I’m using Nextcloud 30.0.4.1 (standalone on Ubuntu 24.04.1 LTS, not a docker container) and SAML app version 6.4.1.
I’m using Microsoft Entra ID for the SAML authentication.
It works well, but it seems the SAML app now lacks the option to specify which claims from the IdP should be mapped to Nextcloud account attributes such as mail and displayname. When I did this like 2 years ago, one could do this on the configuration page / web gui of the saml app. This option is not present any more.
Since I didn’t find any place where to configure this as of now (neither web gui nor backend), all I could do was trial and error (i.e. trying out different namespaces and value names for the target attributes - it seems there’s no easily accessible info on this on the web), but didn’t succeed so far. For instance, my Entra ID provisioned users still show with their account names as display names, and with no e-mail configured at all.
Does anyone happen to know:
if there is still any possibility to specify the claims that should be mapped to the respective Nextcloud attributes?
if there is no such possibility any more, what are the default claims nextcloud / the SAML app uses for displayname, email and quota?
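An added illustration for this thread (not code from the thread, from Nextcloud or from the SAML app) of the one check that makes the trial and error above less blind: decode a captured SAMLResponse, list the claim names (Attribute Name URIs) the IdP actually sends, and compare them with a guessed SP-side mapping. The response below is constructed by hand with standard claim URIs and invented values, carries no signature, and the mapping at the end is a hypothetical guess; nothing here asserts what the SAML app's own default mapping is.

```python
"""Enumerate the attributes (claims) carried in a SAML Response.

Constructed example: SAMPLE_RESPONSE is hand-written, unsigned, and uses
invented values. A real deployment must verify the XML signature and the
Conditions/Audience before trusting any attribute read out this way.
"""
import base64
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: trimmed SAML Response with one assertion, no Signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice.example</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
        <saml:AttributeValue>Alice Example</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>nextcloud-users</saml:AttributeValue>
        <saml:AttributeValue>staff</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def decode_post_binding(form_value: str) -> str:
    """Turn the SAMLResponse form field (HTTP-POST binding) into XML text."""
    return base64.b64decode(form_value).decode("utf-8")


def encode_post_binding(xml_text: str) -> str:
    """Inverse of decode_post_binding; used to build a test input."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def extract_attributes(xml_text: str) -> Dict[str, List[str]]:
    """Map each Attribute Name (the claim URI) to its list of values."""
    root = ET.fromstring(xml_text)
    attrs: Dict[str, List[str]] = {}
    for attribute in root.iterfind(".//saml:Attribute", NS):
        name = attribute.get("Name")
        if name is None:
            continue
        values = [v.text or "" for v in attribute.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def extract_name_id(xml_text: str) -> Optional[str]:
    """Return the NameID, the value an SP usually keys the account on."""
    node = ET.fromstring(xml_text).find(".//saml:NameID", NS)
    return node.text if node is not None else None


def missing_claims(attrs: Dict[str, List[str]], mapping: Dict[str, str]) -> Dict[str, str]:
    """Given an SP-side mapping {sp_field: claim_uri}, return the entries whose
    claim URI never appears in the assertion: those fields stay empty after login."""
    return {field: uri for field, uri in mapping.items() if uri not in attrs}


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_RESPONSE)
    print("NameID:", extract_name_id(SAMPLE_RESPONSE))
    for name, values in attrs.items():
        print(f"{name} -> {values}")
    guess = {  # hypothetical mapping; the displayname URI is deliberately wrong
        "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
        "displayname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    }
    print("configured but not sent by the IdP:", missing_claims(attrs, guess))
```

To use it on a real login, paste the base64 SAMLResponse value from the browser's network tab into `decode_post_binding` and feed the result to `extract_attributes`; the exact URIs it prints are what any SP-side mapping has to match, which is why guessing namespaces rarely works.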
Thx for your quick answer, but with the version of the SAML app I mentioned, there is no such custom attribute mapping option any more (maybe in an effort to simplify things?). The screenshot I’m attaching is from a version that is much older where this was still possible (it’s in German, but I think the point should be clear):
Anyways, I might give OIDC a shot.
EDIT: at least at the time of writing this, there are some guides on how to do this with various IdPs such as authentik, keycloak, but none for Entra ID…I guess not being an expert in authentication / authorization protocols, and having Entra ID as central IdP, it might make sense to stick to SAML for a while…
The reason why EntraID integrations might be documented less frequently is likely the fact that people using Nextcloud often want to get rid of the monopoly products, but nevertheless tutorials exist and you would have found them in a second, e.g.: Configuration SAML login using AzureAD
There are enterprise scenarios where it makes sense to combine Entra for Auth and Nextcloud for data. I won’t go into more detail here, but we’re definitely not the only company with this combination.
Other than that, the Microsoft learn page is a general reference on how to set it up, and does not - of course - specifically cover Nextcloud as a SP.
The link you’re providing here is about SAML…There are, of course, plenty of tutorials on SAML with Entra out there. What I meant was tutorials specifically about the combination of Entra with OIDC and Nextcloud (which should have been clear from what I stated before - I have SAML fully set up and working and the only stuff missing is a couple of attributes not being mapped…)
All I wanted to find out with this post was whether someone knows the default claim values for the attributes I mentioned. I spent quite some time researching this online but didn’t find anything other than outdated tutorials that still seem to use an older version of the SAML app where custom mapping was still possible.
I was not looking for general guidance as to which protocol to use etc…thx
@wwe you were right in claiming OIDC is probably the better option.
Turns out this is not just more modern, easier to set up and probably the better option in terms of future support, but just as with SAML it is possible to customize claims (at least in Entra, the exact same options are present as with SAML claims - transformations, conditional claims and the like, which in our scenario is a must because we have existing local accounts with little consistent user IDs so we have to do some trickery here to avoid duplicate account creation). More importantly, one can customize even more attribute mappings than with SAML (see screenshot below).
I thought it would be harder to switch from SAML to OIDC (which was why I was rather looking for the concrete claim mappings for SAML), but some initial tests in a lab environment with the “OpenID Connect user backend” app proved me wrong. I can recommend it to anyone wanting to achieve SSO with Entra (and also in general).