ADFS SSO configuration with ownCloud

Knowledge Base
1

Configuration on ADFS Side

Before configuring Shibboleth as Relying Party in ADFS side basic ADFS setup should be complete and validated. In terms of network connectivity the user browser (end users of OwnCloud) should have network connectivity of ADFS on port 443 (the login page) so firewall rules should be in place.

  1. Download the Shibboleth metadata / owncloud SAML SP from the url - https:///Shibboleth.sso/Metadata
  2. In our case this is https://saml-test.owncloud.works/Shibboleth.sso/Metadata and place into a local directory into ADFS system.
  3. Open the ADFS Management

image
image1496×842 170 KB

  1. Navigate to Relying Party Trust [on left side panel]

image
image1480×1012 92.2 KB

  1. Click [Add Relying Party Trust on right side panel]

image
image1491×1014 143 KB

  1. Select [Claims Aware] application

image
image1492×1069 204 KB

  1. Import the metadata from file [downloaded from SAML SP in step 1/ 2 above].

  2. Give display name of the application, we gave owncloud as shown below.

image
image1492×925 134 KB

  1. Click Next and proceed to below screen.

image
image1493×1036 131 KB

  1. Configure claims as below

image
image1452×1070 113 KB

  1. Give Claim Rule name as UPN (or any name of your choice].

image
image1256×950 133 KB

Configuration on Shibboleth Side

Before configuring the ADFS as SAML Claims Provider ( SAML IDP) in Shibboleth, the shibboleth should be installed on OwnCloud system and basic validation should be completed. Below steps explains the steps required specific for Owncloud integration with Shibboleth (and ADFS).

  1. Download the ADFS metadata from ADFS url
https://AD2019.oc.local/FederationMetadata/2007-06/FederationMetadata.xml

  1. On Shibboleth system navigate to shibboleth2.xml file and edit the SPConfig section [/etc/shibboleth/shibboleth2.xml]

  2. Add the following entry inside the SPConfig tag

<SSO entityID="http://AD2019.oc.local/adfs/services/trust" discoveryProtocol="SAMLDS" discoveryURL="https://saml-test.owncloud.works/Shibboleth.sso/Metadata">
                SAML2
</SSO>

As shown in below screenshot

image
image3769×720 174 KB

  1. Add the MetadataProvider configuration entry as below in SPConfig tag
<MetadataProvider type="XML" validate="true" path="/etc/shibboleth/filtered-metadata.xml"/>

image
image2615×768 136 KB

  1. Where filtered-metadata.xml is the ADFS metadata file obtained from ADFS in step 12

  2. Open the attribute-map.xml from shibboleth /etc/shibboleth2/attribute-map.xml and edit the section to add the claims mapping from ADFS claim to shibboleth claim as below

<Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" id="upn"/>

image
image2831×996 190 KB

  1. Navigate to /etc/apache2/conf-enabled

  2. Edit the shibd.conf file with following configuration entries

#
# Turn this on to support "require valid-user" rules from other
# mod_authn_* modules, and use "require shib-session" for anonymous
# session-based authorization in mod_shib.
#
ShibCompatValidUser Off

#
# Ensures handler will be accessible.
#

#<Location /Shibboleth.sso>
#  AuthType None
#  Require all granted
#</Location>



<Location /Shibboleth.sso>
  AuthType None
  Require all granted
</Location>



# always fill env with shib variable for logout url
<Location />
    AuthType shibboleth
    ShibRequestSetting requireSession false
    Require shibboleth
</Location>

# authenticate only on the login page
<Location ~ "^(/index.php)?/login">
    # force internal users to use the IdP
    <If "-R '192.168.1.0/24'">
        AuthType shibboleth
        ShibRequestSetting requireSession true
        require valid-user
    </If>
    # allow basic auth for eg. guest accounts
    <Else>
        AuthType shibboleth
        ShibRequestSetting requireSession true
        require shibboleth
    </Else>
</Location>


#
# Used for example style sheet in error templates.
#
<IfModule mod_alias.c>
  <Location /shibboleth-sp>
    AuthType None
    Require all granted
  </Location>
  Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
</IfModule>

If you want to enable both normal users as well the SSO users to login then make following highlighted entry ShibRequestSetting requireSession true to false.

  1. Enable the SSO from ownCloud administration settings as shown below.

image
image1695×1264 142 KB

  1. Create a test user test@oc.local on both ADFS and owncloud system, also restart the apache2 and shibboleth services on owncloud system with below commands.
sudo systemctl restart shibd.service 	
sudo systemctl restart apache2
  1. Login to ownCloud by typing the ownCloud host into browser, this should trigger the SSO send user browser to ADFS login page. Once user logs in successfully into ADFS login page he should be able to login / SSO into ownCloud.

Configuration of Desktop SSO / Windows Integrated SSO

Windows integrated SSO works when user logs into domain joined system and access any website / system that is integrated with ADFS. Below are the steps for configuring the ADFS with desktop / Windows integrated SSO.

  1. Login to ADFS management console and enable forms Auth for Extranet and Forms Auth + Windows Authentication for intranet as below

image
image2787×1571 394 KB

image
image2902×1704 560 KB

  1. Save the settings.
  2. Open the PowerShell on ADFS system with administrator privileges and execute below command
Set-AdfsProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0; Windows NT", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0; Windows NT 6", "Windows NT 6.3; Trident/7.0", "Windows NT 6.3; Win64; x64; Trident/7.0", "Windows NT 6.3; WOW64; Trident/7.0", "Windows NT 6.2; Trident/7.0", "Windows NT 6.2; Win64; x64; Trident/7.0", "Windows NT 6.2; WOW64; Trident/7.0", "Windows NT 6.1; Trident/7.0", "Windows NT 6.1; Win64; x64; Trident/7.0", "Windows NT 6.1; WOW64; Trident/7.0", "MSIPC", "Windows Rights Management Client", "Edg/*","Chrome","Mozilla/5.0"]
  1. Above command will enable the browsers (chrome / Edge and Internet explorer for Windows integrated SSO).
  2. On ADFS server press (windows button + r), type services.msc there to open services.
  3. Locate the ADFS services as below

image
image1771×986 241 KB

  1. Double click Active Directory Federation Services, navigate to [Log on] tab and find out the account used by ADFS service as below.

image
image1229×1328 137 KB

  1. Locate that service account in [Users and Computers] as below

image
image1611×1565 349 KB

  1. Click on Attribute Editor tab as below

image
image1396×1657 254 KB

  1. And identify the [servicePrincipalName] attribute and double click it.
  2. If HTTP/AD2019.oc.local (the dns name of ADFS) is not there add it as below.

image
image977×1169 89 KB

  1. Save it and restart the ADFS service as below

image
image2717×520 222 KB

Browser Configuration

  1. On System (domain joined system) open the control panel -> Internet options

image
image1453×1576 302 KB

image
image1122×1570 176 KB

  1. Click on [Custom Level]

image
image1066×1403 126 KB

  1. Ensure [Automatic logon only in intranet Zone] is enabled.

  2. Click on Local Intranet [Sites]

image
image1196×1363 141 KB

  1. Advanced

image
image1053×623 84.9 KB

  1. Add the site there.

image
image985×1031 76.4 KB

  1. Save settings and restart the chrome / firefox browsers.

Troubleshooting

  1. If you observe the following page onto Owncloud system in browser, ensure that system clocks are not skewed between two systems [ADFS and owncloud]

image
image1300×679 95.8 KB

  1. Else edit the clockskew parameter value into shibboleth2.xml file and restart the shibboleth & apache2 services and try again.
  2. With SSO mechanism ensure that same userid exists in both the ADFS and owncloud. Only then users will be able to login into owncloud.
  3. ADFS Troubleshooting section - https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-iwa
1 Like