Implicit Login Flow, SSO with RocketChat and Nextcloud

sibeeshvenu · May 21, 2019, 9:47am

Hi Team,

Greetings!. I am working with UCS server 4.4 and I have NextCloud and RocketChat installed there. I am planning to use SSO so that the user has to login only once and the same authentication tokens can be used for all of my applications. I read that by default the SSO is been enabled in the UCS.

Do I need to do any additional configurations to work with SSO?
Does UCS supports Implicit Login? I mean something like “Login with Facebook, GMAIL”? If yes, how can I implement the same in my Angular application?
To login from my application (Angular), is this the API I need to use?

But when I use the mentioned API I get the response as below.

2019-05-21_13-59-16

{"status": 200, "result": {"username": "Administrator"}, "message": null, "options": null}

How can I get authentication token and other details?

I am really looking forward to hearing from you.

Kindest Regards
Sibeesh Venu

fbartels · May 22, 2019, 12:21pm

Hi @sibeeshvenu,

it seems https://www.univention.com/products/univention-app-center/app-catalog/openid-connect-provider/ is what you are looking for. Nextcloud supports login via OpenID Connect through the following plugin https://apps.nextcloud.com/apps/sociallogin

Rocketchat on the other hand does not directly support OpenID Connect, but only OAuth 2.0. Since OpenID Connect is based on OAuth 2.0 there is a chance this still could work, but I have not tested this myself.

sibeeshvenu · May 22, 2019, 2:59pm

@fbartels Thanks a lot for your response. I am afraid that is not I am looking for. Do you know whether UCS has this feature by default? If I install the openid-connector-provider, how can I use this in my login UI in my application? Any help is really appreciated.

fbartels · May 22, 2019, 5:21pm

Well openid has an “implicit flow”.

The only built-in SSO functionality (for the web) would be saml. Apart from that UCS also offers Kerberos.

Just like any other OpenID Provider.

sibeeshvenu · May 23, 2019, 8:36am

Hi @fbartels,

Thanks a lot for your response. I have started implementing the OpenID connect provider. But I am getting the error as .well-known/openid-configuration not found, do you have any idea how can I set in my UCS server? Any help is really appreciated. Thank you.

Kindest Regards
Sibeesh Venu

fbartels · May 23, 2019, 9:07am

Have you installed the app I linked to?

sibeeshvenu · May 23, 2019, 9:10am

Yes I have installed and set the client id and other details using command line. Once after that if we navigate to https://<FQDN of the server>/.well-known/openid-configuration, I should get something right, instead I am getting 404.

2019-05-23_11-18-49

fbartels · May 23, 2019, 9:38am

strange. this works out of the box with me. That its a 404 indicates that the webserver has maybe not restarted after the app has been installed (it should do so automatically, though). Only other reasons for the 404 is if you had used the wrong fqdn. Did you try to get to the discovery document from within the app?

sibeeshvenu · May 23, 2019, 9:50am

This FQDN is the same url where we access the UCS server right, for example if I am able to access the portal here https://mysite.northeurope.cloudapp.azure.com/univention/portal/ and this https://mysite.northeurope.cloudapp.azure.com/ is my FQDN right? I am not sure how to get the discovery document from the app, can you please say me how? Thanks in advance.

fbartels · May 23, 2019, 10:03am

I’ve circled it for you

But yes, the fqdn is the domainer you also use to access the ucs portal with. But actually the .well-known/openid-configuration url should work with any domain/ip pointing to the system.

sibeeshvenu · May 23, 2019, 10:06am

Thanks, I was following the same and when I click there I am getting 404

2019-05-23_12-05-10

fbartels · May 23, 2019, 10:08am

Have you tried what I wrote before?

sibeeshvenu · May 23, 2019, 10:15am

Yes I had restarted my server multiple times.

fbartels · May 23, 2019, 10:38am

Then I am unfortunately out of ideas why you system is behaving differently.

sibeeshvenu · May 23, 2019, 1:18pm

After the installation, when I run univention-app logs openid-connect-provider I am getting the message as time="2019-05-23T12:07:59Z" level=info msg="starting http listener" listenAddr="0.0.0.0:8777" this means that the application is installed properly right? I also logged in via SSH and checked this port, but the result was the same

root@ucs-8280:~# curl http://localhost:8777
404 page not found

And also the container status is unhealthy.

5ae9e86879b5 docker-test.software-univention.de/openid-connect-provider:latest "docker-entrypoint..." About an hour ago Up About an hour (unhealthy) 0.0.0.0:8777->8777/tcp

2019-05-23_15-27-57

This is really stopping my development.

damrose · May 23, 2019, 1:45pm

From your last post i can see that you are using an app version from the test app center (docker image url has docker-test.software-univention.de in its URI).

We are actively developing this app version and cannot support any app from the test app center - they are by definition in development status. You should use an officially released app version. Try installing the openid-connect-provider app version 0.7-beta, e.g. univention-app install openid-connect-provider=0.7-beta

edit In addition, openid connect is only one way to realize single sign-on with UCS, SAML is the other. Configuring additional service providers for the simplesamlphp Identity Provider is covered in our documentation.

sibeeshvenu · May 23, 2019, 1:56pm

Thanks a lot for the response. I just tried the version you had mentioned. But I am still getting the error 404 when I visit /.well-known/openid-configuration/ and the docker container status is unhealthy.

790ab149e731 docker.software-univention.de/openid-connect-provider:0.7 "docker-entrypoint..." 2 minutes ago Up About a minute (unhealthy)

damrose · May 23, 2019, 2:11pm

You had the development version installed, so it may well be that there are remains from additional features planned in the next release, e.g. modified apache2 configs, cleanup may not be thorough when uninstalling the development version.

Maybe something already installed or configured on your system or a setting in your cloud environment is causing the problem. I guess the other apps installed on your system are from the test app center as well?
I just installed the app on a testsystem and can get the metadata via browser or by executing either

curl -k http://localhost/.well-known/openid-configuration
curl -k https://localhost/.well-known/openid-configuration

sibeeshvenu · May 23, 2019, 2:18pm

Thanks a lot. Surprisingly I am getting response when I do curl http://localhost/.well-known/openid-configuration but I get 404 when I do https://samplesite.northeurope.cloudapp.azure.com/.well-known/openid-configuration/. Can you please help me figure out the reason? Thanks in advance.

Note: Yes, we are using test app center as we our applications are still in testing phase.

sibeeshvenu · May 23, 2019, 2:29pm

Finally I was able to get it working. Restarting the web service after installing the 0.7-beta version fixed the issue it seems.

univention-app install openid-connect-provider=0.7-beta
systemctl restart apache2