Single sign-on with ownCloud

June 3, 2014

OwnCloud is at the forefront of open source file sharing and cloud storage. It is sometimes introduced as the open source alternative to Dropbox, but that comparison misses a ton of cool features that ownCloud has and Dropbox lacks. As well as file synchronisation, ownCloud offers things like groupware functionality (e.g. calendar, task scheduler, address book) and music streaming, and its developers are currently working on office suite integration.

With features that are so useful to organisations, ownCloud’s uptake has naturally spread to places like businesses and universities. Of course, users like these often have requirements that most John Doe users don’t. One of these is security. Big business and public sector organisations take IT security very seriously and like to insist on full control of it. Whereas most of us make do with a simple username-and-password approach, big users will deploy the big guns when it comes to controlling access to their systems.

Shibboleth

One such ‘big gun’ is Shibboleth, a single sign-on (SSO) system that removes the need for a separate password for every application. In a Shibboleth setup there is one central point (or maybe several of them) called an IdP (Identity Provider) where a user signs in and proves who they are. Once this is done, the user can access any of the secured content under the organisation’s control. The content could be in one domain or spread across several of them, it really doesn’t matter; what’s important is that each content provider trusts the IdP and knows how to ask it for, and verify, an assertion about the user. If the IdP tells the content provider that the user checks out, they are granted access.

Integrating Shibboleth into ownCloud

OwnCloud came to us to help them integrate Shibboleth authentication into their flagship product. They already provided alternative login systems, like LDAP authentication, but this was the first SSO-based access control system to be coded into ownCloud’s core.

This necessitated that we ‘shibbolise’ ownCloud, shibbolising being the term for giving an application the ability to authenticate using Shibboleth. This becomes a core capability of ownCloud, meaning we not only had to produce a new Shibboleth module, but also adapt the existing authentication code. After all, under a Shibboleth setup it is no longer ownCloud that decides whether a user is authenticated; ownCloud delegates that task to the Shibboleth service provider sitting in front of it on the web server.

We also had to adapt the desktop synchronisation client. The client is installed on a desktop computer where it keeps the files on the machine and the server synchronised. Normally, the client stores your username and password to authenticate with the server, but we adapted it so it can be made to work with a shibbolised ownCloud too. As the client is built using the Qt Framework, one of Endocode’s core skills, this was no sweat.

How does it work?

Firstly, ownCloud is deployed behind a service provider (SP): the Shibboleth component on the web server, configured to trust the organisation’s IdP. The SP is set up so that when someone requests access to ownCloud it first verifies with the IdP that the person making the request is currently signed on and allowed to use the service; a user without a session is sent to the IdP to log in.

Then, assuming the IdP has responded positively, the request is passed on to ownCloud itself together with the user’s identity, which the SP hands over as server variables such as REMOTE_USER rather than as something the browser sent. At this point ownCloud establishes its own session for that user, relying on the SP to have checked the user on every request that reaches it. This way, the organisation’s users can work with their ownCloud service without having to create and remember yet another set of credentials.
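The deployment described above, as an added example that is not part of the original post or of ownCloud’s own configuration: an Apache httpd 2.4 fragment that puts the Shibboleth SP (mod_shib) in front of an ownCloud install served under /owncloud. The path, the use of SP 2.x with a running shibd, and an attribute such as eppn being mapped to REMOTE_USER in shibboleth2.xml are all assumptions made for the example.

```apache
# Added example, not the post's or ownCloud's configuration.
# Assumed: Shibboleth SP 2.x with shibd running, Apache httpd 2.4,
# ownCloud served under /owncloud, and shibboleth2.xml mapping an
# attribute such as eppn to REMOTE_USER.

# Handler the SP uses for the SAML exchange with the IdP. It must stay
# reachable without any authentication requirement of its own.
<Location /Shibboleth.sso>
    SetHandler shib
</Location>

<Location /owncloud>
    AuthType shibboleth
    # Force a login at the IdP before any request reaches ownCloud.
    ShibRequestSetting requireSession 1
    # Pass attributes to the application as environment variables only,
    # never as request headers, so a client cannot forge REMOTE_USER by
    # simply sending that header.
    ShibUseHeaders Off
    # Only an established SP session grants access.
    Require shib-session
</Location>
```

Two checks are worth doing after deploying this: confirm with a browser that /Shibboleth.sso/Session reports a session and the expected attributes after login, and make sure ownCloud is not also reachable on another virtual host, port or alias that bypasses the protected location, since the application trusts whatever identity arrives in REMOTE_USER once it believes the SP is in front of it.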

The synchronisation client meanwhile can now automatically determine whether it is communicating with a shibbolised ownCloud server or not and, if it is, completes the SP’s login flow instead of sending a stored username and password.

Conclusion

For organisations who use Shibboleth to secure their services, ownCloud can be deployed and used out of the box with minimal configuration necessary. They can keep control of authentication and thus centrally control access to their ownCloud service.

For their users, it means they can use ownCloud with their existing credentials and work collaboratively, taking advantage of all the features ownCloud offers.