如何配置Nextcloud集成Keycloak?
- By : Will
- Category : Cloud storage, Keycloak
1 前言
一个问题,一篇文章,一出故事。
本章将在Nextcloud应用中使用Keycloak作为身份提供者。
即Nextcloud支持Keycloak直接登陆。
2 最佳实践
2.1 配置环境
2.1.1 部署Keycloak环境
Keycloak作为身份提供者(idP),我们需要预先获取他的idP证书,
单击【Manage realms】->【cmdschool】选中需要复制证书的领域
单击【Realm settings】->【Keys】
选中“Algorithm”等于“RS256”并且“Type”等于“RSA”的证书
单击【Certificate】并在弹出的窗口中复制证书的内容,一般证书内容如下(“#…”表示证书内容有省略),
MIICnzCC#…
2.1.2 部署Nextcloud环境
Nextcloud作为服务提供者(SP),我们需要预先创建他的SP证书,
openssl req -nodes -new -x509 -keyout private.key -out public.cert
配置向导如下,
#... Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Guangdong Locality Name (eg, city) [Default City]:Dongguan Organization Name (eg, company) [Default Company Ltd]:cmdschool.org Organizational Unit Name (eg, section) []:CA Common Name (eg, your name or your server's hostname) []:cmdschool.org CA Email Address []:
如果你使用如下命令查看公钥内容,
cat public.cert
可见如下显示(“#…”表示证书内容有省略),
-----BEGIN CERTIFICATE----- MIIDyTCCAr#… -----END CERTIFICATE-----
如果你使用如下命令查看公钥内容,
cat private.key
可见如下显示(“#…”表示证书内容有省略),
-----BEGIN PRIVATE KEY----- MIIEvAIBADA#… -----END PRIVATE KEY-----
2.2 设置Nextcloud
2.2.1 启用插件
occ app:enable user_saml
以上命令启用插件“user_saml”,如果你不熟悉命令行,请在Web界面启用。
2.2.2 设置SSO & SAML认证
单击右上角【头像】->【Personal Settings】
在左边的“Administration”选项卡中单击【SSO & SAML authentication】
– Global settings
-- 选项“Allow the use of multiple user back-ends (e.g. LDAP)”选择“True”
– General
-- 选项“Attribute to map the UID to.”填写“userPrincipalName” -- 选项“Optional display name of the identity provider (default: "SSO & SAML log in")”填写“cmdschool WebSSO”
– Service Provider Data
-- 选项“X.509 certificate of the Service Provider”导入SP证书公钥文件“public.cert”的值“MIIDyTCCAr#…” -- 选项“Private key of the Service Provider”导入SP证书公钥文件“private.key”的值“MIIEvAIBADA#…”
– Identity Provider Data
-- 选项“Identifier of the IdP entity (must be a URI)”填写“https://websso.cmdschool.org/realms/cmdschool” -- 选项“URL Target of the IdP where the SP will send the Authentication Request Message”填写“https://websso.cmdschool.org/realms/cmdschool/protocol/saml” -- 选项“URL Location of the IdP where the SP will send the SLO Request”填写“https://websso.cmdschool.org/realms/cmdschool/protocol/saml” -- 选项“Public X.509 certificate of the IdP”导入idP证书的值并加上证书头尾声明,范例如下,
-----BEGIN CERTIFICATE----- MIICnzCC#… -----END CERTIFICATE-----
– Attribute mapping
-- 选项“Attribute to map the displayname to.”填写“displayname” -- 选项“Attribute to map the displayname to.”填写“email”
– Security settings中选中如下选项
-- Indicates whether the <samlp:AuthnRequest> messages sent by this SP will be signed. [Metadata of the SP will offer this info] -- Indicates whether the <samlp:logoutRequest> messages sent by this SP will be signed. -- Indicates whether the <samlp:logoutResponse> messages sent by this SP will be signed. -- Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and <samlp:LogoutResponse> elements received by this SP to be signed. -- Indicates a requirement for the <saml:Assertion> elements received by this SP to be signed. [Metadata of the SP will offer this info]
– User filtering
单击【Download metadata XML】会得到名称为“metadata.xml”的配置文件。
2.2 设置Keycloak
2.2.1 导入配置
单击【Manage realms】->【cmdschool】选中需要导入客户配置的领域
单击【Client】->【Clients List】->【Import client】
在“Resource file”中单击【Browse…】选中名称为“metadata.xml”的配置文件
单击【Save】
2.2.2 设置根URL
在新窗口中“Root URL”参数填写“https://nextcloud.cmdschool.org”
单击【Save】
2.2.3 设置重定向URI
在新窗口中“Valid redirect URIs”参数
单击“Add valid redirect URLs”并填写“https://nextcloud.cmdschool.org/*”
单击【Save】
2.2.4 设置Client scopes
在新窗口中单击【Client scopes】
单击“Assigned client scope”值为“role_list”行的“Assigned type”值并选择“Optional”
注:该值如果是“Default”会影响用户正常的登陆。
2.2.5 设置Mappers
在新窗口中单击【Client scopes】
单击“Assigned client scope”值为【https://nextcloud.cmdschool.org/index.php/apps/user_saml/saml/metadata-dedicated】的按钮
在“Mappers”选项卡中单击【Configure a new mapper】->【User Attribute】并增加如下属性
– 属性“sAMAccountName”
— 选项“Mapper type *”选择“User Attribute” — 选项“Name *”中填写“sAMAccountName” — 选项“User Attribute”中填写“sAMAccountName” — 选项“Friendly Name”中填写“sAMAccountName” — 选项“SAML Attribute Name”中填写“sAMAccountName” — 选项“SAML Attribute NameFormat ”选择“Basic” — 选项“Aggregate attribute values”选择“Off”
单击【Save】
– 属性“email”
— 选项“Mapper type *”选择“User Attribute” — 选项“Name *”中填写“email” — 选项“User Attribute”中填写“email” — 选项“Friendly Name”中填写“email” — 选项“SAML Attribute Name”中填写“email” — 选项“SAML Attribute NameFormat ”选择“Basic” — 选项“Aggregate attribute values”选择“Off”
单击【Save】
– 属性“mail”
— 选项“Mapper type *”选择“User Attribute” — 选项“Name *”中填写“mail” — 选项“User Attribute”中填写“mail” — 选项“Friendly Name”中填写“mail” — 选项“SAML Attribute Name”中填写“mail” — 选项“SAML Attribute NameFormat ”选择“Basic” — 选项“Aggregate attribute values”选择“Off”
单击【Save】
– 属性“objectGUID”
— 选项“Mapper type *”选择“User Attribute” — 选项“Name *”中填写“objectGUID” — 选项“User Attribute”中填写“objectGUID” — 选项“Friendly Name”中填写“objectGUID” — 选项“SAML Attribute Name”中填写“objectGUID” — 选项“SAML Attribute NameFormat ”选择“Basic” — 选项“Aggregate attribute values”选择“Off”
单击【Save】
– 属性“userPrincipalName”
— 选项“Mapper type *”选择“User Attribute” — 选项“Name *”中填写“userPrincipalName” — 选项“User Attribute”中填写“userPrincipalName” — 选项“Friendly Name”中填写“userPrincipalName” — 选项“SAML Attribute Name”中填写“userPrincipalName” — 选项“SAML Attribute NameFormat ”选择“Basic” — 选项“Aggregate attribute values”选择“Off”
单击【Save】
2.3 测试WebSSO登陆
2.3.1 测试默认登陆与WebSSO登陆可选界面
https://nextcloud.cmdschool.org/
2.3.2 测试WebSSO登陆界面
https://nextcloud.cmdschool.org/index.php/apps/user_saml/saml/login?originalUrl=&idp=1
2.3.3 测试默认登陆界面
https://nextcloud.cmdschool.org/index.php/login?direct=1
参阅文档
=========
插件首页
—————
https://apps.nextcloud.com/apps/user_saml
插件的github
—————-
https://github.com/nextcloud/user_saml
第三方配置范例
—————
https://stackoverflow.com/questions/48400812/sso-with-saml-keycloak-and-nextcloud
https://janikvonrotz.ch/2020/04/21/configure-saml-authentication-for-nextcloud-with-keycloack/
https://help.nextcloud.com/t/sso-saml-documentation/173282
错误修复
———
https://github.com/nextcloud/user_saml/issues/222
没有评论