NCv12.0.1 SAML/SSO integration Okta


#1

Hey all,

Has anyone had any success getting SAML/SSO to work with Okta? I’ve been having some issues getting these two systems to talk to each other properly. It is likely a simple configuration problem, but it seems like the developers are using differing terminology? I’m honestly not sure, Okta support kind of just threw their hands up in the air about the problem.

When I attempt to log in to the site with what I’m guessing are the right configurations, I get the hand off to Okta for authentication, but after authenticating the page just goes blank. I can provide info from Firefox/Chrome developer tool logs, but I’m not certain if that’ll be overkill.

Here are some screenshots that might better highlight where I’m going wrong:

NCv12.0.1
OS: Ubuntu 16.04.2 LTS
Apache version: 2.4.18
PHP version: 7.0.18


#2

I’m having the same issue. Were you able to figure out how to get this working?


#3

I’ve managed to configure Nextcloud with Okta using user_saml. It’s working properly with this config:

Okta:
You need to create a new app:
SSO URL: https://${hostname}/apps/user_saml/saml/acs
Recipient URL: https://${hostname}/apps/user_saml/saml/acs
Destination URL: https://${hostname}/apps/user_saml/saml/acs
Audience URL: https://${hostname}/apps/user_saml/saml/metadata
You also need to add a new attribute mapping:
Attribute name “uid” pointing to the emailAddress or username (it will be the user login on the Nextcloud side).

Nextcloud:
Attribute to map the UID to: uid
Identifier of the IdP entity: http://www.okta.com/${20 digit hash}
URL Target of the IdP where the SP will send the Authentication Request Message: https://${org}.okta.com/app/${uri}
Certificate of IdP: paste from okta config

Without the attribute mapping to uid configured on the Okta side, you’ll see an error that the account is notProvisioned.


#4

Just in case it isn’t clear from above, the “uid” can really be anything. In my case I use rfc822Name as that hooks into other apps I use with SSO:

image

As long as it matches in Okta, you’re good to go:

image
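
An added example (not written by any poster in this thread and not part of user_saml): a Python check that compares a base64-decoded SAMLResponse against the ACS, audience and UID attribute settings described in posts #3 and #4. The hostname `cloud.example.com`, the function name `check_response` and the sample XML are constructed assumptions, and the check does not validate the response signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample of a decoded SAMLResponse (not captured from Okta).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://cloud.example.com/apps/user_saml/saml/acs">
  <saml:Assertion>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData
          Recipient="https://cloud.example.com/apps/user_saml/saml/acs"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://cloud.example.com/apps/user_saml/saml/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="rfc822Name">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, hostname, uid_attr="uid"):
    """List mismatches between a decoded SAMLResponse and the SP values from post #3."""
    acs = f"https://{hostname}/apps/user_saml/saml/acs"
    audience = f"https://{hostname}/apps/user_saml/saml/metadata"
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != acs:
        problems.append(f"Destination is {root.get('Destination')!r}, expected {acs!r}")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs:
        problems.append(f"Recipient does not match {acs!r}")
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if audience not in audiences:
        problems.append(f"Audience {audiences!r} does not include {audience!r}")
    # The attribute Nextcloud maps the UID to must be sent by Okta under the same name.
    values = [v.text for a in root.iterfind(".//saml:Attribute", NS)
              if a.get("Name") == uid_attr
              for v in a.iterfind("saml:AttributeValue", NS) if v.text]
    if not values:
        problems.append(f"no {uid_attr!r} attribute value (post #3: notProvisioned error)")
    return problems

if __name__ == "__main__":
    print(check_response(SAMPLE, "cloud.example.com", "rfc822Name"))
```
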