Nextcloud - SSO configuration


This documentation has been tested and approved by Kelvin Zero's team.

This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Nextcloud using MPAS. SSO simplifies user authentication by allowing access to multiple applications with a single set of credentials. This integration enhances security and improves user experience across your organization.
To set up Multi-Pass with Nextcloud, ensure you meet the following requirements:
- Nextcloud with SSO & SAML addon (Nextcloud v30.0.6, SSO & SAML v6.5.0)
- MPAS Subscription
- X509 certificate and key
Important: Custom elements in URLs (like realm names) are case sensitive. Make sure to match the exact casing from your environment.


Configuration of Nextcloud

  1. Sign in to Nextcloud using an Administrator account.
  2. Access the Apps menu:
    1. Click on Apps in the main menu.
  3. Search for the SSO & SAML authentication app:
    1. Click in the search bar and type SAML.
    2. Click on Search everywhere to ensure all results are shown.
  4. Enable the app:
    1. If the app is already installed, click on Enable.
    2. If not, click Download and Enable to install it.
This ensures that the SAML authentication module is available for configuration.
  5. Click on Administration Settings in the Nextcloud menu.
  6. Navigate to SSO & SAML authentication.
This will open the configuration panel for setting up SAML authentication in Nextcloud.

  1. Under Global Settings:
    1. Allow the use of multiple user back-ends (e.g. LDAP)
  2. Under General Settings, enter the following information:
    1. Attribute to map the UID to: username
    2. Optional display name of the identity provider: Multi-Pass (default is “SSO & SAML log in”)
This configuration ensures that Nextcloud correctly maps user identities and displays the appropriate identity provider name.

  1. Generate a Self-Signed X.509 Certificate (if needed)
If you do not have a PKI tool in your enterprise, you can generate a certificate and key using OpenSSL with the following command:

    openssl req -nodes -new -x509 -keyout private.key -out public.cert

private.key → Private key for the Service Provider
public.cert → X.509 certificate for the Service Provider
Note that without a -days option OpenSSL issues this certificate with its default validity of 30 days; either pass a longer -days value or plan to renew the certificate (and re-import the updated metadata into MPAS) before it expires.

  1. Enter the Generated Certificate and Key
    1. X.509 Certificate of the Service Provider: Copy and paste the contents of public.cert.
    2. Private Key of the Service Provider: Copy and paste the contents of private.key.
  2. Set the Name ID Format
    1. Name ID Format: Unspecified
This step ensures that Nextcloud is correctly configured as a SAML Service Provider (SP).


  1. Enter Identity Provider (IdP) Information (the requested details can be found at https://ca.auth.kzero.com/realms/<realmname>/protocol/saml/descriptor):
    1. Identifier of the IdP entity (must be a URI): https://ca.auth.kzero.com/realms/<realmname>
    2. URL Target of the IdP where the SP will send the Authentication Request Message: https://ca.auth.kzero.com/realms/<realmname>/protocol/saml
  2. Retrieve and Enter the Public X.509 Certificate of the IdP:
    1. Locate the certificate in MPAS by navigating to your realm settings page: https://ca.auth.kzero.com/admin/<realmname>/console/#/<realmname>/realm-settings/keys
    2. Locate the RS256 RSA key and click on Certificate to display the X.509 certificate.
    3. Copy and paste the certificate into the Public X.509 certificate of the IdP field in Nextcloud.
This step ensures that Nextcloud properly communicates with the identity provider (IdP) for authentication.

  1. In the Attribute Mapping section, enter the following information:
    1. Attribute to map the email address to: email
    2. Attribute to map the user groups to: Role
This ensures that Nextcloud correctly retrieves the user’s email and role information from the identity provider (IdP).

In the Security Settings section, ensure that the following options are checked:
  1. Signing for outgoing requests:
    1. Indicates whether the <samlp:AuthnRequest> messages sent by this SP will be signed. (Metadata of the SP will confirm this setting.)
    2. Indicates whether the <samlp:logoutRequest> messages sent by this SP will be signed.
    3. Indicates whether the <samlp:logoutResponse> messages sent by this SP will be signed.
  2. Signing requirement for incoming responses:
    1. Requires that <samlp:Response>, <samlp:LogoutRequest>, and <samlp:LogoutResponse> elements received by this SP are signed.
    2. Requires that <saml:Assertion> elements received by this SP are signed. (Metadata of the SP will confirm this setting.)
These settings ensure the integrity and security of the SAML authentication exchange between Nextcloud (SP) and the Identity Provider (IdP).


Once all the steps above have been completed, click on Download metadata XML at the bottom of the page (ensure that the UI indicates that the metadata is valid).
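The script below is an added example, not part of the original guide or of Kelvin Zero's tooling: it parses the downloaded SP metadata and confirms that the signing options, the SP certificate and the Name ID Format chosen in the steps above are reflected in it, which is what the "Metadata of the SP will confirm this setting" remarks refer to. The sample metadata, its entityID, ACS URL and certificate body are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample in the shape of Nextcloud's "Download metadata XML" output;
# the entityID, ACS URL and certificate body are placeholders, not real values.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://nextcloud.example.invalid/apps/user_saml/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...CERTIFICATE-PLACEHOLDER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://nextcloud.example.invalid/apps/user_saml/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text):
    """Map each SP requirement from this guide (signing flags, SP certificate,
    Name ID Format, HTTPS endpoints) to True/False for the given metadata."""
    sp = ET.fromstring(xml_text).find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    # A KeyDescriptor with use="signing" (or no use attribute, which means both
    # signing and encryption) must carry the certificate pasted into Nextcloud.
    signing_cert = any(kd.get("use") in (None, "signing")
                       and kd.find(".//ds:X509Certificate", NS) is not None
                       for kd in sp.findall("md:KeyDescriptor", NS))
    formats = [f.text.strip() for f in sp.findall("md:NameIDFormat", NS) if f.text]
    acs = sp.findall("md:AssertionConsumerService", NS)
    return {
        "authn_requests_signed": sp.get("AuthnRequestsSigned") in ("true", "1"),
        "want_assertions_signed": sp.get("WantAssertionsSigned") in ("true", "1"),
        "sp_signing_certificate_present": signing_cert,
        "nameid_format_unspecified": NAMEID_UNSPECIFIED in formats,
        "acs_endpoints_https": bool(acs) and all(
            a.get("Location", "").startswith("https://") for a in acs),
    }


def failed_checks(xml_text):
    """Sorted names of the checks that fail; an empty list means the export
    matches the settings this guide asks for."""
    return sorted(k for k, ok in check_sp_metadata(xml_text).items() if not ok)
```

Run failed_checks on the contents of the downloaded file; anything it lists points at a Security Settings or General Settings option that was not saved as intended.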

  1. Navigate to your MPAS administration console.
  2. Click on Clients.
  3. Click on Import Client.
  4. Drag and drop the XML metadata file you downloaded from Nextcloud into the Resource file field.
This step registers Nextcloud as a client in MPAS, enabling SAML authentication between the two systems.
  5. Give your client a name and click Save.

Once your client is created, navigate to the Client scopes tab -> click on the metadata-dedicated client scope.


To map user attributes correctly, create the following three mappers in this client scope.

Email mapper:
  1. Click on Add Mapper.
  2. Select Configure a New Mapper.
  3. Choose User Property as the mapper type.
  4. Enter the following details:
    1. Name: email
    2. Property: email
    3. Friendly Name: email
    4. SAML Attribute Name: email
    5. SAML Attribute NameFormat: Basic
  5. Click Save to apply the changes.

Username mapper (again via Add Mapper -> Configure a New Mapper):
  1. Choose User Property as the mapper type.
  2. Enter the following details:
    1. Name: username
    2. Property: username
    3. Friendly Name: username
    4. SAML Attribute Name: username
    5. SAML Attribute NameFormat: Basic
  3. Click Save to apply the changes.

Roles mapper (again via Add Mapper -> Configure a New Mapper):
  1. Choose Role list as the mapper type.
  2. Enter the following details:
    1. Name: roles
    2. Role attribute name: Roles
    3. Friendly Name: Roles
    4. SAML Attribute NameFormat: Basic
    5. Single Role Attribute: On
  3. Click Save to apply the changes.
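As an added example (not part of the original guide), the script below parses the AttributeStatement of a SAML assertion in the shape the three mappers above produce and reports anything that would stop Nextcloud's Attribute Mapping fields from reading the UID, email and groups attributes. The assertion, realm name, user and role values are constructed placeholders, and the attribute names passed to mapping_problems are assumed to be exactly what was entered in Nextcloud's Attribute Mapping fields.

```python
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed sample of the AttributeStatement the three mappers above should produce
# (Single Role Attribute puts every role into one "Roles" attribute). Placeholders only.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id" Version="2.0" IssueInstant="2025-01-01T00:00:00Z">
  <saml:Issuer>https://ca.auth.kzero.com/realms/REALM-PLACEHOLDER</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="email" FriendlyName="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>jane.doe@example.invalid</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="username" FriendlyName="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>jane.doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Roles" FriendlyName="Roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>nextcloud-users</saml:AttributeValue>
      <saml:AttributeValue>nextcloud-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml):
    """Return {attribute Name: (NameFormat, [values])} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    out = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML)]
        out[attr.get("Name")] = (attr.get("NameFormat"), values)
    return out


def mapping_problems(assertion_xml, uid_attr="username", email_attr="email", groups_attr="Roles"):
    """List mismatches between the assertion and the attribute names Nextcloud reads."""
    attrs = attribute_values(assertion_xml)
    problems = []
    for label, name in (("uid", uid_attr), ("email", email_attr), ("groups", groups_attr)):
        fmt, values = attrs.get(name, (None, []))
        if name not in attrs:
            problems.append(f"{label}: attribute '{name}' missing from assertion")
        elif fmt != BASIC:
            problems.append(f"{label}: '{name}' NameFormat is {fmt!r}, expected Basic")
        elif not values or not all(values):
            problems.append(f"{label}: '{name}' carries no value")
    # Nextcloud maps one UID per user, so several values here would be ambiguous.
    if len(attrs.get(uid_attr, (None, [None]))[1]) != 1:
        problems.append(f"uid: '{uid_attr}' must carry exactly one value")
    return problems
```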

Test the Multi-Pass Login Method

  1. Open a new browser session (or use an incognito/private browsing window).
  2. Navigate to your Nextcloud login page.
  3. You should see two login options.
  4. Click on Multi-Pass to initiate SAML authentication.
  5. Log in using your preferred Multi-Pass method.
  6. Your user should automatically be provisioned and signed in if successful.
