SSO with Authentik
Connect your managed Nextcloud at server.camp to Authentik so your team can sign in with their central Authentik account.
Prerequisites:
- Managed Authentik at server.camp
- Managed Nextcloud at server.camp
- Admin access to both services
- In Authentik, open Applications → Providers
- Click “Create” → Type: OAuth2/OpenID Connect
- Fill in the fields:
  - Name: Nextcloud
  - Client Type: Confidential
  - Redirect URIs: https://your-nextcloud.srv.camp/apps/user_oidc/code
  - Signing Key: Select the default key (already available)
- Save — Authentik automatically generates a Client ID and Client Secret. You’ll need both in the next step.
Copy Client ID and Secret now: Open the provider you just created and copy Client ID and Client Secret into a text editor. You’ll need them shortly in Nextcloud.
- Go to Applications → Applications → “Create”
- Fill in the fields:
  - Name: Nextcloud
  - Slug: nextcloud
  - Provider: select the Nextcloud provider you just created
- Optional: Under UI Settings, upload a Nextcloud logo and set the launch URL to https://your-nextcloud.srv.camp
- Save
Restrict access by group (recommended):
Open the application → Policy / Group / User Bindings tab → “Create” → Group → select the group that should have access to Nextcloud (e.g. all-employees). Only members of that group will be able to sign in via Authentik.
You’ll need this URL in Nextcloud:
https://your-authentik.srv.camp/application/o/nextcloud/.well-known/openid-configuration
Replace your-authentik.srv.camp with your actual Authentik address and nextcloud with the slug you set in Step 2.
Open the URL in a browser — if a JSON response appears, the URL is correct.
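The browser check above only shows that some JSON came back. The sketch below is an added example, not part of the server.camp documentation: it checks that the document is an OpenID Connect discovery document whose issuer belongs to the URL you are about to paste into Nextcloud. The sample document is constructed, its endpoint paths are illustrative, and `check_discovery` is a hypothetical helper name.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def check_discovery(discovery_url, body):
    """Return a list of problems; an empty list means the document looks usable."""
    problems = []
    expected = None
    if discovery_url.endswith(WELL_KNOWN):
        # OIDC Discovery: the issuer is the URL prefix the document is served under.
        expected = discovery_url[: -len(WELL_KNOWN)].rstrip("/")
    else:
        problems.append("discovery URL does not end with " + WELL_KNOWN)
    try:
        doc = json.loads(body)
    except ValueError:
        return problems + ["response is not JSON (login or error page?)"]
    if not isinstance(doc, dict):
        return problems + ["JSON response is not an object"]
    for key in REQUIRED:
        value = doc.get(key)
        if not isinstance(value, str) or not value:
            problems.append("missing field: " + key)
        elif urlsplit(value).scheme != "https":
            problems.append(key + " is not an https URL")
    issuer = doc.get("issuer")
    if expected and isinstance(issuer, str) and issuer.rstrip("/") != expected:
        problems.append("issuer %r does not match the discovery URL (wrong slug?)" % issuer)
    types = doc.get("response_types_supported")
    if not isinstance(types, list) or "code" not in types:
        problems.append("authorization code flow ('code') is not advertised")
    return problems

# Constructed sample input; host names are the placeholders used on this page.
SAMPLE_URL = "https://your-authentik.srv.camp/application/o/nextcloud" + WELL_KNOWN
SAMPLE_BODY = json.dumps({
    "issuer": "https://your-authentik.srv.camp/application/o/nextcloud/",
    "authorization_endpoint": "https://your-authentik.srv.camp/application/o/authorize/",
    "token_endpoint": "https://your-authentik.srv.camp/application/o/token/",
    "jwks_uri": "https://your-authentik.srv.camp/application/o/nextcloud/jwks/",
    "response_types_supported": ["code"],
})

if __name__ == "__main__":
    print(check_discovery(SAMPLE_URL, SAMPLE_BODY) or "discovery document looks consistent")
```

To run it against your own instance, save the JSON from the browser to a file and pass its contents as `body` together with the URL you opened.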
- Sign in to Nextcloud as an admin
- Open Apps (the grid icon in the top right)
- Search for “OpenID Connect user backend” and install the app
- Navigate to Settings → Administration → OpenID Connect
- Click “Add provider” and fill in:
  - Identifier: authentik (any name, for display only)
  - Client ID: from Step 1
  - Client Secret: from Step 1
  - Discovery URL: from Step 3
- Save
User attribute mapping: Nextcloud uses the sub claim as the unique user ID by default. For a readable username, enable mapping to preferred_username in the provider settings. Authentik sends this value automatically.
- Sign out of Nextcloud
- The login page now shows a “Sign in with Authentik” button (or similar)
- Click it — you’ll be redirected to Authentik
- After authentication (and 2FA if enabled), the user lands back in Nextcloud
Test before switching over: Keep the standard Nextcloud login active while testing SSO. This lets you sign in with your admin account if the SSO configuration needs adjusting. Once everything works, disable local login under Settings → Administration → OpenID Connect.
“Redirect URI mismatch” — The redirect URI in Authentik doesn’t match what Nextcloud sends. Verify the URL matches exactly (including https:// and path): https://your-nextcloud.srv.camp/apps/user_oidc/code.
User signs in but lands in an empty account — This is expected on first login: Nextcloud creates a new account. Existing Nextcloud accounts are not automatically linked to Authentik accounts. Use the account migration feature in the user_oidc app under Settings → Administration → OpenID Connect → Link users to connect existing accounts.
SSO button not appearing — Check that the user_oidc app is enabled and that the Discovery URL is reachable in a browser.
If you run into issues with SSO, reach out at support@server.camp.