diff --git a/admin_manual/configuration_server/images/saml_app_overview.png b/admin_manual/configuration_server/images/saml_app_overview.png new file mode 100644 index 000000000..48afb4ec9 Binary files /dev/null and b/admin_manual/configuration_server/images/saml_app_overview.png differ diff --git a/admin_manual/configuration_server/index.rst b/admin_manual/configuration_server/index.rst index 40d84de8c..49802776a 100644 --- a/admin_manual/configuration_server/index.rst +++ b/admin_manual/configuration_server/index.rst @@ -8,6 +8,7 @@ Nextcloud Server Configuration security_setup_warnings occ_command activity_configuration + sso_configuration caching_configuration background_jobs_configuration config_sample_php_parameters diff --git a/admin_manual/configuration_server/sso_configuration.rst b/admin_manual/configuration_server/sso_configuration.rst new file mode 100644 index 000000000..5d38e5bd4 --- /dev/null +++ b/admin_manual/configuration_server/sso_configuration.rst @@ -0,0 +1,68 @@ +========================== +Configuring Single-Sign-On +========================== + +Using the SSO & SAML app of your Nextcloud you can make it easily possible to integrate your existing Single-Sign-On +solution with Nextcloud. In addition, you can use the Nextcloud LDAP user provider to keep the convenience for users. (e.g. +when sharing) + +The following providers are supported and tested at the moment: + +- SAML 2.0 + - OneLogin + - Shibboleth + - Active Directory Federation Services (ADFS) +- Authentication via Environment Variable + - Kerberos (mod_auth_kerb) + - Any other provider that authenticates using the environment variable + +While theoretically any other authentication provider implementing either one of those standards is compatible, we like +to note that they are not part of any internal test matrix. + +Enabling the SSO & SAML app +--------------------------- + +.. warning:: Make sure to configure an administrative user that can access the instance via SSO. Logging-in with your +regular Nextcloud account won't be possible anymore. + +The "SSO & SAML" App is shipped and disabled by default. To enable the app enabled simply go to your Nextcloud Apps page +to enable it. It can then be found in the "SSO & SAML authentication" section of your Nextcloud. + +Configuring SAML 2.0 +-------------------- + +To configure using SAML choose the "SAML authentication" in the setup wizard of the application. Then configure the application +as required by your Service Provider. + + .. figure:: ./images/saml_app_overview.png + + +Configuring environment based authentication +-------------------------------------------- +It is possible to authenticate against Nextcloud using an environment variable. This is for example relevant in case you +use an service provider incompatible with SAML such as Kerberos or don't want to configure SAML in the software yourself. + +To enable that choose the "Environment variable" authentication provider in the application and then specify the environment +variable. (e.g. `REMOTE_USER` for Kerberos) + +Once done you also need to protect the login route properly. On an Apache server with mod_auth_kerb the following configuration +would protect the login route: + +.. code-block:: httpd + + + AuthType Kerberos + AuthName "Kerberos Login" + KrbServiceName HTTP + KrbMethodNegotiate On + KrbMethodK5Passwd Off + KrbSaveCredentials Off + KrbVerifyKDC On + KrbAuthRealms NEXTCLOUD-AD.LOCAL + Krb5KeyTab /etc/apache2/webpage.HTTP.keytab + Require valid-user + + + +.. warning:: If this authentication approach is used clients do require an application specific password for authentication. +A better integration into our desktop and mobile clients is considered for the future though. \ No newline at end of file