Configuring ONLYOFFICE SP and Okta IdP

Introduction

Single Sign-on (SSO) is a technology that allows users to sign in only once and then get access to multiple applications/services without re-authentication.

SSO is always ensured by the joint operation of two applications: an Identity Provider and a Service Provider (also called as "IdP" and "SP"). ONLYOFFICE SSO implements the SP only. A lot of different providers can act as an IdP, but this article considers the Okta implementation.

Creating an IdP in Okta

1. Sign up for Okta.
2. Go to the Applications -> Applications menu.
   
3. Click the Create App Integration button:
   
4. Select the SAML 2.0 option and click the Next button.
   
5. In the App name field, enter any name, for example, "IDP Okta DocSpace", to distinguish this application from others, and click the Next button.
   
6. Fill in the fields according to the table below:
   Please specify your own domain name or public IP where your ONLYOFFICE SP is hosted instead of myportal-address.com.

   Application Details
   Single sign-on URL	https://myportal-address.com/sso/acs
   Audience URI (SP Entity ID)	https://myportal-address.com/sso/
   Default RelayState	https://myportal-address.com
   Name ID format	EmailAddress
   Application username	Email
   Update application username on	Create and Update
   Response	Signed
   Assertion Signature	Signed
   Signature Algorithm	RSA-SHA256
   Digest Algorithm	SHA256
   Assertion Encryption	Encrypted
   Encryption Algorithm	AES128-CBC
   Key Transport Algorithm	RSA-OAEP
   Authentication context class	X.509 Certificate

   
   
   
7. In the Attribute Statements form, click Add Another and create 3 parameters (givenName, sn, mail) specifying a value from the Value list, suitable for issuing from the field catalog of the LDAP directory.
   
8. Go to the ONLYOFFICE portal signing in as an administrator. Open the Settings -> Integration -> Single Sign-On page.
9. Enable SSO using the Enable Single Sign-on Authentication switcher.
10. Now you need to create a certificate in the SP Certificates section. To do that, click the Add certificate button in the corresponding section.
    
11. In the opened modal window, click the Generate New Self-Signed Certificate link, choose the signing and encrypt option in the Use for list. Before you save the certificate, copy the Public Certificate text to the clipboard (it will be necessary for Okta), then click the OK button.
    
12. Open any editor, paste the copied text and save the file with the .pem extension.
    
13. Return to the Okta application creation form. In the Encryption Certificate field, select the newly created public key.
    
14. Click the Next button at the end of the form.
    
15. Click the Finish button.
    
16. In the application description that opens, copy the link from the Metadata URL field.
    
17. Return to the Single Sign-On page on the ONLYOFFICE portal. Paste the copied link to the field for uploading metadata XML.
    

    Specify the login button caption.

    
18. Click the Save button.
19. The ONLYOFFICE SP Metadata section should be opened with the Donwnload SP Metadata XML button.
    
20. To configure logout, return to the Okta settings. In the Signature Certificate field, specify a certificate, for example, from step 12. Fill out the Single Logout URL and SP Issuer fields according to th example below.
    
21. To create users in Okta and provide them access to our ONLYOFFICE SP, perform the following steps:
    1. go to the Okta Directory -> People submenu,
       
    2. click the Add person button,
       
    3. fill in the form and click Save,
       
    4. go to the Applications -> Applications menu and click the created application,
       
    5. click Assign -> Assign to People. In the opened window, select the necessary users and click Assign. Close the window by clicking Done.
       

Checking the work of the ONLYOFFICE SP with the Okta IdP

Logging in to ONLYOFFICE on the SP side

1. Go to the ONLYOFFICE Authentication page (e.g., https://myportal-address.com/Auth.aspx).
2. Click the Single sign-on button. If the button is missing, this means that SSO is not enabled.
   
3. If all the SP and IdP parameters are set correctly, we will be redirected to the Okta IdP login form:
   
4. Enter the login and password of the user who has been granted access to the ONLYOFFICE SP and click the LOG IN button.
5. If the credentials are correct, we will be redirected to the main page of the portal (the user will be created automatically if missing, or the data will be updated if changed in the IDP).