owncloud / ocis-charts

:chart_with_upwards_trend: Helm Charts for ownCloud's OCIS
https://owncloud.dev/ocis/deployment/kubernetes/
Apache License 2.0

Adding OIDC #671

Closed (mhegreberg closed this issue 3 weeks ago)

mhegreberg commented 2 months ago

I'm testing to see if OCIS can work for our users.

I'm attempting to configure the chart to point to our Azure AD tenant for Identity. I've registered an application in the IdP, and I made the following changes to the values file:

```yaml
externalUserManagement:
  # -- Enables external user management (and disables internal user management).
  # Needs an external OpenID Connect Identity Provider and an external LDAP server.
  enabled: true
  # -- UUID of the initial admin user.
  # If the given value matches a user's value from `features.externalUserManagement.oidc.userIDClaim`, the admin role will be assigned.
  # Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand.
  # Note: Enabling `roleAssignment` will disable `adminUUID`.
  adminUUID: "My@email.com"
  # -- Enables account auto provisioning.
  # It will create missing users on the LDAP server from OIDC information.
  # Needs `features.externalUserManagement.ldap.writeable` to be set to `true`.
  autoprovisionAccounts: false
  # OpenID Connect Identity Provider related settings.
  oidc:
    # -- Issuer URI of the OpenID Connect Identity Provider.
    # If the IDP doesn't have valid / trusted SSL certificates, certificate validation can be disabled with the `insecure.oidcIdpInsecure` option.
    # The issuerURI will automatically be added to http.csp.directives.connectSrc
    issuerURI: "https://login.microsoftonline.com/Tenant-ID-Here/v2.0/.well-known/openid-configuration"
    # -- Link to the OIDC provider's user accessible session management. This will be shown to the user on the personal account page.
    # When using Keycloak with a realm named "ocis" this could point to e.g. https://keycloak.owncloud.test/realms/ocis/account/
    sessionManagementLink: ""
    # -- Link to the OIDC provider's user accessible account editing page. This will be shown to the user on the personal account page.
    # When using Keycloak with a realm named "ocis" this could point to e.g. https://keycloak.owncloud.test/realms/ocis/account/
    editAccountLink: ""
    # -- Specify the client ID which the web frontend will use
    webClientID: Azure-AD-Client-Guid
    # -- Claim to take a unique user identifier from. It will be used to look up the user on the LDAP server.
    userIDClaim: ocis.user.uuid
    # -- Attribute mapping for the userIDClaim.
    # Set to `userid` if the claim specified in `...oidc.userIDClaim` holds the value of the LDAP user attribute specified in `...ldap.user.schema.id`.
    # Set to `mail` if the claim specified in `...oidc.userIDClaim` holds the value of the LDAP user attribute specified in `...ldap.user.schema.mail`.
    # Set to `username` if the claim specified in `...oidc.userIDClaim` holds the value of the LDAP user attribute specified in `...ldap.user.schema.userName`.
    userIDClaimAttributeMapping: mail

    # -- OIDC Access Token Verify Method
    # Set to "jwt" or "none"
    accessTokenVerifyMethod: "jwt"
```

What am I missing? I'm hoping to just hook this into OIDC in Azure AD and not need to use LDAP against an on-prem DC.

wkloucek commented 3 weeks ago

The oCIS chart allows you to start the built-in IDP (OIDC Provider) and IDM (LDAP server). But this is not supported as a production deployment. For a production deployment of the oCIS chart you must always replace both the IDP and the IDM service.

In your case, you're using Azure AD as an IDP and need to provide an external LDAP server, too. For an example, see also https://github.com/owncloud/ocis-charts/blob/main/deployments/external-user-management/helmfile.yaml
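A pre-flight check in the spirit of the reply above, added here as an example and not part of the thread or of the chart: it verifies that `issuerURI` is the bare issuer that the provider's discovery document advertises (an OpenID Connect Discovery requirement, since the discovery document lives at issuer + `/.well-known/openid-configuration` and tokens carry that issuer in `iss`) and that an `ldap` section is present whenever `externalUserManagement` is enabled. The values dict and the discovery document are constructed stand-ins for the block posted above and for the provider's response; `check_external_user_management` is a hypothetical helper.

```python
import json

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"
VALID_MAPPINGS = {"userid", "mail", "username"}

# Constructed stand-in for the features.externalUserManagement block from the
# thread (a plain dict, so the example needs no YAML library).
VALUES = {
    "externalUserManagement": {
        "enabled": True,
        "adminUUID": "My@email.com",
        "oidc": {
            "issuerURI": "https://login.microsoftonline.com/Tenant-ID-Here/v2.0"
            + DISCOVERY_SUFFIX,
            "webClientID": "Azure-AD-Client-Guid",
            "userIDClaim": "ocis.user.uuid",
            "userIDClaimAttributeMapping": "mail",
        },
        # no "ldap" section: no external LDAP server was configured
    }
}

# Constructed discovery document with only the field this check reads; the
# issuer value follows the shape Azure AD serves for a v2.0 tenant endpoint.
DISCOVERY_DOC = json.dumps(
    {"issuer": "https://login.microsoftonline.com/Tenant-ID-Here/v2.0"}
)


def check_external_user_management(values, discovery_json):
    """Return a list of findings; an empty list means the block passed these checks."""
    findings = []
    eum = values.get("externalUserManagement", {})
    if not eum.get("enabled"):
        return findings  # built-in IDP/IDM in use; nothing to verify here
    oidc = eum.get("oidc", {})
    issuer = oidc.get("issuerURI", "")
    if issuer.endswith(DISCOVERY_SUFFIX):
        # Discovery lives at <issuer> + suffix; the chart wants the bare issuer.
        findings.append("issuerURI points at the discovery document, not the issuer")
        issuer = issuer[: -len(DISCOVERY_SUFFIX)]
    advertised = json.loads(discovery_json).get("issuer")
    if advertised != issuer:  # token 'iss' equals the advertised issuer, so these must agree
        findings.append(f"issuerURI {issuer!r} != discovery issuer {advertised!r}")
    if oidc.get("userIDClaimAttributeMapping") not in VALID_MAPPINGS:
        findings.append("userIDClaimAttributeMapping must be userid, mail or username")
    if "ldap" not in eum:
        findings.append("externalUserManagement requires an external LDAP server (ldap section)")
    return findings
```

Run against the block from the thread it reports the discovery-URL issuer and the missing LDAP section; a block with the bare issuer and an `ldap` section passes.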

mhegreberg commented 3 weeks ago

I see. Thank you for your help!

I ended up implementing another solution at this time that could use OIDC as the sole external Identity provider.