
Single Sign-On (SSO) to OnlyOffice

Follow these instructions to configure the Gluu Server and OnlyOffice for SSO.

Configure OnlyOffice

Note

Review the docs for configuring OnlyOffice SSO.

  1. Sign in to the OnlyOffice portal with an administrative account

  2. Navigate to the Control Panel


  3. Click SSO (on the left menu), and select Enable Single Sign-on Authentication


  4. Load metadata to fill the required fields automatically. Shibboleth provides the IdP metadata file at https://{shibboleth-idp-domain}/idp/shibboleth. Store the shibboleth.xml file on the local machine and upload it with the SELECT FILE button.

  5. The Name ID format must be Transient


  6. In the Public Certificates section, check the boxes for both Verify Authentication Response Signature and Verify Logout Request Signature


  7. Inside the SP Certificates section, keep the default values for Attribute Mapping


  8. Click the Save button

  9. Click DOWNLOAD SP METADATA XML
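Before exchanging the two metadata files, it helps to confirm they match the settings chosen above. The following is an added example, not code from the Gluu or OnlyOffice documentation: it checks that the IdP metadata publishes a signing certificate (needed for step 6), that the SSO and assertion consumer endpoints use HTTPS, and that the SP metadata declares the Transient Name ID format (step 5). The function names, hosts, paths and certificate body are constructed placeholders.

```python
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
# Constructed sample metadata: placeholder hosts, paths and certificate body.
IDP_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/idp/shibboleth">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
SP_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://office.example.org/sso/metadata">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
  <md:AssertionConsumerService index="0" Location="https://office.example.org/sso/acs"
   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
 </md:SPSSODescriptor></md:EntityDescriptor>"""

def parse(xml_text):
    # Metadata needs no DTD; refusing one blocks entity-expansion payloads.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD not allowed in SAML metadata")
    return ET.fromstring(xml_text)

def check_metadata(idp_xml, sp_xml):
    """Return a list of findings; an empty list means every check passed."""
    idp, sp = parse(idp_xml), parse(sp_xml)
    findings = []
    # Step 6 turns on signature verification, so the IdP must publish a signing cert.
    keys = idp.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS)
    if not any(k.get("use") in (None, "signing")
               and k.findtext(".//ds:X509Certificate", "", NS).strip() for k in keys):
        findings.append("IdP metadata has no signing certificate")
    # Login requests and assertions should only travel over TLS.
    endpoints = (idp.findall(".//md:IDPSSODescriptor/md:SingleSignOnService", NS)
                 + sp.findall(".//md:SPSSODescriptor/md:AssertionConsumerService", NS))
    for ep in endpoints:
        if not ep.get("Location", "").startswith("https://"):
            findings.append(f"non-HTTPS endpoint: {ep.get('Location')}")
    # Step 5 sets the Name ID format to Transient.
    formats = [f.text.strip() for f in sp.findall(".//md:SPSSODescriptor/md:NameIDFormat", NS) if f.text]
    if TRANSIENT not in formats:
        findings.append("SP metadata does not declare the transient NameIDFormat")
    return findings

if __name__ == "__main__":
    print(check_metadata(IDP_XML, SP_XML) or "metadata checks passed")
```

To use it on real files, read shibboleth.xml and the downloaded SP metadata into strings and pass them to `check_metadata`.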

Configure Gluu Server

Now, follow the instructions below to create a SAML Trust Relationship (TR) for OnlyOffice in the Gluu Server.

Note

Review the docs for creating SAML TRs.

Trust Relationship

  1. Create a TR by clicking Saml, then Add Trust Relationship. Use the following fields:
    • Display Name: Name the TR (e.g. OnlyOffice SSO)
    • Description: Provide a description for the TR (e.g. SAML SSO TR for OnlyOffice)
    • Metadata Type: Select File
  2. Upload the OnlyOffice metadata (downloaded during OnlyOffice configuration)
  3. Release the following attributes: TransientID and Email
  4. Add the TR
  5. Select Configure Relying Party
  6. Add the following configurations:
    • Select SAML2SSO
    • includeAttributeStatement: Enabled
    • assertionLifetime: keep the default
    • assertionProxyCount: keep the default
    • signResponses: conditional
    • signAssertions: never
    • signRequests: conditional
    • encryptAssertions: conditional
    • encryptNameIds: never
    • Save
  7. Click Update
  8. Click Activate


NameID

Now, configure the NameID:

  1. Navigate to Configure custom NameID
  2. Click Add NameID Configuration

    • Check Enabled
    • For Source Attribute, select Email
    • For NameId Type, select emailAddress


  3. Click Update

Testing

  • Attempt to access the OnlyOffice dashboard
  • Click the Single Sign-On button
  • Enter your credentials in Gluu and log in
  • You will be redirected back to the OnlyOffice dashboard with an active session