Disable only Direct Login button and allow via SAML login

Dear All,

I am running with latest NC on Ubuntu.

Maybe my requirement is not correct :slight_smile:

I have tested both LDAP and SAML. Now I want all users to sync from LDAP, but login must go via SAML only (this is just to make sure we use our centralized 2FA system, which is not working with LDAP).

Can anyone please help me with how to achieve this? I was thinking there might be an option to restrict login from LDAP (from Direct Login) and allow login from SAML only.
I cannot disable the LDAP app because I plan to sync users from LDAP only.

Any help please.

Dear All,
Any help please?

I was able to pull this off, but it was hairy. Basically your LDAP users are not regular users at all and probably don’t even have user IDs; they have UUIDs mapped in LDAP to a user ID.

My solution was a very involved set of SQL hacks to find and replace all the UUIDs with usernames that matched my SAML provider, so I could use it directly without LDAP’s help. This is not something that Nextcloud supports out of the box.

Thanks,
My need is only to hide the “direct login” button, nothing else.
In the backend, user sync will happen using LDAP only, but login will be via SAML.
Is there any way to hide this “Login with Direct” button?
Thanks

Hiding the login form will come with NC22. See Allow admins to hide the login form by rullzer · Pull Request #25910 · nextcloud/server · GitHub

That part is trivially easy. Uncheck the box in the SAML config that says multiple backends are allowed. You can also do this from occ (helpful in the event you can’t log in to your admin account to change this setting):

$ occ config:app:set user_saml general-allow_multiple_user_back_ends --value 0   # 0 = unchecked: only the SAML login is offered

Thank you so much. Restricting users from “Direct login” has other methods as well; we can play with attributes.
But I was looking for an option where the user should see only the “Login with SAML” option on the login page and no other login option.

Note: I cannot remove the LDAP app, as user sync will happen from LDAP.

Thanks

I use LDAP sync too, but my users never see an option to log in directly or with LDAP. When they hit my NC site address they are immediately redirected to the SAML IdP (Keycloak in my case). Once they log in there they are redirected back to NC. This seems to fit the situation you are in as well. Did you even try the setting I suggested?

Thank you so much. I am also using Keycloak with SAML, but when I open the main NC page it gives me two options to log in.
How do I achieve what you have, where it directly redirects to the Keycloak page for login?

Hi @alerque,
Thank you so much. Could you please suggest how you achieved this? We want a similar setup, where hitting the login URL should go to Keycloak.

Thanks

I already did, here. You have to disable other backends (this doesn’t mean disable the LDAP app; keep that so your user settings sync, you just have to tell the SAML app not to let anything else do the login part).

Ohh, thank you so much, I got it. It worked. Really appreciate it.
I only need to remember the occ commands to run if I need to enable local login again.
Thank you so much.
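
As an added example, not code from the thread or from Nextcloud, here is a small wrapper around the occ setting discussed above: it switches the `user_saml` flag between SAML-only and direct-login-allowed, reads the value back so you can confirm the login page really changed, and keeps the re-enable command handy for the case raised in the last post (needing local admin login when the IdP is down). The `OCC` variable and the web-server user and install path it defaults to are assumptions; adjust them to your server.

```shell
#!/bin/sh
# Added example: toggle and verify the Nextcloud user_saml "multiple backends" flag.
# OCC is an assumption (web-server user and install path); override it for your setup.
OCC="${OCC:-sudo -u www-data php /var/www/nextcloud/occ}"
KEY="general-allow_multiple_user_back_ends"

# Current value of the flag: 1 = "Direct login" shown, 0 = only the SAML login offered.
get_login_mode() {
    $OCC config:app:get user_saml "$KEY"
}

# Hide "Direct login". The LDAP app stays enabled, so user sync continues to work;
# only the SAML app's decision to accept other backends for login is changed.
saml_only_login() {
    $OCC config:app:set user_saml "$KEY" --value 0 >/dev/null
    [ "$(get_login_mode)" = "0" ]
}

# Re-enable direct login, e.g. for a local admin account when the IdP is unreachable.
allow_direct_login() {
    $OCC config:app:set user_saml "$KEY" --value 1 >/dev/null
    [ "$(get_login_mode)" = "1" ]
}

# Human-readable check to run after every change (and to audit the setting later).
describe_login_mode() {
    case "$(get_login_mode)" in
        0) echo "saml-only" ;;
        1) echo "direct-login-allowed" ;;
        *) echo "unknown" ;;
    esac
}

case "${1:-}" in
    saml-only)    saml_only_login    && describe_login_mode ;;
    allow-direct) allow_direct_login && describe_login_mode ;;
    status)       describe_login_mode ;;
    *)            echo "usage: $0 {saml-only|allow-direct|status}" >&2 ;;
esac
```

Run `./saml-login.sh saml-only` after configuring SAML, then `status` to confirm it reports `saml-only` before telling users the direct login is gone.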