Google as a SAML Provider

Does anybody have the user_saml plugin working using Google as a back end?

I’m not finding anything in the way of documentation on running such a configuration.

Thanks in advance.

Hey there,

G Suite (Google Apps for Work) seems to have some kind of implementation :thinking:

I just found the following about that: https://support.google.com/a/answer/60224?hl=en
Unfortunately, I can’t report about any experiences or provide you tutorials :grin:

Please report back, if you have more details - and if it is working :stuck_out_tongue_winking_eye:

Greetings

Marius

Hi,

The article Marius links to is for setting up access to G-Suite using an alternate identity provider (IDP). So in that article G-Suite is the SAML Service Provider (SP), not the IDP.

What ddarcy wants to do, and what I am also interested in doing, is to use G-Suite as the SAML IDP to authenticate to our Nextcloud implementations, i.e. our Nextcloud would be the SP. This article https://support.google.com/a/answer/6087519 describes how to do the Google end of this, but I have thus far been unable to get it working with my Nextcloud test server.

Given that Nextcloud supports Active Directory Federation Services (ADFS) as the IDP and ADFS is Microsoft’s implementation of SAML, it ought to be possible given sufficient information. If anyone in the community has managed to get this working I would appreciate some pointers as, I’m sure, would ddarcy.

In the meantime I’ll keep chipping away at it when I get some spare time and I will report back if I’m successful.

Cheers
Keith

Got it.

Nextcloud ignores the NameID that Google passes through.

On the Google IdP side, pass through an additional attribute containing the email address.
On the Nextcloud side, the first entry box on the SAML app page will need to match the name of the attribute you created above.

Let me know if anything is unclear there. I can also post more complete instructions if need be…

Clear as mud at the moment :slight_smile: but when I get a chance I’ll have another go bearing in mind your pointer. This is my first foray into SAML but I can usually get my head around stuff eventually.

That said I’m sure there are other folk, either already or in the future, that would appreciate a set of step by step instructions if you can find the time to document it.

Google Side

Note the SSO URL, Entity ID, and Certificate for later.

Application name: Nextcloud

[Next]

ACS URL: https://HOSTNAME/index.php/apps/user_saml/saml/acs

Entity ID: https://HOSTNAME/index.php/apps/user_saml/saml/metadata

Name ID: Basic Information - Primary Email
Name ID Format: EMAIL

[Next]

Add New Mapping

mail (attribute mapping) -> Basic Information - Primary Email

Nextcloud Side

General

mail (this goes in the unnamed text entry field. Needs to match the attribute name above)

Check boxes, they’re self-explanatory

Service Provider Data can be left empty.

Identity Provider Data

https://accounts.google.com/o/saml2?idpid=IDHERE (SSO URL)
https://accounts.google.com/o/saml2/idp?idpid=IDHERE (Entity ID)
URL Location of the IdP where SP will send the SLO request -> Empty
Enter the Certificate provided in the next text entry box.

You can leave security settings alone.

Let me know if this works. I’m copying settings verbatim out of both Google and Nextcloud, but it’s been 3 months since my initial attempt, so I may be missing something.

EDIT: Also know that this will cause the user’s email address to be their username. If you weren’t using that format before, users will be recreated @domain.com. I’m sure database changes to the user table are possible along with renaming user folders to move the pre-existing users over, but 100% not tested by me.

Users can either be autoprovisioned or not, depending on the state of the “Only allow authentication if an account is existent on some other backend. (e.g. LDAP)” checkbox.

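The following is an added example, not code from this thread or from Nextcloud's user_saml app. It parses a constructed, unsigned SAML Response shaped like the one Google's IdP would POST to the ACS URL and mimics the behaviour Dylan describes: the SP ignores the NameID, reads the attribute whose name matches the first entry box (here "mail"), and uses its value, the primary email address, as the Nextcloud username. It also shows the two sanity checks a practitioner wants before trusting a response: the Issuer must equal the IdP Entity ID and the Destination must equal the SP's ACS URL. The HOSTNAME/IDHERE placeholders, the alice@example.com user and the sample XML are all assumptions; signature and Conditions validation, which any real SP must do first, are deliberately left out.

```python
"""Minimal SAML Response inspection mirroring the Google -> Nextcloud mapping
described in the thread. Constructed sample data; not Nextcloud code."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values copied out of the two admin consoles (placeholders as in the post).
ACS_URL = "https://HOSTNAME/index.php/apps/user_saml/saml/acs"
IDP_ENTITY_ID = "https://accounts.google.com/o/saml2/idp?idpid=IDHERE"
ATTRIBUTE_NAME = "mail"  # must equal the attribute name added on the Google side

# Constructed sample response. Signature omitted: a real SP verifies it first.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2018-01-01T00:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-01-01T00:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_response(xml_text):
    """Return (issuer, destination, name_id, attributes) from a SAML Response.

    attributes maps each Attribute Name to the list of its AttributeValue texts.
    """
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    destination = root.get("Destination")
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    attributes = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return issuer, destination, name_id, attributes


def resolve_username(xml_text, attribute_name=ATTRIBUTE_NAME):
    """Derive the Nextcloud username the way the thread describes it.

    The NameID is read but not used; the configured attribute supplies the
    primary email, which becomes the username (hence users appear as
    user@domain.com). Returns None when the response was issued by a
    different IdP, addressed to a different SP, or lacks the mapped attribute,
    which is exactly the situation when the extra Google mapping is missing.
    """
    issuer, destination, _name_id, attributes = parse_response(xml_text)
    if issuer != IDP_ENTITY_ID or destination != ACS_URL:
        return None
    values = attributes.get(attribute_name)
    if not values or not values[0]:
        return None
    return values[0]


if __name__ == "__main__":
    print("NameID:", parse_response(SAMPLE_RESPONSE)[2])
    print("Nextcloud username:", resolve_username(SAMPLE_RESPONSE))
    print("With wrong attribute name:", resolve_username(SAMPLE_RESPONSE, "email"))
```

Run it as-is to see the mapped username, then rename the attribute in the sample (or pass a different attribute_name) to reproduce the failure you get when the Google-side attribute and the Nextcloud entry box disagree.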

Dylan,

I finally found time to play today. In the main it works, so thank you for providing the pointers.

I say in the main because if I navigate to http://testservername/mycloud it behaves as I would expect. If I’m not already logged on to my G-Suite account I get directed to sign in to Google, as I would expect. If I am already logged on to my G-Suite account I’m straight into my account on my nextcloud instance, which I called mycloud. So far so good.

However, adding the custom SAML app into G-Suite adds the app to the G-Suite user hub https://apps.google.com/user/hub. To see these apps you obviously need to be logged on. If I click on the app in the user hub I get directed to https://testservername/mycloud/index.php/apps/user_saml/saml/acs and get a blank page. If I click refresh I get prompted to confirm form re-submission and then get a message that says “User is already logged-in”. Do you experience similar or did you do something to resolve this? I’ve tried various URLs in the Google SAML definition Start URL field (various educated guesses) but not found the right option (not sure if this is how to fix it but it seemed logical).

Keith

A word of caution for anyone else that comes here and reads this. This does not currently seem to work with the Android mobile client.

Hi Keith,

I had the same issue and came up with a temporary hacky fix. In the file OnlyLoggedInMiddleware.php

    public function afterException($controller, $methodName, \Exception $exception) {
        if ($exception->getMessage() === 'User is already logged-in') {
            // HACK: Temp fix - send an already-authenticated user back to the
            // Nextcloud root instead of returning the 403 JSON response below.
            header('Location: /');
            exit;
            //return new JSONResponse('User is already logged-in', 403);
        }

        throw $exception;
    }

That might break support for Desktop client or Mobile though I have to try.

EDIT: It does not break Desktop client support, will try mobile later.

Sonny,

Are you indirectly saying that SAML sign on works with the mobile client? In my tests I have had to set a password in Nextcloud and use that for the mobile client.

No, I didn’t mean that. I never tested with the mobile client for now actually.

Hi!
Is there anything more that needs to be done? I followed all the steps described here and I still get errors like:
“403. That’s an error. Error: app_not_enabled_for_user” and “User not provisioned” even though I had registered that user in nextcloud GUI.
Could you help me on that, please?

A bit OT, but you can probably also set up SimpleSAMLphp as an IDP with Google as an OAuth2/OpenID Connect auth backend. A few extra steps, but if you want to use other auth sources as well it might be the best option.

Thanks @Krischan. Would you recommend anyone? Or how can I do that OAuth 2?
I did that and I have a Google token but I have no idea where to insert that.

I have not tried, but this might work:

That’s a Google error. The SAML app must be enabled on the Google side to authenticate, or it won’t work. Also know that they’re not exaggerating when they say it can take up to 48 hours for it to be enabled for all users.

Usernames in Nextcloud when using Google should take the format of username@mydomain.com. Google considers usernames to be the entire primary email address of the user when passing it to the service.

The notes in this post have enabled me to get my Nextcloud instance working with my legacy G-Suite implementation providing the authentication mechanism. I have written detailed notes for myself that assume I won’t remember any of this if I come to do it again. I figure these notes may be helpful to others who read this thread and feel that they would be more confident about doing this with click by click (almost) instructions. I have shared my notes and they can be viewed at https://docs.google.com/document/d/1yWk8Viov-1gKyen0UuERBiPgviAhJofcIabOHC0UnBg.

I will update this document if I work out a way to pass the Name ID rather than having to add the additional mapping or if I work out how to get the tile in the user hub to work reliably.

This sends my login page to a 404 error page at https://accounts.google.com/o/saml2/idp.... Did the URLs at Google change? Is the provided info still valid?

URL looks to have changed. I’ll try to provide an update but I probably won’t have an opportunity to look at it until next week.

I realised that I had my Chromebook with me, so I took a look while I was on the train.

Correction: the URLs have not changed. I therefore suspect one of two things is causing your 404 error. The first is that you may not have interpreted my instructions correctly and as a result did not follow them as I intended. The second, and probably more likely, is that the Google side has not had time to propagate fully before you’ve attempted to do the Nextcloud side. I would switch off SAML on Nextcloud (so that you don’t lose admin control if I’m wrong), wait a couple of days and then try again. I say this from bitter experience, as when I first tried to do this I was frustrated by errors until I realised that even on a small G-Suite environment the propagation does not happen quickly.

I hope this helps, if it doesn’t message again and I will do my best to assist.

It worked fine. Until it stopped without any given reason.
I’m receiving that:

403. That’s an error.

Error: app_not_configured_for_user

App was configured for all users in domain.
I just can’t find a reason why it stopped working.

I’m not sure how much use this will be;

That message is the message I encountered during my testing when the SAML app was not configured for the user in Google. For example, when I was testing I had two users in a sub-organisation called test; if I tried to access my test deployment from one of the other users, I’m pretty sure that is the message I got. This seems contrary to what you are saying. I would suggest that you double check the Google side, although I’m guessing that you have already done that. I would also check that the users exist in the Nextcloud user list.