Nowadays we can barely imagine our lives without multiple social networks, mail services, blogs and forums. That means we have to keep a great number of different logins and passwords in mind every day. Exhausting? Yes. That's why ONLYOFFICE gives you the option to activate Single Sign-on (SSO) authentication. From now on you won't need to enter your credentials every time you access the portal!
Only the portal owner and full access administrators can enable or disable this option.
Don't know how to enable and configure SSO authentication for your portal? Read this article to learn how.
Bare Bones Instructions
The Identity Provider and the Service Provider both take part in SSO authentication, so the two must be configured to match each other for SSO to work. An Identity Provider creates, maintains and manages identity information for principals and authenticates them on behalf of the service providers in a federation (OneLogin and ADFS are identity providers).
A Service Provider provides web services and relies on a trusted Identity Provider for user authentication (ONLYOFFICE is a service provider). Follow the instructions below to configure the Service Provider.
Check the Identity Provider configuration before configuring the Service Provider: every value you enter on the portal must match what the Identity Provider publishes.
- Go to the portal Settings page by clicking the icon in the upper right corner.
- Open the Security section.
- Switch to the Portal Access tab.
- Check the Enable SSO box under the Single Sign-on caption.
- Choose the SSO Type.
ONLYOFFICE supports two SSO types:
- SAML (Security Assertion Markup Language) is an XML standard for transmitting user authentication and authorization data between an identity provider and a service provider as security tokens that contain assertions, signed by the identity provider.
- JWT (JSON Web Token) is a security token that carries the user authentication and authorization data in JSON format, passed through URLs and protected by a digital signature or MAC.
The SSO Type, and the other values you need to fill out on the Single Sign-on page, depend entirely on the Identity Provider you have chosen and are shown on its configuration page.
- Enter the Issuer URL.
The Issuer URL identifies the Identity Provider (the user account provider). When the portal validates a SAML response or a JWT, it compares this value with the Issuer of the SAML response or the iss claim of the JWT, so it must match the Identity Provider's identifier exactly.
- Fill out the SSO Endpoint URL field.
When SSO is initiated on the Service Provider side (the user clicks Single Sign-on on the portal), the user is redirected to this URL.
- Fill out the SLO Endpoint URL field.
This field is optional. If you fill it out, every time you log out of the portal you are redirected to this URL (the Identity Provider's single logout endpoint).
- Choose the Signature Validation Type.
If you chose JWT as the SSO Type, select how token signatures are checked: an X.509 certificate, an RSA public key (RSA SHA-256), or a shared symmetric HMAC SHA-256 secret. The first two are public values; the HMAC secret is private and must be known only to the Identity Provider and the portal, because anyone holding it can mint tokens the portal accepts.
If you chose SAML, the Signature Validation Type must be set to X.509.
- Enter the corresponding certificate, public key or secret in the Key field.
- Click the Save button.
That's it! Now that SSO is enabled, all portal users can sign in with Single Sign-on by clicking the Single Sign-on link below the Sign In button on the portal sign-in page, or by starting from the sign-in page on the Identity Provider side.
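To make the JWT option concrete, here is an added Python example (not ONLYOFFICE code) of what a service provider does with a JWT when the Signature Validation Type is the symmetric HMAC SHA-256 key: it pins the algorithm, checks the signature in constant time under the shared secret entered in the Key field, compares iss with the Issuer URL and enforces exp. The issuer URL, secret, claims and timestamps are constructed for the example. The X.509 and RSA options verify the same way, except that the signature check uses the public key instead of the shared secret.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed configuration for the example, standing in for what is entered on the
# Single Sign-on page with SSO Type = JWT and Signature Validation Type = HMAC SHA-256.
ISSUER_URL = "https://idp.example.com"
SHARED_SECRET = b"example-shared-secret-change-me"  # constructed, never reuse


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Mint a token the way an IdP configured for HMAC SHA-256 would.

    Only here so the demo has tokens to check; the portal never mints them.
    """
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256_token(token: str, secret: bytes, issuer: str, now=None) -> dict:
    """Return the claims of an acceptable token, otherwise raise ValueError.

    Order matters: pin the algorithm before touching the signature (a header
    saying "none" or "RS256" must not change how the symmetric key is used),
    compare in constant time, then check the claims the portal relies on.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"alg {header.get('alg')!r} not allowed; HMAC SHA-256 is configured")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify under the configured key")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError(f"iss {claims.get('iss')!r} does not match the configured Issuer URL")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token has no exp or has expired")
    return claims


def demo(now: int = 1_700_000_000) -> dict:
    """Run the cases a verifier must get right; returns {case: outcome}."""
    base = {"iss": ISSUER_URL, "sub": "alice@example.com", "exp": now + 300}
    cases = {
        "valid": make_hs256_token(base, SHARED_SECRET),
        "wrong_key": make_hs256_token(base, b"guessed-secret"),
        "wrong_issuer": make_hs256_token({**base, "iss": "https://evil.example.com"}, SHARED_SECRET),
        "expired": make_hs256_token({**base, "exp": now - 1}, SHARED_SECRET),
        # alg=none forgery: header claims no signature, third part left empty
        "alg_none": make_hs256_token(base, b"", alg="none").rsplit(".", 1)[0] + ".",
    }
    results = {}
    for name, token in cases.items():
        try:
            verify_hs256_token(token, SHARED_SECRET, ISSUER_URL, now=now)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    return results
```

Running demo() accepts only the "valid" token; the wrong key, wrong issuer, expired and alg=none tokens are each rejected with the reason. The alg check comes first on purpose: a verifier that honours whatever alg the header names can be talked into treating a public key as an HMAC secret or into skipping the signature entirely.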
Example of Identity Provider and Service Provider configuration (ADFS 2.0 and ONLYOFFICE)
- Install ADFS with all the latest official updates and bug fixes.
- In the ADFS management console, choose Trust Relationships > Relying Party Trusts and add a Relying Party Trust.
- In the wizard that opens, choose Enter data about the relying party manually and click Next.
- In the Display name field, type any name you want and click Next.
- Choose the ADFS 2.0 Profile option and click Next.
- Skip the next step (the optional token encryption certificate) and click Next.
- Check the Enable support for the SAML 2.0 WebSSO protocol box and enter the URL https://@@@/samllogin.ashx/ in the Relying party SAML 2.0 SSO service URL field, where @@@ is the portal DNS name, for example https://test.onlyoffice.com/samllogin.ashx/. Click Next.
- Type https://@@@/samllogin.ashx in the Relying party trust identifier field and add it to the list.
- Choose the issuance authorization option you need and click Next.
- Click Finish.
- Open the properties of the created Relying Party Trust, switch to the Advanced tab and choose SHA-1 as the Secure hash algorithm. The portal expects SHA-1 here; note that SHA-1 is a deprecated hash algorithm for signatures, so this setting should not be reused for other relying parties.
- On the Signature tab, add the public certificate from ONLYOFFICE that signs the SAML requests sent to ADFS, then click OK.
- Right-click the created Relying Party Trust and choose Edit Claim Rules.
- On the Issuance Transform Rules tab, add a new rule that sends the attributes the portal needs in the token, then click OK.
Now set up Single Sign-on on your portal using the ADFS information:
- SSO Type - SAML
- Issuer URL - http://@@@/adfs/services/trust (this is the ADFS federation service identifier; it is compared as a string, not fetched, so keep the http:// scheme exactly as ADFS reports it)
- SSO Endpoint URL - https://@@@/adfs/ls/
- SLO Endpoint URL (optional) - https://@@@/adfs/ls/?wa=wsignout1.0
Here @@@ is the DNS name of your ADFS server.
- Signature Validation Type - X.509
- Enter the Key in the corresponding field.
To find the key, open the ADFS management console, go to Service > Certificates > Token-signing, right-click the certificate and choose View Certificate..., switch to the Details tab, click Copy to File... and export it as Base-64 encoded X.509 (.CER). Paste the contents of the exported file into the Key field. This is the certificate whose key signs every assertion ADFS issues, which is why it, and not the service communications certificate, belongs here.
- Click the Save button.
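The values above define the contract between ADFS and the portal: the Issuer URL is the identifier that must appear as the Issuer of every response, the SSO service URL is the Destination a response is addressed to, and the relying party trust identifier is the Audience of its assertion. The Python below is an added example (not ONLYOFFICE or ADFS code) of the checks a service provider applies to a SAML response after the XML signature has been verified with the exported token-signing certificate; the signature verification itself is not shown. The hostnames, the sample response and the timestamps are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed values mirroring the walkthrough: the ADFS identifier entered as
# Issuer URL, the portal SSO service URL (Destination) and the relying party
# trust identifier (Audience). Hostnames are made up.
EXPECTED_ISSUER = "http://adfs.example.com/adfs/services/trust"
PORTAL_SSO_URL = "https://portal.example.com/samllogin.ashx/"
PORTAL_IDENTIFIER = "https://portal.example.com/samllogin.ashx"

# Constructed, unsigned response used as sample input. A real ADFS response
# carries a <ds:Signature> over the assertion that must be verified with the
# exported token-signing certificate before these checks are worth anything.
RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="{destination}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def build_response(issuer=EXPECTED_ISSUER, destination=PORTAL_SSO_URL,
                   audience=PORTAL_IDENTIFIER, name_id="alice@example.com", status=SUCCESS):
    """Build a sample response; the keyword arguments let the demo tamper with one field."""
    return RESPONSE_TEMPLATE.format(issuer=issuer, destination=destination,
                                    audience=audience, name_id=name_id, status=status)


def _text(elem):
    # Collect every text node of the element, not only the first one.
    return "".join(elem.itertext()).strip()


def _parse_time(value):
    # SAML timestamps are UTC ISO 8601 with a trailing Z and optional fractional seconds.
    if value is None:
        raise ValueError("missing timestamp in Conditions")
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_response(xml_text, expected_issuer, sso_url, identifier, now):
    """Return the NameID of an acceptable response, otherwise raise ValueError."""
    root = ET.fromstring(xml_text)  # parse untrusted XML with defusedxml in production
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("status is not Success")
    if root.get("Destination") != sso_url:
        raise ValueError("Destination %r is not this portal's SSO service URL" % root.get("Destination"))
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion, got %d" % len(assertions))
    assertion = assertions[0]
    for elem in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if elem is None or _text(elem) != expected_issuer:
            raise ValueError("Issuer does not match the configured Issuer URL")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion has no Conditions")
    if not _parse_time(conditions.get("NotBefore")) <= now < _parse_time(conditions.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    audiences = [_text(a) for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if identifier not in audiences:
        raise ValueError("assertion is addressed to %r, not to this portal" % audiences)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("assertion has no NameID")
    return _text(name_id)


def outcome(xml_text, now_utc="2024-01-01T00:02:00Z"):
    """Convenience wrapper: 'accepted:<NameID>' or 'rejected:<reason>'."""
    try:
        return "accepted:" + check_response(xml_text, EXPECTED_ISSUER, PORTAL_SSO_URL,
                                            PORTAL_IDENTIFIER, _parse_time(now_utc))
    except ValueError as exc:
        return "rejected:" + str(exc)
```

outcome(build_response()) accepts alice@example.com, while a response whose Issuer names another ADFS server, whose Audience is another relying party, whose Destination is another URL, or that arrives outside the NotBefore/NotOnOrAfter window is rejected. The Audience check is what makes the relying party trust identifier matter: an assertion ADFS issued for a different relying party carries a different Audience and must not log anyone into this portal.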