Example Setup Using Microsoft Azure

Introduction

Microsoft Azure Active Directory (Azure AD) is Microsoft’s multi-tenant cloud-based directory and identity management service. This document describes how to integrate Microsoft Azure Active Directory (Azure AD) as an identity provider (IdP) by configuring OpenID Connect (OIDC) in both Single Sign‑On and Azure AD.

Setup and Configuration

The sections below will explain these areas and provide configuration examples using Microsoft Azure Active Directory (Azure AD) as the external Identity Provider.

Configure Microsoft Azure AD

Follow these steps to configure Microsoft Azure AD for use with OpenID Connect (OIDC):

  1. Log in to Azure.


  2. Go to Manage Azure Active Directory.


  3. Then go to Properties → Tenant ID and note your tenant ID for later use.


  4. Then go to App registrations → New registration.


  5. Provide all required information.


  6. Go to Authentication → Configure Web → Redirect URI and set up your Redirect URI.


  7. Go to Certificates & secrets → Add a client secret and set up the client secret for your app.


  8. Go to Token configuration → Add optional claim and set up the claims.


  9. Go to API permissions → Configured permissions → Add a permission and add delegated permissions.


  10. On the same page, do not forget to click Grant admin consent so that all permissions are granted.


  11. Go to Expose an API → Set the App ID URI and set the Application ID URI.


  12. Then, on the same page, go to Add a scope → Scope name and give the scope a meaningful name like owncloud; under Add a scope → Who can consent, allow Admins and users to consent. The full API scope name is shown below the scope name you entered.


  13. You get the CLIENT-ID after you have completed the Microsoft Azure setup process. The following screen shows an overview of most of the settings you made; you can get there by clicking Overview.


Configure ownCloud Server

To set up ownCloud Server to work with OpenID Connect, you have to:

  1. Install the OpenID Connect App.

  2. Configure config.php.

  3. Set up service discovery.

It is recommended to first work out the complete configuration on a test system and to move it to the production system once it has proven to work. Enabling the OpenID Connect App on the production system should be the last step in this process, as from then on the server advertises OpenID Connect to all clients.

List of OpenID Connect config.php Parameters

Follow this link to read more about the OIDC config.php parameters available to configure OpenID Connect on ownCloud Server.

Example config.php setup

An example snippet that can be added to config.php is shown below. Both config values listed below need to be added. The example expects that the users who will log in have already been created in ownCloud.

Use these links to see the corresponding configuration section for:

    // SameSite=None lets the session cookie be sent on the cross-site redirect
    // back from Azure AD; browsers only accept such a cookie over HTTPS.
    'http.cookie.samesite' => 'None',

    'openid-connect' => [
        // Only users that already exist in ownCloud can log in (see below to change this).
        'auto-provision' => ['enabled' => false],
        // Tenant ID noted in step 3 of the Azure AD setup; /v2.0/ addresses the v2.0 endpoints.
        'provider-url' => 'https://login.microsoftonline.com/YOUR-DIRECTORY-TENANT-ID/v2.0/',
        // Application (client) ID from the Overview page (step 13) and the secret from step 7.
        'client-id' => 'YOUR-CLIENT-ID',
        'client-secret' => 'YOUR-CLIENT-SECRET',
        'loginButtonName' => 'Azure AD',
        'autoRedirectOnLoginPage' => false,
        'scopes' => [
            'openid',
            // The scope exposed in step 12: Application ID URI plus the scope name.
            'api://YOUR-APPLICATION-ID-SCOPE-URI/owncloud',
            'profile', 'email', 'offline_access',
        ],
        // Look up the ownCloud user by email, using the 'unique_name' claim of the access token.
        'mode' => 'email',
        'search-attribute' => 'unique_name',
        'use-access-token-payload-for-user-info' => true,
    ],
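Before enabling the app on production, it pays to check the values above against what the tenant actually advertises. The following is an added Python example (not ownCloud or Microsoft code): it models the config.php values as a dict and checks them against a constructed discovery document in the shape of Azure AD's v2.0 /.well-known/openid-configuration. The tenant ID, client ID and secret are constructed placeholders; when running this for real, fetch the discovery document from the URL that discovery_url() returns and pass it in.

```python
"""Pre-flight check of the 'openid-connect' config.php values against the
IdP's OIDC discovery document.

Added example, not part of ownCloud. All identifiers below are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed tenant id (not a real tenant).
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"

# The 'openid-connect' values from the config.php snippet, as a dict.
SAMPLE_CONFIG = {
    "provider-url": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/v2.0/",
    "client-id": "0a1b2c3d-0000-0000-0000-000000000000",   # constructed
    "client-secret": "constructed-secret-value",            # constructed
    "scopes": ["openid", f"api://{SAMPLE_TENANT}/owncloud",
               "profile", "email", "offline_access"],
}

# Constructed discovery document in the shape Azure AD v2.0 serves.
SAMPLE_DISCOVERY = {
    "issuer": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/discovery/v2.0/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

# Matches the YOUR-... placeholders used in the config.php snippet.
PLACEHOLDER = re.compile(r"YOUR-[A-Z-]+")
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(provider_url: str) -> str:
    """Where the OIDC discovery document for a provider URL is served."""
    return provider_url.rstrip("/") + "/.well-known/openid-configuration"


def check_config(config: dict, discovery: dict) -> list:
    """Return a list of problems; an empty list means the config passed."""
    problems = []

    # 1. Placeholders that were never replaced (tenant id, client id/secret, scope URI).
    for key in ("provider-url", "client-id", "client-secret"):
        if PLACEHOLDER.search(str(config.get(key, ""))):
            problems.append(f"{key}: placeholder value not replaced")
    for scope in config.get("scopes", []):
        if PLACEHOLDER.search(scope):
            problems.append(f"scopes: placeholder in {scope!r}")

    # 2. The issuer the IdP advertises must equal provider-url without the trailing
    #    slash; otherwise the 'iss' claim of issued tokens will not validate.
    expected_issuer = config["provider-url"].rstrip("/")
    if discovery.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: discovery says {discovery.get('issuer')!r}, "
                        f"config expects {expected_issuer!r}")

    # 3. The endpoints the login flow needs must exist and be served over HTTPS.
    for endpoint in REQUIRED_ENDPOINTS:
        url = discovery.get(endpoint)
        if not url:
            problems.append(f"discovery: missing {endpoint}")
        elif urlparse(url).scheme != "https":
            problems.append(f"discovery: {endpoint} is not https")

    # 4. 'openid' is mandatory for OIDC; standard scopes must be advertised. The
    #    app-specific api:// scope is not listed by the IdP, so it is skipped here.
    scopes = config.get("scopes", [])
    if "openid" not in scopes:
        problems.append("scopes: 'openid' missing (required for OIDC)")
    supported = set(discovery.get("scopes_supported", []))
    for scope in scopes:
        if not scope.startswith("api://") and scope not in supported:
            problems.append(f"scopes: {scope!r} not in scopes_supported")

    # 5. Tokens must be signed with an asymmetric algorithm verifiable via jwks_uri.
    if "RS256" not in discovery.get("id_token_signing_alg_values_supported", []):
        problems.append("discovery: RS256 not offered for ID token signing")

    return problems


if __name__ == "__main__":
    print("discovery document:", discovery_url(SAMPLE_CONFIG["provider-url"]))
    for problem in check_config(SAMPLE_CONFIG, SAMPLE_DISCOVERY) or ["ok"]:
        print(problem)
```

The issuer comparison is the check that catches the most common mistake, a tenant ID pasted into provider-url that differs from the tenant the app was registered in: the discovery document then loads fine, but every token is rejected at validation time.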

If you want ownCloud to create users that do not yet exist when they authenticate via OIDC, replace
'auto-provision' => ['enabled' => false], with:

    'auto-provision' => [
        'enabled' => true,
        'email-claim' => 'email',
        'display-name-claim' => 'name',
    ],
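To make the interplay of 'mode', 'search-attribute', 'use-access-token-payload-for-user-info' and 'auto-provision' concrete, here is an added Python example that is not ownCloud's implementation: it models the user lookup on an in-memory user table with constructed, already validated token payloads (no real tenant or users). Signature, issuer and audience checks are assumed to have been done by the OIDC library before the payload reaches this code; the way a new user's ID is derived on auto-provisioning is illustrative only.

```python
"""Illustrative model of how the config.php values above select a user at login.

Added example, not ownCloud code. Payloads and users are constructed.
"""
import time
from dataclasses import dataclass


@dataclass
class User:
    uid: str
    email: str
    display_name: str


class LoginRejected(Exception):
    """Raised when no ownCloud user can be associated with the token."""


# The 'openid-connect' values from the snippet that matter for the lookup.
CFG_NO_PROVISION = {
    "auto-provision": {"enabled": False},
    "mode": "email",
    "search-attribute": "unique_name",
    "use-access-token-payload-for-user-info": True,
}
CFG_PROVISION = {**CFG_NO_PROVISION,
                 "auto-provision": {"enabled": True,
                                    "email-claim": "email",
                                    "display-name-claim": "name"}}

# Constructed, already validated access-token payloads.
NOW = 1_700_000_000
PAYLOAD_ALICE = {"unique_name": "Alice@example.test", "email": "alice@example.test",
                 "name": "Alice Example", "exp": NOW + 3600}
PAYLOAD_BOB = {"unique_name": "bob@example.test", "email": "bob@example.test",
               "name": "Bob Example", "exp": NOW + 3600}


def initial_users():
    """Constructed ownCloud user table: only Alice exists before the first login."""
    return [User(uid="alice", email="alice@example.test", display_name="Alice Example")]


def resolve_user(oidc_cfg, payload, users, now=None):
    """Return the ownCloud user for a token payload, provisioning one if allowed."""
    now = time.time() if now is None else now
    if payload.get("exp", 0) <= now:
        raise LoginRejected("token expired")

    # 'search-attribute' names the claim whose value identifies the user.
    attr = oidc_cfg["search-attribute"]
    value = payload.get(attr)
    if not value:
        raise LoginRejected(f"claim {attr!r} missing from token payload")

    # 'mode' says which user property that value is compared with; 'email'
    # compares case-insensitively with the stored email address. Any other
    # mode is assumed here to compare with the user ID.
    mode = oidc_cfg["mode"]
    for user in users:
        if mode == "email" and user.email.casefold() == value.casefold():
            return user
        if mode != "email" and user.uid == value:
            return user

    # No match: either reject or create the user from the configured claims.
    provisioning = oidc_cfg["auto-provision"]
    if not provisioning.get("enabled"):
        raise LoginRejected(f"no existing user for {attr}={value!r} and auto-provision is off")
    email = payload.get(provisioning["email-claim"])
    name = payload.get(provisioning["display-name-claim"])
    if not email or not name:
        raise LoginRejected("cannot provision: email or display-name claim missing")
    # Illustrative choice: the email address doubles as the user ID, which cannot collide.
    new_user = User(uid=email.casefold(), email=email, display_name=name)
    users.append(new_user)
    return new_user


def try_login(oidc_cfg, payload, users, now=NOW):
    """Wrapper that returns the User, or the rejection reason as a string."""
    try:
        return resolve_user(oidc_cfg, payload, users, now=now)
    except LoginRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    users = initial_users()
    print(try_login(CFG_NO_PROVISION, PAYLOAD_ALICE, users))
    print(try_login(CFG_NO_PROVISION, PAYLOAD_BOB, users))
    print(try_login(CFG_PROVISION, PAYLOAD_BOB, users), "users now:", len(users))
```

With auto-provisioning off, Bob's otherwise valid token is rejected because no ownCloud user carries his email; with it on, the 'email' and 'name' claims are used to create him on first login, which is why those claims must be present in the token (step 8 of the Azure AD setup).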