Cerrar

Centro de ayuda

Control Panel

Ajustes Updating ONLYOFFICE Groups for Windows to the latest version Connecting ONLYOFFICE Docs to ONLYOFFICE Groups

Cómo configurar ONLYOFFICE SP y OneLogin IdP

Control Panel v3.5 ONLYOFFICE Control Panel changelog

Open in new window

Version 3.5.2

Release date: 02/29/2024

General

Added the ability to restrict access rights to the application files for the Others group.
Fixed issue with redirect to the portal main page when opening Control Panel after a day on Ubuntu 22.10.
Fixed retrieving data error when opening the backup page.
Fixed issue when backup with Mail is not performed after disabling and enabling encryption (added text about stopping services and the instruction to the Help Center).
Fixed issue when features are not saved to the new tariff when setting a quota for the portal.
Edited sources build.

Version 3.5

Release date: 03/14/2023

General

Changed API methods for migration, implemented progressQueue.
Changed settings for connecting third-party storages. Added tooltips for fields. Added the 'Server Side Encryption Method' block for Amazon AWS S3.
Added logos for dark theme in the Branding section. Logos for the About page are now separate fields in the Advanced tab.
Added the ability to set the portal memory quota.

Version 3.1.1

Release date: 08/08/2022

General

Fixed issue with file indexing.
Fixed elasticsearch container errors when updating ONLYOFFICE Groups.
Fixed issue with brand logos after updating in the Docker installation.
Fixed texts and layout for the Migration feature.

Version 3.1

Release date: 05/25/2022

General

Added the Data Import page that allows to import data from Nextcloud, ownCloud and GoogleWorkspace to ONLYOFFICE Workspace.
Moved Elasticsearch to a separate container.
Fixed bugs.

Version 3.0

Release date: 06/07/2021

Update

License agreement dialog when installing docker components added.
The inactive button with an action for uninstalled components (downloading and installing the available version) fixed.

Indexing progress display added.

LoginHistory and AuditTrail

New empty screens added.

Restore

New checks when restoring data from a local or a 3rd party storage.

SSO

SSOAuth was removed from Control Panel. It's now available as a portal setting in Community Server.

General improvements and bug fixes

Bugs 47721, 49101, 49187, 49273, 49272, 49324, 46386, 49585 from the internal bugtracker fixed.
3rd party licenses and copyright updated.

Version 2.9.1

Release date: 12/10/2020

Bug fixes

Bug Fixes & Performance Improvements.

Version 2.9

Release date: 10/14/2020

General

Control Panel is available in the free Community version with all settings excepting the editors logo replacement;
Added the vsyscall check to the installation scripts when installing Mail Server on Debian with kernel 4.18.0 and later;
Redesign of the navigation menu: added Common and Portal settings sections, added icons to menu items;
Added the advanced rebranding page in the Common Settings;
Added the possibility to reindex the full-text search;
Updated node.js, updated packages (transition to samlify for SSO);
Added the Encryption at rest block in the Storage section;
Added the Private Room section for the server version only;
Added the upgrade page with a proposal to upgrade to Enterprise Edition;
Added the activate page with a possibility to upload a license file;
Added the HideAuthPage option to the SSO settings to hide the authorization page. When the HideAuthPage option is enabled, an automatic redirect from the authorization page to the SSO service will occur.

LDAP

Added the Sign in to domain option on the authorization page.

Single Sign-on

Transition to the new samlify library;
Added the HideAuthPage option to the SSO settings to hide the authorization page. When the HideAuthPage option is enabled, an automatic redirect from the authorization page to the SSO service will occur.

Version 2.7

Release date: 04/25/2019

LDAP

Added more fields mapped for the users loaded via LDAP: user photo, birthday, contacts, primary phone number;
Added the setting to autosync LDAP on schedule;
Added the possibility to give administrator rights to the user group at the portal via LDAP;
Updated the rules for LDAP users.

Version 2.5.1

Release date: 04/07/2018

LDAP

Fixed the Server internal error error when using the groups enclosed inside each other in the AD (bug #37414).

Single Sign-on

Fixed the issue when the user data between the Service Provider and the portal was transferred via HTTP only, even when HTTPS was enabled.

Version 2.4.0

Release date: 01/13/2018

Single Sign-on

Fixed the Invalid ssoConfig error which occurred when the link to the IdP contained the question mark '?', e.g.: IdP Single Sign-On Endpoint URL: https://accounts.google.com/o/saml2/idp?idpid=777777;
Fixed the Invalid authentication token error which prevented from adding a user to the portal using the AD FS, in case the + or - characters were present when sending the encrypted data.

Version 2.3.0

Release date: 12/15/2017

General

Added the changelog for Control Panel and link to it;
Fixed the bug when JWT parameters were not sent when updating Document Server(bug #36270);
Fixed the bug when Audit Trail heading was present at the login history page (bug #36026);
The current machine is now checked for being linked with the domain name for multiple portals.

LDAP

Fixed the bug with the LDAP Domain not found error which occurred if the DN record had no DC records (the users with Sun/Oracle DS were affected); now if the LDAP domain could not be specified, the LDAP domain will acquire the unknown value or the ldap.domain value from the web.appsettings.config configuration file;
Fixed the bug with the Sizelimit Exceeded error when trying to get more than 1000 users from the Active Directory;
Increased the login speed with the Group Membership setting enabled;
Added additional logging;
Fixed the bug with LDAP operation hanging when using Mono v5.2.0 and older;
Fixed the bug with the error when trying to login using the email address entered in the fields different from the Mail Attribute;
Fixed the bug occurring in the enclosed groups, when the users were displayed not in all groups.

Version 2.2.0

Release date: 10/31/2017

General

Added the documentserver-prepare4shutdown.sh script launch when updating the document-server for the correct edited document saving.

LDAP

Dramatically changed LDAP integration, migrated to the single library for the work with LDAP (Novell.Directory.Ldap.NETStandard, Nuget, MIT);
Login and email are now split into two separate fields;
Added the support for big data;
Increased the work speed via the LDAP protocol (the connection to the server and receiving the data is now made once per session, added the limits when only a certain number of results is necessary, fixed the slow login for bit data, removed the sorting out used to find the SID parameter);
Fixed the user re-creation issue;
Fixed the duplicate username issue;
Fixed the already existing email issue;
Replaced the LDAP user deletion with account deactivation (for further data migration and data safety);
Instead of re-creating a user with an unknown SID but an existing email the data is updated;
Added the attempt to save the correct UserName/Login in case a similar one is already taken on the portal.

Single Sign-on

Added the AD FS support;
Replaced the Single Sign-on link at the authorization page with the customizable button, added the button customization to the SSO setting of the Control Panel.

Version 2.1.0

Release date: 07/03/2017

HTTPS

Added the support of letsencrypt service for the domain certificate generation.

Single Sign-on

Added the new sso.auth service;
Added the new SSO settings page;
Added the support for Shibboleth.

Version 2.0.0

Release date: 05/25/2017

General

The Control Panel migrated from MVC to Node.js.

Version 1.6.0

Release date: 12/05/2016

LDAP

Added LDAP synchronization for users and groups when saving the settings, after login and using the Sync button;
Changed email formation for LDAP users;
Fixed the problem of creation of users with invalid emails;
Fixed the problem of duplicate users;
Added icons and hints to the users in the list for the admin;
Blocked for editing the user profile fields imported using LDAP;
Added the real LDAP password saving to the database during login in case LDAP Auth is disabled, now the LDAP users will become common portal users when LDAP Auth is disabled;
Added new API Settings method - Sync LDAP;
Added new translations;
Bug fixes.

Version for Windows

Made changes at the Update page for the Control Panel for Windows;
Updates are performed using the downloaded installation packages for each module.
The current installed component version numbers are obtained via API request to the Community Server.
The new versions available for download are obtained via the request to the https://download.onlyoffice.com/install/windows/updates.txt file, where all the latest component version numbers and links for their download are stored in the JSON format.

Introducción

Single Sign-on (SSO) es una tecnología que permite a los usuarios ingresar sólo una vez y luego obtener acceso a múltiples aplicaciones/servicios sin re-autenticación.

Si un portal web incluye varias secciones amplias e independientes (foros, chat, blogs etc.), un usuario puede someterse a un procedimiento de autenticación en uno de los servicios y automáticamente obtener acceso a todos los demás servicios sin tener que ingresar las credenciales vaias veces.

SSO es siempre una operación conjunta de dos aplicaciones: un Proveedor de Identidad y un Proveedor de Servicios (en lo sucesivo denominados "IdP" y "SP"). ONLYOFFICE SSO aplica sólo SP. Diferentes proveedores pueden actuar como IdP, pero este artículo considera la implementación de OneLogin.

If you want to use SSO when connecting ONLYOFFICE Desktop Editors to your ONLYOFFICE Workspace, disable Private Rooms in the Control Panel.

Preparación de ONLYOFFICE Workspace para configurar SSO

Instale ONLYOFFICE Workspace v. 11.0.0 para Docker o cualquier versión posterior con el soporte de SSO.
Añada un nombre del dominio, por ejemplo, myportal-address.com.
En su portal vaya al Panel de Control -> HTTPS, cree y aplique el certificado letsencrypt para la encriptación del tráfico (para activar HTTPS en su portal).

Creación de un IdP en OneLogin

Regístrese en OneLogin, si aún no ha registrado.
Ingrese en OneLogin como administrador.
Go to the Administration section.
Click the Applications menu. Click the Add App button.
En el campo de búsqueda Find Application escriba el siguiente texto: SAML Custom Connector (Advanced):
Seleccione la opción encontrada.
En la nueva ventana abierta introduzca cualquier nombre en el campo Display Name para distinguir esta aplicación de las otras, reemplace iconos por los suyos propios y pulse el botón Guardar.

Vaya al submenú Configuración y complete los campos de acuerdo a la tabla siguiente:

Por favor, especifique su propio nombre de dominio o dirección IP pública donde su ONLYOFFICE SP está alojado en lugar de myportal-address.com.

How to configure ONLYOFFICE SP and OneLogin IdP

Application Details
RelayState	https://myportal-address.com
Audience (EntityID)	https://myportal-address.com/sso/
Recipient	https://myportal-address.com/sso/acs
ACS (Consumer) URL Validator*	^https:\/\/myportal-address\.com\/sso\/acs\/$
ACS (Consumer) URL*	https://myportal-address.com/sso/acs
Single Logout URL	https://myportal-address.com/sso/slo/callback
SAML initiator	Service Provider
SAML nameID format	Email
SAML issuer type	Specific
SAML signature element	Assertion
Encrypt assertion	(check this box)
SAML encryption method	AES-128-CBC
Sign SLO Request	(check this box)
Sign SLO Response	(check this box)

Haga clic en el botón Save y vaya al submenú Parameters.
Use el botón + para crear 5 parámetros (givenName, sn, mail, title, mobile). Check the Include in SAML assertion option and specify a value from the Value list, suitable for issuing from the field catalog of the LDAP directory, for all of them:
Una vez que se completan todos los campos necesarios para atributos en confirmaciones SAML en el IdP, Usted debe lograr casi el mismo resultado como se muestra en la imagen debajo. Pulse el botón Save.
Vaya al submenú SSO. Choose a valid certificate from the certificate list by clicking the Change link, if you have several certificates. In the SAML Signature Algorithm field, leave the SHA-1 option and click the Save button:
Copie el enlace del campo Issuer URL (por ejemplo, https://app.onelogin.com/saml/metadata/4d87973f-629d-4a52-812e-bde45eff92b8) y vaya al portal ONLYOFFICE ingresando como un administrador. Abra la página Panel de Control -> SSO.

Configuración de ONLYOFFICE SP

Asegúrese de que se ha registrado como Administrador en el Panel de Control de ONLYOFFICE y haga clic en la pestaña SSO.
Usted puede registrar sólo un proveedor de identidad corporativo para su organización en el portal ONLYOFFICE.
Active SSO usando el conmutador Activar Autenticación Single Sign-on y pegue el enlace copiado del Issuer URL de OneLogin en el campo URL al XML Metadatos Idp.

Pulse el botón con la flecha hacia arriba para cargar los metadatos IdP. El formulario Ajustes de ONLYOFFICE SP se llenará automáticamente con sus datos del OneLogin IdP.
En el campo Texto personalizado para botón de acceso Usted puede introducir cualquier texto en vez del estándar (Single Sign-on). Este texto se mostrará en el botón usado para acceso al portal con el servicio Single Sign-on en la página de autenticación de ONLYOFFICE.
Ahora Usted necesita crear un certificado a la sección Certificados de SP. To do that, click the Add certificate button in the corresponding section.
In the opened modal window, click the Generate New Self-Signed Certificate link, choose the signing and encrypt option in the Use for list. Before you save the certificate, copy the Public Certificate text to the clipboard (it will be necessary for OneLogin), then click the OK button.
Usted debe lograr casi el mismo resultado:

No es necesario ajustar el formulario Mapeo de atributos, es que hemos especificado los mismos parámetros al crear OneLogin IdP. The following values are used:

First Name	givenName
Last Name	sn
Email	mail
Location	l
Title	title
Phone	mobile

In the Advanced Settings section, you can check the Hide auth page option to hide default authentication page and automatically redirect to SSO service.

Pulse el botón Guardar. Se abrirá la sección Metadatos de ONLYOFFICE SP. Verifique que nuestros ajustes están disponibles al público pulsando el botón Descargar XML de Metadatos de SP. El contenido del archivo XML debe ser mostrado.
Return to OneLogin to set up encryption, open your application and go to the Configuration setting. Scroll down the page - the new SAML Encryption field for entering an encryption key should appear. Paste the copied Public Certificate text from the step 4 of this instruction into this field and click the Save button:

Creación de usuarios en OneLogin y prestación acceso al ONLYOFFICE

Para crear usuarios en OneLogin y proporcionar acceso a nuestro ONLYOFFICE SP realice los pasos siguientes:

vaya a la página All Users en OneLogin ingresando como un administrador,
cree un usuario nuevo o edite uno ya existente,
vaya al submenú Applications, haga clic en el botón +,
seleccione nuestra aplicación recientemente creada de la lista y pulse el botón CONTINUE,
en la nueva ventana abierta añada los datos que faltan, haga clic en el botón SAVE,
ahora el usuario puede trabajar en ONLYOFFICE SP.

Verificación del funcionamiento de ONLYOFFICE SP con OneLogin IdP

Acceso al ONLYOFFICE en el lado de SP

Vaya a la página de Autenticación de ONLYOFFICE (por ejemplo, https://myportal-address.com/Auth.aspx).
Pulse el botón Single sign-on (el nombre del botón puede variar si Usted ha especificado su propio texto al configurar ONLYOFFICE SP). Si el botón está desaparecido, esto significa que SSO no está activado.
Si todos los parámetros de SP y IdP están correctamente configurados, nos redirigirá al formulario de acceso en OneLogin IdP:
Introduzca el login y la contraseña del usuario que se ha concedido acceso al ONLYOFFICE SP y haga clic en el botón LOG IN.
Si las credenciales son correctas, nos redirigirá a la página principal del portal (si no hay tal usuario en el portal, él se creará automáticamente, o si los datos han sido modificados en el IDP, ellos se actualizarán).

Cierre de la sesión del ONLYOFFICE SP

Cierre de la sesión se puede realizar desde el portal usando el menú Salir. También el usuario debe desconectarse automáticamente del OneLogin IdP si él/ella ha salido de todas las otras aplicaciones a las que él/ella se ha concedido acceso en OneLogin y en las que él/ella ha ingresado antes.
Después de cerrar la sesión con éxito, se le redirigirá a la página de autenticación del portal.
If you click the Single Sign-on button once again, you will be redirected to the OneLogin login page again (this means that you successfully logged out from the portal):

Perfiles de usuarios añadidos con autenticación SSO

La posibilidad de editar perfiles de usuarios creados usando la autenticación SSO está restringida. Los campos del perfil de usuario recibidos del IdP están desactivados para edición (como Nombre, Apellido, Correo, Posición y Ubicación). Usted puede editar estos campos sólo en su cuenta IdP.

La imagen debajo muestra el menú "Acciones" para un usuario SSO: