Yesterday I started to deploy SSO through my private infrastructure using Keycloak. And after deploying Nextcloud and CodiMD with it, I started to question this decision.

Because it's nice to have a central place and only a single login for all services, but except for me, no one is using all services and I don't see an easy way to restrict people from using certain services.

What to do…

@sheogorath Oh, interesting. We chose Ipsilon instead of Keycloak for SSO. I'm curious to hear your experience, was it hard to configure?

@Gina Configuring itself is easy. The clients needed a bit more love, but worked out as well. was a bit more complicated but simply due to the lack of documentation.

I recommend to have a look at:

Things that bother me right now: the mentioned missing ability to easily restrict users to a subset of apps without creating a new realm, and the missing U2F/FIDO2 support.

Otherwise it seems fine and brings a nice UI.

@sheogorath @Gina what are you using for Nextcloud <-> Keycloak connection there?

The way we have it deployed is such that a user account needs to be explicitly created in Keycloak *and* Nextcloud for the user to be able to sign-in. A bit more work when adding a user, but a bit more control too. Using SocialLogin app here:

@rysiek I'm using the SAML authentication.

But I actually managed to restrict access by adding a custom script to the login flow.

For now people who are not part of my Nextcloud group simply end up with a "Your account is not setup yet" screen.

Currently looking into Synapse and afterwards into Mastodon.

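The group-based restriction described in the post above (a script in the Keycloak login flow that sends users outside a Nextcloud group to a "not set up yet" page), as an added example written for this thread, not the author's own script. It assumes Keycloak's preview "scripts" feature is enabled, a Keycloak version whose UserModel has getGroupsStream(), and a placeholder group name "nextcloud".

```javascript
// Added example: a Keycloak script authenticator (ES5 JavaScript, so it runs on
// Keycloak's Nashorn/GraalJS engine) that only lets members of one group through.
// Assumptions: preview "scripts" feature enabled; UserModel.getGroupsStream() exists;
// the group name and error message are placeholders.

var REQUIRED_GROUP = "nextcloud"; // placeholder: the group allowed to use this client

// Shim so the same file can also be exercised outside Keycloak (e.g. under Node);
// inside Keycloak, Java.type() returns the real enum.
var AuthenticationFlowError = (typeof Java !== "undefined")
    ? Java.type("org.keycloak.authentication.AuthenticationFlowError")
    : { ACCESS_DENIED: "ACCESS_DENIED" };

// Pure membership check, kept separate so it can be tested without a Keycloak session.
function isMemberOf(groupNames, required) {
    for (var i = 0; i < groupNames.length; i++) {
        if (groupNames[i] === required) { return true; }
    }
    return false;
}

// Names of the user's direct group memberships as a plain array.
function groupNamesOf(user) {
    var groups = user.getGroupsStream().toArray();
    var names = [];
    for (var i = 0; i < groups.length; i++) {
        names.push(groups[i].getName());
    }
    return names;
}

// Entry point Keycloak calls for this execution. Place it after the username/password
// step, because context.getUser() is null before the user has been identified.
// Returns true on success and false on denial (Keycloak ignores the return value).
function authenticate(context) {
    var user = context.getUser();
    if (user === null || !isMemberOf(groupNamesOf(user), REQUIRED_GROUP)) {
        // Render the standard error template with a friendly message instead of a
        // generic failure, then stop the flow.
        var page = context.form().setError("Your account is not set up yet.").createForm("error.ftl");
        context.failure(AuthenticationFlowError.ACCESS_DENIED, page);
        return false;
    }
    context.success();
    return true;
}

// Called when a form rendered by this authenticator is submitted; nothing to do here.
function action(context) { authenticate(context); }
```

Users in the group proceed to the next step of the flow; everyone else stops at the error page, and the denial is recorded as an ACCESS_DENIED login event in Keycloak's event log.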

@sheogorath @Gina Interesting. I looked at the SAML thing, but SAML is very annoying to configure, I find.

Care to share your script?

Sheogorath's Microblog