# Integration with B2ACCESS

B2DROP uses B2ACCESS for user management. The integration can be handled using either the SAML or the OIDC protocol. Once you have decided which protocol you want to use, you need to request/register your service at B2ACCESS; read more about this in the B2ACCESS documentation. We recommend OIDC; however, OIDC support is quite new in Nextcloud and might not be fully implemented yet.
## Configuration using SAML

This guide assumes that Nextcloud's user_saml app is used for the integration with B2ACCESS. After you have requested your client at B2ACCESS, you need to configure it in Nextcloud itself.

- Switch to the administration settings and select SSO & SAML authentication
- Click on Add identity provider
- Make sure all settings are shown and enter the configuration below
General section:

| Name | Value |
|---|---|
| Attribute to map the UID to | urn:oid:1.3.6.1.4.1.25178.4.1.6 |
| Optional display name of the provider | B2ACCESS |
Service Provider Data:

| Name | Value |
|---|---|
| Name format list | Unspecified |
| X.509 certificate of the Service Provider | the content of your certificate file |
| Private key of the Service Provider | the content of your certificate's key file |
Configure your IdP settings:

| Name | Value |
|---|---|
| Identifier of the IdP entity | https://b2access.eudat.eu:8443/saml-idp/metadata |
| URL Target of the IdP where the SP will send the Authentication Request Message | https://b2access.eudat.eu/saml-idp/saml2idp-web |
| URL Location of the IdP where the SP will send the SLO Request | https://b2access.eudat.eu/saml-idp/SLO-WEB |
| URL Location of the IdP's SLO Response | leave empty |
| Public X.509 certificate of the IdP | request it from the B2ACCESS team |
Attribute mapping:

| Name | Value |
|---|---|
| Attribute to map the display name to | urn:oid:2.5.4.3 |
| Attribute to map the email address to | urn:oid:0.9.2342.19200300.100.1.3 |
| Attribute to map the quota to | leave empty |
| Attribute to map the user's groups to | leave empty |
| Attribute to map the user's home to | leave empty |
Security settings:

- Tick every box in the "signatures and encryption offered" block
- Tick the second, fourth and sixth box in the "signatures and encryption required" block
## Configuration using OIDC

Still work in progress. We hope to provide the configuration soon.
## Group, quota, home mapping

The mapping of the user home is not offered by B2ACCESS, so you must not set this. Since Nextcloud will create a group for every entry of the user's groups attribute, you may not want to map all user groups into your service, but only those which you want to support. For this reason you need to make an agreement with the B2ACCESS team about this attribute and about which groups are transferred from B2ACCESS. The quota may also be specific to the service, and you have to make an agreement with the B2ACCESS team about it, too.

If you use the group mapping from B2ACCESS, make sure you have a local administrator account which cannot log in via B2ACCESS, or that the admin group is sent by B2ACCESS, too.
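The following script is an added example, not part of this documentation or of Nextcloud's user_saml app. It shows what the attribute mapping table above and the group-mapping advice amount to in practice: it pulls the UID, display name and email OIDs out of a constructed SAML assertion, refuses the login if the UID attribute is missing or ambiguous, and keeps only the groups you have agreed to support. The group attribute name (`urn:example:groups`) and the supported group names are placeholders; the real values are agreed with the B2ACCESS team.

```python
"""Map B2ACCESS SAML attributes to a Nextcloud user record (added example)."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names taken from the user_saml configuration tables above.
UID_ATTR = "urn:oid:1.3.6.1.4.1.25178.4.1.6"
DISPLAYNAME_ATTR = "urn:oid:2.5.4.3"
EMAIL_ATTR = "urn:oid:0.9.2342.19200300.100.1.3"
# Placeholder: the real group attribute name is agreed with the B2ACCESS team.
GROUP_ATTR = "urn:example:groups"

# Only these groups become Nextcloud groups; every other value is dropped so
# that Nextcloud does not create a group for each unrelated B2ACCESS group.
SUPPORTED_GROUPS = {"b2drop-users", "b2drop-admins"}

# Constructed sample assertion (signature and conditions omitted for brevity).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.25178.4.1.6">
      <saml:AttributeValue>abc123@b2access.eudat.eu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.3"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>jane@example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:example:groups">
      <saml:AttributeValue>b2drop-users</saml:AttributeValue>
      <saml:AttributeValue>unrelated-project</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    # For real responses parse with defusedxml; ElementTree suffices for this sample.
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def map_user(assertion_xml: str) -> dict:
    """Apply the mapping above; raise if the UID attribute is missing or not unique."""
    attrs = parse_attributes(assertion_xml)
    uid = attrs.get(UID_ATTR, [])
    if len(uid) != 1 or not uid[0].strip():
        raise ValueError("assertion lacks exactly one non-empty UID attribute; refusing login")
    groups = sorted(set(attrs.get(GROUP_ATTR, [])) & SUPPORTED_GROUPS)
    return {
        "uid": uid[0].strip(),
        "displayname": (attrs.get(DISPLAYNAME_ATTR) or [""])[0],
        "email": (attrs.get(EMAIL_ATTR) or [""])[0],
        "groups": groups,
    }
```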
## Authorization

Since Nextcloud cannot perform authorization on its own unless you use an additional backend, you need to hand it over to B2ACCESS. B2ACCESS can perform authorization for Nextcloud based on group membership information. If you are interested in authorization by B2ACCESS, please contact the B2ACCESS team.
Last update: 09.11.2023