Control Panel changelog
Release date: 01/13/2018
- Fixed the
Invalid ssoConfig error which occurred when the link to the IdP contained the question mark '?', e.g.:
IdP Single Sign-On Endpoint URL: https://accounts.google.com/o/saml2/idp?idpid=777777;
- Fixed the
Invalid authentication token error which prevented from adding a user to the portal using the AD FS, in case the
- characters were present when sending the encrypted data.
Release date: 12/15/2017
- Added the changelog for Control Panel and link to it;
- Fixed the bug when JWT parameters were not sent when updating Document Server(bug #36270);
- Fixed the bug when
Audit Trail heading was present at the login history page (bug #36026);
- The current machine is now checked for being linked with the domain name for multiple portals.
- Fixed the bug with the
LDAP Domain not found error which occurred if the DN record had no DC records (the users with Sun/Oracle DS were affected); now if the LDAP domain could not be specified, the LDAP domain will acquire the
unknown value or the
ldap.domain value from the
web.appsettings.config configuration file;
- Fixed the bug with the
Sizelimit Exceeded error when trying to get more than 1000 users from the Active Directory;
- Increased the login speed with the Group Membership setting enabled;
- Added additional logging;
- Fixed the bug with LDAP operation hanging when using Mono v5.2.0 and older;
- Fixed the bug with the error when trying to login using the email address entered in the fields different from the
- Fixed the bug occurring in the enclosed groups, when the users were displayed not in all groups.
Release date: 10/31/2017
- Added the
documentserver-prepare4shutdown.sh script launch when updating the document-server for the correct edited document saving.
- Dramatically changed LDAP integration, migrated to the single library for the work with LDAP (Novell.Directory.Ldap.NETStandard, Nuget, MIT);
- Login and email are now split into two separate fields;
- Added the support for big data;
- Increased the work speed via the LDAP protocol (the connection to the server and receiving the data is now made once per session, added the limits when only a certain number of results is necessary, fixed the slow login for bit data, removed the sorting out used to find the SID parameter);
- Fixed the user re-creation issue;
- Fixed the duplicate username issue;
- Fixed the already existing email issue;
- Replaced the LDAP user deletion with account deactivation (for further data migration and data safety);
- Instead of re-creating a user with an unknown SID but an existing email the data is updated;
- Added the attempt to save the correct UserName/Login in case a similar one is already taken on the portal.
- Added the AD FS support;
- Replaced the Single Sign-on link at the authorization page with the customizable button, added the button customization to the SSO setting of the Control Panel.
Release date: 07/03/2017
- Added the support of letsencrypt service for the domain certificate generation.
- Added the new
- Added the new SSO settings page;
- Added the support for Shibboleth.
Release date: 05/25/2017
- The Control Panel migrated from
Release date: 12/05/2016
- Added LDAP synchronization for users and groups when saving the settings, after login and using the Sync button;
- Changed email formation for LDAP users;
- Fixed the problem of creation of users with invalid emails;
- Fixed the problem of duplicate users;
- Added icons and hints to the users in the list for the admin;
- Blocked for editing the user profile fields imported using LDAP;
- Added the real LDAP password saving to the database during login in case LDAP Auth is disabled, now the LDAP users will become common portal users when LDAP Auth is disabled;
- Added new API Settings method - Sync LDAP;
- Added new translations;
- Bug fixes.
- Made changes at the Update page for the Control Panel for Windows;
- Updates are performed using the downloaded installation packages for each module.
- The current installed component version numbers are obtained via API request to the Community Server.
- The new versions available for download are obtained via the request to the http://download.onlyoffice.com/install/windows/updates.txt file, where all the latest component version numbers and links for their download are stored in the JSON format.
Single Sign-on (SSO) is a technology that allows users to sign in only once and then get access to multiple applications/services without re-authentication.
If a web portal includes several large independent sections (forum, chat, blogs etc.), a user can undergo the authentication procedure within one of the services and automatically get access to all other services without entering credentials several times.
SSO is always ensured by the joint operation of two applications: an Identity Provider and a Service Provider (hereinafter referred to as "IdP" and "SP"). ONLYOFFICE SSO implements the SP only. A lot of different providers can act as an IdP, but this article considers the OneLogin implementation.
Preparing ONLYOFFICE Enterprise Edition for the SSO setup
- Install ONLYOFFICE Enterprise Edition v9.1.0 for Docker or any later version with the SSO support.
- Add a domain name, e.g., myportal-address.com.
- On your portal, go to the Control Panel -> HTTPS, create and apply the letsencrypt certificate for the traffic encryption (to enable HTTPS on your portal).
- Go to the host computer, copy the private key and public certificate values that you used to enable HTTPS and save them using any text editor, e.g. Notepad (these values will be required later to configure SSO).
It's not necessary to perform Step 4 if you already have valid certificates or want to use self-signed certificates.
Creating an IdP in OneLogin
- Sign up for OneLogin, if you have not yet registered.
- Sign in to OneLogin as an administrator.
- Go to the APPS -> Add Apps menu.
- In the Find Application search field, type in the following text: SAML Test Connector (Idp:
- Select an appropriate option among the received results, e.g., SAML Test Connector (IdP) w/encrypt.
- In a new window that opens, enter any Display Name to distinguish this application from others, replace icons with your own ones and click the Save button.
- Go to the Configuration submenu and fill in the fields according to the table below:
Please specify your own domain name or public IP where your ONLYOFFICE SP is hosted instead of myportal-address.com.
|ACS (Consumer) URL Validator
|ACS (Consumer) URL
|Single Logout URL
|Public key *
* This is the example of the HTTPS certificate for the myportal-address.com domain name created using the letsencrypt service.
- Click the Save button and go to the Parameters submenu. Use the Add parameter link to create 5 parameters (
mobile) checking the Include in SAML assertion option for all of them:
- Edit values of each parameter selecting an appropriate value from the list:
- Once you fill in all the necessary fields for SAML assertion attributes in the IdP, you should receive nearly the same result as shown in the figure below. Click the Save button.
- Go to the SSO submenu:
Copy the link from the Issuer URL field (e.g., https://app.onelogin.com/saml/metadata/666179) and go to the ONLYOFFICE portal signing in as an administrator. Open the Control Panel -> SSO page.
Configuring ONLYOFFICE SP
- Make sure that you are signed in as an Administrator to your ONLYOFFICE Control Panel and click the SSO tab.
You can only register one enterprise Identity Provider for your organization on the ONLYOFFICE portal.
- Enable SSO using the Enable Single Sign-on Authentication switcher and paste the link copied from the OneLogin issuer URL into the URL to Idp Metadata XML field.
Press the button with the upward arrow to load the IdP metadata. The ONLYOFFICE SP Settings form will be automatically filled in with your data from the OneLogin IdP.
- In the Custom login button caption field, you can enter any text instead of the default one (Single Sign-on). This text will be displayed on the button used to login to the portal with the Single Sign-on service at the ONLYOFFICE authentication page.
- Now you need to add certificates to the SP Certificates section. You can add the certificates used earlier when enabling HTTPS or any other certificates.
the public certificate in OneLogin must be the same that you upload in the SP Certificates section and the private key must correspond to it.
You should get nearly the same result:
It is not necessary to adjust the Attribute Mapping form, since we specified the same parameters when creating OneLogin IdP.
- Click the Save button. The ONLYOFFICE SP Metadata section should be opened. Verify that our settings are publicly available by clicking the Download SP Metadata XML button. The XML file contents should be displayed.
Creating users in OneLogin and giving them access to ONLYOFFICE
To create users in OneLogin and provide them access to our ONLYOFFICE SP, perform the following steps:
- go to the OneLogin All Users page signing in as an administrator,
- create a new user or edit an existing one,
- go to the Applications submenu,
- select our newly created application from the list and click CONTINUE,
- in a new window that opens add the missing data if necessary or just close the window,
- click the SAVE USER button,
- now the user is able to work in ONLYOFFICE SP.
Checking the work of the ONLYOFFICE SP with the OneLogin IdP
Logging in to ONLYOFFICE on the SP side
- Go to the ONLYOFFICE Authentication page (e.g., https://myportal-address.com/auth.aspx).
- Click the Single sign-on button (the caption may differ if you have specified your own text when configuring ONLYOFFICE SP). If the button is missing, this means that SSO is not enabled.
- If all the SP and IdP parameters are set correctly, we will be redirected to the OneLogin IdP login form:
- Enter the login and password of the user who has been granted access to the ONLYOFFICE SP and click the LOG IN button.
- If you get the following page, this means that the user has not been granted access to ONLYOFFICE SP:
In this case you will need to log out from OneLogin and repeat steps 1-4, but using another user credentials.
- If the credentials are correct, we will be redirected to the main page of the portal (the user will be created automatically if missing, or the data will be updated if changed in the IDP).
Profiles for users added with SSO authentication
The possibility to edit user profiles created using the SSO authentication is restricted. The user profile fields received from the IdP are disabled for editing (i.e.
Location). You can edit these fields from your IdP account only.
The figure below shows the Actions menu for an SSO user:
The following figure shows an SSO user profile opened for editing:
The users created using the SSO authentication are marked with the SSO icon in the user list for the portal administrators:
Logging out from ONLYOFFICE SP
- Logout can be made from the portal using the Sign Out menu. The user should also be automatically logged out from the OneLogin IdP in case he/she is logged out from all other applications that he/she has been granted access to in OneLogin and that he/she previously signed in to.
- If you signed out successfully, you will be redirected to the portal authentication page.
- If you go to the application page (e.g., https://companypage.onelogin.com/login), you will see the login form:
Logging in to ONLYOFFICE on the Onlogin IdP side
- Go to your company page in OneLogin (e.g. https://companypage.onelogin.com/login).
- Sign in using your OnleLogin credentials.
- If the credentials are correct, you will be redirected to the page of the applications that you have been granted access to by your company administrator in OneLogin. Click on the necessary application (e.g., SAML Test Connector (IdP) w/encrypt).
- If all the settings are correct, you will be redirected to the myportal-address.com portal.
Logging out from OneLogin IdP
- Go to your company page in OneLogin (e.g. https://companypage.onelogin.com/) and click the Log Out option:
- If everything is correct, you will be signed out from the portal and redirected to the OneLogin login page.