Integrate with Nextcloud
Support level: Community
What is Nextcloud?
Nextcloud is an open-source content collaboration platform for file sync and share, groupware, and related productivity apps that can be self-hosted or run as a managed service.
If you require Nextcloud server-side encryption with per-user keys, use LDAP. OIDC and SAML do not provide Nextcloud with the user's cleartext password, which can prevent encrypted user data from being decrypted.
OIDC and SAML login require Nextcloud to run with HTTPS enabled. If Nextcloud is behind a reverse proxy, configure Nextcloud's overwrite parameters so generated URLs use https.
If an OIDC or SAML configuration issue prevents users from logging in, visit https://nextcloud.company/login?direct=1 to use Nextcloud's built-in authentication.
Preparation
The following placeholders are used in this guide:
- nextcloud.company is the FQDN of the Nextcloud installation.
- authentik.company is the FQDN of the authentik installation.
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
Nextcloud can use OIDC, SAML, or LDAP for authentication. OIDC is usually the simplest SSO method for a new Nextcloud deployment. Use LDAP when Nextcloud needs direct password authentication, such as deployments that rely on server-side encryption with per-user keys.
authentik configuration
- OIDC
- SAML
- LDAP
In authentik versions earlier than 2026.5, all Redirect URIs are automatically treated as Authorization type. If you are using one of these older authentik versions, add only the Authorization URL to your Redirect URIs and do not configure a Post Logout URI.
To support the integration of Nextcloud with authentik over OIDC, you need to create an application/provider pair. If you want authentik to send Nextcloud storage quotas, group membership, or existing Nextcloud user IDs, also create a custom scope mapping.
Create a scope mapping
If you do not need storage quota, group information, administrator assignment, or existing-user matching in Nextcloud, skip to the next section.
This mapping reads Nextcloud-specific groups from application entitlements. After you create the application below, create entitlements with names that match the group names Nextcloud should receive. To grant Nextcloud administrator access, create an entitlement named admin and bind the appropriate users or groups to it.
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Customization > Property mappings and click Create.
  - Select type: select Scope Mapping.
  - Create Scope Mapping:
    - Name: Nextcloud Profile
    - Scope name: nextcloud
    - Expression:

      ```python
      groups = [entitlement.name for entitlement in request.user.app_entitlements(provider.application)]
      quota = (
          request.user.app_entitlements_attributes(provider.application).get("nextcloud_quota")
          or request.user.group_attributes().get("nextcloud_quota")
      )
      return {
          "name": request.user.name,
          "groups": groups,
          "quota": quota,
          "user_id": request.user.attributes.get("nextcloud_user_id", str(request.user.uuid)),
      }
      ```

- Click Finish.
To set a quota, define the nextcloud_quota attribute on a user, group, or Nextcloud application entitlement. For example, setting it to 1 GB restricts the user to 1 GB of storage. To connect an authentik user to an existing Nextcloud account, set the user's nextcloud_user_id attribute to the existing Nextcloud username.
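To see exactly which claims the mapping above produces for a given user, the following added example (not authentik's or Nextcloud's own code) runs the scope-mapping expression from this guide against constructed stand-in objects. `StubUser`, `StubRequest`, `StubProvider` and `Entitlement` are simplified stand-ins for authentik's expression context (they expose only the methods the expression calls), and the sample users and attribute values are constructed for the example. It shows the precedence that matters when debugging quotas: an entitlement's nextcloud_quota wins over a group's, and user_id falls back to the authentik UUID only when nextcloud_user_id is unset.

```python
"""Evaluate the Nextcloud Profile scope mapping against constructed users.

Added example; the stand-in classes below are NOT authentik's real
request/provider/user objects, only the subset the expression uses.
"""
import textwrap
from dataclasses import dataclass, field

# The expression exactly as entered in the Nextcloud Profile scope mapping.
MAPPING_EXPRESSION = """\
groups = [entitlement.name for entitlement in request.user.app_entitlements(provider.application)]
quota = (
    request.user.app_entitlements_attributes(provider.application).get("nextcloud_quota")
    or request.user.group_attributes().get("nextcloud_quota")
)
return {
    "name": request.user.name,
    "groups": groups,
    "quota": quota,
    "user_id": request.user.attributes.get("nextcloud_user_id", str(request.user.uuid)),
}
"""


@dataclass
class Entitlement:
    """Constructed stand-in for an authentik application entitlement."""
    name: str
    attributes: dict = field(default_factory=dict)


@dataclass
class StubUser:
    """Constructed stand-in exposing only what the mapping calls on request.user."""
    name: str
    uuid: str
    attributes: dict = field(default_factory=dict)
    entitlements: list = field(default_factory=list)
    group_attrs: dict = field(default_factory=dict)

    def app_entitlements(self, application):
        return list(self.entitlements)

    def app_entitlements_attributes(self, application):
        # Merge the attributes of every entitlement bound for this application.
        merged = {}
        for ent in self.entitlements:
            merged.update(ent.attributes)
        return merged

    def group_attributes(self):
        return dict(self.group_attrs)


@dataclass
class StubRequest:
    user: StubUser


@dataclass
class StubProvider:
    application: str


def evaluate_mapping(expression, request, provider):
    """Wrap the expression in a function body and execute it, which is how
    authentik evaluates property-mapping expressions (simplified: no sandbox)."""
    source = "def _mapping(request, provider):\n" + textwrap.indent(expression, "    ")
    namespace = {}
    exec(source, namespace)
    return namespace["_mapping"](request, provider)


def claims_for(user):
    """Return the dict of claims Nextcloud would receive in the nextcloud scope."""
    return evaluate_mapping(MAPPING_EXPRESSION, StubRequest(user), StubProvider("nextcloud"))


# Constructed sample users (UUIDs and attribute values are made up).
ALICE = StubUser(
    name="Alice", uuid="0f3c2e8a-0000-4000-8000-000000000001",
    entitlements=[Entitlement("admin"), Entitlement("staff", {"nextcloud_quota": "5 GB"})],
    group_attrs={"nextcloud_quota": "1 GB"},   # group value is overridden by the entitlement
)
BOB = StubUser(
    name="Bob", uuid="0f3c2e8a-0000-4000-8000-000000000002",
    attributes={"nextcloud_user_id": "bob.legacy"},  # maps Bob onto an existing Nextcloud account
    entitlements=[Entitlement("staff")],
    group_attrs={"nextcloud_quota": "1 GB"},
)
CAROL = StubUser(name="Carol", uuid="0f3c2e8a-0000-4000-8000-000000000003")  # no entitlements

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        print(user.name, claims_for(user))
```

Carol receives an empty groups list and no quota, which is why an admin who forgets to create entitlements sees users provisioned without any Nextcloud groups even though the mapping is attached.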
Create an application and provider
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Applications > Applications and click New Application to open the application wizard.
- Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Note the application Slug because it will be required later.
- Choose a Provider type: select OAuth2/OpenID Connect as the provider type.
- Configure the Provider: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
  - Note the Client ID and Client Secret values because they will be required later.
  - Add a Redirect URI with matching mode Strict and type Authorization, set to https://nextcloud.company/apps/user_oidc/code.
  - Add a Redirect URI with matching mode Strict and type Post Logout, set to https://nextcloud.company.
  - Select any available signing key.
  - Under Advanced protocol settings:
    - Subject Mode: select Based on the User's UUID.
    - If you created the Nextcloud Profile scope mapping, add it to Selected Scopes.
- Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's Application Dashboard page.
- Click Submit to save the new application and provider.
If you created the Nextcloud Profile scope mapping and want authentik to send Nextcloud-specific group values, open the new application, click the Application entitlements tab, and create the entitlements that Nextcloud should receive in the groups claim. Bind the appropriate users or groups to each entitlement.
Configure the OpenID Connect user backend
- In Nextcloud, install the OpenID Connect user backend app.
- Log in to Nextcloud as an administrator and navigate to Settings > OpenID Connect.
- Click the + button and enter the following settings:
  - Identifier: authentik
  - Client ID: <Client ID from authentik>
  - Client secret: <Client Secret from authentik>
  - Discovery endpoint: https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration
  - Scope: email profile openid
  - If you created the Nextcloud Profile scope mapping, add nextcloud to the Scope value.
  - Under Attribute mapping:
    - User ID mapping: sub
    - Display name mapping: name
    - Email mapping: email
    - If you created the Nextcloud Profile scope mapping:
      - User ID mapping: user_id
      - Quota mapping: quota
      - Groups mapping: groups
      - Enable Use group provisioning.
  - Disable Use unique user ID if you use user_id to match existing Nextcloud users or if you send the admin group for administrator access.
If authentik and Nextcloud are running on the same host and Nextcloud cannot reach authentik, add 'allow_local_remote_servers' => true to the Nextcloud config/config.php file.
Enable OIDC back-channel logout (optional)
To automatically log users out of their Nextcloud sessions when they log out of authentik, enable back-channel logout.
- In Nextcloud, navigate to Settings > OpenID Connect.
- Under Registered Providers, locate the provider with the identifier used earlier.
- Copy the back-channel logout URL for that provider. For example, https://nextcloud.company/apps/user_oidc/backchannel-logout/authentik.
- In authentik, navigate to Applications > Providers and edit the Nextcloud provider.
- Under Protocol settings, set Logout URI to the copied back-channel logout URL.
- Set Logout Method to Back-channel.
- Click Update.
Make OIDC the default login method (optional)
If this is the only configured OpenID Connect provider, run the following command on the Nextcloud host to redirect users to authentik automatically when they access the Nextcloud login page:
```shell
sudo -u www-data php /var/www/nextcloud/occ config:app:set --type=string --value=0 user_oidc allow_multiple_user_backends
```
Administrators can still use Nextcloud's built-in authentication with https://nextcloud.company/login?direct=1.
authentik 2026.5 introduces changes to how the SAML provider behaves. Specifically, the provider now automatically sets the Issuer value to: https://authentik.company/application/saml/<application_slug>/metadata/
Older versions of authentik set this value to authentik by default. If you're running an older version, please set Issuer to https://authentik.company/application/saml/<application_slug>/metadata/, where <application_slug> is the slug that you selected for the application.
To support the integration of Nextcloud with authentik over SAML, you need to create an application/provider pair. If you want authentik to send Nextcloud storage quotas or group memberships, also create SAML property mappings.
Create SAML property mappings
If you do not need storage quota or group information in Nextcloud, skip to the next section.
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Customization > Property mappings and click Create.
  - Select type: select SAML Provider Property Mapping.
  - Create SAML Provider Property Mapping:
    - Name: Nextcloud quota
    - SAML Attribute Name: nextcloud_quota
    - Expression:

      ```python
      return (
          request.user.app_entitlements_attributes(provider.application).get("nextcloud_quota")
          or request.user.group_attributes().get("nextcloud_quota")
      )
      ```

- Click Finish.
- Click Create again.
  - Select type: select SAML Provider Property Mapping.
  - Create SAML Provider Property Mapping:
    - Name: Nextcloud groups
    - SAML Attribute Name: http://schemas.xmlsoap.org/claims/Group
    - Expression:

      ```python
      # Yield one value per entitlement so the attribute is multi-valued.
      for entitlement in request.user.app_entitlements(provider.application):
          yield entitlement.name
      ```

- Click Finish.
This mapping reads Nextcloud-specific groups from application entitlements. After you create the application below, create entitlements with names that match the group names Nextcloud should receive. To grant Nextcloud administrator access, create an entitlement named admin and bind the appropriate users or groups to it.
Create an application and provider
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Applications > Applications and click New Application to open the application wizard.
- Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Note the application Slug because it will be required later.
- Choose a Provider type: select SAML Provider as the provider type.
- Configure the Provider: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
  - Set the ACS URL to https://nextcloud.company/apps/user_saml/saml/acs.
  - Set the Audience to https://nextcloud.company/apps/user_saml/saml/metadata.
  - Under Advanced protocol settings, select an available Signing certificate.
  - If you created SAML property mappings for Nextcloud, add them to Property mappings.
- Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's Application Dashboard page.
- Click Submit to save the new application and provider.
If you created the Nextcloud groups property mapping, open the new application, click the Application entitlements tab, and create the entitlements that Nextcloud should receive as SAML group values. Bind the appropriate users or groups to each entitlement.
Download the signing certificate
- Navigate to Applications > Providers and click the name of the newly created Nextcloud provider.
- Under Download signing certificate, click Download. The contents of this certificate will be required when configuring Nextcloud.
Configure SSO & SAML authentication
- Log in to Nextcloud as an administrator and navigate to Apps by clicking your profile picture in the top-right corner.
- Install the SSO & SAML authentication app.
- Click your profile picture in the top-right corner and select Administrative settings.
- Under SSO & SAML authentication, click Use built-in SAML authentication.
- In the General section, set:
  - Attribute to map the UID to: http://schemas.goauthentik.io/2021/02/saml/uid
  - Optional display name: authentik
Mapping the UID to the authentik username is not recommended, because usernames are mutable. If you map to the username anyway, disable username changing and set Attribute to map the UID to to http://schemas.goauthentik.io/2021/02/saml/username.
- In the Identity Provider Data section, set:
  - Identifier of the IdP entity: https://authentik.company/application/saml/<application_slug>/metadata/
  - URL Target of the IdP where the SP will send the Authentication Request Message: https://authentik.company/application/saml/<application_slug>/
  - Under Show optional Identity Provider settings:
    - URL Location of the IdP where the SP will send the SLO Request: https://authentik.company/application/saml/<application_slug>/
    - X.509 certificate of the IdP: paste the contents of the certificate file downloaded from authentik.
- In the Attribute mapping section, set:
  - Attribute to map the display name to: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  - Attribute to map the email address to: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  - If you created the Nextcloud quota property mapping, set Attribute to map the quota to to nextcloud_quota.
  - If you created the Nextcloud groups property mapping, set Attribute to map the user's groups to to http://schemas.xmlsoap.org/claims/Group.
To support the integration of Nextcloud with authentik over LDAP, you need to create an application/provider pair and deploy an LDAP outpost.
Create an application and provider
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Applications > Applications and click New Application to open the application wizard.
- Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- Choose a Provider type: select LDAP as the provider type.
- Configure the Provider: provide a name (or accept the auto-provided name), the bind flow to use for this provider, and the following required configuration.
- Note the Base DN because it will be required later.
- Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's Application Dashboard page.
- Click Submit to save the new application and provider.
Create an LDAP outpost
- Navigate to Applications > Outposts and click Create.
- Name: provide a suitable name for the outpost.
- Type: select LDAP.
- Applications: add the newly created Nextcloud application to Selected Applications.
- Click Create.
Configure the LDAP user and group backend
- In Nextcloud, install the LDAP user and group backend app.
- Log in to Nextcloud as an administrator.
- Navigate to Settings > LDAP user and group backend.
- On the Server tab:
  - Click the + icon.
  - Host: enter the hostname or IP address of the authentik LDAP outpost, preceded by ldap:// or ldaps://.
  - Port: enter 389 for LDAP or 636 for LDAPS.
  - Under Credentials, enter the Bind DN of the authentik LDAP provider and the associated user password.
  - Under Base DN, enter the Base DN of the authentik LDAP provider.
- On the Users tab, set Only these object classes to user.
- On the LDAP/AD integration tab:
  - Clear LDAP/AD Username.
  - Set Other Attributes to cn.
- Click Expert in the top-right corner and set:
  - Internal Username Attribute: uid
  - UUID Attribute for Users: uid
  - UUID Attribute for Groups: gidNumber
- Click Advanced in the top-right corner and set:
  - Under Connection Settings:
    - Configuration Active: checked
  - Under Directory Settings:
    - User Display Name Field: name
    - Base User Tree: ou=users,<Base DN from authentik>
    - Group Display Name Field: cn
    - Base Group Tree: ou=groups,<Base DN from authentik>
    - Group-Member Association: member (AD)
  - Under Special Attributes:
    - Email Field: mail
- On the Groups tab:
  - Set Only these object classes to group.
  - Select the authentik groups that require Nextcloud access.
Configuration verification
To confirm that authentik is properly configured with Nextcloud, log out of Nextcloud and use the login method you configured:
- For OIDC, click Login with authentik. You should be redirected to authentik and then returned to the Nextcloud dashboard.
- For SAML, click SSO & SAML log in. You should be redirected to authentik and then returned to the Nextcloud dashboard.
- For LDAP, log in with an LDAP user from authentik.
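Before testing the OIDC login in the browser, it helps to check the discovery document that Nextcloud will fetch from the Discovery endpoint configured earlier. The following added example (not code from Nextcloud or authentik) builds the discovery URL from the placeholders used in this guide, derives the issuer that the document must carry (the discovery URL without its /.well-known/openid-configuration suffix, as OpenID Connect Discovery requires), and checks the points that typically break a Nextcloud login: wrong issuer, a non-HTTPS endpoint (which Nextcloud rejects, see the HTTPS requirement at the top of this page), a missing endpoint, and a requested scope such as nextcloud that the provider does not advertise because the scope mapping was not added to Selected Scopes. The two discovery documents embedded below are constructed samples; the endpoint paths in them are illustrative, not a statement of authentik's real paths. `fetch_discovery` is included for live use but is not called in the sample run.

```python
"""Offline preflight check of an OIDC discovery document for the Nextcloud
user_oidc configuration.  Added example with constructed sample documents."""
import json
import urllib.request
from urllib.parse import urlparse

# Endpoints a code-flow client such as Nextcloud's user_oidc app needs.
ENDPOINT_KEYS = (
    "authorization_endpoint",
    "token_endpoint",
    "userinfo_endpoint",
    "jwks_uri",
    "end_session_endpoint",   # needed for the Post Logout redirect configured above
)


def discovery_url(authentik_host, application_slug):
    """Discovery endpoint as entered in Nextcloud (see the OIDC backend settings)."""
    return f"https://{authentik_host}/application/o/{application_slug}/.well-known/openid-configuration"


def expected_issuer(authentik_host, application_slug):
    """Issuer the document must carry: the discovery URL minus its well-known suffix."""
    return f"https://{authentik_host}/application/o/{application_slug}/"


def fetch_discovery(url, timeout=10):
    """Fetch a live discovery document (network; not used by the sample run)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def check_discovery(doc, issuer, requested_scopes):
    """Return a list of human-readable problems; an empty list means the document
    is consistent with the Nextcloud settings from this guide."""
    problems = []
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: expected {issuer!r}, got {doc.get('issuer')!r}")
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
            continue
        if urlparse(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response type 'code' not supported")
    advertised = set(doc.get("scopes_supported", []))
    for scope in requested_scopes.split():
        if scope not in advertised:
            problems.append(f"scope {scope!r} requested by Nextcloud is not advertised in scopes_supported")
    return problems


# Constructed sample: a document consistent with the guide's configuration.
SAMPLE_GOOD = json.loads("""{
  "issuer": "https://authentik.company/application/o/nextcloud/",
  "authorization_endpoint": "https://authentik.company/application/o/authorize/",
  "token_endpoint": "https://authentik.company/application/o/token/",
  "userinfo_endpoint": "https://authentik.company/application/o/userinfo/",
  "jwks_uri": "https://authentik.company/application/o/nextcloud/jwks/",
  "end_session_endpoint": "https://authentik.company/application/o/nextcloud/end-session/",
  "response_types_supported": ["code", "id_token", "code id_token"],
  "scopes_supported": ["openid", "email", "profile", "nextcloud"]
}""")

# Constructed sample: reverse proxy without overwrite parameters (http token
# endpoint) and the Nextcloud Profile mapping not added to Selected Scopes.
SAMPLE_BAD = json.loads("""{
  "issuer": "https://authentik.company/application/o/nextcloud/",
  "authorization_endpoint": "https://authentik.company/application/o/authorize/",
  "token_endpoint": "http://authentik.company/application/o/token/",
  "userinfo_endpoint": "https://authentik.company/application/o/userinfo/",
  "jwks_uri": "https://authentik.company/application/o/nextcloud/jwks/",
  "end_session_endpoint": "https://authentik.company/application/o/nextcloud/end-session/",
  "response_types_supported": ["code"],
  "scopes_supported": ["openid", "email", "profile"]
}""")

NEXTCLOUD_SCOPE = "email profile openid nextcloud"

if __name__ == "__main__":
    issuer = expected_issuer("authentik.company", "nextcloud")
    print("discovery URL:", discovery_url("authentik.company", "nextcloud"))
    for label, doc in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_discovery(doc, issuer, NEXTCLOUD_SCOPE) or "OK")
```

Against a live deployment, pass the result of `fetch_discovery(discovery_url(...))` to `check_discovery`; the scope check is the one to look at first when login works but groups or quota never arrive in Nextcloud.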
Resources
- Nextcloud App Store - OpenID Connect user backend
- Nextcloud user_oidc app documentation
- Nextcloud user_saml app source
- Nextcloud Administration Manual - User authentication with LDAP
- Nextcloud Administration Manual - Reverse proxy overwrite parameters
- Nextcloud Administration Manual - Server-side encryption