SSO - KeyCLIC

The SSO (or Single-Sign On) is handled by a Keycloak instance hosted on the server. The admin panel is available at https://clic.epfl.ch/keyclic and users can manage their profile at https://clic.epfl.ch/me.

For now, each user has a nextcloud_id attribute, to remain compatible with accounts that were created directly on Nextcloud. New users should have their username as nextcloud_id, with the format {name}.{surname}. When there will be no remaining users with the nextcloud_id different than their username, you can update Nextcloud to use the username (preferred_username) and get rid of the nextcloud_id field.

Adding new users

Go to the KeyCLIC admin console here: KeyCLIC Users

Click add user and fill in the following information:

• Required user actions: Update Password, Verify Email
• Email verified: leave this OFF
• Username: name.surname
• Email: EPFL email address if available (may be non EPFL user address for a user who is not at EPFL)
• First Name & Last Name: you can fill in the user's name, or leave it for them to fill in later
• Nextcloud ID: name.surname, same as username
• Groups: select only the relevant groups for the user, for example members of a commission should only be in their commission group.

Optionally, once the user is created, you can set their password to a temporary value (such as their email address). Leave the "Temporary" option on when creating the password, and ensure the options requiring them to verify their email and update their password are active. Otherwise, they can set their password by selecting the "Forgot password" option on the KeyCLIC login page.