SSO with SAML, Keycloak and Nextcloud
I am trying to setup Keycloak as a IdP (Identity Provider) and Nextcloud as a service. I want to setup Keycloak as to present a SSO (single-sign-on) page.
I am running a Linux-Server with a Intel compatible CPU. What is the correct configuration?
- Keycloak will be running as
https://kc.example.com - Nextcloud will be running as
https://nc.example.com
Prerequisite:
To use this answer you will need to replace example.com with an actual domain you own. Also, replace email@example.com with your working e-mail address.
It is assumed you have docker and docker-compose installed and running.
Setup your services with Docker
In addition to keycloak and nextcloud I use:
- nginx as a reverse-proxy
- letsencyrpt to generate the SSL-certificates for the sub-domains.
I'm setting up all the needed services with docker and docker-compose. This is how the docker-compose.yml looks like this:
version: '2'
nginx-proxy:
image: jwilder/nginx-proxy
restart: unless-stopped
ports:
- "80:80"
- "443:443"
volumes:
- "/etc/nginx/vhost.d"
- "./proxy-default.conf:/etc/nginx/conf.d/my-proxy.default.conf:ro"
- "/usr/share/nginx/html"
- "/var/run/docker.sock:/tmp/docker.sock:ro"
- "./le-cert:/etc/nginx/certs:ro"
labels:
com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
letsencrypt-nginx-proxy-companion:
image: jrcs/letsencrypt-nginx-proxy-companion
restart: unless-stopped
depends_on:
- nginx-proxy
container_name: le-proxy-companion
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- "./le-cert:/etc/nginx/certs:rw"
volumes_from:
- nginx-proxy
keycloak:
image: jboss/keycloak
links:
- keycloak-postgres:postgres
ports:
- 8080:8080
volumes:
- ./keycloak:/opt/jboss/keycloak
environment:
- KEYCLOAK_USER=admin
- KEYCLOAK_PASSWORD=admin
- "PROXY_ADDRESS_FORWARDING=true"
- VIRTUAL_PORT=8080
- VIRTUAL_HOST=kc.example.com
- LETSENCRYPT_HOST=kc.example.com
- LETSENCRYPT_EMAIL=email@example.com
keycloak-postgres:
image: postgres
environment:
- POSTGRES_DB=keycloak
- POSTGRES_USER=keycloak
- POSTGRES_PASSWORD=keycloak
nextcloud:
image: hoellen/nextcloud
environment:
- UPLOAD_MAX_SIZE=10G
- APC_SHM_SIZE=128M
- OPCACHE_MEM_SIZE=128
- CRON_PERIOD=15m
- TZ=Europe/Berlin
- DOMAIN=nc.example.com
- ADMIN_USER=admin
- ADMIN_PASSWORD=admin
- DB_TYPE=mysql
- DB_NAME=nextcloud
- DB_USER=nextcloud
- DB_PASSWORD=nextcloud
- DB_HOST=nc-db
volumes:
- ./nc/nc-data:/data
- ./nc/nc-config:/config
- ./nc/nc-apps:/apps2
- ./nc/nc-themes:/nextcloud/themes
environment:
- VIRTUAL_HOST=nc.example.com
- LETSENCRYPT_HOST=nc.example.com
- LETSENCRYPT_EMAIL=email@example.com
nc-db:
image: mariadb
volumes:
- ./nc/nc-db:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=nextcloud
- MYSQL_PASSWORD=nextcloud
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
I put my docker-files in a folder docker and within this folder a project-specific folder. Here keycloak. Create them with:
mkdir -p ~/docker/keycloak
Create the docker-compose.yml-File with your preferred editor in this folder. Start the services with:
cd ~/docker/keycloak
docker-compose up -d
Wait a moment to let the services download and start. Check if everything is running with:
docker-compose ps
If a service isn't running. Issue a second docker-compose up -d and check again.
Configure Keycloak, add a new Realm
Open a browser and go to https://kc.example.com. Click on Administration Console. As specified in your docker-compose.yml, Username and Password is admin.
On the top-left of the page, you need to create a new Realm. Click Add. Enter my-realm as the name. Click Save.
Click on the Keys-tab. Look at the RSA-entry. We will need to copy the Certificate of that line. Click on Certificate and copy-paste the content to a text editor for later use.
Prepare a Private Key and Certificate for Nextcloud
Open a terminal and issue:
openssl req -nodes -new -x509 -keyout private.key -out public.cert
This creates two files: private.key and public.cert which we will need later for the nextcloud service.
Configure Nextcloud
Open a browser and go to https://nc.example.com. As specified in your docker-compose.yml, Username and Password is admin.
You need to activate the SSO & Saml Authenticate which is disabled by default.
Important From here on don't close your current browser window until the setup is tested and running. If you close the browser before everything works you probably not be able to change your settings in nextcloud anymore. In such a case you will need to stop the nextcloud- and nextcloud-db-container, delete their respective folders, recreate them and start all over again.
Click on the top-right gear-symbol and then on the + Apps-sign. On the left now see a Menu-bar with the entry Security. Click it. You now see all security-related apps. Click on the Activate button below the SSO & SAML authentication App.
Click on the top-right gear-symbol again and click on Admin. Click on SSO & SAML authentication.
Use the following values:
- Attribute to map UID to: username
- Enable "Use SAML auth for the Nextcloud desktop clients (requires user re-authentication)"
- Copy the content of
public.certinto the 'X.509 Certificate'-field - Copy the content of
private.keyinto the 'Private key of Service Provider'-field. - Identifier of the IdP:
https://kc.example.com/realms/my-realm - URL Target of the IdP where the SP will send the Authentication Request Message:
https://kc.example.com/realms/my-realm/protocol/saml - URL Location of IdP where the SP will send the SLO Request:
https://kc.example.com/realms/my-realm/protocol/saml - Public X.509 certificate of the IdP: Copy the certificate from Keycloak from the
Keys-tab ofmy-realm. You will need to add '-----BEGIN CERTIFICATE-----' in front of the key and '-----END CERTIFICATE-----' to the end of it. - In-Service Provider Data:
- Attribute, displayname: username
- Attribute, email address: email
- Security Settings, enable the following options:
- Indicates whether the
<samlp:AuthnRequest>messages sent by this SP will be signed. [Metadata of the SP will offer this info] - Indicates whether the
<samlp:logoutRequest>messages sent by this SP will be signed. - Indicates whether the
<samlp:logoutResponse>messages sent by this SP will be signed. - Indicates a requirement for the
<samlp:Response>,<samlp:LogoutRequest>and<samlp:LogoutResponse>elements received by this SP to be signed. - Indicates a requirement for the
<saml:Assertion>elements received by this SP to be signed. [Metadata of the SP will offer this info]
- Indicates whether the
- Check there is a
Metadata validbeside theDownload metadata XML-Button
- Click the
Download metadata XML-Button. This generates and sends an XML file. Save it for use in the next step.
Configure Keycloak, Client
Access the Administrator Console again. Click on Clients and on the top-right click on the Create-Button.
Next to Import, click the Select File-Button. Select the XML-File you've created on the last step in Nextcloud.
and click Save.
You are presented with a new screen. Change the following fields:
- Name: Nextcloud
- Valid Redirect URIs:
https://nc.example.com/* - Click
Save
On the Tab Mappers:
- Click
Delete-Button on the preassignedrole list(if it exists) - Click
Create- Name: username
- Mapper Type: User Property
- Property: username
- SAML Attribute Name: username
- SAML Attribute NameFormat: Basic
- Click
Save
- Click
Create- Name: email
- Mapper Type: User Property
- Property: email
- SAML Attribute Name: email
- SAML Attribute NameFormat: Basic
- Click
Save
- Click
Create- Name: Roles
- Mapper Type: Role List
- Role attribute name: Roles
- Friendly Name: roles
- SAML Attribute NameFormat: Basic
- Single Role Attrubute: On
- Click
Save
Configure Keycloak, Add user
- On the left side, click on
Users - On the top-right, click
Add users - Set the following values:
- Username: user
- Email:
user@example.com - Click
Save
- On the tab
Credentials:- New Password: user
- Password Confirmation: user
- Temporary: Off
- Click
Reset Password
- A Window pops up:
- Click
Change Password
- Click
Test run
Open a new browser window in incognito/private mode. Eg. for google-chrome press Ctrl-Shift-N, in Firefox press Ctrl-Shift-P. Keep the other browser window with the nextcloud setup page open. Else you might lock yourself out.
Access https://nc.example.com with the incognito/private browser window. You are presented with the keycloak username/password page. Enter user as a name and password. You should be greeted with the nextcloud welcome screen.
Acknowledgement
- This guide wouldn't have been possible without the wonderful http://int128.hatenablog.com/entry/2018/01/16/194048 blog entry. I've read it with google-translator in English.
- Thanks goes also to RMM. His wiki entry allowed me to create correct keys for nextcloud and enable message-signing, thus improving this answer.
- Verify Microsoft Access token on my ASP.NET Core Web API
- How to set Azure MSAL SSO for my Nextjs14 app using Approuter and next-auth
- StackOverflow with Keycloak as login provider returns empty email address
- IdentityServer4 and SSO
- Spring Boot + Security + MVC + LDAP AD + SSO
- Issue with Windows Authentication Type on IIS with Multiple Host Bindings
- Generate IDP Certificate in Azure AD for SSO
- Disqus SSO, "Your API key is not valid on this domain"
- Sign-in With Apple: Possibility To Create Duplicate Account Issue
- AADSTS9002325: Proof Key for Code Exchange is required for cross-origin authorization code redemption
- MS Graph InteractiveBrowserCredential , Is a Client ID registered in Azure Portal really necessary?
- Logout from next-auth with keycloak provider not works
- How to validate access token from AzureAD in python?
- Outlook SSO NAA in pure JS without node.js
- How to create SSO from Liferay to another portal / service?
- How to add ForceAuthn flag on AWS cognito
- Download file from TeamCity with SSO using bash
- Which is the best sample/approach to start openiddict server to provide logins to wordpress?
- No Sustainsys.Saml2 for MVC 3? Are there any alternatives?
- Which lib to create an Identity provider to connect to service provider
- The page you are looking for cannot be displayed because an invalid method (HTTP verb) is being used
- Best way to implement Single-Sign-On with all major providers?
- Azure AD token for accessing Graph token
- Integration of SSO using MSAL in Angular project gets 401 returned error after login
- Simple way to put AWS Lambda app behind SAML authentication
- Why wouldn't the IdP initiate contact with the SP in a SAML 2.0 SSO integration?
- Log out from SSO kerberos
- Getting TypeError: client_secret_basic client authentication method requires a client_secret
- SSO not working in iOS when using AWS Cognito and Azure AD
- Azure b2c still authenticated after hitting logout