How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP

Control Panel v.2.2 changelog

Version 2.2.0

Release date: 11/02/2017

General

  • Added a launch of the documentserver-prepare4shutdown.sh script when updating the Document Server, so that documents being edited are saved correctly.

LDAP

  • Substantially reworked the LDAP integration; migrated to a single library for working with LDAP (Novell.Directory.Ldap.NETStandard, NuGet, MIT);
  • Login and email are now split into two separate fields;
  • Added support for big data;
  • Increased the speed of work over the LDAP protocol (the connection to the server and retrieval of the data are now made once per session; added limits for cases where only a certain number of results is needed; fixed the slow login for big data; removed the exhaustive enumeration previously used to find the SID parameter);
  • Fixed the user re-creation issue;
  • Fixed the duplicate username issue;
  • Fixed the already existing email issue;
  • Replaced LDAP user deletion with account deactivation (for further data migration and data safety);
  • Instead of re-creating a user with an unknown SID but an existing email, the existing user's data is now updated;
  • Added an attempt to save a correct UserName/Login in case a similar one is already taken on the portal.

Single Sign-on

  • Added the AD FS support;
  • Replaced the Single Sign-on link on the authorization page with a customizable button; the button customization was added to the SSO settings of the Control Panel.

Version 2.1.0

Release date: 07/03/2017

HTTPS

  • Added support for the Let's Encrypt service for domain certificate generation.

Single Sign-on

  • Added the new sso.auth service;
  • Added the new SSO settings page;
  • Added the support for Shibboleth.

Version 2.0.0

Release date: 05/25/2017

General

  • The Control Panel migrated from MVC to Node.js.

Version 1.6.0

Release date: 12/05/2016

LDAP

  • Added LDAP synchronization of users and groups when saving the settings, after login and when using the Sync button;
  • Changed how emails are formed for LDAP users;
  • Fixed the creation of users with invalid emails;
  • Fixed the problem of duplicate users;
  • Added icons and hints to the users in the list for the admin;
  • Blocked editing of the user profile fields imported via LDAP;
  • Added saving of the real LDAP password to the database during login in case LDAP Auth is later disabled; LDAP users now become regular portal users when LDAP Auth is disabled;
  • Added a new API Settings method - Sync LDAP;
  • Added new translations;
  • Bug fixes.

Version for Windows

  • Changed the Update page of the Control Panel for Windows;
  • Updates are performed using the downloaded installation packages for each module;
  • The currently installed component version numbers are obtained via an API request to the Community Server;
  • The new versions available for download are obtained via a request to the http://download.onlyoffice.com/install/windows/updates.txt file, where all the latest component version numbers and their download links are stored in JSON format.

Introduction

You can configure Shibboleth 2.x - 3.x as your Identity Provider (IdP) for enterprise accounts in ONLYOFFICE. The configuration process includes two main steps: registering your Identity Provider in the SSO section of the ONLYOFFICE Control Panel, and registering ONLYOFFICE SP in the Shibboleth Identity Provider.

ONLYOFFICE SP supports receiving the givenName, sn, title, locality, mobile and mail attributes of the enterprise account from the enterprise Identity Provider. When a user signs in using an enterprise account, and ONLYOFFICE SP receives attributes named givenName, sn and mail (the obligatory attributes), ONLYOFFICE SP populates the full name and email address of the user account with the values received from the Identity Provider.

Registering Shibboleth as an enterprise Identity Provider in ONLYOFFICE SP

  1. Make sure that you are signed in as an Administrator to your ONLYOFFICE Control Panel and click the SSO tab.
    You can only register one enterprise Identity Provider for your organization on the ONLYOFFICE portal.
  2. Enable SSO using the Enable Single Sign-on Authentication switcher.
  3. Enter metadata for the Identity Provider using one of the following three ways:
    • By the link (LOAD DATA) – if the Shibboleth IdP metadata is accessible from outside by a link (e.g. https://{shibboleth-idp-domain}/idp/shibboleth), paste the link into the URL to IdP Metadata XML field and press the button with the upwards arrow. All the required parameters will then be displayed within the extended form.
    • File (SELECT FILE) – by default, Shibboleth provides the IdP metadata file at the SHIBBOLETH_HOME/metadata. If the metadata file is available, upload it using the SELECT FILE button to browse for the SHIBBOLETH_HOME/metadata/idp-metadata.xml file stored on your local machine. Then all the required parameters will be displayed within the extended form.
    • Parameters – if the metadata file is not accessible, enter values manually and specify the required parameters: IdP Entity ID, IdP Single Sign-On Endpoint URL, IdP Single Logout Endpoint URL, signing certificates etc. To obtain these values contact your Shibboleth administrator.
  4. In the Custom login button caption field, you can enter any text instead of the default one (Single Sign-on). This text is displayed on the button used to log in to the portal with the Single Sign-on service on the ONLYOFFICE authentication page.
  5. If your Shibboleth IdP requires that input data is signed and/or encrypted, you need to create/add certificates for this purpose in the SP Certificates section. In the advanced settings, you can also set which requests must be signed, specify whether the data must be decrypted or not and select the corresponding signing and decryption algorithms.
  6. In the Attribute Mapping section, set the correspondence of the fields in the ONLYOFFICE People module to the user attributes which will be returned from the Shibboleth IdP.
  7. Click the Save button.
  8. The ONLYOFFICE SP Metadata section should be opened.
  9. Verify that your settings are publicly available by clicking the Download SP Metadata XML button. The XML file contents should be displayed.
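As an added check (example code, not part of ONLYOFFICE or Shibboleth), the following Python script parses the SP metadata XML downloaded in step 9 and reports what an IdP administrator would otherwise trip over: an entityID that differs from the relying party id used later in the IdP configuration, a missing signing or encryption certificate (the relying-party override in the next section turns on assertion encryption, which needs an SP encryption key from the SP Certificates section), and endpoints that are not HTTPS. The portal domain, endpoint path and certificate body in the sample are constructed placeholders.

```python
# Added example (not ONLYOFFICE code): sanity-check the SP metadata XML downloaded
# from the Control Panel before it is registered as a relying party in the IdP.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample in the shape of the downloaded file; the portal domain, the
# endpoint path and the certificate body are placeholders, not real values.
SAMPLE_SP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://portal.example.com/sso/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER_SIGNING_CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0" Location="https://portal.example.com/sso/acs"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def check_sp_metadata(xml_text, expected_entity_id):
    """Return a list of findings; an empty list means the metadata looks usable."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("entityID") != expected_entity_id:
        findings.append(f"entityID {root.get('entityID')!r} != {expected_entity_id!r}")
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        return findings + ["no SPSSODescriptor"]
    uses = set()
    for kd in sp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.find(f".//{{{DS}}}X509Certificate") is not None:
            use = kd.get("use")  # an absent 'use' attribute means both signing and encryption
            uses |= {use} if use else {"signing", "encryption"}
    if sp.get("AuthnRequestsSigned") == "true" and "signing" not in uses:
        findings.append("AuthnRequestsSigned=true but no signing certificate published")
    if "encryption" not in uses:
        # relying-party.xml sets p:encryptAssertions="true", so the IdP needs an SP encryption key
        findings.append('no encryption certificate published (needed for p:encryptAssertions="true")')
    acs = sp.findall(f"{{{MD}}}AssertionConsumerService")
    if not acs:
        findings.append("no AssertionConsumerService endpoint")
    findings += [f"ACS endpoint is not HTTPS: {a.get('Location')}" for a in acs
                 if not a.get("Location", "").startswith("https://")]
    return findings
```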

Registering ONLYOFFICE as a trusted Service Provider in the Shibboleth IdP

  1. Configure ONLYOFFICE SP as a relying party in Shibboleth.
    1. Obtain the metadata file of your ONLYOFFICE portal and save it as an XML file. To receive the metadata file, sign in to the ONLYOFFICE Control Panel as an administrator and click the SSO tab. Click the DOWNLOAD SP METADATA XML button and save the data as the sp-ONLYOFFICE.xml file.
    2. Add ONLYOFFICE as a trusted Service Provider in Shibboleth by specifying a new MetadataProvider element in the SHIBBOLETH_HOME/conf/metadata-providers.xml file. To do that, add the following code to the root MetadataProvider element, providing the path to the metadata XML file of your organization (the file you saved in the previous step):
    <MetadataProvider id="ONLYOFFICESP" xsi:type="FilesystemMetadataProvider" metadataFile="<PATH_TO_THE_SAVED_METADATA>/metadata/sp-ONLYOFFICE.xml"/>
  2. Configure user attributes that will be returned from the Shibboleth IdP.
    1. Edit the SHIBBOLETH_HOME/conf/attribute-resolver.xml file. Comment out or delete all the existing definitions of the attributes and data connectors; note that each attribute definition added in the next step depends on a data connector with the id myLDAP, which the resolver must therefore still provide.
    2. Add the following attribute entry into the resolver:AttributeResolver section.
    <resolver:AttributeResolver
      xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
      xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
      xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
      xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
      xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
      xmlns:sec="urn:mace:shibboleth:2.0:security"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
      urn:mace:shibboleth:2.0:resolver:pc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-pc.xsd
      urn:mace:shibboleth:2.0:resolver:ad http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-ad.xsd
      urn:mace:shibboleth:2.0:resolver:dc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsd
      urn:mace:shibboleth:2.0:attribute:encoder http://shibboleth.net/schema/idp/shibboleth-attribute-encoder.xsd
      urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd">
      <!-- ========================================== -->
      <!--          Attribute Definitions             -->
      <!-- ========================================== -->
      <!-- Schema: Core schema attributes -->
      <resolver:AttributeDefinition xsi:type="ad:Simple" id="mail" sourceAttributeID="mail">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
      </resolver:AttributeDefinition>
      <resolver:AttributeDefinition xsi:type="ad:Simple" id="mobileNumber" sourceAttributeID="mobile">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mobile" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.41" friendlyName="mobile" encodeType="false" />
      </resolver:AttributeDefinition>
      <resolver:AttributeDefinition xsi:type="ad:Simple" id="surname" sourceAttributeID="sn">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
      </resolver:AttributeDefinition>
      <resolver:AttributeDefinition xsi:type="ad:Simple" id="locality" sourceAttributeID="l">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:l" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.7" friendlyName="l" encodeType="false" />
      </resolver:AttributeDefinition>
      <resolver:AttributeDefinition xsi:type="ad:Simple" id="title" sourceAttributeID="title">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:title" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.12" friendlyName="title" encodeType="false" />
      </resolver:AttributeDefinition>
      <resolver:AttributeDefinition xsi:type="ad:Simple" id="givenName" sourceAttributeID="givenName">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
      </resolver:AttributeDefinition>
    </resolver:AttributeResolver>
    3. Configure the attributes to release to the Service Provider. Edit the SHIBBOLETH_HOME/conf/attribute-filter.xml file and add the following code:
    <AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
      xmlns="urn:mace:shibboleth:2.0:afp"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
      <!-- Release some attributes to an SP. -->
      <AttributeFilterPolicy id="ONLYOFFICESP">
        <PolicyRequirementRule xsi:type="OR">
          <Rule xsi:type="Requester" value="https://{portal-domain}/sso/metadata" />
        </PolicyRequirementRule>
        <AttributeRule attributeID="mail">
          <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="surname">
          <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="givenName">
          <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="mobileNumber">
          <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="title">
          <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="locality">
          <PermitValueRule xsi:type="ANY" />
        </AttributeRule>      
      </AttributeFilterPolicy>
    </AttributeFilterPolicyGroup>
    Replace {portal-domain} with your portal domain name.
  3. Edit the SHIBBOLETH_HOME/conf/relying-party.xml file.
    1. Copy the following XML code and paste it into the shibboleth.RelyingPartyOverrides element to override the default Shibboleth IdP settings for the ONLYOFFICE relying party:
    <util:list id="shibboleth.RelyingPartyOverrides">
      <bean parent="RelyingPartyByName" c:relyingPartyIds="https://{portal-domain}/sso/metadata">
        <property name="profileConfigurations">
          <list>
            <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
            <bean parent="SAML2.SSO" p:encryptAssertions="true" p:postAuthenticationFlows="attribute-release" />
            <bean parent="SAML2.Logout" />
          </list>
        </property>
      </bean>
    </util:list>
    Replace {portal-domain} with your portal domain name.
  4. Restart the Shibboleth daemon (Linux) or service (Windows).
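The attribute-resolver.xml and attribute-filter.xml fragments in step 2 must agree with each other and with what ONLYOFFICE requires (givenName, sn and mail), and every Dependency in the resolver must point at a declared data connector. The following Python script, an added example rather than code from either project, cross-checks constructed abbreviated fragments in the same shape as the ones above; the portal domain is a placeholder.

```python
# Added example (not ONLYOFFICE or Shibboleth project code): cross-check the
# attribute-resolver.xml and attribute-filter.xml fragments before restarting the IdP.
import xml.etree.ElementTree as ET

RES = "urn:mace:shibboleth:2.0:resolver"
AFP = "urn:mace:shibboleth:2.0:afp"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
SP_ID = "https://portal.example.com/sso/metadata"  # constructed portal domain
# Attributes ONLYOFFICE treats as obligatory; the page's resolver names sn "surname".
REQUIRED = {"givenName", "surname", "mail"}

# Constructed, abbreviated fragments in the shape the page gives, deliberately missing
# the "mail" definition and the myLDAP data connector so the check has something to report.
RESOLVER = f"""<r:AttributeResolver xmlns:r="{RES}" xmlns:ad="{RES}:ad" xmlns:xsi="{XSI}">
  <r:AttributeDefinition xsi:type="ad:Simple" id="surname" sourceAttributeID="sn">
    <r:Dependency ref="myLDAP"/></r:AttributeDefinition>
  <r:AttributeDefinition xsi:type="ad:Simple" id="givenName" sourceAttributeID="givenName">
    <r:Dependency ref="myLDAP"/></r:AttributeDefinition>
</r:AttributeResolver>"""
FILTER = f"""<AttributeFilterPolicyGroup xmlns="{AFP}" xmlns:xsi="{XSI}" id="ShibbolethFilterPolicy">
  <AttributeFilterPolicy id="ONLYOFFICESP">
    <PolicyRequirementRule xsi:type="OR"><Rule xsi:type="Requester" value="{SP_ID}"/></PolicyRequirementRule>
    <AttributeRule attributeID="mail"><PermitValueRule xsi:type="ANY"/></AttributeRule>
    <AttributeRule attributeID="surname"><PermitValueRule xsi:type="ANY"/></AttributeRule>
    <AttributeRule attributeID="givenName"><PermitValueRule xsi:type="ANY"/></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""

def check_release(resolver_xml, filter_xml, sp_id):
    """Return a sorted list of problems; an empty list means the release is consistent."""
    res, flt = ET.fromstring(resolver_xml), ET.fromstring(filter_xml)
    defined = {d.get("id") for d in res.iter(f"{{{RES}}}AttributeDefinition")}
    connectors = {c.get("id") for c in res.iter(f"{{{RES}}}DataConnector")}
    problems = set()
    for dep in res.iter(f"{{{RES}}}Dependency"):
        if dep.get("ref") not in defined | connectors:
            problems.add(f"dependency on undeclared id {dep.get('ref')!r}")
    released = set()
    for pol in flt.iter(f"{{{AFP}}}AttributeFilterPolicy"):
        # Pick the policy whose Requester Rule names the ONLYOFFICE SP entityID.
        if any(e.get("value") == sp_id for e in pol.iter(f"{{{AFP}}}Rule")):
            released |= {a.get("attributeID") for a in pol.iter(f"{{{AFP}}}AttributeRule")}
    if not released:
        problems.add(f"no filter policy releases attributes to {sp_id}")
    problems |= {f"released but not defined in the resolver: {a}" for a in released - defined}
    problems |= {f"obligatory attribute not released: {a}" for a in REQUIRED - released}
    return sorted(problems)
```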

Checking the work of the ONLYOFFICE SP with the Shibboleth IdP

Logging in to ONLYOFFICE on the SP side
  1. Go to the ONLYOFFICE Authentication page (e.g., https://myportal-address.com/auth.aspx).
  2. Click the Single sign-on button (the caption may differ if you have specified your own text when configuring ONLYOFFICE SP). If the button is missing, this means that SSO is not enabled.
  3. If all the SP and IdP parameters are set correctly, you will be redirected to the Shibboleth IdP login form.
  4. Enter the username and password of the Shibboleth IdP account and check the Don't Remember Login box.
  5. If the credentials are correct, a new window opens. Allow the provision of information to the service by clicking the Accept button.
  6. If everything is correct, you will be redirected to the main page of the portal (the user is created automatically if missing, or the user data is updated if it has changed in the IdP).

Profiles for users added with SSO authentication

Editing of user profiles created via SSO authentication is restricted. The user profile fields received from the IdP (First Name, Last Name, Email, Title and Location) are disabled for editing; you can edit these fields only from your IdP account.

The figure below shows the Actions menu for an SSO user:

[Figure: Actions menu for an SSO user]

The following figure shows an SSO user profile opened for editing:

[Figure: SSO user profile opened for editing, with the IdP-provided fields disabled]

The users created using the SSO authentication are marked with the SSO icon in the user list for the portal administrators:

[Figure: user list with the SSO icon]

To log out from the Shibboleth IdP (if you have not checked the Don't Remember Login box when logging in), go to the link that looks like this: https://{shibboleth-idp-domain}/idp/profile/Logout
