lemonldap-ng/doc/sources/admin/applications/nextcloud.rst

NextCloud
=========

|image0|

Presentation
------------

`NextCloud <https://nextcloud.com/>`__ is a fork of Owncloud, suite of
client-server software for creating file hosting services and using
them.

This documentation explains how to interconnect LemonLDAP::NG and
NextCloud using SAML 2.0 protocol.

Pre-requisites
--------------

.. _nextcloud-1:

NextCloud
~~~~~~~~~

You need to `install the
software <https://docs.nextcloud.com/server/10/admin_manual/installation/index.html>`__.


.. tip:: 

    If your NextCloud is behind a proxy (thus having a private
    IP), metadata generated by NextCloud won't work.
    
    Consider changing the configuration of NextCloud to force the domain, in
    **$nextcloudrootwww/config/config.php**, add the following:
    
    .. code:: php
    
       'overwritehost' => 'nextcloud.example.com',
    


You also need to enable the "SAML authentication" plugin in your
NextCloud. <code> + Apps -> Not enabled -> SAML authentication</code>

LL:NG
~~~~~

You need to enable SAML 2.0 issuer module in LL:NG:

::

   "General Parameters -> Issuer modules -> SAML -> Activation"

|image1|

NextCloud, SAML 2.0 configuration
---------------------------------

Configuration of SAML 2.0 in NextCloud is pretty straightforward.

::

   Administration -> SAML authentication

You will find the following fields:

-  **Attribute to map the UID to**: Identity attribute provided by your
   LL:NG that will be used as UID in NextCloud.
-  **Identity Provider Data**:

   -  **Identifier of the IdP entity**: SAML Metadata URL of your LL:NG
   -  **URL Target of the IdP where the SP will send the Authentication
      Request Message**: SingleSignOn URL of your LL:NG
   -  **URL Location of the IdP where the SP will send the SLO
      Request**: SingleLogOut URL of your LL:NG
   -  **Public X.509 certificate of the IdP**: Certificate of your LL:NG
      (see below for instructions)

We need a few steps to generate our LL:NG certificate (unless you
already have one). You first need to create a pair of SSH Keys in LL:NG:

::

   SAML 2 Service -> Security Parameters -> Signature

and click "New keys" |image2|

Take the private key in a private.key file, and run the following:

::

   openssl req -new -key private.key -out cert.csr
   openssl x509 -req -days 3650 -in cert.csr -signkey private.key -out cert.pem

Copy/Paste the content of your new cert.pem in the "Public X.509
certificate of the IdP" field of your NextCloud.

Your fields should look like this: |image3|

You can now download your metadata xml file.

LL:NG, SAML 2.0 Service Provider configuration
----------------------------------------------

We now have to define a service provider (e.g our nextcloud) in LL:NG.

Go to "SAML service providers", click on "Add SAML SP" and name it as
you want (example : 'NextCloud')

In the new subtree 'NextCloud', open 'Metadata' and paste the content of
your previously downloaded file (or upload the file)

|image4|

Now go in "Exported attributes" and add, at least, the 'uid'

|image5|

Don't forget to save your configuration.

You are now good to go, and you can add the application in
:doc:`your menu<../portalmenu>` and
:doc:`your virtual hosts<../configvhost>`.

.. |image0| image:: /applications/nextcloud-logo.png
   :class: align-center
.. |image1| image:: /applications/nextcloud_saml_activation.png
   :class: align-center
.. |image2| image:: /applications/nextcloud_certificate_keys.png
   :class: align-center
.. |image3| image:: /applications/nextcloud_saml_configuration.png
   :class: align-center
.. |image4| image:: /applications/nextcloud_service_metadata.png
   :class: align-center
.. |image5| image:: /applications/nextcloud_service_exportedattributes.png
   :class: align-center