helpcenter/Web/Controls/Help/Server/ControlPanel/ConfigureADFS/ConfigureADFS.ascx
2018-07-13 14:49:57 +03:00


<%@ Control Language="C#" Inherits="BaseContentUserControls" %>
<%@ Register Namespace="TeamLab.Controls" Assembly="__Code" TagPrefix="cc" %>
<script runat="server">
protected override void Init()
{
PageTitle = PageCaption = "How to configure ONLYOFFICE SP and AD FS IdP";
MetaKeyWords = "Control Panel, SSO, Single sign-on, AD FS";
MetaDescription = "Learn how to configure ONLYOFFICE SP and AD FS IdP.";
}
</script>
<div class="main_buscall_container dataBackup">
<div class="MainHelpCenter">
<h1 class="subHeaderFeaturesCaption TipsCaption">How to configure ONLYOFFICE SP and AD FS IdP</h1>
<cc:LocalizeContent runat="Server" ControlName="~/Controls/Help/VariousControls/Versions/ControlPanel/ControlPanel_Current.ascx" />
<div class="keyword_block">
<ul>
<li><cc:LocalizeContent runat="Server" ControlName="~/Controls/Help/Tags/server-version/server-version.ascx" /></li>
<li><cc:LocalizeContent runat="Server" ControlName="~/Controls/Help/Tags/local-server/local-server.ascx" /></li>
<li>
<span class="enterprise_display">
<cc:LocalizeContent runat="Server" ControlName="~/Controls/Help/Tags/enterprise-edition/enterprise-edition.ascx" />
</span>
</li>
<li><cc:LocalizeContent runat="Server" ControlName="~/Controls/Help/Tags/control-panel/control-panel.ascx" /></li>
<li><cc:LocalizeContent runat="Server" ControlName="~/Controls/Help/Tags/sso/sso.ascx" /></li>
<li><cc:LocalizeContent runat="Server" ControlName="~/Controls/Help/Tags/adfs/adfs.ascx" /></li>
</ul>
</div>
<h2 id="Introduction">Introduction</h2>
<p><b>Single Sign-on</b> (SSO) is a technology that allows users to sign in only once and then get access to multiple applications/services without re-authentication.</p>
<div class="example">If a web portal includes several large independent sections (forum, chat, blogs etc.), a user can undergo the authentication procedure within one of the services and automatically get access to all other services without entering credentials several times.</div>
<p>SSO is always ensured by the joint operation of two applications: an Identity Provider and a Service Provider (hereinafter referred to as "IdP" and "SP"). <b>ONLYOFFICE SSO</b> implements the <b>SP only</b>. Many different providers can act as an IdP, but this article considers the <a target="_blank" href="https://en.wikipedia.org/wiki/Active_Directory_Federation_Services">Active Directory Federation Services (AD FS)</a> implementation.</p>
<h2 id="SysReqs">System requirements</h2>
<p>The system requirements include the following software, which has been tested and proven to work correctly with <b>ONLYOFFICE SSO</b>:</p>
<ul>
<li>Windows Server 2008 R2, Windows Server 2016;</li>
<li>AD FS version <b>3.0</b> or later.</li>
</ul>
<h2 id="Prepare">Preparing ONLYOFFICE Enterprise Edition for the SSO setup</h2>
<ol>
<li>Install ONLYOFFICE Enterprise Edition v9.5 for Docker or any later version with the SSO support.</li>
<li>Add a domain name, e.g., myportal-address.com.</li>
<li>On your portal, go to the <b>Control Panel</b> -> <b>HTTPS</b>, then create and apply a <a target="_blank" href="https://letsencrypt.org/">Let's Encrypt</a> certificate to encrypt the traffic (i.e. to enable HTTPS on your portal).</li>
</ol>
<h2 id="CreateIdP">Preparing AD FS for the SSO setup</h2>
<ol>
<li>Install the latest AD DS (<a target="_blank" href="https://en.wikipedia.org/wiki/Active_Directory">Active Directory Domain Service</a>) version with all official updates and patches.</li>
<li>Install the latest AD FS version with all official updates and patches.
<div class="notehelp">To deploy AD FS from scratch you can use the following <a target="_blank" href="https://tech.greenhouse.io/2016/08/01/create-adfs-instance-on-azure-virtual-machine.html">instructions</a>.</div>
</li>
<li>Verify that the link to the AD FS metadata is publicly available. To do that,
<ol>
<li>In the <b>Server Manager</b>, open <b>Tools</b> -> <b>AD FS Management</b>,</li>
<li>Go to <b>AD FS \ Service \ Endpoints</b>,</li>
<li>Find the row with the <b>Federation Metadata</b> type in the table. The link to the IdP metadata follows this scheme:
<pre><code>https://{ad-fs-domain}/{path-to-FederationMetadata.xml}</code></pre>
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img1_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_1.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img1_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_1.png")%>" />
<div target="img1_eventcom_guides" class="screenphoto magnifier"></div>
</div>
<p>Alternatively, you can use the following <b>PowerShell</b> command:</p>
<pre><code>PS C:\Users\Administrator> (Get-ADFSEndpoint | Where {$_.Protocol -eq "FederationMetadata" -or $_.Protocol -eq "Federation Metadata"}).FullUrl.ToString()</code></pre>
<p>As a result you should get a link that looks like this:</p>
<pre><code>https://onlyofficevm.northeurope.cloudapp.azure.com/FederationMetadata/2007-06/FederationMetadata.xml</code></pre>
</li>
<li>To verify that AD FS has been started correctly, open the received link in a web browser. The XML should be displayed or downloaded. Copy the link to the metadata XML: it will be required in the next step.</li>
</ol>
</li>
</ol>
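<p>The check described in steps 3 and 4, as an added PowerShell example that is not part of the original article: it resolves the Federation Metadata link with the same cmdlet the article uses, fetches the document over HTTPS and verifies the pieces the ONLYOFFICE SP will rely on when the link is pasted into the Control Panel. It assumes it is run on the AD FS server (the ADFS module is needed for <code>Get-AdfsEndpoint</code>) and that the server can reach its own public HTTPS name.</p>

```powershell
# Added example, not from the ONLYOFFICE help article. Assumes it runs on the AD FS
# server (Get-AdfsEndpoint needs the ADFS module) and can reach its own public HTTPS name.
Import-Module ADFS

# Step 3: resolve the Federation Metadata link, the same way the article's one-liner does.
$metadataUrl = (Get-AdfsEndpoint |
    Where-Object { $_.Protocol -eq "FederationMetadata" -or $_.Protocol -eq "Federation Metadata" }
).FullUrl.ToString()

# Step 4: fetch the document as an external client would and parse it as XML.
# A TLS or host name problem surfaces here as an error instead of a browser warning.
$response = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
[xml]$metadata = $response.Content

# PowerShell XML dot-navigation ignores namespaces, so the SAML metadata elements
# (EntityDescriptor, IDPSSODescriptor, KeyDescriptor, ...) can be addressed by name.
$entityId      = $metadata.EntityDescriptor.entityID
$idp           = $metadata.EntityDescriptor.IDPSSODescriptor
$signingCerts  = @($idp.KeyDescriptor | Where-Object { $_.use -eq "signing" })
$nameIdFormats = @($idp.NameIDFormat)
$ssoBindings   = @($idp.SingleSignOnService | ForEach-Object { $_.Binding })
$sloBindings   = @($idp.SingleLogoutService | ForEach-Object { $_.Binding })

# Thumbprint of each published signing certificate, to compare with what the Control Panel
# shows under "IdP Public Certificates" after the metadata has been loaded.
$thumbprints = $signingCerts | ForEach-Object {
    $der  = [Convert]::FromBase64String($_.KeyInfo.X509Data.X509Certificate)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
    $cert.Thumbprint
}

"Metadata URL        : $metadataUrl"
"Entity ID           : $entityId"
"Signing thumbprints : $($thumbprints -join ', ')"
"NameID formats      : $($nameIdFormats -join ', ')"
"SSO bindings        : $($ssoBindings -join ', ')"
"SLO bindings        : $($sloBindings -join ', ')"

# Conditions the ONLYOFFICE SP setup relies on: an HTTPS link, an entityID, at least one
# signing certificate, and the emailAddress NameID format that is selected in the SP settings.
if ($metadataUrl -notlike "https://*") { throw "Metadata link is not served over HTTPS" }
if (-not $entityId)                    { throw "No entityID found in the metadata" }
if ($signingCerts.Count -eq 0)         { throw "No signing certificate is published" }
if ($nameIdFormats -notcontains "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress") {
    Write-Warning "The IdP does not advertise the emailAddress NameID format"
}
"Metadata check passed"
```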
<h2 id="ConfigureSP">Configuring ONLYOFFICE SP</h2>
<ol>
<li>Make sure that you are signed in as an Administrator to your ONLYOFFICE <b>Control Panel</b> and click the <b>SSO</b> tab.
<div class="notehelp">You can only register one enterprise Identity Provider for your organization on the ONLYOFFICE portal.</div>
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img3_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_3.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img3_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_3.png")%>" />
<div target="img3_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>Enable SSO using the <b>Enable Single Sign-on Authentication</b> switch and paste the link copied from the AD FS into the <b>URL to Idp Metadata XML</b> field.
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img4_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_4.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img4_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_4.png")%>" />
<div target="img4_eventcom_guides" class="screenphoto magnifier"></div>
</div>
<p>Press the button with the upward arrow to load the IdP metadata. The <b>ONLYOFFICE SP Settings</b> form will be automatically filled in with your data from the AD FS IdP.</p>
</li>
<li>In the <b>Custom login button caption</b> field, you can enter any text instead of the default one (<em>Single Sign-on</em>). This text will be displayed on the button used to log in to the portal with the Single Sign-on service on the ONLYOFFICE authentication page.
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img113_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_4-1.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img113_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_4-1.png")%>" />
<div target="img113_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>In the <b>NameID Format</b> selector, choose the following value: <b>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</b>.
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img5_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_5.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img5_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_5.png")%>" />
<div target="img5_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>In the <b>IdP Public Certificates \ Advanced settings</b> section, uncheck the <b>Verify Logout Response Signature</b> option, as AD FS does not require that by default.
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img6_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_6.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img6_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_6.png")%>" />
<div target="img6_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>Now you need to add certificates to the <b>SP Certificates</b> section. You can generate self-signed certificates or add any other certificates.
<div class="notehelp nh_notice">in the <b>New Certificate</b> window, switch the <b>Use for</b> selector to the <b>signing and encrypt</b> option, as AD FS IdP is automatically configured to verify digital signatures and encrypt data.</div>
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img7_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_7.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img7_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_7.png")%>" />
<div target="img7_eventcom_guides" class="screenphoto magnifier"></div>
</div>
<p>You should get nearly the same result:</p>
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img8_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_8.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img8_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_8.png")%>" />
<div target="img8_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>In the <b>SP Certificates \ Advanced settings</b> section, uncheck the <b>Sign Logout Responses</b> option, as AD FS does not require that by default.
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img9_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_9.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img9_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_9.png")%>" />
<div target="img9_eventcom_guides" class="screenphoto magnifier"></div>
</div>
<div class="notehelp">It is not necessary to adjust the <b>Attribute Mapping</b> form, as we will set these parameters in the AD FS IdP later.</div>
</li>
<li>Click the <b>Save</b> button. The <b>ONLYOFFICE SP Metadata</b> section should open.
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img91_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_9_1.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img91_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_9_1.png")%>" />
<div target="img91_eventcom_guides" class="screenphoto magnifier"></div>
</div>
<p>Verify that your settings are publicly available by clicking the <b>Download SP Metadata XML</b> button. The XML file contents should be displayed.</p>
</li>
<li>Copy the link to the ONLYOFFICE SP metadata from the <b>SP Entity ID (link to metadata XML)</b> field and go to the machine where AD FS is installed.
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img10_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_10.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img10_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_10.png")%>" />
<div target="img10_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
</ol>
<h2 id="CreateUsers">Configuring AD FS IdP</h2>
<ol>
<li>In the <b>Server Manager</b>, open <b>Tools</b> -> <b>AD FS Management</b>,
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img11_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_11.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img11_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_11.png")%>" />
<div target="img11_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>In the <b>AD FS Management</b> panel, select the <b>Trust Relationships > Relying Party Trusts</b>. Click the <b>Add Relying Party Trust...</b> option on the right. The <b>Add Relying Party Trust Wizard</b> opens,
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img12_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_12.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img12_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_12.png")%>" />
<div target="img12_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>In the wizard window, select the <b>Import data about the relying party published online or on a local network</b> radio button, paste the previously copied link to the ONLYOFFICE SP metadata into the <b>Federation metadata address (host name or URL)</b> field and click the <b>Next</b> button,
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img13_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_13.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img13_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_13.png")%>" />
<div target="img13_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>In the <b>Display name</b> field, specify any name and click the <b>Next</b> button,
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img14_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_14.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img14_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_14.png")%>" />
<div target="img14_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>Select the <b>I do not want to configure multi-factor authentication settings for this relying party trust at this time</b> option and click the <b>Next</b> button,
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img15_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_15.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img15_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_15.png")%>" />
<div target="img15_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>Select the <b>Permit all users to access this relying party</b> option and click the <b>Next</b> button,
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img16_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_16.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img16_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_16.png")%>" />
<div target="img16_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>Check the resulting settings and click the <b>Next</b> button,
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img17_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_17.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img17_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_17.png")%>" />
<div target="img17_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>Leave the default option unchanged and click the <b>Close</b> button,
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img18_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_18.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img18_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_18.png")%>" />
<div target="img18_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>A new window opens. At the <b>Issuance Transform Rules</b> tab, click the <b>Add Rule...</b> button,
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img19_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_19.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img19_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_19.png")%>" />
<div target="img19_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>Select the <b>Send LDAP Attributes as Claims</b> option from the <b>Claim rule template</b> list and click the <b>Next</b> button,
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img20_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_20.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img20_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_20.png")%>" />
<div target="img20_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>Type in any name in the <b>Claim rule name</b> field. Select the <b>Active Directory</b> option from the <b>Attribute store</b> list and fill in the <b>Mapping of LDAP attributes to outgoing claim types</b> form according to the table below. When ready, click <b>Finish</b>.
<table class="table_parameters">
<thead>
<tr>
<th>LDAP Attribute (Select or type to add more)</th>
<th>Outgoing Claim Type (Select or type to add more)</th>
</tr>
</thead>
<tbody>
<tr>
<td>Given-Name</td>
<td>givenName</td>
</tr>
<tr>
<td>Surname</td>
<td>sn</td>
</tr>
<tr>
<td>E-Mail-Addresses</td>
<td>mail</td>
</tr>
<tr>
<td>Telephone-Number</td>
<td>mobile</td>
</tr>
<tr>
<td>Title</td>
<td>title</td>
</tr>
<tr>
<td>physicalDeliveryOfficeName</td>
<td>l</td>
</tr>
</tbody>
</table>
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img21_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_21.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img21_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_21.png")%>" />
<div target="img21_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>In the <b>Edit Claim Rules</b> window, click the <b>Add Rule...</b> button once again, select the <b>Transform an Incoming Claim</b> option from the <b>Claim rule template</b> list and click the <b>Next</b> button,
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img22_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_22.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img22_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_22.png")%>" />
<div target="img22_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>Type in any name in the <b>Claim rule name</b> field and select the following options from the lists:
<ul>
<li><b>Incoming claim type:</b> mail,</li>
<li><b>Outgoing claim type:</b> Name ID,</li>
<li><b>Outgoing name ID format:</b> Email</li>
</ul>
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img23_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_23.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img23_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_23.png")%>" />
<div target="img23_eventcom_guides" class="screenphoto magnifier"></div>
</div>
<p>When ready, click the <b>Finish</b> button.</p>
<p>You should get nearly the same result:</p>
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img24_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_24.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img24_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_24.png")%>" />
<div target="img24_eventcom_guides" class="screenphoto magnifier"></div>
</div>
<p>If logout from AD FS does not work, it is recommended to add a Custom Claim Rule, replacing <code>{portal-domain}</code> with your SP domain and <code>{ad-fs-domain}</code> with your IdP domain:</p>
<pre><code>c:[Type == "mail"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://{ad-fs-domain}/adfs/services/trust", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "https://{portal-domain}/sso/metadata");</code></pre>
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img114_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_29.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img114_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_29.png")%>" />
<div target="img114_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>Click the <b>OK</b> button,</li>
<li>For SSO to work from the intranet, you need to enable the <b>Forms Authentication</b> option in the <b>Edit Global Authentication Policy</b> window (contextual menu <b>AD FS / Authentication Policies</b>),
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img25_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_25.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img25_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_25.png")%>" />
<div target="img25_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>Open the properties of the created relying party trust and switch to the <b>Advanced</b> tab,
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img26_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_26.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img26_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_26.png")%>" />
<div target="img26_eventcom_guides" class="screenphoto magnifier"></div>
</div>
<p>Select the <b>SHA-1</b> option in the <b>Secure hash algorithm</b> list.</p>
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img27_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_27.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img27_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_27.png")%>" />
<div target="img27_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
</ol>
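<p>The relying party trust that the wizard steps above create, as an added PowerShell example that is not from the original article and is not ONLYOFFICE code: it imports the SP metadata, adds the same LDAP attribute mapping, the mail-to-Name-ID transform and the permit-all authorization rule, enables Forms Authentication for the intranet and sets the SHA-1 signature algorithm, following the AD FS 3.0 wizard flow shown in the screenshots. The display name <code>ONLYOFFICE SP</code>, the <code>{portal-domain}</code> placeholder and the <code>/sso/metadata</code> path (taken from the custom claim rule above) are assumptions to replace with your own values.</p>

```powershell
# Added example, not from the ONLYOFFICE help article and not ONLYOFFICE code. Written against
# the AD FS 3.0 wizard flow shown above; the display name, the {portal-domain} placeholder
# and the /sso/metadata path (taken from the article's custom claim rule) are assumptions.
Import-Module ADFS

$portalDomain = "{portal-domain}"                      # placeholder: your ONLYOFFICE portal domain
$rpName       = "ONLYOFFICE SP"                        # assumed display name; any name works (step 4)
$spMetadata   = "https://$portalDomain/sso/metadata"   # the "SP Entity ID (link to metadata XML)" value

# Steps 2-4 and 8: create the trust by importing the SP metadata published online.
Add-AdfsRelyingPartyTrust -Name $rpName -MetadataUrl $spMetadata

# Steps 9-11: "Send LDAP Attributes as Claims", the same mapping as the table above
# (Telephone-Number is the telephoneNumber attribute; it is released as the "mobile" claim).
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "ONLYOFFICE profile attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("givenName", "sn", "mail", "mobile", "title", "l"), query = ";givenName,sn,mail,telephoneNumber,title,physicalDeliveryOfficeName;{0}", param = c.Value);
'@

# Steps 12-13: "Transform an Incoming Claim", mail -> Name ID with the Email format.
$nameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "mail to Name ID (email)"
c:[Type == "mail"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Step 6: "Permit all users to access this relying party".
$authzRule = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 16: the article selects SHA-1 in "Secure hash algorithm" (AD FS creates new trusts with SHA-256).
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules ($ldapRule + "`r`n" + $nameIdRule) `
    -IssuanceAuthorizationRules $authzRule `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Step 15: enable Forms Authentication for the intranet without dropping the providers already enabled.
$intranet = @((Get-AdfsGlobalAuthenticationPolicy).PrimaryIntranetAuthenticationProvider)
if ($intranet -notcontains "FormsAuthentication") {
    Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider ($intranet + "FormsAuthentication")
}

# Review what was applied: identifier, signature algorithm and the complete rule sets.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, SignatureAlgorithm, IssuanceTransformRules, IssuanceAuthorizationRules |
    Format-List
```

The optional logout Custom Claim Rule shown above can be appended to <code>$nameIdRule</code> in the same way if logout from AD FS does not work.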
<h2 id="CheckWork">Checking the work of the ONLYOFFICE SP with the AD FS IdP</h2>
<h5>Logging in to ONLYOFFICE on the SP side</h5>
<ol>
<li>Go to the ONLYOFFICE Authentication page (e.g., <span class="param-type">https://myportal-address.com/auth.aspx</span>).</li>
<li>Click the <b>Single sign-on</b> button (the caption may differ if you have specified your own text when configuring ONLYOFFICE SP). If the button is missing, this means that SSO is not enabled.
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img112_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/authenticationpage.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img112_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/authenticationpage.png")%>" />
<div target="img112_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>If all the SP and IdP parameters are set correctly, you will be redirected to the AD FS IdP login form:
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img108_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_28.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img108_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_28.png")%>" />
<div target="img108_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>Enter the login and password of the AD FS IdP account and click the <b>Sign in</b> button.</li>
<li>If the credentials are correct, you will be redirected to the main page of the portal (the user will be created automatically if missing, or the user data will be updated if it has changed in the IdP).</li>
</ol>
<h5>Profiles for users added with SSO authentication</h5>
<p>Editing of user profiles created via SSO authentication is restricted. The user profile fields received from the IdP are disabled for editing (i.e. <code>First Name</code>, <code>Last Name</code>, <code>Email</code>, <code>Title</code> and <code>Location</code>). You can edit these fields from your IdP account only.</p>
<p>The figure below shows the Actions menu for an SSO user:</p>
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img109_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide93/shibboleth_8.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img109_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide93/shibboleth_8.png")%>" />
<div target="img109_eventcom_guides" class="screenphoto magnifier"></div>
</div>
<p>The following figure shows an SSO user profile opened for editing:</p>
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img110_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide93/shibboleth_9.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img110_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide93/shibboleth_9.png")%>" />
<div target="img110_eventcom_guides" class="screenphoto magnifier"></div>
</div>
<p>The users created using the SSO authentication are marked with the <span class="sso_icon">SSO</span> icon in the user list for the portal administrators:</p>
<div class="screen_block">
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" target="img111_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide93/shibboleth_10.png")%>" />
<img alt="How to configure ONLYOFFICE SP and AD FS IdP" id="img111_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide93/shibboleth_10.png")%>" />
<div target="img111_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</div>
</div>