MFA and electronic Signature for Nextcloud

1. Overview

  • First, you must have a WebADM/OpenOTP server installed and configured. Please refer to the installation documentation for instructions on this.
  • You must have a valid license for OpenOTP and the Secure Transaction Approval feature.
  • For an online approval transaction, you need to configure a Push login infrastructure. Refer to push documentation for more details.

You need to download the following plugins:

  • OpenOTP Authentication Plugin for Nextcloud
  • OpenOTP Signature Plugin for Nextcloud

1.1 Authentication Plugin

The OpenOTP Authentication Plugin for Nextcloud enables two-factor authentication for logging in to the Nextcloud Admin/User Panel.
Username/Email and Password are validated locally; in the next step the plugin handles the second factor, i.e. the challenge, as a “Two-Factor Vendor”. The OpenOTP plugin manages several login modes, including:

  • NextCloud Password (NCP) + OTP (either fill in the input text, or easier by Pressing OK when receiving the Push Notification on mobile).
  • NCP + FidoU2F (U2F Fido authentication method, see https://fidoalliance.org/ for more details.)
  • NCP + OTP or FidoU2F

The user must exist in both the local database and the OpenOTP server (LDAP integration). The Nextcloud user name must be the same as the OTP server (LDAP) login name (or the email in NC and the UPN/alias in OpenOTP), but the password can be different (simple passwords are not sent to the OTP server). The reason is the way Nextcloud designs the two-factor vendor integration: most of the time, all the login steps can be validated against a single user backend (e.g. an authentication server), avoiding duplicate accounts.

The new plugin is compatible with the user_ldap core application. So, with just one attribute to configure in the LDAP app, it’s possible to have all the user accounts in one place, your LDAP directory. (Nextcloud needs local accounts to work properly, but they are auto-generated by the LDAP integration app.)

No more contextual authentication, account auto-creation on first login to OpenOTP, or local OR remote password validation (which avoided user lockout during configuration); remote password management (now handled by core); global or per-user permission.

When using a desktop client, you have to generate an application password in your dashboard; the OpenOTP server is not contacted to authenticate.

For mobile applications, on the other hand, the OpenOTP plugin handles login requests in the same way as for applications in your web browser. For example, if you have configured push notifications on the OpenOTP Authentication Server, you don’t have to leave your mobile: click on the notification and confirm the login.

1.2 Signature Plugin

The OpenOTP Signature Plugin for Nextcloud enables electronic signature (Click & Sign) with your mobile, using the OpenOTP Authentication Server, which validates your identity and establishes secure communication with your mobile. Your signature is secure and compliant with the eIDAS regulation.

  • Strong Authentication
  • Advanced Signature
  • Qualified Electronic Signature with our YumiSign Card Reader for iOS & Android
  • Sealing by YumiSign HSMs

2. Authentication Plugin

2.1 Installation

2.1.1 NextCloud Store

Download the OpenOTP Authentication Plugin for Nextcloud from the NextCloud Store.

2.1.2 Manually

Download the OpenOTP Authentication Plugin for Nextcloud from the RCDevs Integration Plugin download page.

Compatible with Nextcloud 14.x to 22.x (tested on 22.1.1), plugin version 1.1.0.

  1. If your PHP installation does not have the soap extension, install the php-soap package for your Linux distribution. With RedHat, do it with yum install php-soap.
  2. Upload the twofactor_rcdevsopenotp directory under the apps directory of your ownCloud.
  3. The RCDevsOpenOTP application folder must have read/write permission for the web server user (under Debian/Ubuntu: chown -R www-data:www-data twofactor_rcdevsopenotp).
  4. Navigate to the Apps page in Admin. Click on OpenOTP Two Factor Authentication in the application list, then click the Enable button.

2.2 Configuration

  • Navigate to the Admin page / Additional settings, or go directly to the configuration via the Admin button in the header.

  • Set at least the OpenOTP server URL #1 and the OpenOTP client id, click Save.

  • Choose whether users are allowed to administer two-factor authentication on their profile settings page. When activated, the user goes to the Personal section to enable or disable two-factor authentication on their account.
  • It’s possible to use the LDAP/AD Integration (user_ldap) application with the RCDevs OpenOTP (twofactor_rcdevsopenotp) application. Be sure to configure the LDAP plugin to create your local users with the uid/samaccountname. Otherwise, a randomly generated string is used as the username when accounts are auto-created during the import process. To do this, click on the Expert tab and fill in “Override UUID detection” with the correct login name attribute for your LDAP directory (uid/samaccountname…).

Next, you can adapt the search query to get the right users from the LDAP.

Finally, configure the login attribute used to get the right username of users.

  • Contextual authentication: change the LoginMode to LDAP-only for requests coming from trusted devices on trusted IPs. A user device becomes trusted for a specific IP address after a successful two-factor authentication. Contextual authentication needs a persistent cookie after logging out to work properly. Nextcloud implements the Clear-Site-Data HTTP response header (https://www.w3.org/TR/clear-site-data/#grammardef-cookies); this mechanism clears all cache, cookies and storage from the browser, including the OpenOTP context cookie. To enable this feature, you need to MANUALLY edit the file core/Controller/LoginController.php and comment out line 123 in public function logout(): //$response->addHeader('Clear-Site-Data', '"cache", "cookies", "storage", "executionContexts"'); or delete "cookies", from the same line.

Warning

Keep an admin user working without OTP in case of a problem. If not, you can:

  • Use the occ command line to disable/enable two-factor authentication for a user: (sudo -u www-data) ./occ twofactorauth:enable username
  • Switch the authentication method to Standard (Owncloud password): UPDATE PREFIXappconfig SET configvalue = 0 WHERE appid = 'twofactor_rcdevsopenotp' AND configkey = 'rcdevsopenotp_authentication_method'
  • Disable OpenOTP authentication for one (admin?) user: DELETE FROM PREFIXappconfig WHERE userid = '%yourusername%' AND appid = 'twofactor_rcdevsopenotp' AND configkey = 'enable_openotp'. Replace PREFIX by the owncloud table prefix, 'oc_' by default.
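The two recovery statements above, written out as an added example (not from the plugin's own documentation) with straight quotes, the default oc_ prefix and a check before and after each change. It assumes the app id and config keys exactly as given above, and that the per-user flag lives in the preferences table (the Nextcloud table that carries a userid column), whereas appconfig holds only the instance-wide row.

```sql
-- Added example: emergency recovery when the OpenOTP server is unreachable.
-- Assumes the default table prefix oc_ and the app id / config keys named above.
-- Run inside a transaction so a wrong match can be rolled back instead of committed.
BEGIN;

-- 1. Inspect the current instance-wide state before changing anything.
SELECT appid, configkey, configvalue
  FROM oc_appconfig
 WHERE appid = 'twofactor_rcdevsopenotp';

-- 2. Switch the whole instance back to standard (local password) authentication.
UPDATE oc_appconfig
   SET configvalue = '0'
 WHERE appid = 'twofactor_rcdevsopenotp'
   AND configkey = 'rcdevsopenotp_authentication_method';

-- 3. Alternatively, disable OpenOTP for a single (admin) user only.
-- Assumption: the per-user flag is stored in oc_preferences, the table keyed by
-- userid/appid/configkey; the page names appconfig, which has no userid column.
DELETE FROM oc_preferences
 WHERE userid = 'admin'            -- constructed sample user name, replace with yours
   AND appid = 'twofactor_rcdevsopenotp'
   AND configkey = 'enable_openotp';

-- 4. Verify what remains for the plugin, then COMMIT (or ROLLBACK if wrong rows matched).
SELECT userid, appid, configkey, configvalue
  FROM oc_preferences
 WHERE appid = 'twofactor_rcdevsopenotp';

COMMIT;
```

Step 2 alone is enough to restore password-only login for everyone; step 3 keeps two-factor enforced for all other users and exempts only the named account.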

2.3 Client Policy

A policy can be configured per application. First, create a client policy. You can name it Nextcloud.

First, log in to the WebADM graphical user interface. Click on the Admin tab and you will find a box named Client Policies.

Click on it and, on the next page, click on Add Client. Enter a Common Name and, if you want, a Description, then click on Proceed. On the next screen, click on the Create Object button. A client policy object has now been created. We are now able to configure this client policy.

Put the client ID provided by Nextcloud in the Client Name Aliases setting; this ID can be found in the webadm.log file.

2.4 Login

Log into the NextCloud portal.

Approve or deny the received push authentication.

3. Signature Plugin

3.1 Installation

3.1.1 NextCloud Store

Download the OpenOTP Signature Plugin for NextCloud from the NextCloud Store.

3.1.2 Manually

Download the OpenOTP Signature Plugin for NextCloud from the RCDevs Integration Plugin download page.

Place the OpenOTP Signature Plugin for NextCloud app in nextcloud/apps/

Building the app

The app can be built by using the provided Makefile by running: make

This requires the following things to be present:

  • make
  • which
  • tar: for building the archive
  • curl: used if phpunit and composer are not installed to fetch them from the web
  • npm: for building and testing everything JS, only required if a package.json is placed inside the js/ folder

The make command will install or update Composer dependencies if a composer.json is present, and will also run npm run build if a package.json is present in the js/ folder. The npm build script should use local paths for build systems and package managers, so that people who simply want to build the app won’t need to install npm libraries globally, e.g.:

package.json:

"scripts": {
    "test": "node node_modules/gulp-cli/bin/gulp.js karma",
    "prebuild": "npm install && node_modules/bower/bin/bower install && node_modules/bower/bin/bower update",
    "build": "node node_modules/gulp-cli/bin/gulp.js"
}

Publish to App Store

First get an account for the App Store then run:

make && make appstore

The archive is located in build/artifacts/appstore and can then be uploaded to the App Store.

Running tests

You can use the provided Makefile to run all tests by using:

make test

This will run the PHP unit and integration tests and if a package.json is present in the js/ folder will execute npm run test.

Of course you can also install PHPUnit and use the configurations directly:

phpunit -c phpunit.xml

or

phpunit -c phpunit.integration.xml

for integration tests.

3.2 Configuration

  • Navigate to the Admin page / Additional settings, or go directly to the configuration via Admin button in the header.

  • Set at least the OpenOTP server URL #1 and the OpenOTP client id, click Save.

3.3 Client Policy

A policy can be configured per application. First, create a client policy. You can name it Nextcloud.

First, log in to the WebADM graphical user interface. Click on the Admin tab and you will find a box named Client Policies.

Click on it and, on the next page, click on Add Client. Enter a Common Name and, if you want, a Description, then click on Proceed. On the next screen, click on the Create Object button. A client policy object has now been created. We are now able to configure this client policy.

Put the client ID provided by Nextcloud in the Client Name Aliases setting; this ID can be found in the webadm.log file.

3.4 Signature Sign

The following example shows a request to sign a document between two persons.

3.4.1 Request

Log into the NextCloud and choose the document to be signed. Select it with a right click and request to sign the document.

The digital signature of the file can be a self-signature, or a signature by a Nextcloud or YumiSign user.

In the header, click on the Sign button to get an overview of the pending/completed/failed signature requests.

3.4.2 Accept/Decline

The 2nd person receives a signature request from the 1st person for the document.

Sign in to the YumiSign portal and choose the login method.

Go to Pending tasks to get quick access to all the signature or review requests assigned to you.

Choose to accept or decline the request to sign that document.

Sign the document with a mobile push notification, with a QR code sent by email, or by printing the QR code.

3.4.3 Sign with PUSH

Sign the document with a mobile push notification.

  1. Receive a Signature Request from YumiSign
  2. Reject/Continue the Signature Request
  3. Review the document and reject or sign it
  4. Draw your signature and confirm it

A confirmation of the signed document is also received via email.

3.4.4 View Signature

Go to Projects to view and manage the documents in your YumiSign Portal.

Choose the document and click on Details summary.

To get an overview of the workflow, click on Timeline.

The 1st person logs into the NextCloud portal. In the header, click on the Sign button to get an overview of the pending/completed/failed signature requests.

The signed document xyz-signed.pdf is available.

The digital signature is at the end of the document.

3.5 Signature Seal

Log into NextCloud and choose the document to be sealed. Select it with a right-click and seal the document.

Now there is a new sealed document xyz-sealed.pdf available.