Multiple user back-ends and stand-alone SAML SP

Hi,

I would like to request a feature that I don’t think is currently there. I would like to be able to use two authentication methods side by side on the same Nextcloud instance:

  • direct authentication via an LDAP
  • authentication via a stand-alone Shibboleth SP using an environment variable

I have the latter working fine, but this does not seem to be combinable with the “multiple user back-ends” option, because that assumes that the built-in SP is used. As far as I understand, Nextcloud would need to trigger a SAML authentication with the stand-alone SP when a user clicks the “SSO & SAML log in” button for this to work, and once the user is authenticated and redirected back, log them in automatically (like it does when “multiple user back-ends” is not selected).

Just for reference: The Drupal Shibboleth Authentication module (https://www.drupal.org/project/shib_auth) has this option. You can configure the login/logout handler URLs of your stand-alone SP (in fact that’s the only option, it does not provide a built-in SP). When the module is enabled, the standard Drupal authentication still works, but you get an extra “login with Shibboleth” link on the login page that directs the user to the SAML login via the stand-alone SP.

I saw on GitHub that in version 1.6.2 the multiple user back-ends option has now been disabled in combination with the environment variable option :slight_smile: Still, I think that this is a useful feature to have, for a scenario where you’re part of an identity federation (which means you can’t just add additional SPs at will) but would like to offer access to certain users who are not part of the federation as well.
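To make the requested flow concrete, here is an added illustration (constructed for this thread, not Nextcloud or user_saml code) of a login endpoint that offers both back-ends side by side: a local directory stand-in for the LDAP bind, and a redirect to a stand-alone SP's login handler with a return URL, after which the user id is read from a server environment variable. The handler URL, return path, host name and attribute name are assumptions; `/Shibboleth.sso/Login` with a `target` parameter is the Shibboleth SP's default session initiator, and the app's return path is assumed to be the one location the web server protects with the SP. The key check is that the environment variable is only trusted on that protected path, since anywhere else it is not set by the SP.

```python
"""Two login back-ends side by side: a local directory (stand-in for LDAP)
and a stand-alone SAML SP that exposes the authenticated user through a
server environment variable. Constructed illustration, not Nextcloud code."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode
import hashlib
import hmac

# Hypothetical configuration, mirroring the "login handler URL" setting the
# Drupal module exposes. /Shibboleth.sso/Login is the Shibboleth SP's default
# session-initiator path; /sso/return is an assumed app-side return URL that
# the web server is assumed to protect with the SP (e.g. "require shib-session").
APP_BASE = "https://cloud.example.org"            # assumed host
SP_LOGIN_HANDLER = APP_BASE + "/Shibboleth.sso/Login"
SP_RETURN_PATH = "/sso/return"                    # assumed protected path
SSO_ATTRIBUTE = "REMOTE_USER"                     # variable the SP populates
PBKDF2_ROUNDS = 100_000


def sso_redirect_url() -> str:
    """URL to send the browser to when the "SSO & SAML log in" button is
    clicked: the SP's login handler with our return URL as the target."""
    return SP_LOGIN_HANDLER + "?" + urlencode({"target": APP_BASE + SP_RETURN_PATH})


def user_from_environment(environ: Dict[str, str]) -> Optional[str]:
    """Accept the SP-populated variable only on the SP-protected return path.
    Elsewhere the variable is not set by the SP and must be ignored, so a
    value smuggled in by a client can never log anyone in."""
    if environ.get("PATH_INFO") != SP_RETURN_PATH:
        return None
    value = environ.get(SSO_ATTRIBUTE, "").strip()
    return value or None


@dataclass
class LocalDirectory:
    """Stand-in for the LDAP bind: constructed users with PBKDF2 hashes."""
    salt: bytes = b"constructed-salt"
    users: Dict[str, bytes] = field(default_factory=dict)

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)

    def add(self, name: str, password: str) -> None:
        self.users[name] = self._hash(password)

    def bind(self, name: str, password: str) -> bool:
        stored = self.users.get(name)
        candidate = self._hash(password)  # hash even for unknown users (uniform timing)
        return stored is not None and hmac.compare_digest(stored, candidate)


@dataclass
class Request:
    """Minimal request model: path, server environment, posted form fields."""
    path: str
    environ: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def dispatch(req: Request, directory: LocalDirectory) -> Tuple[str, str]:
    """Decide what the login endpoint does with one request.
    Returns ("redirect", url), ("session", user) or ("deny", reason)."""
    if req.path == "/login/sso":
        # The SSO button: hand the browser to the stand-alone SP.
        return ("redirect", sso_redirect_url())
    if req.path == SP_RETURN_PATH:
        # Back from the SP: the web server has already enforced a session.
        environ = dict(req.environ)
        environ["PATH_INFO"] = req.path
        user = user_from_environment(environ)
        return ("session", user) if user else ("deny", "no SP session")
    if req.path == "/login":
        # The ordinary form: bind against the local directory.
        name, password = req.form.get("user", ""), req.form.get("password", "")
        return ("session", name) if directory.bind(name, password) else ("deny", "bad credentials")
    return ("deny", "unknown login path")


if __name__ == "__main__":
    directory = LocalDirectory()
    directory.add("alice", "correct horse battery")
    print(dispatch(Request("/login", form={"user": "alice", "password": "correct horse battery"}), directory))
    print(dispatch(Request("/login/sso"), directory))
    print(dispatch(Request(SP_RETURN_PATH, environ={SSO_ATTRIBUTE: "bob@example.org"}), directory))
```

The two back-ends never share state: the SSO branch does not consult the directory, and the form branch ignores the environment variable entirely, which is what keeps a federated user and a local user from being confused for one another.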

Do you now manage to authenticate against a Shibboleth stand-alone SP and LDAP?

I have exactly the same need … and don’t know how to handle it on Nextcloud 14 or 15 …