AD FS IdP

Introduction

Single Sign-on (SSO) is a technology that allows users to sign in only once and then get access to multiple applications/services without re-authentication.

If a web portal includes several large independent sections (forum, chat, blogs etc.), a user can undergo the authentication procedure within one of the services and automatically get access to all other services without entering credentials several times.

SSO is always ensured by the joint operation of two applications: an Identity Provider and a Service Provider (also called as "IdP" and "SP"). ONLYOFFICE SSO implements the SP only. A lot of different providers can act as an IdP, but this article considers the Active Directory Federation Services (AD FS) implementation.

Preparing AD FS for the SSO setup

Install the latest AD DS (Active Directory Domain Service) version with all official updates and patches.
Install the latest AD FS version with all official updates and patches.
To deploy AD FS from scratch you can use the following instructions.
Verify that the link to the AD FS metadata is publicly available. To do that,
1. In the Server Manager, open Tools -> AD FS Management,
2. Go to AD FS \ Service \ Endpoints,
3. Find the row with the Federation Metadata type in the table. The link to the IdP metadata is constructed under the following scheme:
```
https://{ad-fs-domain}/{path-to-FederationMetadata.xml}
```
  Alternatively, you can use the following PowerShell command:
```
PS C:\Users\Administrator> (Get-ADFSEndpoint | Where {$_.Protocol -eq "FederationMetadata" -or $_.Protocol -eq "Federation Metadata"}).FullUrl.ToString()
```
  As a result you should get a link that looks like this:
```
https://myportal-address.com/FederationMetadata/2007-06/FederationMetadata.xml
```
4. To verify that AD FS has been started correctly, open the received link in a web browser. The xml should be displayed or downloaded.
  Copy the link to the metadata xml: it will be required at the next step. Make sure that you are signed in as an Administrator to your ONLYOFFICE DocSpace. Open the Settings -> Integration -> Single Sign-On page.

Configuring ONLYOFFICE SP

Enable SSO using the Enable Single Sign-on Authentication switcher and paste the link copied from the AD FS into the URL to Idp Metadata XML field.
Press the button with the upward arrow to load the IdP metadata. The ONLYOFFICE SP Settings form will be automatically filled in with your data from the AD FS IdP.
In the NameID Format selector, choose the following value: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
In the IdP Public Certificates \ Advanced settings section, uncheck the Verify Logout Response Signature option, as AD FS does not require that by default.
Now you need to add certificates to the SP Certificates section. You can generate self-signed certificates or add any other certificates.
Importantin the New Certificate window, switch the Use for selector to the Signing and encryption option, as AD FS IdP is automatically configured to verify digital signatures and encrypt data.
In the SP Certificates \ Advanced settings, uncheck the Sign Logout Responses option, as AD FS does not require that by default.
It is not necessary to adjust the Attribute Mapping form, as we will set these parameters in the AD FS IdP later.
Click the Save button.
The ONLYOFFICE SP Metadata section should be opened.
Verify that our settings are publicly available by clicking the Download SP Metadata XML button. The XML file contents should be displayed.
Copy the link to the ONLYOFFICE SP metadata from the SP Entity ID (link to metadata XML) field and go to the machine where AD FS is installed.

Configuring AD FS IdP

In the Server Manager, open Tools -> AD FS Management,
In the AD FS Management panel, select the Trust Relationships > Relying Party Trusts. Click the Add Relying Party Trust... option on the right. The Add Relying Party Trust Wizard opens,
In the wizard window, select the Import data about the relying party published online or on a local network radio button, paste the previously copied link to the ONLYOFFICE SP metadata into the Federation metadata address (host name or URL) field and click the Next button,
In the Display name field, specify any name and click the Next button,
Select the Permit everyone option and click the Next button,
Check the resulting settings and click the Next button,
Leave the default option unchanged and click the Close button,
A new window opens. At the Edit Claim Issuance Policy tab, click the Add Rule... button,
Select the Send LDAP Attributes as Claims option from the Claim rule template list and click the Next button,
Type in any name in the Claim rule name field. Select the Active Directory option from the Attribute store list and fill in the Mapping of LDAP attributes to outgoing claim types form according to the table below. When ready, click Finish.
LDAP Attribute (Select or type to add more) Outgoing Claim Type (Select or type to add more)
Given-Name givenName
Surname sn
E-Mail-Addresses mail
In the Edit Claim Rules window, click the Add Rule... button once again, select the Transform an Incoming Claim option from the Claim rule template list and click the Next button,
Type in any name in the Claim rule name field and select the following options from the lists:
- Incoming claim type: mail,
- Outgoing claim type: Name ID,
- Outgoing name ID format: Email
When ready, click the Finish button.

LDAP Attribute (Select or type to add more)	Outgoing Claim Type (Select or type to add more)
Given-Name	givenName
Surname	sn
E-Mail-Addresses	mail

If logout from AD FS does not work, it's recommended to add a Custom Claim Rule replacing {portal-domain} with your SP domain and changing {ad-fs-domain} to your IdP domain:

c:[Type == "mail"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://{ad-fs-domain}/adfs/services/trust", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "https://{portal-domain}/sso/metadata");

How to configure ONLYOFFICE SP and AD FS IdP

Click the OK button,
Open the properties of the created relying party trust and switch to the Advanced tab,
Select the SHA-1 option in the Secure hash algorithm list.

Host ONLYOFFICE DocSpace on your own server or use it in the cloud

Get it now Use in the cloud