Log into nextcloud using JumpCloud SAML authentification

Hello,

I am running Nextcloud v17 and I would like to use JumpCloud SAML service to authentificate to my nextcloud account.
JumpCloud has a Nextcloud connector available, which I activated and configured.
I tried and configure the Nextcloud SSO plugin on the other side, but it doesnt work.

Has anyone succeded in this and can help with the config options I have to use, both in Nextcloud an JumpCloud ?

Thanks

Here is my Jumpcloud IDP settings

User a SAML 2.0 template not the NextCloud template and fill it in as follows (BTW this is for
Nextcloud 18.0.4 installed via snap on Ubuntu 18.0.4 LTS)

Note to get around the post issue of only 4 urls per post I changed // to slash slash…

IDP Identity ID = JumpCloud
SP Identity ID = https:slash slash mynextcloud.local/index.php/apps/user_saml/saml/metadata
ACS URL = https:slash slash mynextcloud.local/index.php/apps/user_saml/saml/acs
SAMLSUBJECT NameID = username
SAMLSUBJECT NameID Format = urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Signature Algorithm = RSA-SHA256
Default RelayState: https: slash slash mynextcloud.local/index.php
IDP URL = https: slash slash jumpcloud.com/saml2/mynextcloud

USER ATTRIBUTE MAPPING:
displayname -> fullname
email -> email
username -> username

Enable the groups attribute and set the field to “memberOf”

Here is Nextcloud SP configuration

Attribute to map the uuid to = username
Identifier of the idP entity (must be uri) = JumpCloud
URL target of IDP = https: slash slash sso.jumpcloud.com/saml2/bizcubed-nextcloud

Under Show optional Identity Provider settings …
SLO = https:slash slash console.jumpcloud.com/userconsole
Paste in IdP certificate from JumpCloud

Enter the Attribute mapping
displayname -> displayname
email -> email
groups -> memberOf

Under Show security settings…
Check the first option (logoutRequest)
Check the Last option (ADFS)
The only problem that I’m getting is sometimes if I log out

1 Like

I am getting the following error in the login screen of nextcloud

Account not provisioned.
Your account is not provisioned, access to this service is thus not possible.

any suggestions ?
@JohnnyB75 I have followed your above steps

What do you settings look like?

What happens when you put in the url https://mynextcloud.local/index.php/apps/files/ after you get the “Account not provisioned” message?

we are running nextcloud on
Ubuntu 20.04 LTS (actually it is the vmware template from nextcloud)
Version: 7.4.3

The settings I used are identical to yours except “SAMLSUBJECT NameID Format”
because I dont see that setting there (SAML 1.1) instead I used 1.0

image

when I put the url https://mynextcloud.local/index.php/apps/files/ after I get the message …it redirect back to the nextcloud login page…

also we have tested https://www.okta.com/ SSO on this nextcloud instance and it worked fine.

Hi everybody. First off, thanks for your guides so far… I’ve followed the Jumpcloud setup guide further up in this thread, but to no avail.
I’ve also tried the article on medium that explains how to setup Azure ADFS SAML setup…
For both, I’m getting the same issue… the dreaded account is not provisioned.
I wish that there was some way to do further logging or testing in order to narrow this down.
Does anybody have any ideas?

Here are my current settings:
Jumpcloud:
ldP entity ID: JumpCloud
SP ENtityID : https.//users.obhecc.com/index.php/apps/user_saml/saml/metadata
acs url: https.//users.obhecc.com/index.php/apps/user_saml/saml/acs

SAML Subject NameID: username
SAMLSubject NameID format: urn:oasis:names:tc:SAML:1:1:nameid-format-unspecified
Sig: Algorithm: RSA-SHA256
Default Relay State: https://users.obhecc.com/index.php

Attributes:
displayname --> fullname
email --> email
username --> username

NextCloud

Attribute to map the UID to: username
Identifier: JumpCloud
URL Target of where the SP will send the auth request: https://sso.jumpcloud.com/saml2/nextcloud

Attribute mapping
displayname
email
username

I’ve checked the first and the last checkboxes under security settings

OK… after days and days and days… I seem to have gotten this working. I believe that using the email address as the subject name ID is what got things working…

image

1 Like