I am trying to setup Keycloak as a IdP (Identity Provider) and Nextcloud as a service. I want to setup Keycloak as to present a SSO (single-sign-on) page.
I am running a
Here is a slightly updated version for nextcloud 15/16:
Open a browser and go to https://kc.domain.com . Click on Administration Console. As specified in your docker-compose.yml, Username and Password is admin.
On the top-left of the page you need to create a new Realm. Click Add. Enter my-realm as name. Click Save.
Click on the Keys-tab. Look at the RSA-entry. We will need to copy the Certificate of that line. Click on Certificate and copy-paste the content to a text editor for later use. Prepare a Private Key and Certificate for Nextcloud
Open a terminal and issue:
openssl req -nodes -new -x509 -keyout private.key -out public.cert
This creates two files: private.key and public.cert which we will need later for the nextcloud service. Configure Nextcloud
Open a browser and go to https://nc.domain.com . As specified in your docker-compose.yml, Username and Password is admin.
You need to activate the SSO & Saml Authenticate which is disabled by default.
Important From here on don't close your current browser window until the setup is tested and running. If you close the browser before everything works you probably not be able to change your settings in nextcloud anymore. In such a case you will need to stop the nextcloud- and nextcloud-db-container, delete their respective folders, recreate them and start all over again.
Click on top-right gear-symbol and the then on the + Apps-sign. On the left now see a Menu-bar with the entry Security. Click it. You now see all security realted apps. Click on the Activate button below the SSO & SAML authentication App.
Click on top-right gear-symbol again and click on Admin. Click on SSO & SAML authentication.
Use the following values:
Attribute to map UID to:username
Enable "Use SAML auth for the Nextcloud desktop clients (requires user re-authentication)"
Copy the content ofpublic.cert into the 'X.509 Certificate'-field
Copy the content ofprivate.key into the 'Private key of Service Provider'-field.
Identifier of the IdP: https://kc.domain.com/auth/realms/my-realm
URL Target of the IdP where the SP will send the Authentication Request Message: https://kc.domain.com/auth/realms/my-realm/protocol/saml
URL Location of IdP where the SP will send the SLO Request: https://kc.domain.com/auth/realms/my-realm/protocol/saml
Public X.509 certificate of the IdP: Copy the certificate from Keycloak from the Keys-tab of my-realm. You will need to add '-----BEGIN CERTIFICATE-----' in front of the key and '-----END CERTIFICATE-----' to the end of it.
In Identity Provider Data:
Attribute, displayname: username
Attribute, email adress: email
Attribute, Quota: nextcloudquota
Click Download metadata XML and save the file for the next step.
Security Settings, enable the following options:
Indicates whether the messages sent by this SP will be signed. [Metadata of the SP will offer this info]
Indicates whether the messages sent by this SP will be signed.
Indicates whether the messages sent by this SP will be signed.
Indicates a requirement for the , and elements received by this SP to be signed.
Indicates a requirement for the elements received by this SP to be signed. [Metadata of the SP will offer this info]
Check there is a Metadata valid beside the Download metadata XML-Button
Click the Download metadata XML-Button. This generate and send a XML file. Save it.
Configure Keycloak, Client
Access the Administror Console again. Click on Clients and on the top-right click on the Create-Button.
Next to Import, Click the Select File-Button. Select the XML-File you've create on the last step in Nextcloud.
Change:
Client SAML Endpoint: https://kc.domain.com/auth/realms/my-realm
and click Save.
You are presented with a new screen. Change the following fields:
Name: Nextcloud
Valid Redirect URIs: https://nc.domain.com/ *
Click Save
On the Tab Matters:
Click Delete-Button on the preassigned role list
Click Create
Name: username
Mapper Type: User Property
Property: username
SAML Attribute Name: username
SAML Attribute NameFormat: Basic
Click Save
Click Create
Name: email
Mapper Type: User Property
Property: email
SAML Attribute Name: email
SAML Attribute NameFormat: Basic
Click Save
Click Create
Name: Roles
Mapper Type: Role List
Role attribute name: Roles
Friendly Name: roles
SAML Attribute NameFormat: Basic
Single Role Attrubute: On
Click Save
Click Create
Name: nextcloudquota
Mapper Type: User Property
Property: nextcloudquota
SAML Attribute Name: nextcloudquota
SAML Attribute NameFormat: Basic
Click Save
Configure Keycloak, Add user
On the left side, click on Users
On the top-right, click Add users
Set the following values:
Username: user
Email: user@domain.com
Click Save
On the tab Credentials:
New Password: user
Password Confirmation: user
Temporary: Off
Click Reset Password
A Window pops up:
Click Change Password
Prerequisite:
To use this answer you will need to replace domain.com
with an actual domain you own. Also, replace email@domain.com
with your working e-mail address.
It is assumed you have docker and docker-compose installed and running.
In addition to keycloak and nextcloud I use:
I'm setting up all the needed services with docker and docker-compose. This is how the docker-compose.yml
looks like this:
version: '2'
nginx-proxy:
image: jwilder/nginx-proxy
restart: unless-stopped
ports:
- "80:80"
- "443:443"
volumes:
- "/etc/nginx/vhost.d"
- "./proxy-default.conf:/etc/nginx/conf.d/my-proxy.default.conf:ro"
- "/usr/share/nginx/html"
- "/var/run/docker.sock:/tmp/docker.sock:ro"
- "./le-cert:/etc/nginx/certs:ro"
labels:
com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
letsencrypt-nginx-proxy-companion:
image: jrcs/letsencrypt-nginx-proxy-companion
restart: unless-stopped
depends_on:
- nginx-proxy
container_name: le-proxy-companion
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- "./le-cert:/etc/nginx/certs:rw"
volumes_from:
- nginx-proxy
keycloak:
image: jboss/keycloak
links:
- keycloak-postgres:postgres
ports:
- 8080:8080
volumes:
- ./keycloak:/opt/jboss/keycloak
environment:
- KEYCLOAK_USER=admin
- KEYCLOAK_PASSWORD=admin
- "PROXY_ADDRESS_FORWARDING=true"
- VIRTUAL_PORT=8080
- VIRTUAL_HOST=kc.domain.com
- LETSENCRYPT_HOST=kc.domain.com
- LETSENCRYPT_EMAIL=email@domain.com
keycloak-postgres:
image: postgres
environment:
- POSTGRES_DB=keycloak
- POSTGRES_USER=keycloak
- POSTGRES_PASSWORD=keycloak
nextcloud:
image: hoellen/nextcloud
environment:
- UPLOAD_MAX_SIZE=10G
- APC_SHM_SIZE=128M
- OPCACHE_MEM_SIZE=128
- CRON_PERIOD=15m
- TZ=Europe/Berlin
- DOMAIN=nc.domain.com
- ADMIN_USER=admin
- ADMIN_PASSWORD=admin
- DB_TYPE=mysql
- DB_NAME=nextcloud
- DB_USER=nextcloud
- DB_PASSWORD=nextcloud
- DB_HOST=nc-db
volumes:
- ./nc/nc-data:/data
- ./nc/nc-config:/config
- ./nc/nc-apps:/apps2
- ./nc/nc-themes:/nextcloud/themes
environment:
- VIRTUAL_HOST=nc.domain.com
- LETSENCRYPT_HOST=nc.domain.com
- LETSENCRYPT_EMAIL=email@domain.com
nc-db:
image: mariadb
volumes:
- ./nc/nc-db:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=nextcloud
- MYSQL_PASSWORD=nextcloud
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
I put my docker-files in a folder docker
and within this folder a project-specific folder. Here keycloak
. Create them with:
mkdir -p ~/docker/keycloak
Create the docker-compose.yml
-File with your preferred editor in this folder. Start the services with:
cd ~/docker/keycloak
docker-compose up -d
Wait a moment to let the services download and start. Check if everything is running with:
docker-compose ps
If a service isn't running. Issue a second docker-compose up -d
and check again.
Open a browser and go to https://kc.domain.com . Click on Administration Console. As specified in your docker-compose.yml
, Username and Password is admin
.
On the top-left of the page, you need to create a new Realm. Click Add
. Enter my-realm as the name. Click Save
.
Click on the Keys
-tab. Look at the RSA
-entry. We will need to copy the Certificate of that line. Click on Certificate
and copy-paste the content to a text editor for later use.
Open a terminal and issue:
openssl req -nodes -new -x509 -keyout private.key -out public.cert
This creates two files: private.key
and public.cert
which we will need later for the nextcloud service.
Open a browser and go to https://nc.domain.com . As specified in your docker-compose.yml
, Username and Password is admin
.
You need to activate the SSO & Saml Authenticate
which is disabled by default.
Important From here on don't close your current browser window until the setup is tested and running. If you close the browser before everything works you probably not be able to change your settings in nextcloud anymore. In such a case you will need to stop the nextcloud- and nextcloud-db-container, delete their respective folders, recreate them and start all over again.
Click on the top-right gear-symbol and then on the + Apps
-sign. On the left now see a Menu-bar with the entry Security
. Click it. You now see all security-related apps. Click on the Activate
button below the SSO & SAML authentication
App.
Click on the top-right gear-symbol again and click on Admin
. Click on SSO & SAML authentication
.
Use the following values:
public.cert
into the 'X.509 Certificate'-fieldprivate.key
into the 'Private key of Service Provider'-field.Keys
-tab of my-realm
. You will need to add '-----BEGIN CERTIFICATE-----' in front of the key and '-----END CERTIFICATE-----' to the end of it.Download metadata XML
and save the file for the next step.Metadata valid
beside the Download metadata XML
-Button
Download metadata XML
-Button. This generates and sends an XML file. Save it.Access the Administrator Console again. Click on Clients
and on the top-right click on the Create
-Button.
Next to Import, click the Select File
-Button. Select the XML-File you've created on the last step in Nextcloud.
Change:
and click Save
.
You are presented with a new screen. Change the following fields:
Save
On the Tab Matters
:
Delete
-Button on the preassigned role list
Create
Save
Create
Save
Create
Save
Users
Add users
Save
Credentials
:
Reset Password
Change Password
Open a new browser window in incognito/private mode. Eg. for google-chrome press Ctrl-Shift-N
, in Firefox press Ctrl-Shift-P
. Keep the other browser window with the nextcloud setup page open. Else you might lock yourself out.
Access https://nc.domain.com with the incognito/private browser window. You are presented with the keycloak username/password page. Enter user
as a name and password. You should be greeted with the nextcloud welcome screen.