Skip to main content


Support level: Community

What is Nextcloud



Nextcloud is a suite of client-server software for creating and using file hosting services. Nextcloud is free and open-source, which means that anyone is allowed to install and operate it on their own private server devices.


This setup only works, when Nextcloud is running with HTTPS enabled. See here on how to configure this.


In case something goes wrong with the configuration, you can use the URL to log in using the built-in authentication.


The following placeholders will be used:

  • is the FQDN of the Nextcloud install.
  • is the FQDN of the authentik install.

Create an application in authentik and note the slug you choose, as this will be used later. In the Admin Interface, go to Applications -> Providers. Create a SAML provider with the following parameters:

  • ACS URL:
  • Issuer:
  • Service Provider Binding: Post
  • Audience:
  • Signing certificate: Select any certificate you have.
  • Property mappings: Select all Managed mappings.

Depending on your Nextcloud configuration, you might need to use instead of

You can of course use a custom signing certificate, and adjust durations.


In Nextcloud, ensure that the SSO & SAML Authentication app is installed. Navigate to Settings, then SSO & SAML Authentication.

Set the following values:

  • Attribute to map the UID to:

    Nextcloud uses the UID attribute as username. However, mapping it to authentik usernames is not recommended due to their mutable nature. This can lead to security issues such as user impersonation. If you still wish to map the UID to an username, disable username changing in authentik and set the UID attribute to "".

  • Optional display name of the identity provider (default: "SSO & SAML log in"): authentik
  • Identifier of the IdP entity (must be a URI):
  • URL Target of the IdP where the SP will send the Authentication Request Message:<application-slug>/sso/binding/redirect/
  • URL Location of IdP where the SP will send the SLO Request:<application-slug>/slo/binding/redirect
  • Public X.509 certificate of the IdP: Copy the PEM of the Selected Signing Certificate

Under Attribute mapping, set these values:

  • Attribute to map the displayname to.:
  • Attribute to map the email address to.:
  • Attribute to map the users groups to.:

You should now be able to log in with authentik.


If Nextcloud is behind a reverse proxy you may need to force Nextcloud to use HTTPS. To do this you will need to add the line 'overwriteprotocol' => 'https' to config.php in the Nextcloud config\config.php file See for additional information

Group Quotas

Create a group for each different level of quota you want users to have. Set a custom attribute, for example called nextcloud_quota, to the quota you want, for example 15 GB.

Afterwards, create a custom SAML Property Mapping with the name SAML Nextcloud Quota.

  • Set the SAML Attribute Name to nextcloud_quota.
  • Set the Expression to:
return user.group_attributes().get("nextcloud_quota", "1 GB")

where 1 GB is the default value for users that don't belong to another group (or have another value set).

Then, edit the Nextcloud SAML Provider, and add nextcloud_quota to Property mappings.

In Nextcloud, go to Settings, then SSO & SAML AuthenticationUnder Attribute mapping, set this value:

  • Attribute to map the quota to.: nextcloud_quota

Admin Group

To give authentik users admin access to your Nextcloud instance, you need to create a custom Property Mapping that maps an authentik group to "admin". It has to be mapped to "admin" as this is static in Nextcloud and cannot be changed.

Create a custom SAML Property Mapping:

  • Set the SAML Attribute Name to
  • Set the Expression to:
for group in user.ak_groups.all():
if ak_is_group_member(request.user, name="<authentik nextcloud admin group's name>"):
yield "admin"

Then, edit the Nextcloud SAML Provider, and replace the default Groups mapping with the one you've created above.