User SAML / LDAP integration

Hi,
today I have activated the SAML-Plugin in nextcloud 9.0.52 (stable).
Great that the core SAML PHP now is included in the basic installation.
I recognized that the SAML-Plugin “deactivates” LDAP User provisioning.
So it looks like I have to decide which authentication method I want to use (LDAP or SAML).
Is there any option to use both of them?
If I use SAML - is it also possible to modify the data store path per user - like the attribute/function with LDAP integration?
Are all (iOS, Android and Desktop) apps able to use SAML?

Thank you in advance

1 Like

The integrated SAML plugin should not deactivate LDAP user provisioning. Please post your config. You may also want to check the checkbox “Only allow authentication if an account is existent on some other backend. (e.g. LDAP)” which only allows logging-in if the user exists on the LDAP backend as well.

Hi Lukas,
Thanks for the fast reply.
Now I have read some other blog entries from SAML user. Maybe I have a misunderstanding about the SAML integration in nextcloud.
My situation:
I have two separate user directories for different applications and usages.
Both directories contain the same users (persons) but with different IDs (usernames, passwords, rights …).
I wanted to use the SAML function to map the user from directory A to the user from directory B (same person), like the ADFS function in Office365. I thought: if a user is still authenticated in directory A, he gets access via SAML/SSO to his mapped nextcloud user from directory B.

What I have done:
So I activated the LDAP plugin in nextcloud and created an LDAP connection to directory B for the user creation in nextcloud.
At this point all was working fine. I could log in to nextcloud by entering the username and password of a user from directory B. After activating the SAML plugin I realized that I couldn’t create new “local” nextcloud users, and newly created LDAP users in directory B no longer appeared in the nextcloud database.
When I disable the SAML Plugin, all is working as before.

So I think there must be a design failure in my scenario?!

One more question:
Do you have any information about the apps? Are these apps fully SAML-integrated (iOS, Android, desktop)?

Please let me know where my failure could be … !!
thx mx

Hi Maximilian,

I’d love to understand your use-case a little bit more, let’s move this to a private message so we can setup a call or so :slight_smile:

Best,
Lukas

Hi,
At the moment I’m facing a similar scenario: I have an LDAP and a SAML IdP. If I enable just LDAP authentication, all the LDAP users can be authenticated through the Nextcloud auth page, but if I enable SAML authentication, Nextcloud redirects the authentication to the IdP portal. Is there a way to let the users pick the authentication method at the beginning? I mean, is it possible to enable the Nextcloud auth page, then show both authentication sources and let the users decide?

Thanks

2 Likes

Hi,
just for information regarding my last confusing post here:
I had a destroyed configuration in my test environment after database manipulation etc. - so there were some strange issues with SAML and LDAP functions.
After a clean installation everything works fine.

Now I have a similar question like janolara - is there any way (only for admin_login) to get the standard login form of nextcloud, when SAML is active?
I use nextcloud 10 with user_saml stable10.

I have found out, that in the “old” owncloud user_saml was an option like this:

There is a parameter in the settings named force_saml_login to avoid the login form, redirecting directly to the IdP when accessing owncloud.
If you are an admin and you want to log in using the login form, then use the GET param admin_login to deactivate the forced redirection.

It would be fine if anyone could give me short reply!
THX max

I’d be interested in this as well

Can you both elaborate on the use-cases behind this? It seems there are several use-cases here that may deem another solution.

(also note that the SAML implementation linked above in owncloud/apps is a third-party app and also not what ownCloud is officially distributing)

Hi Lukas,
thanks for the fast reply.
I’ll try to explain my use-case behind this question:

I use the active user_saml app, so I automatically get a redirection to the IdP URL for the authentication process.
Now it would be great to have any possibility to log in via the standard login form when user_saml is active,
with a custom URL like https://mynextcloudurl/index.php/admin_login or a special parameter in the URL or something like this.
I know that the SAML implementation I have linked above is something completely different. This should only be an example.

I have seen that the redirection is controlled at user_saml/appinfo/app.php:

    if (!$userSession->isLoggedIn() && \OC::$server->getRequest()->getPathInfo() === '/login') {
        $redirectSituation = true;
    }

So I thought a simple solution could be to add a command like this:

    if (!$userSession->isLoggedIn() && \OC::$server->getRequest()->getPathInfo() === '/admin_login') {
        $redirectSituation = false;
    }

But it didn’t work for me. I always get the /login suffix, so $redirectSituation = true.

I hope my use case is clear :sunny: now - and maybe there is any simple solution to reach this.

Best thanks for your interest
greets max
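As an added illustration (not code from the user_saml app or from max's post), the redirect decision above modelled in isolation: the path handed to app.php stays /login, so a second path check never matches, whereas a request parameter can single out a break-glass admin request. The function name and the admin_login flag are assumptions modelled on the old ownCloud app quoted earlier in the thread.

```php
<?php
// Added example, not the user_saml app's code. Reproduces the redirect
// decision from app.php as a standalone function runnable from the CLI.

/**
 * Return true when an unauthenticated request should be sent to the IdP.
 * $pathInfo is what getPathInfo() yields; the login route is always "/login",
 * which is why an extra check against "/admin_login" never matches.
 * $query holds the GET parameters (assumption: an "admin_login" flag,
 * borrowed from the old ownCloud app's force_saml_login behaviour).
 */
function shouldRedirectToIdp(bool $isLoggedIn, string $pathInfo, array $query): bool
{
    if ($isLoggedIn) {
        return false;
    }
    // Condition as found in user_saml/appinfo/app.php.
    $redirectSituation = ($pathInfo === '/login');

    // Hypothetical break-glass exception: keep the local form only when the
    // flag is present. Since anyone can append a GET parameter, the local
    // form must stay restricted (e.g. to admins or LDAP-backed accounts).
    if ($redirectSituation && isset($query['admin_login'])) {
        $redirectSituation = false;
    }
    return $redirectSituation;
}

// Constructed requests for a quick self-check.
$cases = [
    // [loggedIn, pathInfo, query, expected]
    [false, '/login',       [],                     true],  // normal visit: go to IdP
    [false, '/login',       ['admin_login' => '1'], false], // flag set: local form
    [false, '/admin_login', [],                     false], // path never occurs in practice
    [true,  '/login',       [],                     false], // session exists: no redirect
];
foreach ($cases as [$loggedIn, $path, $query, $expected]) {
    $got = shouldRedirectToIdp($loggedIn, $path, $query);
    printf("%-14s %-22s -> %s\n", $path, json_encode($query), $got ? 'redirect' : 'local form');
    if ($got !== $expected) {
        throw new RuntimeException("unexpected decision for $path");
    }
}
```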

use case here: users from our own organization should be able to login with LDAP (i.e. they should be able to use the client and/or WebDAV interface without workarounds) whereas users from other organizations (but within the SAML federation) should be able to use SAML login.

1 Like

Ditto to this. A simple ‘Federated Login’ button on the normal login screen would be adequate to support this setup and a tick box in the settings for those that want to force all logins via SAML.

2 Likes

Hi,

I use Nextcloud 11.0.3 with user_saml module and user_LDAP module activated on a dedicated RHEL server, a backend server with postgresql DB.
The user data are stored on NFS Shares mounted to the Nextcloud Application Server.

So, now I think about a second V-Host on the application server with an identical installation of Nextcloud, the same backend server as the SAML instance, database and user store (NFS shares), BUT with user_saml DISABLED.
So there would be one instance for SAML authentication and a second instance for LDAP auth, with the identical DB and user storage in the backend.

Could this be a possibility to reach the goal of two auth. methods?