Implicit Login Flow, SSO with RocketChat and Nextcloud

Hi Team,

Greetings!. I am working with UCS server 4.4 and I have NextCloud and RocketChat installed there. I am planning to use SSO so that the user has to login only once and the same authentication tokens can be used for all of my applications. I read that by default the SSO is been enabled in the UCS.

  • Do I need to do any additional configurations to work with SSO?
  • Does UCS supports Implicit Login? I mean something like “Login with Facebook, GMAIL”? If yes, how can I implement the same in my Angular application?
  • To login from my application (Angular), is this the API I need to use?

But when I use the mentioned API I get the response as below.


{"status": 200, "result": {"username": "Administrator"}, "message": null, "options": null}

How can I get authentication token and other details?

I am really looking forward to hearing from you.

Kindest Regards
Sibeesh Venu

Hi @sibeeshvenu,

it seems is what you are looking for. Nextcloud supports login via OpenID Connect through the following plugin

Rocketchat on the other hand does not directly support OpenID Connect, but only OAuth 2.0. Since OpenID Connect is based on OAuth 2.0 there is a chance this still could work, but I have not tested this myself.

@fbartels Thanks a lot for your response. I am afraid that is not I am looking for. Do you know whether UCS has this feature by default? If I install the openid-connector-provider, how can I use this in my login UI in my application? Any help is really appreciated.

Well openid has an “implicit flow”.

The only built-in SSO functionality (for the web) would be saml. Apart from that UCS also offers Kerberos.

Just like any other OpenID Provider.

Hi @fbartels,

Thanks a lot for your response. I have started implementing the OpenID connect provider. But I am getting the error as .well-known/openid-configuration not found, do you have any idea how can I set in my UCS server? Any help is really appreciated. Thank you.

Kindest Regards
Sibeesh Venu

Have you installed the app I linked to?

Yes I have installed and set the client id and other details using command line. Once after that if we navigate to https://<FQDN of the server>/.well-known/openid-configuration, I should get something right, instead I am getting 404.


strange. this works out of the box with me. That its a 404 indicates that the webserver has maybe not restarted after the app has been installed (it should do so automatically, though). Only other reasons for the 404 is if you had used the wrong fqdn. Did you try to get to the discovery document from within the app?

This FQDN is the same url where we access the UCS server right, for example if I am able to access the portal here and this is my FQDN right? I am not sure how to get the discovery document from the app, can you please say me how? Thanks in advance.

I’ve circled it for you


But yes, the fqdn is the domainer you also use to access the ucs portal with. But actually the .well-known/openid-configuration url should work with any domain/ip pointing to the system.

Thanks, I was following the same and when I click there I am getting 404 :frowning:


Have you tried what I wrote before?

Yes I had restarted my server multiple times.

Then I am unfortunately out of ideas why you system is behaving differently.

After the installation, when I run univention-app logs openid-connect-provider I am getting the message as time="2019-05-23T12:07:59Z" level=info msg="starting http listener" listenAddr="" this means that the application is installed properly right? I also logged in via SSH and checked this port, but the result was the same :frowning:

root@ucs-8280:~# curl http://localhost:8777
404 page not found

And also the container status is unhealthy.

5ae9e86879b5 "docker-entrypoint..." About an hour ago Up About an hour (unhealthy)>8777/tcp


This is really stopping my development.

From your last post i can see that you are using an app version from the test app center (docker image url has in its URI).

We are actively developing this app version and cannot support any app from the test app center - they are by definition in development status. You should use an officially released app version. Try installing the openid-connect-provider app version 0.7-beta, e.g. univention-app install openid-connect-provider=0.7-beta

edit In addition, openid connect is only one way to realize single sign-on with UCS, SAML is the other. Configuring additional service providers for the simplesamlphp Identity Provider is covered in our documentation.

Thanks a lot for the response. I just tried the version you had mentioned. But I am still getting the error 404 when I visit /.well-known/openid-configuration/ and the docker container status is unhealthy.

790ab149e731 "docker-entrypoint..." 2 minutes ago Up About a minute (unhealthy)

You had the development version installed, so it may well be that there are remains from additional features planned in the next release, e.g. modified apache2 configs, cleanup may not be thorough when uninstalling the development version.

Maybe something already installed or configured on your system or a setting in your cloud environment is causing the problem. I guess the other apps installed on your system are from the test app center as well?
I just installed the app on a testsystem and can get the metadata via browser or by executing either

curl -k http://localhost/.well-known/openid-configuration
curl -k https://localhost/.well-known/openid-configuration

Thanks a lot. Surprisingly I am getting response when I do curl http://localhost/.well-known/openid-configuration but I get 404 when I do Can you please help me figure out the reason? Thanks in advance.

Note: Yes, we are using test app center as we our applications are still in testing phase.

Finally I was able to get it working. Restarting the web service after installing the 0.7-beta version fixed the issue it seems.

univention-app install openid-connect-provider=0.7-beta
systemctl restart apache2