<%@ Control Language="C#" Inherits="BaseContentUserControls" %>
<%@ Register Namespace="TeamLab.Controls" Assembly="__Code" TagPrefix="cc" %>
<script runat="server">
protected override void Init()
{
PageTitle = PageCaption = "How to configure Shibboleth IdP and ONLYOFFICE SP";
MetaKeyWords = "Control Panel, SSO, Single sign-on, Shibboleth";
MetaDescription = "Learn how to configure Shibboleth IdP and ONLYOFFICE SP.";
}
</script>
<div class="main_buscall_container dataBackup">
<div class="MainHelpCenter">
<h1 class="subHeaderFeaturesCaption TipsCaption">How to configure Shibboleth IdP and ONLYOFFICE SP</h1>
<cc:LocalizeContent runat="Server" ControlName="~/Controls/Help/VariousControls/Versions/ControlPanel/ControlPanel_Current.ascx" />
<div class="keyword_block">
<ul>
<li><cc:LocalizeContent runat="Server" ControlName="~/Controls/Help/Tags/server-version/server-version.ascx" /></li>
<li><cc:LocalizeContent runat="Server" ControlName="~/Controls/Help/Tags/local-server/local-server.ascx" /></li>
<%--<li>
<span class="enterprise_display">
<cc:LocalizeContent runat="Server" ControlName="~/Controls/Help/Tags/enterprise-edition/enterprise-edition.ascx" />
</span>
</li>--%>
<li><cc:LocalizeContent runat="Server" ControlName="~/Controls/Help/Tags/control-panel/control-panel.ascx" /></li>
<li><cc:LocalizeContent runat="Server" ControlName="~/Controls/Help/Tags/sso/sso.ascx" /></li>
<li><cc:LocalizeContent runat="Server" ControlName="~/Controls/Help/Tags/shibboleth/shibboleth.ascx" /></li>
</ul>
</div>
<h2 id="Introduction">Introduction</h2>
<p><b>Single Sign-on</b> (SSO) is a technology that lets users sign in once and then access multiple applications/services without re-authenticating.</p>
<div class="example">If a web portal includes several large, independent sections (forums, chat, blogs, etc.), a user can go through the authentication procedure in one of the services and automatically gain access to all the others without having to enter credentials several times.</div>
<p>SSO is always a joint operation of two applications: an Identity Provider and a Service Provider (hereinafter "IdP" and "SP"). <b>ONLYOFFICE SSO</b> implements only the <b>SP</b> side. Different providers can act as the IdP; this article covers <a target="_blank" href="https://www.shibboleth.net/">the Shibboleth implementation</a>.</p>
<div class="notehelp enterprise_display">If you want to use SSO when connecting <b>ONLYOFFICE Desktop Editors</b> to your <b><%= ((BasePage)Page).EditionVersion %></b>, disable <b>Private Rooms</b> in the <b>Control Panel</b>.</div>
<h2 id="Prepare">Preparing <%= ((BasePage)Page).EditionVersion %> for SSO configuration</h2>
<ol>
<li>Install <%= ((BasePage)Page).EditionVersion %> <b>v. 11.0.0</b> for Docker or any later version with SSO support.</li>
<li>Add a domain name, for example, <span class="param-type">myportal-address.com</span>.</li>
<li>In your portal go to <b>Control Panel</b> -> <b>HTTPS</b>, create and apply a <a target="_blank" href="https://letsencrypt.org/">letsencrypt</a> certificate to encrypt traffic (to enable HTTPS on your portal). SAML responses and the SP metadata URL are exchanged over this channel, so the portal must be reachable over HTTPS with a certificate the IdP trusts.</li>
</ol>
<h2 id="CreateIdP">Creating Shibboleth IdP</h2>
<h5>Requirements</h5>
<ul>
<li>To deploy Shibboleth IdP, a clean CentOS 7 host machine is required.</li>
<li>The clock must be correct and a time synchronization service must be installed on the IdP host. SAML assertions carry a short validity window, so clock skew between the IdP and the SP makes logins fail with validation errors:
<pre><code># check the current time and whether NTP is already synchronizing
timedatectl status
# install ntp, perform a one-shot sync, then enable and start the daemon
yum install -y ntp
ntpdate time.apple.com
systemctl enable ntpd.service
systemctl start ntpd.service</code></pre>
</li>
<li>The <code>unzip</code> package must be installed on the machine:
<pre><code>yum install unzip</code></pre>
</li>
<li><a target="_blank" href="https://docs.docker.com/engine/install/">Docker</a> and <a target="_blank" href="https://docs.docker.com/compose/install/">Docker Compose</a> must be installed on the machine.</li>
<li>A domain name must be associated with the machine (for example, <span class="param-type">your-idp-domain.com</span>).</li>
</ul>
<h5>Creating Shibboleth IdP</h5>
<p>To create, configure and start Shibboleth IdP, download and run the <a target="_blank" href="https://bit.ly/3fwo5e6">install.sh</a> script. The link is a URL shortener, so inspect the downloaded file before executing it and make sure it does what is described below.</p>
<p>Here's what the script does:</p>
<ul>
<li>downloads the Docker files for building the Shibboleth IdP images and containers from <a target="_blank" href="https://github.com/UniconLabs/dockerized-idp-testbed">GitHub</a>,</li>
<li>replaces the default <span class="param-type">idptestbed.edu</span> domain in the configuration files with the domain specified when executing the script,</li>
<li>registers the specified ONLYOFFICE SP domain so that it can use the IdP via the SAML protocol,</li>
<li>specifies which user attributes Shibboleth IdP releases to ONLYOFFICE SP (the <b>Attribute Mapping</b> setting),</li>
<li>creates and configures an LDAP directory and populates it with test users,</li>
<li>enables dynamic loading of metadata from ONLYOFFICE SP into Shibboleth IdP,</li>
<li>enables Shibboleth SLO, unless it is disabled with the <code>--no_slo</code> parameter.</li>
</ul>
<ol>
<li>Download the install.sh script:
<pre><code>curl -L https://bit.ly/3fwo5e6 -o install.sh</code></pre>
</li>
<li>Make the script executable:
<pre><code>chmod +x install.sh</code></pre>
</li>
<li>Run the script, replacing the parameters with your own values:
<pre><code>./install.sh -id your-idp-domain.com -sd myportal-address.com --no_slo</code></pre>
<p>Script parameters:</p>
<ul>
<li><b>-id</b> - the domain name of the current machine, used for Shibboleth IdP.</li>
<li><b>-sd</b> - the domain name where ONLYOFFICE SP is deployed.</li>
<li><b>--no_slo</b> - disables Single Logout in Shibboleth IdP (<b>optional parameter</b>).</li>
</ul>
</li>
<li>Wait until Shibboleth IdP has started after the script finishes.</li>
<li>To verify that Shibboleth IdP started correctly, open the <span class="param-type">https://your-idp-domain.com/idp/shibboleth</span> link in your browser. An XML file (the IdP metadata) should be displayed.</li>
<li>Copy the <span class="param-type">https://{your_idp_domain}/idp/shibboleth</span> link (for example, <span class="param-type">https://your-idp-domain.com/idp/shibboleth</span>) and go to the ONLYOFFICE portal, signing in as an administrator. Open the <b>Control Panel</b> -> <b>SSO</b> page.</li>
</ol>
<h2 id="ConfigureSP">Configuring ONLYOFFICE SP</h2>
<ol>
<li>Make sure you are signed in to the <b>Control Panel</b> of your ONLYOFFICE as an administrator and click the <b>SSO</b> tab.
<div class="notehelp">You can register only one corporate identity provider for your organization on the ONLYOFFICE portal.</div>
<div class="screen_block">
<img alt="How to configure Shibboleth IdP and ONLYOFFICE SP" target="img1_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide93/shibboleth_1.png")%>" />
<img alt="How to configure Shibboleth IdP and ONLYOFFICE SP" id="img1_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide93/shibboleth_1.png")%>" />
<div target="img1_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>Enable SSO using the <b>Enable Single Sign-on Authentication</b> switch and paste the link to the Shibboleth IdP metadata into the <b>URL to IdP Metadata XML</b> field.
<div class="screen_block">
<img alt="How to configure Shibboleth IdP and ONLYOFFICE SP" target="img2_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide93/shibboleth_2.png")%>" />
<img alt="How to configure Shibboleth IdP and ONLYOFFICE SP" id="img2_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide93/shibboleth_2.png")%>" />
<div target="img2_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>Click the up-arrow button to load the IdP metadata. The <b>ONLYOFFICE SP Settings</b> form will be filled automatically with the data from your Shibboleth IdP.
<p>Since we disabled SLO when running the install.sh script with the <code>--no_slo</code> parameter, the <b>IdP Single Logout Endpoint URL</b> field will be empty.</p>
</li>
<li>Once the IdP metadata is loaded, two certificates will be added in the <b>IdP Public certificates</b> section. You'll also see a pop-up window with the following text: 'Multiple Idp verification certificates are not supported. Please leave only Primary certificate'.
<p>Delete the <b>first certificate in the list</b> and leave only the second one, which is the primary certificate. Use the <b>Delete</b> link next to the first certificate to remove it. If you do not remove it, you will not be able to save the settings. The certificate you keep is the one ONLYOFFICE SP uses to verify the signature on the IdP's SAML responses, so keeping the wrong one does not fail at save time but produces a signature verification error at login.</p>
</li>
<li>In the <b>Custom login button text</b> field you can enter any text instead of the default (<em>Single Sign-on</em>). This text will be shown on the button used to sign in to the portal with the Single Sign-on service on the ONLYOFFICE authentication page.
<div class="screen_block">
<img alt="How to configure Shibboleth IdP and ONLYOFFICE SP" target="img113_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_4-1.png")%>" />
<img alt="How to configure Shibboleth IdP and ONLYOFFICE SP" id="img113_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_4-1.png")%>" />
<div target="img113_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>Now you need to create self-signed certificates or add any other certificates in the <b>SP Certificates</b> section. These are the SP's own key pairs: the private key stays on the portal and is used to sign requests and decrypt assertions, while only the public certificate is published in the SP metadata for the IdP to consume.
<div class="notehelp nh_important"><span class="important_notice_label">Important!</span>In the <b>Use for</b> list, choose the <b>signing and encrypt</b> option, as the install.sh script configures Shibboleth IdP to check that data from the SP is digitally signed and to encrypt the data it sends back.</div>
<div class="screen_block">
<img alt="How to configure Shibboleth IdP and ONLYOFFICE SP" target="img3_1_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide94/onelogin_11.png")%>" />
<img alt="How to configure Shibboleth IdP and ONLYOFFICE SP" id="img3_1_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide94/onelogin_11.png")%>" />
<div target="img3_1_eventcom_guides" class="screenphoto magnifier"></div>
</div>
<p>You should get nearly the same result:</p>
<div class="screen_block">
<img alt="How to configure Shibboleth IdP and ONLYOFFICE SP" target="img3_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide93/shibboleth_3.png")%>" />
<img alt="How to configure Shibboleth IdP and ONLYOFFICE SP" id="img3_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide93/shibboleth_3.png")%>" />
<div target="img3_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>In the <b>Attribute Mapping</b> section, specify which fields of the ONLYOFFICE People module correspond to the user attributes released by Shibboleth IdP. The attribute names are the standard LDAP attribute OIDs in <span class="param-type">urn:oid:</span> form:
<table class="table_parameters">
<thead>
<tr>
<th>ONLYOFFICE field</th>
<th>SAML attribute name</th>
<th>LDAP attribute</th>
</tr>
</thead>
<tbody>
<tr>
<th>First Name</th>
<td><span class="param-type">urn:oid:2.5.4.42</span></td>
<td>givenName</td>
</tr>
<tr>
<th>Last Name</th>
<td><span class="param-type">urn:oid:2.5.4.4</span></td>
<td>sn</td>
</tr>
<tr>
<th>Email</th>
<td><span class="param-type">urn:oid:0.9.2342.19200300.100.1.3</span></td>
<td>mail</td>
</tr>
<tr>
<th>Location</th>
<td><span class="param-type">urn:oid:2.5.4.7</span></td>
<td>l (localityName)</td>
</tr>
<tr>
<th>Title</th>
<td><span class="param-type">urn:oid:2.5.4.12</span></td>
<td>title</td>
</tr>
<tr>
<th>Phone</th>
<td><span class="param-type">urn:oid:0.9.2342.19200300.100.1.41</span></td>
<td>mobile</td>
</tr>
</tbody>
</table>
<div class="screen_block">
<img alt="How to configure Shibboleth IdP and ONLYOFFICE SP" target="img5_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide93/shibboleth_5.png")%>" />
<img alt="How to configure Shibboleth IdP and ONLYOFFICE SP" id="img5_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide93/shibboleth_5.png")%>" />
<div target="img5_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>Click the <b>Save</b> button.</li>
<li>The <b>ONLYOFFICE SP Metadata</b> section should open.</li>
<li>Check that your settings are publicly available by clicking the <b>Download SP Metadata XML</b> button. The contents of the XML file should be displayed.
<div class="screen_block">
<img alt="How to configure Shibboleth IdP and ONLYOFFICE SP" target="img6_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide93/shibboleth_6.png")%>" />
<img alt="How to configure Shibboleth IdP and ONLYOFFICE SP" id="img6_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide93/shibboleth_6.png")%>" />
<div target="img6_eventcom_guides" class="screenphoto magnifier"></div>
</div>
<p>This XML file is normally used to configure Shibboleth IdP, but because the install.sh script enables <code>DynamicHTTPMetadataProvider</code>, you do not need to do that: Shibboleth IdP will fetch this XML from the portal at the first login request. This only works if the IdP can reach the portal's metadata URL over HTTPS with a certificate it trusts, which is why HTTPS was enabled on the portal earlier.</p>
</li>
</ol>
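<p>The IdP metadata at <span class="param-type">https://your-idp-domain.com/idp/shibboleth</span> (step 6 of the previous section) is what ONLYOFFICE SP imports in the procedure above, and the two-certificate pop-up comes from the several <code>KeyDescriptor</code> elements it contains. The following added example, which is not code from ONLYOFFICE, Shibboleth or the install.sh script, parses such metadata and reports what the SP will see: entityID, SSO/SLO endpoints and the signing and encryption certificates, with warnings for the conditions this guide mentions (more than one signing certificate; no SLO endpoint when <code>--no_slo</code> was used). The embedded metadata is a constructed, trimmed sample with placeholder certificate bodies; pass a URL as the first argument to inspect a live IdP instead.</p>

```python
"""Inspect SAML IdP metadata before importing it into ONLYOFFICE SP.

Added example for this guide; not ONLYOFFICE, Shibboleth or install.sh code.
"""
import sys
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed, trimmed sample in the shape Shibboleth IdP serves at /idp/shibboleth.
# The certificate bodies are placeholders, not real keys.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://your-idp-domain.com/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        PLACEHOLDER-BACKCHANNEL-SIGNING-CERT
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        PLACEHOLDER-SIGNING-CERT
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        PLACEHOLDER-ENCRYPTION-CERT
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://your-idp-domain.com/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://your-idp-domain.com/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _certificates(key_descriptor):
    """Base64 bodies of the X509Certificate elements, whitespace-normalised so two
    copies of one certificate compare equal regardless of line wrapping."""
    return [
        "".join(c.text.split())
        for c in key_descriptor.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if c.text
    ]


def summarize_idp_metadata(xml_data):
    """Return entityID, SSO/SLO endpoints (binding -> URL) and the certificates the
    metadata offers for signature verification and for encryption."""
    root = ET.fromstring(xml_data)
    idp = root.find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    summary = {"entity_id": root.get("entityID"), "sso": {}, "slo": {},
               "signing_certs": [], "encryption_certs": []}
    for kd in idp.findall("md:KeyDescriptor", NS):
        use = kd.get("use")  # an absent 'use' means the key serves both purposes
        if use in (None, "signing"):
            summary["signing_certs"].extend(_certificates(kd))
        if use in (None, "encryption"):
            summary["encryption_certs"].extend(_certificates(kd))
    for element, key in (("SingleSignOnService", "sso"), ("SingleLogoutService", "slo")):
        for endpoint in idp.findall(f"md:{element}", NS):
            summary[key][endpoint.get("Binding")] = endpoint.get("Location")
    return summary


def onlyoffice_warnings(summary):
    """Conditions this guide calls out, checked before the metadata is imported."""
    warnings = []
    n_signing = len(summary["signing_certs"])
    if n_signing > 1:
        warnings.append(
            f"{n_signing} signing certificates: ONLYOFFICE SP keeps a single IdP verification "
            "certificate, so all but the primary one must be deleted before saving")
    if not summary["slo"]:
        warnings.append("no SingleLogoutService: SLO is disabled on the IdP (install.sh --no_slo), "
                        "so the 'IdP Single Logout Endpoint URL' field will stay empty")
    for location in list(summary["sso"].values()) + list(summary["slo"].values()):
        if not location.startswith("https://"):
            warnings.append(f"endpoint not served over HTTPS: {location}")
    return warnings


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. https://your-idp-domain.com/idp/shibboleth
        with urllib.request.urlopen(sys.argv[1]) as response:
            data = response.read()
    else:
        data = SAMPLE_IDP_METADATA
    result = summarize_idp_metadata(data)
    print("entityID:", result["entity_id"])
    for binding, url in result["sso"].items():
        print("SSO", binding.rsplit(":", 1)[-1], url)
    for binding, url in result["slo"].items():
        print("SLO", binding.rsplit(":", 1)[-1], url)
    print(f"{len(result['signing_certs'])} signing / "
          f"{len(result['encryption_certs'])} encryption certificate(s)")
    for warning in onlyoffice_warnings(result):
        print("WARNING:", warning)
```

<p>Run against a live IdP, the script tells you in advance whether the import will raise the multiple-certificates pop-up and whether an SLO endpoint will be filled in; the certificate list also lets you compare what ONLYOFFICE shows under <b>IdP Public certificates</b> with what the IdP actually publishes.</p>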
<h2 id="CheckWork">Verifying that ONLYOFFICE SP works with Shibboleth IdP</h2>
<p>The install.sh script created 4 users that can be used to test how ONLYOFFICE SP works with Shibboleth IdP. They all share the same well-known password, so treat this IdP as a test bed and do not expose it beyond your test environment.</p>
<table class="table_parameters">
<thead>
<tr>
<th>Email</th>
<th>Username</th>
<th>Password</th>
<th>Comment</th>
</tr>
</thead>
<tbody>
<tr>
<th>student1@{your_idp_domain}</th>
<td>student1</td>
<td>password</td>
<td>Standard</td>
</tr>
<tr>
<th>student2@{your_idp_domain}</th>
<td>student2</td>
<td>password</td>
<td>Without givenName</td>
</tr>
<tr>
<th>student3@{your_idp_domain}</th>
<td>student3</td>
<td>password</td>
<td>With umlauts</td>
</tr>
<tr>
<th>staff1@{your_idp_domain}</th>
<td>staff1</td>
<td>password</td>
<td>Obligatory fields only</td>
</tr>
</tbody>
</table>
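<p>To see what the <b>Attribute Mapping</b> table from the previous section produces for each of these test users, here is an added example (not ONLYOFFICE or Shibboleth code) that builds a SAML <code>AttributeStatement</code> in the form Shibboleth releases, applies the mapping and reports which fields the IdP did not supply. The attribute values are made up to match the comments in the table above (student2 has no givenName, student3 uses umlauts); which attributes "obligatory fields only" means for staff1 is an assumption here (givenName, sn and mail), and which fields ONLYOFFICE itself treats as mandatory is not stated on this page, so the code only reports what is missing.</p>

```python
"""Apply the ONLYOFFICE Attribute Mapping to SAML assertion attributes.

Added example for this guide; not ONLYOFFICE or Shibboleth code.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# ONLYOFFICE People field -> SAML attribute Name, as entered in "Attribute Mapping".
ATTRIBUTE_MAPPING = {
    "First Name": "urn:oid:2.5.4.42",               # givenName
    "Last Name": "urn:oid:2.5.4.4",                 # sn
    "Email": "urn:oid:0.9.2342.19200300.100.1.3",   # mail
    "Location": "urn:oid:2.5.4.7",                  # l
    "Title": "urn:oid:2.5.4.12",                    # title
    "Phone": "urn:oid:0.9.2342.19200300.100.1.41",  # mobile
}

# Constructed attribute sets modelled on the four install.sh test users. The values
# are invented; the real LDAP entries are whatever the script creates.
SAMPLE_USERS = {
    "student1": {  # "Standard": every mapped attribute present
        "urn:oid:2.5.4.42": "Alice",
        "urn:oid:2.5.4.4": "Student",
        "urn:oid:0.9.2342.19200300.100.1.3": "student1@your-idp-domain.com",
        "urn:oid:2.5.4.7": "Berlin",
        "urn:oid:2.5.4.12": "Intern",
        "urn:oid:0.9.2342.19200300.100.1.41": "+49 30 0000000",
    },
    "student2": {  # "Without givenName"
        "urn:oid:2.5.4.4": "Student",
        "urn:oid:0.9.2342.19200300.100.1.3": "student2@your-idp-domain.com",
        "urn:oid:2.5.4.7": "Berlin",
        "urn:oid:2.5.4.12": "Intern",
        "urn:oid:0.9.2342.19200300.100.1.41": "+49 30 0000001",
    },
    "student3": {  # "With umlauts"
        "urn:oid:2.5.4.42": "Jürgen",
        "urn:oid:2.5.4.4": "Müßig",
        "urn:oid:0.9.2342.19200300.100.1.3": "student3@your-idp-domain.com",
        "urn:oid:2.5.4.7": "Köln",
        "urn:oid:2.5.4.12": "Student",
        "urn:oid:0.9.2342.19200300.100.1.41": "+49 221 0000000",
    },
    "staff1": {  # "Obligatory fields only" (assumed here: givenName, sn, mail)
        "urn:oid:2.5.4.42": "Sam",
        "urn:oid:2.5.4.4": "Staff",
        "urn:oid:0.9.2342.19200300.100.1.3": "staff1@your-idp-domain.com",
    },
}


def attribute_statement(values):
    """Render name->value pairs as a saml2:AttributeStatement, the part of the
    assertion that carries user attributes (Shibboleth uses the URI name format)."""
    attrs = "".join(
        f'<saml2:Attribute Name="{name}" NameFormat="{URI_NAME_FORMAT}">'
        f"<saml2:AttributeValue>{escape(value)}</saml2:AttributeValue>"
        "</saml2:Attribute>"
        for name, value in values.items()
    )
    return f'<saml2:AttributeStatement xmlns:saml2="{SAML2}">{attrs}</saml2:AttributeStatement>'


def extract_profile(xml_text):
    """Apply ATTRIBUTE_MAPPING to an AttributeStatement (or a whole Assertion).
    Attributes the mapping does not name are ignored; a mapped attribute the IdP
    did not release is simply absent from the result. Multi-valued attributes
    keep their first value."""
    root = ET.fromstring(xml_text)
    released = {}
    for attr in root.iter(f"{{{SAML2}}}Attribute"):
        values = [v.text.strip() for v in attr.findall("saml2:AttributeValue", NS) if v.text]
        if values:
            released[attr.get("Name")] = values[0]
    return {field: released[oid] for field, oid in ATTRIBUTE_MAPPING.items() if oid in released}


def missing_fields(profile):
    """Mapped fields for which the assertion carried no value."""
    return [field for field in ATTRIBUTE_MAPPING if field not in profile]


if __name__ == "__main__":
    for user, attrs in SAMPLE_USERS.items():
        profile = extract_profile(attribute_statement(attrs))
        print(f"{user}: {profile}")
        if missing_fields(profile):
            print(f"  not released by IdP: {', '.join(missing_fields(profile))}")
```

<p>If a field stays empty on a portal profile after an SSO login, this is the check to run on the assertion the IdP actually sent: either the attribute is not released for that user (as with student2's givenName) or its <code>Name</code> does not match the OID entered in the mapping.</p>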
<h5>Signing in to ONLYOFFICE on the SP side</h5>
<ol>
<li>Go to the ONLYOFFICE authentication page (for example, <span class="param-type">https://myportal-address.com/Auth.aspx</span>).</li>
<li>Click the <b>Single sign-on</b> button (the button name may differ if you specified your own text when configuring ONLYOFFICE SP). If the button is missing, SSO is not enabled.
<div class="screen_block">
<img alt="How to configure Shibboleth IdP and ONLYOFFICE SP" target="img112_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/authenticationpage.png")%>" />
<img alt="How to configure Shibboleth IdP and ONLYOFFICE SP" id="img112_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/authenticationpage.png")%>" />
<div target="img112_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>If all SP and IdP parameters are configured correctly, you will be redirected to the Shibboleth IdP login form:
<div class="screen_block">
<img alt="How to configure Shibboleth IdP and ONLYOFFICE SP" target="img7_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide93/shibboleth_7.png")%>" />
<img alt="How to configure Shibboleth IdP and ONLYOFFICE SP" id="img7_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide93/shibboleth_7.png")%>" />
<div target="img7_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>Enter the login and password of the Shibboleth IdP account (username: <span class="param-type">student1</span>, password: <span class="param-type">password</span>) and check the <b>Don't Remember Login</b> box.</li>
<li>If the credentials are correct, a new window will open. Allow the release of information to the service by clicking the <b>Accept</b> button.
<div class="screen_block">
<img alt="How to configure Shibboleth IdP and ONLYOFFICE SP" target="img11_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide93/shibboleth_7-1.png")%>" />
<img alt="How to configure Shibboleth IdP and ONLYOFFICE SP" id="img11_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide93/shibboleth_7-1.png")%>" />
<div target="img11_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>If everything is correct, you will be redirected to the portal's main page (if there is no such user on the portal, it will be created automatically; if the data has been changed in the IdP, it will be updated).
<div class="screen_block">
<img alt="How to configure Shibboleth IdP and ONLYOFFICE SP" target="img17_2_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide93/startpage.png")%>" />
<img alt="How to configure Shibboleth IdP and ONLYOFFICE SP" id="img17_2_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide93/startpage.png")%>" />
<div target="img17_2_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
</ol>
<h5>Profiles of users added via SSO authentication</h5>
<p>Editing the profiles of users created via SSO authentication is restricted. The profile fields received from the IdP are disabled for editing (such as <code>First Name</code>, <code>Last Name</code>, <code>Email</code>, <code>Title</code> and <code>Location</code>). You can edit these fields only in your IdP account.</p>
<p>The image below shows the "Actions" menu for an SSO user:</p>
<div class="screen_block">
<img alt="How to configure Shibboleth IdP and ONLYOFFICE SP" target="img8_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide93/shibboleth_8.png")%>" />
<img alt="How to configure Shibboleth IdP and ONLYOFFICE SP" id="img8_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide93/shibboleth_8.png")%>" />
<div target="img8_eventcom_guides" class="screenphoto magnifier"></div>
</div>
<p>The following image shows an SSO user's profile opened for editing:</p>
<div class="screen_block">
<img alt="How to configure Shibboleth IdP and ONLYOFFICE SP" target="img9_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide93/shibboleth_9.png")%>" />
<img alt="How to configure Shibboleth IdP and ONLYOFFICE SP" id="img9_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide93/shibboleth_9.png")%>" />
<div target="img9_eventcom_guides" class="screenphoto magnifier"></div>
</div>
<p>Users created via SSO authentication are marked with the <span class="sso_icon">SSO</span> icon in the user list for portal administrators:</p>
<div class="screen_block">
<img alt="How to configure Shibboleth IdP and ONLYOFFICE SP" target="img10_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide93/shibboleth_10.png")%>" />
<img alt="How to configure Shibboleth IdP and ONLYOFFICE SP" id="img10_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide93/shibboleth_10.png")%>" />
<div target="img10_eventcom_guides" class="screenphoto magnifier"></div>
</div>
<p>To sign out of Shibboleth IdP (if you did not check the <b>Don't Remember Login</b> box when signing in), follow a link of the form <span class="param-type">https://{shibboleth-idp-domain}/idp/profile/Logout</span>. Because SLO was disabled with <code>--no_slo</code>, signing out of the ONLYOFFICE portal does not end the Shibboleth IdP session: until that session expires or is ended through this link, the same browser can sign in to the portal again without entering credentials.</p>
</div>
</div>