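---
# authentik blueprint: a SAML provider plus the matching application for
# Nextcloud's user_saml app.
# @NEXTCLOUD_DOMAIN@ and @AUTHENTIK_DOMAIN@ are substituted before import.
# They are bare hostnames: every URL below supplies the scheme itself, so the
# launch_url carries https:// like acs_url/audience (a bare host would render
# as a relative link).
version: 1
metadata:
  name: nextcloud-saml-setup
entries:
  # 1. Create the SAML Provider
  - model: authentik_providers_saml.samlprovider
    identifiers:
      name: Nextcloud SAML
    attrs:
      authorization_flow: !Find
        - authentik_flows.flow
        - [slug, default-provider-authorization-explicit-consent]
      invalidation_flow: !Find
        - authentik_flows.flow
        - [slug, default-provider-invalidation-flow]
      # Adjust these URLs to match your Nextcloud domain.
      # acs_url and audience must match the SP's ACS endpoint and entity ID
      # exactly; the SP rejects assertions addressed to a different audience.
      acs_url: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/acs
      audience: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/metadata
      issuer: https://@AUTHENTIK_DOMAIN@
      sp_binding: post
      # Map the attributes for Name, Email, Groups, Username and User ID.
      property_mappings:
        - !Find
          - authentik_core.propertymapping
          - [name, "authentik default SAML Mapping: Name"]
        - !Find
          - authentik_core.propertymapping
          - [name, "authentik default SAML Mapping: Email"]
        - !Find
          - authentik_core.propertymapping
          - [name, "authentik default SAML Mapping: Groups"]
        - !Find
          - authentik_core.propertymapping
          - [name, "authentik default SAML Mapping: Username"]
        - !Find
          - authentik_core.propertymapping
          - [name, "authentik default SAML Mapping: User ID"]
      # Alternative: the managed Microsoft-style mappings
      # goauthentik.io/providers/saml/ms-name, ms-email and ms-groups,
      # looked up by [managed, ...] instead of [name, ...].
      # Select your signing certificate (default is usually self-signed).
      # The SP must trust exactly this certificate; rotating it here means
      # updating the IdP metadata on the Nextcloud side as well.
      signing_kp: !Find
        - authentik_crypto.certificatekeypair
        - [name, "authentik Self-signed Certificate"]
      # Only the assertion is signed, not the outer response. The SP must
      # therefore be configured to require and validate assertion signatures,
      # otherwise nothing in the message is integrity-protected.
      sign_assertion: true
      sign_response: false

  # 2. Create the Application
  - model: authentik_core.application
    identifiers:
      slug: nextcloud
    attrs:
      name: Nextcloud
      # Resolved against the provider created in entry 1 (matched by name).
      provider: !Find
        - authentik_providers_saml.samlprovider
        - [name, Nextcloud SAML]
      # Full URL, consistent with acs_url/audience above.
      launch_url: https://@NEXTCLOUD_DOMAIN@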