36 Comments

  1. Awesome guide, almost got it working.
    It unfortunately keeps saying “Account not provisioned. Your account is not provisioned, access to this service is thus not possible.”

    Care to share your complete page of the SSO & SAML authentication (including the security settings)? ADFS has been set up exactly as you describe.

  2. Maybe good to know is that I have LDAP auth also setup (and working)

  3. Turned out I had set certificate keys under ‘Service Provider Data’. Clearing these out and setting the IdP identifier to http instead of https fixed it. I can now use ADFS.

    You’re the hero of the day!

  4. Thanks for sharing, this is awesome! Couldn’t make it work though because Nextcloud’s metadata points to the assertion thingy with an http:// scheme and ADFS refuses non-https:// assertion…um..points? I forgot the name. The farthest I got was to the “you don’t have an account here” or something like that. It really helped me understand better what does what about federation, so thank you!

  5. Hi all of you.

    I spent a day trying to configure it for my corp. But I always receive a message “Account not provisioned”.

    I’ve set up ADFS and Nextcloud as mentioned below. I need your help, please.

    Nextcloud redirects properly to ADFS but when I enter my creds Nextcloud returns the message “Account not provisioned, access to this service is thus not possible”

  6. Hey Marcelin,

    have a look at the above comment from Délano from 8 May 2018:

    ——– quote ——–
    Turned out I had set certificate keys under ‚Service Provider Data‘. Clearing these out and setting the IdP identifier to http instead of https fixed it. I can now use ADFS.
    ——– end quote ——-

    maybe that is also the case in your setup?

  7. HI ALL,

    Everything ran perfectly, the mistake was due to WS 2012r2. Run ADFS on WS2016

  8. Works great! Still trying to figure out how to get the new groups attribute to work with ADFS.
    Any idea?

  9. Hi Guys,
    I have the same problem
    +++
    It unfortunately keeps saying „Account not provisioned. Your account is not provisioned, access to this service is thus not possible.“
    +++
    I already checked my settings for Service Provider Data.

    +++
    Everything ran perfectly, the mistake was due to WS 2012r2. Run ADFS on WS2016
    +++
    Can you explain what your fault was?

  10. > Everything ran perfectly, the mistake was due to WS 2012r2. Run ADFS on WS2016

    -> I think he was just trying again with ADFS on Windows Server 2016 instead of Windows Server 2012 R2.

    I also tested with 2016 and would strongly recommend you use Windows Server 2016 exclusively.

  11. Thank you very much for this tutorial! Thought for 1 month about the concept to hook up AD, Azure AD and LDAP together with Nextcloud and Office 365 to have enterprise and standard user use cases for building a platform to work together all over Europe.

    Also your style of writing this fu** manual, which is very technical… great!

    Thanks for helping me with my solution design!

    Greets from Austria 😉

  12. Hello Florian,

    this is a really great guide!!!!! A thousand thanks!!!!

    I have just done the whole thing on Windows Server 2019 with a Nextcloud from a cloud provider. It is not quite running yet, but maybe that will sort itself out tomorrow…..

    I still had to fix this so that the SSO login page came up:
    Error MSIS7012
    Solution found at
    https://social.technet.microsoft.com/Forums/en-US/7370b5c9-6195-427a-99a8-c605a8b21b48/what-are-potential-reasons-causing-msis7012-error?forum=ADFS
    […]
    You can solve the error by executing the command below from PowerShell, logged in on the primary ADFS server:

    Set-AdfsProperties -EnableIdpInitiatedSignonPage $true

    One more thing….could you please explain once more how I configure only a single AD security group to be permitted to log in to Nextcloud?

  13. Nice writeup.

    This triggered me to put the Microsoft part (ADFS) into a PowerShell script.
    I probably couldn’t remember all the steps once I had configured it the first time.
    The script should make it possible to transfer the job to new servers.

    I have uploaded an initial version at

    https://github.com/rzerres/SAML-SSO-ADFS

    comments and updates are quite welcome.

    Ralf

  14. Hi. Thanks for the step-by-step instructions. Very appreciated. However, I was wondering if this tutorial was for version 14? Running version 15 seems to have issues. Do you have any ideas?

  15. Sorry, I did not have to implement this with v15. Maybe I (or somebody else) can help if you specify what issues you are having. This article is read by quite a lot of people 😉

  16. I followed the steps in this article and could set up the integration successfully with ADFS 2016 (on NC 16).
    However, the attribute mappings seem not to be working. I could not see the information from AD like full name and email address updated when the NC user was created.

    Has someone faced the same situation?

  17. Was the External Storage with SMB working with Kerberos with this solution?

  18. But TBH I’d just mount the storage in the Nextcloud server transparently and set the data dir to somewhere in the mount point.
    No reason to involve Kerberos/nextcloud auth.
    Or even better: use NFS.

  19. Excellent blog you have got here… It’s difficult to find
    quality writing like yours these days. I seriously appreciate people like you!
    Take care!!

  20. The desktop sync client always gives an error: “Access forbidden. Your login token is invalid or has expired”. In the browser ADFS login works fine. Any idea how to get the desktop sync client running with ADFS SAML auth?

  21. Hi,
    first of all, this is a really awesome portal where we can get handy information.
    I was also struggling with the error “Account is not provisioned” and finally, after seeing the post, this worked.

    ——– quote ——–
    Turned out I had set certificate keys under ‚Service Provider Data‘. Clearing these out and setting the IdP identifier to http instead of https fixed it. I can now use ADFS.
    ——– end quote ——-

    I only have one question: do we need to open port 80 on ADFS from outside, as this goes over http and not https?
    This will be a big issue if we need to open port 80.

    Please suggest.

    Thanks
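Comments 3, 4 and 21 all turn on one distinction that the thread never spells out: a SAML entityID (the “IdP identifier” in Nextcloud, the Issuer in what ADFS sends back) is an opaque URI that the service provider compares as a string, while an AssertionConsumerService Location is a real endpoint the browser posts to. An out-of-the-box ADFS farm issues assertions under the identifier http://<fqdn>/adfs/services/trust, so the Nextcloud side must be configured with exactly that string, http scheme included; nothing ever connects to it, so no port 80 is opened anywhere. The ACS URL, by contrast, has to be https, which is why ADFS refused the http endpoint in comment 4. The script below is an added example, not code from the post, from Nextcloud or from Microsoft: it parses a constructed SP metadata fragment shaped like the one the user_saml app publishes and a constructed Response fragment, and reports which of the two settings is wrong. Hostnames are placeholders.

```python
"""Distinguish SAML identifiers (compared as strings) from endpoints (used on the wire)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SP metadata in the shape the Nextcloud user_saml app publishes (placeholder host).
# The http:// ACS Location reproduces the mistake described in comment 4.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://cloud.example.test/apps/user_saml/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://cloud.example.test/apps/user_saml/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed fragment of an ADFS response. A default ADFS farm issues assertions under
# http://<fqdn>/adfs/services/trust; the http scheme is part of the identifier string.
IDP_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
</samlp:Response>"""


def sp_endpoints(metadata_xml: str) -> dict:
    """Return the SP entityID and the AssertionConsumerService URL from SP metadata."""
    root = ET.fromstring(metadata_xml)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    return {"entity_id": root.attrib["entityID"], "acs": acs.attrib["Location"]}


def issuer_of(response_xml: str) -> str:
    """Return the Issuer string exactly as the IdP sent it."""
    root = ET.fromstring(response_xml)
    return root.find("saml:Issuer", NS).text.strip()


def issuer_matches(configured_idp_id: str, response_xml: str) -> bool:
    """Identifier check: a byte-for-byte comparison, no network access at all.

    This is why the http:// identifier in comment 3 works without opening port 80:
    the SP never dereferences the entityID, it only compares it.
    """
    return issuer_of(response_xml) == configured_idp_id


def endpoint_findings(url: str) -> list:
    """Endpoint check: the browser really posts the assertion to this URL, so it must be https."""
    findings = []
    scheme = urlsplit(url).scheme
    if scheme != "https":
        findings.append(f"ACS {url} uses {scheme}://; ADFS refuses non-https endpoints "
                        "and the assertion would otherwise travel in clear text")
    return findings


def audit(configured_idp_id: str, metadata_xml: str = SP_METADATA,
          response_xml: str = IDP_RESPONSE) -> dict:
    """Run both checks and collect human-readable findings."""
    sp = sp_endpoints(metadata_xml)
    findings = endpoint_findings(sp["acs"])
    issuer_ok = issuer_matches(configured_idp_id, response_xml)
    if not issuer_ok:
        findings.append(f"configured IdP identifier {configured_idp_id!r} does not equal "
                        f"Issuer {issuer_of(response_xml)!r}")
    return {"issuer_ok": issuer_ok, "findings": findings}


if __name__ == "__main__":
    # The https variant is the misconfiguration from comment 3; the http variant is the fix.
    for idp_id in ("https://adfs.example.test/adfs/services/trust",
                   "http://adfs.example.test/adfs/services/trust"):
        print(idp_id)
        for line in audit(idp_id)["findings"]:
            print("  -", line)
```

Run as-is, the first identifier produces two findings (ACS scheme and identifier mismatch), the second only the ACS finding; fixing the ACS Location to https clears that one too. The same two checks apply to any SP/IdP pair, not only Nextcloud and ADFS.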
