Mapping Users from OpenID to existing Users

Nextcloud version (eg, 29.0.5): 29.0.4.1
Operating system and version (eg, Ubuntu 24.04): Ubuntu 22.04-LTS
Apache or nginx version (eg, Apache 2.4.25): Apache/2.4.52 (Ubuntu)
PHP version (eg, 8.3): 8.2.21

The issue you are facing:

My goal is to offer a SSO Service for my users by using Keycloak connected to LDAP and passing their identity to Nextcloud via OpenID. I decided to use the user_oidc app for that matter.
For legacy reasons all my users on NC have a User-ID not matching anything provided by LDAP and Keycloak. But email address and name are matching.
I tried to use the “Email mapping” option of the user_oidc app but always ended up creating a new user account with Keycloak’s User-ID instead of matching the user to the existing account.
Have I totally misunderstood the feature “Mapping”? Is there any chance of mapping an OpenID user to an existing NC user? I’m kind of lost here, my last resort would be to create a User Attribute “legacyID” in Keycloak.

Any ideas or second thoughts are appreciated. Thanks!

hi @dCooper welcome to the forum :handshake:

you can map users from IdP to Nextcloud but on Nextcloud side you must map some IdP attribute to the user ID. As you want to keep your existing users untouched you must extend your IdP users with values matching existing Nextcloud user ids. This attribute you can in turn map as Nextcloud user ID.

Small example:

Attribute           IdP                  Nextcloud
userID              bob                  nc-bob23
mail                bob@mydomain.tld     bob@mydomain.tld
somenewAttribute    nc-bob23

you can not map both users using the mail attribute… but once you add somenewAttribute with value nc-bob23 to the user bob in your IdP you can map the attribute somenewAttribute as UserId of the Nextcloud user.


@wwe Thank You for your hints! I’ve created a new attribute called “legacyName” which is set in Keycloak.
Unfortunately I get an error when I try to login via Keycloak:
“Access denied. Failed to provision the user” Funny thing is, that I don’t see anything in the NC Protocol.
Maybe I missed something in the configuration?

I would double check if the attribute legacyName is included in a token KC generates (not all attributes are included by default). You can review the token in KC console…

If this is the case increase NC log verbosity and try again.
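As an added illustration (not code from the thread or from the user_oidc app) of the two points above, mapping an IdP attribute to the existing Nextcloud user id and checking whether that attribute actually appears in the token Keycloak issues, the script below decodes a constructed, unsigned ID token and shows the three outcomes: claim present and matching an existing account, claim present but unknown, and claim missing (the "Failed to provision" situation). The claim name legacyName and the user ids are taken from the thread; the decision logic is illustrative only.

```python
import base64
import json

def b64url(data: bytes) -> str:
    """base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """Build an UNSIGNED, constructed ID token for offline inspection only."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."

def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying it.
    This is the same kind of look one takes at the token in the KC console;
    a real relying party must verify the signature before trusting claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def check_mapping(token: str, uid_claim: str, existing_users: set) -> tuple:
    """Illustrative mapping decision (not user_oidc's own code): the value of
    uid_claim becomes the Nextcloud user id.
      ("missing", None) -> claim absent from token: login cannot be provisioned
      ("existing", uid) -> claim present and matches an existing NC account
      ("new", uid)      -> claim present but unknown: a new account would be created
    """
    uid = decode_claims(token).get(uid_claim)
    if not uid:
        return ("missing", None)
    return ("existing" if uid in existing_users else "new", uid)

# Constructed sample data mirroring the thread: IdP user "bob", legacy NC id "nc-bob23".
EXISTING_NC_USERS = {"nc-bob23", "nc-alice07"}
TOKEN_WITH_CLAIM = make_token(
    {"sub": "bob", "email": "bob@mydomain.tld", "legacyName": "nc-bob23"})
# Same user, but the legacyName mapper was not added to the client scope.
TOKEN_WITHOUT_CLAIM = make_token({"sub": "bob", "email": "bob@mydomain.tld"})

if __name__ == "__main__":
    for label, tok in (("scope includes legacyName", TOKEN_WITH_CLAIM),
                       ("scope omits legacyName", TOKEN_WITHOUT_CLAIM)):
        print(label, "->", check_mapping(tok, "legacyName", EXISTING_NC_USERS))
```

Mapping the email claim instead yields the "new" outcome, which is why matching on mail alone does not attach the login to the legacy account.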

@wwe Thanks for the hint and the great support!
I’ve simply forgotten to include this new attribute “legacyName” to the dedicated scopes within Keycloak. Therefore it was not sent.

