
Integration with B2ACCESS

B2DROP uses B2ACCESS for user management. The integration can be done with either the SAML or the OIDC protocol. Once you have decided which protocol to use, you need to request/register your service at B2ACCESS; read more about this in the B2ACCESS documentation. We recommend using OIDC; however, OIDC support is quite new in Nextcloud and might not be fully implemented yet.

Configuration using SAML

We expect that Nextcloud’s user_saml app is used for the integration with B2ACCESS. After you have requested your client at B2ACCESS, you need to configure it in Nextcloud itself.

  1. Switch to the administration configuration and select SSO & SAML authentication
  2. Click on Add identity provider
  3. Make sure you show all settings and enter the configuration below

General section:

| Name | Value |
| --- | --- |
| Attribute to map the UID to | urn:oid:1.3.6.1.4.1.25178.4.1.6 |
| Optional Displayname of the provider | B2ACCESS |

Service Provider Data:

| Name | Value |
| --- | --- |
| Name format list | Unspecified |
| X.509 certificate of the Service Provider | your certificate file’s content |
| Private key of the Service Provider | your certificate key file’s content |

Configure your IdP settings:

| Name | Value |
| --- | --- |
| Identifier of the IdP entity | https://b2access.eudat.eu:8443/saml-idp/metadata |
| URL Target of the IdP where the SP will send the Authentication Request Message | https://b2access.eudat.eu/saml-idp/saml2idp-web |
| URL Location of the IdP where the SP will send the SLO Request | https://b2access.eudat.eu/saml-idp/SLO-WEB |
| URL Location of the IdP’s SLO Response | leave it empty |
| Public X.509 certificate of the IdP | request it from the B2ACCESS team |

Attribute mapping:

| Name | Value |
| --- | --- |
| Attribute to map the displayname to | urn:oid:2.5.4.3 |
| Attribute to map the email address to | urn:oid:0.9.2342.19200300.100.1.3 |
| Attribute to map the quota to | leave it empty |
| Attribute to map the users’ groups to | leave it empty |
| Attribute to map the users’ home to | leave it empty |

Security settings:

  • Tick every box in the “signatures and encryption offered” block
  • Tick the second, fourth and sixth box in the “signatures and encryption required” block

Configuration using OIDC

Still work in progress. We hope to give you the configuration soon.

Group, quota, home mapping

The mapping of the user home is not offered by B2ACCESS, so you must not set this. Since Nextcloud creates a group for every entry of the users’ groups attribute, you may not want to map all user groups into your service, but only those you want to support. For this reason you need to make an agreement with the B2ACCESS team about this attribute and about which groups are transferred from B2ACCESS. The quota may also be specific to the service, and you have to make an agreement with the B2ACCESS team about it, too.

If you use the group mapping from B2ACCESS, make sure that you either have a local administrator account that cannot log in via B2ACCESS, or that the admin group is also sent by B2ACCESS.
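To make the attribute mapping from the tables above and the group-filtering advice concrete, here is an added example (it is not part of the B2DROP documentation or of Nextcloud’s user_saml app). It parses a constructed SAML AttributeStatement, maps the three OIDs configured above onto Nextcloud’s UID, display name and email fields, and keeps only the groups on an allow-list agreed with the B2ACCESS team, so that an unexpected group such as “admin” does not become a Nextcloud group unless you explicitly chose to accept it. The group attribute name is a placeholder, because the page states that this attribute is agreed with the B2ACCESS team; the sample assertion fragment and all values in it are constructed.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names exactly as entered in the user_saml mapping above.
UID_ATTR = "urn:oid:1.3.6.1.4.1.25178.4.1.6"
DISPLAYNAME_ATTR = "urn:oid:2.5.4.3"
EMAIL_ATTR = "urn:oid:0.9.2342.19200300.100.1.3"
# Placeholder: the real group attribute name is agreed with the B2ACCESS team.
GROUP_ATTR = "urn:example:b2access:groups"

# Constructed sample AttributeStatement (not a real B2ACCESS response).
SAMPLE_STATEMENT = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.25178.4.1.6">
    <saml:AttributeValue>0f3c2b1a-1111-4222-8333-444455556666</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.3">
    <saml:AttributeValue>Jane Example</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
    <saml:AttributeValue>jane@example.org</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:example:b2access:groups">
    <saml:AttributeValue>b2drop-users</saml:AttributeValue>
    <saml:AttributeValue>unrelated-project</saml:AttributeValue>
    <saml:AttributeValue>admin</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def parse_attributes(statement_xml):
    """Return {attribute name: [values]} for every saml:Attribute in the fragment."""
    root = ET.fromstring(statement_xml)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        values = [
            v.text.strip()
            for v in attr.findall("saml:AttributeValue", SAML_NS)
            if v.text and v.text.strip()
        ]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def _first(attrs, name):
    values = attrs.get(name, [])
    return values[0] if values else None


def map_b2access_user(attrs, allowed_groups):
    """Apply the page's attribute mapping and drop groups outside the agreed allow-list.

    Raises ValueError when the UID attribute is missing: a user must never be
    provisioned without the identifier the mapping is keyed on.
    """
    uid = _first(attrs, UID_ATTR)
    if not uid:
        raise ValueError(f"assertion lacks UID attribute {UID_ATTR}; refusing to provision")
    groups = sorted(g for g in attrs.get(GROUP_ATTR, []) if g in allowed_groups)
    return {
        "uid": uid,
        "displayname": _first(attrs, DISPLAYNAME_ATTR) or uid,
        "email": _first(attrs, EMAIL_ATTR),
        "groups": groups,
    }


def provisioning_rejects_missing_uid(attrs):
    """True if an assertion without the UID attribute is refused."""
    without_uid = {k: v for k, v in attrs.items() if k != UID_ATTR}
    try:
        map_b2access_user(without_uid, {"b2drop-users"})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    parsed = parse_attributes(SAMPLE_STATEMENT)
    # Only "b2drop-users" is on the allow-list, so "unrelated-project" and "admin" are dropped.
    print(map_b2access_user(parsed, {"b2drop-users"}))
```

The allow-list is the point of the example: whatever B2ACCESS sends in the group attribute, Nextcloud only ends up with the groups your service has agreed to support, and an administrator group is created from the assertion only if you put it on the list deliberately.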

Authorization

Nextcloud itself cannot perform authorization unless you use an additional backend, so you need to hand it over to B2ACCESS. B2ACCESS can perform authorization for Nextcloud based on group membership information. If you are interested in authorization by B2ACCESS, please contact the B2ACCESS team.

 

Last update: 09.11.2023