ownCloud with Azure AD Integration?

scottalanmiller

@coliver said:

When I said local authentication I meant Linux users being authenticated to use the ownCloud application. Then you could use SAML on the local Linux system to authenticate against Azure AD. Probably too convoluted and sensitive to be used in production though.

I'm not aware of ownCloud using, nor would you want to, the local UNIX user store.

coliver

@scottalanmiller said:

@coliver said:

When I said local authentication I meant Linux users being authenticated to use the ownCloud application. Then you could use SAML on the local Linux system to authenticate against Azure AD. Probably too convoluted and sensitive to be used in production though.

I'm not aware of ownCloud using, nor would you want to, the local UNIX user store.

Ok... good. I wasn't advocating that just wondering if it was possible. That would be a workaround for SAML not being supported.

scottalanmiller

@coliver said:

@scottalanmiller said:

@coliver said:

@scottalanmiller said:

@coliver said:

@scottalanmiller I'm not following. I've had it running for at least 3 major releases and have never had it attached to AD nor have I created users on the local system. I have always needed a username and password to get into the application.

So if you did not create the users... where did you think that they were coming from

Are we talking about the same application? For ownCloud, in the past I had to remote into the database to change the admin password that I had forgotten. Hence why I said that the username and password were stored in the ownCloud database.

We started talking about how SW was the sole application that lacked local users.

Odd. I was never talking about SW. Sorry I must have missed something.

Ah, I was responding to you asking about local authentication saying that of course it does that. But you responding saying that it used a database. A local database is called local authentication in apps. Using the UNIX system is not considered local but system. That's where we disconnected. Your response only made sense to me in the context of responding to the SW comment.

scottalanmiller

@coliver said:

Ok... good. I wasn't advocating that just wondering if it was possible. That would be a workaround for SAML not being supported.

How would that help? How would authenticating against the /etc/passwd file get me access to Azure AD?

coliver

@scottalanmiller said:

@coliver said:

Ok... good. I wasn't advocating that just wondering if it was possible. That would be a workaround for SAML not being supported.

How would that help? How would authenticating against the /etc/passwd file get me access to Azure AD?

Now that I think about it, probably wouldn't. I was thinking if you could change the authentication authority to be a federated source then you could use that as a backend for ownCloud. But that wouldn't work for system authentication.

scottalanmiller

@coliver said:

Now that I think about it, probably wouldn't. I was thinking if you could change the authentication authority to be a federated source then you could use that as a backend for ownCloud. But that wouldn't work for system authentication.

Right, because OC would see a "blank" local user list, not the SAML federation.

coliver

@scottalanmiller said:

@coliver said:

Now that I think about it, probably wouldn't. I was thinking if you could change the authentication authority to be a federated source then you could use that as a backend for ownCloud. But that wouldn't work for system authentication.

Right, because OC would see a "blank" local user list, not the SAML federation.

Yep, that's the conclusion I made. Sorry to derail the thread. Just had to think my way through it a bit more.

jospoortvliet

SAML is supported in the Enterprise Edition - so that part would work. Besides that, I don't know if there is specifically Azure AD Integration...

scottalanmiller

@jospoortvliet said:

SAML is supported in the Enterprise Edition - so that part would work. Besides that, I don't know if there is specifically Azure AD Integration...

That's sad that the big enterprise AD integration is included in the free version but the SMB Azure AD federation is limited to the enterprise versions

Dashrender

@scottalanmiller said:

Has anyone looked into authentication ownCloud using Azure AD? Is this something that ownCloud themselves is looking into? That would be an awesome addition to ownCloud, IMHO. Especially in the SMB space. As companies start to move to lots of Office 365 and Windows 10 and now that Linux Mint will authenticate to Azure AD, it would be awesome to have ownCloud able to authenticate there rather than only to LDAP or traditional on premises AD.

I was thinking this very thing when someone posted about federated authentication with ownCloud yesterday!

jospoortvliet

@scottalanmiller said:

@jospoortvliet said:

SAML is supported in the Enterprise Edition - so that part would work. Besides that, I don't know if there is specifically Azure AD Integration...

That's sad that the big enterprise AD integration is included in the free version but the SMB Azure AD federation is limited to the enterprise versions

well, as I said, not sure if Azure works - I do know that SAML is, in general, a huge-business thing, not a SMB thing... Didn't know Azure uses it, that's odd as it forces SMB to take on quite some costs.

coliver

@jospoortvliet said:

@scottalanmiller said:

@jospoortvliet said:

SAML is supported in the Enterprise Edition - so that part would work. Besides that, I don't know if there is specifically Azure AD Integration...

That's sad that the big enterprise AD integration is included in the free version but the SMB Azure AD federation is limited to the enterprise versions

well, as I said, not sure if Azure works - I do know that SAML is, in general, a huge-business thing, not a SMB thing... Didn't know Azure uses it, that's odd as it forces SMB to take on quite some costs.

Other then the costs of certificates where do you see costs coming from? Azure AD provides SAML for free, so there would be no additional expense of standing up another server.

scottalanmiller

@jospoortvliet said:

well, as I said, not sure if Azure works - I do know that SAML is, in general, a huge-business thing, not a SMB thing... Didn't know Azure uses it, that's odd as it forces SMB to take on quite some costs.

It's the new SMB thing because it is how Windows 10 comes out of the box. It's the new "small business" system from Microsoft. I think your concept of it being big business is at least two years out of date. Now it is very much the SMB thing. Microsoft even extends it to Linux desktops, for example.

This is what any shop that doesn't run their own AD servers will be doing going forward.

scottalanmiller

@jospoortvliet said:

Didn't know Azure uses it, that's odd as it forces SMB to take on quite some costs.

Opposite, it removes the big costs that many just skipped before. It's totally included with other things for us, so it is basically free. Like Google Apps, every business needs email. If you have email from Microsoft, which is the leader in the business space, you get Azure AD for free. So it is pretty huge, especially in smaller businesses.

It's not weird at all that the SMB uses it as they see it as free and requires nothing from them.

scottalanmiller

If you are an O365 customer...

Running AD requires...

• Running your own Windows server ($700 starter)
• Managing your own Windows Server (requires a Windows Admin)
• User CALs
• License Management
• You need to consider if you are going to have a second server, another $700 not including hardware.
• Either IAAS ($100/mo) or a physical server or two to run AD on. That's big cost.
• VPN to extend AD out to your end nodes out of the LAN

Running Azure AD requires...

• Nothing

See why Azure AD is considered the SMB way to go?

jospoortvliet

ok, got it. Well - this is a business thing, if .com decides to open it (they've done it for other features before) that'd be nice. But it won't be for 9.0

scottalanmiller

@jospoortvliet said:

ok, got it. Well - this is a business thing, if .com decides to open it (they've done it for other features before) that'd be nice. But it won't be for 9.0

that's too bad, major setback for SMB users You should point out to them that that drives the SMBs to ODfB because that's integrated with what they already have and once paying similar amounts, why bring in another vendor and manage on their own?

You want SMBs in your pocket so that as they grow they stay with you. You don't want to send the five person shops into your competitors arms because no one is keeping up with the times.

scottalanmiller

For comparison for a five person business per year...

ODFB with all hosting and storage and backups included in the cost: $960
ownCloud and needing you to manage your own: $3600

Um... what's for big business vs. SMB?

scottalanmiller

ownCloud Commercial is really only for 100+ users and realistically only for much larger than that. They don't even pretend to have SMB offerings or pricing. Which is fine, but it is super important that OC understand that they are making themselves an enterprise only player commercially but leaving out key features that the SMB would expect and keeping them in the enterprise space where people are likely to have AD.

scottalanmiller

This is really a spot where SAML isn't needed, if .com wanted to hold that back. SAML is more enterprise, more of the time. What is needed is only Azure AD. A connector just for that would allow the SMB market to have access to basic SMB authentication while not exposing an enterprise only feature to the .org.