How to give SAML Users Admin Rights

I am searching for a way to authenticate admins via SAML SSO. In my initial testing I was able to add the user to the admin group manually in Nextcloud. However, after I added the group attribute mapping so that I could add groups to Nextcloud from the SAML provider (Azure AD), the admin group is removed at login, even if I use a user that isn’t mapped to any groups on the SAML provider. I have considered adding an admin group on the provider, however that’s very generic; it would be a lot better if I could use nextcloud-admin or something, as the SAML provider is providing authentication for a lot of different services.


It appears the group ‘admin’ is fixed and the only way for SSO & SAML app to grant admin rights to a SAML user is to have them be joined to the group ‘admin’. I agree this is generic and would not be appropriate for enterprise environments.

I think a feature request in the user_saml plugin to allow a custom mapping to the ‘admin’ group would be an appropriate way to handle this.

UPDATE: Created issue “Grant Admin Rights to custom SAML group” (nextcloud/user_saml issue #561 on GitHub).

I use a cron script to update accounts in the “admin” group from a SAML group. When a group parameter is passed into Nextcloud, it creates the group with a prefix of “SAML_”, so a group called “Nextcloud Admin” would become “SAML_Nextcloud Admin”.

To sync accounts from “SAML_Nextcloud Admin” into the native “admin” group, I have a script that loops through the list of users and adds or removes them from the admin group every few minutes.

php occ group:list --output=json_pretty

The headache is the occ command will pull all groups and users. I would like to pull from just the “admin” group and “SAML_Nextcloud Admin” group, but the granularity in the command is not available.
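As an added example (not the poster’s script), the sync described above can be written so that the decision logic is separated from the occ calls: it parses the JSON from `occ group:list`, computes who must be added to or removed from “admin” to match “SAML_Nextcloud Admin”, and never removes a protected local break-glass account, so a broken SAML mapping cannot lock every admin out. The JSON shape (group id mapped to a list of user ids) and the protected account name are assumptions.

```python
import json
import subprocess

SAML_ADMIN_GROUP = "SAML_Nextcloud Admin"  # group user_saml creates from the mapped attribute
LOCAL_ADMIN_GROUP = "admin"
# Local break-glass accounts the sync must never remove (assumed name).
PROTECTED_ADMINS = {"admin"}


def plan_sync(group_list_json, protected=PROTECTED_ADMINS):
    """Compare the SAML-mapped admin group with the native admin group.

    group_list_json is assumed to be `occ group:list --output=json` output,
    i.e. a mapping of group id -> list of user ids.
    Returns (to_add, to_remove) as sorted lists of user ids.
    """
    groups = json.loads(group_list_json)
    wanted = set(groups.get(SAML_ADMIN_GROUP, []))
    current = set(groups.get(LOCAL_ADMIN_GROUP, []))
    to_add = sorted(wanted - current)
    # Protected local admins stay even when absent from the SAML group.
    to_remove = sorted((current - wanted) - set(protected))
    return to_add, to_remove


def occ(*args, dry_run=True):
    """Run an occ command, or only print it in dry-run mode."""
    cmd = ["php", "occ", *args]
    if dry_run:
        print("would run:", " ".join(cmd))
        return 0
    return subprocess.run(cmd, check=False).returncode


def sync_admins(dry_run=True):
    """Fetch the group list from occ and apply the computed changes."""
    out = subprocess.run(["php", "occ", "group:list", "--output=json"],
                         capture_output=True, text=True, check=True).stdout
    to_add, to_remove = plan_sync(out)
    for uid in to_add:
        occ("group:adduser", LOCAL_ADMIN_GROUP, uid, dry_run=dry_run)
    for uid in to_remove:
        occ("group:removeuser", LOCAL_ADMIN_GROUP, uid, dry_run=dry_run)
    return to_add, to_remove


if __name__ == "__main__":
    # Constructed sample in the assumed shape of the occ JSON output.
    sample = json.dumps({"admin": ["admin", "alice", "carol"],
                         "SAML_Nextcloud Admin": ["alice", "bob"]})
    print(plan_sync(sample))  # (['bob'], ['carol'])
```

Run `sync_admins(dry_run=True)` from cron first to review the planned changes, then switch to `dry_run=False` once the output matches expectations.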