Configuring ONLYOFFICE SP and ADFS IdP

Introduction

Single Sign-on (SSO) is a technology that allows users to sign in only once and then get access to multiple applications/services without re-authentication.

SSO is always ensured by the joint operation of two applications: an Identity Provider and a Service Provider (also called as "IdP" and "SP"). ONLYOFFICE SSO implements the SP only. A lot of different providers can act as an IdP, but this article considers the Active Directory Federation Services (AD FS) implementation.

Preparing AD FS for the SSO setup

1. Install the latest AD DS (Active Directory Domain Service) version with all official updates and patches.
2. Install the latest AD FS version with all official updates and patches.
   To deploy AD FS from scratch you can use the following instructions.
3. Verify that the link to the AD FS metadata is publicly available. To do that,
   1. In the Server Manager, open Tools -> AD FS Management,
   2. Go to AD FS \ Service \ Endpoints,
   3. Find the row with the Federation Metadata type in the table. The link to the IdP metadata is constructed under the following scheme:

      https://{ad-fs-domain}/{path-to-FederationMetadata.xml}

      Alternatively, you can use the following PowerShell command:

      PS C:\Users\Administrator> (Get-ADFSEndpoint | Where {$_.Protocol -eq "FederationMetadata" -or $_.Protocol -eq "Federation Metadata"}).FullUrl.ToString()

      As a result you should get a link that looks like this:

      https://myportal-address.com/FederationMetadata/2007-06/FederationMetadata.xml

   4. To verify that AD FS has been started correctly, open the received link in a web browser. The xml should be displayed or downloaded.
      

      Copy the link to the metadata xml: it will be required at the next step. Make sure that you are signed in as an Administrator to your ONLYOFFICE DocSpace. Open the Settings -> Integration -> Single Sign-On page.

Configuring ONLYOFFICE SP

1. 
   Enable SSO using the Enable Single Sign-on Authentication switcher and paste the link copied from the AD FS into the URL to Idp Metadata XML field.
   
2. Press the button with the upward arrow to load the IdP metadata. The ONLYOFFICE SP Settings form will be automatically filled in with your data from the AD FS IdP.
   
3. In the NameID Format selector, choose the following value: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
   
4. In the IdP Public Certificates \ Advanced settings section, uncheck the Verify Logout Response Signature option, as AD FS does not require that by default.
   
5. Now you need to add certificates to the SP Certificates section. You can generate self-signed certificates or add any other certificates.
   Importantin the New Certificate window, switch the Use for selector to the signing and encrypt option, as AD FS IdP is automatically configured to verify digital signatures and encrypt data.
   
6. In the SP Certificates \ Advanced settings, uncheck the Sign Logout Responses, as AD FS does not require that by default.
   
7. It is not necessary to adjust the Attribute Mapping form, as we will set these parameters in the AD FS IdP later.
8. Click the Save button.
9. The ONLYOFFICE SP Metadata section should be opened.
   
10. Verify that our settings are publicly available by clicking the Download SP Metadata XML button. The XML file contents should be displayed.
    
11. Copy the link to the ONLYOFFICE SP metadata from the SP Entity ID (link to metadata XML) field and go to the machine where AD FS is installed.
    

Configuring AD FS IdP

1. In the Server Manager, open Tools -> AD FS Management,
   
2. In the AD FS Management panel, select the Trust Relationships > Relying Party Trusts. Click the Add Relying Party Trust... option on the right. The Add Relying Party Trust Wizard opens,
   
3. In the wizard window, select the Import data about the relying party published online or on a local network radio button, paste the previously copied link to the ONLYOFFICE SP metadata into the Federation metadata address (host name or URL) field and click the Next button,
   
4. In the Display name field, specify any name and click the Next button,
   
5. Select the Permit everyone option and click the Next button,
   
6. Check the resulting settings and click the Next button,
   
7. Leave the default option unchanged and click the Close button,
   
8. A new window opens. At the Edit Claim Issuance Policy tab, click the Add Rule... button,
   
9. Select the Send LDAP Attributes as Claims option from the Claim rule template list and click the Next button,
   
10. Type in any name in the Claim rule name field. Select the Active Directory option from the Attribute store list and fill in the Mapping of LDAP attributes to outgoing claim types form according to the table below. When ready, click Finish.

    LDAP Attribute (Select or type to add more)	Outgoing Claim Type (Select or type to add more)
    Given-Name	GivenName
    Surname	sn
    E-Mail-Addresses	mail

    
11. In the Edit Claim Rules window, click the Add Rule... button once again, select the Transform an Incoming Claim option from the Claim rule template list and click the Next button,
    
12. Type in any name in the Claim rule name field and select the following options from the lists:
    • Incoming claim type: mail,
    • Outgoing claim type: Name ID,
    • Outgoing name ID format: Email
    

    When ready, click the Finish button.

13. If logout from AD FS does not work, it's recommended to add a Custom Claim Rule replacing {portal-domain} with your SP domain and changing {ad-fs-domain} to your IdP domain:

    c:[Type == "mail"]
     => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://{ad-fs-domain}/adfs/services/trust", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "https://{portal-domain}/sso/metadata");

    
14. Click the OK button,
15. Open the properties of the created relying party trust and switch to the Advanced tab,

    Select the SHA-1 option in the Secure hash algorithm list.