Articles with the tag:
Close
Changelog
Close
Try in the cloud
Try in the cloud
Help Center
Control Panel

Configuring ONLYOFFICE SP and AD FS IdP

Control Panel v3.5 ONLYOFFICE Control Panel changelog

Version 3.5.2

Release date: 02/29/2024

General

  • Added the ability to restrict access rights to the application files for the Others group.
  • Fixed issue with redirect to the portal main page when opening Control Panel after a day on Ubuntu 22.10.
  • Fixed retrieving data error when opening the backup page.
  • Fixed issue when backup with Mail is not performed after disabling and enabling encryption (added text about stopping services and the instruction to the Help Center).
  • Fixed issue when features are not saved to the new tariff when setting a quota for the portal.
  • Edited sources build.

Version 3.5

Release date: 03/14/2023

General

  • Changed API methods for migration, implemented progressQueue.
  • Changed settings for connecting third-party storages. Added tooltips for fields. Added the 'Server Side Encryption Method' block for Amazon AWS S3.
  • Added logos for dark theme in the Branding section. Logos for the About page are now separate fields in the Advanced tab.
  • Added the ability to set the portal memory quota.

Version 3.1.1

Release date: 08/08/2022

General

  • Fixed issue with file indexing.
  • Fixed elasticsearch container errors when updating ONLYOFFICE Groups.
  • Fixed issue with brand logos after updating in the Docker installation.
  • Fixed texts and layout for the Migration feature.

Version 3.1

Release date: 05/25/2022

General

  • Added the Data Import page that allows to import data from Nextcloud, ownCloud and GoogleWorkspace to ONLYOFFICE Workspace.
  • Moved Elasticsearch to a separate container.
  • Fixed bugs.

Version 3.0

Release date: 06/07/2021

Update

  • License agreement dialog when installing docker components added.
  • The inactive button with an action for uninstalled components (downloading and installing the available version) fixed.

Search

  • Indexing progress display added.

LoginHistory and AuditTrail

  • New empty screens added.

Restore

  • New checks when restoring data from a local or a 3rd party storage.

SSO

  • SSOAuth was removed from Control Panel. It's now available as a portal setting in Community Server.

General improvements and bug fixes

  • Bugs 47721, 49101, 49187, 49273, 49272, 49324, 46386, 49585 from the internal bugtracker fixed.
  • 3rd party licenses and copyright updated.

Version 2.9.1

Release date: 12/10/2020

Bug fixes

  • Bug Fixes & Performance Improvements.

Version 2.9

Release date: 10/14/2020

General

  • Control Panel is available in the free Community version with all settings excepting the editors logo replacement;
  • Added the vsyscall check to the installation scripts when installing Mail Server on Debian with kernel 4.18.0 and later;
  • Redesign of the navigation menu: added Common and Portal settings sections, added icons to menu items;
  • Added the advanced rebranding page in the Common Settings;
  • Added the possibility to reindex the full-text search;
  • Updated node.js, updated packages (transition to samlify for SSO);
  • Added the Encryption at rest block in the Storage section;
  • Added the Private Room section for the server version only;
  • Added the upgrade page with a proposal to upgrade to Enterprise Edition;
  • Added the activate page with a possibility to upload a license file;
  • Added the HideAuthPage option to the SSO settings to hide the authorization page. When the HideAuthPage option is enabled, an automatic redirect from the authorization page to the SSO service will occur.

LDAP

  • Added the Sign in to domain option on the authorization page.

Single Sign-on

  • Transition to the new samlify library;
  • Added the HideAuthPage option to the SSO settings to hide the authorization page. When the HideAuthPage option is enabled, an automatic redirect from the authorization page to the SSO service will occur.

Version 2.7

Release date: 04/25/2019

LDAP

  • Added more fields mapped for the users loaded via LDAP: user photo, birthday, contacts, primary phone number;
  • Added the setting to autosync LDAP on schedule;
  • Added the possibility to give administrator rights to the user group at the portal via LDAP;
  • Updated the rules for LDAP users.

Version 2.5.1

Release date: 04/07/2018

LDAP

  • Fixed the Server internal error error when using the groups enclosed inside each other in the AD (bug #37414).

Single Sign-on

  • Fixed the issue when the user data between the Service Provider and the portal was transferred via HTTP only, even when HTTPS was enabled.

Version 2.4.0

Release date: 01/13/2018

Single Sign-on

  • Fixed the Invalid ssoConfig error which occurred when the link to the IdP contained the question mark '?', e.g.: IdP Single Sign-On Endpoint URL: https://accounts.google.com/o/saml2/idp?idpid=777777;
  • Fixed the Invalid authentication token error which prevented from adding a user to the portal using the AD FS, in case the + or - characters were present when sending the encrypted data.

Version 2.3.0

Release date: 12/15/2017

General

  • Added the changelog for Control Panel and link to it;
  • Fixed the bug when JWT parameters were not sent when updating Document Server(bug #36270);
  • Fixed the bug when Audit Trail heading was present at the login history page (bug #36026);
  • The current machine is now checked for being linked with the domain name for multiple portals.

LDAP

  • Fixed the bug with the LDAP Domain not found error which occurred if the DN record had no DC records (the users with Sun/Oracle DS were affected); now if the LDAP domain could not be specified, the LDAP domain will acquire the unknown value or the ldap.domain value from the web.appsettings.config configuration file;
  • Fixed the bug with the Sizelimit Exceeded error when trying to get more than 1000 users from the Active Directory;
  • Increased the login speed with the Group Membership setting enabled;
  • Added additional logging;
  • Fixed the bug with LDAP operation hanging when using Mono v5.2.0 and older;
  • Fixed the bug with the error when trying to login using the email address entered in the fields different from the Mail Attribute;
  • Fixed the bug occurring in the enclosed groups, when the users were displayed not in all groups.

Version 2.2.0

Release date: 10/31/2017

General

  • Added the documentserver-prepare4shutdown.sh script launch when updating the document-server for the correct edited document saving.

LDAP

  • Dramatically changed LDAP integration, migrated to the single library for the work with LDAP (Novell.Directory.Ldap.NETStandard, Nuget, MIT);
  • Login and email are now split into two separate fields;
  • Added the support for big data;
  • Increased the work speed via the LDAP protocol (the connection to the server and receiving the data is now made once per session, added the limits when only a certain number of results is necessary, fixed the slow login for bit data, removed the sorting out used to find the SID parameter);
  • Fixed the user re-creation issue;
  • Fixed the duplicate username issue;
  • Fixed the already existing email issue;
  • Replaced the LDAP user deletion with account deactivation (for further data migration and data safety);
  • Instead of re-creating a user with an unknown SID but an existing email the data is updated;
  • Added the attempt to save the correct UserName/Login in case a similar one is already taken on the portal.

Single Sign-on

  • Added the AD FS support;
  • Replaced the Single Sign-on link at the authorization page with the customizable button, added the button customization to the SSO setting of the Control Panel.

Version 2.1.0

Release date: 07/03/2017

HTTPS

  • Added the support of letsencrypt service for the domain certificate generation.

Single Sign-on

  • Added the new sso.auth service;
  • Added the new SSO settings page;
  • Added the support for Shibboleth.

Version 2.0.0

Release date: 05/25/2017

General

  • The Control Panel migrated from MVC to Node.js.

Version 1.6.0

Release date: 12/05/2016

LDAP

  • Added LDAP synchronization for users and groups when saving the settings, after login and using the Sync button;
  • Changed email formation for LDAP users;
  • Fixed the problem of creation of users with invalid emails;
  • Fixed the problem of duplicate users;
  • Added icons and hints to the users in the list for the admin;
  • Blocked for editing the user profile fields imported using LDAP;
  • Added the real LDAP password saving to the database during login in case LDAP Auth is disabled, now the LDAP users will become common portal users when LDAP Auth is disabled;
  • Added new API Settings method - Sync LDAP;
  • Added new translations;
  • Bug fixes.

Version for Windows

  • Made changes at the Update page for the Control Panel for Windows;
  • Updates are performed using the downloaded installation packages for each module.
  • The current installed component version numbers are obtained via API request to the Community Server.
  • The new versions available for download are obtained via the request to the https://download.onlyoffice.com/install/windows/updates.txt file, where all the latest component version numbers and links for their download are stored in the JSON format.

Introduction

Single Sign-on (SSO) is a technology that allows users to sign in only once and then get access to multiple applications/services without re-authentication.

If a web portal includes several large independent sections (forum, chat, blogs etc.), a user can undergo the authentication procedure within one of the services and automatically get access to all other services without entering credentials several times.

SSO is always ensured by the joint operation of two applications: an Identity Provider and a Service Provider (also called as "IdP" and "SP"). ONLYOFFICE SSO implements the SP only. A lot of different providers can act as an IdP, but this article considers the Active Directory Federation Services (AD FS) implementation.

If you want to use SSO when connecting ONLYOFFICE Desktop Editors to your ONLYOFFICE Workspace, disable Private Rooms in the Control Panel.

System requirements

The system requirements include the following software which has been tested and proved to be working correctly with ONLYOFFICE SSO:

  • Windows Server 2008 R2, Windows Server 2016;
  • AD FS version 3.0 or later.

Preparing ONLYOFFICE Workspace for the SSO setup

  1. Install ONLYOFFICE Workspace for Docker or any later version with the SSO support (AD FS is supported starting from Community Server v9.5).
  2. Add a domain name, e.g., myportal-address.com.
  3. On your portal, go to the Control Panel -> HTTPS, create and apply the letsencrypt certificate for the traffic encryption (to enable HTTPS on your portal).

Preparing AD FS for the SSO setup

  1. Install the latest AD DS (Active Directory Domain Service) version with all official updates and patches.
  2. Install the latest AD FS version with all official updates and patches.
    To deploy AD FS from scratch you can use the following instructions.
  3. Verify that the link to the AD FS metadata is publicly available. To do that,
    1. In the Server Manager, open Tools -> AD FS Management,
    2. Go to AD FS \ Service \ Endpoints,
    3. Find the row with the Federation Metadata type in the table. The link to the IdP metadata is constructed under the following scheme:
      https://{ad-fs-domain}/{path-to-FederationMetadata.xml}
      How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP

      Alternatively, you can use the following PowerShell command:

      PS C:\Users\Administrator> (Get-ADFSEndpoint | Where {$_.Protocol -eq "FederationMetadata" -or $_.Protocol -eq "Federation Metadata"}).FullUrl.ToString()

      As a result you should get a link that looks like this:

      https://myportal-address.com/FederationMetadata/2007-06/FederationMetadata.xml
    4. To verify that AD FS has been started correctly, open the received link in a web browser. The xml should be displayed or downloaded. Copy the link to the metadata xml: it will be required at the next step.

Configuring ONLYOFFICE SP

  1. Make sure that you are signed in as an Administrator to your ONLYOFFICE Control Panel and click the SSO tab in the PORTAL SETTINGS section on the left sidebar.
    You can only register one enterprise Identity Provider for your organization on the ONLYOFFICE portal.
    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP
  2. Enable SSO using the Enable Single Sign-on Authentication switcher and paste the link copied from the AD FS into the URL to Idp Metadata XML field.
    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP

    Press the button with the upward arrow to load the IdP metadata. The ONLYOFFICE SP Settings form will be automatically filled in with your data from the AD FS IdP.

  3. In the Custom login button caption field, you can enter any text instead of the default one (Single Sign-on). This text will be displayed on the button used to login to the portal with the Single Sign-on service at the ONLYOFFICE authentication page.
    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP
  4. In the NameID Format selector, choose the following value: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP
  5. In the IdP Public Certificates \ Advanced settings section, uncheck the Verify Logout Response Signature option, as AD FS does not require that by default.
    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP
  6. Now you need to add certificates to the SP Certificates section. You can generate self-signed certificates or add any other certificates.
    in the New Certificate window, switch the Use for selector to the signing and encrypt option, as AD FS IdP is automatically configured to verify digital signatures and encrypt data.
    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP

    You should get nearly the same result:

    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP
  7. In the SP Certificates \ Advanced settings, uncheck the Sign Logout Responses, as AD FS does not require that by default.
    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP
    It is not necessary to adjust the Attribute Mapping form, as we will set these parameters in the AD FS IdP later. In the Advanced Settings section, you can check the Hide auth page option to hide the default authentication page and automatically redirect to the SSO service.
    ImportantIf you need to restore the default authentication page (to be able to access the portal if you your IDP server fails), you can add the /Auth.aspx?skipssoredirect=true key after the domain name of your portal in the browser address bar.
  8. Click the Save button. The ONLYOFFICE SP Metadata section should be opened.
    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP

    Verify that our settings are publicly available by clicking the Download SP Metadata XML button. The XML file contents should be displayed.

  9. Copy the link to the ONLYOFFICE SP metadata from the SP Entity ID (link to metadata XML) field and go to the machine where AD FS is installed.
    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP

Configuring AD FS IdP

  1. Enable strong authentication for .NET applications.

    The .NET Framework 3.5/4.0/4.5.x applications can switch the default protocol to TLS 1.2 by enabling the SchUseStrongCrypto registry key. This registry key will force .NET applications to use TLS 1.2.

    For AD FS on Windows Server 2016 and Windows Server 2012 R2 you need to use the .NET Framework 4.0/4.5.x key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319

    For the .NET Framework 3.5 use the following registry key:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727] "SchUseStrongCrypto"=dword:00000001

    For the .NET Framework 4.0/4.5.x use the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 "SchUseStrongCrypto"=dword:00000001
    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP

    Alternatively, you can use the following PowerShell command:

    New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -name 'SchUseStrongCrypto' -value '1' -PropertyType 'DWord' -Force | Out-Null

    For more details, please refer to this article.

  2. In the Server Manager, open Tools -> AD FS Management,
    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP
  3. In the AD FS Management panel, select the Trust Relationships > Relying Party Trusts. Click the Add Relying Party Trust... option on the right. The Add Relying Party Trust Wizard opens,
    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP
  4. In the wizard window, select the Import data about the relying party published online or on a local network radio button, paste the previously copied link to the ONLYOFFICE SP metadata into the Federation metadata address (host name or URL) field and click the Next button,
    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP
  5. In the Display name field, specify any name and click the Next button,
    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP
  6. Select the I do not want to configure multi-factor authentication settings for this relying party trust at this time option and click the Next button,
    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP
  7. Select the Permit all users to access this relying party option and click the Next button,
    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP
  8. Check the resulting settings and click the Next button,
    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP
  9. Leave the default option unchanged and click the Close button,
    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP
  10. A new window opens. At the Issuance Transform Rules tab, click the Add Rule... button,
    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP
  11. Select the Send LDAP Attributes as Claims option from the Claim rule template list and click the Next button,
    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP
  12. Type in any name in the Claim rule name field. Select the Active Directory option from the Attribute store list and fill in the Mapping of LDAP attributes to outgoing claim types form according to the table below. When ready, click Finish.
    LDAP Attribute (Select or type to add more) Outgoing Claim Type (Select or type to add more)
    Given-Name givenName
    Surname sn
    E-Mail-Addresses mail
    Telephone-Number mobile
    Title title
    physicalDeliveryOfficeName l
    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP
  13. In the Edit Claim Rules window, click the Add Rule... button once again, select the Transform an Incoming Claim option from the Claim rule template list and click the Next button,
    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP
  14. Type in any name in the Claim rule name field and select the following options from the lists:
    • Incoming claim type: mail,
    • Outgoing claim type: Name ID,
    • Outgoing name ID format: Email
    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP

    When ready, click the Finish button.

    You should get nearly the same result:

    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP

    If logout from AD FS does not work, it's recommended to add a Custom Claim Rule replacing {portal-domain} with your SP domain and changing {ad-fs-domain} to your IdP domain:

    c:[Type == "mail"]
     => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://{ad-fs-domain}/adfs/services/trust", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "https://{portal-domain}/sso/metadata");
    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP
  15. Click the OK button,
  16. So that SSO can work from the intranet you need to enable the Forms Authentication option in the Edit Global Authentication Policy (contextual menu AD FS / Authentication Policies),
    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP
  17. Open the properties of the created relying party trust and switch to the Advanced tab,
    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP

    Select the SHA-1 option in the Secure hash algorithm list.

    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP

Checking the work of the ONLYOFFICE SP with the AD FS IdP

Logging in to ONLYOFFICE on the SP side
  1. Go to the ONLYOFFICE Authentication page (e.g., https://myportal-address.com/auth.aspx).
  2. Click the Single sign-on button (the caption may differ if you have specified your own text when configuring ONLYOFFICE SP). If the button is missing, this means that SSO is not enabled.
    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP
  3. If all the SP and IdP parameters are set correctly, we will be redirected to the AD FS IdP login form:
    How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP
  4. Enter the login and password of the AD FS IdP account and click the Sign in button.
  5. If the credentials are correct, we will be redirected to the main page of the portal (the user will be created automatically if missing, or the data will be updated if changed in the IDP).
Profiles for users added with SSO authentication

The possibility to edit user profiles created using the SSO authentication is restricted. The user profile fields received from the IdP are disabled for editing (i.e. First Name, Last Name, Email, Title and Location). You can edit these fields from your IdP account only.

The figure below shows the Actions menu for an SSO user:

How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP

The following figure shows an SSO user profile opened for editing:

How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP

The users created using the SSO authentication are marked with the SSO icon in the user list for the portal administrators:

How to configure ONLYOFFICE SP and AD FS IdP How to configure ONLYOFFICE SP and AD FS IdP
Download Host on your own server Available for
Docker, Windows and Linux
You Might Also Like This:
Close