The Ultimate Guide to Configuring Nextcloud SSO with Keycloak

Jan 26 2024 - Category: Cloud Storage How To's

In today’s world, security is more important than ever, and this is especially true for cloud-based systems like Nextcloud. Nextcloud is an open-source file sharing and collaboration platform that allows users to store, share, and collaborate on files from anywhere. It’s a powerful tool, but as with any cloud-based system, security is a major concern.

One way to improve security and simplify authentication is to implement single sign-on (SSO) using an identity provider like Keycloak. Keycloak is an open-source software solution that manages user authentication and authorization for web applications and services, and it supports various protocols and standards like OAuth 2.0, OpenID Connect, and SAML.

By integrating Nextcloud with Keycloak, users can log in to Nextcloud using their Keycloak credentials, reducing the risk of password reuse and simplifying the authentication process. In this article, we’ll show you how to configure Nextcloud with Keycloak step-by-step, from setting up Keycloak and Nextcloud to configuring SSO and advanced options like user synchronization and two-factor authentication. By the end of this guide, you’ll have a secure, streamlined Nextcloud deployment that makes use of the powerful features of Keycloak.

In this guide we will take a 3 step approach to configuring Nextcloud SSO to work with Keycloak:

  1. Install and setup Keycloak
  2. Install and setup Nextcloud
  3. Configure Keycloak and Nextcloud for SSO

If you already have Keycloak and Nextcloud installed and setup, start at step 3.

Install And Setup Keycloak

Keycloak is an open-source software solution that provides user authentication and authorization for web applications and services. It supports various protocols and standards like OAuth 2.0, OpenID Connect, and SAML, making it a versatile tool for securing web applications.

Setting up Keycloak is relatively straightforward and can be done in just a few steps. In this article, we’ll guide you through the process of setting up Keycloak on a Linux server using the standalone distribution.

Prerequisites

Before we begin, make sure you have the following prerequisites:

  • A Linux server running Ubuntu 18.04 or later, CentOS 7 or later, or any other Linux distribution that supports Java 8 or later.
  • Java 8 or later installed on your server.
  • Administrative access to your server to install and configure software packages.

Step 1: Download and Install Keycloak

The first step is to download and install Keycloak on your server. Here’s how to do it:

  1. Download the Keycloak standalone distribution from the official website: https://www.keycloak.org/downloads.html. Make sure you download the version that matches your server’s architecture (32-bit or 64-bit).
  2. Extract the downloaded file to a directory of your choice. For example, you can extract it to /opt:

sudo tar -xzf keycloak-<version>.tar.gz -C /opt/

  3. Rename the extracted directory to keycloak:

sudo mv /opt/keycloak-<version> /opt/keycloak

Step 2: Start Keycloak

The next step is to start Keycloak. Here’s how to do it:

  1. Change to the bin directory of the Keycloak installation:

cd /opt/keycloak/bin

  2. Start Keycloak using the following command. This will start Keycloak in standalone mode, listening on all network interfaces:

./standalone.sh -b 0.0.0.0

  3. Wait for Keycloak to start up. You should see log messages indicating that Keycloak is ready to accept connections.

Step 3: Access Keycloak Admin Console

Once Keycloak is running, you can access the Keycloak Admin Console using a web browser. Here’s how to do it:

  1. Open a web browser and navigate to http://<server-ip-address>:8080/auth/admin/. Replace <server-ip-address> with the IP address of your server.
  2. You will be prompted to create an initial admin user. Enter the required information and click “Create” to create the admin user.
  3. You will be redirected to the Keycloak Admin Console login page. Enter the username and password of the admin user you just created and click “Sign In” to log in.

Congratulations! You have successfully set up Keycloak on your server and logged in to the Keycloak Admin Console. From here, you can configure Keycloak to secure your web applications and services using various protocols and standards like OAuth 2.0, OpenID Connect, and SAML.

Step 4: Configure Keycloak

Once you have logged in to the Keycloak Admin Console, you can configure Keycloak for securing your web applications and services. Here are some basic configuration steps:

  1. Create a realm: A realm is a logical container for users, applications, and identity providers. Click “Add Realm” and enter a name for the realm.
  2. Create a client: A client is an application or service that uses Keycloak for authentication and authorization. Click “Clients” and then “Create” to create a client.
  3. Configure client settings: Set the client type, redirect URIs, and other settings as required.
  4. Configure authentication: Configure the authentication flow for the client. This includes setting up identity providers like social login, multi-factor authentication, and password policies.
  5. Configure authorization: Configure the authorization policies for the client. This includes setting up roles, permissions, and policies

Install and Setup Nextcloud

Prerequisites

Before we begin, make sure that you have a server running Linux, Apache, MySQL, and PHP (LAMP stack) and have administrative access to it. You will also need to have a domain name pointing to your server’s IP address.

Step 1: Install required packages

  1. Connect to your server using SSH.
  2. Update the package lists using the following command:

sudo apt-get update

  3. Install the required packages using the following command:

sudo apt-get install apache2 mysql-server php libapache2-mod-php php-mysql php-curl php-gd php-imagick php-intl php-json php-mbstring php-xml php-zip

Step 2: Configure Apache

  1. Open the Apache configuration file using the following command:

sudo nano /etc/apache2/apache2.conf

  2. Add the following lines at the bottom of the file:

<Directory /var/www/html>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

  3. Save and close the file.
  4. Restart Apache using the following command:

sudo systemctl restart apache2
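The <Directory> block above switches on "Options Indexes", which makes Apache list the contents of any directory that has no index file. The following is an added example, not part of the original article: it keeps the article's block as a constructed input, shows a hardened variant beside it, and provides a small lint that flags the directory-listing setting. The vhost path /var/www/html/nextcloud is an assumption.

```shell
# Added example, not from the original article: the article's <Directory> block
# beside a hardened one, plus a small lint for the directory-listing setting.
# The path /var/www/html/nextcloud is an assumption.

# The article's block, reproduced here as a constructed input for the lint.
# "Options Indexes" enables automatic directory listings, so any directory
# without an index file reveals its file names to anyone who can reach the host.
ARTICLE_DIRECTORY_BLOCK='<Directory /var/www/html>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>'

# Hardened variant: "-Indexes" turns listings off. "AllowOverride All" stays,
# because Nextcloud ships a .htaccess with rules that block direct requests to
# config/ and data/, and those rules only apply when overrides are honoured.
hardened_directory_block() {
    cat <<'EOF'
<Directory /var/www/html/nextcloud>
    Options -Indexes +FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
EOF
}

# lint_options: read an Apache config fragment on stdin; return 1 if any Options
# directive switches directory listing on ("Indexes" or "+Indexes" as a token),
# 0 otherwise. "-Indexes" is deliberately not flagged.
lint_options() {
    if grep -Eq '^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+\+?Indexes([[:space:]]|$)'; then
        return 1
    fi
    return 0
}

# Typical use on the server (not run here): lint the live config, then let
# Apache validate the syntax before restarting.
#   lint_options < /etc/apache2/apache2.conf || echo "directory listing is enabled"
#   sudo apachectl configtest && sudo systemctl restart apache2
```

Run `apachectl configtest` before every restart; a syntax error in apache2.conf otherwise takes the whole site down with the restart.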

Step 3: Install Nextcloud

  1. Download the latest version of Nextcloud using the following command:

wget https://download.nextcloud.com/server/releases/nextcloud-22.2.0.tar.bz2

  2. Extract the downloaded file into the web root (root privileges are needed to write to /var/www/html) using the following command:

sudo tar -xjf nextcloud-22.2.0.tar.bz2 -C /var/www/html/

  3. Set the appropriate permissions using the following commands:

sudo chown -R www-data:www-data /var/www/html/nextcloud/
sudo chmod -R 755 /var/www/html/nextcloud/

Step 4: Create a MySQL database for Nextcloud

  1. Log in to MySQL using the following command:

sudo mysql -u root -p

  2. Enter your MySQL root password when prompted.
  3. Create a new database using the following command:

CREATE DATABASE nextcloud;

  4. Create a new user and grant privileges to the database using the following commands:

CREATE USER 'nextclouduser'@'localhost' IDENTIFIED BY 'yourpassword';
GRANT ALL PRIVILEGES ON nextcloud.* TO 'nextclouduser'@'localhost';
FLUSH PRIVILEGES;

  5. Exit MySQL using the following command:

exit
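The statements above use the placeholder 'yourpassword'. As an added example (not part of the original article), the script below generates a random password for the database account, builds the same statements with proper quoting, and keeps the grant scoped to the nextcloud database. The database and user names follow the article; the password length and the character-set clause are my choices.

```shell
# Added example, not from the original article: create the Nextcloud database
# and its user with a randomly generated password instead of 'yourpassword',
# and build the SQL with proper quoting.

# gen_db_password: 32 random bytes from the kernel CSPRNG, base64-encoded
# (padding and newline stripped); plenty of entropy for a local DB account.
gen_db_password() {
    head -c 32 /dev/urandom | base64 | tr -d '\n='
}

# sql_escape VALUE: double every single quote so VALUE is safe inside a
# '...' string literal, the only escaping CREATE USER needs here.
sql_escape() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# nextcloud_db_sql DBNAME USER PASSWORD: print the statements from the article.
# The database name goes inside backticks, so it is restricted to a plain
# identifier rather than escaped. Privileges are granted on DBNAME.* only
# (no *.*, no GRANT OPTION), so a compromise of the Nextcloud account cannot
# reach other databases on the same server.
nextcloud_db_sql() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) echo "database name must match [A-Za-z0-9_]+" >&2; return 1 ;;
    esac
    db=$1
    user=$(sql_escape "$2")
    pass=$(sql_escape "$3")
    printf "CREATE DATABASE IF NOT EXISTS \`%s\` CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;\n" "$db"
    printf "CREATE USER '%s'@'localhost' IDENTIFIED BY '%s';\n" "$user" "$pass"
    printf "GRANT ALL PRIVILEGES ON \`%s\`.* TO '%s'@'localhost';\n" "$db" "$user"
    printf "FLUSH PRIVILEGES;\n"
}

# Typical use on the server (not run here). The password is written to a
# root-only file so it can be pasted into the Nextcloud setup page later.
#   PASS=$(gen_db_password)
#   nextcloud_db_sql nextcloud nextclouduser "$PASS" | sudo mysql -u root -p
#   ( umask 077; printf '%s\n' "$PASS" > /root/nextcloud-db.pass )
```

Feeding the SQL through stdin rather than typing it interactively keeps the password out of the MySQL client's history file.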

Step 5: Complete the Nextcloud setup

  1. Open your web browser and go to your server’s domain name.
  2. Follow the on-screen instructions to complete the Nextcloud setup.
  3. When prompted for the database credentials, use the following details:
    • Database user: nextclouduser
    • Database password: yourpassword
    • Database name: nextcloud
    • Database host: localhost
  4. Set the data directory to a location outside of the web server’s document root.
  5. Create an admin account and set a strong password.
  6. Click on the “Finish setup” button to complete the installation.
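Step 4 says to place the data directory outside the web server's document root; if it sits under /var/www/html, every uploaded file is a URL away from anyone who guesses its path. As an added example (not part of the original article), the following check verifies that a chosen data directory is neither the document root nor anything beneath it. The paths used in the comments are constructed test values.

```shell
# Added example, not from the original article: verify that the Nextcloud data
# directory lies outside the web server's document root. Paths in the comments
# are constructed test values.

# normalize_path PATH: collapse repeated slashes and strip a trailing slash,
# keeping "/" for the root itself, so "/var/www/html/" and "/var//www/html"
# compare equal.
normalize_path() {
    p=$(printf '%s' "$1" | sed -e 's#//*#/#g' -e 's#/$##')
    [ -z "$p" ] && p=/
    printf '%s' "$p"
}

# datadir_outside_docroot DOCROOT DATADIR: return 0 when DATADIR is neither
# DOCROOT itself nor a path beneath it, 1 otherwise. A plain string-prefix
# test is not enough: /var/www/html-data is not under /var/www/html, so the
# comparison is done against DOCROOT followed by "/".
datadir_outside_docroot() {
    docroot=$(normalize_path "$1")
    datadir=$(normalize_path "$2")
    [ "$docroot" = / ] && return 1          # everything is under the root
    [ "$datadir" = "$docroot" ] && return 1
    case "$datadir" in
        "$docroot"/*) return 1 ;;
    esac
    return 0
}

# Typical use on the server (not run here), before entering the value in the
# setup page. The data directory should also be owned by the web server user.
#   datadir_outside_docroot /var/www/html /srv/nextcloud-data \
#       && sudo install -d -o www-data -g www-data -m 750 /srv/nextcloud-data \
#       || echo "choose a data directory outside /var/www/html"
```

Symlinks are not resolved here; if the candidate directory is a symlink, run the check on the target reported by `readlink -f` as well.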

Configure Keycloak And Nextcloud For SSO

Single sign-on (SSO) is a method of authentication that allows users to access multiple applications and services with a single set of login credentials. In this tutorial, we will show you how to configure Keycloak and Nextcloud for SSO.

Before we begin, let’s define Keycloak and Nextcloud:

  • Keycloak: Keycloak is an open-source identity and access management solution that provides authentication, authorization, and user management capabilities.
  • Nextcloud: Nextcloud is an open-source file-sharing and collaboration platform that provides a range of features, including file storage, document editing, and video conferencing.

To configure Keycloak and Nextcloud for SSO, we need to perform the following steps:

  1. Install and Configure Keycloak
  2. Create a Realm and a Client in Keycloak
  3. Configure Nextcloud to use Keycloak for Authentication

Let’s start with step 1.

  1. Install and Configure Keycloak

To install Keycloak, follow the instructions on the official Keycloak website. Once you have installed Keycloak, you will need to configure it by following the steps below:

  • Launch Keycloak and log in as an administrator using the default credentials (username: admin, password: admin).
  • Create a new user and assign it the “manage-users” role. This user will be used to administer the Keycloak server.
  • Create a new realm. A realm is a container for users, authentication settings, and client applications. In this tutorial, we will create a realm named “myrealm”.
  • Create a new client. A client is an application that can use Keycloak for authentication. In this tutorial, we will create a client named “nextcloud”.

Once you have completed the above steps, you are ready to move on to step 2.

  2. Create a Realm and a Client in Keycloak

To create a realm and a client in Keycloak, follow the steps below:

  • Log in to the Keycloak admin console as an administrator.
  • Create a new realm by clicking on the “Add Realm” button on the left-hand side of the screen. Give the realm a name (e.g., “myrealm”) and click “Create”.
  • Once the realm has been created, click on the “Clients” tab and click “Create”.
  • Give the client a name (e.g., “nextcloud”) and click “Save”.
  • Under the “Settings” tab, set the following values:
  • Under the “Credentials” tab, click “Regenerate Secret” to generate a new client secret. Make a note of this secret, as you will need it later.
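The realm and client created by clicking through the console here, and the client settings (type, redirect URIs) described under "Step 4: Configure Keycloak" earlier, can also be created from the shell with kcadm.sh, the admin CLI shipped in the standalone distribution under bin/. The following is an added example, not part of the original article and not code from the Keycloak project. The server URL, the realm and client names and the Nextcloud hostname are assumptions; adjust them to your deployment.

```shell
# Added example, not from the original article or the Keycloak project: create
# the realm and the confidential "nextcloud" client with kcadm.sh. Server URL,
# realm/client names and the Nextcloud hostname are assumptions.

KC_BIN=${KC_BIN:-/opt/keycloak/bin/kcadm.sh}
KC_SERVER=${KC_SERVER:-http://localhost:8080/auth}   # admin API over loopback
REALM=${REALM:-myrealm}
CLIENT_ID=${CLIENT_ID:-nextcloud}
NEXTCLOUD_URL=${NEXTCLOUD_URL:-https://cloud.example.com}   # assumed hostname

# check_redirect_uri URI: return 0 only for https URIs whose single wildcard,
# if any, is a trailing "/*". A bare "*" (which the console accepts) lets an
# authorization code be redirected to any site; plain http lets it be read
# on the wire.
check_redirect_uri() {
    case "$1" in https://?*) ;; *) return 1 ;; esac
    case "$1" in
        *\**\**) return 1 ;;   # more than one wildcard
        */\*)    return 0 ;;   # exactly one, trailing "/*"
        *\**)    return 1 ;;   # wildcard anywhere else, e.g. https://*.example.com
    esac
    return 0
}

# client_json CLIENT_ID NEXTCLOUD_URL: the client representation kcadm posts.
# publicClient=false makes the client confidential, so Keycloak issues the
# secret the article tells you to note; only the browser (standard) flow is
# enabled, since SSO needs neither the implicit flow nor password grants.
client_json() {
    check_redirect_uri "$2/*" || { echo "refusing insecure redirect URI: $2/*" >&2; return 1; }
    cat <<EOF
{
  "clientId": "$1",
  "enabled": true,
  "protocol": "openid-connect",
  "publicClient": false,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": false,
  "rootUrl": "$2",
  "redirectUris": ["$2/*"],
  "webOrigins": ["$2"]
}
EOF
}

# create_realm_and_client: authenticate once (kcadm prompts for the admin
# password), create the realm and the client, then print the client's secret.
# "create clients/<id>/client-secret" would generate a fresh one, as the
# console's "Regenerate Secret" button does.
create_realm_and_client() {
    "$KC_BIN" config credentials --server "$KC_SERVER" --realm master --user admin
    "$KC_BIN" create realms -s realm="$REALM" -s enabled=true
    client_json "$CLIENT_ID" "$NEXTCLOUD_URL" | "$KC_BIN" create clients -r "$REALM" -f -
    id=$("$KC_BIN" get clients -r "$REALM" -q clientId="$CLIENT_ID" --fields id --format csv --noquotes)
    "$KC_BIN" get "clients/$id/client-secret" -r "$REALM"
}
```

KC_SERVER defaults to localhost on purpose: the article starts Keycloak with `-b 0.0.0.0` over plain HTTP, so running kcadm from the Keycloak host itself keeps the admin credentials off the network until a TLS reverse proxy is in front of port 8080. Treat the printed secret like a password: it goes into the Nextcloud configuration and nowhere else.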

Once you have completed the above steps, you are ready to move on to step 3.

  3. Configure Nextcloud to use Keycloak for Authentication

To configure Nextcloud to use Keycloak for authentication, follow the steps below:

  • Log in to your Nextcloud instance as an administrator.
  • Install the “user_external” app by going to “Apps” and searching for “user_external”. Once installed, enable the app.
  • Configure the app by going to “Settings” -> “Authentication” -> “External user authentication”. Under “Backend”, select “HTTP Basic Auth”. Under “Configuration”, enter the following values:
    • “Server”: the URL of your Keycloak server (e.g., http://localhost:8080/auth)
    • “Username”: the username of the user you created in Keycloak in step 1
    • “Password”: the password of the user you created in Keycloak in step 1
    • “Authentication Realm

Wrapping Up

In conclusion, configuring Nextcloud SSO with Keycloak is an efficient way to provide users with a secure and streamlined authentication experience. By setting up Keycloak as the authentication provider for Nextcloud, you can leverage Keycloak’s powerful identity and access management capabilities, including multi-factor authentication and user federation.

This tutorial has covered the essential steps involved in configuring Keycloak and Nextcloud for SSO, from installing and configuring Keycloak, creating a realm and a client in Keycloak, to configuring Nextcloud to use Keycloak for authentication. By following these steps, you can enable SSO for your Nextcloud instance and simplify the login process for your users.

Overall, implementing SSO with Keycloak and Nextcloud is a great way to enhance the security and usability of your file-sharing and collaboration platform. By centralizing authentication and authorization in Keycloak, you can streamline your security operations and reduce the risk of unauthorized access to your organization’s sensitive data.