{"id":12788,"date":"2017-11-10T09:41:17","date_gmt":"2017-11-10T08:41:17","guid":{"rendered":"https:\/\/www.univention.de\/?p=32418"},"modified":"2017-11-10T09:41:17","modified_gmt":"2017-11-10T08:41:17","slug":"integrate-sso-owncloud","status":"publish","type":"post","link":"https:\/\/owncloud.com\/de\/blogs\/integrate-sso-owncloud\/","title":{"rendered":"How to Integrate SAML Single Sign-On in ownCloud App"},"content":{"rendered":"<p>If you need to use various online services, which is, by the way, the norm, there\u2019s nothing more convenient than using single sign-on (SSO). SSO allows you to log in to all available services in a domain with one password only. UCS provides this feature via the\u00a0<a href=\"https:\/\/www.univention.com\/2015\/11\/single-sign-on-for-ucs-4-1\/\" target=\"_blank\" rel=\"noopener\">SAML Identity Provider since UCS 4.1<\/a>.<\/p>\n<p>We chose to implement SAML as the first single sign-on technology in UCS because of its popularity in the enterprise sector, the high degree of security, and the positive experience that we ourselves had gained with SAML in the years before. Since then, a<span style=\"line-height: inherit;\">\u00a0lot of services and Univention Apps already provide a SAML service provider. Now, we are working on integrating these into the UCS Identity Provider.<\/span><span id=\"more-32418\"><\/span><\/p>\n<p>Today, we would like to describe the configuration of the SAML integration that is required for the ownCloud Univention App. If you are absolutely new to SAML single sign-on, we suggest reading our article <a href=\"https:\/\/www.univention.com\/2016\/12\/brief-introduction-single-sign-on\/\" target=\"_blank\" rel=\"noopener\">Brief Introduction to Single Sign-On<\/a>\u00a0first.
It will give you a general understanding of the SSO concept.<\/p>\n<p>This SAML integration for ownCloud was realized during one of our internal <a title=\"\" href=\"https:\/\/twitter.com\/univention\/status\/873164574756929536\" rel=\"noopener\" target=\"_blank\">Univention Hackathons<\/a>, where some of us meet regularly to give exciting ideas and projects around UCS and UCS@school a go. By the way, many valuable apps, concepts and product features have already emerged during these hackathons.<\/p>\n<p>So, how does the SAML integration for ownCloud work and what do I have to do?<\/p>\n<h3>Configuration of the SAML integration for ownCloud<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-33360 size-large\" title=\"Graphic about the SAML integration of services to UCS\" src=\"https:\/\/www.univention.de\/wp-content\/uploads\/2017\/11\/saml-591x444.png\" sizes=\"(max-width: 591px) 100vw, 591px\" srcset=\"https:\/\/www.univention.com\/wp-content\/uploads\/2017\/11\/saml-591x444.png 591w, https:\/\/www.univention.com\/wp-content\/uploads\/2017\/11\/saml-300x225.png 300w, https:\/\/www.univention.com\/wp-content\/uploads\/2017\/11\/saml-150x113.png 150w, https:\/\/www.univention.com\/wp-content\/uploads\/2017\/11\/saml.png 640w\" alt=\"Graphic about the SAML integration of services to UCS\" width=\"591\" height=\"444\" \/><\/h3>\n<p>For the integration we prepared a Debian package, which performs all the required configuration steps when it is installed.
Basically, you only need a UCS server that has the ownCloud app installed from the Univention App Center.<\/p>\n<p>The configuration of the ownCloud SAML service provider we provide is based on the <a href=\"https:\/\/doc.owncloud.org\/server\/10.0\/admin_manual\/enterprise\/user_management\/user_auth_shibboleth.html?highlight=saml\" target=\"_blank\" rel=\"noopener\">official ownCloud instructions<\/a>, which use the Mod Shibboleth (mod_shib) module of the Apache HTTP server.<\/p>\n<p>After the package is installed, another link is added to the portal which provides the login via SAML. Note that the regular login, which uses LDAP authentication, is still usable as a fallback solution and alternative.<\/p>\n<h3>Preconditions to observe<\/h3>\n<h1><a href=\"https:\/\/www.univention.de\/wp-content\/uploads\/2017\/11\/sso-en.gif\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-33703\" src=\"https:\/\/www.univention.de\/wp-content\/uploads\/2017\/11\/sso-en-591x504.gif\" sizes=\"(max-width: 500px) 100vw, 500px\" srcset=\"https:\/\/www.univention.com\/wp-content\/uploads\/2017\/11\/sso-en-591x504.gif 591w, https:\/\/www.univention.com\/wp-content\/uploads\/2017\/11\/sso-en-300x256.gif 300w, https:\/\/www.univention.com\/wp-content\/uploads\/2017\/11\/sso-en-150x128.gif 150w\" alt=\"\" width=\"500\" height=\"426\" \/><\/a><\/h1>\n<p>Please observe what is needed before the package can be installed:<\/p>\n<ul>\n<li>The <a href=\"https:\/\/www.univention.com\/products\/univention-app-center\/app-catalog\/owncloud\/\" target=\"_blank\" rel=\"noopener\">ownCloud-App<\/a> is installed on the UCS system.<\/li>\n<li>Either ownCloud Enterprise or a <a title=\"\" href=\"https:\/\/marketplace.owncloud.com\/enterprise-trial\" rel=\"noopener\">30-day evaluation copy of ownCloud<\/a> is activated.
The activation happens in two steps:\n<ul>\n<li>Enter your key: Login \u2192 Start menu \u2192 Market (direct link: \/owncloud\/index.php\/apps\/market\/) \u2192 Add API Key \u2192 Save \u2192 Close<\/li>\n<li>Installation of the enterprise Apps: [START ENTERPRISE TRIAL] \u2192 START TRIAL \u2192 INSTALL ENTERPRISE APPS NOW<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>What happens during installation?<\/h3>\n<p>On installation of the Debian package, the following steps are executed:<\/p>\n<ul>\n<li>Installation of the ownCloud SAML-App.<\/li>\n<li>Activation and configuration of the ownCloud SAML-App.<\/li>\n<li>Setup of the Apache configuration for mod_shib in the Docker container of ownCloud.<\/li>\n<li>Setup of an Apache reverse proxy rule for single sign-on on the host system(s).<\/li>\n<li>Setup of a portal entry for the single sign-on to ownCloud.<\/li>\n<\/ul>\n<h4>Needed steps for operation<\/h4>\n<p>To put the whole setup into operation, the following steps are necessary:<\/p>\n<ul>\n<li>If applicable, set the UCR variable <em>owncloud\/saml\/path<\/em> (default: <em>\/oc-shib<\/em>), which defines where ownCloud is available via SAML.<\/li>\n<li>For the installation of the Debian package there are two possibilities:\n<ol>\n<li>Either download and install the package\n<ul>\n<li>Download the package from <a title=\"\" href=\"https:\/\/github.com\/univention\/\" rel=\"noopener\" target=\"_blank\">github<\/a><br \/>\n<blockquote><p>root@ucs# wget https:\/\/raw.githubusercontent.com\/univention\/univention-owncloud-saml\/master\/univention-owncloud-saml_1.0-0.deb<\/p><\/blockquote>\n<\/li>\n<li>Install the package via dpkg<br \/>\n<blockquote><p>root@ucs# dpkg -i univention-owncloud-saml_1.0-0.deb<\/p><\/blockquote>\n<\/li>\n<\/ul>\n<\/li>\n<li>Or clone the git repository, build and install the package\n<ul>\n<li>Clone the git repository from <a title=\"\" href=\"https:\/\/github.com\/univention\/\" rel=\"noopener\" target=\"_blank\">github<\/a>:<br \/>\n<blockquote><p>root@ucs#
univention-install git dpkg-dev debhelper univention-config-dev ucslint-univention<br \/>\nroot@ucs# git clone https:\/\/github.com\/univention\/univention-owncloud-saml.git<\/p><\/blockquote>\n<\/li>\n<li>Build the package:<br \/>\n<blockquote><p>root@ucs# cd univention-owncloud-saml\/; dpkg-buildpackage<\/p><\/blockquote>\n<\/li>\n<li>Install the package via dpkg<br \/>\n<blockquote><p>root@ucs# cd ..; dpkg -i univention-owncloud-saml_1.0-0.deb<\/p><\/blockquote>\n<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<\/li>\n<li>Ensure that the join script was successfully executed via univention-check-join-status<\/li>\n<li>Create an ownCloud user via UMC<\/li>\n<li>Activate the ownCloud user for the SAML service provider via [Account] \u2192 [SAML settings]<\/li>\n<li>Navigate to the portal site and log in using the new user<\/li>\n<\/ul>\n<h2>Notes<\/h2>\n<ul>\n<li>The changes to the file \/root\/owncloud\/subpath.conf in the Docker container of the ownCloud app are not yet preserved when the App is updated. Therefore the join script (40univention-owncloud-saml.inst) must be executed again after each update of the ownCloud App.<\/li>\n<li>The SAML Service Provider metadata are available via https:\/\/$fqdn\/\/Shibboleth.sso\/Metadata. For debugging purposes there is also https:\/\/$fqdn\/\/Shibboleth.sso\/Session, which shows information about the currently logged-in user.<\/li>\n<\/ul>\n<p>If you have further questions, please let us know.
Either <a href=\"https:\/\/www.univention.com\/2017\/11\/how-to-integrate-saml-single-sign-on-in-owncloud-app\/#reply-title\" target=\"_blank\" rel=\"noopener\">comment below<\/a> or ask us via the <a title=\"\" href=\"https:\/\/help.univention.com\/\" rel=\"noopener\" target=\"_blank\">Univention forum<\/a>.<\/p>\n<p>We are looking forward to your feedback!<\/p>\n<p>&nbsp;<\/p>\n<p>The Post\u00a0<a href=\"https:\/\/www.univention.com\/2017\/11\/how-to-integrate-saml-single-sign-on-in-owncloud-app\/\" rel=\"nofollow noopener\" target=\"_blank\">How to Integrate SAML Single Sign-On in ownCloud App<\/a> was first published on\u00a0<a href=\"https:\/\/www.univention.com\/\" rel=\"nofollow noopener\" target=\"_blank\">Univention<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>How to integrate single sign on with ownCloud SAML SSO: Make your users happy by providing single sign on for your ownCloud instance.<\/p>\n","protected":false},"author":7,"featured_media":13399,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"categories":[345],"tags":[227,421,439,220,440],"class_list":["post-12788","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-planetowncloud","tag-appliance","tag-foss","tag-saml","tag-security","tag-univention"],"acf":[],"_links":{"self":[{"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/posts\/12788","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/comments?post=12788"}],"version-history":[{"count
":0,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/posts\/12788\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/media\/13399"}],"wp:attachment":[{"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/media?parent=12788"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/categories?post=12788"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/tags?post=12788"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}