...

Some standards like SAML or OpenID Connect require coordination with OX to be enabled, but they are still viable options to authenticate the users.

...

If the following assumptions about your system are correct, there is no need to get in contact with someone from operations at Open-Xchange to test the authentication.

...

Terminology in this document

  • uid: The username of the user used in provisioning
  • alias: An alias of the user; this also includes the main mail address
  • saml: Security Assertion Markup Language, a way to authenticate users only via the browser
  • oidc: OpenID Connect, a way to authenticate users via the browser; it has a backchannel to fetch more user data
  • webmail: Web access, i.e. the user reaching the website with a browser
  • imap: External IMAP access handled in the OX Cloud environment
  • other clients: Other clients may include the OX Mail App or a DAV client that connects to OX Cloud. Native IMAP, POP3 or SMTP access is not in scope.

Default Authentication

Without any change to the configuration, it is expected that only one Authentication Service is enabled. The default identifier used is the uid of the user, which has been set in provisioning. The password used has also been set as part of the provisioning.

The clients that would use the password saved in OX Cloud are:

  • OX Mail
  • CalDAV/CardDAV
  • Webmail, if neither SAML nor OIDC is enabled
  • external IMAP/POP/SMTP

...

If access for any of the above-mentioned clients is expected, or if neither SAML nor OIDC is enabled, you should sync the users' passwords with the OX Cloud user database.

IMAP Authentication

The external IMAP access has its own authentication flow but also uses uid and password by default. The same options as above are available but can be configured via an independent property.

Configurable options for the user lookup in Authentication (these options are only relevant for the OX Cloud Flex variant!)

It is possible to configure the lookup of the user identifiers to use keys other than uid. The list below shows the different options available.

  • uid
    • LDAP search queries will be performed to match the login string with the uid
  • email
    • LDAP search queries will be performed to match the login string with the alias (which also contains the primary email)
  • uid-or-email
    • LDAP search queries will be performed to match the login string with the alias (which also contains the primary email) or the uid (hence matching either of them)
  • auto
    • LDAP search queries will be performed to match the login string with the
      • alias if the login string contains the character @,
      • or uid if the login string doesn't contain the character @
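The following is an added example, not OX Cloud's own code, showing how the four lookup options above can be turned into an LDAP search filter for a given login string. The attribute names "uid" and "alias" and the exact filter shapes are assumptions for illustration; the real OX Cloud attributes and filters may differ. The login string is escaped before it is placed in the filter (RFC 4515 encoding), because the login is user-controlled input to the directory query.

```python
"""Added example (not OX Cloud's own code): map a login string to an LDAP
search filter under the lookup modes uid, email, uid-or-email and auto.

Assumptions (hypothetical, not taken from the page): the LDAP attributes are
named "uid" and "alias", and the filter shapes below are illustrative.
"""

LOOKUP_MODES = ("uid", "email", "uid-or-email", "auto")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter
    (RFC 4515), so that '*', '(', ')', '\\' or NUL in the login string cannot
    change the meaning of the filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_lookup_filter(login: str, mode: str) -> str:
    """Return the LDAP filter a given lookup mode would use for a login string."""
    if mode not in LOOKUP_MODES:
        raise ValueError(f"unknown lookup mode: {mode!r}")
    value = escape_filter_value(login)
    if mode == "uid":
        return f"(uid={value})"
    if mode == "email":
        return f"(alias={value})"
    if mode == "uid-or-email":
        # OR filter: the login may match either attribute
        return f"(|(uid={value})(alias={value}))"
    # auto: the presence of '@' in the login decides which attribute is queried
    if "@" in login:
        return f"(alias={value})"
    return f"(uid={value})"


if __name__ == "__main__":
    # Constructed sample logins, one plain username and one mail address
    for mode in LOOKUP_MODES:
        for login in ("alice", "alice@example.com"):
            print(f"{mode:13s} {login:20s} -> {build_lookup_filter(login, mode)}")
```

Running the block prints the filter each mode produces for the same two logins, which also illustrates the warning below: the same login string resolves to a different directory query once the lookup mode is switched, so the set of users that can log in changes with it.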

...

(warning) While it is possible to have different lookups available, those must be configured by Operations and should not be switched once a system is running. If e.g. the username (uid) is meant to be an internal identifier, the lookup must be changed to e.g. mail instead.

...

It is possible to offer SAML or OpenID Connect for the webmail access. Neither the IMAP access nor the other clients can use this approach.
If e.g. DAV access is expected to be enabled, a normal Authentication flow as mentioned above must still be enabled and passwords must be provisioned; otherwise the users are not able to log in.
You need to have your own URL registered in the OX Cloud environment, as it is not possible to differentiate access to the OX Cloud system before users have logged in.
It is possible to enable SSO login for webmail users. The SSO stack does not disable the normal Authentication, which is then only used for other clients like DAV or OX Mail.
Please note that it is not possible to have SSO login and normal Authentication enabled for webmail access at the same time on the same URL.

(warning) SSO integration needs alignment with Open-Xchange.

SAML

The following minimal data has to be provided to register a client for SAML.

...

The following list contains IdP software that is known to work with the OX Cloud Authentication stack without any custom development. You will still need to make the configuration changes.

  • Keycloak
    • SAML and OIDC
  • PingFederate
    • OIDC
  • Shibboleth
    • SAML

...