How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP

Introduction

You can configure Shibboleth 2.x - 3.x as your Identity Provider (IdP) for enterprise accounts in ONLYOFFICE. The configuration process includes two main steps: registering your Identity Provider in the SSO section of the ONLYOFFICE Control Panel and registering ONLYOFFICE SP in the Shibboleth Identity Provider.

ONLYOFFICE SP supports passing the givenName, sn, title, locality, mobile and mail attributes of the enterprise account from the enterprise Identity Provider. When a user signs in using an enterprise account and ONLYOFFICE SP receives attributes named givenName, sn and mail (the obligatory attributes), ONLYOFFICE SP populates the full name and email address of the user account with the values received from the Identity Provider.

Registering Shibboleth as an enterprise Identity Provider in ONLYOFFICE SP

  1. Make sure that you are signed in as an Administrator to your ONLYOFFICE Control Panel and click the SSO tab.
    You can only register one enterprise Identity Provider for your organization on the ONLYOFFICE portal.
  2. Enable SSO using the Enable Single Sign-on Authentication switcher.
  3. Enter metadata for the Identity Provider using one of the following three ways:
    • By the link (LOAD DATA) – if the Shibboleth IdP metadata is accessible from outside by a link (e.g. https://{shibboleth-idp-domain}/idp/shibboleth), paste the link into the URL to IdP Metadata XML field and press the button with the upwards arrow. All the required parameters will then be displayed in the extended form.
    • File (SELECT FILE) – by default, Shibboleth stores the IdP metadata file in the SHIBBOLETH_HOME/metadata directory. If the metadata file is available, click the SELECT FILE button and browse for the SHIBBOLETH_HOME/metadata/idp-metadata.xml file stored on your local machine. All the required parameters will then be displayed in the extended form.
    • Parameters – if the metadata file is not accessible, enter values manually and specify the required parameters: IdP Entity ID, IdP Single Sign-On Endpoint URL, IdP Single Logout Endpoint URL, signing certificates etc. To obtain these values contact your Shibboleth administrator.
  4. If your Shibboleth IdP requires that input data is signed and/or encrypted, you need to create/add certificates for this purpose in the SP Certificates section. In the advanced settings, you can also set which requests must be signed, specify whether the data must be decrypted or not and select the corresponding signing and decryption algorithms.
  5. In the Attribute Mapping section, set the correspondence of the fields in the ONLYOFFICE People module to the user attributes which will be returned from the Shibboleth IdP.
  6. Click the Save button.
  7. The ONLYOFFICE SP Metadata section opens.
  8. Verify that your settings are publicly available by clicking the Download SP Metadata XML button. The XML file contents should be displayed.

Registering ONLYOFFICE as a trusted Service Provider in the Shibboleth IdP

  1. Configure ONLYOFFICE SP as a relying party in Shibboleth.
    1. Obtain the metadata file of your ONLYOFFICE portal and save it as an XML file. To receive the metadata file, sign in to the ONLYOFFICE Control Panel as an administrator and click the SSO tab. Click the DOWNLOAD SP METADATA XML button and save the data as the sp-ONLYOFFICE.xml file.
    2. Add ONLYOFFICE as a trusted Service Provider in Shibboleth by specifying a new MetadataProvider element in the SHIBBOLETH_HOME/conf/metadata-providers.xml file. To do that, add the following element inside the root MetadataProvider element, providing the path to the metadata XML file of your organization (the file that you saved in the previous step):
    <MetadataProvider id="ONLYOFFICESP" xsi:type="FilesystemMetadataProvider" metadataFile="<PATH_TO_THE_SAVED_METADATA>/metadata/sp-ONLYOFFICE.xml"/>
  2. Configure user attributes that will be returned from the Shibboleth IdP.
    1. Edit the SHIBBOLETH_HOME/conf/attribute-resolver.xml file. Comment out or delete all the existing definitions of the attributes and data connectors.
    2. Add the following attribute entry into the resolver:AttributeResolver section.
    <resolver:AttributeResolver
      xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
      xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
      xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
      xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
      xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
      xmlns:sec="urn:mace:shibboleth:2.0:security"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
      urn:mace:shibboleth:2.0:resolver:pc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-pc.xsd
      urn:mace:shibboleth:2.0:resolver:ad http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-ad.xsd
      urn:mace:shibboleth:2.0:resolver:dc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsd
      urn:mace:shibboleth:2.0:attribute:encoder http://shibboleth.net/schema/idp/shibboleth-attribute-encoder.xsd
      urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd">
      <!-- ========================================== -->
      <!--          Attribute Definitions             -->
      <!-- ========================================== -->
      <!-- Schema: Core schema attributes. Every definition below depends on "myLDAP", which must be
           the id of the data connector (e.g. dc:LDAPDirectory) that supplies the source attributes. -->
      <resolver:AttributeDefinition xsi:type="ad:Simple" id="mail" sourceAttributeID="mail">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
      </resolver:AttributeDefinition>
      <resolver:AttributeDefinition xsi:type="ad:Simple" id="mobileNumber" sourceAttributeID="mobile">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mobile" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.41" friendlyName="mobile" encodeType="false" />
      </resolver:AttributeDefinition>
      <resolver:AttributeDefinition xsi:type="ad:Simple" id="surname" sourceAttributeID="sn">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
      </resolver:AttributeDefinition>
      <resolver:AttributeDefinition xsi:type="ad:Simple" id="locality" sourceAttributeID="l">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:l" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.7" friendlyName="l" encodeType="false" />
      </resolver:AttributeDefinition>
      <resolver:AttributeDefinition xsi:type="ad:Simple" id="title" sourceAttributeID="title">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:title" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.12" friendlyName="title" encodeType="false" />
      </resolver:AttributeDefinition>
      <resolver:AttributeDefinition xsi:type="ad:Simple" id="givenName" sourceAttributeID="givenName">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
      </resolver:AttributeDefinition>
    </resolver:AttributeResolver>
    3. Configure the attributes to release to the Service Provider. Edit the SHIBBOLETH_HOME/conf/attribute-filter.xml file and add the following code:
    <AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
      xmlns="urn:mace:shibboleth:2.0:afp"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
      <!-- Release some attributes to an SP. -->
      <AttributeFilterPolicy id="ONLYOFFICESP">
        <PolicyRequirementRule xsi:type="OR">
          <Rule xsi:type="Requester" value="https://{portal-domain}/sso/metadata" />
        </PolicyRequirementRule>
        <AttributeRule attributeID="mail">
          <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="surname">
          <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="givenName">
          <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="mobileNumber">
          <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="title">
          <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="locality">
          <PermitValueRule xsi:type="ANY" />
        </AttributeRule>      
      </AttributeFilterPolicy>
    </AttributeFilterPolicyGroup>
    Replace {portal-domain} with your portal domain name.
  3. Edit the SHIBBOLETH_HOME/conf/relying-party.xml file.
    1. Copy the following XML code and paste it into the shibboleth.RelyingPartyOverrides element to override the default settings of the Shibboleth IdP for this relying party:
    <util:list id="shibboleth.RelyingPartyOverrides">
      <bean parent="RelyingPartyByName" c:relyingPartyIds="https://{portal-domain}/sso/metadata">
        <property name="profileConfigurations">
          <list>
            <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
            <bean parent="SAML2.SSO" p:encryptAssertions="true" p:postAuthenticationFlows="attribute-release" />
            <bean parent="SAML2.Logout" />
          </list>
        </property>
      </bean>
    </util:list>
    Replace {portal-domain} with your portal domain name.
  4. Restart the Shibboleth daemon (Linux) or service (Windows).
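The attribute-resolver.xml, attribute-filter.xml and relying-party.xml edits above only work together when the filter releases the resolver's attribute IDs (not the LDAP source names), the Requester value equals the SP entityID exactly, and the released SAML2 friendlyNames cover the obligatory givenName, sn and mail attributes from the introduction. The following Python script is an added example, not ONLYOFFICE or Shibboleth code: it builds constructed, trimmed copies of the two XML files and cross-checks them, assuming portal.example.com as the portal domain.

```python
# Added example (not ONLYOFFICE or Shibboleth project code): cross-check that the attribute-filter
# policy releases IDs the attribute-resolver defines and covers ONLYOFFICE's obligatory attributes.
import xml.etree.ElementTree as ET

RES, AFP = "urn:mace:shibboleth:2.0:resolver", "urn:mace:shibboleth:2.0:afp"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
REQUIRED = {"givenName", "sn", "mail"}  # attributes ONLYOFFICE SP must receive to create a user

def make_resolver(defs):
    """Trimmed, constructed attribute-resolver.xml from (id, sourceAttributeID, oid, friendlyName)."""
    body = "".join(
        f'<resolver:AttributeDefinition xsi:type="ad:Simple" id="{i}" sourceAttributeID="{s}">'
        f'<resolver:Dependency ref="myLDAP"/><resolver:AttributeEncoder xsi:type="enc:SAML2String"'
        f' name="urn:oid:{o}" friendlyName="{f}"/></resolver:AttributeDefinition>' for i, s, o, f in defs)
    return f'<resolver:AttributeResolver xmlns:resolver="{RES}" xmlns:xsi="{XSI}">{body}</resolver:AttributeResolver>'

def make_filter(requester, attribute_ids):
    """Trimmed, constructed attribute-filter.xml releasing attribute_ids to one Requester (SP entityID)."""
    rules = "".join(f'<AttributeRule attributeID="{a}"><PermitValueRule xsi:type="ANY"/></AttributeRule>'
                    for a in attribute_ids)
    return (f'<AttributeFilterPolicyGroup xmlns="{AFP}" xmlns:xsi="{XSI}"><AttributeFilterPolicy id="ONLYOFFICESP">'
            f'<PolicyRequirementRule xsi:type="OR"><Rule xsi:type="Requester" value="{requester}"/>'
            f'</PolicyRequirementRule>{rules}</AttributeFilterPolicy></AttributeFilterPolicyGroup>')

def resolver_friendly_names(resolver_xml):
    """Map each AttributeDefinition id to the friendlyName of its SAML2String encoder."""
    return {ad.get("id"): enc.get("friendlyName")
            for ad in ET.fromstring(resolver_xml).iter(f"{{{RES}}}AttributeDefinition")
            for enc in ad.iter(f"{{{RES}}}AttributeEncoder") if enc.get(f"{{{XSI}}}type") == "enc:SAML2String"}

def released_ids(filter_xml, sp_entity_id):
    """attributeIDs released by policies whose Requester rule equals the SP entityID exactly."""
    return {a.get("attributeID")
            for pol in ET.fromstring(filter_xml).iter(f"{{{AFP}}}AttributeFilterPolicy")
            if sp_entity_id in {r.get("value") for r in pol.iter(f"{{{AFP}}}Rule")
                                if r.get(f"{{{XSI}}}type") == "Requester"}
            for a in pol.iter(f"{{{AFP}}}AttributeRule")}

def check_release(resolver_xml, filter_xml, sp_entity_id):
    """Return (filter IDs with no resolver definition, obligatory friendlyNames not released)."""
    names, ids = resolver_friendly_names(resolver_xml), released_ids(filter_xml, sp_entity_id)
    return sorted(ids - set(names)), sorted(REQUIRED - {names[i] for i in ids if i in names})

# Constructed configs: filter rules must use resolver IDs (e.g. "surname"), and {portal-domain} must be replaced.
SP_ID = "https://portal.example.com/sso/metadata"  # assumed portal domain
RESOLVER = make_resolver([("mail", "mail", "0.9.2342.19200300.100.1.3", "mail"),
                          ("surname", "sn", "2.5.4.4", "sn"), ("givenName", "givenName", "2.5.4.42", "givenName")])
GOOD = make_filter(SP_ID, ["mail", "surname", "givenName"])
BAD_ID = make_filter(SP_ID, ["mail", "sn", "givenName"])  # "sn" is the LDAP name, not a resolver id
BAD_REQ = make_filter("https://{portal-domain}/sso/metadata", ["mail", "surname", "givenName"])
```

check_release(RESOLVER, GOOD, SP_ID) returns two empty lists, while BAD_ID reports "sn" as undefined and missing, and BAD_REQ releases nothing because the placeholder Requester never matches the real entityID.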

Checking the work of the ONLYOFFICE SP with the Shibboleth IdP

Logging in to ONLYOFFICE on the SP side
  1. Go to the ONLYOFFICE Authentication page (e.g., https://myportal-address.com/auth.aspx).
  2. Click the Single sign-on link below the Sign In button (if the link is missing, this means that SSO is not enabled).
  3. If all the SP and IdP parameters are set correctly, you will be redirected to the Shibboleth IdP login form.
  4. Enter the username and password of the Shibboleth IdP account and check the Don't Remember Login box.
  5. If the credentials are correct, a new window opens. Allow the provision of information to the service by clicking the Accept button.
  6. If everything is correct, you will be redirected to the main page of the portal (the user will be created automatically if missing, or the user data will be updated if it changed in the IdP).

Profiles for users added with SSO authentication

Editing of user profiles created via SSO authentication is restricted. The profile fields received from the IdP (First Name, Last Name, Email, Title and Location) are disabled for editing. You can change these fields from your IdP account only.

The figure below shows the Actions menu for an SSO user:

[Figure: Actions menu for an SSO user]

The following figure shows an SSO user profile opened for editing:

[Figure: SSO user profile opened for editing]

The users created using the SSO authentication are marked with the SSO icon in the user list for the portal administrators:

[Figure: SSO icon next to SSO users in the user list]

To log out from the Shibboleth IdP (if you did not check the Don't Remember Login box when logging in), open a URL of the form https://{shibboleth-idp-domain}/idp/profile/Logout
