Here you can see, how it is working.
This how-to shows only the basics. To get further information follow the links below.

Installing privacyIDEA

You should install privacyIDEA on a different server, than sipmleSAMLphp and Nextcloud.
In this case, we use the Apache2 setup on a fresh installed Ubuntu 16.04.
During the installation, you will be asked for a mysql root password.

• Adding the repository apt-add-repository ppa:privacyidea/privacyidea
• Update with apt update
• Installing privacyIDEA for apache2 apt install privacyidea-apache2
• Create administrator account with pi-manage admin add <username>

Congratulations you installed privacyIDEA successfully.

Now privacyIDEA needs to know, where your users are stored. Please check our documentation for more information about this.

Installing simpleSAMLphp as an identity provider

Please follow the instructions from simpleSAMLphp

Installing the privacyIDEA module for simpleSAMLphp

First of all you need to install the module privacyIDEA. You can get the current version on GitHub.

Put the files in the directory modules/privacyidea.

The privacyIDEA module can be used in two different ways:
Method 1: The user’s first and second factor will be authenticated against privacyIDEA
Method 2: Only the second factor will be authenticated against privacyIDEA

In this how-to, we only show the simplest way to configure. Especially the method 2 can be configured way more.

Method 1

We will install privacyIDEA as an authentication source.
To do that, we have to append the configuration to config/authsources.php

This is the basic configuration

'example-privacyidea' => array(
    'privacyidea:privacyidea',
    'privacyideaserver' => 'https://your.server.com/pi',
),

If you want to edit more details, please check the documentation on GitHub.

After editing the configuration, please enable the authentication source in the metadata metadate/saml20-idp-hosted.php
Add 'auth' => 'example-privacyidea'

Method 2

If you want to use the second method, you have to use another authentication source (e.g. LDAP)
After that, activate privacyIDEA as an authentication processing filter.
Append in the array in your metadata metadata/saml20-idp-hosted.php the following lines.

This is the basic configuration

'authproc.idp' => array(
    20 => array(
        'class'             => 'privacyidea:serverconfig',
        'privacyideaserver' => 'https://your.server.com/pi',
    )
    25 => array(
        'class'             => 'privacyidea:privacyidea',
    ),
),

If you want to configure the authentication processing filter in more details, please check the documentation on GitHub.

Installing Nextcloud

Please follow the instructions from Nextcloud

Install and configure the app ‘SSO & SAML authentication’

This app can be installed via the marketplace.

After installing the app, it has to be configured like it is done in the following.

Attribute to map the UID to.
This depends on the authentication source.
If you use method 1 (privacyIDEA as an authentication source) and you did not change the attribute map, enter username

Identifier of the IdP entity (must be a URI)
https://your.server.com/simplesamlphp/saml2/idp/metadata.php

URL Target of the IdP where the SP will send the Authentication Request Message
https://your.server.com/simplesamlphp/saml2/idp/SSOService.php

URL Location of the IdP where the SP will send the SLO Request
https://your.server.com/simplesamlphp/saml2/idp/SingleLogoutService.php

Public X.509 certificate of the IdP
You can get it from https://your.server.com/simplesamlphp/module.php/saml/idp/certs.php/idp.crt

If you want to, you can add additional attribute mappings or security settings, but for this how-to it should be enough.

When everything is configured, you can click on ‘Download metadata XML’. To add this is your saml20-sp-remote.php, you need to parse it. Use https://your.server.com/simplesamlphp/admin/metadata-converter.php to do so.

You can copy the result in your metadata/saml20-sp-remote.php.

That’s it

privacyIDEA, simpleSAMLphp and Nextcloud are now configured in the correct way.
You and your users will be able to authenticate now!

Since the 2nd factors can be managed within privacyIDEA, these can also be used throughout the complete network or your whole company.

privacyIDEA supports a whole lot more authentication devices in addition to TOTP.