OpenID Connect Login - mapping multiple EntraID groups

Hello all,

Attempting to configure OpenID Connect Login 3.2.0 with NextCloud 30.0.4

We have named user groups in NextCloud that we want to map to Security Groups in EntraID - this way we can configure them in EntraID and have users mapped to groups and group folders in NextCloud.

In all of our testing 'oidc_create_groups' => true is the default.

When configuring groups matching we have set Azure to GroupID as well as sAMAccountName.

In the config.php we have the following setting for "oidc_login_attributes":
'groups' => 'groups', // Groups claim for group mapping
When this is set everything works for user mapping (id => upn) without blocking EntraID integrated user login.

However, this does create one group in NextCloud for each user logging in, whose name is the Azure GUID of the group, and places that user in that group when the Azure group claim type is GroupID. No group is created when the group claim type is sAMAccountName.

If we set groups to an array (text below) logins break, error messages appear.

'groups' => array(
    'ABCDEFG-1234-ABCD-1234-1234ABCD5678EFGH' => 'EntraIDGroup1',
    'ABCDEFG-1234-ABCD-1234-1234ABCD5678EFG1' => 'EntraIDGroup2',
),

When this is configured, "Internal Server Error" appears after a login attempt and the user is unable to log in. Enabling debugging in config.php we see the following error:

Type: TypeError
Code: 0
Message: Cannot assign array to property OCA\OIDCLogin\Service\AttributeMap::$_groups of type string
File: /var/www/html/custom_apps/oidc_login/lib/Service/AttributeMap.php
Line: 61

In the documentation @ github for nextcloud-oidc-login it mentions that groups can be an array or space separated string of nextcloud groups for the user but the error message seems to contradict this (citation below).

“* groups: Array or space separated string of Nextcloud groups for the user. Note that the name here corresponds to the GID of the group and not the display name. In the admin panel, the GID may be obtained from the URL when editing a group”

Maybe what we’re attempting is simply impossible. We’ve tried all of the OpenID apps on the app store, as well as the SAML app from NextCloud, and none of them work for EntraID group mapping.

Any assistance is appreciated.

I’m sorry your journey sounds like try and error to me. I have successfully mapped groups attribute using both user_oidc and sociallogin app (in the past). There is nothing special to do - your IdP should provide an attribute with the list of the groups/roles of the member, which in turn could be pre-created or auto-provisioned using user_oidc (I think sociallogin can provision groups as well)

The requirement is trivial:

this user_oidc config:

with following ID token (with keycloak it is possible to visualize the token):

add the user into “users” group (and creates the group if required)
image

I have no detailed steps to achieve this with EntraID but I’m confident there is an attribute listing group memberships - ask their support if in trouble.


" I’m sorry your journey sounds like try and error to me"
aka “Given the lack of documentation blame the customer”.

"I have successfully mapped groups attribute using both user_oidc and sociallogin app (in the past)…" and "…I'm confident there is an attribute listing group memberships - ask their (Azure) support if in trouble."
That’s akin to saying you’ve made oatmeal before but you are confident I should have no issue making a souffle without instructions - but you want me to call the oven manufacturer for assistance with how to make a souffle. That makes zero sense.

“The requirement is trivial:”
Your citation is for “OpenID Connect user backend”, not “OpenID connect Login” using the variable “roles” where “group” is the valid default according to the editor & their limited docs but hey, when OIDC Login states “groups” is an acceptable key I should use “role”.

“I have no detailed steps to achieve this with EntraID but…” so you can’t answer the question relevant to the software being used - OpenID Connect Login and EntraID. You should lead with that next time.

BTW none of this was helpful, unless you’re simply trying to be condescending.

I’m sorry you are really wrong.

  1. group provisioning works with user_oidc
  2. shows the right config for user_oidc app

which fully covers the Nextcloud side of this integration. The missing part remains in EntraID which is not in scope of this community and you should address related issues to their commercial support.

For those who want to use EntraID and OpenID here is what I found that works to enable both SSO and Groups mapping.

When you set up your EntraID enterprise application, under API permissions > Add a permission > Microsoft Graph, you'll want to include the following permissions to pull user information:

  • email, openid, offline_access and profile.

To pull group information we added Group.Read.All as a delegated permission for the application.

Without Group.Read.All we could not get "OpenID Connect Login" to return anything but a single group GUID. Once we added Group.Read.All it returned a string of GUIDs comprised of the groups a user was a member of. We could not get it to map groups by GUID separately. So we uninstalled "OpenID Connect Login" and removed the settings from config.php (OpenID Connect Login does not have a GUI for admin, all settings are made in config.php).

When we re-installed “OpenID Connect user backend” (which has a GUI) and set it using the same Azure settings as “OpenID Connect Login” we could map users via GUID or UPN with no issue, and were able to have groups auto-provisioned by GUID.

For Token Configuration we have just email and UPN as optional claims of type “ID” and a groups claim, type “GroupID”.

You can select to map all groups or just security groups in EntraID. Since OpenID has a limit on the total number of groups returned, limiting group mapping to a certain group type and/or having an Azure subscription that allows selective group access lets you manage the number of groups sent to NextCloud.

One of the issues we’re experiencing is that the groups in EntraID are mapped to NextCloud as GUID and when we renamed the groups in NextCloud they reverted to their GUID name. Changing the type in Azure didn’t carry the group name from EntraID but we’ll see if we can address that later. For now we have a map of GUID to group names.

We installed the Group Folders app and then assigned the user groups to the corresponding Group folder. This way we have AD groups → NextCloud groups → NextCloud group folders.

So far it is working well using “OpenID Connect user backend”, no additional issues.

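Two points in this thread come down to the same question: what shape the `groups` claim arrives in and how bare Entra ID group GUIDs get turned into Nextcloud group IDs. The original post's attempt to put a GUID-to-name array under `oidc_login_attributes` failed because the app expects a claim name there, and the working setup above ends with a hand-kept GUID-to-name map. The following Python is an added example, not code from the oidc_login or user_oidc apps: it decodes a constructed ID token payload for inspection, accepts the claim as either a list or a space-separated string (the two forms the oidc_login docs describe), maps known GUIDs to Nextcloud GIDs, reports the unmapped ones instead of silently creating GUID-named groups, and flags the Entra ID groups-overage case, where the token carries `_claim_names`/`_claim_sources` in place of `groups` because the user is in more groups than fit in the token. The GUIDs, group names and token contents are all constructed placeholders.

```python
"""Normalise an OIDC ``groups`` claim and map Entra ID group GUIDs to Nextcloud GIDs.

Added example; not code from the oidc_login or user_oidc Nextcloud apps.
All GUIDs, names and tokens below are constructed for illustration.
"""
import base64
import json

# Constructed map: Entra ID group object ID -> Nextcloud group ID (GID).
# The thread's admin kept such a map by hand because groups arrived as GUIDs.
GUID_TO_GID = {
    "11111111-1111-1111-1111-111111111111": "EntraIDGroup1",
    "22222222-2222-2222-2222-222222222222": "EntraIDGroup2",
}


def _b64url_decode(segment: str) -> bytes:
    """Base64url decode a JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_id_token_payload(id_token: str) -> dict:
    """Return the claims of a compact JWT for offline inspection only.

    No signature check is done here; the OIDC app verifies the token against
    the IdP's JWKS before trusting any claim. Use this to see what Entra ID
    actually put in the ``groups`` claim when a mapping does not behave.
    """
    header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def normalise_groups_claim(value) -> list[str]:
    """Accept a list or a space-separated string; a lone GUID is the
    one-element string case. Anything else is a mapping bug, not data."""
    if value is None:
        return []
    if isinstance(value, str):
        return value.split()
    if isinstance(value, (list, tuple)):
        return [str(g) for g in value]
    raise TypeError(f"unsupported groups claim type: {type(value).__name__}")


def has_groups_overage(claims: dict) -> bool:
    """Entra ID drops ``groups`` and emits ``_claim_names``/``_claim_sources``
    when the membership list exceeds the token limit; the groups must then be
    read from Microsoft Graph, so the token alone must not be trusted as a
    complete (or empty) membership list."""
    return "groups" in claims.get("_claim_names", {})


def map_groups(claims: dict, guid_to_gid: dict) -> tuple[list[str], list[str]]:
    """Return (mapped Nextcloud GIDs, unmapped GUIDs).

    Unmapped GUIDs are returned rather than auto-created: with
    oidc_create_groups enabled they would otherwise appear as GUID-named
    groups, which is exactly the behaviour the original post describes.
    """
    if has_groups_overage(claims):
        raise ValueError("groups overage: token carries no groups list")
    mapped, unmapped = [], []
    for guid in normalise_groups_claim(claims.get("groups")):
        gid = guid_to_gid.get(guid.lower())
        if gid:
            mapped.append(gid)
        else:
            unmapped.append(guid)
    return mapped, unmapped


def make_constructed_token(claims: dict) -> str:
    """Build an unsigned, constructed compact JWT so the example runs offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    # Constructed token with a list-valued groups claim, one GUID unmapped.
    token = make_constructed_token({
        "upn": "user@example.test",
        "groups": ["11111111-1111-1111-1111-111111111111",
                   "33333333-3333-3333-3333-333333333333"],
    })
    print(map_groups(decode_id_token_payload(token), GUID_TO_GID))
    # Constructed overage token: no groups claim, only the indirection claims.
    overage = {"_claim_names": {"groups": "src1"},
               "_claim_sources": {"src1": {"endpoint": "https://graph.example.test/placeholder"}}}
    print("overage:", has_groups_overage(overage))
```

Run it as-is to see the mapped and unmapped split for the constructed token; to inspect a real login, paste the ID token your IdP returned into `decode_id_token_payload` and check whether `groups` is a list, a string, or absent with `_claim_names` present. The lowercase lookup matches how Entra ID emits object IDs; if your map is keyed by mixed-case values, normalise the keys the same way.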

No, I’m not wrong about you being condescending.

I'm also not wrong about the lack of documentation being an issue, and the fact that we appear to have run into an issue with the groups string returned from "OpenID Connect Login", which could not be mapped to separate groups. Due to that we had to move to "OpenID connect user backend".

What is needed to provide the groups claim info is a setting in EntraID to provide the groups mapping. Simple enough to include in documentation regarding the configuration of the application, but hey - what’s a little “expert syndrome” when talking down to the people who didn’t write the code.

PS - I needed no Azure commercial support, just good old troubleshooting - aka trial, error and error logs.

Thank you for sharing the settings required for EntraID, this likely will help future users :handshake:

Thank you.

I will share whatever I learn without hesitation to assist others using NextCloud.

