Configuring ONLYOFFICE SP and OneLogin IdP

Introduction

Single Sign-on (SSO) is a technology that allows users to sign in only once and then get access to multiple applications/services without re-authentication.

SSO is always ensured by the joint operation of two applications: an Identity Provider and a Service Provider (also called as "IdP" and "SP"). ONLYOFFICE SSO implements the SP only. A lot of different providers can act as an IdP, but this article considers the OneLogin implementation.

Creating an IdP in OneLogin

1. Sign up for OneLogin, if you have not yet registered.
2. Sign in to OneLogin as an administrator.
3. Go to the Applications -> Applications -> Add App menu.
   
4. In the Find Application search field, type in the following text: SAML Custom Connector (Advanced):
   
5. Select the found option.
6. In a new window that opens, enter any Display Name, for example, "IDP OneLogin DocSpace", to distinguish this application from others, and click the Save button.
   
7. Go to the Configuration submenu and fill in the fields according to the table below:
   Please specify your own domain name or public IP where your ONLYOFFICE SP is hosted instead of myportal-address.com.

   Application Details
   RelayState	https://myportal-address.com
   Audience (EntityID)	https://myportal-address.com/sso/
   Recipient	https://myportal-address.com/sso/acs
   ACS (Consumer) URL Validator*	^https:\/\/myportal-address\.com\/sso\/acs\/$
   ACS (Consumer) URL*	https://myportal-address.com/sso/acs
   Single Logout URL	https://myportal-address.com/sso/slo/callback
   SAML initiator	Service Provider
   SAML nameID format	Email
   SAML issuer type	Specific
   SAML signature element	Assertion
   Encrypt assertion	(check this box)
   SAML encryption method	AES-128-CBC
   Sign SLO Request	(check this box)
   Sign SLO Response	(check this box)

   
   
   
8. Click the Save button and go to the Parameters submenu.
   
9. Use the Add parameter link to create 3 parameters (givenName, sn, mail). Check the Include in SAML assertion option and specify a value from the Value list, suitable for issuing from the field catalog of the LDAP directory, for all of them:
   
10. Once you fill in all the necessary fields for SAML assertion attributes in the IdP, you should receive nearly the same result as shown in the figure below. Click the Save button.
    
11. Go to the SSO submenu. Choose a valid certificate from the certificate list by clicking the Change link, if you have several certificates. In the SAML Signature Algorithm field, leave the SHA-1 option and click the Save button:
    
12. Copy the link from the Issuer URL field (e.g., https://app.onelogin.com/saml/metadata/4d87973f-629d-4a52-812e-bde45eff92b8) and go to the ONLYOFFICE portal signing in as an administrator. Open the Settings -> Integration -> Single Sign-On page.

Configuring ONLYOFFICE SP

1. 
   Enable SSO using the Enable Single Sign-on Authentication switcher and paste the link copied from the OneLogin issuer URL into the URL to Idp Metadata XML field.
   
2. Press the button with the upward arrow to load the IdP metadata. The ONLYOFFICE SP Settings form will be automatically filled in with your data from the OneLogin IdP.
   
   
   
3. Now you need to create a certificate in the SP Certificates section. To do that, click the Add certificate button in the corresponding section.
   
4. In the opened modal window, click the Generate New Self-Signed Certificate link, choose the signing and encrypt option in the Use for list. Before you save the certificate, copy the Public Certificate text to the clipboard (it will be necessary for OneLogin), then click the OK button.
   
   
5. Click the Save button.
6. The ONLYOFFICE SP Metadata section should be opened.
   
7. Return to OneLogin to set up encryption, open your application and go to the Configuration setting. Scroll down the page - the new SAML Encryption field for entering an encryption key should appear. Paste the copied Public Certificate text from the step 4 of this instruction into this field and click the Save button:
   

Creating users in OneLogin and giving them access to ONLYOFFICE

To create users in OneLogin and provide them access to our ONLYOFFICE SP, perform the following steps:

1. go to the OneLogin Users page signing in as an administrator,
   
2. create a new user or edit an existing one,
3. go to the Applications submenu and click the + button,
4. select our newly created application from the list and click Continue,
   
5. in a new window that opens add the missing data and click the SAVE button,
6. now the user is able to work in ONLYOFFICE SP.

Checking the work of the ONLYOFFICE SP with the OneLogin IdP

Logging in to ONLYOFFICE on the SP side

1. Go to the ONLYOFFICE Authentication page (e.g., https://myportal-address.com/Auth.aspx).
2. Click the Single sign-on button. If the button is missing, this means that SSO is not enabled.
   
3. If all the SP and IdP parameters are set correctly, we will be redirected to the OneLogin IdP login form:
   
4. Enter the login and password of the user who has been granted access to the ONLYOFFICE SP and click the LOG IN button.
5. If the credentials are correct, we will be redirected to the main page of the portal (the user will be created automatically if missing, or the data will be updated if changed in the IDP).