en:2.0:single_sign_on:saml_joomla [2025/04/27 10:10] – [Configuring the Service Provider (Joomla)] kainhofer | en:2.0:single_sign_on:saml_joomla [2025/04/27 10:24] (current) – kainhofer |
---|
| |
| |
Paste the metadata URL copied from Nextcloud into the corresponding input field at the top and click "Load Client Metadata". This should load all settings from Nextcloud and pre-fill the following fields correctly. Only the Client Name needs to be entered. Choose any name to clearly identify the client in the list of SAML clients. There is no functionality depending on the name. | Paste the metadata URL copied from Joomla into the corresponding input field at the top and click "Load Client Metadata". This should load all settings from Joomla and pre-fill the following fields correctly. Only the Client Name needs to be entered. Choose any name to clearly identify the client in the list of SAML clients. There is no functionality depending on the name. |
{{ :en:2.0:sso:sso_saml_02-05_nc_admidio_clientsetup1.png?direct&600 |}} | {{ :en:2.0:sso:sso_saml_joomla_05_saml_client.png?direct&600 |}} |
| |
| The only other setting that matters for the limited feature set of the free Joomla plugin is the User ID field. The Joomla plugin matches users by e-mail address only, so make sure to select it: |
| {{ :en:2.0:sso:sso_saml_joomla_06_saml_userid.png?direct&600 |}} |
| |
In addition to the Entity ID and URLs to connect SP and IdP and the certificate, which are configured automatically, one also needs to define the attribute and role mapping. The username is the most relevant. To use Admidio's group memberships as Nextcloud groups, make sure to include the "Roles" field and provide the correct field name in Nextcloud. Internally, Nextcloud will add a prefix to the role names, which makes it impossible to assign admin rights to SAML groups (Nextcloud uses the group with internal name "admin" for administrators). If you want to assign admin rights through SAML, too, then you must enter a single space into the prefix field. This causes Nextcloud to take the role names verbatim as Nextcloud group names, including "admin". | The other advanced features like field or group mapping can be ignored or cleared in the client config. The restriction of the client to certain groups, however, is implemented in Admidio and works with Joomla, too. |
| |
{{ :en:2.0:sso:sso_saml_02-06_nc_admidio_clientsetup1.png?direct&600 |}} | |
| |
<WRAP center round todo 60%> | ==== Setup completed, test Single-Sign-On ==== |
TODO: Describe signing and encryption settings (synced) | Admidio and Joomla should now be set up to use Admidio for logging in to Joomla. To check, you can go back to the plugin config page and use the "Test Configuration" button at the bottom of the page. |
</WRAP> | |
{{ :en:2.0:sso:sso_saml_02-07_nc_admidio_clientsetup3.png?direct&600 |}} | |
| |
| If you log out of Joomla (or open the page in an incognito browser window), you should see the login screen with the choice of logging in with password or via SAML. |
==== Setup completed, test Single-Sign-On ==== | {{ :en:2.0:sso:sso_saml_joomla_07_login_form.png?direct |}} |
Admidio and Nextcloud should now be set up to use Admidio for logging in to Nextcloud. If you log out of Nextcloud, you should see the login screen with the choice of logging in with password or via SAML. | |
{{ :en:2.0:sso:sso_saml_02-08_nc_saml_login.png?direct&400 |}} | |
| |
After choosing SAML login and logging in with a user from Admidio, you should be logged in to Nextcloud. | After choosing SAML login and logging in with a user from Admidio, you should be logged in to Joomla. |
{{:en:2.0:sso:sso_saml_02-09_nc_saml_loggedin.png?direct&200|}} | {{ :en:2.0:sso:sso_saml_joomla_08_joomla_login_form.png?direct |}}{{ :en:2.0:sso:sso_saml_joomla_09_logged_in.png?direct |}} |
{{:en:2.0:sso:sso_saml_02-10_nc_saml_users.png?direct&600|}} | |
| |
| |
==== Caveats and Things to Consider ==== | ==== Caveats and Things to Consider ==== |
| |
* For security reasons, Nextcloud will prepend **SAML_ prefix to the group names** obtained from the SAML IdP. This makes hybrid environments quite hard in practice, where some users authenticate via SAML, others via local accounts or other network accounts. In these hybrid cases, the SAML-generated groups will be different than the local groups and all group permissions need to be set twice! As a **workaround**, one can **enter a single space into the prefix input box**. This will cause Nextcloud's SAML extension to clear the prefix, but the input field will appear empty in the future, so it is not clearly visible whether the prefix was "cleared" or the default prefix will be applied! | * The miniOrange Joomla plugin requires the e-mail address to be used as the user ID, so only users with a valid e-mail address in Admidio can log in! One also has to make sure the Admidio SAML client is configured to use the e-mail address as the user ID. |
| |
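The two points above that are easy to get wrong when setting up the client are what "Load Client Metadata" pulls out of the Joomla SP metadata (Entity ID, ACS URL, certificate) and the e-mail-only user ID the miniOrange plugin needs. The following is an added example, not code from Admidio or the Joomla plugin: it parses an SP metadata document the way the metadata loader must, then checks the ACS URL scheme, the NameID format and the presence of a signing certificate, and shows why an Admidio user without a valid e-mail address cannot get a NameID for this client. The metadata document, the entityID, the URLs and the certificate body are constructed placeholders, not real deployments.

```python
"""Added example (not Admidio's or the miniOrange plugin's own code): what a
"Load Client Metadata" step extracts from SP metadata, plus the checks this
page's caveats call for. Metadata, entityID, URLs and the certificate body
are constructed placeholders."""
import base64
import binascii
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample, shaped like the metadata a Joomla SAML plugin exports.
# The X509Certificate content is base64 of "PLACEHOLDER", not a real cert.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://joomla.example.org/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>UExBQ0VIT0xERVI=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://joomla.example.org/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Return entityID, ACS endpoints, NameID formats and certificates of an SP."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        use = kd.get("use") or "signing encryption"  # no 'use' attribute means both
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            try:
                der = base64.b64decode("".join((c.text or "").split()), validate=True)
            except binascii.Error as exc:
                raise ValueError("X509Certificate is not valid base64") from exc
            certs.append({"use": use, "der": der})
    return {
        "entity_id": root.get("entityID"),
        "acs": [
            {"binding": a.get("Binding"), "location": a.get("Location"),
             "index": int(a.get("index", "0"))}
            for a in sp.findall("md:AssertionConsumerService", NS)
        ],
        "name_id_formats": [f.text.strip() for f in sp.findall("md:NameIDFormat", NS) if f.text],
        "want_assertions_signed": (sp.get("WantAssertionsSigned") or "false").lower() == "true",
        "certs": certs,
    }


def check_joomla_client(md: dict) -> list:
    """Problems with this client from the IdP's point of view; empty list means OK."""
    problems = []
    for a in md["acs"]:
        if urlparse(a["location"] or "").scheme != "https":
            problems.append("ACS %s is not https: assertions would travel in the clear" % a["location"])
    if not any(a["binding"] == POST_BINDING for a in md["acs"]):
        problems.append("no HTTP-POST AssertionConsumerService")
    if EMAIL_FORMAT not in md["name_id_formats"]:
        problems.append("SP does not list the emailAddress NameID format; "
                        "select the e-mail address as user ID in the Admidio client anyway")
    if not md["want_assertions_signed"]:
        problems.append("SP does not require signed assertions")
    if not any("signing" in c["use"] for c in md["certs"]):
        problems.append("no signing certificate: signed AuthnRequests cannot be verified")
    return problems


def name_id_for(user: dict) -> str:
    """NameID value to send for this client: the e-mail address, or nothing at all."""
    email = (user.get("email") or "").strip()
    if "@" not in email:
        raise ValueError("user %r has no valid e-mail address and cannot log in to Joomla" % user.get("login"))
    return email


if __name__ == "__main__":
    md = parse_sp_metadata(SAMPLE_SP_METADATA)
    print(md["entity_id"], [a["location"] for a in md["acs"]])
    print("problems:", check_joomla_client(md) or "none")
    print(name_id_for({"login": "jdoe", "email": "jdoe@example.org"}))
```

Running the block against the constructed metadata reports no problems; changing the ACS location to plain http or dropping the emailAddress NameID format from the metadata makes `check_joomla_client` flag exactly those two points, which is what a loader should surface before the client is saved.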