Yesterday I started to deploy SSO through my private infrastructure using Keycloak. And after deploying Nextcloud and CodiMD with it, I started to question this decision.

Because it's nice to have a central place and only a single login for all services, but except for me, no one is using all services, and I don't see an easy way to restrict people from using certain services.

What to do…

@sheogorath Oh interesting. We chose Ipsilon instead of Keycloak for SSO. I'm curious to hear your experience, was it hard to configure?

@Gina Configuring itself is easy. The clients needed a bit more love, but worked out as well. was a bit more complicated but simply due to the lack of documentation.

I recommend to have a look at:

Things that bother me right now: the mentioned missing ability to easily restrict users to a subset of apps without creating a new realm, and the missing U2F/FIDO2 support.

Otherwise it seems fine and brings a nice UI.

@sheogorath @Gina what are you using for Nextcloud <-> Keycloak connection there?

The way we have it deployed is such that a user account needs to be explicitly created in Keycloak *and* Nextcloud for the user to be able to sign-in. A bit more work when adding a user, but a bit more control too. Using SocialLogin app here:

@rysiek I'm using the SAML authentication.

But I actually managed to restrict access by adding a custom script to the login flow.

For now people who are not part of my Nextcloud group simply end up with a "Your account is not setup yet" screen.

Currently looking into Synapse and afterwards into Mastodon.
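The script itself was not shared in the thread. The following is an added example, not sheogorath's code, of how such a per-client restriction can be expressed as a Keycloak "Script" authenticator step: the decision logic is plain JavaScript that runs under Node.js, and the `authenticate(context)` wrapper shows the assumed Keycloak wiring (Nashorn globals `LOG` and `Java`, `context` as an `AuthenticationFlowContext`, group names read from the `UserModel`). The client IDs and group names in `CLIENT_GROUPS` are constructed for the example.

```javascript
// Added example (not from the thread): restrict which Keycloak groups may
// sign in to which client, evaluated inside the login flow.
// Constructed policy: client id -> group names allowed to log in there.
// A client that is absent from the map stays open to every realm user.
var CLIENT_GROUPS = {
  "nextcloud": ["nextcloud"],
  "codimd":    ["codimd", "nextcloud"],
  "synapse":   ["matrix"]
};

// Keycloak exposes group membership as paths ("/nextcloud", "/staff/dev");
// normalize to the last path component so policy entries stay short.
function leafName(groupPath) {
  var parts = String(groupPath).split("/");
  return parts[parts.length - 1];
}

// Pure decision: may a user holding these group names sign in to clientId?
function isAllowed(clientId, groupNames, policy) {
  policy = policy || CLIENT_GROUPS;
  var required = policy[clientId];
  if (!required) { return true; }            // unrestricted client
  var have = {};
  for (var i = 0; i < groupNames.length; i++) { have[leafName(groupNames[i])] = true; }
  for (var j = 0; j < required.length; j++) {
    if (have[required[j]]) { return true; }
  }
  return false;                              // user is in none of the allowed groups
}

// Assumed Keycloak UserModel API: getGroupsStream() on Keycloak >= 13,
// getGroups() (a java.util.Set) on older releases. Not exercised under Node.
function groupNamesOf(user) {
  var groups = user.getGroupsStream ? user.getGroupsStream().toArray()
                                    : user.getGroups().toArray();
  var names = [];
  for (var i = 0; i < groups.length; i++) { names.push(String(groups[i].getName())); }
  return names;
}

// Entry point a Keycloak Script authenticator calls (assumed API:
// AuthenticationFlowContext, AuthenticationFlowError.ACCESS_DENIED).
// Placed after the username/password step, it denies the session for
// clients the user's groups do not cover instead of issuing a token.
function authenticate(context) {
  var AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
  var clientId = String(context.getAuthenticationSession().getClient().getClientId());
  var user = context.getUser();
  if (isAllowed(clientId, groupNamesOf(user))) {
    context.success();
  } else {
    LOG.info("access to " + clientId + " denied for " + user.getUsername());
    context.failure(AuthenticationFlowError.ACCESS_DENIED);
  }
}
```

The check has to sit in the browser flow after authentication (so `context.getUser()` is set) and applies to every client that uses that flow; a client with its own flow override is not covered by it. Because the user is still a valid realm account, the deny only refuses this login; it does not remove the account, which is what gives the "not set up yet" style behaviour rather than a hard failure.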


@sheogorath @Gina interesting. Looked at SAML thing, but SAML is very annoying to configure, I find.

Care to share your script?

@sheogorath Nice! I've been meaning to do this for a while. Is it any good?

I mean, you already expressed your discomfort with it. But I still want to try it I guess.

I tried it once but couldn't quite get it working and just gave up.

@one Well, when I start things, I do them in most cases. And once set up, it shouldn't be too crazy to maintain.

I already migrated two out of six services to use this central login. Seems to work so far. Also got some workarounds for things that didn't work as expected. Have to do some long-term testing to see how well I like it.

Sheogorath's Microblog