Single Sign-On (SSO) to OnlyOffice#

Follow these instructions to configure the Gluu Server and OnlyOffice for SSO.

Configure OnlyOffice#

Note

Sign in to the OnlyOffice portal with an administrative account
Navigate to the Control Panel
Click SSO (on the left menu), and select Enable Single Sign-on Authentication
Load metadata to fill the required fields automatically. Shibboleth provides the IdP metadata file at https://{shibboleth-idp-domain}/idp/shibboleth. Store the shibboleth.xml filein the local machine and upload it with the SELECT FILE button.
The Name ID format must be Transient
In the Public Certificates section, check the box for both Verify Authentication Response Signature and Verify Logout Request Signature
Inside the SP Certificates section, keep the default values for Attribute Mapping
Click the Save button
Click DOWNLOAD SP METADATA XML

Now, follow the instructions below to create a SAML Trust Relationship (TR) for OnlyOffice in the Gluu Server.

Note

Review the docs for creating SAML TRs.

Create a TR by clicking Saml, then Add Trust Relationship. Use the following fields:
- Display Name: Name the TR (e.g. OnlyOffice SSO)
- Description: Provide a description for the TR (e.g. SAML SSO TR for OnlyOffice)
- Metadata Type: Select File
Upload the OnlyOffice metadata (downloaded during OnlyOffice configuration)
Release the following attributes: TransientID and Email
Add the TR
Select Configure Relying Party
Add the following configurations:
- Select SAML2SSO
- includeAttributeStatement: Enabled
- assertionLifetime: keep the default
- assertionProxyCount: keep the default
- signResponses: conditional
- signAssertions: never
- signRequests: conditional
- encryptAssertions: conditional
- encryptNameIds: never
- Save
Click Update
Click Activate

Now, configure the NameID:

Navigate to Configure custom NameID
Click Add NameID Configuration
- Check Enabled
- For Source Attribute, select Email for the Source Attribute
- For NameId Type, select emailAddress
Click Update