Changing SSO from SAML to OpenIDConnect

Hi

I have a nextcloud running SSO with SAML Authentication. Now I want to change it to OpenidConnect. I have already done the configuration but I want to test it before fully changing to OpenidConnect. How can I test that and how do I make the switch from SAML to OpenidConnect?

Hello @Rom200,

Without additional information the community members cannot help you. What did you do so far, and what is your problem? By default all SSO apps I’m aware of integrate a “sign in with …” button into the login page. If you enforced SSO you must RTFM how to disable it and recover the default login form. Sometimes there is also a special URL to access the form.

Regards,
wwe

Hello

My problem is that I was not able to find the right manual for changing sso authentication in nextcloud.

Regards

Try cl

Still not a 100% sure what you mean by that, but if the problem is simply that, as @wwe already mentioned, you can’t log in with your newly added OpenID Connect provider because SSO is enforced, try accessing your Nextcloud via:

https://cloud.yourdomain.tld/login?direct=1

This should bring up the login screen, where you should see a button labeled Log in with "name of OIDC provider".

If that doesn’t help, or if you’re experiencing a different issue, please provide a more detailed description of the problem, and explain what isn’t working, what steps you’ve already taken, which OIDC integration app you’re using and how it’s configured. Otherwise, no one here will be able to help you and it will remain a guessing game. :wink:

1 Like

That helped finding the link for testing the authentication.

But I still do not know how I change the default method for the users from SAML to OpenID Connect. By default method, I mean the authentication method that I get redirected to when accessing the Nextcloud via https://cloud.yourdomain.tld.

To be honest, I’m not sure if they can co-exist. You might have to disable SAML completely for this to work, but I’m not sure as I don’t know much about it.

Unfortunately, the docs for the user_saml app seem to be locked away behind an enterprise subscription login. However, the small snippet you can see there suggests that it could be exactly as I suspect: Configuring Single-Sign-On

Addition:

For the user_oidc app (documentation here), there is an occ command where you can configure it as the default authentication backend:

occ config:app:set user_oidc allow_multiple_user_backends --value=0

value=0: Login screen disabled, user is logged in directly when authenticated with OIDC.

value=1: Login screen is shown, user must click on the “Login with OIDC provider” button.

There may be similar commands/config options for the user_saml app. However, as the documentation for this is not public, I don’t know.

1 Like

I have generally managed to do the OpenID Connect implementation, but unfortunately the account name of a new user is a uid instead of the email from the AD. The Issuance Transform Rule is a rule with E-Mail-Addresses as LDAP Attribute and email as Outgoing claim type and no other claim in that rule. The Nextcloud OpenID Connect app is configured to use email as the claim for user_id. What could be the problem?

Do I have to use preferred_username for that field? Because I have my email claim already mapped to that field.

You can use whatever you want as a mapping. If you want the IdP mail attribute to become the NC username, then use mail there.

I did the mapping, but Nextcloud still takes the uid as the user ID mapping. Below you can see my configuration.

Is “E-Mail-Addresses” a valid LDAP attribute (what about “mail” if the source is an AD)? What is the source of your users? What is your OIDC provider? We have nearly no information about your systems, so we cannot help.

I have E-Mail-Addresses in another working OIDC instance for another application, so I believe it is a valid attribute. I cannot choose mail as an LDAP attribute because it does not exist in the dropdown menu, and manually writing mail in the field does not let me save it. My user source is the Active Directory and my OIDC provider is Microsoft AD FS.
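The thread never shows what the ID token from AD FS actually contains, which is the first thing to check when the mapped user_id claim does not take effect. The following is an added diagnostic, not code from the thread or from the user_oidc app: it decodes a token's payload (without verifying the signature, so it is for inspection only) and compares the claims present against a user_oidc-style mapping. The token contents, the issuer URL and the mapping field names other than user_id are constructed assumptions.

```python
"""Inspect the claims of an OIDC ID token and check them against a
Nextcloud user_oidc-style attribute mapping.

Constructed sample data only. The signature segment is a placeholder and is
never verified, so this is a read-only diagnostic, not an authentication step.
"""
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).

    No signature check is performed: the goal is to see what the IdP sends,
    not to trust it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated parts")
    return json.loads(b64url_decode(parts[1]))


def resolve_mapping(claims: dict, mapping: dict) -> dict:
    """Apply a mapping of Nextcloud field -> claim name to the token claims.

    A field resolves to None when the IdP did not send the mapped claim,
    which is what to look for when accounts get an unexpected identifier.
    """
    return {field: claims.get(claim) for field, claim in mapping.items()}


def missing_claims(claims: dict, mapping: dict) -> list:
    """List (deduplicated, sorted) mapped claim names absent from the token."""
    return sorted({claim for claim in mapping.values() if claim not in claims})


def make_token(payload: dict) -> str:
    """Build an unsigned demo token with a placeholder signature (constructed)."""

    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.signature-placeholder"


# Constructed tokens: one where the IdP issues an email claim, one where it
# only issues sub/upn, so a user_id mapping on "email" finds nothing.
TOKEN_WITH_EMAIL = make_token({
    "iss": "https://adfs.example.test/adfs",  # constructed issuer
    "sub": "S-1-5-21-EXAMPLE",
    "email": "alice@example.test",
    "preferred_username": "alice",
})
TOKEN_WITHOUT_EMAIL = make_token({
    "iss": "https://adfs.example.test/adfs",
    "sub": "S-1-5-21-EXAMPLE",
    "upn": "alice@example.test",
})

# Mapping as described in the thread (user_id from the email claim); the
# display_name and email fields are assumed for illustration.
MAPPING = {"user_id": "email", "display_name": "name", "email": "email"}

if __name__ == "__main__":
    for label, token in (("with email", TOKEN_WITH_EMAIL), ("without email", TOKEN_WITHOUT_EMAIL)):
        claims = decode_jwt_claims(token)
        print(label, "->", resolve_mapping(claims, MAPPING),
              "missing:", missing_claims(claims, MAPPING))
```

Paste the real ID token (taken from the browser's network trace or the app's debug log) in place of the constructed ones; if the mapped claim shows up as missing, the issuance rule on the IdP side is what needs attention rather than the Nextcloud mapping.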