Example Setup Using Microsoft Azure

Introduction

Microsoft Azure Active Directory (Azure AD) is Microsoft’s multi-tenant cloud-based directory and identity management service. This document describes how to integrate Microsoft Azure Active Directory (Azure AD) as an identity provider (IdP) by configuring OpenID Connect (OIDC) in both Single Sign‑On and Azure AD.

Setup and Configuration

The sections below explain the steps on both sides and provide configuration examples using Microsoft Azure Active Directory (Azure AD) as the external identity provider.

Configure Microsoft Azure AD

Follow these steps to configure Microsoft Azure AD for use with OpenID Connect (OIDC):

  1. Log in to Azure.

    [screenshot: login with MS Azure]

  2. Go to Manage Azure Active Directory.

    [screenshot: select Manage Azure AD]

  3. Go to Properties → Tenant ID and note your tenant ID for later use.

    [screenshot: portal tenant ID, MS Azure AD]

  4. Go to App registrations → New registration.

    [screenshot: new registration, MS Azure AD]

  5. Provide all required information.

    [screenshot: provide required information, MS Azure AD]

  6. Go to Authentication → Add a platform and select Web under Configure platforms.

    [screenshot: set up web application, MS Azure AD]

  7. Go to Authentication → Configure Web → Redirect URI and set up your Redirect URI.

    [screenshot: set up redirect URI, MS Azure AD]

  8. Go to Certificates & secrets → Add a client secret and create the client secret for your app.

    [screenshot: set up client secret, MS Azure AD]

  9. Go to Token configuration → Add optional claim and set up the claims.

    [screenshot: set up claims, MS Azure AD]

  10. Go to API permissions → Configured permissions → Add a permission and add the delegated permissions.

    [screenshot: Graph permission, MS Azure AD]

  11. On the same page, do not forget to Grant admin consent for all permissions.

    [screenshot: admin consent, MS Azure AD]

  12. Go to Expose an API → Set the App ID URI and set the Application ID URI.

    [screenshot: App ID URI, MS Azure AD]

  13. Then, on the same page:

    1. Add a scope → Scope name: give the scope a meaningful name like owncloud, and

    2. Add a scope → Who can consent: allow Admins and users to consent. The full API scope name is shown below the scope name you entered.

      [screenshot: scope consent, MS Azure AD]

  14. You get the CLIENT-ID after you have completed the Microsoft Azure setup process. The Overview screen, reached by clicking Overview, shows most of the settings you made.

    [screenshot: overview screen, MS Azure]

Microsoft Azure AD and RedirectURI

Using 127.0.0.1 instead of localhost as the Redirect URI is not straightforward. Microsoft has its own documentation describing a workaround, see Prefer 127.0.0.1 over localhost. In summary, select Manifest (under Manage) in your app, search for replyUrlsWithType, and either add a new entry with 127.0.0.1 or modify an existing one.

[screenshot: MS Azure manifest]
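As an added illustration that is not taken from the ownCloud documentation or from Microsoft's page, this is the shape of the replyUrlsWithType array in the app manifest after a loopback entry has been added next to the existing one. Host, port and redirect path are placeholders; the page does not state the ownCloud redirect path, so substitute the exact Redirect URI your ownCloud test instance sends.

```json
{
  "replyUrlsWithType": [
    {
      "url": "https://YOUR-OWNCLOUD-HOST/YOUR-REDIRECT-PATH",
      "type": "Web"
    },
    {
      "url": "http://127.0.0.1:YOUR-PORT/YOUR-REDIRECT-PATH",
      "type": "Web"
    }
  ]
}
```

Only this array is shown; leave the remaining manifest fields untouched. Azure AD matches redirect URIs exactly, including scheme, port and path, so a mismatch between the manifest entry and what ownCloud sends results in a redirect URI error rather than a login.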

Configure ownCloud Server

To set up ownCloud Server to work with OpenID Connect, you have to:

  1. Install the OpenID Connect App.

  2. Configure config.php.

  3. Set up service discovery.

It is recommended to first work out the complete configuration on a test system and to move it to the production system only once it has proven to work. Enabling the OpenID Connect App on the production system should be the last step in this process, as it will then advertise OpenID Connect to all clients.

List of OpenID Connect config.php Parameters

Follow this link to read more about the OIDC config.php parameters available to configure OpenID Connect on ownCloud Server.

Example config.php Setup

An example snippet for config.php is shown below; both config values listed must be added. The example expects that the login users already exist in ownCloud.

Use these links to see the corresponding configuration section for:

'http.cookie.samesite' => 'None',

'openid-connect' => [
    'auto-provision' => ['enabled' => false],
    'provider-url' => 'https://login.microsoftonline.com/YOUR-DIRECTORY-TENANT-ID/v2.0/',
    'client-id' => 'YOUR-CLIENT-ID',
    'client-secret' => 'YOUR-CLIENT-SECRET',
    'loginButtonName' => 'Azure AD',
    'autoRedirectOnLoginPage' => false,
    'scopes' => [
        'openid',
        'api://YOUR-APPLICATION-ID-SCOPE-URI/owncloud',
        'profile', 'email', 'offline_access',
    ],
    'mode' => 'email',
    'search-attribute' => 'unique_name',
    'use-access-token-payload-for-user-info' => true,
],

If you want ownCloud to create users that do not yet exist at the time of an OIDC authentication, replace
'auto-provision' => ['enabled' => false], with:

    'auto-provision' => [
        'enabled' => true,
        'email-claim' => 'email',
        'display-name-claim' => 'name',
    ],
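The config values above (tenant in provider-url, client-id, the api:// scope, mode and search-attribute) only make sense together with the checks a relying party performs on the token Azure AD returns. The following is an added example, not ownCloud's code and not a description of how the OpenID Connect App is implemented internally: it builds a constructed token shaped like an Azure AD access token and validates signature, issuer, audience, lifetime and granted scope before reading the claim named by search-attribute. Assumptions: the placeholders mirror the config.php snippet; the token is an HS256 stand-in signed with a shared secret purely to keep the example offline (real Azure AD tokens are RS256-signed with keys published under the tenant's JWKS endpoint); the delegated scope is read from the space-separated scp claim.

```python
# Added example (not part of the ownCloud documentation or code base).
import base64
import hashlib
import hmac
import json
import time

TENANT_ID = "YOUR-DIRECTORY-TENANT-ID"              # placeholder from config.php
CLIENT_ID = "YOUR-CLIENT-ID"                        # placeholder from config.php
APP_ID_URI = "api://YOUR-APPLICATION-ID-SCOPE-URI"  # placeholder: App ID URI (step 12)
PROVIDER_URL = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0/"
SIGNING_SECRET = b"constructed-demo-secret"         # stand-in for the IdP signing key (assumption)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def demo_claims(now: int) -> dict:
    """Constructed claim set shaped like an Azure AD access token for this app."""
    return {
        "iss": PROVIDER_URL.rstrip("/"),  # Azure AD issues iss without a trailing slash
        "aud": APP_ID_URI,
        "nbf": now - 60,
        "exp": now + 3600,
        "scp": "owncloud",                # the scope defined in step 13 (assumed claim name)
        "unique_name": "alice@example.com",
        "email": "alice@example.com",
        "name": "Alice Example",
    }


def make_demo_token(claims: dict) -> str:
    """Build the constructed HS256 stand-in token from a claim set."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signature = hmac.new(SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def validate_token(token: str, search_attribute: str, now: int = None) -> dict:
    """Validate the token and return the value used to look up the ownCloud user.

    Returns {'ok': bool, 'reason': str, 'user_key': str or None}.
    """
    now = int(time.time()) if now is None else now

    def reject(why: str) -> dict:
        return {"ok": False, "reason": why, "user_key": None}

    parts = token.split(".")
    if len(parts) != 3:
        return reject("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # 1. Signature: claims are only read after the signature is verified.
    expected = hmac.new(SIGNING_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    try:
        presented = _b64url_decode(sig_b64)
    except ValueError:
        return reject("bad signature")
    if not hmac.compare_digest(expected, presented):
        return reject("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # 2. Issuer: only tokens from the tenant named in provider-url may log anybody in.
    if claims.get("iss") != PROVIDER_URL.rstrip("/"):
        return reject("wrong issuer")
    # 3. Audience: a token minted for another API must not be accepted here.
    if claims.get("aud") not in (APP_ID_URI, CLIENT_ID):
        return reject("wrong audience")
    # 4. Lifetime window.
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        return reject("expired or not yet valid")
    # 5. Scope: the delegated 'owncloud' scope from step 13 must have been granted.
    if "owncloud" not in claims.get("scp", "").split():
        return reject("owncloud scope not granted")
    # 6. Only now is the claim named by search-attribute used to find the user.
    user_key = claims.get(search_attribute)
    if not user_key:
        return reject(f"claim {search_attribute} missing")
    return {"ok": True, "reason": "", "user_key": user_key}


if __name__ == "__main__":
    current = int(time.time())
    print(validate_token(make_demo_token(demo_claims(current)), "unique_name", current))
```

The order of the checks is the point: with mode set to email and search-attribute set to unique_name, the user lookup happens last, after the token has been tied to this tenant, this application and the granted scope. Passing search-attribute as a parameter also shows why the claim you configure must actually be present in the token; if the Token configuration step (step 9) did not add it, the login fails with a missing claim rather than mapping to a wrong user.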

Use oAuth2 authentication for ownCloud Desktop and Mobile Clients

To allow the ownCloud clients (ownCloud Web, Desktop, Android and iOS) to interact with the ownCloud Server, you have to install and enable the oAuth2 app. See the Open Authentication (OAuth2) documentation for more details. In this setup your ownCloud clients work without extra effort, but be advised that the ownCloud Server then acts as the identity provider for the clients, so you will not be able to delete those clients directly from your identity management solution.

Register ownCloud Desktop and Mobile Clients with Azure AD

To allow the ownCloud clients (ownCloud Web, Desktop, Android and iOS) to interact directly with the identity provider, you have to register them as clients.

Only branded ownCloud desktop and mobile clients can be registered with Azure AD, because they need to be built with customized scope and prompt parameters. As a prerequisite, an ownCloud full branding subscription is needed. For more details, get in touch with ownCloud Support.