“Hybrid” Settings in User Management
ownCloud customers that integrate their own user management into ownCloud with a backend like LDAP or Open ID can now use only certain fields from the central identity management, fields that are ownCloud-specific can be managed in the ownCloud user management. Admins can define fields that are not changeable through the admin frontend (i.e. the information in these fields will always come from the backend.)
Even though an LDAP/OID provider may provide all necessary information for ownCloud user management, some fields may be “overridden” by local settings; others are necessary, but may not exist in the external authentication backend – like the ownCloud user’s or group’s quota or settings that are individual for Spaces. Check the administration documentation for further details on Open ID Connect (OIDC), the connector used by ownCloud.
Figure 1: Administrators can now permit local user management settings to override the configuration retrieved from the identity provider.
In ownCloud, a tiny “lock” symbol in the panel on the right indicates fields whose content cannot be changed by the local administrator, since they are acquired from the authentication backend (e.g. LDAP or OIDC). Figure 1 shows this for user management.
Batch Mode
Apart from that, the developers added many other features, including extended batch mode in ownCloud’s user and group administration (Figure 2) and an “Edit Login” button on top that allows easy access to the new features – like removing permission to log in from a user’s account. Especially when combining the new filter interface with batch mode and the new per-user-settings, administrators may save a lot of time in daily work.
Figure 2: Administrators of ownCloud can now edit many user settings through batch mode – they can set the quota for several users in one go.
Those new filter options make it easier to find users and edit several accounts at the same time. Figure 2 shows the suggestions an administrator is given after he has used filters to find two particular users because he wants to deactivate their accounts. Thanks to batch mode, he can do that with a few mouse clicks.
New side panel for group members
Answering a wish often voiced by customers and users, ownCloud developers added a new side panel that shows all members of a group (Figure 3). Administrators can now more easily access a list of group members and batch edit it.
Figure 3: On the right, there now is a handy group tab that shows all members of a selected group.
Backchannel logout
Administrators using Identity providers like Open ID Connect will know a logout on the client has to be followed by a logout of the user account on all connected servers and services. Because Open ID servers are accomplishing this transparently in the backend, the technical term is “OpenID backchannel logout“. ownCloud developers integrated that in ownCloud; Figure 4 shows how it works.
Figure 4: As a part of oidc, the OiD server logs users out of all services in the backend when the client requests a logout and then reports successful logouts to the client app.
Administrators can configure Backchannel logout in ownCloud with the GUI of Keycloak (Figure 5)
Figure 5: With ownCloud, back channel logout can be configured in Keycloak
A logout on a client like ownCloud that is connected through Single-Sign-On (SSO) will now also log the user out of all other sessions that the client is connected to.
