Gluu's OpenID Connect Single Sign-On (SSO) NextCloud APP will enable you to authenticate users against any standard OpenID Connect Provider (OP). If you don't already have an OP you can use Google or deploy the free open source Gluu Server.
In order to use the NextCloud APP you will need a standard OP (like Google or a Gluu Server) and the oxd server.
Compatibility: NextCloud 11.x
If you already have the package, unzip it into the apps folder under your NextCloud site root.
Activate the app by performing the following steps:

1. Navigate to https://{site-base-url}/index.php/settings/apps
2. In the Not enabled section, find OpenID Connect SSO APP By Gluu and click the Enable button.
In your NextCloud admin menu panel you should now see the OpenID Connect menu tab. Click the link to navigate to the General configuration page:

(screenshot: nextcloud)
This is not configurable in all OPs. It is configurable if you are using a Gluu Server. Follow the instructions below to limit access based on an OP role.

oxd-server/conf/oxd-conf.json file). Click Register to continue.

If your OpenID Provider supports dynamic registration, no additional steps are required in the General tab and you can navigate to the OpenID Connect Configuration tab.
If your OpenID Connect Provider doesn't support dynamic registration, you will need to insert your OpenID Provider client_id and client_secret on the following page.

To generate your client_id and client_secret, use the redirect URI https://{site-base-url}/index.php/apps/gluusso/loginfromopenid.
If you are using a Gluu Server as your OpenID Provider, you can make sure everything is configured properly by logging into your Gluu Server and navigating to the OpenID Connect > Clients page. Search for your oxd id.
Navigate to the Users tab in the left hand navigation menu. Click Manage People. Add the User Permission attribute to the person and specify the same value as in the app. For instance, if in the app you have limited enrollment to user(s) with role = nextcloud, then you should also have User Permission = nextcloud in the user entry. See a screenshot example.

permission scope is requested (see below).

Scopes are groups of user attributes that are sent from the OP to the application during login and enrollment. By default, the requested scopes are profile, email, and openid.
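The role limit described above, worked through as an added example (this is not code from the Gluu NextCloud app). It assumes the User Permission attribute reaches the application as a claim named permission, which the OP only includes when the permission scope was requested; the claim name, the user records and the claim values are constructed for the example. It checks the configured role value against the claim, treats a string and a list the same way, and reports a missing claim separately from a wrong value, since a missing claim usually means the scope was not requested:

```python
"""Check an authenticated user's permission claim against the app's role limit.

Added example, not code from the Gluu NextCloud app. Models the page's
"limit enrollment to user(s) with role = nextcloud" setting: the value the OP
returns for the User Permission attribute (assumed here to arrive as the
'permission' claim) must contain the configured role exactly.
"""

# Constructed claims, shaped like what an OP returns from its userinfo endpoint.
USER_WITH_ROLE = {"sub": "1234", "email": "alice@example.com", "permission": ["nextcloud", "wiki"]}
USER_WRONG_ROLE = {"sub": "5678", "email": "bob@example.com", "permission": "wiki"}
USER_NO_CLAIM = {"sub": "9012", "email": "carol@example.com"}


def permission_values(claims, claim_name="permission"):
    """Normalise the claim to a set of strings: an OP may send a string or a list."""
    value = claims.get(claim_name)
    if value is None:
        return set()
    if isinstance(value, str):
        value = [value]
    return {str(v) for v in value}


def enrollment_allowed(claims, required_role, claim_name="permission"):
    """Return (allowed, reason).

    An empty required_role means the limit is not configured, so everyone the
    OP authenticated may enroll. Otherwise the claim must be present and
    contain the exact configured value. A missing claim is reported on its own
    because it usually means the 'permission' scope was not requested.
    """
    if not required_role:
        return True, "no role limit configured"
    if claim_name not in claims:
        return False, "claim %r absent: check that the %r scope is requested" % (claim_name, claim_name)
    values = permission_values(claims, claim_name)
    if required_role in values:
        return True, "role %r present" % required_role
    return False, "role %r not in %s" % (required_role, sorted(values))


if __name__ == "__main__":
    for user in (USER_WITH_ROLE, USER_WRONG_ROLE, USER_NO_CLAIM):
        print(user["email"], enrollment_allowed(user, "nextcloud"))
```

The comparison is an exact string match, matching the page's instruction that the attribute value in the user entry must be the same as the value configured in the app; a user with no permission claim is denied rather than waved through.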
To view your OP's available scopes, open a web browser and navigate to https://OpenID-Provider/.well-known/openid-configuration. For example, here are the scopes you can request if you're using Google as your OP.
If you are using a Gluu server as your OpenID Provider, you can view all available scopes by navigating to the OpenID Connect > Scopes interface inside the Gluu Server.
In the APP interface you can enable, disable and delete scopes.
Bypass the local NextCloud login page and send users straight to the OP for authentication: Check this box so that when users attempt to log in they are sent straight to the OP, bypassing the local NextCloud login screen. When it is not checked, users will see the following screen when trying to log in:
Select ACR: To signal which type of authentication should be used, an OpenID Connect client may request a specific authentication context class reference value (a.k.a. "acr"). The authentication options available will depend on which types of mechanisms the OP has been configured to support. The Gluu Server supports the following authentication mechanisms out-of-the-box: username/password (basic), Duo Security, Super Gluu, and U2F tokens, like Yubikey.
Navigate to your OpenID Provider configuration webpage https://OpenID-Provider/.well-known/openid-configuration to see the supported acr_values.
In the Select acr section of the app page, choose the mechanism you want to use for authentication. If the Select acr value in the app is none, users are sent through the OP's default authentication mechanism.
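The three discovery-document checks above (whether the OP offers dynamic registration, which scopes it supports, and which acr_values it supports) and the Select acr behaviour, as one added example that is not code from the Gluu NextCloud app or the oxd server. It parses a constructed sample of the JSON an OP publishes at /.well-known/openid-configuration (the issuer, endpoints and acr names in the sample are made up for the example), reports which requested scopes the OP does not advertise, and builds the authorization request the app would redirect to, adding acr_values only when a specific acr is selected and refusing an acr the OP does not list; the client_id and the state parameter are placeholders, and the redirect URI is the one from the page:

```python
"""Inspect an OpenID Provider's discovery document and build a login request.

Added example, not part of the Gluu NextCloud app. Works on a constructed
discovery document of the shape served at
https://OpenID-Provider/.well-known/openid-configuration.
"""
import json
import secrets
from urllib.parse import urlencode

# Constructed sample discovery document; real OPs publish many more fields.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://op.example.com",
    "authorization_endpoint": "https://op.example.com/authorize",
    "registration_endpoint": "https://op.example.com/register",
    "scopes_supported": ["openid", "profile", "email", "permission"],
    "acr_values_supported": ["basic", "duo", "super_gluu", "u2f"],
})

# The app's default scopes from the page; the redirect URI uses the page's placeholder base URL.
DEFAULT_SCOPES = ["openid", "profile", "email"]
REDIRECT_URI = "https://{site-base-url}/index.php/apps/gluusso/loginfromopenid"


def parse_discovery(doc_text):
    """Return the discovery fields the app's configuration depends on."""
    doc = json.loads(doc_text)
    return {
        "issuer": doc["issuer"],
        "authorization_endpoint": doc["authorization_endpoint"],
        # An OP that publishes registration_endpoint supports dynamic registration;
        # otherwise client_id and client_secret have to be created by hand.
        "dynamic_registration": "registration_endpoint" in doc,
        "scopes": set(doc.get("scopes_supported", [])),
        "acr_values": set(doc.get("acr_values_supported", [])),
    }


def unsupported_scopes(requested, discovery):
    """Scopes the app requests that the OP does not advertise (e.g. 'permission')."""
    return sorted(set(requested) - discovery["scopes"])


def build_authorization_url(discovery, client_id, scopes, selected_acr="none", state=None):
    """Build the authorization request URL.

    acr_values is added only when the app's Select acr is not 'none', so the OP
    falls back to its default mechanism otherwise. An acr the OP does not list
    in acr_values_supported is rejected instead of being sent blindly.
    """
    if selected_acr != "none" and selected_acr not in discovery["acr_values"]:
        raise ValueError("acr %r not in acr_values_supported" % selected_acr)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        # state ties the callback to this login attempt; random unless the caller fixes it
        "state": state or secrets.token_urlsafe(16),
    }
    if selected_acr != "none":
        params["acr_values"] = selected_acr
    return discovery["authorization_endpoint"] + "?" + urlencode(params)


if __name__ == "__main__":
    d = parse_discovery(SAMPLE_DISCOVERY)
    print("dynamic registration:", d["dynamic_registration"])
    print("scopes_supported:", sorted(d["scopes"]))
    print("acr_values_supported:", sorted(d["acr_values"]))
    print("not advertised:", unsupported_scopes(DEFAULT_SCOPES + ["groups"], d))
    print(build_authorization_url(d, "client-id-placeholder", DEFAULT_SCOPES, "duo"))
```

Against a real OP, replace SAMPLE_DISCOVERY with the body fetched from the provider's /.well-known/openid-configuration; a non-empty result from unsupported_scopes is the signal to remove or rename a scope in the app's scope list before users hit a login error.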