Nextcloud SSO with Azure Active Directory (AAD)

rOger Eisenecher
> 12 years leading and building a SOC for MSSP • > 20 years working in security • > 40 years working with IT • 100% tech nerd.

Nextcloud is a file sharing platform comparable to SharePoint. Providing SSO for this application to your Azure Active Directory users is easy - especially if you know which SAML properties you have to set up on both ends, Nextcloud and AAD. This article shows you how to do it.


Nextcloud is a popular file sharing platform which can be hosted anywhere. Of course it only really makes sense if it is reachable from the internet. To make it convenient for your Azure Active Directory (AAD) users to use this platform it should provide SSO. The following sections document the procedure.

What you will get at the end:

  • SSO with Nextcloud
  • Automatic account provisioning within Nextcloud
  • SP (Nextcloud) initiated authentication (you call your Nextcloud URL and are redirected to Azure AD for authentication)
  • IdP (AAD) initiated authentication (you open Nextcloud as an application from your user dashboard)

Known Issues:

  • Logout from Nextcloud is not possible
  • Even if you log out of AAD, your Nextcloud session stays valid until it expires

We will do the following steps:

  1. Install Nextcloud as a test instance with docker (super easy quick start)
  2. Setup SSO with Azure Active Directory
  3. Prepare Nextcloud for SSO

To follow this article you need the following:

  • A publicly reachable Linux based VM with docker installed, e.g. you can use the Oracle Free Tier Cloud offer: . I will use Ubuntu 22.04 in this lab. For tips regarding network setup in the Oracle Cloud see my blog post .
  • A DNS entry pointing to your VM (I will use in this documentation)
Note: All URLs containing and certificates have to be adapted to your configuration. They are provided as examples only.

Nextcloud Installation

As already mentioned we will run Nextcloud from a docker image. To simplify the setup process we will use the internal SQLite database.

Important! This setup is not recommended for production sites - it is just for testing purposes.

The setup consists basically of two steps:

  1. Installation of a Reverse Proxy: we will use Traefik. It will also do the certificate handling provided by Let’s Encrypt.
  2. Installation of Nextcloud itself.

For the following steps I assume that you have successfully installed docker in your VM. To verify you can issue docker --version. On my VM I get the following output:

ubuntu@plnx-srv01:~$ docker --version
Docker version 23.0.1, build a5ee5b1

Installation of Traefik

First we have to create a directory for persistent data of Traefik and we have to create a simple configuration file.

mkdir -p $PWD/traefik

Now create the config file ($PWD/traefik/traefik.yml) and put the following content into it:

## traefik.yml

# Docker configuration backend
providers:
  docker:
    defaultRule: "Host(`{{ trimPrefix `/` .Name }}.docker.local`)"

# API and dashboard configuration
api:
  dashboard: true
  insecure: true

# Entry points: plain HTTP (also used for the ACME challenge) and HTTPS
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

# Let's Encrypt resolver referenced by the "letsencrypt" certresolver label
certificatesResolvers:
  letsencrypt:
    acme:
      email: your-name@some-domain.tld
      storage: /letsencrypt/acme.json
      httpChallenge:
        entryPoint: http
Important! Replace email your-name@some-domain.tld with your valid email address!

After this preparation work we are ready to launch Traefik:

docker run -d -p 8080:8080 -p 80:80 -p 443:443 \
  -v $PWD/traefik/traefik.yml:/etc/traefik/traefik.yml \
  -v $PWD/traefik:/letsencrypt \
  -v /var/run/docker.sock:/var/run/docker.sock \
  --name traefik traefik

Now open your web browser and go to the URL http://public-ip-of-your-vm:8080/ and you should see the dashboard of Traefik.

Dashboard of Traefik showing some details of your instance.

Installation of Nextcloud

Again we first have to make sure that we have the required directories for persistent data. For Nextcloud we need more than one directory - but they can be created with a single command:

mkdir -p $PWD/nextcloud/config $PWD/nextcloud/data $PWD/nextcloud/custom_apps

Next step is to start the corresponding docker image:

docker run -d -p 8180:80 --env TRUSTED_PROXIES="" \
  --label "traefik.enable=true" \
  --label "traefik.http.routers.nextcloud.rule=Host(\`\`)" \
  --label "traefik.http.routers.nextcloud.tls.certresolver=letsencrypt" \
  --label "traefik.http.routers.nextcloud.middlewares=nc-redrex01,nc-redrex02" \
  --label "" \
  --label "[^/]*)/.well-known/(card|cal)dav" \
  --label "\${1}/remote.php/dav/" \
  --label "" \
  --label "[^/]*)(/.well-known[^#]*)" \
  --label "\${1}/index.php\${2}" \
  -v $PWD/nextcloud/config:/var/www/html/config \
  -v $PWD/nextcloud/data:/var/www/html/data \
  -v $PWD/nextcloud/custom_apps:/var/www/html/custom_apps \
  --name nextcloud nextcloud
Important! Replace your.dns.entry with the DNS entry you created previously for your VM!
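
The two middlewares chained on the router above (nc-redrex01, nc-redrex02) rewrite Nextcloud's .well-known discovery URLs before a request reaches the container. The following Python script is an added example, not code from the article or from Traefik; it replays that redirect chain offline on constructed URLs so you can see which rule fires for which path and why the order of the two middlewares matters. Because the article's labels only show the tail of each regex, the leading ^https://([^/]*) of both patterns is an assumption, and the dots in .well-known are escaped here although the labels leave them bare.

```python
"""Replay the two Traefik redirectregex middlewares from the docker labels.

Added example, not part of the article or of Traefik.  The labels in the
article only show the tail of each regex, so the leading "^https://([^/]*)"
of both patterns is an assumption; Traefik's Go-style "${1}" replacement
becomes Python's "\\g<1>".
"""
import re

# (middleware name, regex, replacement) in the order the router lists them:
# traefik.http.routers.nextcloud.middlewares=nc-redrex01,nc-redrex02
MIDDLEWARES = [
    # nc-redrex01: CalDAV/CardDAV discovery -> Nextcloud's DAV endpoint
    ("nc-redrex01",
     r"^https://([^/]*)/\.well-known/(card|cal)dav",
     r"https://\g<1>/remote.php/dav/"),
    # nc-redrex02: any other /.well-known/* -> handled by index.php
    ("nc-redrex02",
     r"^https://([^/]*)(/\.well-known[^#]*)",
     r"https://\g<1>/index.php\g<2>"),
]


def apply_redirects(url, middlewares=MIDDLEWARES):
    """Return (middleware that fired, resulting URL).

    Like Traefik's redirectregex, the first middleware whose regex matches
    answers with a redirect and ends the chain; a URL that no middleware
    matches is passed through to Nextcloud unchanged.
    """
    for name, pattern, replacement in middlewares:
        if re.search(pattern, url):
            return name, re.sub(pattern, replacement, url, count=1)
    return None, url


def check_order(middlewares=MIDDLEWARES):
    """Sanity check for the chain: the specific DAV rule must precede the
    generic .well-known rule, otherwise the generic rule captures the
    CalDAV/CardDAV discovery path first and the DAV rule never fires."""
    names = [m[0] for m in middlewares]
    return names.index("nc-redrex01") < names.index("nc-redrex02")


if __name__ == "__main__":
    # Constructed sample URLs; nc.example.test stands in for your DNS entry.
    for sample in ("https://nc.example.test/.well-known/caldav",
                   "https://nc.example.test/.well-known/webfinger",
                   "https://nc.example.test/index.php/apps/files"):
        print(sample, "->", apply_redirects(sample))
    print("middleware order OK:", check_order())
```

Running the script shows the DAV discovery path landing on /remote.php/dav/, any other .well-known path being prefixed with /index.php, and ordinary Nextcloud URLs passing through untouched; passing the list reversed to apply_redirects shows the generic rule swallowing the CalDAV path, which is the misconfiguration check_order() guards against.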

Shortly after you started your Nextcloud docker image it should be available publicly. Just go to https://your.dns.entry/ and you should get the initial setup prompt from Nextcloud:

Nextcloud install prompt - you have to define an admin user. Additionally you are informed that SQLite will be used as the backend, which is only a valid option for testing purposes.

Finish the installation by defining the admin account. You will be asked if you want to install recommended apps - just skip this step because for our use case those are not needed.

After successful installation Nextcloud shows you the welcome screen (Dashboard).

Now one final tweak is needed to make sure that pretty URLs are working:

ubuntu@plnx-srv01:~$ docker exec --user www-data nextcloud php occ maintenance:update:htaccess
.htaccess has been updated

Setup Enterprise Application in Azure Active Directory

Create Enterprise Application

To be able to set up SSO with AAD we have to create an Enterprise Application with SAML authentication enabled.

  • Log into Entra Portal
  • under Applications select Enterprise applications
  • Hit New application
  • Hit Create your own application (there is no pre-defined application for Nextcloud)

Create your own application.

  • Fill in following information
    • What’s the name of your app? Nextcloud
    • What are you looking to do with your application? Integrate any other application you don't find in the gallery (Non-gallery)
    • Hit on Create

Basic definition for your application.

Assign Users and/or Groups

Only assigned users and/or groups can use this application. So you have to assign corresponding users/groups to this application.

  • Select Users and groups
  • Hit on Add user/group
  • Select appropriate user and/or group and hit Assign

Setup single sign-on method

Now we have to define the single sign-on method.

  • Select Single sign-on
  • Select SAML
    Selecting single sign-on method SAML.
    Set up Single Sign-On with SAML Overview.

Now we have to fill in the required information for SAML authentication according to the sections:

Basic SAML Configuration

  • Identifier:
  • Reply URL (Assertion Consumer Service URL): with index 1
  • Sign on URL (Optional):
  • Relay State (Optional): (left it empty)
  • Logout Url (Optional): (left it empty)
  • Hit Save
    Basic SAML settings for Nextcloud.

Attributes & Claims

First we have to change the existing required claim for Unique User Identifier:

  • Name: nameidentifier (can not be changed)
  • Namespace: (can not be changed)
  • Name identifier format: Email address
  • Source: Attribute
  • Source attribute: user.mail
  • Hit Save

Defined claim for nameidentifier (should already be defined as shown here).

I always try to stick to the defaults if possible. For the Nextcloud integration we have to add additional claims.

  • Name: displayname
  • Namespace:
  • Source: Attribute
  • Source attribute: user.displayname
  • Hit Save

Additional claim for displayname.

Next claim we have to define:

  • Name: name
  • Namespace:
  • Source: Attribute
  • Source attribute: user.userprincipalname
  • Hit Save
Note: Account mapping between AAD and Nextcloud will be done based on this attribute.

Additional claim for name which will be filled with user.userprincipalname.

Here you see the summary of all defined Attributes & Claims:

All defined Attributes & Claims.

SAML Certificates

Download the certificate in Base64 format here - we need it later when setting up Nextcloud for SSO.

The certificate looks like:


Set up Nextcloud

Copy following URLs for later use when setting up Nextcloud for SSO:

  • Login URL:
  • Azure AD Identifier:
Note: Those URLs contain the tenantId (0ae2e4bc-355f-4422-be74-bd55df366c42). Use your URLs with your own tenantId!

Setup Nextcloud for SSO

Application installation

Now we have to prepare Nextcloud for SSO. By default Nextcloud is not able to do SSO - for this purpose we have to install a so called “App”. These are add-ons that extend the functionality of Nextcloud.

  • Just go to the Menu in the top right corner and hit Apps.
  • Select Featured apps (on the left side)
  • Search for SSO & SAML authentication; hit the Download and enable button there (you will probably be asked for your admin password)

Go to Apps, Featured Apps and Download and enable SSO & SAML authentication.

  • Just go to the Menu in the top right corner and hit Administration settings.
  • Search for SSO & SAML authentication in the Administration section
  • Hit on Use built-in SAML authentication

Activate Use built-in SAML authentication.

Setup Identity Provider


  • Attribute to map the UID to:
  • Optional display name of the identity provider: Azure AD

Service Provider Data

We don’t have to fill in any thing in this section.

Identity Provider Data

  • Identifier of the IdP entity (must be URI): (value you saved for later use in section Set up Nextcloud in AAD).
  • URL Target of the IdP where the SP will send the Authentication Request Message: (value you saved for later use in section Set up Nextcloud in AAD).

Expand optional Identity Provider settings:

  • Public X.509 certificate of the IdP: Paste in Public certificate of your Enterprise Application (value you saved for later use in section SAML Certificates in AAD).

Attribute mapping

Expand attribute mapping settings:

  • Attribute to map the displayname to:
  • Attribute to map the email address to:
  • Attribute to map the quota to: (left it empty)
  • Attribute to map the users groups to: (left it empty)
  • Attribute to map the users home to: (left it empty)
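
The claims defined in AAD earlier (nameidentifier, displayname and name) and the attribute mapping entered here in Nextcloud are two halves of one contract: the attribute names Nextcloud is told to read must be exactly the names AAD emits in the assertion. The following Python script is an added example, not code from the article or from the Nextcloud user_saml app; it parses a constructed, unsigned SAML response and applies that mapping so you can see which value becomes the Nextcloud user ID. The full claim URIs (Azure AD's default namespace http://schemas.xmlsoap.org/ws/2005/05/identity/claims), the emailaddress claim, the host name nextcloud.example.test and the user values are assumptions; the tenant ID is the one quoted in the article.

```python
"""Apply the AAD-to-Nextcloud attribute mapping to a SAML assertion.

Added example; this is not code from the article or from the Nextcloud
user_saml app.  Assumptions (the article elides the full claim URIs):
  - the claim namespace is Azure AD's default
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims
  - the email claim is AAD's default "emailaddress" claim (user.mail)
  - the sample response is constructed by hand and unsigned; in a real
    deployment the SAML app verifies the IdP signature against the X.509
    certificate pasted into Nextcloud before any mapping takes place.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"

# Nextcloud user field -> SAML attribute carrying it ("Attribute mapping").
NEXTCLOUD_MAPPING = {
    "uid": f"{CLAIMS}/name",                 # AAD claim "name" = user.userprincipalname
    "displayname": f"{CLAIMS}/displayname",  # AAD claim "displayname" = user.displayname
    "email": f"{CLAIMS}/emailaddress",       # assumed default AAD claim = user.mail
}

# What the admin pasted into "Identity Provider Data" (tenant ID from the
# article, host name constructed).
EXPECTED_ISSUER = "https://sts.windows.net/0ae2e4bc-355f-4422-be74-bd55df366c42/"
EXPECTED_AUDIENCE = "https://nextcloud.example.test/apps/user_saml/saml/metadata"

# Constructed, unsigned sample.  UPN and mail deliberately differ so the
# effect of mapping the UID to the "name" claim is visible.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_constructed-response" Version="2.0" IssueInstant="2023-03-01T10:00:00Z">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <saml:Assertion ID="_constructed-assertion" Version="2.0" IssueInstant="2023-03-01T10:00:00Z">
    <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2023-03-01T09:55:00Z" NotOnOrAfter="2023-03-01T11:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIMS}/name"><saml:AttributeValue>jane.doe@example.onmicrosoft.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS}/displayname"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS}/emailaddress"><saml:AttributeValue>jane.doe@example.test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_claims(response_xml, expected_issuer, expected_audience):
    """Pull NameID and attributes out of the assertion after two checks any
    SAML SP performs: the issuer must equal the configured IdP entity ID and
    the assertion must be addressed to this SP (Audience)."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError(f"issuer {issuer!r} is not the configured IdP entity ID")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion is not addressed to this service provider")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"name_id": name_id.text, "name_id_format": name_id.get("Format"),
            "attributes": attributes}


def map_to_nextcloud_user(claims, mapping=NEXTCLOUD_MAPPING):
    """Build the user record Nextcloud would provision.  A missing UID
    attribute is fatal: without it no account can be matched or created."""
    user = {}
    for field, attr_name in mapping.items():
        values = claims["attributes"].get(attr_name, [])
        if field == "uid" and not values:
            raise ValueError(f"assertion lacks the UID attribute {attr_name}")
        user[field] = values[0] if values else None
    return user


if __name__ == "__main__":
    claims = extract_claims(SAMPLE_RESPONSE, EXPECTED_ISSUER, EXPECTED_AUDIENCE)
    print("NameID:", claims["name_id"], claims["name_id_format"])
    print("Nextcloud user:", map_to_nextcloud_user(claims))
```

Running it shows that the Nextcloud UID becomes the UPN (jane.doe@example.onmicrosoft.com) rather than the e-mail NameID, exactly as the note under the name claim states; this matters in tenants where UPN and mail differ, because it is the UPN that Nextcloud uses to match or create the account. A response whose issuer differs from the entity ID configured in Nextcloud, or whose assertion names a UID attribute Nextcloud is not mapping, is rejected before any account is touched.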

Security settings

We don’t have to fill in any thing in this section.

User filtering

We don’t have to fill in any thing in this section.

Saving config

Nextcloud will automatically save as soon as you leave a field.

Note: If you setup everything correctly you should see on the right side of the button Download metadata XML a green message Metadata valid.

To summarize here are all settings as screenshot:

Nextcloud SSO Settings - Summary (1/4).

Nextcloud SSO Settings - Summary (2/4).

Nextcloud SSO Settings - Summary (3/4).

Nextcloud SSO Settings - Summary (4/4).


Your app “Nextcloud” is now listed in “MyApps” ( ) and available for users like other applications with single sign-on.

Nextcloud available as app in .

Note: If you want to have administrative access to your Nextcloud instance use the following URL: - use here your admin user you defined during setup of your Nextcloud instance.

Accessing Nextcloud from

This is how it looks if you access Nextcloud from your “MyApps” portal page:

Look and feel if calling Nextcloud from the MyApps portal.

Accessing Nextcloud directly

This video shows what the user authentication flow looks like when a user accesses Nextcloud directly with the corresponding URL :

Look and feel if calling Nextcloud directly.