---
# authentik blueprint: registers Nextcloud (user_saml app) as a SAML service
# provider and publishes it as an application.
#
# @NEXTCLOUD_DOMAIN@ and @AUTHENTIK_DOMAIN@ are placeholders. They look like
# build-time substitution tokens (TODO confirm) and must be replaced with the
# real hostnames before the blueprint is applied.
version: 1
metadata:
  name: nextcloud-saml-setup
entries:
  # 1. SAML provider
  - model: authentik_providers_saml.samlprovider
    identifiers:
      name: 'Nextcloud SAML'
    attrs:
      # Both flows are looked up by slug, so the blueprint only applies where
      # these flows already exist.
      authorization_flow: !Find
        [authentik_flows.flow, [slug, default-provider-authorization-explicit-consent]]
      invalidation_flow: !Find
        [authentik_flows.flow, [slug, default-provider-invalidation-flow]]

      # Service-provider endpoints: adjust to the Nextcloud domain.
      # acs_url is where the signed response is POSTed and audience restricts
      # which SP the assertion is meant for, so both should match the values
      # Nextcloud publishes exactly (scheme, host and path).
      acs_url: 'https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/acs'
      audience: 'https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/metadata'
      # Must equal the IdP identifier configured on the Nextcloud side.
      issuer: 'https://@AUTHENTIK_DOMAIN@'
      sp_binding: post

      # Attributes released to Nextcloud: name, email and groups.
      # NOTE(review): if Nextcloud derives privileges from the groups
      # attribute, authentik group membership becomes an authorization input;
      # confirm who can manage those groups.
      property_mappings:
        - !Find [authentik_core.propertymapping, [managed, goauthentik.io/providers/saml/ms-name]]
        - !Find [authentik_core.propertymapping, [managed, goauthentik.io/providers/saml/ms-email]]
        - !Find [authentik_core.propertymapping, [managed, goauthentik.io/providers/saml/ms-groups]]

      # Signing keypair, looked up by name (the default is usually the
      # self-signed one). Nextcloud has to be given this keypair's public
      # certificate to validate signatures, and must be updated whenever the
      # keypair is replaced. No verification_kp is set in this blueprint.
      signing_kp: !Find
        [authentik_crypto.certificatekeypair, [name, 'authentik Self-signed Certificate']]

  # 2. Application
  # This blueprint creates no policy bindings for the application; who may
  # launch it is decided by bindings defined elsewhere, if any (confirm).
  - model: authentik_core.application
    identifiers:
      slug: nextcloud
    attrs:
      name: Nextcloud
      provider: !Find [authentik_providers_saml.samlprovider, [name, 'Nextcloud SAML']]
      group: 'Cloud Services'