authentik/website/docs/integrations/services/nextcloud/index.md

---
title: NextCloud
---

## What is NextCloud

From https://en.wikipedia.org/wiki/Nextcloud

:::note
Nextcloud is a suite of client-server software for creating and using file hosting services. Nextcloud is free and open-source, which means that anyone is allowed to install and operate it on their own private server devices.
:::

:::warning
This setup only works, when NextCloud is running with HTTPS enabled. See [here](https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/reverse_proxy_configuration.html?highlight=overwriteprotocol#overwrite-parameters) on how to configure this.
:::

:::warning
In case something goes wrong with the configuration, you can use the URL `http://nextcloud.company/login?direct=1` to log in using the built-in authentication.
:::

## Preparation

The following placeholders will be used:

- `nextcloud.company` is the FQDN of the NextCloud install.
- `authentik.company` is the FQDN of the authentik install.

Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:

- ACS URL: `https://nextcloud.company/apps/user_saml/saml/acs`
- Issuer: `https://authentik.company`
- Service Provider Binding: `Post`
- Audience: `https://nextcloud.company/apps/user_saml/saml/metadata`
- Signing Keypair: Select any certificate you have.
- Property mappings: Select all Managed mappings.

You can of course use a custom signing certificate, and adjust durations.

## NextCloud

In NextCloud, ensure that the `SSO & SAML Authentication` app is installed. Navigate to `Settings`, then `SSO & SAML Authentication`.

Set the following values:

- Attribute to map the UID to.: `http://schemas.goauthentik.io/2021/02/saml/username`
- Optional display name of the identity provider (default: "SSO & SAML log in"): `authentik`
- Identifier of the IdP entity (must be a URI): `https://authentik.company`
- URL Target of the IdP where the SP will send the Authentication Request Message: `https://authentik.company/application/saml/<application-slug>/sso/binding/redirect/`
- URL Location of IdP where the SP will send the SLO Request: `https://authentik.company/if/session-end/<application-slug>/`
- Public X.509 certificate of the IdP: Copy the PEM of the Selected Signing Certificate

Under Attribute mapping, set these values:

- Attribute to map the displayname to.: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
- Attribute to map the email address to.: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
- Attribute to map the users groups to.: `http://schemas.xmlsoap.org/claims/Group`

:::note
If Nextcloud is behind a reverse proxy you may need to force Nextcloud to use HTTPS.
To do this you will need to add the line `'overwriteprotocol' => 'https'` to `config.php` in the Nextcloud `config\config.php` file
See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html#overwrite-parameters for additional information
:::

## Group Quotas

Create a group for each different level of quota you want users to have. Set a custom attribute, for example called `nextcloud_quota`, to the quota you want, for example `15 GB`.

Afterwards, create a custom SAML Property Mapping with the name `SAML NextCloud Quota`.
Set the *SAML Name* to `nextcloud_quota`.
Set the *Expression* to `return user.group_attributes().get("nextcloud_quota", "1 GB")`, where `1 GB` is the default value for users that don't belong to another group (or have another value set).

## Admin Group

To give authentik users admin access to your NextCloud instance, you need to create a custom Property Mapping that maps an authentik group to "admin". It has to be mapped to "admin" as this is static in NextCloud and cannot be changed.

Create a SAML Property mapping with the SAML Name "http://schemas.xmlsoap.org/claims/Group" and this expression:

```python
for group in user.ak_groups.all():
    yield group.name
if ak_is_group_member(request.user, name="<authentik nextcloud admin group's name>"):
    yield "admin"
```

Then, edit the NextCloud SAML Provider, and replace the default Groups mapping with the one you've created above.
docs: add nextcloud docs 2020-12-22 19:09:15 +00:00			`---`
			`title: NextCloud`
			`---`

			`## What is NextCloud`

			`From https://en.wikipedia.org/wiki/Nextcloud`

			`:::note`
			`Nextcloud is a suite of client-server software for creating and using file hosting services. Nextcloud is free and open-source, which means that anyone is allowed to install and operate it on their own private server devices.`
			`:::`

			`:::warning`
website/docs: add note for nextcloud Reverse proxy and extension closes #750 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-21 08:22:40 +00:00			`This setup only works, when NextCloud is running with HTTPS enabled. See [here](https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/reverse_proxy_configuration.html?highlight=overwriteprotocol#overwrite-parameters) on how to configure this.`
docs: add nextcloud docs 2020-12-22 19:09:15 +00:00			`:::`

			`:::warning`
			In case something goes wrong with the configuration, you can use the URL `http://nextcloud.company/login?direct=1` to log in using the built-in authentication.
			`:::`

			`## Preparation`

			`The following placeholders will be used:`

docs: cleanup, add 2021.3 to sidebar 2021-03-02 21:10:54 +00:00			- `nextcloud.company` is the FQDN of the NextCloud install.
			- `authentik.company` is the FQDN of the authentik install.
docs: add nextcloud docs 2020-12-22 19:09:15 +00:00
			`Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:`

docs: cleanup, add 2021.3 to sidebar 2021-03-02 21:10:54 +00:00			- ACS URL: `https://nextcloud.company/apps/user_saml/saml/acs`
			- Issuer: `https://authentik.company`
			- Service Provider Binding: `Post`
			- Audience: `https://nextcloud.company/apps/user_saml/saml/metadata`
			`- Signing Keypair: Select any certificate you have.`
			`- Property mappings: Select all Managed mappings.`
docs: add nextcloud docs 2020-12-22 19:09:15 +00:00
			`You can of course use a custom signing certificate, and adjust durations.`

			`## NextCloud`

policies/reputation: fix race condition in tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-06-14 17:54:31 +00:00			In NextCloud, ensure that the `SSO & SAML Authentication` app is installed. Navigate to `Settings`, then `SSO & SAML Authentication`.
docs: add nextcloud docs 2020-12-22 19:09:15 +00:00
			`Set the following values:`

Managed objects (#519) * managed: add base manager and Ops * core: use ManagedModel for Token and PropertyMapping * providers/saml: implement managed objects for SAML Provider * sources/ldap: migrate to managed * providers/oauth2: migrate to managed * providers/proxy: migrate to managed * : load .managed in apps managed: add reconcile task, run on startup * providers/oauth2: fix import path for managed * providers/saml: don't set FriendlyName when mapping is none * : use ObjectManager in tests to ensure objects exist ci: use vmImage ubuntu-latest * providers/saml: add new mapping for username and user id * tests: remove docker proxy * tests/e2e: use updated attribute names * docs: update SAML docs * tests/e2e: fix remaining saml cases * outposts: make tokens as managed * : make PropertyMapping SerializerModel web: add page for property-mappings * web: add codemirror to common_styles because codemirror * docs: fix member-of in nextcloud * docs: nextcloud add admin * web: fix refresh reloading data two times * web: add loading lock to table to prevent double loads * web: add ability to use null in QueryArgs (value will be skipped) * web: add hide option to property mappings * web: fix linting 2021-02-03 20:18:31 +00:00			- Attribute to map the UID to.: `http://schemas.goauthentik.io/2021/02/saml/username`
docs: add nextcloud docs 2020-12-22 19:09:15 +00:00			- Optional display name of the identity provider (default: "SSO & SAML log in"): `authentik`
			- Identifier of the IdP entity (must be a URI): `https://authentik.company`
			- URL Target of the IdP where the SP will send the Authentication Request Message: `https://authentik.company/application/saml/<application-slug>/sso/binding/redirect/`
core: move end-session to core Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-06-06 11:24:27 +00:00			- URL Location of IdP where the SP will send the SLO Request: `https://authentik.company/if/session-end/<application-slug>/`
docs: fix nextcloud docs using wrong fields 2021-01-26 21:10:00 +00:00			`- Public X.509 certificate of the IdP: Copy the PEM of the Selected Signing Certificate`
docs: add nextcloud docs 2020-12-22 19:09:15 +00:00
			`Under Attribute mapping, set these values:`

Managed objects (#519) * managed: add base manager and Ops * core: use ManagedModel for Token and PropertyMapping * providers/saml: implement managed objects for SAML Provider * sources/ldap: migrate to managed * providers/oauth2: migrate to managed * providers/proxy: migrate to managed * : load .managed in apps managed: add reconcile task, run on startup * providers/oauth2: fix import path for managed * providers/saml: don't set FriendlyName when mapping is none * : use ObjectManager in tests to ensure objects exist ci: use vmImage ubuntu-latest * providers/saml: add new mapping for username and user id * tests: remove docker proxy * tests/e2e: use updated attribute names * docs: update SAML docs * tests/e2e: fix remaining saml cases * outposts: make tokens as managed * : make PropertyMapping SerializerModel web: add page for property-mappings * web: add codemirror to common_styles because codemirror * docs: fix member-of in nextcloud * docs: nextcloud add admin * web: fix refresh reloading data two times * web: add loading lock to table to prevent double loads * web: add ability to use null in QueryArgs (value will be skipped) * web: add hide option to property mappings * web: fix linting 2021-02-03 20:18:31 +00:00			- Attribute to map the displayname to.: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
			- Attribute to map the email address to.: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
			- Attribute to map the users groups to.: `http://schemas.xmlsoap.org/claims/Group`
docs: add nextcloud docs 2020-12-22 19:09:15 +00:00
website/docs: Add a note about Protocol Overwrite (#1031) Added a note in the Nextcloud section for Protocol overwrite when behind a reverse proxy 2021-06-16 17:38:34 +00:00			`:::note`
website/docs: fix call to group_attributes for nextcloud Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-06-22 11:00:48 +00:00			`If Nextcloud is behind a reverse proxy you may need to force Nextcloud to use HTTPS.`
website/docs: Add a note about Protocol Overwrite (#1031) Added a note in the Nextcloud section for Protocol overwrite when behind a reverse proxy 2021-06-16 17:38:34 +00:00			To do this you will need to add the line `'overwriteprotocol' => 'https'` to `config.php` in the Nextcloud `config\config.php` file
			`See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html#overwrite-parameters for additional information`
			`:::`

docs: add nextcloud docs 2020-12-22 19:09:15 +00:00			`## Group Quotas`

			Create a group for each different level of quota you want users to have. Set a custom attribute, for example called `nextcloud_quota`, to the quota you want, for example `15 GB`.

			Afterwards, create a custom SAML Property Mapping with the name `SAML NextCloud Quota`.
			Set the SAML Name to `nextcloud_quota`.
website/docs: fix call to group_attributes for nextcloud Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-06-22 11:00:48 +00:00			Set the Expression to `return user.group_attributes().get("nextcloud_quota", "1 GB")`, where `1 GB` is the default value for users that don't belong to another group (or have another value set).
Managed objects (#519) * managed: add base manager and Ops * core: use ManagedModel for Token and PropertyMapping * providers/saml: implement managed objects for SAML Provider * sources/ldap: migrate to managed * providers/oauth2: migrate to managed * providers/proxy: migrate to managed * : load .managed in apps managed: add reconcile task, run on startup * providers/oauth2: fix import path for managed * providers/saml: don't set FriendlyName when mapping is none * : use ObjectManager in tests to ensure objects exist ci: use vmImage ubuntu-latest * providers/saml: add new mapping for username and user id * tests: remove docker proxy * tests/e2e: use updated attribute names * docs: update SAML docs * tests/e2e: fix remaining saml cases * outposts: make tokens as managed * : make PropertyMapping SerializerModel web: add page for property-mappings * web: add codemirror to common_styles because codemirror * docs: fix member-of in nextcloud * docs: nextcloud add admin * web: fix refresh reloading data two times * web: add loading lock to table to prevent double loads * web: add ability to use null in QueryArgs (value will be skipped) * web: add hide option to property mappings * web: fix linting 2021-02-03 20:18:31 +00:00
			`## Admin Group`

			`To give authentik users admin access to your NextCloud instance, you need to create a custom Property Mapping that maps an authentik group to "admin". It has to be mapped to "admin" as this is static in NextCloud and cannot be changed.`

			`Create a SAML Property mapping with the SAML Name "http://schemas.xmlsoap.org/claims/Group" and this expression:`

			```python
			`for group in user.ak_groups.all():`
			`yield group.name`
			`if ak_is_group_member(request.user, name="<authentik nextcloud admin group's name>"):`
			`yield "admin"`
			```

			`Then, edit the NextCloud SAML Provider, and replace the default Groups mapping with the one you've created above.`