Integrate with OnlyOffice
Support level: Community
What is ONLYOFFICE?
ONLYOFFICE is an online office and productivity suite for document editing and collaboration. ONLYOFFICE Workspace adds document management, projects, CRM, mail, calendars, and an administrative control panel.
Preparation
The following placeholders are used in this guide:
- onlyoffice.company is the FQDN of the ONLYOFFICE Workspace installation.
- authentik.company is the FQDN of the authentik installation.
This guide is for ONLYOFFICE Workspace server installations that include the ONLYOFFICE Control Panel. ONLYOFFICE can only be connected to one SAML identity provider at a time.
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
Download the ONLYOFFICE service provider metadata
- Log in to ONLYOFFICE Workspace as an administrator.
- Click the cog icon in the navigation bar, then click Control Panel in the sidebar.
- In the Control Panel tab, click SSO in the sidebar.
- Enable Single Sign-on Authentication.
- Scroll down to ONLYOFFICE SP Metadata.
- Click Download SP Metadata XML to save the ONLYOFFICE SP metadata XML file. You will upload this file to authentik in the next section.
authentik configuration
To support the integration of ONLYOFFICE Workspace with authentik, you need to create an application/provider pair in authentik.
Create an application and provider
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Applications > Applications and click New Application to open the application wizard.
  - Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
  - Choose a Provider type: select SAML Provider from Metadata as the provider type.
  - Configure the Provider: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configuration:
    - Metadata: select the SP metadata XML you downloaded from ONLYOFFICE Workspace during the preparation step.
  - Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's Application Dashboard page.
- Click Submit to save the new application and provider.
- Navigate to Applications > Providers and click the provider you created.
- Click Edit, open Advanced protocol settings, and set the following values:
  - Signing Certificate: select any available certificate.
  - Sign responses: enable this option.
- Click Update.
- Under Related objects > Metadata, click Copy download URL. This metadata download URL will be required in the next section.
OnlyOffice configuration
- Return to the ONLYOFFICE Control Panel and open SSO.
- Paste the metadata download URL from authentik into URL to IdP Metadata XML and click the upload button next to the field.
- Under Attribute Mapping, set the following values:
  - First Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  - Last Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  - Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Click Save.
Configuration verification
To confirm that authentik is properly configured with ONLYOFFICE Workspace, log out of ONLYOFFICE Workspace, open it again, and click Single Sign-on on the login page. You should be redirected to authentik to log in, then redirected back to ONLYOFFICE Workspace.