Keycloak SSO - how to map only existing Keycloak users to Nextcloud users without creating new

Hi, I would like to use Keycloak as SSO provider fo Nextcloud 18.

I followed the instructions: https://devopstales.github.io/sso/nextcloud-sso/

I have installed Social Login app https://apps.nextcloud.com/apps/sociallogin

I do not want to auto-create users in nextcloud after they login using SSO. I just want to allow existing Nextcloud users to login via SSO using OpenID connect protocol.
Users in Keycloak and Nextcloud have the same login name and email. I also want to solve permissions and user groups in Nextcloud, not map it from Keycloak.

In social login app I have checked “Disable auto create new users”.

After I try to login using keycloak, I got following error: “Auto creating new users is disabled” and login fails. But user with the same login name exists in Nextcloud and Keycloak.

I need to keep the possibility of logging in with the local Nexcloud account without using SSO.

What I do bad?
Is it necessary to set Mappers in Keycloak client? But how? I tried everything possible, but still without success.
I think I need to set up login and email mapping.

Thanks for help.

the author of sociallogin app refuses to “auto-link” existing users to oidc providers (with reasons - I don’t agree but the reasons are reasonable)

Is it possible to manually link existing users to the keycloak instance?

yes. each user can login into Nextcloud and link his account to different providers from sociallogin

That (linking keycloak users to existing NC users - manually, if necessary) is something I was looking for and came across this thread. And I am very happy to find that this works.

But how?

I have an existing NC user account. And I have created a new user by logging in via Keycloak. When I am in my existing NC account and go to Social Login settings, I only see the option to “Disable password confirmation on settings change” but I don’t see any option to link the Keycloak created account. Where do I find this or how do I do that?

Thanks!

I don’t use sociallogin app because of this restriction - so can’t explain you how it works… But there is no way to merge an existing NC user with another user auto-created by OIDC. You need to remove the KC user, disable user auto-creation and link you OIDC login after logging in as NC user…

Okay, so there is this check box in admin settings of sociallogin to “allow users to link social accounts” (or something to that effect). After checking this box, I started seeing the option to link to an external account in the user’s settings. Linking was no problem at all and external authentication is now working (for the users that have linked out).

Thanks for your help!

1 Like