Overview

This document explains how to integrate Nextcloud with the RCDevs OpenOTP Identity Provider (IdP) using the User SAML application.
The integration enables Single Sign-On (SSO) for Nextcloud users, allowing authentication through the OpenOTP Authentication Server.

Prerequisites

Install and Enable the User SAML App

  1. Log in as Nextcloud administrator.
  2. Navigate to:
    Settings → Apps → Integration → SAML authentication
  3. Click Enable to activate the User SAML plugin.

Configure Nextcloud as Service Provider (SP)

  1. In Nextcloud, go to
    Settings → Administration → Security → SSO & SAML authentication
    Ensure the User SAML app is enabled.

  2. Configure the following parameters:

General

Setting Value
Attribute to map the UID to uid
Display name of the Identity Provider OpenOTP Authentication
Use POST method for SAML request Optional. Enable only if required by the IdP (default method: GET).

Service Provider Data

Setting Value
NameID Format Unspecified
X.509 Certificate of the Service Provider Paste the following certificate:

<YOU CAN ISSUE A CERTIFICAT & ITS KEY FROM WEBADM>

| Private Key of the Service Provider | <YOU CAN ISSUE A CERTIFICAT & ITS KEY FROM WEBADM> |
| Service Provider Entity ID (optional) | https://netcloud.rcdevsdocs.com/share/apps/user_saml/saml/metadata |

Identity Provider Data

Setting Value
Identifier of the IdP entity (must be a URI) https://sso.rcdevsdocs.com/openid/index.php
URL Target of the IdP (Authentication Request endpoint) https://sso.rcdevsdocs.com/openid/index.php
X.509 Certificate of IdP Upload or paste the certificate obtained from the IdP metadata at https://sso.rcdevsdocs.com/ws/saml.

Attribute Mapping

Setting Value
Attribute to map the display name to displayname
Attribute to map the email address to email

Security Settings

Setting Value
Signatures and encryption offered (optional)
Signatures and encryption required (optional)
Signing Algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

Configure Nextcloud as a Client in WebADM (IdP Configuration)

Create Client Policy

  1. Log in to WebADM Administrator Portal.
  2. Go to AdminClient PoliciesAdd Client.
  3. Name the policy Nextcloud and click Proceed → Create Object.

Configure Policy Settings

Parameter Value
Friendly Name Nextcloud
Client Name Aliases Use the Entity ID from Nextcloud. (e.g https://netcloud.rcdevsdocs.com/share/apps/user_saml/saml/metadata)
Default Domain Your organization domain (e.g., rcdevsdocs.com)

Scroll to Default Application Settings, enable Application Settings, then click Edit. From Application box, navigate to OpenID & SAML Provider and configure:

Parameter Value
Name Identifier UserID
Peer Certificate Upload Nextcloud SP certificate (public key - optional)
Encrypt SAML Response Yes (optional)
Assertion Consumer Service (ACS) URL Use ACS URL from Nextcloud

Once your SAML settings are configured, navigate to MFA Authentication Server in the Applications box and define the authentication policies you want to apply for Nextcloud logins.

Apply your setting and save your client policy.

Verification

  1. Log out of Nextcloud.
  2. Access your instance (e.g., https://nextcloud.rcdevsdocs.com).
  3. You should be redirected to RCDevs OpenOTP login.
  4. Authenticate with your OpenOTP credentials or MFA.
  5. Upon success, you are redirected back to Nextcloud as the authenticated user.

Troubleshooting

  • Invalid certificate: Ensure both SP and IdP certificates match and are valid.

  • Looping redirect: Check Entity ID consistency between Nextcloud and WebADM.

  • Attribute mismatch: Verify that NameID and user attributes correspond to those provided by the IdP.

  • Debug logs: Enable SAML debugging in Nextcloud’s config.php:

    'debug' => true,
'loglevel' => 0,

Review logs at data/nextcloud.log.

References