On 2024-10-09 20:35, Daniel Pätzold via FreeIPA-users wrote:
Hello, I have set up FreeIPA (on Docker) and was able to log on via PAM / SSSD on some hosts. klist shows a valid ticket, and in Firefox I am able to log into FreeIPA's WebUI using SSO/Kerberos as the user I am logged in as.

I would like to have Nextcloud (also on Docker) use SSO Kerberos. There are many apps in Nextcloud and I don't know how to start: SSO/SAML, Social Login, Backend LDAP, OpenID, OAuth... I only found one piece of documentation on SSO in Nextcloud, but it's behind a paywall (and our company is too small to get a subscription).

Has anybody got this working? Which Nextcloud apps should be used, and how would they be configured?

SSO/SAML is the one that handles Kerberos. I got it working with it once.

What you want to do basically is to configure the webserver you have in front of Nextcloud to use Kerberos (that is, you create a service principal on FreeIPA for that host), get its keytab and then configure your webserver to use it.

Basically it works this way: the webserver gets the user's HTTP ticket and sets up a variable (you choose which, if I'm not mistaken), and the SSO/SAML application will read that variable from the webserver.

I remember it was tough to configure it. Most documentation was based on a deprecated apache module, so I had to figure out how to configure it with the modern module.

If I could suggest anything, it would be to drop this webserver configuration and use Keycloak instead for authentication. It was a breeze to get Keycloak to work with FreeIPA, including Kerberos. Of course, it is one more component, but Keycloak might be useful for other applications anyway.

Good luck!

Best,

---
Francis Augusto Medeiros-Logeay
Oslo, Norway
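The webserver-side procedure the reply sketches (service principal, keytab, webserver Kerberos config, Nextcloud reads the exported variable), written out as an added example; it is not from the thread, not from the FreeIPA or Nextcloud projects, and every hostname, path, and the Nextcloud `occ` keys it uses are assumptions to check against your own environment and the `user_saml` app documentation. It uses mod_auth_gssapi as the "modern module" rather than the deprecated mod_auth_kerb.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): the steps the reply
# describes, as shell you would run on the Nextcloud web host that is already
# enrolled in FreeIPA. Hostnames, paths and the user_saml occ keys are
# assumptions constructed for this example.
set -eu

# Assumed names (constructed for this example).
NC_HOST="nextcloud.example.test"        # FQDN the browser uses; must match the SPN
KEYTAB="/etc/httpd/nextcloud.keytab"    # where httpd will read the HTTP/ key
HTTPD_USER="apache"                     # account the webserver runs as

# Step 1: register a service principal HTTP/<fqdn> in FreeIPA.
create_service_principal() {
    ipa service-add "HTTP/${NC_HOST}"
}

# Step 2: retrieve the keytab for that principal and restrict it so that only
# the webserver account can read it (it is a long-term key, treat it as a
# password). ipa-getkeytab needs an admin or host ticket in the cache.
fetch_keytab() {
    ipa-getkeytab -p "HTTP/${NC_HOST}" -k "${KEYTAB}"
    chown "${HTTPD_USER}:${HTTPD_USER}" "${KEYTAB}"
    chmod 0600 "${KEYTAB}"
}

# Step 3: write an httpd snippet for mod_auth_gssapi. The module negotiates
# the user's ticket and exports the authenticated principal as REMOTE_USER,
# which is the variable the Nextcloud SSO/SAML app reads. Basic-auth fallback
# is off so a password is never sent if Negotiate fails; GssapiLocalName
# strips the realm so REMOTE_USER matches the FreeIPA uid. The protected path
# is the user_saml login endpoint (assumed; check your Nextcloud version).
write_apache_config() {
    out="$1"
    cat > "${out}" <<EOF
# Kerberos SSO for Nextcloud via mod_auth_gssapi (generated example)
<Location /apps/user_saml/saml/login>
    AuthType GSSAPI
    AuthName "Kerberos Login"
    GssapiCredStore keytab:${KEYTAB}
    GssapiBasicAuth Off
    GssapiLocalName On
    Require valid-user
</Location>
EOF
}

# Helper: confirm a generated config carries a given directive, so the
# security-relevant settings can be checked before httpd is restarted.
config_has_directive() {
    grep -q "$2" "$1"
}

# Step 4: tell the SSO/SAML app to trust the webserver variable. The occ
# keys below are assumptions taken from user_saml's environment-variable
# mode; verify them for your release before relying on them.
configure_nextcloud_env_mode() {
    php occ config:app:set user_saml type --value="environment-variable"
    php occ config:app:set user_saml general-uid_mapping --value="REMOTE_USER"
}

main() {
    create_service_principal
    fetch_keytab
    write_apache_config /etc/httpd/conf.d/nextcloud-gssapi.conf
    configure_nextcloud_env_mode
    echo "Restart httpd, then verify with a ticket in hand:"
    echo "  curl --negotiate -u : -I https://${NC_HOST}/apps/user_saml/saml/login"
}

# Only act when explicitly asked, so the file can be inspected or sourced
# without touching FreeIPA or the webserver.
if [ "${1:-}" = "apply" ]; then
    main
fi
```

Run it as `sh nextcloud-sso.sh apply` on the web host after `kinit admin`; the curl line at the end should return a 200 or a redirect into Nextcloud rather than a 401 once the keytab and SPN agree with the hostname in the browser's URL.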


_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue