
AAI Integration

To integrate Nextcloud with the Helmholtz AAI you need the official SSO & SAML authentication app (user_saml). The configuration for the integration of the development and the operational instance of the Helmholtz AAI is the same; only the URLs and the certificate differ.

Registration at AAI

To register your service at the AAI you need to provide the following information to the AAI administrators:

  • URL of your Nextcloud service
  • Name of your service which is shown to the users in the AAI consent screen
  • URL to a logo of your service, which is shown to the users in the AAI consent screen
  • Separate signed email in which the service administrator confirms that the service follows the GÉANT Data Protection Code of Conduct (needed for the eduGAIN participation of the Helmholtz AAI)

UID mapping for already existing users

If you have more than one user backend enabled, user mapping is important to avoid duplicate users, because your Nextcloud instance does not know the Helmholtz AAI's eduPersonUniqueId before the user's attributes have been transmitted at least once.

Example: HZB internal UIDs

The HZB Nextcloud authenticates HZB internal users via LDAP. The internal UID is transmitted to the Helmholtz AAI as the first part of the eduPersonPrincipalName. To allow proper user mapping, the Helmholtz AAI will send the first part of the eduPersonPrincipalName as the value of the eduPersonUniqueId attribute for all HZB users, since Nextcloud may have only one UID attribute per IdP. This workaround should be possible for all kinds of UIDs, as long as they are presented to the Helmholtz AAI via the Center's IdP.

Group attribute

Nextcloud cannot handle eduPersonEntitlement attribute values, which the Helmholtz AAI sends in the format urn:geant:h-df.de:group:GROUP#login.helmholtz.de. To avoid Nextcloud using the whole attribute value as the group name, the Helmholtz AAI can be configured to send the attribute member-of to the Nextcloud instance instead, which uses the format GROUP#login.helmholtz.de. The suffix #login.helmholtz.de is kept deliberately to distinguish local groups from Helmholtz AAI groups. The Helmholtz AAI can also be configured to send only the relevant groups.
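The following is an added example (not code from the Helmholtz AAI documentation or from Nextcloud) showing what the two attribute formats above look like when processed: it turns eduPersonEntitlement URNs into the member-of style group names, keeps only relevant groups where an allow-list is given, and uses the #login.helmholtz.de suffix to tell AAI groups from local ones. The entitlement values and group names are constructed sample data.

```python
# Added example, not part of the Helmholtz AAI documentation: derive Nextcloud
# group names from the eduPersonEntitlement URN format described above and
# separate Helmholtz AAI groups from local ones by their suffix.
from typing import Iterable, List, Optional, Tuple

# Formats quoted on the page
ENTITLEMENT_PREFIX = "urn:geant:h-df.de:group:"
AAI_SUFFIX = "#login.helmholtz.de"


def entitlement_to_group(value: str) -> Optional[str]:
    """Turn 'urn:geant:h-df.de:group:GROUP#login.helmholtz.de' into the
    member-of style name 'GROUP#login.helmholtz.de'.

    Returns None for entitlement values that are not Helmholtz AAI group
    URNs, so they are never turned into Nextcloud groups by accident.
    """
    if not value.startswith(ENTITLEMENT_PREFIX):
        return None
    group = value[len(ENTITLEMENT_PREFIX):]
    if not group.endswith(AAI_SUFFIX) or group == AAI_SUFFIX:
        return None
    return group


def is_aai_group(name: str) -> bool:
    """The '#login.helmholtz.de' suffix marks a group that came from the AAI."""
    return name.endswith(AAI_SUFFIX)


def select_groups(entitlements: Iterable[str],
                  relevant: Optional[Iterable[str]] = None) -> List[str]:
    """Return member-of style names for the given entitlements.

    If `relevant` is given (plain group names without the suffix), only
    those groups are kept, mirroring an AAI configured to send only the
    relevant groups.
    """
    wanted = set(relevant) if relevant is not None else None
    groups: List[str] = []
    for value in entitlements:
        name = entitlement_to_group(value)
        if name is None:
            continue
        if wanted is not None and name[:-len(AAI_SUFFIX)] not in wanted:
            continue
        if name not in groups:  # keep order, drop duplicates
            groups.append(name)
    return groups


def split_groups(names: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Partition a user's group list into (local, aai) by the suffix."""
    local: List[str] = []
    aai: List[str] = []
    for name in names:
        (aai if is_aai_group(name) else local).append(name)
    return local, aai


# Constructed sample values (not real Helmholtz AAI data)
SAMPLE_ENTITLEMENTS = [
    "urn:geant:h-df.de:group:HZB-Nextcloud#login.helmholtz.de",
    "urn:geant:h-df.de:group:HIFIS-Cloud#login.helmholtz.de",
    "urn:mace:dir:entitlement:common-lib-terms",                 # not a group URN
    "urn:geant:h-df.de:group:HZB-Nextcloud#login.helmholtz.de",  # duplicate
]

if __name__ == "__main__":
    print(select_groups(SAMPLE_ENTITLEMENTS))
    print(select_groups(SAMPLE_ENTITLEMENTS, relevant=["HZB-Nextcloud"]))
    print(split_groups(["admin", "HZB-Nextcloud#login.helmholtz.de"]))
```

Without the member-of workaround, the whole URN (first list entry above) would become the Nextcloud group name; with it, only the part after the prefix is used, and the suffix still makes the origin visible.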

Nested groups

Nested groups are still work in progress; as soon as a solution is found, it will be documented here.

Overriding of local groups

Warning

If groups via the Helmholtz AAI are used, Nextcloud local groups of users who authenticate via the Helmholtz AAI will be removed from the user! This also affects the default local admin group! This is a known issue and expected to be patched by Nextcloud, however not anytime soon.

Groups from other backends like LDAP are not affected by this.

Expected changes with user_oidc

Nextcloud is currently developing its OIDC implementation (user_oidc). We expect this new app to be able to handle groups natively.

Configure the Nextcloud SSO & SAML authentication app

This section describes only the relevant parts of the Identity Provider Data, Attribute mapping and Security settings.

General

Attribute to map the UID to

  • urn:oid:1.3.6.1.4.1.5923.1.1.1.13 (eduPersonUniqueId - unique ID generated by the Helmholtz AAI)

Identity Provider Data

Attribute mapping

  • Attribute to map the displayname to: urn:oid:2.5.4.3
  • Attribute to map the email address to: urn:oid:0.9.2342.19200300.100.1.3
  • Attribute to map the quota to:
  • Attribute to map the users' group to: member-of (only if you expect groups to be sent by the Helmholtz AAI, otherwise leave empty!)
  • Attribute to map the users home to:
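As an added example (not code from the Helmholtz AAI documentation or from the user_saml app), the block below applies the attribute mapping configured above to a SAML attribute statement and shows why the eduPersonPrincipalName workaround from the HZB section matters: the UID taken from eduPersonUniqueId either matches a user the LDAP backend already has, or a new account is provisioned. The attribute names are the ones listed on this page; the user records, the set of LDAP UIDs and the AAI-generated ID are constructed sample data.

```python
# Added example, not part of the Helmholtz AAI documentation: apply the
# attribute mapping configured in the SSO & SAML app to a SAML attribute
# statement and show how the UID decides whether an existing user is matched.
from dataclasses import dataclass
from typing import Dict, List, Set

# Attribute names exactly as configured on this page.
# Quota and home are left unmapped (empty on the page).
ATTRIBUTE_MAP: Dict[str, str] = {
    "uid": "urn:oid:1.3.6.1.4.1.5923.1.1.1.13",     # eduPersonUniqueId
    "displayname": "urn:oid:2.5.4.3",               # cn
    "email": "urn:oid:0.9.2342.19200300.100.1.3",   # mail
    "groups": "member-of",                          # only if the AAI sends groups
}

SamlAttributes = Dict[str, List[str]]


@dataclass
class MappedUser:
    uid: str
    displayname: str
    email: str
    groups: List[str]
    matches_existing: bool   # True: resolves to a user from another backend


def eppn_local_part(eppn: str) -> str:
    """The HZB workaround: the AAI sends the first part of the
    eduPersonPrincipalName ('jdoe@hzb.de' -> 'jdoe') as eduPersonUniqueId."""
    local, sep, scope = eppn.partition("@")
    if not sep or not local or not scope:
        raise ValueError(f"not a scoped eduPersonPrincipalName: {eppn!r}")
    return local


def map_attributes(attrs: SamlAttributes, existing_uids: Set[str],
                   attribute_map: Dict[str, str] = ATTRIBUTE_MAP) -> MappedUser:
    """Build the Nextcloud-side user record from one SAML attribute statement."""
    def first(key: str) -> str:
        values = attrs.get(attribute_map.get(key, ""), [])
        return values[0] if values else ""

    uid = first("uid")
    if not uid:
        # Without a UID attribute the login cannot be tied to any account.
        raise ValueError("assertion carries no UID attribute")
    group_attr = attribute_map.get("groups")
    groups = list(attrs.get(group_attr, [])) if group_attr else []
    return MappedUser(uid=uid, displayname=first("displayname"),
                      email=first("email"), groups=groups,
                      matches_existing=uid in existing_uids)


# Constructed sample data (not real users or assertions)
LDAP_UIDS: Set[str] = {"jdoe", "asmith"}   # what the LDAP backend already knows

# HZB user: the Center's IdP sent ePPN 'jdoe@hzb.de', so with the workaround
# the AAI puts 'jdoe' into eduPersonUniqueId and the LDAP user is matched.
HZB_USER: SamlAttributes = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.13": [eppn_local_part("jdoe@hzb.de")],
    "urn:oid:2.5.4.3": ["Jane Doe"],
    "urn:oid:0.9.2342.19200300.100.1.3": ["jane.doe@example.org"],
    "member-of": ["HZB-Nextcloud#login.helmholtz.de"],
}

# External user: the AAI-generated eduPersonUniqueId (placeholder value)
# matches no LDAP user, so Nextcloud provisions a new account.
EXTERNAL_USER: SamlAttributes = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.13": ["placeholder-unique-id-0001@login.helmholtz.de"],
    "urn:oid:2.5.4.3": ["Ex Ternal"],
    "urn:oid:0.9.2342.19200300.100.1.3": ["ex.ternal@example.org"],
}

if __name__ == "__main__":
    print(map_attributes(HZB_USER, LDAP_UIDS))
    print(map_attributes(EXTERNAL_USER, LDAP_UIDS))
```

Passing a mapping without the "groups" entry reproduces the "leave empty" case: no group attribute is read, so nothing can overwrite the user's local groups.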

Security settings

Signatures and encryption offered

  • Indicates that the nameID of the <samlp:logoutRequest> sent by this SP will be encrypted: not checked
  • Indicates whether the <samlp:AuthnRequest> messages sent by this SP will be signed: checked
  • Indicates whether the <samlp:logoutRequest> messages sent by this SP will be signed: checked
  • Indicates whether the <samlp:logoutResponse> messages sent by this SP will be signed: checked
  • Whether the metadata should be signed: checked

Signatures and encryption required

  • Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and <samlp:LogoutResponse> elements received by this SP to be signed: not checked
  • Indicates a requirement for the <saml:Assertion> elements received by this SP to be signed: checked
  • Indicates a requirement for the <saml:Assertion> elements received by this SP to be encrypted: not checked
  • Indicates a requirement for the NameID element on the SAMLResponse received by this SP to be present: checked
  • Indicates a requirement for the NameID received by this SP to be encrypted: not checked
  • Indicates if the SP will validate all received XML: checked
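To make the "required" settings concrete, here is an added example (not code from the Helmholtz AAI documentation or from the user_saml app) that checks a received SAML Response for the elements those settings demand: a signature on every saml:Assertion and a NameID in the subject, with message signing and encryption switched off as on this page. The setting keys follow the php-saml names user_saml exposes; the check only verifies that the required elements are present, while cryptographic signature verification, decryption and schema validation remain the job of the SAML library. The Response documents are constructed samples with placeholder signature values.

```python
# Added example, not part of the Helmholtz AAI documentation or user_saml:
# check a received SAML Response against the "required" settings above.
# Presence checks only; real signature verification is done by the SAML library.
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# The "Signatures and encryption required" choices from this page.
REQUIRED: Dict[str, bool] = {
    "wantMessagesSigned": False,      # Response/LogoutRequest/LogoutResponse signed
    "wantAssertionsSigned": True,
    "wantAssertionsEncrypted": False,
    "wantNameId": True,
    "wantNameIdEncrypted": False,
    "wantXMLValidation": True,        # approximated here by a strict parse
}


def check_response(xml_text: str, required: Dict[str, bool] = REQUIRED) -> List[str]:
    """Return the list of violated requirements; empty means the Response
    meets every requirement that is switched on."""
    problems: List[str] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    if root.tag != f"{{{NS['samlp']}}}Response":
        return [f"not a samlp:Response: {root.tag}"]

    if required["wantMessagesSigned"] and root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")

    assertions = root.findall("saml:Assertion", NS)
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    if required["wantAssertionsEncrypted"] and assertions:
        problems.append("plain saml:Assertion present but encryption is required")
    if not assertions and not encrypted:
        problems.append("Response carries no assertion")

    for assertion in assertions:
        if required["wantAssertionsSigned"] and assertion.find("ds:Signature", NS) is None:
            problems.append("saml:Assertion is not signed")
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        enc_id = assertion.find("saml:Subject/saml:EncryptedID", NS)
        if required["wantNameId"] and name_id is None and enc_id is None:
            problems.append("NameID missing from assertion")
        if required["wantNameIdEncrypted"] and name_id is not None:
            problems.append("NameID is sent in clear but encryption is required")
    return problems


def _response(assertion_signed: bool, with_name_id: bool) -> str:
    """Build a constructed (not real) Response with a placeholder signature."""
    sig = ("<ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue>"
           "</ds:Signature>") if assertion_signed else ""
    subj = ("<saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>"
            if with_name_id else "<saml:Subject/>")
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">'
        f'<saml:Assertion ID="_a1" Version="2.0">{sig}{subj}</saml:Assertion>'
        '</samlp:Response>'
    )


GOOD_RESPONSE = _response(assertion_signed=True, with_name_id=True)
UNSIGNED_ASSERTION = _response(assertion_signed=False, with_name_id=True)
NO_NAME_ID = _response(assertion_signed=True, with_name_id=False)

if __name__ == "__main__":
    for label, doc in [("good", GOOD_RESPONSE), ("unsigned", UNSIGNED_ASSERTION),
                       ("no-nameid", NO_NAME_ID)]:
        print(label, check_response(doc))
```

With the page's settings the first document passes, the second fails on the unsigned assertion and the third on the missing NameID; flipping wantMessagesSigned to True additionally rejects all three, since none carries a signature on the Response itself.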