
If you need to use various services online, which is by the way the norm, there’s nothing more convenient than using single sign-on (SSO). SSO allows you to log in to all available services in a domain with one password only. UCS provides this feature via the SAML Identity Provider since UCS 4.1.

We chose to implement SAML as the first single sign-on technology in UCS because of its popularity in the enterprise sector, its high degree of security, and the positive experiences we ourselves had gained with SAML in the years before. Since then, a lot of services and Univention Apps already provide a SAML service provider. Now, we are working on integrating these into the UCS Identity Provider.

Today, we would like to describe the configuration of the SAML integration that is required for the ownCloud Univention App. If you are completely new to SAML single sign-on, we suggest reading our article Brief Introduction to Single Sign-On first. It will give you a general understanding of the SSO concept.

This SAML integration for ownCloud was realized during one of our internal Univention Hackathons, where some of us meet regularly to give exciting ideas and projects around UCS and UCS@school a go. By the way, many valuable apps, concepts and product features have already emerged from these hackathons.

So, how does the SAML integration for ownCloud work and what do I have to do?

Configuration of the SAML integration for ownCloud

For the integration we prepared a Debian package, which does all the required configuration steps when it gets installed. Basically, you only need a UCS server, which has the ownCloud app installed from the Univention App Center.

The configuration of the ownCloud SAML service provider that we provide is based on the official ownCloud instructions, which use the Shibboleth module (mod_shib) of the Apache HTTP server.

After the package is installed, another link is added to the portal which provides the login via SAML. Note that the regular login, which uses LDAP authentication, remains usable as a fallback and alternative.

Preconditions to observe

Please observe what is needed before the package can be installed:

  • The ownCloud-App is installed on the UCS system.
  • Either ownCloud Enterprise or a 30-day evaluation copy of ownCloud is activated. The activation happens in two steps:
    • Enter your key: Login → Start menu → Market (directlink: /owncloud/index.php/apps/market/) → Add API Key → Save → Close
    • Installation of the enterprise Apps: [START ENTERPRISE TRIAL] → START TRIAL → INSTALL ENTERPRISE APPS NOW

What happens during installation?

On installation of the Debian package, the following steps are executed:

  • Installation of the ownCloud SAML-App.
  • Activation and configuration of the ownCloud SAML-App.
  • Set up the Apache configuration for mod_shib in the Docker container of ownCloud.
  • Set up of an Apache reverse proxy rule for single sign-on on the host system(s).
  • Set up of a portal entry for the single sign-on to ownCloud.

Needed steps for operation

To put the whole into operation, the following steps are necessary:

  • If applicable, set the UCR variable owncloud/saml/path (default: /oc-shib) which defines where ownCloud is available via SAML.
  • For the installation of the Debian package there are two possibilities:
    1. Either download and install the package
      • Download the package from github

        root@ucs# wget https://raw.githubusercontent.com/univention/univention-owncloud-saml/master/univention-owncloud-saml_1.0-0.deb

      • Install the package via dpkg

        root@ucs# dpkg -i univention-owncloud-saml_1.0-0.deb

    2. Or clone the git repository, build and install the package
      • Clone the git from github:

        root@ucs# univention-install git dpkg-dev debhelper univention-config-dev ucslint-univention
        root@ucs# git clone https://github.com/univention/univention-owncloud-saml.git

      • Build the package:

        root@ucs# cd univention-owncloud-saml/; dpkg-buildpackage

      • Install the package via dpkg

        root@ucs# cd ..; dpkg -i univention-owncloud-saml_1.0-0.deb

  • Ensure that the joinscript was successfully executed via univention-check-join-status
  • Create an ownCloud user via UMC
  • Activate the ownCloud user for the SAML service provider via [Account] → [SAML settings]
  • Navigate to the portal site and log in using the new user

Notes

  • The changes to the file /root/owncloud/subpath.conf in the Docker container of the ownCloud app are not yet preserved across an update of the App. Therefore the join script (40univention-owncloud-saml.inst) must be executed again after each update of the ownCloud App.
  • The SAML Service Provider metadata is available via https://$fqdn//Shibboleth.sso/Metadata. For debugging purposes there is also https://$fqdn//Shibboleth.sso/Session, which shows information about the currently logged-in user.
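Before the metadata from the Shibboleth.sso/Metadata endpoint is registered with the UCS Identity Provider, it is worth checking that the service provider only accepts assertions over HTTPS, on the expected host and under the configured owncloud/saml/path. The following script is an added example and not part of the Univention package; the host name ucs.example.com and the metadata document are constructed, shaped like what mod_shib serves.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample, shaped like the document mod_shib serves at
# https://$fqdn/Shibboleth.sso/Metadata; the host is a placeholder.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://ucs.example.com/oc-shib/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ucs.example.com/oc-shib/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://ucs.example.com/oc-shib/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_sp_metadata(xml_text, expected_host, saml_path="/oc-shib"):
    """Return a list of problems; an empty list means the metadata looks sane.

    expected_host: the UCS FQDN the SP should be reachable under.
    saml_path: the value of the UCR variable owncloud/saml/path.
    """
    root = ET.fromstring(xml_text)
    problems = []
    if not root.get("entityID"):
        problems.append("missing entityID")
    sp = root.find("md:SPSSODescriptor", MD)
    if sp is None:
        return problems + ["no SPSSODescriptor"]
    acs_list = sp.findall("md:AssertionConsumerService", MD)
    if not acs_list:
        problems.append("no AssertionConsumerService endpoint")
    for acs in acs_list:
        idx, url = acs.get("index"), urlparse(acs.get("Location", ""))
        # Assertions carry the user's identity: they must only be accepted
        # over TLS, on the expected host, under the proxied SAML path.
        if url.scheme != "https":
            problems.append(f"ACS {idx} is not https: {url.geturl()}")
        if url.hostname != expected_host:
            problems.append(f"ACS {idx} host {url.hostname!r} != {expected_host!r}")
        if not url.path.startswith(saml_path + "/"):
            problems.append(f"ACS {idx} path outside {saml_path}: {url.path}")
    return problems
```

Run `check_sp_metadata(SAMPLE_METADATA, "ucs.example.com")` to see the plain-HTTP endpoint flagged; on a real system, feed it the document fetched from your own Metadata URL.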

If you have further questions, please let us know. Either comment below or ask us via the Univention forum.

We are looking forward to your feedback!


Florian Best is Open Source Software Engineer at Univention and mainly works in the development of UMC and UCS@school. His personal interests are in the areas of HTTP, REST, security technology and Python.
