Nextcloud v12 with SAML SSO integration

Hi,

I wonder about a couple of things about the user_saml app. I managed to integrate Keycloak with Nextcloud, but the results leave a lot to be desired. For instance:

  • I’ve had to patch one file. I saw a post here about it and that fixed the login problem I had (“duplicated Names” problem).

  • We want to be sure that if the user changes his email, the user is still paired with the correct one in Nextcloud. For that, we have to use Keycloak’s user unique id, which is a UUID, 4 pairs of strings connected with dashes. That would be OK if this uid mapping weren’t shown in the user interface, but the user_saml app puts it as the “Full Name” in the Nextcloud user’s profile. And the federated cloud id uses it of course. Ideally, mapping the uid must work in a way that it’s not shown to the user, at least as “Full Name”.

Although I guess part of the reason is that federated cloud id… if it changes, old links won’t work or will be linked to the wrong person. If that’s the case, maybe the uid can be used just for the federated cloud id (a bit cumbersome for users, but if there’s no alternative…), but not for the “Full Name” field which looks wrong.

  • I was expecting the “display name” of the user_saml app to be used somewhere, e.g. as “Full Name”, but I don’t see it, so I don’t know its use.

  • I don’t know how to make a user which came from SAML an admin. I thought it was all about adding that user as an admin, but it seems that users aren’t created in the regular user table, so when I disable the user_saml app (to become admin), I was expecting SAML users to appear in “Users”, but they don’t. Can you point me to where in the documentation this is explained? Maybe I missed it. EDIT: OK, I need to provision the admin user beforehand. As long as the username matches the one which comes from the SAML identity provider, it will work.

What are your recommendations? Are you aware of anything I explained?

Thanks,
Tomás


Nextcloud version: 12.0
Operating system and version: Ubuntu 16.04.2 LTS
Apache version: 2.4.18
PHP version: 7.0.15

I think the full name is only equal to the uid if no separate full name is provided by SAML. I think recent versions of the user_saml app allow specifying this.
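As an added illustration of the attribute mapping discussed in this thread (example code written here, not part of the user_saml app and not from either poster): it parses a constructed SAML 2.0 AttributeStatement, takes the Keycloak-style UUID as the internal uid, fills the Full Name from a separate display-name attribute, falls back to the uid only when that attribute is missing, and derives the federated cloud id from the uid. The attribute names `uid`, `displayName` and `email`, the host `cloud.example.test`, the IdP URL and all sample values are assumptions; the helper also assumes the response signature has already been verified before the assertion reaches it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample assertion (not a real Keycloak response). Only the
# AttributeStatement matters for the mapping; IDs, URLs and values are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0" IssueInstant="2017-09-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/auth/realms/demo</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">tomas</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid">
      <saml:AttributeValue>3f2504e0-4f89-41d3-9a0c-0305e82c3301</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>tomas@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="displayName">
      <saml:AttributeValue>Tomás Example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# 8-4-4-4-12 hex groups, the shape of the Keycloak user id mentioned in the thread.
UUID_RE = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement.

    Assumes the enclosing SAML response was already signature-checked; this
    helper only reads attributes and does no validation of its own.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name")
        if not name:
            continue
        attrs[name] = [
            v.text.strip()
            for v in attr.iterfind("saml:AttributeValue", SAML_NS)
            if v.text and v.text.strip()
        ]
    return attrs


def first(attrs, name):
    """First value of a multi-valued attribute, or None if absent/empty."""
    values = attrs.get(name) or []
    return values[0] if values else None


def map_user(attrs, uid_attr="uid", display_attr="displayName",
             email_attr="email", host="cloud.example.test"):
    """Build the local account record from SAML attributes (assumed attribute names).

    The uid must be the stable UUID so that a changed email never re-pairs
    the account; the Full Name comes from a separate attribute and only falls
    back to the uid when none is supplied, which is the behaviour the reply
    above describes.
    """
    uid = first(attrs, uid_attr)
    if uid is None:
        raise ValueError("assertion carries no %r attribute; cannot identify the user" % uid_attr)
    if not UUID_RE.match(uid):
        raise ValueError("uid %r is not a UUID; refusing a mutable identifier as uid" % uid)
    display_name = first(attrs, display_attr)
    fell_back = display_name is None
    if fell_back:
        display_name = uid
    return {
        "uid": uid,
        "display_name": display_name,
        "display_name_fell_back_to_uid": fell_back,
        "email": first(attrs, email_attr),
        # The federated cloud id is derived from the uid, as the thread notes.
        "federated_cloud_id": "%s@%s" % (uid, host),
    }


if __name__ == "__main__":
    user = map_user(extract_attributes(SAMPLE_ASSERTION))
    for key, value in user.items():
        print("%-30s %s" % (key, value))
```

Running it with the sample shows the Full Name taken from `displayName` while the federated cloud id still carries the UUID; delete the `displayName` attribute from the parsed dictionary and the Full Name collapses to the UUID, which is the symptom the first post describes.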