Enable Nextcloud SAML SSO Authentication through Microsoft Azure Active Directory

Nate Russell
Mar 3 · 8 min read

Given that over 60% of companies most likely already have some form of Azure AD tenant in place, user authentication through Nextcloud’s official SSO & SAML authentication app should be the obvious and logical first choice for new Nextcloud deployments.

In a world where attacks against corporate data are becoming more prevalent and sophisticated, modern authentication for a newly deployed Nextcloud instance should be a top concern.

Steps to Enable User Authentication to Nextcloud through Microsoft Azure Active Directory

1. Download and enable the “SSO & SAML authentication” app, available from Nextcloud’s app catalog.
2. Once installed, navigate to the Nextcloud Settings page and select SSO & SAML authentication from the left navigation pane. Then select the first option, Use built-in SAML authentication.
3. After selecting that option, you will be directed to Nextcloud’s SSO & SAML authentication configuration page. Leave this window open; we will come back to it shortly.
4. In the Microsoft Azure console, navigate to Azure Active Directory > Enterprise Applications > New Application.
5. Select “Non-gallery application” and give it a name, in this case Nextcloud. Click Add at the bottom of the blade.
6. In the properties blade of your newly created Enterprise Application, select Users and Groups from the left-side navigation and add your test user(s). Be sure to select at least one user for testing purposes; the configuration will not succeed otherwise.
7. Next, navigate to Single sign-on, right below Users and Groups, and select the SAML option.
8. In the single sign-on configuration blade, edit the Basic SAML Configuration, adding the Identifier (Entity ID) and Reply URL associated with your Nextcloud instance.
9. Once the Basic SAML Configuration values are entered, navigate to the SAML Signing Certificate card and download the Federation Metadata XML file. We will insert data from this file into our Nextcloud configuration next.
10. Back in Nextcloud, fill in the required Identity Provider Data fields. The values for these fields are found in the SSO configuration section of the Azure Portal. Ignore the Public X.509 certificate of the IdP for now; we will come back to it shortly.
11. Open the XML file in your favorite text editor, find and copy the certificate value, and paste it into the Public X.509 certificate of the IdP field.
12. With this value in place, setup is complete and we are ready to test the configuration.
13. If the SSO configuration was successful, you should be directed to your Azure tenant’s Microsoft sign-in page. Enter the credentials for the test user you set up at the beginning and sign in.
14. If you land on your Nextcloud home page after signing in with your Azure AD test user credentials, congratulations! You have successfully configured SSO authentication for your Nextcloud users using Microsoft Azure Active Directory SAML. Full names and email addresses for your Azure AD users will pass to Nextcloud during authentication.

Note: an occasional error is shown on first login in Safari.
