Enable Nextcloud SAML SSO Authentication through Microsoft Azure Active Directory
User management and authentication in Nextcloud has notoriously been an area that has received little to no support through Nextcloud’s official documentation, and posts from the community are often outdated or hard to understand. In my opinion, this is perhaps one of the main reasons why more companies have not made the decision to self-host their corporate cloud storage with Nextcloud, as the open source platform already checks off just about every other box on the Dropbox or Box.com replacement checklist, all at a literal fraction of the cost.
In 2019, it’s hard to run a business and not subscribe to Microsoft Office 365 in some capacity or another. Although Google’s G Suite has gained notable traction in recent years, Microsoft continues to maintain its commanding lead in this department with an average monthly market share of around 60%. Not unlike its O365 counterpart, Microsoft Azure Active Directory is a product area where I don’t believe Microsoft will ever be beaten at its own game, and it is included free with every Office 365 subscription.
The notion that over 60% of companies most likely already have some form of Azure AD tenant in place means that user authentication through Nextcloud’s official SSO & SAML authentication app should be the obvious and logical first choice for new Nextcloud deployments.
Having tested and worked with both LDAP and ADFS deployments in Nextcloud in the past prior to (finally) deploying a production solution using Azure AD, I came to a few noteworthy conclusions as to why I feel that authenticating to Nextcloud through Microsoft Azure AD is superior when compared to the above-mentioned counterparts:
LDAP/LDAPS is legacy at this point. Perhaps LDAPS is keeping this protocol from completely falling out of production, but with respect to Nextcloud deployments it has some limitations:
It assumes you have an on-premises Microsoft (or equivalent) AD and that the Nextcloud machine is joined to it. Since I would say the majority of corporate Nextcloud deployments will be cloud hosted, this is unlikely.
Even if you do have this infrastructure in place, or if you are using a solution like a VPN connection to your on-prem AD or AWS’ Managed Microsoft AD, Nextcloud and community documentation is limited, and success is marginal at best.
ADFS still assumes you have an on-premises Microsoft AD, but allows you more flexibility in the sense that a federated trust may be established between your ADFS server and the Nextcloud instance for authentication, allowing you to place the Nextcloud instance in the cloud.
As with the others, the ADFS setup docs are dismal; however, provided you have the prerequisite infrastructure already in place, this option is easier to set up and far more secure than LDAP/LDAPS.
Although possible through federation to Azure AD connect, support for modern authentication methods (2FA, MFA) in ADFS is fairly recent, and Azure AD has a strong lead in this department as well. At the very least, locking down access to your Nextcloud instance via Microsoft Azure MFA is a solid way to mitigate questions concerning the security of Nextcloud when compared to commercial offerings.
In a world where attacks against corporate data are becoming more prevalent and sophisticated, modern authentication for a newly deployed Nextcloud instance should be a top concern.
Notable Mention — Auth0
It’s worth mentioning that I tested a solution posted online providing Azure AD SAML to Nextcloud via Auth0. Although a much lengthier setup process than what I’m about to detail below, the solution did work as documented. The problem, though, is that you are now tied to Auth0 as a middleman between your Azure tenant and Nextcloud, which of course carries an additional, unnecessary cost. Full disclosure: I tested this integration with a trial subscription to Auth0, and authentication through Azure AD was a feature that fell into their “Enterprise” tier, for which pricing was not listed publicly on their website. For reference, the tier before Enterprise was priced at $20/user a month. If the whole point is to save money on Dropbox and Box license fees, this would be a non-starter for any systems architect.
Steps to Enable User Authentication to Nextcloud through Microsoft Azure Active Directory
This post assumes you have the following prerequisites:
A running Nextcloud instance, publicly accessible through a TLD (https://nextcloud.domain.com)
An active Microsoft Azure AD tenant w/ Global Administrator privileges
For the purposes of this post, I have already set up a Nextcloud instance that is publicly accessible via the domain ‘nextcloud.greatbayconsult.com’. I also have an active Azure subscription with the ‘greatbayconsult.com’ domain verified and test user “Johnny Cash” (firstname.lastname@example.org).
Prepare your Nextcloud instance for SSO & SAML Authentication
Add Nextcloud as an Enterprise Application in the Microsoft Azure console and configure Single sign on for your Azure Active Directory users.
Identifier (Entity ID): https://nextcloud.yourdomain.com/index.php/apps/user_saml/metadata
The instance of Nextcloud used in this tutorial was installed via the Nextcloud Snap package. As of this writing, the Nextcloud snap configuration does not shorten or use pretty URLs, and “/index.php/” appears in all links. Don’t get hung up on this. If your Nextcloud installation has a modified PHP config that shortens this URL, remove “/index.php/” from the above link.
Add new Microsoft Azure AD configuration to Nextcloud SSO & SAML authentication app settings.
Attribute to Map the UID to:
Identity Provider Data
Identifier of the IdP entity (must be a URI):
https://sts.windows.net/[unique to your Azure tenant]/
This is your Azure AD Identifier value shown in the above screenshot.
URL Target of the IdP where the SP will send the Authentication Request Message:
https://login.microsoftonline.com/[unique to your Azure tenant]/saml2
This is your Login URL value shown in the above screenshot.
URL Location of the IdP where the SP will send the SLO Request:
This value is not tenant-specific and can be copied as-is; it is the Logout URL shown in the above screenshot.
Attribute to map the displayname to:
Attribute to map the email address to:
At this point you should have all values entered into the Nextcloud SAML & SSO configuration settings. In order to complete the setup configuration and enable our Nextcloud instance to authenticate users via Microsoft Azure Active Directory SAML based single sign-on, we must now provide the public signing certificate from Azure AD.
The value for the Identity Provider Public X.509 Certificate can be extracted from the Federation Metadata XML file you downloaded previously at the beginning of this tutorial.
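As an added example (not part of the original post), the following Python script pulls the four Identity Provider Data values described above out of a Federation Metadata XML file: the IdP entity ID, the HTTP-Redirect login and logout URLs, and the signing certificate re-wrapped as PEM for the Nextcloud field. The embedded metadata, tenant id and certificate bytes are constructed placeholders; point it at your downloaded file instead.

```python
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for the Federation Metadata XML downloaded from the Azure
# portal; a real file is signed and carries extra WS-Federation elements, which
# the parser ignores. Tenant id and certificate bytes are placeholders.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>
     MIIPLACEHOLDERCERTBASE64PLACEHOLDER==
   </X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""


def idp_settings(metadata_xml: str) -> dict:
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")

    def redirect_location(tag: str) -> str:
        # Prefer the HTTP-Redirect entry; Azure lists the same URL for HTTP-POST.
        for svc in idp.findall(f"md:{tag}", NS):
            if svc.get("Binding") == REDIRECT:
                return svc.get("Location")
        raise ValueError(f"no HTTP-Redirect {tag} in metadata")

    # First signing cert (use="signing" or no use attribute); two may appear during rollover.
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if kd.get("use", "signing") == "signing" and cert is not None and cert.text:
            break
    else:
        raise ValueError("no signing certificate in metadata")
    b64 = "".join(cert.text.split())  # drop the whitespace the XML carries
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % "\n".join(textwrap.wrap(b64, 64))
    return {"idp_entity_id": root.get("entityID"),
            "sso_url": redirect_location("SingleSignOnService"),
            "slo_url": redirect_location("SingleLogoutService"),
            "x509_cert_pem": pem}
```

Compare the returned entity ID and URLs against the values shown in the Azure portal before pasting them into Nextcloud; a mismatch usually means the metadata file belongs to a different tenant or application.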
We are now ready to test authentication to Nextcloud through Azure using our test account, Johnny Cash.
Before we do this, make sure to note the failover URL for your Nextcloud instance. In the event something goes awry, this ensures we cannot be locked out of our Nextcloud deployment:
Open a private tab in your browser (so as not to interrupt the current admin user login) and navigate to your Nextcloud instance’s URL.
Switching back to our non private browser window logged into Nextcloud via the initially created Admin account, you will see the newly created user “Johnny Cash” has been added to the user list. In a production environment, make sure to immediately assign a user created from Azure AD to the admin group in Nextcloud. This will prevent you from being locked out of Nextcloud’s admin settings when authenticating via SSO.
If, after following all the steps outlined, you receive an error from Microsoft when attempting to log in stating that the “Application w/ Identifier cannot be found in directory…”, don’t be alarmed.
As bizarre as it is, I found simply deleting the Enterprise application from the Azure tenant and repeating the steps above to add it back (leaving Nextcloud config settings untouched) solved the problem. I’ve tested this solution about half a dozen times, and twice I was faced with this issue. Your mileage here may vary.
When testing the configuration on Safari, I often encountered the following error immediately after signing in with an Azure AD user for the first time. Simply refreshing the page solved the problem, which only seems to happen on the initial login. When testing in Chrome no such issues arose.
Please feel free to comment or ask questions. This has been an issue that I have been wrangling for months and hope that this guide perhaps saves some unnecessary headache for the deployment of an otherwise great cloud business solution.