Yesterday I started deploying SSO across my private infrastructure using Keycloak. And after deploying Nextcloud and CodiMD with it, I'm starting to question this decision.
Because it's nice to have a central place and only a single login for all services, but apart from me, no one is using all the services, and I don't see an easy way to restrict people from using certain services.
What to do…
@sheogorath Oh interesting. We chose Ipsilon instead of Keycloak for SSO. I'm curious to hear your experience, was it hard to configure?
I recommend having a look at:
Things that bother me right now: the already mentioned missing ability to easily restrict users to a subset of apps without creating a new realm, and the missing U2F/FIDO2 support.
Otherwise it seems fine and brings a nice UI.
The way we have it deployed is such that a user account needs to be explicitly created in Keycloak *and* Nextcloud for the user to be able to sign in. A bit more work when adding a user, but a bit more control too. Using the SocialLogin app here:
@rysiek I'm using the SAML authentication.
But I actually managed to restrict access by adding a custom script to the login flow.
For now, people who are not part of my Nextcloud group simply end up with a "Your account is not setup yet" screen.
Currently looking into Synapse and afterwards into Mastodon.
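The per-app restriction described in the post above, as an added example and not the poster's own script: a Keycloak Script Authenticator step (JavaScript run by Keycloak's script engine, not Node) that only lets a user through to a client if one of their realm groups is on that client's allow list, and otherwise shows the "Your account is not setup yet" page. The client IDs, group names and the policy table are assumptions; the decision logic is kept in a plain function so it can be tested outside Keycloak.

```javascript
// Added example: a Keycloak Script Authenticator that enforces per-client group
// membership inside a single realm. Client IDs and group names are assumed.
// Recent Keycloak versions need the preview feature "scripts" enabled.

// Per-client allow list: which realm groups may sign in to which client.
var CLIENT_GROUPS = {
  "nextcloud": ["nextcloud-users", "admins"],
  "codimd":    ["codimd-users", "admins"]
};

// Pure decision logic, separated so it can be unit-tested without Keycloak.
// Fails closed: a client with no policy entry is denied for everyone.
function decide(clientId, groupNames) {
  var allowed = CLIENT_GROUPS[clientId];
  if (!allowed) {
    return { allow: false, reason: "no policy for client " + clientId };
  }
  for (var i = 0; i < groupNames.length; i++) {
    if (allowed.indexOf(groupNames[i]) !== -1) {
      return { allow: true, reason: "member of " + groupNames[i] };
    }
  }
  return { allow: false, reason: "not in any allowed group" };
}

// Entry point Keycloak calls. `user`, `authenticationSession` and `Java` are
// globals that exist only inside Keycloak's script engine.
function authenticate(context) {
  var AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
  // Recent versions moved this to jakarta.ws.rs.core.Response.
  var Response = Java.type("javax.ws.rs.core.Response");

  var groupNames = [];
  var it = user.getGroupsStream().iterator();
  while (it.hasNext()) {
    groupNames.push(String(it.next().getName()));
  }

  var clientId = String(authenticationSession.getClient().getClientId());
  var verdict = decide(clientId, groupNames);
  if (verdict.allow) {
    context.success();
    return;
  }
  // Deny with an explicit error page rather than a silent failure.
  context.failure(
    AuthenticationFlowError.ACCESS_DENIED,
    context.form().setError("Your account is not setup yet").createErrorPage(Response.Status.FORBIDDEN)
  );
}
```

The step is added to a copy of the browser flow and bound to the clients it should guard; the authenticator's own audit event still records the denial.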