#!/bin/sh -eu occ="./occ" current_nc_saml="$("${occ}" saml:config:get --output=json)" prov_id="1" if [ "${current_nc_saml}" = "{}" ] || [ "${current_nc_saml}" = "[]" ]; then prov_id="$("${occ}" saml:config:create)" fi # Gather variables ## When keycloak gets updated, /auth disappears idp_entityid_port="https://sso.${DOMAIN}:8443/auth/realms/master" idp_entityid="https://sso.${DOMAIN}/auth/realms/master" idp_sso_url="https://sso.${DOMAIN}/auth/realms/master/protocol/saml" ## This one has no PEM headers or newlines idp_x509cert="$(curl -s -k "${idp_entityid_port}/protocol/openid-connect/certs" | sed -E 's!.*RS256[^}]*x5c":\["([^"]+)".*!\1!')" ## PEM format sp_x509cert="$(cat /saml/public.crt)" ## PEM format sp_privatekey="$(cat /saml/private.key)" # Actually set up Nextcloud "${occ}" saml:config:set --no-interaction --no-ansi \ --general-idp0_display_name="SAML Login" \ --general-uid_mapping=username \ --idp-entityId="${idp_entityid}" \ --idp-singleLogoutService.url="${idp_sso_url}" \ --idp-singleSignOnService.url="${idp_sso_url}" \ --idp-x509cert="${idp_x509cert}" \ --security-authnRequestsSigned=1 \ --security-logoutRequestSigned=1 \ --security-logoutResponseSigned=1 \ --security-wantAssertionsSigned=1 \ --security-wantMessagesSigned=1 \ --saml-attribute-mapping-displayName_mapping=displayname \ --saml-attribute-mapping-email_mapping=email \ --saml-attribute-mapping-group_mapping=member \ --saml-attribute-mapping-quota_mapping=quota \ --sp-x509cert="${sp_x509cert}" \ --sp-privateKey="${sp_privatekey}" \ "${prov_id}" # And set type, else it won't be active "${occ}" config:app:set user_saml type --value saml