[SOLVED] Authentication by SSO, Groups from LDAP


Is it possible to configure Nextcloud to authenticate users by SSO (using environment variable like REMOTE_USER) and retrieve group information from LDAP.

I tried to combine LDAP and SSO apps but they seem to be mutually incompatible.

Is there a way I could manage it ?


NC 14.0.3

Hi Pielo

This is most certainly possible. We have been doing this in production environment for a long time now. Although I am not sure what you mean by environment variable exactly?

Are you using the official SAML SSO app from NC?

We are using that, then we create our groups who needs to have access to it, in Grouper. These groups are then populated to LDAP, and we define our LDAP queries in such a manner that only these groups can have access to NC.

The SSO will only be used to validate your user’s auth token, and the LDAP rules will determine whether the user should have access.


Hi Starfish,
Thank you for your answer.
The fact is we’re presently only using the official LDAP authentication App to authenticate our users against an Active Directory and to retrieve Group Information for the authenticated users that we use for sharing (Group Folder App for example) and rights management.

What we would like to implement now is to authenticate users against our CAS server. From the CAS server we get the user ID, which is handled to Nextcloud through $_SERVER[‘REMOTE_USER’] environment variable. We would like then to retrieve Group Information for that user through querying our LDAP (Active Directory) server.

To sum up :
1- User types Nextcloud URL in browser
2- User is redirected to CAS server
3- User authenticates in CAS server and is redirected to Nextcloud
4- Nextcloud gets user uid from $_SERVER[‘REMOTE_USER’] variable
5- Nextcloud queries our LDAP server and retrieves group information for that user

We already have many other client/server applications that use this double step scheme.

I thought I could use the SSO-SAML App for authentication and the LDAP App for group retrieval. Is there a way I can configure these Apps so that they work together ?


Yes, as stated we use the SAML app as well, and we also auth to CAS server. But AFAIK we do not use any environment variables.

Under SAML/SSO App we have urn:oid:xxxxxxxxxx under General settings. The we have the following setting enabled:

Only allow authentication if an account exists on some other backend. (e.g. LDAP)

Further we just configured the idP settings, but that is about it. From there all is handled by LDAP.

Does this help at all? If not, I will consult with our CAS specialist on Monday to see if he maybe understand your question differently to the way I do, then I will reply again.


I followed instruction from here
and here

And it is now working :sweat_smile:

The main issue was that the configuration option "environment-variable’ was missing from the configuration page in admin. I had to set it “manually” by issuing following sql statement :

update oc_appconfig set configvalue='environment-variable' where appid='user_saml' and configkey='type';

I added both statements (although they could be set in the admin page then) :

update oc_appconfig set configvalue='REMOTE_USER' where appid='user_saml' and configkey='general-uid_mapping';
update oc_appconfig set configvalue='1' where appid='user_saml' and configkey='general-require_provisioned_account';


how did you solve this issue? Environment-variable is usually used for Kerberos-Authentication. The user_saml module provides an extension to work with ADFS, once it’s set up it usually works like a charm.