When I go to https://<onlyoffice.mydomain.com>/controlpanel/rebranding/, I found that the description text of dark theme logo is "light":

That's because they use the same variable LogoDarkAbout.

By the way, you may have noticed that the text of LogoDarkAbout is "light". The root cause is the incorrect text in the resource file:

Maybe a lot of Dark/Light related variables also have to be swapped, to resolve this issue completely...

While trying to solve problem with fulltext search in CS (ONLYOFFICE/Docker-CommunityServer#113),
on suggestion of @Carazyda I tried to install controlpanel. I have dificulty making it connect to existing installation of document & community server. (everything runs in docker)

I suspect the problem might be that control panel is trying to connect to community server through http while it is running on https (thus won't return json).

root@controlpanel:/var/www/onlyoffice/controlpanel# cat /var/log/onlyoffice/web.controlpanel.12-31.log

2020-12-31 06:38:09 - error: http://onlyoffice.fritz.box/api/2.0/settings/controlpanel.json Unexpected token in JSON at position 0
2020-12-31 06:38:09 - error: http://onlyoffice.fritz.box/api/2.0/portal.json Unexpected token in JSON at position 0

(the correct address is https://.....) - when I try through web browser it returns html "access denied" on http:// and correct json data on https://.
Is there a way how to explain to control panel that community server is running on https? The run script obviously expects http :-(
root@controlpanel:/var/www/onlyoffice/controlpanel# cat run-controlpanel.sh

...
sed 's/http://onlyoffice-community-server/http://'${ONLYOFFICE_COMMUNITYSERVER_HOST}'/' -i www/config/production.json;
...

other issue you might want to know about is that there is error in doc on page
https://helpcenter.onlyoffice.com/installation/groups-install-docker.aspx:

...
sudo docker run --net onlyoffice -i -t -d --restart=always --name onlyoffice-control-panel
-v /var/run/docker.sock:/var/run/docker.sock
-v /app/onlyoffice/CommunityServer/data:/app/onlyoffice/CommunityServer/data
-v /app/onlyoffice/ControlPanel/data:/var/www/onlyoffice-controlpanel/Data
-v /app/onlyoffice/ControlPanel/logs:/var/log/onlyoffice-controlpanel
onlyoffice/controlpanel
...

^ the server expects mountpoints /var/www/onlyoffice/Data & /var/log/onlyoffice, not -controlpanel (I had to dig into the container to find the correct paths)

Generally works. Not done yet:

• Logging out
• mapping Location, Phone and Title

Keycloak

Settings:

• client ID: https://<domain>/sso/metadata
• name: OnlyOffice
• root url: https://<domain>/sso/acs
• home url: https://<domain>/sso/acs
• Valid redirect URIs: https://<domain>/sso/acs
• Valid post logout redirect URIs: https://<domain>/sso/slo/callback
• Name ID format: email
• Force POST binding: on (else it seems not to work)
• Sign documents: on
• Sign assertions: on
• Signature algorithm: RSA_SHA256 (or RSA_SHA512)

Keys:

• Client signature required: off
• Encrypt assertions: generate. Use the public key (shown) and private key (automatically downloaded) for the "SP Certificates" of OnlyOffice. Possibly a key generated by OnlyOffice might also work, but did not test this. Leave this off initially, to check if the rest works!

Client Scopes:

• go to https://<domain>/sso/metadata-dedicated
• Add these predefined mappers: email, givenName and surName.
• Set the "SAML Attribute NameFormat" of each mapper to "URI reference". Using basic names seemingly does not work.

OnlyOffice

• Load metadata from https://<keycloak-base>/realms/master/protocol/saml/descriptor
• Optionally change the bindings to POST. Watch out: OnlyOffice empties what's filled in!
• Change NameID format to email
• Default Signature Verification Algorithm: rsa-sha256 (same as configured in Keycloak)
• Use SP Certificates (public and private key) generated by Keycloak. Leave this off initially, to check if the rest works!
  • Be sure to add the -----BEGIN CERTIFICATE-----, -----END CERTIFICATE-----, -----BEGIN RSA PRIVATE KEY-----and-----END RSA PRIVATE KEY-----`, else OnlyOffice will not accept.
  • Pick "rsa-sha1" and "aes256-cbc" - others might also work - I noticed that I could just change "aes128-cbc" to "aes256-cbc" and everything kept working.
  • Select "signing and encrypt"
• Attribute mapping. These can also be copied from Keycloak. Using basic names did not work for me.
  • First name: urn:oid:2.5.4.42
  • Last name: urn:oid:2.5.4.4
  • Email: urn:oid:1.2.840.113549.1.9.1
  • Empty Location, Phone and Title

Debugging

In onlyoffice-community-server you'll find the only interesting logging:

tail -n 50 -f /var/log/onlyoffice/web.sso..log

Feedback welcome on:

• How to get log-out working
• How to do mapping with Simple names
• General improvements of the above

This issue is unique.

• I have used the search tool and did not find an issue describing my bug.

Operating System of DocumentServer

Docker

Version information

7.3.3.50

Expected Behavior

in previous versions I have updated without any problem

Actual Behavior

I downloaded the

update but when I click on install it fails to install it and nothing happens

Reproduction Steps

No response

Additional information

No response

Having the Google Cloud integration enabled and doing backup on ControlPanel tries to put objects in the bucket with allUsers object level permission.

Tried different setups, didn't work.

• Cloud Storage Bucket with Public Access Prevention enabled - Failed with the following error.

Google.Apis.Requests.RequestError The member bindings allUsers and allAuthenticatedUsers are not allowed since public access prevention is enforced. [412] Errors [ Message[The member bindings allUsers and allAuthenticatedUsers are not allowed since public access prevention is enforced.] Location[If-Match - header] Reason[conditionNotMet] Domain[global] ]

• Cloud Storage Bucket with Uniform Access Control and Public Access Prevention enabled - Failed with the following error.

Google.Apis.Requests.RequestError Cannot insert legacy ACL for an object when uniform bucket-level access is enabled. Read more at https://cloud.google.com/storage/docs/uniform-bucket-level-access [400] Errors [ Message[Cannot insert legacy ACL for an object when uniform bucket-level access is enabled. Read more at https://cloud.google.com/storage/docs/uniform-bucket-level-access] Location[ - ] Reason[invalid] Domain[global] ]

The only way it works is to disable the Public Access prevention on the bucket and have Fine Grained Access Control enabled, but this results in objects being accessible over the Internet, which is not secure.

Suggesting to remove the allUsers and allAuthenticatedUsers object level permissions if there is one in the object ACL when OnlyOffice tries to upload the image to the bucket.

My Setup

• OnlyOffice Community Server - v12.5.2.1848
• Control panel - v3.5.0.516
• Document Server - v7.5.1.1