The Security section allows you to control access to your portal and monitor all users' activity. It includes four subsections: Portal Access, Access Rights, Login History and Audit Trail.
Controlling portal access
The Portal Access subsection of the Security settings allows you to provide users with secure and convenient ways to access the portal.
Password strength settings
This section allows you to determine password complexity (the effectiveness of a password in resisting guessing and brute-force attacks). To do that,
This section allows you to enable two-step verification, which makes portal access more secure. A user can access the portal data only after entering their regular email and password (or signing in via a social account) and then typing in a six-digit verification code received via SMS. The SMS messages are sent to the user's primary mobile phone, which is specified at the first portal login via two-factor authentication and can later be changed on the user profile page. A verification code can be resent by clicking the Send code again button, but no more often than 5 times per 5 minutes. The sent code is valid for 10 minutes.
To enable this feature,
- make sure that one of the SMS providers is connected in the Integration section,
- check the Enable radio button under the Two-factor authentication section and click the Save button at the bottom of the section to make the parameters you set take effect.
SMS messages can only be sent if your SMS provider account has a positive balance. You can always check your current balance in your SMS provider account. Do not forget to replenish your balance in good time.
To learn more on how to use the two-factor authentication on your portal you can read the following article.
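The two limits stated above (a code valid for 10 minutes, resends capped at 5 per 5 minutes) are easy to get wrong when implemented ad hoc. The following is an added example, not code from the online office, showing how a server could model one user's pending second factor so that both limits, one-time use and constant-time comparison are enforced. The class name, method names and the injected `now` parameter are assumptions chosen for this illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

CODE_LIFETIME = 10 * 60   # a sent code stays valid for 10 minutes
RESEND_LIMIT = 5          # at most 5 sends ...
RESEND_WINDOW = 5 * 60    # ... within any 5-minute sliding window


@dataclass
class TwoFactorSession:
    """Server-side state for one user's pending SMS second factor.

    Time is passed in explicitly (seconds) so behaviour is deterministic and
    testable; a real service would call time.time() at the call sites.
    """
    code: Optional[str] = None
    issued_at: float = 0.0
    send_times: List[float] = field(default_factory=list)

    def send_code(self, now: float) -> Optional[str]:
        """Issue a fresh six-digit code, or return None when the resend limit is hit.

        The returned code is what would be handed to the SMS gateway; it must
        never be returned to the browser.
        """
        # Drop sends that have aged out of the sliding window, then count the rest.
        self.send_times = [t for t in self.send_times if now - t < RESEND_WINDOW]
        if len(self.send_times) >= RESEND_LIMIT:
            return None
        # Six zero-padded digits from a CSPRNG (secrets), not the random module.
        self.code = f"{secrets.randbelow(10 ** 6):06d}"
        self.issued_at = now
        self.send_times.append(now)
        return self.code

    def verify(self, submitted: str, now: float) -> bool:
        """Accept the code once, only while it is within its 10-minute lifetime."""
        if self.code is None or now - self.issued_at > CODE_LIFETIME:
            return False
        # Constant-time comparison avoids leaking how many digits matched.
        ok = hmac.compare_digest(self.code, submitted)
        if ok:
            self.code = None  # one-time use: a replayed code must fail
        return ok
```

Expiry and the resend window are both measured against the injected clock, so the same object can be driven through "code expired", "replayed code" and "sixth send in five minutes" scenarios in a unit test without sleeping.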
Single sign-on settings
The Single Sign-on section allows you to enable or disable third-party authentication using SAML/JWT, thereby giving users a quicker, easier and more secure way to access the portal.
Generally, the Single Sign-on technology allows users to sign in only once and then get access to multiple authorized (i.e. integrated with an Identity Provider) applications/services without having to enter their credentials each time they access a different application.
An Identity Provider (IdP) is a service that creates, maintains and manages user identity information and provides user authentication to other Service Providers within a federation. Such services as OneLogin, ADFS etc. act as Identity Providers. A Service Provider (SP) is an entity that provides web services and relies on a trusted Identity Provider for user authentication. In our case, the Service Provider is the online office.
In your online office, you can enable SSO on the base of one of the following standards for the authentication/authorization data exchange between an Identity Provider and a Service Provider:
- SAML (Security Assertion Markup Language) - an XML standard for transmitting user authentication/authorization data between an identity provider and a service provider through security tokens that contain assertions.
- JWT (JSON Web Token) - a security token for transferring user authentication/authorization data through URLs using the JSON format and digital signatures.
Security is enhanced because the online office does not store user passwords; instead, it relies on the result of the authentication performed on the Identity Provider side. All the necessary user information is transmitted in an authentication token. If the user information changes on the Identity Provider side, it is automatically updated on the portal during the next SSO authentication (note that the data is synchronized in one direction only: from the Identity Provider to the online office).
After the Identity Provider and the online office are mutually configured for SSO, user authentication takes place on the Identity Provider side. The online office receives an authentication token (SAML or JWT) from the Identity Provider. After the token is validated (by checking its digital signature and its lifetime), the online office allows the user to access the portal.
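The validation step described above, signature first and then lifetime, is where SSO integrations most often go wrong. The following is an added example, not code from the online office or from any Identity Provider, showing what a Service Provider's JWT check looks like when done with the standard library only: the algorithm is pinned rather than read from the token, the signature is verified before any claim is trusted, and `exp`, `nbf` and `iss` are checked with a small clock-skew allowance. HS256 with a shared key, the issuer URL, the claim values and the helper names are all constructed for this illustration; a deployment signing with RSA or ECDSA would swap the HMAC for a public-key verification but keep the same order of checks.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict


def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_hs256_jwt(claims: Dict[str, Any], key: bytes) -> str:
    """Build a token the way a JWT-issuing Identity Provider would (used here to
    construct test input; a Service Provider never needs this function)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def validate_sso_token(token: str, key: bytes, expected_issuer: str,
                       now: float, leeway: int = 30) -> Dict[str, Any]:
    """Return the claims of a valid token; raise ValueError on any failure.

    Order matters: nothing from the payload is used until the signature holds.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    # Pin the algorithm the portal was configured with. Trusting 'alg' from the
    # token is what enables the 'none' and key-confusion attacks.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))

    # Lifetime: 'exp' is mandatory here; 'nbf' is honoured when present.
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("token expired or missing exp")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise ValueError("token not yet valid")
    if claims.get("iss") != expected_issuer:
        raise ValueError("unexpected issuer")
    return claims
```

Because `now` is a parameter, expiry can be tested against fixed timestamps; in production it would be the current time from the portal's clock, which is also why a few seconds of `leeway` are allowed for skew between the Identity Provider and the portal.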
To enable and configure SSO authentication for your portal, you should integrate it with your Identity Provider, i.e.:
- Specify your portal data in your Identity Provider account. This procedure differs depending on the selected Identity Provider. For example, for the OneLogin service, you should open the 'Configuration' tab and enter https://@@@/samllogin.ashx/ in the 'SAML Consumer URL' field, where @@@ is your portal DNS name (e.g. https://test.onlyoffice.com/samllogin.ashx/). Save the settings.
- Specify your Identity Provider data on the portal Settings page. To do that, check the Enable SSO box, select the corresponding SSO Type (SAML or JWT) and fill in the required fields. The information you should specify in the Issuer URL, SSO Endpoint URL, SLO Endpoint URL, Signature validation type and Key fields can be found in your Identity Provider account. When all the parameters are set, click the Save button.
Each portal can be integrated with only one Identity Provider at a time. To work with a different Identity Provider, you must first integrate it with the online office as described above.
After SSO is enabled, users can click the Single Sign-on link below the Sign In button on the portal authorization page, or use the sign-in page on the Identity Provider side. Moreover, you will still be able to use the other authentication methods.
Trusted mail domain settings
This section allows you to specify the mail servers whose users are allowed to self-register in your portal. By default, this option is disabled. To enable it,
- check the Custom domains radio button,
- enter the trusted mail server in the field which appears below,
- check the Add users as guests box if you wish the added users to get the view-only permissions,
- click the Save button at the bottom of the section to make the parameters you set take effect.
To add more mail servers, use the Add trusted domain link. To delete a server added by mistake, click the corresponding icon to the right of the field.
After that, any user who has an account at a specified mail server will be able to register by clicking the Click here to join link on the Sign In page and entering their email address. An invitation email with a link to the portal will be sent to the specified email address. To sign in, the user will need to follow the link provided in the email, enter a password and confirm it.
To disable this option again, just check the Disabled radio button.
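The whole value of a trusted-domain list lies in how strictly the submitted address is matched against it: a substring or suffix comparison would accept addresses at look-alike domains. The following is an added example, not code from the online office, of a check that normalizes both sides and accepts only an exact domain match. Whether subdomains of a trusted domain should also be accepted is not stated on this page; the example treats them as untrusted, and the function names are assumptions for this illustration.

```python
from typing import Iterable, Set


def parse_trusted_domains(entries: Iterable[str]) -> Set[str]:
    """Normalize configured entries: trim, lower-case, drop a leading '@' or trailing '.'."""
    trusted = set()
    for raw in entries:
        domain = raw.strip().lower().lstrip("@").rstrip(".")
        if domain:
            trusted.add(domain)
    return trusted


def is_self_registration_allowed(email: str, trusted: Set[str]) -> bool:
    """True only when the address has exactly one '@' and its domain is listed verbatim.

    Exact set membership (not endswith / substring) is what rejects
    'user@evil-example.com' or 'user@example.com.attacker.test' when only
    'example.com' is trusted.
    """
    email = email.strip()
    if email.count("@") != 1:
        return False
    local, _, domain = email.partition("@")
    if not local or not domain:
        return False
    return domain.lower().rstrip(".") in trusted
```

The same exact-match rule should be applied again when the invitation link is followed, since the address typed on the join page is the only thing tying the invitation to the trusted domain.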
IP security settings
This section allows you to prevent unwanted visitors from accessing your portal by allowing access to the portal from trusted networks only. If a user attempts to log in to your portal from any IP address except those you specify, this login attempt will be blocked. To restrict access to your portal based on the IP addresses,
- check the Enable radio button;
- click the Add allowed IP address link;
- in the entry field that appears, specify a single IP address in the IPv4 format (#.#.#.#, where # is a numeric value from 0 to 255) or set an IP addresses range by entering the starting and ending IP addresses of the range in the #.#.#.#-#.#.#.# format;
You can find the information on your portal visitors IP addresses in the Login History subsection of the Security settings by clicking the Download and open report button.
- in the same way, add as many trusted IP addresses as you need;
- click the Save button at the bottom of the section.
If necessary, you can delete an added IP address by clicking the corresponding icon to the right of it. To disable this option again, just check the Disable radio button and click the Save button.
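The two entry formats described above, a single IPv4 address and a start-end range, translate directly into an inclusive interval check. The following is an added example, not code from the online office, that parses such entries with Python's `ipaddress` module and decides whether a login attempt's source address is allowed. It fails closed on anything unparseable and handles one edge case the page does not mention: an IPv4 client arriving as an IPv4-mapped IPv6 address (`::ffff:a.b.c.d`) is compared by its embedded IPv4 value. The function names and sample addresses (RFC 5737 documentation ranges) are constructed for this illustration.

```python
import ipaddress
from typing import List, Tuple

# Inclusive (start, end) interval over the 32-bit integer form of IPv4 addresses.
Interval = Tuple[int, int]


def parse_allowed_entry(entry: str) -> Interval:
    """Parse '#.#.#.#' or '#.#.#.#-#.#.#.#' into an inclusive interval.

    IPv4Address() rejects octets outside 0..255 and other malformed input by
    raising AddressValueError (a ValueError subclass).
    """
    start_s, sep, end_s = entry.strip().partition("-")
    start = ipaddress.IPv4Address(start_s.strip())
    end = ipaddress.IPv4Address(end_s.strip()) if sep else start
    if int(end) < int(start):
        raise ValueError(f"range end precedes start: {entry!r}")
    return int(start), int(end)


def build_allowlist(entries: List[str]) -> List[Interval]:
    """Parse every configured entry; one bad entry aborts the whole save."""
    return [parse_allowed_entry(e) for e in entries]


def is_login_allowed(client_ip: str, allowlist: List[Interval]) -> bool:
    """Return True only when the client address falls inside some allowed interval.

    The address must come from the connection itself (or from a proxy header the
    portal has been configured to trust); a client-supplied header is not a source.
    """
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False  # unparseable input: deny rather than guess
    if addr.version == 6:
        mapped = addr.ipv4_mapped
        if mapped is None:
            return False  # the configured format is IPv4-only, so native IPv6 is denied
        addr = mapped
    n = int(addr)
    return any(lo <= n <= hi for lo, hi in allowlist)
```

With the Enable option on and an empty list, `any()` over no intervals is False, so every login would be blocked; adding your own current address first, as the note about the Login History report suggests, avoids locking yourself out.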
Administrator message settings
This section allows you to display a contact form on the Sign In page so that people can send a message to the portal administrator if they have trouble accessing the portal.
To enable it, just check the corresponding radio button and click the Save button at the bottom of the section to make the parameters you set take effect.
This section allows you to set the cookie lifetime.
To set the cookie lifetime, check the Enable radio button, enter the required time value in minutes in the field that appears and click the Save button at the bottom of the section to make the parameters you set take effect. After saving, all users will be logged out of the portal.