ownCloud Single Sign On with OpenID Connect atop OAuth2

OpenID Connect

Delegate user authentication and client authorization to an Identity Provider. OpenID Connect is the open standard for single sign-on, identity and access management.

Editions: Community Edition, Standard Edition, Enterprise Edition, ownCloud.online Edition

Digital Identity and Access Management is of utmost importance for any organization’s security. In managing the identities of people, it defines who makes up that organization. By governing who can access what data in which way, and by authenticating them, it both reflects and creates the outline of an organization. It deals with the roles and capabilities people have with regard to an organization.

Delegating Identity and Authentication
Identity and authentication are also areas in which organizations tend to have custom requirements and particular needs. This is why ownCloud does not try to push organizations towards a certain solution but rather provides an open standard interface for full flexibility.

Organizations that want to use ownCloud have virtually free choice among the range of Identity Providers that support the OpenID Connect authentication standard.

Whether organizations prefer a conventional LDAP-based Identity Management or Microsoft’s cloud-based Azure AD, Keycloak or Ping Federate, an Identity-as-a-Service like cidaas or an on-premises open source Identity Provider like Kopano Konnect – ownCloud is up for it.

Leveraging OpenID Connect for authentication also brings Single Sign-on capabilities – one set of credentials can be used for all other compatible applications, too.

How it works
To log in with any client, for example the ownCloud app, users authenticate in their browser against the Identity Provider. If successful, the Identity Provider issues the client with a token to allow access. This way, the ownCloud client or app never even encounters a user’s credentials, reducing the attack surface.

What exactly a user needs to present to an Identity Provider to gain access is strictly the Identity Provider’s business, whether that is just a password, an additional factor such as a one-time code or a fingerprint, or even a hardware authentication key. This opens up a lot of possibilities for organizations.

Also, those client tokens can be revoked or set to expire, even programmatically, e.g. on leaving the company network or when encountering suspicious behaviour.

All of this gives organizations plenty of flexibility to define and enforce security according to their needs. They can, for instance, restrict access to their ownCloud to office networks, exempting management unless they are travelling in certain countries. That same Identity Provider may still allow staff to access other services like email from outside the office, but restrict this access to workdays and a certain time window.
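As an added illustration (not ownCloud's own code), the checks a service performs on the token a client presents: signature, issuer, audience, expiry and revocation, so that a revoked or expired token stops granting access while the service never sees the user's credentials. It assumes a constructed HS256 shared secret and an in-memory revocation list; a real Identity Provider publishes asymmetric signing keys and offers a revocation or introspection endpoint instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values: a real deployment fetches the Identity Provider's
# published signing keys and queries its revocation/introspection endpoint.
SECRET = b"constructed-demo-secret"
REVOKED_TOKEN_IDS = {"tok-0002"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict) -> str:
    """Stand-in for the Identity Provider: sign the claims as an HS256 JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, issuer: str, audience: str, now=None):
    """Validate a presented token; returns (ok, subject-or-reason)."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed"
    # Pin the algorithm: never trust the token header to choose how it is verified.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if claims.get("iss") != issuer:
        return False, "wrong issuer"
    if claims.get("aud") != audience:
        return False, "wrong audience"
    if now >= claims.get("exp", 0):
        return False, "expired"
    if claims.get("jti") in REVOKED_TOKEN_IDS:
        return False, "revoked"
    return True, claims.get("sub")
```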


Resources about OpenID Connect

Admin Docs

Technical Introduction Blogpost

ownCloud Marketplace

Github