Microsoft Office Online / WOPI Integration

Introduction

The WOPI (Web Application Open Platform Interface) app, which is bundled with ownCloud Enterprise Edition, is the connector between ownCloud server and Microsoft Office Online Server or Office 365 (cloud).

It allows Microsoft Office users to collaboratively work with Office documents in ownCloud in the browser, by connecting ownCloud with your Microsoft Office Online Server or Office 365 (cloud) via the WOPI protocol.

  • Microsoft Office Online Server: To use it, you need to have a running Microsoft Office Online Server in your data center.

  • Office 365 (cloud): To use it, you need an active Microsoft 365 subscription.

Please bear in mind:

  • WOPI is only available for ownCloud enterprise. It is not available in the community version.

  • Out-of-the box only the on-premise version of Microsoft Office Online Server is supported.

  • If you want to integrate the Office 365 (cloud) version of Microsoft Office Online, you need to get in touch with us.

  • This app requires at minimum ownCloud Version 10.5 and php 7.1.

Procedure using Microsoft 365

Apart from licensing, when using Microsoft 365, the following procedure applies, contact ownCloud Support for more details:

  • Customers provide ownCloud with:

    • a written statement about their Microsoft 365 entitlement.

    • the URL of their ownCloud instance. Only users coming from this URL will be able to use Microsoft 365.

  • ownCloud provides customers with a required proxy URL to be used in the settings, see below.

    • Among other things, the proxy checks if users originate from the given ownCloud Instance URL.

  • When users open an office document via the ownCloud instance and Office 365 for the web is loaded, Microsoft checks if these users are already signed in via a Microsoft 365 business account. If users are not yet signed in, they will be prompted to sign in.

Preparing the Environment

To use Microsoft Office for the web, you need:

All involved servers (Office Online Server and the ownCloud server) need to be accessible by HTTPS with valid certificates.

Configuring the WOPI App in ownCloud

To configure the WOPI app in your ownCloud installation, add the following configuration to config/config.php, and adjust it based on the details of your setup:

# ownCloud Support URL: https://owncloud.com/support

# WOPI token:
# For Office Online Server: Replace the token with your own random string
# For Office 365 (cloud): Request the string from us
# (this has to match the `O365_PROXY_SHARED_KEY`
# configuration of the O365 proxy)
'wopi.token.key' => 'REPLACE_WITH_WOPI_TOKEN_KEY'

# Office server URL
# For Office Online Server: Enter your https://your.office.online.server.tld
# For Office 365 (cloud): Upstream url to Microsoft O365.
# Microsoft will only accept connections from registered ownCloud domains.
# For Office 365 quality assurance upstream URL:
#   https://ffc-onenote.officeapps.live.com/hosting/discovery
# For Office 365 production upstream URL:
#   https://onenote.officeapps.live.com/hosting/discovery
'wopi.office-online.server' => 'https://THE_OFFICE_SERVER_URL',

# Proxy URL
# Only for Office 365 (cloud), not needed for Office Online Server
# URL of the O365 proxy instance.
# Note that you will get a working URL from ownCloud Support
# post a written declaration that your company has an eligable
# Microsoft Business contract.
'wopi.proxy.url' => 'https://o365.example.com',

# Enable Business Flow
# Only for Office 365 (cloud), not needed for Office Online Server
# Necessary for the O365 proxy key above.
'wopi.business-flow.enabled' => 'yes',

# Samesite Cookie
# Only for Office 365 (cloud), not needed for Office Online Server
# Necessary to allow e.g. opening ownCloud sharing from O365.
# Use `None` if you are using OpenID Connect.
'http.cookie.samesite' => 'Lax',

Restrict Usage to Users in a Specific Group

Microsoft Office Online access can be restricted to users in a specific group, by use of the wopi_group configuration key (in config/config.php), as in the following example.

'wopi_group' => 'admin'

In the example above, only users in the admin group would be able to access Microsoft Office Online.

If the key is not defined, then all users have access to this Microsoft Office Online service connected via WOPI.

Locking the Document

If you open a document with Microsoft Office Online in ownCloud, it makes use of the WebDAV file locking functionality available in ownCloud server. The idea is to lock the file so other users with access can’t make changes to the document while you’re editing it.

In other words, the feature ensures that you are the "master editor". Your changes will always be the "master state". Other users can make changes, e.g., with the desktop client, but those will create conflict files for them, which can be resolved afterward. When you close the document, Microsoft Office Online unlocks the file so others can edit it.

You can always click on the lock icon next to your file name and unlock it manually using the button in the sidebar.

Lock Timeout

If a user is editing a file and loses their internet connection, the lock will timeout, freeing the lock after 30 minutes. Refer to the WOPI documentation for further information.

Known Issues

Document Locks Are Not Released When Using Google Chrome

When editing a document with Google Chrome (and Chromium) via ownCloud in Microsoft Office Online, the document lock is not released when the document is closed. The document lock is only released after the 30-minute timeout or a manual lock release. To mitigate the issue, try to remember to manually unlock the document before closing it.

More information about this issue is available in the following links:

Troubleshooting

Checklist if something is not working:

  1. Client can reach the ownCloud Server (browse to web page and log in)

  2. Client can reach the Office Online Server (via hosting/discovery url with https)

  3. ownCloud Server can reach the Office Online Server (via hosting/discovery url with https)

  4. Office Online Server can reach ownCloud Server (browse to web page and log in)

Make sure TLS 1.2 is being used: