and individualize the authentication process in many different ways. In this how-to we want to explain some of the features and show how to configure it in the best way.

How to setup privacyIDEA as an authproc filter

Authproc filters are configured in config.php (to use them every time) or in the metadata (to use it only, if the user comes from a specific service provider for example). Every authproc filter is listed in an array with a number, which shows the priority. The lowest number begins the login process.

privacyIDEA without special features (necessary)

'authproc' => array(
  20 => array(
    'class'             => 'privacyidea:serverconfig',
    'privacyideaserver' => 'https://your.privacyidea.server',
    'realm'             => 'realm1',
    'uidKey'            => 'uid',
    'sslverifyhost'     => true,
    'sslverifypeer'     => true,
    'serviceAccount'  => 'service',
    'servicePass'     => 'service',
  ),
  25 => array(
    'class'             => 'privacyidea:privacyidea',
  ),
),

This configuration enables the authentication against privacyIDEA. The first factor will be authenticated against the authsource (e.g. LDAP) and the second one against privacyIDEA.

• class: this enables the authproc filter. (Do not change it)
• privacyideaserver: here you can enter the url of your pricacyIDEA server
• realm: enter the user’s realm name
• uidKey: privacyIDEA has to know in which attribute the username is stored (it depends on your authsource)
• sslverifyhost: Check if the hostname matches the name in the certificate (set to true or false)
• sslverifypeer: Check if the certificate is valid, signed by a trusted CA (true or false)
• serviceAccount: The service account’s username
• servicePass: The service account’s password

Disable 2FA for users with specified ip addresses (optional)

You can disable 2FA for users with a special ip address (e.g. your local area network).
To do that, you have to enable and configure the authproc filter privacyidea:checkClientIP

21 => array (
  'class'             => 'privacyidea:checkClientIP',
  'excludeClientIPs'  => array("10.0.0.0-10.2.0.0", "192.168.178.10"),
),

This array has to be in the authproc array, which is mentioned above.

• class: this enables the authproc filter.
• excludeClientIPs: You can enter a single ip address or a range. These clients will not be asked to do 2FA.

Enroll new token, if the user does not have one (optional)

If a user does not have a second factor yet, it can be enrolled by simpleSAMLphp. To do that, a service account has to be configured and enabled. This can be done either above in privacyidea:privacyidea or here in privacyidea:tokenEnrollment)

24 => array(
  'class'           => 'privacyidea:tokenEnrollment',
  'tokenType'       => 'totp',
)

• class: this enables the authproc filter
• tokenType: Here you can enter the token type. It can be hotp or totp

You can overwrite the settings from privacyidea:serverconfig, if it is necessary. For example you can change the serviceAccount and servicePass. You only have to add it in this array.