Integrating NextCloud with a SAML 2.0 IdP for Single Sign On (SSO)

When deploying NextCloud in the enterprise across a large number of users, integrating NextCloud with single sign on is almost always a project requirement. Single sign on (SSO) enhances the security of your users’ NextCloud credentials by requiring them to remember only a single username and password to access all of your corporate services. It also simplifies the deployment of NextCloud by auto-provisioning accounts based on your user directory, which can reside at a cloud-based SSO service such as OneLogin, or an on-premises LDAP / Active Directory server.

OneLogin is one of the identity providers that are officially supported by the NextCloud core developers who maintain the SSO & SAML Authentication app, although NextCloud can be integrated with other SAML 2.0 identity providers (IdP) such as Auth0 or Okta as well. The pricing for OneLogin is based on the number of users in your organization, starting from a minimum of $40/month for 10 users ($4/user) on the Enterprise plan supporting multiple directory integration with G Suite, AD, and LDAP and multi-factor authentication (MFA). The basic plan for $50/month supports a minimum of 25 users ($2/user) but it supports only single directory integration, and no MFA. With either plan, users can be manually created through the OneLogin dashboard.

Integrating NextCloud with Single Sign On is a detailed process that can easily result in unexpected errors, or in being locked out of your NextCloud instance, if it’s not carefully planned in advance. OneLogin is just one of the cloud-based SSO services that you can choose to provide your organization’s NextCloud users with single sign on. Auth0 is a popular alternative that has strong support for social logins such as Facebook, Google, and Twitter, and it has a “free forever” developer plan to try. Integrating with Active Directory does, however, require upgrading to the Developer Pro plan for the AD Connector, starting at $200/month for 100 internal users. Okta also provides identity management services with a Single Sign-on plan that is charged at $2 per user per month, with basic MFA included, and a $1,500 annual contract minimum.

Our expert consultants can help you determine which SSO solution fits your business needs for integrating with NextCloud (and other apps), or integrate NextCloud with an existing SAML and LDAP/AD server. This article provides an overview of what the process for integrating NextCloud with OneLogin’s SAML IdP connector looks like. The process is similar with Auth0 or Okta.

Step 1 – After creating a OneLogin account (a 30-day free trial is available), create an app in the OneLogin dashboard using the OneLogin SAML Test (IdP) connector. The name of the application (e.g. “NextCloud”) is what you want your users to see when logging in through the OneLogin portal – and you can upload a custom image as well.

[Screenshot: OneLogin create application]

Step 2 – Once the NextCloud app is created in the OneLogin dashboard for authentication, select the app by its name, then navigate to the Configuration page. Here, you will need to fill in some values based on the URL of your NextCloud instance.

SAML Consumer URL: https://nextcloud.example.com/

SAML Audience: https://nextcloud.example.com/apps/user_saml/saml/metadata

SAML Recipient: https://nextcloud.example.com/apps/user_saml/saml/acs

ACS URL Validator: https://nextcloud.example.com/

Some outdated instructions available in blogs & forums for integrating NextCloud with OneLogin SSO direct the administrator to add index.php after the NextCloud domain or subdomain, which causes the following fatal error message to be logged:

The response was received at https://nextcloud.example.com/apps/user_saml/saml/acs instead of https://nextcloud.example.com/index.php/apps/user_saml/saml/acs

Step 3 – Next, go to the Parameters page for the app, and add a new parameter by clicking the + icon. A modal window titled New Field will appear.

This parameter is used to map the OneLogin user directory values to the username (UID) of the provisioned accounts in NextCloud. Name the field something such as “username”, then select the checkbox for Include in SAML assertion. Click the Save button to create the parameter.

[Screenshot: OneLogin - Parameters - New field]

If this SAML assertion checkbox is not selected, the single sign on to NextCloud will fail with an error message like “Account not provisioned. Your account is not provisioned, access to this service is thus not possible” after OneLogin redirects back to NextCloud.

In that case, the following error message will also be recorded in the NextCloud log:

IDP parameter for the UID (username) not found. Possible parameters are: []

Step 4 – Once the parameter is created, select from the Edit Field modal window the value from the OneLogin user directory which should be mapped to this parameter. If you wish to assign NextCloud users a username based on the part before the “@” in their work email address, select Email name part. Then, click the Save button.

[Screenshot: OneLogin - Parameters - Edit field]

Step 5 – Now in the OneLogin dashboard, navigate to the SSO page for the NextCloud app. Copy and paste the displayed values into Configuration > SSO & SAML Authentication in the NextCloud dashboard as follows:

| OneLogin administration panel | NextCloud dashboard |
|---|---|
| OneLogin username field | Attribute to map the UID to |
| Issuer URL | Identifier of the IdP entity |
| SAML 2.0 Endpoint (HTTP) | URL Target of the IdP where the SP will send Authentication Request Message |
| SLO Endpoint (HTTP) | URL Location of the IdP where the SP will send the SLO Request |
| X.509 certificate | Public X.509 certificate of the IdP |

[Screenshot: OneLogin SSO page showing Issuer URL, SAML 2.0 Endpoint (HTTP), SLO Endpoint (HTTP)]

[Screenshot: OneLogin NextCloud Integration - SSO]

OneLogin X.509 Certificate – click the View Details link on the previous page.

[Screenshot: OneLogin NextCloud Integration - X.509 Certificate]

After configuration, the SSO & SAML authentication page in the NextCloud admin dashboard should look similar to this.

To allow your users to log in using single sign on from the NextCloud desktop and mobile clients, you should select the Use SAML auth for the NextCloud desktop clients (requires user re-authentication) checkbox.

Also, we recommend selecting Allow the use of multiple user back-ends (e.g. LDAP) so users who were not provisioned through single sign on are still able to log in using the Direct login option.

If you accidentally lock yourself out of your admin account when enabling SAML & SSO in NextCloud, you can skip the redirect to the SAML login page by appending login?direct=1 to your NextCloud URL (e.g. https://nextcloud.example.com/login?direct=1).

[Screenshot: SAML & SSO Authentication app in NextCloud]

Step 6 – Assuming everything was configured correctly, your NextCloud instance should now be integrated with OneLogin or a similar SAML IdP for single sign on. In an incognito or private browsing window, try signing into your NextCloud instance. You should see a login screen similar to this.

[Screenshot: NextCloud login page with SSO & SAML option]

Click the SSO & SAML login button and you should be redirected to OneLogin.

[Screenshot: NextCloud OneLogin SAML Login Page]

Using any user that has been granted access to the NextCloud application from the OneLogin administration panel (you can set up additional users from the Users tab), you should now be able to sign in to NextCloud. If the username does not already exist in NextCloud, a new NextCloud user account will be auto-provisioned for the corresponding OneLogin user.

From the NextCloud Users page (as an admin user), you can view the list of users who have logged in to NextCloud through the SAML integration and been auto-provisioned as a result. Hovering over those users will show the message “The backend does not support changing the display name”, as the username is controlled by the OneLogin integration.

[Screenshot: NextCloud user account provisioned by OneLogin]
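As an added example (not code from NextCloud or OneLogin), the following Python script parses a SAML Response and reports the two failures this article describes: the index.php endpoint mismatch from Step 2 and the missing UID attribute from Step 3. The attribute name username and the nextcloud.example.com URLs follow the article; the sample Response it builds is constructed for the example and unsigned.

```python
"""Pre-flight check of a SAML Response against NextCloud's SP endpoints.

Added example, not NextCloud or OneLogin code. It flags the two failure
modes described above: endpoint URLs that do not match the instance (e.g. a
stray index.php) and a missing UID attribute ("username", as in Step 3).
The XML produced by sample_response() is constructed for the example.
"""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def expected_endpoints(base_url):
    """SP URLs served by the user_saml app; note there is no index.php."""
    base = base_url.rstrip("/")
    return {"acs": f"{base}/apps/user_saml/saml/acs",
            "audience": f"{base}/apps/user_saml/saml/metadata"}

def check_response(xml_text, base_url, uid_attr="username"):
    """Return a list of problems; an empty list means the response fits."""
    exp = expected_endpoints(base_url)
    root = ET.fromstring(xml_text)
    problems = []
    dest = root.get("Destination")
    if dest != exp["acs"]:
        problems.append(f"Destination {dest} is not the ACS {exp['acs']}")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != exp["acs"]:
        problems.append("Recipient does not match the ACS URL")
    aud = root.findtext(".//saml:Audience", default="", namespaces=NS)
    if aud != exp["audience"]:
        problems.append(f"Audience {aud} is not {exp['audience']}")
    names = [a.get("Name") for a in root.findall(".//saml:Attribute", NS)]
    if uid_attr not in names:
        # same condition as the log line "IDP parameter for the UID ... not found"
        problems.append(f"UID attribute {uid_attr} missing; present: {names}")
    return problems

def sample_response(acs, audience, attrs):
    """Constructed, unsigned Response skeleton; real ones carry a signature."""
    attr_xml = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
                       "</saml:AttributeValue></saml:Attribute>"
                       for n, v in attrs.items())
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
            f' Destination="{acs}"><saml:Assertion><saml:Subject><saml:SubjectConfirmation>'
            f'<saml:SubjectConfirmationData Recipient="{acs}"/></saml:SubjectConfirmation>'
            "</saml:Subject><saml:Conditions><saml:AudienceRestriction><saml:Audience>"
            f"{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
            f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
            "</saml:Assertion></samlp:Response>")
```

The checker only inspects endpoints and attributes; signature and timestamp validation of real responses remains the job of the SSO & SAML Authentication app.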

If you need help troubleshooting your NextCloud SSO integration, or setting up a new instance of NextCloud with single sign on, we provide paid support which you can inquire about through our contact form.