If you need to use various online services, which is the norm by the way, there's nothing more convenient than single sign-on (SSO). SSO allows you to log in to all available services in a domain with just one password. UCS has provided this feature via the SAML Identity Provider since UCS 4.1.
We chose to implement SAML as the first single sign-on technology in UCS because of its popularity in the enterprise sector, its high degree of security, and the positive experiences we ourselves had had with SAML in the years before. Since then, a lot of services and Univention Apps have come to provide a SAML service provider. Now, we are working on integrating these into the UCS Identity Provider.
Today, we would like to describe the configuration of the SAML integration that is required for the ownCloud Univention App. If you are completely new to SAML single sign-on, we suggest reading our article Brief Introduction to Single Sign-On first. It will give you a general understanding of the SSO concept.
This SAML integration for ownCloud was realized during one of our internal Univention Hackathons, where some of us meet regularly to give exciting ideas and projects around UCS and UCS@school a go. By the way, many valuable apps, concepts and product features have already emerged from these hackathons.
So, how does the SAML integration for ownCloud work and what do I have to do?
For the integration, we prepared a Debian package that performs all the required configuration steps when it is installed. Basically, you only need a UCS server that has the ownCloud app installed from the Univention App Center.
The configuration of the ownCloud SAML service provider that we provide is based on the official ownCloud instructions, which use the Mod Shibboleth (mod_shib) module of the Apache HTTP server.
After the package is installed, another link is added to the portal, which provides the login via SAML. Note that the regular login, which uses LDAP authentication, is still usable as a fallback solution and alternative.
Please observe what is needed before the package can be installed:
On installation of the Debian package, the following steps are executed:
To put the whole thing into operation, the following steps are necessary:
root@ucs# dpkg -i univention-owncloud-saml_1.0.0-1_all.deb
root@ucs# univention-install git dpkg-dev debhelper univention-config-dev ucslint-univention
root@ucs# git clone https://github.com/univention/univention-owncloud-saml.git
root@ucs# cd univention-owncloud-saml/; dpkg-buildpackage
root@ucs# cd ..; dpkg -i univention-owncloud-saml_1.0.0-1_all.deb
If you have further questions, please let us know. Either comment below or ask us via the Univention forum.
We are looking forward to your feedback!
Florian Best is an Open Source Software Engineer at Univention and mainly works on the development of UMC and UCS@school. His personal interests are in the areas of HTTP, REST, security technology and Python.