Nextcloud changed its authentication function in version 14, which makes it impossible for us to be as flexible as we want to be. We tried Nextcloud together with simpleSAMLphp and privacyIDEA to regain the flexibility we love.
Here you can see how it works.
This how-to shows only the basics. For further information, follow the links below.
You should install privacyIDEA on a different server than simpleSAMLphp and Nextcloud.
In this case, we use the Apache2 setup on a freshly installed Ubuntu 16.04.
During the installation, you will be asked for a mysql root password.
- Adding the repository
- Update with
- Installing privacyIDEA for apache2
apt install privacyidea-apache2
- Create administrator account with
pi-manage admin add <username>
Congratulations, you have installed privacyIDEA successfully.
Now privacyIDEA needs to know where your users are stored. Please check our documentation for more information about this.
Please follow the instructions from simpleSAMLphp.
First of all, you need to install the privacyIDEA module. You can get the current version on GitHub.
Put the files in the directory
The privacyIDEA module can be used in two different ways:
Method 1: The user’s first and second factor will be authenticated against privacyIDEA
Method 2: Only the second factor will be authenticated against privacyIDEA
In this how-to, we only show the simplest way to configure it. Method 2 in particular offers many more configuration options.
We will install privacyIDEA as an authentication source.
To do that, we have to append the configuration to
This is the basic configuration
    'example-privacyidea' => array(
        'privacyidea:privacyidea',
        'privacyideaserver' => 'https://your.server.com/pi',
    ),
If you want to edit more details, please check the documentation on GitHub.
After editing the configuration, please enable the authentication source in the metadata
'auth' => 'example-privacyidea'
If you want to use the second method, you have to use another authentication source (e.g. LDAP) for the first factor.
After that, activate privacyIDEA as an authentication processing filter.
Append the following lines to the array in your metadata file metadata/saml20-idp-hosted.php.
This is the basic configuration
    'authproc.idp' => array(
        20 => array(
            'class' => 'privacyidea:serverconfig',
            'privacyideaserver' => 'https://your.server.com/pi',
        ),
        25 => array(
            'class' => 'privacyidea:privacyidea',
        ),
    ),
If you want to configure the authentication processing filter in more details, please check the documentation on GitHub.
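Both methods side by side, as an added example that is not taken from the module's documentation: method 1 as an authentication source in config/authsources.php, and method 2 in metadata/saml20-idp-hosted.php with an LDAP source for the first factor and privacyIDEA as the authentication processing filter. The class names 'privacyidea:privacyidea' and 'privacyidea:serverconfig' and the option 'privacyideaserver' come from this how-to; the 'example-ldap' source, its host name and DN pattern are assumptions, and the 'sslverify' option is assumed from the module's README, so check it against the version you installed. One caveat worth knowing: simpleSAMLphp itself documents 'authproc' as the per-IdP key inside saml20-idp-hosted.php and 'authproc.idp' as the global key in config/config.php; the example keeps 'authproc.idp' as this how-to uses it.

```php
<?php
// --- config/authsources.php ---------------------------------------------
// Method 1: privacyIDEA validates both factors. The 'example-ldap' source is
// an assumed LDAP backend that method 2 below uses for the first factor.
$config = array(
    'admin' => array(
        'core:AdminPassword',
    ),

    'example-privacyidea' => array(
        'privacyidea:privacyidea',
        'privacyideaserver' => 'https://your.server.com/pi',
        // Assumed option name: verify the privacyIDEA TLS certificate. Keep it
        // enabled; the user's password and OTP travel over this connection.
        'sslverify' => true,
    ),

    'example-ldap' => array(
        'ldap:LDAP',
        'hostname' => 'ldaps://ldap.example.com',     // assumed host
        'enable_tls' => false,                         // already LDAPS, no STARTTLS
        'dnpattern' => 'uid=%username%,ou=people,dc=example,dc=com',
        'search.enable' => false,
        'attributes' => array('uid', 'mail', 'cn'),
    ),
);

// --- metadata/saml20-idp-hosted.php --------------------------------------
$metadata['__DYNAMIC:1__'] = array(
    'host' => '__DEFAULT__',
    'privatekey' => 'server.pem',
    'certificate' => 'server.crt',

    // Method 1: set 'auth' => 'example-privacyidea' and omit the filter below.
    // Method 2: LDAP checks the password, privacyIDEA checks the second factor.
    'auth' => 'example-ldap',

    'authproc.idp' => array(
        20 => array(
            'class' => 'privacyidea:serverconfig',
            'privacyideaserver' => 'https://your.server.com/pi',
        ),
        25 => array(
            'class' => 'privacyidea:privacyidea',
        ),
    ),
);
```

With method 2 the privacyIDEA filter only runs after the LDAP source has accepted the password, so a wrong OTP never reveals whether the password was correct to the user, but a correct password without a second factor still never reaches the SP.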
Please follow the instructions from Nextcloud
This app can be installed via the marketplace.
After installing the app, it has to be configured as follows.
Attribute to map the UID to.
This depends on the authentication source.
If you use method 1 (privacyIDEA as an authentication source) and you did not change the attribute map, enter
Identifier of the IdP entity (must be a URI)
URL Target of the IdP where the SP will send the Authentication Request Message
URL Location of the IdP where the SP will send the SLO Request
Public X.509 certificate of the IdP
You can get it from https://your.server.com/simplesamlphp/module.php/saml/idp/certs.php/idp.crt
If you want to, you can add additional attribute mappings or security settings, but for this how-to it should be enough.
When everything is configured, you can click on ‘Download metadata XML’. To add this to your saml20-sp-remote.php, you need to parse it. Use https://your.server.com/simplesamlphp/admin/metadata-converter.php to do so.
You can copy the result in your
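What the metadata converter does for you, written out as an added example (it is not the converter shipped with simpleSAMLphp): the script parses the SP metadata XML that Nextcloud's ‘Download metadata XML’ button produces and prints the entry for metadata/saml20-sp-remote.php. The XML below is a constructed sample with placeholder host names and a truncated certificate; the Nextcloud endpoint paths and the entityID are assumptions. The check that both endpoints are HTTPS is an extra safeguard added here, because an assertion POSTed to a plain-HTTP ACS would be exposed on the wire.

```php
<?php
// Constructed sample of SP metadata as Nextcloud's user_saml app exports it.
$spMetadataXml = <<<'XML'
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://nextcloud.example.com/apps/user_saml/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER-CERT...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://nextcloud.example.com/apps/user_saml/saml/sls"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://nextcloud.example.com/apps/user_saml/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
XML;

/**
 * Convert SP metadata XML into the array simpleSAMLphp expects in
 * saml20-sp-remote.php. Returns array($entityId, $entry).
 */
function spMetadataToRemoteEntry(string $xml): array
{
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch external resources while parsing metadata.
    if (@$doc->loadXML($xml, LIBXML_NONET) === false) {
        throw new RuntimeException('Metadata is not well-formed XML');
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata');
    $xp->registerNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#');

    $entityId = $xp->evaluate('string(/md:EntityDescriptor/@entityID)');
    if ($entityId === '') {
        throw new RuntimeException('No entityID in metadata');
    }

    $sp = '/md:EntityDescriptor/md:SPSSODescriptor';
    $post = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST';
    $acs = $xp->evaluate("string($sp/md:AssertionConsumerService[@Binding='$post']/@Location)");
    $slo = $xp->evaluate("string($sp/md:SingleLogoutService/@Location)");
    $nameIdFormat = $xp->evaluate("string($sp/md:NameIDFormat)");
    $wantSigned = $xp->evaluate("string($sp/@WantAssertionsSigned)") === 'true';
    // certData is the base64 body only, so strip the line breaks from the XML.
    $cert = preg_replace('/\s+/', '',
        $xp->evaluate("string($sp/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate)"));

    if ($acs === '') {
        throw new RuntimeException('No HTTP-POST AssertionConsumerService found');
    }
    // Extra safeguard: refuse endpoints that are not HTTPS.
    foreach (array('AssertionConsumerService' => $acs, 'SingleLogoutService' => $slo) as $name => $url) {
        if ($url !== '' && strncmp($url, 'https://', 8) !== 0) {
            throw new RuntimeException("$name is not an https:// URL: $url");
        }
    }

    $entry = array(
        'AssertionConsumerService' => $acs,
        'SingleLogoutService' => $slo,
        'NameIDFormat' => $nameIdFormat,
        'saml20.sign.assertion' => $wantSigned,
    );
    if ($cert !== '') {
        $entry['certData'] = $cert;
    }
    return array($entityId, $entry);
}

list($entityId, $entry) = spMetadataToRemoteEntry($spMetadataXml);
echo '$metadata[' . var_export($entityId, true) . '] = '
    . var_export($entry, true) . ";\n";
```

Run it with `php convert.php` and paste the printed assignment into metadata/saml20-sp-remote.php. If Nextcloud later rotates its SP certificate, the certData value is the field that has to be refreshed, otherwise signed requests from Nextcloud will fail verification at the IdP.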
privacyIDEA, simpleSAMLphp and Nextcloud are now configured correctly.
You and your users will be able to authenticate now!