<%@ Control Language="C#" Inherits="BaseContentUserControls" %>
<%@ Register Namespace="TeamLab.Controls" Assembly="__Code" TagPrefix="cc" %>

<script runat="server">
protected override void Init()
{
PageTitle = PageCaption = "Cómo configurar Shibboleth IdP y ONLYOFFICE SP";
MetaKeyWords = "Panel de Control, SSO, Single sign-on, Shibboleth";
MetaDescription = "Aprenda cómo configurar Shibboleth IdP y ONLYOFFICE SP.";
}
</script>
<div class="main_buscall_container dataBackup">
<div class="MainHelpCenter">
<h1 class="subHeaderFeaturesCaption TipsCaption">How to configure Shibboleth IdP and ONLYOFFICE SP</h1>
<cc:LocalizeContent runat="Server" ControlName="~/Controls/Help/VariousControls/Versions/ControlPanel/ControlPanel_Current.ascx" />
<div class="keyword_block">
<ul>
<li><cc:LocalizeContent runat="Server" ControlName="~/Controls/Help/Tags/server-version/server-version.ascx" /></li>
<li><cc:LocalizeContent runat="Server" ControlName="~/Controls/Help/Tags/local-server/local-server.ascx" /></li>
<%--<li>
<span class="enterprise_display">
<cc:LocalizeContent runat="Server" ControlName="~/Controls/Help/Tags/enterprise-edition/enterprise-edition.ascx" />
</span>
</li>--%>
<li><cc:LocalizeContent runat="Server" ControlName="~/Controls/Help/Tags/control-panel/control-panel.ascx" /></li>
<li><cc:LocalizeContent runat="Server" ControlName="~/Controls/Help/Tags/sso/sso.ascx" /></li>
<li><cc:LocalizeContent runat="Server" ControlName="~/Controls/Help/Tags/shibboleth/shibboleth.ascx" /></li>
</ul>
</div>
<h2 id="Introduction">Introduction</h2>
<p><b>Single Sign-on</b> (SSO) is a technology that lets users log in only once and then gain access to multiple applications/services without re-authenticating.</p>
<div class="example">If a web portal includes several large, independent sections (forums, chat, blogs, etc.), a user can go through the authentication procedure in one of the services and automatically gain access to all the other services without having to enter credentials several times.</div>
<p>SSO is always a joint operation of two applications: an Identity Provider and a Service Provider (hereinafter referred to as "IdP" and "SP"). <b>ONLYOFFICE SSO</b> implements only the <b>SP</b> side. Different providers can act as the IdP, but this article covers <a target="_blank" href="https://www.shibboleth.net/">the Shibboleth implementation</a>.</p>
<div class="notehelp enterprise_display">If you want to use SSO when connecting <b>ONLYOFFICE Desktop Editors</b> to your <b><%= ((BasePage)Page).EditionVersion %></b>, disable <b>Private Rooms</b> in the <b>Control Panel</b>.</div>
<h2 id="Prepare">Preparing <%= ((BasePage)Page).EditionVersion %> for SSO configuration</h2>
<ol>
<li>Install <%= ((BasePage)Page).EditionVersion %> <b>v. 11.0.0</b> for Docker or any later version with SSO support.</li>
<li>Add a domain name, for example, <span class="param-type">myportal-address.com</span>.</li>
<li>On your portal, go to <b>Control Panel</b> -> <b>HTTPS</b>, then create and apply the <a target="_blank" href="https://letsencrypt.org/">letsencrypt</a> certificate for traffic encryption (to enable HTTPS on your portal).</li>
</ol>
<h2 id="CreateIdP">Creating the Shibboleth IdP</h2>
<h5>Requirements</h5>
<ul>
<li>To deploy Shibboleth IdP, a clean host machine is required.</li>
<li>The time must be set correctly and a time synchronization service must be installed on the IdP host machine (SAML assertions carry validity windows, so clock skew between the IdP and the SP makes logins fail):
<pre><code>timedatectl status
yum install ntp
systemctl enable ntpd.service
ntpdate time.apple.com</code></pre>
</li>
<li><a target="_blank" href="https://docs.docker.com/engine/install/">Docker</a> and <a target="_blank" href="https://docs.docker.com/compose/install/">Docker Compose</a> must be installed on the machine.</li>
<li>A domain name must be associated with the machine (for example, <span class="param-type">shibbolethoo.tk</span>).</li>
</ul>
<h5>Creating the Shibboleth IdP</h5>
<p>To create, configure and start Shibboleth IdP, download and execute the <a target="_blank" href="https://bit.ly/3fwo5e6">install.sh</a> script.</p>
<p>Here is what the script does:</p>
<ul>
<li>downloads the Docker files for creating Shibboleth IdP images and containers from <a target="_blank" href="https://github.com/UniconLabs/dockerized-idp-testbed">GitHub</a>,</li>
<li>changes the default <span class="param-type">idptestbed.edu</span> domain in the configuration files to the domain specified when executing the script,</li>
<li>adds access via the SAML protocol for the specified ONLYOFFICE SP domain,</li>
<li>specifies which attributes Shibboleth IdP must release to ONLYOFFICE SP to supply user information (the <b>Attribute Mapping</b> setting),</li>
<li>creates and configures LDAP and creates the users whose attributes will be released,</li>
<li>enables dynamic loading of metadata from ONLYOFFICE SP into Shibboleth IdP,</li>
<li>enables Shibboleth SLO, if required.</li>
</ul>
<ol>
<li>Download the install.sh script:
<pre><code>curl -L https://bit.ly/3fwo5e6 -o install.sh</code></pre>
</li>
<li>Make the script executable:
<pre><code>chmod +x install.sh</code></pre>
</li>
<li>Execute the script, replacing the parameters with your own:
<pre><code>./install.sh -id shibbolethoo.tk -sd myportal-address.com --no_slo</code></pre>
<p>Script parameters:</p>
<ul>
<li><b>-id</b> - the domain name of the current machine for Shibboleth IdP.</li>
<li><b>-sd</b> - the domain name where ONLYOFFICE SP is deployed.</li>
<li><b>--no_slo</b> - disables Single Logout in Shibboleth IdP (<b>optional parameter</b>).</li>
</ul>
</li>
<li>Wait until Shibboleth IdP has started after the script finishes.</li>
<li>To verify that Shibboleth IdP started correctly, open the <span class="param-type">https://shibbolethoo.tk/idp/shibboleth</span> link in your browser. An XML file should be displayed.</li>
<li>Copy the <span class="param-type">https://{your_idp_domain}/idp/shibboleth</span> link (for example, <span class="param-type">https://shibbolethoo.tk/idp/shibboleth</span>) and go to the ONLYOFFICE portal, logging in as an administrator. Open the <b>Control Panel</b> -> <b>SSO</b> page.</li>
</ol>
<h2 id="ConfigureSP">Configuring ONLYOFFICE SP</h2>
<ol>
<li>Make sure you are logged in to the <b>Control Panel</b> of your ONLYOFFICE installation as an Administrator and click the <b>SSO</b> tab.
<div class="notehelp">You can register only one corporate identity provider for your organization on the ONLYOFFICE portal.</div>
<div class="screen_block">
<img alt="How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP" target="img1_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide93/shibboleth_1.png")%>" />
<img alt="How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP" id="img1_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide93/shibboleth_1.png")%>" />
<div target="img1_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>Enable SSO using the <b>Enable Single Sign-on Authentication</b> switch and paste the link to the Shibboleth IdP into the <b>URL to Idp Metadata XML</b> field.
<div class="screen_block">
<img alt="How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP" target="img2_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide93/shibboleth_2.png")%>" />
<img alt="How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP" id="img2_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide93/shibboleth_2.png")%>" />
<div target="img2_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>Click the up-arrow button to load the IdP metadata. The <b>ONLYOFFICE SP Settings</b> form will be filled in automatically with the data from your Shibboleth IdP.
<p>Because we disabled SLO when executing the install.sh script by specifying the <code>--no_slo</code> parameter, the <b>IdP Single Logout Endpoint URL</b> field will be empty.</p>
</li>
<li>In the <b>Custom login button text</b> field you can enter any text instead of the default one (<em>Single Sign-on</em>). This text will be shown on the button used to log in to the portal via the Single Sign-on service on the ONLYOFFICE authentication page.
<div class="screen_block">
<img alt="How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP" target="img113_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/adfs_4-1.png")%>" />
<img alt="How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP" id="img113_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/adfs_4-1.png")%>" />
<div target="img113_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>Now you need to create self-signed certificates or add any other certificates in the <b>SP Certificates</b> section.
<div class="notehelp nh_important"><span class="important_notice_label">Important!</span>In the <b>Use for</b> list, choose the <b>signing and encrypt</b> option, because the install.sh script configures your Shibboleth IdP to require that data be digitally signed and encrypted.</div>
<div class="screen_block">
<img alt="How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP" target="img3_1_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide94/onelogin_11.png")%>" />
<img alt="How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP" id="img3_1_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide94/onelogin_11.png")%>" />
<div target="img3_1_eventcom_guides" class="screenphoto magnifier"></div>
</div>
<p>You should get nearly the same result:</p>
<div class="screen_block">
<img alt="How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP" target="img3_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide93/shibboleth_3.png")%>" />
<img alt="How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP" id="img3_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide93/shibboleth_3.png")%>" />
<div target="img3_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>In the <b>Attribute Mapping</b> section, specify how the fields of the ONLYOFFICE People module correspond to the user attributes that the Shibboleth IdP will return.
<table class="table_parameters">
<tbody>
<tr>
<th>First Name</th>
<td><span class="param-type">urn:oid:2.5.4.42</span></td>
</tr>
<tr>
<th>Last Name</th>
<td><span class="param-type">urn:oid:2.5.4.4</span></td>
</tr>
<tr>
<th>Email</th>
<td><span class="param-type">urn:oid:0.9.2342.19200300.100.1.3</span></td>
</tr>
<tr>
<th>Location</th>
<td><span class="param-type">urn:oid:2.5.4.7</span></td>
</tr>
<tr>
<th>Title</th>
<td><span class="param-type">urn:oid:2.5.4.12</span></td>
</tr>
<tr>
<th>Phone</th>
<td><span class="param-type">urn:oid:0.9.2342.19200300.100.1.41</span></td>
</tr>
</tbody>
</table>
<div class="screen_block">
<img alt="How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP" target="img5_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide93/shibboleth_5.png")%>" />
<img alt="How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP" id="img5_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide93/shibboleth_5.png")%>" />
<div target="img5_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>Click the <b>Save</b> button.</li>
<li>The <b>ONLYOFFICE SP Metadata</b> section should open.</li>
<li>Verify that your settings are publicly available by clicking the <b>Download SP Metadata XML</b> button. The contents of the XML file should be displayed.
<div class="screen_block">
<img alt="How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP" target="img6_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide93/shibboleth_6.png")%>" />
<img alt="How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP" id="img6_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide93/shibboleth_6.png")%>" />
<div target="img6_eventcom_guides" class="screenphoto magnifier"></div>
</div>
<p>This XML file is usually used to configure Shibboleth IdP, but because the install.sh script enables <code>DynamicHTTPMetadataProvider</code>, we do not need to do that (Shibboleth IdP downloads this XML file at the first login request).</p>
</li>
</ol>
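<p>The two visual checks in this guide (an XML file is displayed at <span class="param-type">https://{your_idp_domain}/idp/shibboleth</span>, and the SP metadata downloads correctly) can be made precise by parsing the metadata. The following Python script is an added example, not code from the ONLYOFFICE help page, from ONLYOFFICE SSO or from the install.sh script: it reads a SAML 2.0 EntityDescriptor, reports the entityID, the endpoints and the key usage, and flags what this guide's setup would reject, such as an SP certificate published for signing only (the <b>signing and encrypt</b> option not chosen) or a Single Logout endpoint that should be absent after <code>--no_slo</code>. The two embedded metadata documents and the SP endpoint path <code>/sso/acs</code> are constructed stand-ins, and the certificate values are placeholders.</p>

```python
"""Inspect SAML 2.0 metadata before pasting the IdP URL into ONLYOFFICE SP
or publishing the SP metadata.

Added example; it is not part of the ONLYOFFICE help page, of ONLYOFFICE SSO
or of the install.sh script. Standard library only. The two metadata documents
below are constructed: real Shibboleth/ONLYOFFICE metadata is longer, and the
certificate values here are placeholders, not real keys.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}


def inspect_metadata(xml_text: str) -> dict:
    """Extract what a practitioner reads off /idp/shibboleth or the downloaded
    SP metadata: entityID, role, endpoints per binding, keys per use."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    role = idp if idp is not None else sp
    if role is None:
        raise ValueError("neither IDPSSODescriptor nor SPSSODescriptor present")
    info = {
        "entity_id": root.get("entityID"),
        "role": "IdP" if idp is not None else "SP",
        "sso": {}, "slo": {}, "acs": {},
        "keys": {"signing": 0, "encryption": 0},
    }
    for kd in role.findall("md:KeyDescriptor", NS):
        use = kd.get("use")
        if use is None:            # no 'use' attribute: the key serves both purposes
            info["keys"]["signing"] += 1
            info["keys"]["encryption"] += 1
        elif use in info["keys"]:
            info["keys"][use] += 1
    for tag, bucket in (("SingleSignOnService", "sso"),
                        ("SingleLogoutService", "slo"),
                        ("AssertionConsumerService", "acs")):
        for el in role.findall("md:" + tag, NS):
            info[bucket][el.get("Binding")] = el.get("Location")
    return info


def check_metadata(info: dict, slo_expected: bool) -> list:
    """Findings against what this guide sets up: HTTPS-only endpoints, keys for
    both signing and encryption, SLO endpoints only if SLO was not disabled."""
    findings = []
    for bucket in ("sso", "slo", "acs"):
        for binding, location in info[bucket].items():
            if not location.startswith("https://"):
                findings.append("non-HTTPS endpoint %s (%s)" % (location, binding))
    if info["role"] == "IdP" and not info["sso"]:
        findings.append("IdP metadata publishes no SingleSignOnService")
    if info["role"] == "SP" and not info["acs"]:
        findings.append("SP metadata publishes no AssertionConsumerService")
    if info["keys"]["signing"] == 0:
        findings.append("no signing key published")
    if info["role"] == "SP" and info["keys"]["encryption"] == 0:
        findings.append("SP publishes no encryption key, but the IdP is set to encrypt assertions")
    if info["slo"] and not slo_expected:
        findings.append("SingleLogoutService present although SLO was disabled with --no_slo")
    if slo_expected and not info["slo"]:
        findings.append("SLO enabled but no SingleLogoutService published")
    return findings


CERT = "CONSTRUCTED-CERTIFICATE-PLACEHOLDER"  # not a real certificate

# Constructed IdP metadata shaped like what /idp/shibboleth returns after install.sh --no_slo
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://shibbolethoo.tk/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://shibbolethoo.tk/idp/profile/SAML2/Redirect/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://shibbolethoo.tk/idp/profile/SAML2/POST/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>""" % (CERT, CERT)

# Constructed SP metadata exported with the certificate marked for signing only,
# i.e. without choosing "signing and encrypt" in the Use for list; /sso/acs is assumed
SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://myportal-address.com/sso/metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://myportal-address.com/sso/acs" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>""" % CERT


if __name__ == "__main__":
    for doc in (IDP_METADATA, SP_METADATA):
        info = inspect_metadata(doc)
        print(info["role"], info["entity_id"], check_metadata(info, slo_expected=False) or "OK")
```

<p>Against real documents, pass the text fetched from the IdP metadata URL or saved from the <b>Download SP Metadata XML</b> button to <code>inspect_metadata</code>; an empty findings list from <code>check_metadata</code> means the document matches what this guide expects, and the SP sample above yields exactly one finding, the missing encryption key.</p>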
<%--<h2 id="RegisterONLYOFFICE">Registering ONLYOFFICE as a trusted Service Provider in the Shibboleth IdP</h2>
<ol>
<li>Configure ONLYOFFICE SP as a relying party in Shibboleth.
<ol style="list-style-type: lower-alpha;">
<li>Obtain the metadata file of your ONLYOFFICE portal and save it as an XML file. To get the metadata file, log in to the ONLYOFFICE <b>Control Panel</b> as an Administrator and click the <b>SSO</b> tab. Click the <b>DOWNLOAD SP METADATA XML</b> button and save the data as the <b>sp-ONLYOFFICE.xml</b> file.</li>
<li>Add ONLYOFFICE as a trusted Service Provider in Shibboleth by specifying a new <code>MetadataProvider</code> element in the <code>SHIBBOLETH_HOME/conf/metadata-providers.xml</code> file. To do so, add the following code fragment to the root <code>MetadataProvider</code> element. It provides the path to the XML metadata file of your organization (the file you saved in the previous step <b>a</b>):</li>
</ol>
<pre class="prettyprint source linenums"><code><MetadataProvider id="ONLYOFFICESP" xsi:type="FilesystemMetadataProvider" metadataFile="<PATH_TO_THE_SAVED_METADATA>/metadata/sp-ONLYOFFICE.xml"/></code></pre>
</li>
<li>Configure the user attributes that the Shibboleth IdP will return.
<ol style="list-style-type: lower-alpha;">
<li>Edit the <code>SHIBBOLETH_HOME/conf/attribute-resolver.xml</code> file. Comment out or delete all the existing attribute definitions and data connectors.</li>
<li>Add the following attribute entries to the <code>resolver:AttributeResolver</code> section.</li>
</ol>
<pre class="prettyprint source linenums"><code><resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
    xmlns:sec="urn:mace:shibboleth:2.0:security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
                        urn:mace:shibboleth:2.0:resolver:pc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-pc.xsd
                        urn:mace:shibboleth:2.0:resolver:ad http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-ad.xsd
                        urn:mace:shibboleth:2.0:resolver:dc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsd
                        urn:mace:shibboleth:2.0:attribute:encoder http://shibboleth.net/schema/idp/shibboleth-attribute-encoder.xsd
                        urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd">

    <!-- ========================================== -->
    <!-- Attribute Definitions -->
    <!-- ========================================== -->

    <!-- Schema: Core schema attributes -->
    <resolver:AttributeDefinition id="email" xsi:type="ad:Simple" sourceAttributeID="mail">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="mobileNumber" sourceAttributeID="mobile">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mobile" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.41" friendlyName="mobile" encodeType="false" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="surname" sourceAttributeID="sn">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="locality" sourceAttributeID="l">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:l" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.7" friendlyName="l" encodeType="false" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="title" sourceAttributeID="title">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:title" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.12" friendlyName="title" encodeType="false" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="givenName" sourceAttributeID="givenName">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
    </resolver:AttributeDefinition>

</resolver:AttributeResolver></code></pre>
<ol style="list-style-type: lower-alpha;">
<li value="3">Configure the attributes to be released to the Service Provider. Edit the <code>SHIBBOLETH_HOME/conf/attribute-filter.xml</code> file and add the following code (the <code>attributeID</code> values must match the <code>id</code> values of the attribute definitions above):</li>
</ol>
<pre class="prettyprint source linenums"><code><AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- Release some attributes to an SP. -->
    <AttributeFilterPolicy id="ONLYOFFICESP">
        <PolicyRequirementRule xsi:type="OR">
            <Rule xsi:type="Requester" value="https://{portal-domain}/sso/metadata" />
        </PolicyRequirementRule>

        <AttributeRule attributeID="email">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <AttributeRule attributeID="surname">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <AttributeRule attributeID="givenName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <AttributeRule attributeID="mobileNumber">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <AttributeRule attributeID="title">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <AttributeRule attributeID="locality">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup></code></pre>
<div class="notehelp">Replace <code>{portal-domain}</code> with the domain name of your portal.</div>
</li>
<li>Edit the <code>SHIBBOLETH_HOME/conf/relying-party.xml</code> file.
<ol style="list-style-type: lower-alpha;">
<li>Copy the following code and paste it into the <code>shibboleth.RelyingPartyOverrides</code> element to override the default settings of the Shibboleth IdP for the ONLYOFFICE relying party:</li>
</ol>
<pre class="prettyprint source linenums"><code><util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName" c:relyingPartyIds="https://{portal-domain}/sso/metadata">
        <property name="profileConfigurations">
            <list>
                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                <bean parent="SAML2.SSO" p:encryptAssertions="true" p:postAuthenticationFlows="attribute-release" />
                <bean parent="SAML2.Logout" />
            </list>
        </property>
    </bean>
</util:list></code></pre>
<div class="notehelp">Replace <code>{portal-domain}</code> with the domain name of your portal.</div>
</li>
<li>Restart the Shibboleth daemon (Linux) or service (Windows).</li>
</ol>--%>
<h2 id="CheckWork">Verifying that ONLYOFFICE SP works with the Shibboleth IdP</h2>
<p>The install.sh script created 4 users which can be used for testing how ONLYOFFICE SP works with the Shibboleth IdP. All four share the published password shown in the table, so they are suitable for testing only.</p>
<table class="table_parameters">
<thead>
<tr>
<th>Email</th>
<th>Username</th>
<th>Password</th>
<th>Comment</th>
</tr>
</thead>
<tbody>
<tr>
<th>student1@{your_idp_domain}</th>
<td>student1</td>
<td>password</td>
<td>Standard</td>
</tr>
<tr>
<th>student2@{your_idp_domain}</th>
<td>student2</td>
<td>password</td>
<td>Without givenName</td>
</tr>
<tr>
<th>student3@{your_idp_domain}</th>
<td>student3</td>
<td>password</td>
<td>With umlauts</td>
</tr>
<tr>
<th>staff1@{your_idp_domain}</th>
<td>staff1</td>
<td>password</td>
<td>Obligatory fields only</td>
</tr>
</tbody>
</table>
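<p>To see how the <b>Attribute Mapping</b> table from the SP configuration and these four test users fit together, here is an added Python example (not part of the ONLYOFFICE help page, of ONLYOFFICE SSO or of install.sh) that maps a SAML AttributeStatement onto the ONLYOFFICE profile fields by OID and validates the result. The attribute statements are constructed from the test-user descriptions (student2 without givenName, student3 with umlauts, staff1 with name and email only) plus one extra case in which the IdP released no email attribute. Treating Email as the one attribute the portal cannot do without is my assumption, as are the invented attribute values and the exact attribute set of staff1.</p>

```python
"""Map attributes released by Shibboleth IdP (by OID, as in this guide's
Attribute Mapping table) onto ONLYOFFICE People profile fields and validate
the outcome for the test users install.sh creates.

Added example, not part of the ONLYOFFICE help page, ONLYOFFICE SSO or
install.sh. Assumptions: Email is the only attribute the portal cannot do
without (it is the login identifier); all attribute values below are invented.
"""
import unicodedata
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# The OIDs from the guide's Attribute Mapping table
GIVEN, SN, MAIL = "urn:oid:2.5.4.42", "urn:oid:2.5.4.4", "urn:oid:0.9.2342.19200300.100.1.3"
LOCALITY, TITLE, MOBILE = "urn:oid:2.5.4.7", "urn:oid:2.5.4.12", "urn:oid:0.9.2342.19200300.100.1.41"
ATTRIBUTE_MAPPING = {GIVEN: "first_name", SN: "last_name", MAIL: "email",
                     LOCALITY: "location", TITLE: "title", MOBILE: "phone"}
REQUIRED = ("email",)  # assumption, see module docstring


def map_attribute_statement(xml_text: str) -> dict:
    """Return {field: value}. Attributes the mapping does not list are ignored,
    absent attributes leave the field out, a multi-valued attribute keeps its
    first value, and text is NFC-normalised so umlauts compare predictably."""
    root = ET.fromstring(xml_text)
    profile = {}
    for attr in root.iter("{%s}Attribute" % SAML):
        field = ATTRIBUTE_MAPPING.get(attr.get("Name"))
        if field is None:
            continue
        values = [unicodedata.normalize("NFC", (v.text or "").strip())
                  for v in attr.findall("saml:AttributeValue", NS)]
        values = [v for v in values if v]
        if values:
            profile[field] = values[0]
    return profile


def validate_profile(profile: dict) -> list:
    """Problems that would stop the portal from creating or updating the user."""
    problems = ["missing required attribute: %s" % f for f in REQUIRED if f not in profile]
    email = profile.get("email", "")
    if email and ("@" not in email or any(c.isspace() for c in email)):
        problems.append("malformed email: %r" % email)
    return problems


def attribute_statement(attrs: dict) -> str:
    """Serialise {OID: value} as a saml:AttributeStatement (constructed input)."""
    body = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>'
        % (oid, escape(value)) for oid, value in attrs.items())
    return '<saml:AttributeStatement xmlns:saml="%s">%s</saml:AttributeStatement>' % (SAML, body)


IDP_DOMAIN = "shibbolethoo.tk"  # the example IdP domain used in this guide
TEST_USERS = {  # constructed stand-ins for the users install.sh creates
    "student1": {GIVEN: "Alice", SN: "Student", MAIL: "student1@" + IDP_DOMAIN,
                 LOCALITY: "Berlin", TITLE: "Intern", MOBILE: "+49 30 0000000"},
    "student2": {SN: "Student", MAIL: "student2@" + IDP_DOMAIN},          # without givenName
    "student3": {GIVEN: "Ju\u0308rgen", SN: "Mu\u0308ller",                # umlauts in decomposed form
                 MAIL: "student3@" + IDP_DOMAIN},
    "staff1": {GIVEN: "Sam", SN: "Staff", MAIL: "staff1@" + IDP_DOMAIN},  # obligatory fields only
    "no-mail": {GIVEN: "Nobody", SN: "Unknown"},  # extra case: IdP released no mail attribute
}


def check_test_users() -> dict:
    """{user: (profile, problems)} for every constructed test user."""
    results = {}
    for name, attrs in TEST_USERS.items():
        profile = map_attribute_statement(attribute_statement(attrs))
        results[name] = (profile, validate_profile(profile))
    return results


if __name__ == "__main__":
    for name, (profile, problems) in check_test_users().items():
        print(name, profile, problems or "OK")
```

<p>The mapping deliberately ignores attributes that are not in the table, so an IdP that releases more than the six attributes cannot populate fields the portal did not ask for, and the NFC normalisation is what keeps student3's umlauts from turning into duplicate users when one login sends a composed "ü" and the next a decomposed one.</p>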
<h5>Logging in to ONLYOFFICE on the SP side</h5>
<ol>
<li>Go to the ONLYOFFICE Authentication page (for example, <span class="param-type">https://myportal-address.com/Auth.aspx</span>).</li>
<li>Click the <b>Single sign-on</b> button (the button name may differ if you specified your own text when configuring ONLYOFFICE SP). If the button is missing, SSO is not enabled.
<div class="screen_block">
<img alt="How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP" target="img112_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide95/authenticationpage.png")%>" />
<img alt="How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP" id="img112_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide95/authenticationpage.png")%>" />
<div target="img112_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>If all the SP and IdP parameters are configured correctly, you will be redirected to the Shibboleth IdP login form:
<div class="screen_block">
<img alt="How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP" target="img7_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide93/shibboleth_7.png")%>" />
<img alt="How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP" id="img7_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide93/shibboleth_7.png")%>" />
<div target="img7_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>Enter the login and password of the Shibboleth IdP account (username: <span class="param-type">student1</span>, password: <span class="param-type">password</span>) and check the <b>Don't Remember Login</b> box.</li>
<li>If the credentials are correct, a new window opens. Allow the release of information to the service by clicking the <b>Accept</b> button.
<div class="screen_block">
<img alt="How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP" target="img11_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide93/shibboleth_7-1.png")%>" />
<img alt="How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP" id="img11_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide93/shibboleth_7-1.png")%>" />
<div target="img11_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
<li>If everything is correct, you will be redirected to the portal main page (if no such user exists on the portal, it will be created automatically; if the user's data has been changed in the IdP, it will be updated).
<div class="screen_block">
<img alt="How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP" target="img17_2_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide94/startpage.png")%>" />
<img alt="How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP" id="img17_2_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide94/startpage.png")%>" />
<div target="img17_2_eventcom_guides" class="screenphoto magnifier"></div>
</div>
</li>
</ol>
<h5>Profiles of users added via SSO authentication</h5>
<p>Editing the profiles of users created via SSO authentication is restricted. The user profile fields received from the IdP are disabled for editing (namely <code>First Name</code>, <code>Last Name</code>, <code>Email</code>, <code>Title</code> and <code>Location</code>). You can edit these fields only in your IdP account.</p>
<p>The image below shows the "Actions" menu for an SSO user:</p>
<div class="screen_block">
<img alt="How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP" target="img8_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide93/shibboleth_8.png")%>" />
<img alt="How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP" id="img8_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide93/shibboleth_8.png")%>" />
<div target="img8_eventcom_guides" class="screenphoto magnifier"></div>
</div>
<p>The following image shows the profile of an SSO user opened for editing:</p>
<div class="screen_block">
<img alt="How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP" target="img9_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide93/shibboleth_9.png")%>" />
<img alt="How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP" id="img9_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide93/shibboleth_9.png")%>" />
<div target="img9_eventcom_guides" class="screenphoto magnifier"></div>
</div>
<p>Users created via SSO authentication are marked with the <span class="sso_icon">SSO</span> icon in the user list shown to portal administrators:</p>
<div class="screen_block">
<img alt="How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP" target="img10_eventcom_guides" class="screenphoto screen_guides" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/small/guide93/shibboleth_10.png")%>" />
<img alt="How to configure Shibboleth v2.x - 3.x IdP and ONLYOFFICE SP" id="img10_eventcom_guides" class="bigphoto_screen" src="<%=VirtualPathUtility.ToAbsolute("~/images/Help/Guides/big/guide93/shibboleth_10.png")%>" />
<div target="img10_eventcom_guides" class="screenphoto magnifier"></div>
</div>
<p>To log out of the Shibboleth IdP (if you did not check the <b>Don't Remember Login</b> box when logging in), follow a link of the following form: <span class="param-type">https://{shibboleth-idp-domain}/idp/profile/Logout</span></p>
</div>
</div>