Artículos con :
Cerrar
Changelog
Cerrar
Centro de ayuda
Control Panel

Cómo configurar ONLYOFFICE SP y Shibboleth IdP

Control Panelv.2.9 ONLYOFFICE Control Panel changelog

Version 2.9.1

Release date: 12/10/2020

Bug fixes

  • Bug Fixes & Performance Improvements.

Version 2.9

Release date: 10/14/2020

General

  • Control Panel is available in the free Community version with all settings excepting the editors logo replacement;
  • Added the vsyscall check to the installation scripts when installing Mail Server on Debian with kernel 4.18.0 and later;
  • Redesign of the navigation menu: added Common and Portal settings sections, added icons to menu items;
  • Added the advanced rebranding page in the Common Settings;
  • Added the possibility to reindex the full-text search;
  • Updated node.js, updated packages (transition to samlify for SSO);
  • Added the Encryption at rest block in the Storage section;
  • Added the Private Room section for the server version only;
  • Added the upgrade page with a proposal to upgrade to Enterprise Edition;
  • Added the activate page with a possibility to upload a license file;
  • Added the HideAuthPage option to the SSO settings to hide the authorization page. When the HideAuthPage option is enabled, an automatic redirect from the authorization page to the SSO service will occur.

LDAP

  • Added the Sign in to domain option on the authorization page.

Single Sign-on

  • Transition to the new samlify library;
  • Added the HideAuthPage option to the SSO settings to hide the authorization page. When the HideAuthPage option is enabled, an automatic redirect from the authorization page to the SSO service will occur.

Version 2.7

Release date: 04/25/2019

LDAP

  • Added more fields mapped for the users loaded via LDAP: user photo, birthday, contacts, primary phone number;
  • Added the setting to autosync LDAP on schedule;
  • Added the possibility to give administrator rights to the user group at the portal via LDAP;
  • Updated the rules for LDAP users.

Version 2.5.1

Release date: 04/07/2018

LDAP

  • Fixed the Server internal error error when using the groups enclosed inside each other in the AD (bug #37414).

Single Sign-on

  • Fixed the issue when the user data between the Service Provider and the portal was transferred via HTTP only, even when HTTPS was enabled.

Version 2.4.0

Release date: 01/13/2018

Single Sign-on

  • Fixed the Invalid ssoConfig error which occurred when the link to the IdP contained the question mark '?', e.g.: IdP Single Sign-On Endpoint URL: https://accounts.google.com/o/saml2/idp?idpid=777777;
  • Fixed the Invalid authentication token error which prevented from adding a user to the portal using the AD FS, in case the + or - characters were present when sending the encrypted data.

Version 2.3.0

Release date: 12/15/2017

General

  • Added the changelog for Control Panel and link to it;
  • Fixed the bug when JWT parameters were not sent when updating Document Server(bug #36270);
  • Fixed the bug when Audit Trail heading was present at the login history page (bug #36026);
  • The current machine is now checked for being linked with the domain name for multiple portals.

LDAP

  • Fixed the bug with the LDAP Domain not found error which occurred if the DN record had no DC records (the users with Sun/Oracle DS were affected); now if the LDAP domain could not be specified, the LDAP domain will acquire the unknown value or the ldap.domain value from the web.appsettings.config configuration file;
  • Fixed the bug with the Sizelimit Exceeded error when trying to get more than 1000 users from the Active Directory;
  • Increased the login speed with the Group Membership setting enabled;
  • Added additional logging;
  • Fixed the bug with LDAP operation hanging when using Mono v5.2.0 and older;
  • Fixed the bug with the error when trying to login using the email address entered in the fields different from the Mail Attribute;
  • Fixed the bug occurring in the enclosed groups, when the users were displayed not in all groups.

Version 2.2.0

Release date: 10/31/2017

General

  • Added the documentserver-prepare4shutdown.sh script launch when updating the document-server for the correct edited document saving.

LDAP

  • Dramatically changed LDAP integration, migrated to the single library for the work with LDAP (Novell.Directory.Ldap.NETStandard, Nuget, MIT);
  • Login and email are now split into two separate fields;
  • Added the support for big data;
  • Increased the work speed via the LDAP protocol (the connection to the server and receiving the data is now made once per session, added the limits when only a certain number of results is necessary, fixed the slow login for bit data, removed the sorting out used to find the SID parameter);
  • Fixed the user re-creation issue;
  • Fixed the duplicate username issue;
  • Fixed the already existing email issue;
  • Replaced the LDAP user deletion with account deactivation (for further data migration and data safety);
  • Instead of re-creating a user with an unknown SID but an existing email the data is updated;
  • Added the attempt to save the correct UserName/Login in case a similar one is already taken on the portal.

Single Sign-on

  • Added the AD FS support;
  • Replaced the Single Sign-on link at the authorization page with the customizable button, added the button customization to the SSO setting of the Control Panel.

Version 2.1.0

Release date: 07/03/2017

HTTPS

  • Added the support of letsencrypt service for the domain certificate generation.

Single Sign-on

  • Added the new sso.auth service;
  • Added the new SSO settings page;
  • Added the support for Shibboleth.

Version 2.0.0

Release date: 05/25/2017

General

  • The Control Panel migrated from MVC to Node.js.

Version 1.6.0

Release date: 12/05/2016

LDAP

  • Added LDAP synchronization for users and groups when saving the settings, after login and using the Sync button;
  • Changed email formation for LDAP users;
  • Fixed the problem of creation of users with invalid emails;
  • Fixed the problem of duplicate users;
  • Added icons and hints to the users in the list for the admin;
  • Blocked for editing the user profile fields imported using LDAP;
  • Added the real LDAP password saving to the database during login in case LDAP Auth is disabled, now the LDAP users will become common portal users when LDAP Auth is disabled;
  • Added new API Settings method - Sync LDAP;
  • Added new translations;
  • Bug fixes.

Version for Windows

  • Made changes at the Update page for the Control Panel for Windows;
  • Updates are performed using the downloaded installation packages for each module.
  • The current installed component version numbers are obtained via API request to the Community Server.
  • The new versions available for download are obtained via the request to the https://download.onlyoffice.com/install/windows/updates.txt file, where all the latest component version numbers and links for their download are stored in the JSON format.

Introducción

Single Sign-on (SSO) es una tecnología que permite a los usuarios ingresar sólo una vez y luego obtener acceso a múltiples aplicaciones/servicios sin re-autenticación.

Si un portal web incluye varias secciones amplias e independientes (foros, chat, blogs etc.), un usuario puede someterse a un procedimiento de autenticación en uno de los servicios y automáticamente obtener acceso a todos los demás servicios sin tener que ingresar las credenciales vaias veces.

SSO es siempre una operación conjunta de dos aplicaciones: un Proveedor de Identidad y un Proveedor de Servicios (en lo sucesivo denominados "IdP" y "SP"). ONLYOFFICE SSO aplica sólo SP. Diferentes proveedores pueden actuar como IdP, pero este artículo considera la implementación de Shibboleth.

If you want to use SSO when connecting ONLYOFFICE Desktop Editors to your ONLYOFFICE Workspace, disable Private Rooms in the Control Panel.

Preparación de ONLYOFFICE Workspace para configurar SSO

  1. Instale ONLYOFFICE Workspace v. 11.0.0 para Docker o cualquier versión posterior con el soporte de SSO.
  2. Añada un nombre del dominio, por ejemplo, myportal-address.com.
  3. En su portal vaya al Panel de Control -> HTTPS, cree y aplique el certificado letsencrypt para la encriptación del tráfico (para activar HTTPS en su portal).

Creación de Shibboleth IdP

Requirements
  • To deploy Shibboleth IDP, a clean CentOS 7 host machine is required.
  • Time must be set correctly and the time synchronization service must be installed on the host machine for IDP:
    timedatectl  status
    yum install ntp
    systemctl enable ntpd.service
    ntpdate time.apple.com
  • The unzip package must be installed on the machine:
    yum install unzip
  • Docker and Docker Compose must be installed on the machine.
  • A domain name must be associated with the machine (for example, your-idp-domain.com)
Creación de Shibboleth IdP

To create, configure and start Shibboleth IDP, download and execute the install.sh script.

Here's what the script does:

  • downloads docker files for creating Shibboleth Idp images and containers from github,
  • changes the default idptestbed.edu domain in the configuration files to the domain specified when executing the script,
  • adds access via the SAML protocol for the specified ONLYOFFICE SP domain,
  • specifies which attributes are required for ONLYOFFICE SP to issue information about users from Shibboleth IDP (the Attribute Mapping setting),
  • creates and configures LDAP and creates users for issuing,
  • enables dynamic loading of metadata from ONLYOFFICE SP to Shibboleth IDP,
  • enables Shibboleth SLO, if necessary.
  1. Download the install.sh script:
    curl -L https://bit.ly/3fwo5e6 -o install.sh
  2. Make the script executable:
    chmod +x install.sh
  3. Execute the script replacing parameters with your own ones:
    ./install.sh -id your-idp-domain.com -sd myportal-address.com --no_slo

    Script parameters:

    • -id - a domain name of the current machine for Shibboleth IDP.
    • -sd - a domain name where ONLYOFFICE SP is deployed.
    • --no_slo - disables Single Logout in Shibboleth IDP (optional parameter).
  4. Wait when Shibboleth IDP starts after executing the script.
  5. To verify that Shibboleth IDP started correctly, open the https://your-idp-domain.com/idp/shibboleth link in your browser. An xml file should be displayed.
  6. Copy the https://{your_idp_domain}/idp/shibboleth link (por ejemplo, https://your-idp-domain.com/idp/shibboleth) y vaya al portal ONLYOFFICE ingresando como un administrador. Abra la página Panel de Control -> SSO.

Configuración de ONLYOFFICE SP

  1. Asegúrese de que se ha registrado como Administrador en el Panel de Control de su ONLYOFFICE y haga clic en la pestaña SSO.
    Usted puede registrar sólo un proveedor de identidad corporativo para su organización en el portal ONLYOFFICE.
    How to configure Shibboleth IdP and ONLYOFFICE SP How to configure Shibboleth IdP and ONLYOFFICE SP
  2. Active SSO usando el conmutador Activar Autenticación Single Sign-on and paste the link to the Shibboleth IdP into the URL to Idp Metadata XML field.
    How to configure Shibboleth IdP and ONLYOFFICE SP How to configure Shibboleth IdP and ONLYOFFICE SP
  3. Pulse el botón con la flecha hacia arriba para cargar los metadatos IdP. El formulario Ajustes de ONLYOFFICE SP se llenará automáticamente con sus datos del Shibboleth IdP.

    As we disabled SLO when executing the install.sh script by specifying the --no_slo parameter, the IdP Single Logout Endpoint URL field will be empty.

  4. Once the IdP metadata is loaded, two certificates will be added in the IdP Public certificates section. You'll also see the pop-up window with the following text: 'Multiple Idp verification certificates are not supported. Please leave only Primary certificate'.

    You need to delete the second certificate in the list and leave the first certificate only, which is the primary certificate. Use the Delete link next to the second certificate to remove it. If you do not remove the certificate, you'll not be able to save the settings.

  5. En el campo Texto personalizado para botón de acceso Usted puede introducir cualquier texto en vez del estándar (Single Sign-on). Este texto se mostrará en el botón usado para acceso al portal con el servicio Single Sign-on en la página de autenticación de ONLYOFFICE.
    How to configure Shibboleth IdP and ONLYOFFICE SP How to configure Shibboleth IdP and ONLYOFFICE SP
  6. Now you need to create self-signed certificates or add any other certificates in the SP Certificates section.
    Important!In the Use for list, choose the signing and encrypt option as your Shibboleth IdP is automatically configured with the install.sh script to verify that data is digitally signed and encrypted.
    How to configure Shibboleth IdP and ONLYOFFICE SP How to configure Shibboleth IdP and ONLYOFFICE SP

    You should get nearly the same result:

    How to configure Shibboleth IdP and ONLYOFFICE SP How to configure Shibboleth IdP and ONLYOFFICE SP
  7. En la sección Mapeo de Atributos indique la correspondencia de los campos en el módulo Personas ONLYOFFICE para los atributos de usuario que serán devueltos del Shibboleth IdP.
    First Name urn:oid:2.5.4.42
    Last Name urn:oid:2.5.4.4
    Email urn:oid:0.9.2342.19200300.100.1.3
    Location urn:oid:2.5.4.7
    Title urn:oid:2.5.4.12
    Phone urn:oid:0.9.2342.19200300.100.1.41
    How to configure Shibboleth IdP and ONLYOFFICE SP How to configure Shibboleth IdP and ONLYOFFICE SP
  8. Haga clic en el botón Guardar.
  9. La sección Metadatos de ONLYOFFICE SP debe abrirse.
  10. Verifique que nuestros ajustes están disponibles al público pulsando el botón Descargar XML de Metadatos de SP. El contenido del archivo XML debe ser mostrado.
    How to configure Shibboleth IdP and ONLYOFFICE SP How to configure Shibboleth IdP and ONLYOFFICE SP

    This xml file is usually used to configure Shibboleth IDP, but because the install.sh script enables DynamicHTTPMetadataProvider, we do not need to do that (Shibboleth IDP will download this xml file at the first request for the login).

Verificación del funcionamiento del ONLYOFFICE SP con el Shibboleth IdP

The install.sh script created 4 users which can be used for testing the work of the ONLYOFFICE SP with the Shibboleth IdP.

Email Username Password Comment
student1@{your_idp_domain} student1 password Standard
student2@{your_idp_domain} student2 password Without givenName
student3@{your_idp_domain} student3 password With umlauts
staff1@{your_idp_domain} staff1 password Obligatory fields only
Acceso al ONLYOFFICE en el lado de SP
  1. Vaya a la página de Autenticación de ONLYOFFICE (por ejemplo, https://myportal-address.com/Auth.aspx).
  2. Haga clic en el botón Single sign-on (el nombre del botón puede variar si Usted ha especificado su propio texto al configurar ONLYOFFICE SP). Si el botón está desaparecido, esto significa que SSO no está activado.
    How to configure Shibboleth IdP and ONLYOFFICE SP How to configure Shibboleth IdP and ONLYOFFICE SP
  3. Si todos los parámetros de SP y IdP están correctamente configurados, nos redirigirá al formulario de acceso en Shibboleth IdP:
    How to configure Shibboleth IdP and ONLYOFFICE SP How to configure Shibboleth IdP and ONLYOFFICE SP
  4. Introduzca el login y la contraseña de la cuenta en Shibboleth IdP (username: student1, password: password) y marque la casilla Don't Remember Login.
  5. Si las credenciales son correctas, se abrirá la nueva ventana. Permita la prestación de información al servicio haciendo clic en el botón Accept.
    How to configure Shibboleth IdP and ONLYOFFICE SP How to configure Shibboleth IdP and ONLYOFFICE SP
  6. Si todo es correcto, nos redirigirá a la página principal del portal (si no hay tal usuario en el portal, él se creará automáticamente, o si los datos han sido modificados en el IDP, ellos se actualizarán).
    How to configure Shibboleth IdP and ONLYOFFICE SP How to configure Shibboleth IdP and ONLYOFFICE SP
Perfiles de usuarios añadidos con autenticación SSO

La posibilidad de editar perfiles de usuarios creados usando la autenticación SSO está restringida. Los campos del perfil de usuario recibidos del IdP están desactivados para edición (como Nombre, Apellido, Correo, Posición y Ubicación). Usted puede editar estos campos sólo en su cuenta IdP.

La imagen debajo muestra el menú "Acciones" para un usuario SSO:

How to configure Shibboleth IdP and ONLYOFFICE SP How to configure Shibboleth IdP and ONLYOFFICE SP

La imagen siguiente muestra el perfil de un usuario SSO abierto para edición:

How to configure Shibboleth IdP and ONLYOFFICE SP How to configure Shibboleth IdP and ONLYOFFICE SP

Los usuarios creados usando la autenticación SSO están marcados con el icono SSO en la lista de usuarios para los administradores del portal:

How to configure Shibboleth IdP and ONLYOFFICE SP How to configure Shibboleth IdP and ONLYOFFICE SP

Para desconectarse del Shibboleth IdP (si Usted no ha marcado la casilla Don't Remember Login al iniciar la sesión), siga el enlace que tiene el siguiente aspecto: https://{shibboleth-idp-domain}/idp/profile/Logout

Download Host on your own server Available for
Docker, Windows and Linux
También le podría gustar:
Cerrar