I’m trying to setup owncloud with single sign on using Authentik. I have it working for normal users. There is a feature that allows automatic role assignment to users so that admin users from authentik become admin users for owncloud.
This is described here: https://doc.owncloud.com/ocis/next/deployment/services/s-list/proxy.html#automatic-role-assignments.
In this document, they describe having attributes like
- role_name: admin
claim_value: ocisAdmin
The problem I have is I don’t know how to input this information into an Authentik user. As a result, owncloud is giving me this error:
ERR Error mapping role names to role ids error="no roles in user claims" line=github.com/owncloud/ocis/v2/services/proxy/pkg/userroles/oidcroles.go:84 request-id=5a6d0e69-ad1b-4479-b2d9-30d4b4afb8f2 service=proxy userid=05b283cd-606c-424f-ae67-5d0016f2152c
Any authentik experts out there?
I tried putting this under the attributes section of the user profile in authentik:
role_name: admin
claim_value: ocisAdmin
It doesn’t work and it won’t let me format YAML like the documentation where the claim_value is a child of the role_name.
Roles in authentik are for permissions in authentik. You want a group instead. Group memberships are send via OIDC.
not an authentik user, but after skimming their docs i think you have to:
- create a role “ocisAdmin” via authentiks admin interface
- give this role to a group in the admin interface or create one.
- assign a user thats supposed to be an owncloud admin to the group
it might be that you also have to define somekind of mapper to include this in the informations owncloud receives from authentik, but as i said i only skimmed the docs and would personally just try it without the mapper.
Reminds me of the group limit attribute in nextcloud. You could try looking at the ‘Custom profile scope’ section of https://docs.goauthentik.io/integrations/services/nextcloud/ to see if it helps to work out what to do
