Posts

NetKnights GmbH will attend the business fair and conference it-sa this year in October. Being a partner at the stand of ownCloud in Hall 10.0-428, NetKnights places its core competence of Multi Factor Authentication just at the right spot. Keeping your own data under your control is the job of ownCloud. Securing the access to that data is the job of NetKnights and the privacyIDEA ownCloud App. It adds flexible, enterprise-grade two-factor authentication to the File Sync and Share solution from ownCloud.

New features in privacyIDEA

Within the privacyIDEA Authentication Server there are a lot of interesting new features.

We will present the upcoming version 2.23 of privacyIDEA. Two of the innovative new features are the Pre-Event-Handler and Monitoring and Statistics.

The administrator can use the Pre-Event-Handler to add additional tasks before, for example, an authentication request is processed. These tasks and their conditions can be configured flexibly. The administrator could configure privacyIDEA so that, before a user is authenticated, this very user gets an Email token enrolled and assigned, without user or admin interaction. This is only one possible scenario for using the Pre-Event-Handler.

The Monitoring and Statistics module can use data from the Event Counter and use periodic tasks to gather any possible metrics. In the blink of an eye the administrator can define which data to collect and, for example, create a metric of failed authentication requests. External tools like Grafana can then be used to create graphs.

We continue to strive to make privacyIDEA one of the most flexible Multi Factor Authentication systems on the market.

Check it out! Get your own personal date at the it-sa!

 

Today we released the privacyIDEA ownCloud App in version 2.4. Apart from improvements in the configuration we added a new important feature, which makes it possible to exclude some users from the two-factor authentication.

With or without two-factor authentication?

The privacyIDEA ownCloud App activates two-factor authentication for all users in a company. The authentication is processed by the privacyIDEA server.

In some cases it could be useful to give users access to ownCloud without a second factor. If these users exist locally in ownCloud, this was not possible until now. In version 2.4 the administrator can define user groups that do not need a second factor to log in. This could be useful for guest users who do not have access to sensitive files. It reduces the workload, because it is not necessary to enroll a second factor for a simple and temporary guest user.

Configuration

In version 2.4 we revised the configuration of the privacyIDEA ownCloud App as well. Setting up the connection to your own privacyIDEA system should be much easier for the administrator. For example, we added test buttons, so the administrator can check the configuration before it is activated.

Apart from this, we expanded the configuration dialog to different languages.

About the privacyIDEA ownCloud App

The privacyIDEA ownCloud App adds two-factor authentication to an existing ownCloud installation. The privacyIDEA plugin forwards the second step of ownCloud’s user login to the authentication system privacyIDEA. In this system the administrator can manage the second factors of the users and can regulate which user needs to log in in which way. Thanks to privacyIDEA the users can authenticate with many methods like key fob tokens, smartphones, apps, SMS, mail, Yubikey, or U2F devices.

You can find a complete changelog for the privacyIDEA ownCloud App here.

If you have more questions feel free to contact us.

On May 23rd ownCloud introduces ownCloud X to their customers. ownCloud invites you to their release event in Cologne. NetKnights will be there, too, and present how you can easily add two-factor authentication with privacyIDEA via the new ownCloud Marketplace. This is a great way to protect your data with a centrally managed multi-factor authentication system.

Cornelius Kölbel will give a talk with some first impressions of the possibilities of such a central multi-factor solution for your company’s employees. In the meeting area we will have a demo point with such a two-factor authentication at ownCloud X against privacyIDEA. You can come, ask and try it yourself. Several different devices like Yubikey, U2F, OTP-Token, Smartphones or Smartdisplayer-Cards can be used for authentication.

We are looking forward to your visit.

Register now!

 

A few days ago ownCloud introduced the new market place. Using the market place, ownCloud administrators can easily and quickly install ownCloud apps. The privacyIDEA ownCloud App by NetKnights is one of the first available apps in the market place. Using the privacyIDEA ownCloud App, companies and organizations can secure the login to ownCloud with a centrally managed multi-factor authentication. The authentication devices of the users are managed within the privacyIDEA authentication system.

Installing the privacyIDEA ownCloud App

Within ownCloud X the administrator can enter the market place via the top left menu.

He needs to filter the categories for “security”. There are several advantages of a centrally managed 2FA system in contrast to the integrated TOTP app. The administrator can define which user has to use a second factor, and the users can use this very second factor, the same authentication device, for any other application like VPN or desktop login.

Clicking on the privacyIDEA ownCloud App or “privacyIDEA Two Factor Authentication” will display all the details of the app in the market place.

Now the administrator can install the app by clicking the blue “install” button. The installation is rather quick. After successful installation the blue button turns grey.

Configuring privacyIDEA ownCloud App

Now the administrator needs to configure the privacyIDEA ownCloud app.

To do this, he needs to enter the top right menu via Settings->Additional and can now see the section privacyIDEA 2FA. There he needs to configure the URL of the privacyIDEA server. Usually this is something like https://myserver/validate/check.

Warning: You may need to uncheck the “Verify SSL certificate” checkbox for your tests. We strongly recommend having this checkbox checked for production use!

That’s all. Now the administrator is done configuring the privacyIDEA ownCloud app.
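The following Python is an added example, not code from NetKnights or the app: it checks a configured URL of the form described above, keeps certificate verification on, and accepts a login only when the `/validate/check` reply has both `result.status` and `result.value` set to true. The function names and the sample replies are constructed for illustration.

```python
import json
import ssl
import urllib.parse
import urllib.request

# Constructed sample replies, reduced to the fields this check reads.
SAMPLE_OK = '{"result": {"status": true, "value": true}}'
SAMPLE_WRONG_OTP = '{"result": {"status": true, "value": false}}'


def check_endpoint_url(url):
    """Return the problems found in a configured privacyIDEA URL."""
    parts = urllib.parse.urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if not parts.hostname:
        problems.append("no host name")
    if not parts.path.endswith("/validate/check"):
        problems.append("path does not end in /validate/check")
    return problems


def second_factor_ok(body):
    """Fail closed: only status true AND value true is a success."""
    try:
        result = json.loads(body)["result"]
        return result["status"] is True and result["value"] is True
    except (ValueError, KeyError, TypeError):
        return False


def validate_check(url, user, otp, realm=None, timeout=10):
    """POST the second factor with certificate verification enabled.

    Network and HTTP errors raise; the caller must treat them as a denial.
    """
    problems = check_endpoint_url(url)
    if problems:
        raise ValueError("refusing to send OTP: " + "; ".join(problems))
    fields = {"user": user, "pass": otp}
    if realm:
        fields["realm"] = realm  # realm name as configured in privacyIDEA
    ctx = ssl.create_default_context()  # verifies chain and host name
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data)
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return second_factor_ok(resp.read())
```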

Configuration of privacyIDEA

We assume that privacyIDEA is already installed following one of the many possible installation scenarios. Now the administrator needs to configure the user store in privacyIDEA, so that privacyIDEA knows the ownCloud users and the administrator or the users can enroll tokens.

Define user store

The administrator first needs to configure the user store. In this example we are using the ownCloud database as user source. The administrator needs to go to Configuration -> Users.

Create user realm

Then the configured user store needs to be joined to a realm. Under Configuration->Realm the administrator can create a realm with this user store. In this example the realm is called “oc”.

When entering the user-tab, the administrator will now see all the ownCloud users within privacyIDEA.

Enroll Token

Now the administrator or the user himself can enroll a token. This could be a TOTP/Smartphone-App or any other of the many supported token types within privacyIDEA.

The administrator can select a user object and enroll a token to this user. Alternatively users can login to the privacyIDEA WebUI and enroll a token for themselves.

Thus the administrator or IT department can manage, which user has which token (second factor). If any authentication device gets lost, privacyIDEA provides means to centrally allow temporary access for such a user or to enroll a new (temporary) token.

Login

When logging in to ownCloud, in the first step the user needs to enter his username and his ownCloud password. In a second dialog the user is asked for his second factor which is verified against privacyIDEA.

Please note that you need a subscription file for the privacyIDEA ownCloud App for production use.

Have a successful authentication!

Here we will show you how you can add enterprise-ready two-factor authentication to your ownCloud installation.

You need an ownCloud installation with a version equal to or greater than 9.1. Then you need a privacyIDEA installation. For a guide on how to install these components, please refer to their respective documentation. There are different ways to install privacyIDEA.

Finally you need the privacyIDEA ownCloud App, which is available via subscription and SLA.

Connect your userstore

privacyIDEA can connect to many different user stores. You will probably connect to your company’s LDAP or Active Directory. In case you run a single ownCloud installation or a lab setup, you may also want to connect to ownCloud’s own user store.

Create an ownCloud resolver.


In privacyIDEA you first need to set up the connection to the ownCloud database. This will fetch the users from the ownCloud database.

This userstore is now added to a new realm.


Add users to the “owncloud” realm.

Now privacyIDEA knows all your ownCloud users and you can start to enroll tokens to these users. Enrolling tokens is not covered here.

For enrolling tokens, please see some YouTube videos or the online documentation.

Install privacyIDEA ownCloud App

Please get your privacyIDEA ownCloud App with your subscription and support agreement. You need to copy the privacyIDEA App to the ownCloud directory apps/twofactor_privacyidea/.

After this, the privacyIDEA App is available and can be activated.

You need to configure the privacyIDEA App.

Configure where the privacyIDEA server is located.


The most important part is to configure the URL, where the privacyIDEA system can be reached. Here you need to specify the complete path, including possible subpaths. The default configuration would be https://your.privacyidea.server/validate/check.

Log in

After enrolling tokens to the users and activating the privacyIDEA ownCloud app, users are required to authenticate with a second factor, which is verified against privacyIDEA.

Login to ownCloud with a second factor managed by privacyIDEA.


Using privacyIDEA you can authenticate to ownCloud with many more tokens other than smartphone TOTP. You can use any hardware device and also special devices like the Yubikey.

Thanks to the sophisticated policy framework of privacyIDEA you can set up any workflow or user combination. Users may need a 2nd factor or not. Some users may authenticate only with a secure hardware device like the Yubikey, others may use a smartphone app.

Using the privacyIDEA ownCloud App you lift two factor authentication with ownCloud to the next level.


NetKnights provides an enterprise-ready two-factor authentication for ownCloud via its own App. Authentication is performed against the centrally installed privacyIDEA authentication system.

Talk at Contributor Conference

Cornelius Kölbel will give a talk about the flexible two-factor authentication for ownCloud using privacyIDEA at this year’s ownCloud Contributor Conference in Berlin from September 9th-15th, 2016.

Advantages by central management

One of the big advantages is that employees only need one single second factor (possession). Using this centrally managed factor, the users can not only log in to ownCloud, they can also use this factor in more login scenarios. The 2nd factor can be used to log in to Linux Desktops using PAM, to servers via SSH or to Windows Desktops using the privacyIDEA Credential Provider.