Use Azure Credentials to Log In to Your Owncloud (How to Configure Owncloud and Integrate it with Azure AD)

Dear colleagues, today I am going to describe how to configure Owncloud and integrate it with Azure AD. This makes it possible to log in to the Owncloud web and client applications with Azure AD credentials.

Owncloud is an open-source cloud storage solution that lets you store and access files and folders from anywhere, at any time, and share them securely with others. In this article we will discuss how to configure Owncloud and integrate it with Azure AD so that your users can log in to Owncloud with their own credentials. (Azure AD Premium P1 is required.)

Prerequisites

Before we get started, there are a few prerequisites that need to be met:

  • Owncloud must be installed and running on an Ubuntu Linux VM in Azure.
  • You must have access to your Azure AD tenant and be able to register an application.
  • You must have an SSL/TLS certificate installed on your Owncloud server. In my case it is a self-signed certificate (which is not secure).

This guide will help you install Owncloud on Ubuntu:

Install ownCloud on Ubuntu 20.04 :: ownCloud Documentation

Another guide that can help with installing Owncloud:

How to Install and Configure ownCloud on Ubuntu 20.04 | Linode

But my key reason for writing this article is to integrate my Azure AD users into my Owncloud, so that my users can use their own credentials to log in to Owncloud.

To register an application, follow these steps:

  1. Log in to the Azure portal.
  2. Click on "Azure Active Directory" in the left-hand menu.
  3. Click on "App registrations" in the "Manage" section.
  4. Click on the "+ New registration" button.
  5. Enter a name for your application and select "Web" as the application type.
  6. Enter the redirect URI for your Owncloud server. This should be in the format "https://<owncloud-server>/index.php/apps/openidconnect/redirect".
  7. Click on "Register" to create the application.
  8. I am using the public IP address of my VM as the Owncloud address. You can use a Network Security Group to make sure that only your trusted IPs can reach your Owncloud. Of course, this alone is not enough for a production environment.

[Image: Azure AD App Registration]

[Image: Network Security Group]

Configure API Permissions

Once you have registered the application in Azure AD, you must configure the API permissions. This will allow the application to access the necessary resources in Azure AD.

To configure the API permissions, follow these steps:

  1. Click on the "API permissions" tab.
  2. Click on "Add permission".
  3. Select "Microsoft Graph" as the API.
  4. Select "Application permissions".
  5. Check the "User.Read.All" permission.
  6. Click on "Add permissions" to save the changes.

[Image: API permissions for the Azure AD registered app]

Configure Owncloud

Now that you have registered the application in Azure AD and configured the API permissions, you must configure Owncloud to use Azure AD for authentication.

To configure Owncloud, follow these steps:

  1. Log in to your Owncloud server as an administrator.
  2. Install the OpenID Connect extension from the Owncloud Marketplace.
  3. After installing the extension, config.php must be edited.

The location in my case is /var/www/owncloud/config/config.php.

In the config snippet below, 'passwordsalt' and 'secret' are security-related settings used by Owncloud.

'passwordsalt' is a random string that is added to user passwords before they are hashed. This makes it harder for attackers to crack passwords with precomputed rainbow tables, and it ensures that even if two users have the same password, their password hashes are different.

'secret' is a string used to generate and verify cryptographic signatures. It ensures that data exchanged between the server and clients is not tampered with by third parties. The 'secret' value is used to sign and verify OAuth 2.0 authorization requests and responses.

Trusted domains are the addresses through which my Owncloud may be accessed.

The other important values (Directory (tenant) ID, Application (client) ID and the client secret) you can get from the registered application in Azure AD.

<?php
$CONFIG = array (
  'instanceid' => 'ocupdzbvdmmu',
  'passwordsalt' => 'randomgenerated',   // replace with a long random string
  'secret' => 'randomgenerated',         // replace with a long random string
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'IPs who have access',
    2 => 'IPs who have access',
    3 => 'IPs who have access',
  ),
  'datadirectory' => '/var/www/owncloud/data',
  'overwrite.cli.url' => 'https://localhost/owncloud',
  'dbtype' => 'mysql',
  'version' => '10.11.0.6',
  'dbname' => 'ownclouddb',
  'dbhost' => 'localhost',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'ownclouduser',
  'dbpassword' => 'OwnCloundPwd',
  'allow_user_to_change_mail_address' => '',
  'logtimezone' => 'UTC',
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/var/www/owncloud/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/www/owncloud/apps-external',
      'url' => '/apps-external',
      'writable' => true,
    ),
  ),
  'installed' => true,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.distributed' => '\\OC\\Memcache\\APCu',
  'ldapIgnoreNamingRules' => false,
  'http.cookie.samesite' => 'None',
  // The values below come from the app registered in Azure AD
  'openid-connect' => [
    'auto-provision' => ['enabled' => false],
    'provider-url' => 'https://login.microsoftonline.com/Directory (tenant) ID/v2.0/',
    'client-id' => 'Application (client) ID',
    'client-secret' => 'Client Secret',
    'loginButtonName' => 'Azure AD',
    'autoRedirectOnLoginPage' => false,
    // Must match the redirect URI entered in the app registration
    'redirect-uri' => 'https:// Ip or domain /owncloud/index.php/apps/openidconnect/redirect',
    'scopes' => [
      'openid',
      'api://Application ID URI/OwnCLoudOpenID',
      'profile',
      'email',
      'offline_access',
    ],
    'mode' => 'email',
    'search-attribute' => 'preferred_username',
    'use-access-token-payload-for-user-info' => true,
  ],
);
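As an added example (not code from the article or from Owncloud), a small Python checker for the settings discussed above: it flags placeholder values for 'passwordsalt', 'secret' and the database password, checks the shape of provider-url and redirect-uri against what the Azure AD app registration expects, verifies that the redirect host is listed in trusted_domains, and generates random replacement secrets. It assumes config.php has already been loaded into a Python dict with trusted_domains as a list; the SAMPLE dict is constructed from the placeholders in the config above.

```python
import re
import secrets

# Shapes of the two values that must match the Azure AD app registration:
# the tenant's v2.0 issuer URL and the registered redirect URI.
PROVIDER_RE = re.compile(r"^https://login\.microsoftonline\.com/[0-9a-f-]{36}/v2\.0/?$")
REDIRECT_RE = re.compile(r"^https://[^/\s]+(/\S*)?/index\.php/apps/openidconnect/redirect$")
# Placeholder strings exactly as they appear in the sample config.php above.
PLACEHOLDERS = {"randomgenerated", "Client Secret", "Application (client) ID",
                "IPs who have access", "OwnCloundPwd"}

def new_secret(nbytes: int = 32) -> str:
    """Random URL-safe string suitable for 'passwordsalt', 'secret' or a DB password."""
    return secrets.token_urlsafe(nbytes)

def check_config(cfg: dict) -> list:
    """Return findings for a config.php loaded as a dict; an empty list means OK."""
    findings = []
    for key in ("passwordsalt", "secret", "dbpassword"):
        val = str(cfg.get(key, ""))
        if val in PLACEHOLDERS or len(val) < 16:
            findings.append(f"{key}: placeholder or too short, generate it with new_secret()")
    oidc = cfg.get("openid-connect") or {}
    if not PROVIDER_RE.match(oidc.get("provider-url", "")):
        findings.append("provider-url: expected https://login.microsoftonline.com/<tenant-id>/v2.0/")
    if {oidc.get("client-id", ""), oidc.get("client-secret", "")} & PLACEHOLDERS:
        findings.append("client-id/client-secret: still a placeholder from the sample")
    redirect = oidc.get("redirect-uri", "")
    if not REDIRECT_RE.match(redirect):
        findings.append("redirect-uri: must be exactly the URI registered in Azure AD")
    elif redirect.split("/")[2] not in cfg.get("trusted_domains", []):
        # ownCloud only answers for hosts in trusted_domains, so the callback
        # from Azure AD is rejected unless the redirect host is listed there.
        findings.append("trusted_domains: missing the host used in redirect-uri")
    if "openid" not in oidc.get("scopes", []):
        findings.append("scopes: 'openid' is required for OpenID Connect")
    return findings

# Constructed sample: the placeholder values from the config.php above.
SAMPLE = {
    "passwordsalt": "randomgenerated", "secret": "randomgenerated", "dbpassword": "OwnCloundPwd",
    "trusted_domains": ["localhost", "IPs who have access"],
    "openid-connect": {
        "provider-url": "https://login.microsoftonline.com/Directory (tenant) ID/v2.0/",
        "client-id": "Application (client) ID", "client-secret": "Client Secret",
        "redirect-uri": "https:// Ip or domain /owncloud/index.php/apps/openidconnect/redirect",
        "scopes": ["openid", "profile", "email", "offline_access"],
    },
}
```

Running check_config(SAMPLE) lists every placeholder that still has to be replaced before the login button will work.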

________________________________________________________________

After the config file has been edited, an "Azure AD" button appears on the login page as an additional login option.

Now that you have configured both Azure AD and Owncloud, you can test the integration by logging in to Owncloud using your Azure AD credentials.

To test the integration, follow these steps:

  1. Open a web browser and navigate to your Owncloud server.
  2. Click on the "Log in" button.
  3. Click on the "Azure AD" button.
  4. Enter your Azure AD username and password.

[Image: Owncloud homepage after configuration]

Next, I am going to enter my Azure AD username and password to log in to my Owncloud account.

Next, I am going to connect my Owncloud instance to Microsoft Defender for Cloud Apps to control access. (I have a demo tenant with a Microsoft 365 E5 license.)

[Image: Owncloud connected app configuration]

Please make sure you have already created a Conditional Access Policy.

The access control policy in Microsoft Defender for Cloud Apps allows only users on Intune-compliant, Hybrid Azure AD joined devices to access Owncloud.

As a result, users who do not meet the policy requirements are blocked.

[Image: Blocked access]

In conclusion, integrating Owncloud with Azure AD allows users to use their existing credentials to access Owncloud, reducing the need to manage additional usernames and passwords. To integrate Azure AD with Owncloud, the OpenID extension must be installed and configured with the correct Redirect URIs, Secret, and API permissions. Additionally, it is essential to prioritize security by using secure passwords and secrets, configuring trusted domains, and limiting access to Owncloud only to authorized IP addresses.

Microsoft Defender for Cloud Apps improves your control over the app and gives you a wide range of possibilities for different use-case scenarios.

By the way, do you have an idea how to make it possible to inspect the files in Owncloud and create DLP policies in Microsoft Defender for Cloud Apps?

Victor Chrispin Masandika

Information Technology - Head of the Depa

11 months

Just recently integrated ownCloud with Azure AD, and this post has been extremely helpful. Thank you.
