This article walks through configuring Nextcloud to use SAML Single Sign-On (SSO) with Apereo CAS 7.x, so that users can log in to Nextcloud with their CAS credentials.
Prerequisites
- Installed and configured Nextcloud instance
- Installed and configured Apereo CAS 7.x instance
- Administrator accounts on both systems
1. Configuring SAML in Apereo CAS
1.1 Turn on SAML2 support in Apereo CAS
Include the following dependency in your CAS build:
dependencies {
    /*
    The following platform references should be included automatically and are listed here for reference only.
    implementation enforcedPlatform("org.apereo.cas:cas-server-support-bom:${project.'cas.version'}")
    implementation platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)
    */
    implementation "org.apereo.cas:cas-server-support-saml-idp"
}
1.2 Configuring SAML in CAS settings
Next, add the following settings to cas.properties:
cas.authn.saml-idp.core.entity-id=https://sso.example.com:8443/saml/idp
cas.authn.saml-idp.metadata.file-system.location=file:/your/path/to/saml-idp/metadata
CAS automatically generates identity provider metadata at the specified path only if no metadata files are found there. If valid metadata files already exist at that location, CAS reuses them at startup.
1.3 Registering the Nextcloud instance with CAS
After successfully deploying your SAML-enabled CAS server, you can register the Nextcloud instance with CAS. The following example registers a Nextcloud instance in CAS using a JSON file.
{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId": "^https://doc.yournextcloud.com/.*",
  "name": "NextCloud",
  "metadataLocation": "https://doc.yournextcloud.com/index.php/apps/user_saml/saml/metadata",
  "id": 10001,
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  }
}
1.4 Get the certificate of the SAML IdP
To retrieve the content of the certificate, follow these steps:
- Navigate to the saml-idp/metadata folder as specified in step 1.2.
- Locate the file named idp-signing.crt.
- Run the command cat idp-signing.crt in your terminal to display the certificate's content.
- Copy the entire content and paste it into a text editor, such as Notepad.
2. Configuring SAML in Nextcloud
2.1 Install and enable the SAML SSO application in Nextcloud
- Log in to your Nextcloud instance as an administrator.
- Click the Profile Icon at the top right and then click Apps.
- Search for SSO & SAML authentication and click the Download and enable button.
2.2 Configure SSO & SAML authentication in Nextcloud
- Navigate to the Profile Icon from the top right side and click on Administration settings.
- From the left navigation panel, scroll down and click on SSO & SAML authentication.
- Click on the Use built-in SAML authentication button.
- Under Global settings, enable the checkbox Allow the use of multiple user back-ends. (e.g. LDAP)
2.3 Configure the settings to use your CAS as the IdP
In General, enter the following information in the corresponding text fields:
- Attribute to map the UID to: id
- Optional display name of the identity provider (default “SSO & SAML log in”): enter CAS Login or any meaningful name
In Identity Provider Data, enter the following information in the corresponding text fields:
- Identifier of the IdP entity (must be a URI): https://sso.example.com:8443/saml/idp
- URL Target of the IdP where the SP will send the Authentication Request Message: https://sso.example.com:8443/cas/idp/profile/SAML2/Redirect/SSO
Then, click on the Show optional Identity Provider settings ... link.
Paste the previously copied certificate (from step 1.4) into the Public X.509 certificate of the IdP text field.

3. Testing and Troubleshooting
After saving the settings, attempt to log in to Nextcloud using CAS SAML SSO. If you encounter any issues, please check the following:
- Review the CAS and Nextcloud logs for any error messages.
- Verify that the SAML certificates are configured correctly.
- Ensure that the network connection between CAS and Nextcloud is functioning properly.
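One way to carry out the certificate check above, as an added example that is not part of the original article or of the CAS or Nextcloud projects: the Python code below compares the three IdP values entered in step 2.3 with the IdP metadata CAS generated in step 1.2. It assumes that metadata is the idp-metadata.xml file in the same folder as idp-signing.crt; the function names and the sample data are constructed for illustration.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def cert_fingerprint(text):
    """SHA-256 of the DER bytes; accepts PEM or bare base64 with any line wrapping."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text or "")
    der = base64.b64decode("".join(body.split()), validate=True)
    return hashlib.sha256(der).hexdigest()

def check_idp_settings(metadata_xml, entity_id, sso_url, pasted_cert):
    """List mismatches between Nextcloud's IdP fields and a single EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    idp = root.find(".//md:IDPSSODescriptor", NS)
    problems = []
    if root.get("entityID") != entity_id:
        problems.append("entity ID differs from metadata entityID")
    sso = [s.get("Location") for s in idp.iterfind("md:SingleSignOnService", NS)
           if s.get("Binding") == REDIRECT]
    if sso_url not in sso:
        problems.append("SSO URL is not the HTTP-Redirect endpoint in metadata")
    signing = {cert_fingerprint(c.text)
               for kd in idp.iterfind("md:KeyDescriptor", NS)
               if kd.get("use", "signing") == "signing"  # no 'use' covers signing too
               for c in kd.iterfind(".//ds:X509Certificate", NS)}
    if cert_fingerprint(pasted_cert) not in signing:
        problems.append("pasted certificate is not an IdP signing certificate")
    return problems

# Constructed sample data: placeholder bytes stand in for real certificates.
SIGNING = base64.b64encode(b"constructed signing cert").decode()
ENCRYPTION = base64.b64encode(b"constructed encryption cert").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sso.example.com:8443/saml/idp">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{SIGNING}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{ENCRYPTION}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="{REDIRECT}"
    Location="https://sso.example.com:8443/cas/idp/profile/SAML2/Redirect/SSO"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""
```

For a real deployment, read the metadata file as bytes and pass the certificate text exactly as it was pasted into Nextcloud; an empty list means all three fields agree with the metadata.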
By following these steps, you can successfully configure Nextcloud to use CAS SAML Single Sign-On (SSO) for authentication.