What is NextCloud
Nextcloud is a suite of client-server software for creating and using file hosting services. Nextcloud is free and open-source, which means that anyone is allowed to install and operate it on their own private server devices.
This setup only works, when NextCloud is running with HTTPS enabled. See here on how to configure this.
In case something goes wrong with the configuration, you can use the URL
http://nextcloud.company/login?direct=1 to log in using the built-in authentication.
The following placeholders will be used:
nextcloud.companyis the FQDN of the NextCloud install.
authentik.companyis the FQDN of the authentik install.
Create an application in authentik and note the slug you choose, as this will be used later. In the Admin Interface, go to Applications->Providers. Create a SAML provider with the following parameters:
- ACS URL:
- Service Provider Binding:
- Signing certificate: Select any certificate you have.
- Property mappings: Select all Managed mappings.
You can of course use a custom signing certificate, and adjust durations.
In NextCloud, ensure that the
SSO & SAML Authentication app is installed. Navigate to
SSO & SAML Authentication.
Set the following values:
- Attribute to map the UID to.:
- Optional display name of the identity provider (default: "SSO & SAML log in"):
- Identifier of the IdP entity (must be a URI):
- URL Target of the IdP where the SP will send the Authentication Request Message:
- URL Location of IdP where the SP will send the SLO Request:
- Public X.509 certificate of the IdP: Copy the PEM of the Selected Signing Certificate
Under Attribute mapping, set these values:
- Attribute to map the displayname to.:
- Attribute to map the email address to.:
- Attribute to map the users groups to.:
You should now be able to log in with authentik.
If Nextcloud is behind a reverse proxy you may need to force Nextcloud to use HTTPS.
To do this you will need to add the line
'overwriteprotocol' => 'https' to
config.php in the Nextcloud
See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html#overwrite-parameters for additional information
Create a group for each different level of quota you want users to have. Set a custom attribute, for example called
nextcloud_quota, to the quota you want, for example
Afterwards, create a custom SAML Property Mapping with the name
SAML NextCloud Quota.
Set the SAML Name to
Set the Expression to
return user.group_attributes().get("nextcloud_quota", "1 GB"), where
1 GB is the default value for users that don't belong to another group (or have another value set).
To give authentik users admin access to your NextCloud instance, you need to create a custom Property Mapping that maps an authentik group to "admin". It has to be mapped to "admin" as this is static in NextCloud and cannot be changed.
Create a SAML Property mapping with the SAML Name "http://schemas.xmlsoap.org/claims/Group" and this expression:
for group in user.ak_groups.all():
if ak_is_group_member(request.user, name="<authentik nextcloud admin group's name>"):
Then, edit the NextCloud SAML Provider, and replace the default Groups mapping with the one you've created above.