Migrating users to Keycloak SSO

Blubbman · June 3, 2022, 12:41pm

hey.

I’m moving a company ecosystem I’m managing to SSO (via Keycloak). Now, I need a solution: I want users to login to their sso account and still have all of their files and other data. How can I do that? Is there some fancy database magic or OCC command I can utilize?

wwe · June 3, 2022, 8:01pm

Social Login app allows you to integrate Identity providers through OpenID/Oauth …

mactrent · June 6, 2022, 3:21pm

I believe the problem discussed is: after setting up an alternative sign-in method as above, users end up with both existing Nextcloud-native accounts and the newly created externally-authenticated accounts. How would an admin transfer the user files and settings between those, for each user?

The process I know would mostly work (but scales poorly) would be to:

Admin can use Impersonate to export user settings, calendar events, etc from the old accounts manually.
You’ll need users authenticate to create their new account, then you can manually import those settings.
You can then transfer files from the old accounts to the new, hopefully preserving any share links. Folders shared between users will need to be re-shared to the new accounts.

But if, as Blubbman asks, there is some fancy database manipulation that saves all of this manual per-user work, I’d also be interested to hear it.

wwe · June 6, 2022, 7:03pm

as all the stuff which is not files is stored in the database you definitely can go this way. the problem is you need to reverse-engineer every single app you are using and fiddle with it’s settings and there is no generic approach. If the way is suitable for you you can decide depending on how many apps you are actively using…

Maybe there is a way to trick with new auth method to make it “pick-up” old accounts? by adding additional parameters so the system can detect/link same user?

Update: I’m wondering this setting will help you to link exisitign users with KC logins?

Source: Janik von Rotz - OpenID Connect with Nextcloud and Keycloak

[x] Prevent creating an account if the email address exists in another account

I’m sorry one more time the forum fails to add attachments - so no screenshot

wwe · June 25, 2022, 8:26pm

In fact Social Login app doesn’t allow to to auto-match users with OIDC backend… but oidc_login does. I played a little with the app and it gives you a chance to login using existing NC user (match by userid). At the moment I don’t fully understand the best way to manage users - allow auto-create or not, adopt attributes from OIDC provider or manage on NC side but this app looks for me like the way to go.

Little disappointing Social Login doesn’t have this functionality… the app really looks good but for me this limitation is a blocker.