docs: add nextcloud docs

authentik/policies/views.py

@@ -82,7 +82,7 @@ class PolicyAccessView(AccessMixin, View):
         policy_engine.build()
         result = policy_engine.result
         LOGGER.debug(
-            "AccessMixin user_has_access",
+            "PolicyAccessView user_has_access",
             user=user,
             app=self.application,
             result=result,

website/docs/integrations/services/nextcloud/index.md

@@ -0,0 +1,61 @@
+---
+title: NextCloud
+---
+
+## What is NextCloud
+
+From https://en.wikipedia.org/wiki/Nextcloud
+
+:::note
+Nextcloud is a suite of client-server software for creating and using file hosting services. Nextcloud is free and open-source, which means that anyone is allowed to install and operate it on their own private server devices.
+:::
+
+:::warning
+This setup only works, when NextCloud is running with HTTPS enabled.
+:::
+
+:::warning
+In case something goes wrong with the configuration, you can use the URL `http://nextcloud.company/login?direct=1` to log in using the built-in authentication.
+:::
+
+## Preparation
+
+The following placeholders will be used:
+
+-   `nextcloud.company` is the FQDN of the NextCloud install.
+-   `authentik.company` is the FQDN of the authentik install.
+
+Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
+
+-   ACS URL: `https://nextcloud.company/apps/user_saml/saml/metadata`
+-   Audience: `https://nextcloud.company/apps/user_saml/saml/acs`
+-   Issuer: `https://authentik.company`
+-   Service Provider Binding: `Post`
+-   Property mappings: Select all Autogenerated mappings.
+
+You can of course use a custom signing certificate, and adjust durations.
+
+## NextCloud
+
+In NextCloud, navigate to `Settings`, then `SSO & SAML Authentication`.
+
+Set the following values:
+
+- Attribute to map the UID to.: `urn:oid:0.9.2342.19200300.100.1.1`
+- Optional display name of the identity provider (default: "SSO & SAML log in"): `authentik`
+- Identifier of the IdP entity (must be a URI): `https://authentik.company`
+- URL Target of the IdP where the SP will send the Authentication Request Message: `https://authentik.company/application/saml/<application-slug>/sso/binding/redirect/`
+
+Under Attribute mapping, set these values:
+
+- Attribute to map the displayname to.: `urn:oid:2.16.840.1.113730.3.1.241`
+- Attribute to map the email address to.: `urn:oid:0.9.2342.19200300.100.1.3`
+- Attribute to map the users groups to.: `member-of`
+
+## Group Quotas
+
+Create a group for each different level of quota you want users to have. Set a custom attribute, for example called `nextcloud_quota`, to the quota you want, for example `15 GB`.
+
+Afterwards, create a custom SAML Property Mapping with the name `SAML NextCloud Quota`.
+Set the *SAML Name* to `nextcloud_quota`.
+Set the *Expression* to `return user.group_attributes.get("nextcloud_quota", "1 GB")`, where `1 GB` is the default value for users that don't belong to another group (or have another value set).

website/sidebars.js

@@ -103,6 +103,7 @@ module.exports = {
                         "integrations/services/gitlab/index",
                         "integrations/services/harbor/index",
                         "integrations/services/home-assistant/index",
+                        "integrations/services/nextcloud/index",
                         "integrations/services/rancher/index",
                         "integrations/services/sentry/index",
                         "integrations/services/sonarr/index",