Conceptual: OCIS IDP to Authentik migration / in parallel?

Infinite Scale
1

Hi

I have an OCIS instance running with internal IDP and some users already there actively using it. OCIS runs in docker (currently on version 7.1.3, but no problem to update).

Now I would like to enable OAUTH2 with Authentik that I already use for other services. Now I wonder how to achieve this.

Question 1: Ideally, I would migrate users from internal IDP to Authentik. Is there a path (e.g. LDAP access from Authentik into OCIS)?

Question 2: If not, if I enable the external IDP, can I still configure OCIS to have the internal IDP enabled?

Question 3: Has anybody achieved having Authentik working with OCIS? Could you share docker-compose.yml and settings? (I read different stories about Authelia)

Any help is appreciated, thanks. rmkl.

2

At least queistion two would be very interesting: Can the internal IDP be configured to be active in parallel to the external? Nobody?

3

I’m not entirely sure, but I don’t think it’s possible to connect to multiple IDPs from oCIS. You can only connect to one.

Now, your external IDP might be able to handle some kind of federation and might connect to other multiple IDPs. However, that completely depends on the IDP capabilities.

I think your easiest option is to setup a new server connected to Authentik and then notify your users to move their stuff to the new server before taking down the old one.

4

I moved them all (requiring them a new password and moving data) from OC10 to OCIS a year ago. The acceptance will be very low for another move, I believe :frowning:

Thanks for your reply anyhow!

5

I mean, it might be possible for Authentik to use the oCIS’ internal LDAP as a data source, but the problem will be maintaining the LDAP. There is no tool to add or remove users unless it’s from oCIS, and that won’t be possible if you’re using Authentik. You’ll have to connect to the internal LDAP manually to perform operations, which will be a pain.

In addition, the internal LDAP is intended to be used exclusively by oCIS. Even if we consider a read-only access from Authentik, that would imply that you won’t be able to add or remove users, limiting the usability.

Finally, I don’t think the setup is considered, much less tested. There is a high risk of failure and it could potentially break the authentication. This is why I don’t recommend to go that way.

If you’re already using an external LDAP server with the internal IDP (I didn’t test it but it should be possible), replacing the IDP should be possible, but this isn’t the default setup.

In any case, whatever you do, make sure it works before attempting it in a real server.

6

Interesting. Good to hear that I can potentially connect to the internal IDP, for migration this could be a path then.

Thanks for your answer, this helps!

7

You can check the deployment example we have in ocis/deployments/examples/ocis_ldap at master · owncloud/ocis · GitHub . I haven’t tested it, but I assume it works.

8

Hello,

I actually got OCIS to work with Authentik as my IDP and my OIDC provider on my Kubernetes cluster a few days ago. It is possible but it requires some tweaks both on the Authentik- and OCIS-side.

First of all, Authentik is an Identity Provider with LDAP capabilities. So, it comes with a few limitations:

  • Adding a custom LDAP schema is not possible. So, having custom ObjectClass is out of the question. But you can customize the LDAP responses from Authentik using LDAP specific property mapping.
  • Groups in Authentik don’t have mail addresses. Hence, the mail attribute in the LDAP response will be empty. However that attribute can be customized as well. I haven’t tested that but according to the Authentik docs, that attribute can overwritten.
  • Changes through LDAP is not supported. Any modification, like a password reset, must be done directly through Authentik. Again, I haven’t tested this but the Authentik docs don’t mention it and I didn’t look further into it because, in my setup, I want everything related to accounts to be managed by Authentik. So, my OCIS setup assumes the used IDP is read-only.
  • GDPR reports are not implemented for Authentik.

To begin, you’ll need to create an LDAP provider in Authentik. For that, the instructions in the Authentik docs did the job for me. To use LDAPS, take in account that the LDAP communication happens through an LDAP Outpost created by Authentik. On Kubernetes, LDAP queries must be sent to a dedicated pod, created by Authentik, named ak-outpost-ldap. If OCIS and Authentik run on the same cluster, your certificate should at least have ak-outpost-ldap.<authentik-namespace>.svc.<cluster-domain> listed as SAN.

Next, let’s make sure that any required custom attribute is returned in the LDAP response. In my setup, these are ownCloudUserType and ownCloudUserEnabled. It can be hard-coded for each user through the attribute section or LDAP.

Finally, I created four groups: OwnCloud Admins, OwnCloud Space Admins, OwnCloud Users and OwnCloud Guests. I used these groups for role provisioning but I’ll go later into that.

Eventually, you’ll want your LDAPsearch query response to look as follow:

Summary

~/$ ldapsearch -xLLL -H ldaps:// -D ‘cn=nathan,ou=users,DC=ldap,DC=goauthentik,DC=io’ -W -b ‘ou=users,DC=ldap,DC=goauthentik,DC=io’ “(&(objectclass=user)(memberOf=cn=owncloud*))”
Enter LDAP Password:
dn: cn=nathan,ou=users,dc=ldap,dc=goauthentik,dc=io
ownCloudUserType: Member
ownCloudUserEnabled: true
ak-active: TRUE
sAMAccountName: nathan
mail:
uidNumber: 2005
createTimestamp: 20250708080458Z
name: Nathan
gidNumber: 2005
homeDirectory: /home/nathan
sn: Nathan
pwdChangedTime: 20250708080506Z
modifyTimestamp: 20251005170627Z
ak-superuser: TRUE
uid:
memberOf: cn=OwnCloud Admins,ou=groups,dc=ldap,dc=goauthentik,dc=io
cn: nathan
displayName: Nathan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: user
objectClass: posixAccount
objectClass: goauthentik io ldap user

That LDAP response brings me to the next thing to do: mapping the schema to OCIS. For this, here is an excerpt of my Helm file:

Summary

features:
externalUserManagement:
enabled: true
ldap:
bindDN: cn=ldap-authenticator,ou=users,dc=ldap,dc=goauthentik,dc=io
disableUsers:
disableMechanism: none
disabledUsersGroupDN: cn=DisabledUsersGroup,ou=groups,dc=ldap,dc=goauthentik,dc=io
userEnabledAttribute: ownCloudUserEnabled
group:
baseDN: ou=groups,dc=ldap,dc=goauthentik,dc=io
filter: (&(objectclass=group)(memberOf=cn=owncloud*))
objectClass: groupOfNames
schema:
displayName: displayName
groupName: cn
id: uid
mail: mail
member: member
insecure: false
uri: ldaps://ak-outpost-ldap.authentik.svc.k8s.internal.atclios.com:636
user:
baseDN: ou=users,dc=ldap,dc=goauthentik,dc=io
filter: (&(objectclass=user)(memberOf=cn=owncloud*))
objectClass: inetOrgPerson
schema:
displayName: displayName
id: uid
mail: mail
userName: cn
userType: ownCloudUserType
writeable: false

A few things to note from that excerpt:

  • The default base domain is dc=ldap,dc=goauthentik,dc=io but this can be changed in the LDAP provider settings.
  • I changed the filter so that only users and groups who are members of the four OwnCloud groups I created earlier are listed. That way, I can control who get an OCIS account and who doesn’t from directly Authentik.
  • The disableMechanism is still set to none because I haven’t figured out which one of the two mechanism I want to use (Still, if you are going for the Group mechanism, make sure that the corresponding group exists as well).
  • The Graph is configured to view to the LDAP server as read-only.

Now, we’ve come the OIDC. If you are familiar with the Helm value file, you’ll have noticed that no adminUUID value is set. This is because I rely on an OIDC claim to define the roles in OCIS. As stated earlier, I created four groups in Authentik. To define which role will be assigned according to the users group membership, I created a new property mapping of type Scope Mapping that I called owncloud_usage in Authentik. For that entry, I used the following expression:

Summary

if ak_is_group_member(request.user, name=“OwnCloud Admins”):
return {
“ocis_role”: “ocisAdmin”
}
elif ak_is_group_member(request.user, name=“OwnCloud Space Admins”):
return {
“ocis_role”: “ocisSpaceAdmin”
}
elif ak_is_group_member(request.user, name=“OwnCloud Users”):
return {
“ocis_role”: “ocisUser”
}
elif ak_is_group_member(request.user, name=“OwnCloud Guests”):
return {
“ocis_role”: “ocisGuest”
}
return None

This allowed me to perform the role provisioning through OIDC using the following settings in Helm:

Summary

features:
oidc:
accessTokenVerifyMethod: jwt
issuerURI:
roleAssignment:
claim: ocis_role
enabled: true
mapping:
* claim_value: ocisAdmin
role_name: admin
* claim_value: ocisSpaceAdmin
role_name: spaceadmin
* claim_value: ocisUser
role_name: user
* claim_value: ocisGuest
role_name: guest
userIDClaim: sub
userIDClaimAttributeMapping: userid

At that point, you’ll want to create the OwnCloud Application along with the OIDC provider in Authentik. The authentik: Configure OpenID Connect IdP section from Helge Klein’s blogpost did Make sure to select Public client type and to add the owncloud_usage scope as Selected Scopes. Depending on the Subject Mode you’ve chosen in Authentik, you’ll need to change the userIDClaim and the userIDClaimAttributeMapping values. If you use the same values as I document here, you should be fine.

Here is an example of the JWT you’ll get from Authentik:

Summary

{
“iss”: “”,
“sub”: “”,
“aud”: “”,
“exp”: 1761401541,
“iat”: 1761399741,
“auth_time”: 1761399741,
“acr”: “goauthentik io/providers/oauth2/default”,
“email”: “”,
“email_verified”: true,
“ocis_role”: “ocisAdmin”,
“name”: “Nathan”,
“given_name”: “Nathan”,
“preferred_username”: “nathan”,
“nickname”: “nathan”,
“groups”: [
“OwnCloud Admins”
]
}

The very last component to configure is the Web service. Here are the values I used in Helm:

Summary

services:
web:
config:
oidc:
webClientID:
webClientScope: openid profile email offline_access owncloud_usage

To ensure that the ocis_role attribute is included in the OIDC token, I added owncloud_usage as an additional webClientScope.

The Helm values file still needed additional CORS and CSP values to be added. But atfer that, all that must to be done was to install the Helm charts using these values. And that is how I go OCIS to work with Authentik on Kubernetes. I leave it to you at to how to translate all of this into Docker Compose. In general, I’m sure there are a few thing that needs some polishing. But kudos to the OwnCloud team! Without their work and their documentation, I wouldn’t have gone for so far!

Now, for your remaining two questions: Authentik has the capability to connect to an external user directory such as an LDAP-based IDP. With that in mind, what I’m gonna say is all speculation:

  • It should be possible to map the LDAP attributes from the IDP service to Authentik through LDAP Source Property Mapping. That opens up the possibilty for Authentik to use the IDP service as an LDAP source and to get into a scenario where Authentik can take care to Authentication and where OCIS accounts can be managed through OCIS.
  • Authentik should be able to connect multiple sources to one LDAP provider… If true, it should be possible to get Authentik to authenticate an user that is registered in either the IDP service or in its own database (or another IDP). That could pave the way for a migration path.
1 Like
9

Wow, thanks a lot for your detailed response!

I probably need much more time than expected for this. We’ll see when I’ll come to that.