
How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP

Control Panel v2.7 changelog

Version 2.7

Release date: 04/25/2019


  • Added more fields mapped for the users loaded via LDAP: user photo, birthday, contacts, primary phone number;
  • Added the setting to autosync LDAP on schedule;
  • Added the possibility to give administrator rights to the user group at the portal via LDAP;
  • Updated the rules for LDAP users.

Version 2.5.1

Release date: 04/07/2018


  • Fixed the "Server internal error" error that occurred when using groups nested inside each other in AD (bug #37414).

Single Sign-on

  • Fixed the issue when the user data between the Service Provider and the portal was transferred via HTTP only, even when HTTPS was enabled.

Version 2.4.0

Release date: 01/13/2018

Single Sign-on

  • Fixed the Invalid ssoConfig error which occurred when the link to the IdP contained a question mark '?' (e.g. in the IdP Single Sign-On Endpoint URL);
  • Fixed the Invalid authentication token error which prevented a user from being added to the portal via AD FS when the + or - characters were present in the encrypted data being sent.

Version 2.3.0

Release date: 12/15/2017


  • Added the changelog for Control Panel and link to it;
  • Fixed the bug when JWT parameters were not sent when updating Document Server (bug #36270);
  • Fixed the bug when Audit Trail heading was present at the login history page (bug #36026);
  • The current machine is now checked for being linked with the domain name for multiple portals.


  • Fixed the LDAP Domain not found error which occurred if the DN record contained no DC records (users of Sun/Oracle DS were affected); now, if the LDAP domain cannot be determined, it is set to the unknown value or to the ldap.domain value from the web.appsettings.config configuration file;
  • Fixed the Sizelimit Exceeded error when trying to get more than 1000 users from Active Directory;
  • Increased the login speed with the Group Membership setting enabled;
  • Added additional logging;
  • Fixed the bug with LDAP operations hanging when using Mono v5.2.0 and older;
  • Fixed the error when trying to log in using an email address entered in a field other than the Mail Attribute;
  • Fixed the bug with nested groups where users were not displayed in all of their groups.

Version 2.2.0

Release date: 10/31/2017


  • Added a script launched when updating the Document Server so that documents being edited are saved correctly.


  • Substantially reworked the LDAP integration, migrating to a single library for working with LDAP (Novell.Directory.Ldap.NETStandard, NuGet, MIT);
  • Login and email are now split into two separate fields;
  • Added the support for big data;
  • Increased the speed of work via the LDAP protocol (the connection to the server and retrieval of the data is now made once per session, added limits for the cases when only a certain number of results is necessary, fixed the slow login for big data, removed the enumeration used to find the SID parameter);
  • Fixed the user re-creation issue;
  • Fixed the duplicate username issue;
  • Fixed the already existing email issue;
  • Replaced the LDAP user deletion with account deactivation (for further data migration and data safety);
  • Instead of re-creating a user with an unknown SID but an existing email the data is updated;
  • Added the attempt to save the correct UserName/Login in case a similar one is already taken on the portal.

Single Sign-on

  • Added the AD FS support;
  • Replaced the Single Sign-on link at the authorization page with the customizable button, added the button customization to the SSO setting of the Control Panel.

Version 2.1.0

Release date: 07/03/2017


  • Added the support of the Let's Encrypt service for domain certificate generation.

Single Sign-on

  • Added the new sso.auth service;
  • Added the new SSO settings page;
  • Added the support for Shibboleth.

Version 2.0.0

Release date: 05/25/2017


  • The Control Panel migrated from MVC to Node.js.

Version 1.6.0

Release date: 12/05/2016


  • Added LDAP synchronization for users and groups when saving the settings, after login and using the Sync button;
  • Changed email formation for LDAP users;
  • Fixed the problem of creation of users with invalid emails;
  • Fixed the problem of duplicate users;
  • Added icons and hints to the users in the list for the admin;
  • Blocked editing of the user profile fields imported via LDAP;
  • Added the real LDAP password saving to the database during login in case LDAP Auth is disabled, now the LDAP users will become common portal users when LDAP Auth is disabled;
  • Added new API Settings method - Sync LDAP;
  • Added new translations;
  • Bug fixes.

Version for Windows

  • Made changes at the Update page of the Control Panel for Windows;
  • Updates are performed using the downloaded installation packages for each module;
  • The currently installed component version numbers are obtained via an API request to the Community Server;
  • The new versions available for download are obtained via a request to the file where all the latest component version numbers and their download links are stored in JSON format.


You can configure Shibboleth 2.x - 3.x as your Identity Provider (IdP) for enterprise accounts in ONLYOFFICE. The configuration process includes two main steps: registering your Identity Provider in the SSO section of the ONLYOFFICE Control Panel and registering ONLYOFFICE SP in the Shibboleth Identity Provider.

ONLYOFFICE SP supports receiving the givenName, sn, title, locality, mobile and mail attributes of the enterprise account from the enterprise Identity Provider. When a user signs in using an enterprise account and ONLYOFFICE SP receives the givenName, sn and mail attributes (which are obligatory), ONLYOFFICE SP populates the full name and email address of the user account with the values received from the Identity Provider.
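The following Python script is an added example, not part of this article or of ONLYOFFICE's own code, showing how the attribute flow just described is handled on the SP side: it parses the AttributeStatement of a SAML 2.0 assertion, maps each attribute to a profile field by its urn:oid name (falling back to the FriendlyName), drops attributes it does not know, and refuses the login when any of the three obligatory attributes is missing. The mail and mobile OIDs are the ones used in the resolver configuration later in this article; the OIDs for givenName, sn, title and l are the standard RFC 4519 values and are assumed here, as are the profile field names and the sample assertion, which is constructed.

```python
"""SP-side handling of the attributes a Shibboleth IdP releases to ONLYOFFICE:
map them to profile fields and enforce the three obligatory ones."""
import xml.etree.ElementTree as ET

SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML2_ASSERTION_NS}

# SAML attribute Name (urn:oid form) -> profile field. The mail and mobile OIDs
# are the ones used in the resolver configuration in this article; the other
# four are the standard RFC 4519 OIDs for givenName, sn, title and l, assumed here.
OID_TO_FIELD = {
    "urn:oid:2.5.4.42": "first_name",               # givenName
    "urn:oid:2.5.4.4": "last_name",                 # sn
    "urn:oid:0.9.2342.19200300.100.1.3": "email",  # mail
    "urn:oid:2.5.4.12": "title",                    # title
    "urn:oid:2.5.4.7": "location",                  # l (locality)
    "urn:oid:0.9.2342.19200300.100.1.41": "phone", # mobile
}
# Fallback for IdPs that only send a recognised FriendlyName.
FRIENDLY_TO_FIELD = {"givenName": "first_name", "sn": "last_name", "mail": "email",
                     "title": "title", "l": "location", "mobile": "phone"}
# givenName, sn and mail are obligatory: without them no account can be populated.
REQUIRED_FIELDS = ("first_name", "last_name", "email")


def parse_attribute_statement(assertion_xml: str) -> dict:
    """Return {profile_field: value} for every recognised attribute.

    Unknown attributes are ignored; for a multi-valued attribute the first
    non-empty value is kept, since a profile field holds a single value.
    """
    root = ET.fromstring(assertion_xml)
    profile = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        field = (OID_TO_FIELD.get(attr.get("Name", ""))
                 or FRIENDLY_TO_FIELD.get(attr.get("FriendlyName", "")))
        if field is None or field in profile:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            text = (value.text or "").strip()
            if text:
                profile[field] = text
                break
    return profile


def missing_required(profile: dict) -> list:
    """Obligatory fields the IdP did not supply (empty list means all present)."""
    return [f for f in REQUIRED_FIELDS if f not in profile]


def build_profile(assertion_xml: str) -> dict:
    """Parse the assertion and refuse the login when an obligatory attribute is absent."""
    profile = parse_attribute_statement(assertion_xml)
    missing = missing_required(profile)
    if missing:
        raise ValueError(f"IdP did not release obligatory attributes: {missing}")
    return profile


def make_assertion(attributes) -> str:
    """Build a constructed sample assertion from (Name, FriendlyName, value) tuples.

    encodeType="false" in the resolver means the values carry no xsi:type, as here.
    """
    items = "".join(
        f'    <saml:Attribute Name="{name}" FriendlyName="{friendly}">\n'
        f'      <saml:AttributeValue>{value}</saml:AttributeValue>\n'
        '    </saml:Attribute>\n'
        for name, friendly, value in attributes)
    return (f'<saml:Assertion xmlns:saml="{SAML2_ASSERTION_NS}" ID="_constructed" Version="2.0">\n'
            f'  <saml:AttributeStatement>\n{items}  </saml:AttributeStatement>\n'
            '</saml:Assertion>')


# Constructed sample data (not a real IdP response).
SAMPLE_ATTRIBUTES = [
    ("urn:oid:2.5.4.42", "givenName", "Jane"),
    ("urn:oid:2.5.4.4", "sn", "Doe"),
    ("urn:oid:0.9.2342.19200300.100.1.3", "mail", "jane.doe@example.edu"),
    ("urn:oid:2.5.4.12", "title", "Researcher"),
    ("urn:oid:1.2.3.4.5", "notMapped", "ignored"),  # constructed unmapped attribute: dropped
]
SAMPLE_ASSERTION = make_assertion(SAMPLE_ATTRIBUTES)
ASSERTION_WITHOUT_MAIL = make_assertion([a for a in SAMPLE_ATTRIBUTES if a[1] != "mail"])

if __name__ == "__main__":
    print(build_profile(SAMPLE_ASSERTION))
    print("missing:", missing_required(parse_attribute_statement(ASSERTION_WITHOUT_MAIL)))
```

Matching on the urn:oid Name first and on FriendlyName only as a fallback matters because the Name is what the resolver's SAML2String encoder sets, while the FriendlyName is optional and not guaranteed to be stable across IdPs.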

Registering Shibboleth as an enterprise Identity Provider in ONLYOFFICE SP

  1. Make sure that you are signed in to your ONLYOFFICE Control Panel as an Administrator and click the SSO tab.
    You can only register one enterprise Identity Provider for your organization on the ONLYOFFICE portal.
  2. Enable SSO using the Enable Single Sign-on Authentication switcher.
  3. Enter the Identity Provider metadata in one of the following three ways:
    • By the link (LOAD DATA) – if the Shibboleth IdP metadata is accessible from outside by a link (e.g. https://{shibboleth-idp-domain}/idp/shibboleth), paste the link into the URL to IdP Metadata XML field and press the button with the upwards arrow. All the required parameters will then be displayed within the extended form.
    • File (SELECT FILE) – by default, Shibboleth provides the IdP metadata file in SHIBBOLETH_HOME/metadata. If the metadata file is available, upload it using the SELECT FILE button to browse for the SHIBBOLETH_HOME/metadata/idp-metadata.xml file stored on your local machine. All the required parameters will then be displayed within the extended form.
    • Parameters – if the metadata file is not accessible, enter the required values manually: IdP Entity ID, IdP Single Sign-On Endpoint URL, IdP Single Logout Endpoint URL, signing certificates, etc. To obtain these values, contact your Shibboleth administrator.
  4. In the Custom login button caption field, you can enter any text instead of the default one (Single Sign-on). This text is displayed on the button used to log in to the portal with the Single Sign-on service on the ONLYOFFICE authentication page.
  5. If your Shibboleth IdP requires that input data is signed and/or encrypted, create or add certificates for this purpose in the SP Certificates section. In the advanced settings, you can also set which requests must be signed, specify whether the data must be decrypted, and select the corresponding signing and decryption algorithms.
  6. In the Attribute Mapping section, set the correspondence between the fields of the ONLYOFFICE People module and the user attributes returned by the Shibboleth IdP.
  7. Click the Save button.
  8. The ONLYOFFICE SP Metadata section should open.
  9. Verify that your settings are publicly available by clicking the Download SP Metadata XML button. The XML file contents should be displayed.

Registering ONLYOFFICE as a trusted Service Provider in the Shibboleth IdP

  1. Configure ONLYOFFICE SP as a relying party in Shibboleth.
    1. Obtain the metadata file of your ONLYOFFICE portal and save it as an XML file. To receive the metadata file, sign in to the ONLYOFFICE Control Panel as an administrator and click the SSO tab. Click the DOWNLOAD SP METADATA XML button and save the data as the sp-ONLYOFFICE.xml file.
    2. Add ONLYOFFICE as a trusted Service Provider in Shibboleth by specifying a new MetadataProvider element in the SHIBBOLETH_HOME/conf/metadata-providers.xml file. To do that, add the following portion of code into the root MetadataProvider element, providing the path to the metadata XML file of your organization (the file that you saved at the previous step):
    <MetadataProvider id="ONLYOFFICESP"  xsi:type="FilesystemMetadataProvider" metadataFile="<PATH_TO_THE_SAVED_METADATA>/metadata/sp-ONLYOFFICE.xml"/>
  2. Configure user attributes that will be returned from the Shibboleth IdP.
    1. Edit the SHIBBOLETH_HOME/conf/attribute-resolver.xml file. Comment or delete all the existing definitions of the attributes and data connectors.
    2. Add the following attribute entry into the resolver:AttributeResolver section.
      <!-- ========================================== -->
      <!--          Attribute Definitions             -->
      <!-- ========================================== -->
      <!-- Schema: Core schema attributes -->
      <!-- Each definition is closed with </resolver:AttributeDefinition>. Where a
           SAML2 encoder name below reads "urn:oid:" only, fill in the full urn:oid
           value of that attribute. The id values (email, surname, ...) are what the
           attributeID values in attribute-filter.xml refer to. -->
      <resolver:AttributeDefinition id="email" xsi:type="ad:Simple" sourceAttributeID="mail">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
      </resolver:AttributeDefinition>
      <resolver:AttributeDefinition xsi:type="ad:Simple" id="mobileNumber" sourceAttributeID="mobile">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mobile" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.41" friendlyName="mobile" encodeType="false" />
      </resolver:AttributeDefinition>
      <resolver:AttributeDefinition xsi:type="ad:Simple" id="surname" sourceAttributeID="sn">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:" friendlyName="sn" encodeType="false" />
      </resolver:AttributeDefinition>
      <resolver:AttributeDefinition xsi:type="ad:Simple" id="locality" sourceAttributeID="l">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:l" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:" friendlyName="l" encodeType="false" />
      </resolver:AttributeDefinition>
      <resolver:AttributeDefinition xsi:type="ad:Simple" id="title" sourceAttributeID="title">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:title" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:" friendlyName="title" encodeType="false" />
      </resolver:AttributeDefinition>
      <resolver:AttributeDefinition xsi:type="ad:Simple" id="givenName" sourceAttributeID="givenName">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:" friendlyName="givenName" encodeType="false" />
      </resolver:AttributeDefinition>
    3. Configure the attributes to release to the Service Provider. Edit the SHIBBOLETH_HOME/conf/attribute-filter.xml file and add the following code:
    <AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <!-- Release some attributes to an SP. Each attributeID is the id of an
           AttributeDefinition in attribute-resolver.xml (email, not mail). -->
      <AttributeFilterPolicy id="ONLYOFFICESP">
        <PolicyRequirementRule xsi:type="OR">
          <Rule xsi:type="Requester" value="https://{portal-domain}/sso/metadata" />
        </PolicyRequirementRule>
        <AttributeRule attributeID="email">
          <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="surname">
          <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="givenName">
          <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="mobileNumber">
          <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="title">
          <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="locality">
          <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
      </AttributeFilterPolicy>
    </AttributeFilterPolicyGroup>
    Replace {portal-domain} with your portal domain name.
  3. Edit the SHIBBOLETH_HOME/conf/relying-party.xml file.
    1. Copy the following XML code and paste it into the shibboleth.RelyingPartyOverrides element in order to override the default settings of the Shibboleth IdP for the ONLYOFFICE SP:
    <util:list id="shibboleth.RelyingPartyOverrides">
      <bean parent="RelyingPartyByName" c:relyingPartyIds="https://{portal-domain}/sso/metadata">
        <property name="profileConfigurations">
          <list>
            <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
            <bean parent="SAML2.SSO" p:encryptAssertions="true" p:postAuthenticationFlows="attribute-release" />
            <bean parent="SAML2.Logout" />
          </list>
        </property>
      </bean>
    </util:list>
    Replace {portal-domain} with your portal domain name.
  4. Restart the Shibboleth daemon (Linux) or service (Windows).
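The three files edited in steps 1 to 3 must agree with each other and with the SP entityID: the attributeID values in attribute-filter.xml are the ids of the AttributeDefinition elements in attribute-resolver.xml, and both the Requester rule and the relyingPartyIds override must name the SP entityID, otherwise the IdP silently releases nothing and the login fails for lack of the obligatory attributes. The following Python script is an added example, not part of this article or of the Shibboleth project: it parses constructed, cut-down copies of the three files (namespace-agnostically, so it works on the real files too) and reports every mismatch. The sample filter deliberately releases an attributeID (mail) that the resolver defines under a different id (email); the SP entityID https://portal.example.com/sso/metadata is a placeholder.

```python
"""Cross-check attribute-resolver.xml, attribute-filter.xml and
relying-party.xml against the SP entityID before restarting the IdP."""
import xml.etree.ElementTree as ET


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]


def _attrs(elem) -> dict:
    """Attributes of an element keyed by local name (xsi:type -> type)."""
    return {_local(k): v for k, v in elem.attrib.items()}


def resolver_attribute_ids(resolver_xml: str) -> set:
    """ids of every AttributeDefinition in attribute-resolver.xml."""
    root = ET.fromstring(resolver_xml)
    return {e.get("id") for e in root.iter() if _local(e.tag) == "AttributeDefinition"}


def filter_policy(filter_xml: str, policy_id: str):
    """(requester entityIDs, released attributeIDs) of one AttributeFilterPolicy."""
    root = ET.fromstring(filter_xml)
    for policy in root.iter():
        if _local(policy.tag) == "AttributeFilterPolicy" and policy.get("id") == policy_id:
            requesters = {_attrs(r)["value"] for r in policy.iter()
                          if _local(r.tag) == "Rule" and _attrs(r).get("type") == "Requester"}
            released = {a.get("attributeID") for a in policy.iter()
                        if _local(a.tag) == "AttributeRule"}
            return requesters, released
    raise ValueError(f"no AttributeFilterPolicy with id={policy_id!r}")


def relying_party_override(rp_xml: str) -> dict:
    """relyingPartyIds named by the override and whether SAML2.SSO encrypts assertions."""
    root = ET.fromstring(rp_xml)
    found = {"relying_party_ids": set(), "encrypt_assertions": False}
    for bean in root.iter():
        if _local(bean.tag) != "bean":
            continue
        a = _attrs(bean)
        if "relyingPartyIds" in a:  # c:relyingPartyIds may hold a comma-separated list
            found["relying_party_ids"] |= {s.strip() for s in a["relyingPartyIds"].split(",")}
        if a.get("parent") == "SAML2.SSO":
            found["encrypt_assertions"] = a.get("encryptAssertions", "false").lower() == "true"
    return found


def check_release(sp_entity_id: str, resolver_xml: str, filter_xml: str,
                  rp_xml: str, policy_id: str = "ONLYOFFICESP") -> list:
    """Return the list of mismatches; an empty list means the files agree."""
    problems = []
    defined = resolver_attribute_ids(resolver_xml)
    requesters, released = filter_policy(filter_xml, policy_id)
    for attr_id in sorted(released - defined):
        problems.append(f"filter releases '{attr_id}' but the resolver defines no such id")
    if sp_entity_id not in requesters:
        problems.append(f"filter policy {policy_id} has no Requester rule for {sp_entity_id}")
    rp = relying_party_override(rp_xml)
    if sp_entity_id not in rp["relying_party_ids"]:
        problems.append(f"relying-party.xml has no override for {sp_entity_id}")
    if not rp["encrypt_assertions"]:
        problems.append('SAML2.SSO override does not set p:encryptAssertions="true"')
    return problems


# Constructed, cut-down copies of the three files; the SP entityID is a placeholder.
SP_ENTITY_ID = "https://portal.example.com/sso/metadata"
RESOLVER_XML = """<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition id="email" xsi:type="ad:Simple" sourceAttributeID="mail">
    <resolver:Dependency ref="myLDAP" />
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition id="surname" xsi:type="ad:Simple" sourceAttributeID="sn">
    <resolver:Dependency ref="myLDAP" />
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>"""
FILTER_XML = """<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy" xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="ONLYOFFICESP">
    <PolicyRequirementRule xsi:type="OR">
      <Rule xsi:type="Requester" value="https://portal.example.com/sso/metadata" />
    </PolicyRequirementRule>
    <AttributeRule attributeID="mail"><PermitValueRule xsi:type="ANY" /></AttributeRule>
    <AttributeRule attributeID="surname"><PermitValueRule xsi:type="ANY" /></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""
RELYING_PARTY_XML = """<util:list id="shibboleth.RelyingPartyOverrides"
    xmlns="http://www.springframework.org/schema/beans" xmlns:util="http://www.springframework.org/schema/util"
    xmlns:c="http://www.springframework.org/schema/c" xmlns:p="http://www.springframework.org/schema/p">
  <bean parent="RelyingPartyByName" c:relyingPartyIds="https://portal.example.com/sso/metadata">
    <property name="profileConfigurations">
      <list>
        <bean parent="SAML2.SSO" p:encryptAssertions="true" p:postAuthenticationFlows="attribute-release" />
        <bean parent="SAML2.Logout" />
      </list>
    </property>
  </bean>
</util:list>"""

if __name__ == "__main__":
    for problem in check_release(SP_ENTITY_ID, RESOLVER_XML, FILTER_XML, RELYING_PARTY_XML):
        print("PROBLEM:", problem)
```

To run it against a real installation, read the three files from SHIBBOLETH_HOME/conf and pass the entityID from the downloaded sp-ONLYOFFICE.xml as sp_entity_id; the encryptAssertions check reflects the p:encryptAssertions="true" setting from step 3 and fails if that flag is dropped.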

Checking the work of the ONLYOFFICE SP with the Shibboleth IdP

Logging in to ONLYOFFICE on the SP side
  1. Go to the ONLYOFFICE Authentication page (e.g.,
  2. Click the Single sign-on button (the caption may differ if you specified your own text when configuring ONLYOFFICE SP). If the button is missing, SSO is not enabled.
  3. If all the SP and IdP parameters are set correctly, you will be redirected to the Shibboleth IdP login form.
  4. Enter the username and password of the Shibboleth IdP account and check the Don't Remember Login box.
  5. If the credentials are correct, a new window opens. Allow the provision of information to the service by clicking the Accept button.
  6. If everything is correct, you will be redirected to the main page of the portal (the user will be created automatically if missing, or the data will be updated if it has changed in the IdP).

Profiles for users added with SSO authentication

The possibility to edit user profiles created using the SSO authentication is restricted. The user profile fields received from the IdP are disabled for editing (i.e. First Name, Last Name, Email, Title and Location). You can edit these fields from your IdP account only.

The figure below shows the Actions menu for an SSO user:


The following figure shows an SSO user profile opened for editing:


The users created using the SSO authentication are marked with the SSO icon in the user list for the portal administrators:


To log out from the Shibboleth IdP (if you have not checked the Don't Remember Login box when logging in), go to the link that looks like this: https://{shibboleth-idp-domain}/idp/profile/Logout
