mail system sso


moh salih

Jun 21, 2016, 5:32:29 AM
to SimpleSAMLphp
I have Zimbra mail system working as a mail service provider ...
how can I modify the authentication mechanism in Zimbra to accept a SAML assertion instead of its own username and password?


Peter Schober

Jun 21, 2016, 6:21:38 AM
to SimpleSAMLphp
* moh salih <m.ali....@gmail.com> [2016-06-21 11:32]:
> I have Zimbra mail system working as a mail service provider ...
> how can i modify the authentication mechanism in Zimbra to accept SAML
> assertion instead of it's own username and password ?

It all depends on how the software works exactly internally. E.g. if
the web mail component is just an IMAP client to the IMAP server, then
you can't just SSO-enable the web interface, as the web interface (=
the IMAP client) then won't be able to impersonate you towards the
IMAP server by replaying your credentials (the way a web mail software
usually does).

For many years I had collected and briefly documented all the ways you
could do this (or that someone had actually implemented) I ever came
across, at this URL https://aai-wiki.univie.ac.at/Applikationen/Webmail
but that server was eventually decommissioned and sadly archive.org
does not have a cached copy (I should have verified that before).

All of the variants are hacks, essentially, and all require deep
knowledge and understanding of the techniques and risks involved.

As you probably won't be interested in running a forked copy of Zimbra
(provided source code is even available and you can legally hack it)
the question probably comes down to what Zimbra supports or not.
That's not really a question for this list, though.
-peter

Peter Schober

Jun 21, 2016, 7:44:15 AM
to SimpleSAMLphp
* moh salih <m.ali....@gmail.com> [2016-06-21 11:32]:
> I have Zimbra mail system working as a mail service provider ...
> how can i modify the authentication mechanism in Zimbra to accept SAML
> assertion instead of it's own username and password ?

Seems Zimbra has its own proprietary SSO protocol:
https://wiki.zimbra.com/wiki/Preauth
Further down that page you'll also find PHP sample code that will
generate the tokens.
That means you could create your own SAML SP (using SimpleSAMLphp),
integrate that with your SAML IDP (of whatever implementation) and on
a PHP page using the SimpleSAMLphp SP API you could generate the
Preauth token for the authenticated subject based on SAML attributes
from the SSP session on the SP.

What I don't see mentioned on that wiki page is how people accessing
Zimbra directly (not starting at your SAML SP) can make use of that
preauth functionality.

The following (otherwise unrelated, so ignore everything else) page
https://github.com/Zimbra-Community/owncloud-zimlet/wiki/Zimbra-and-ownCloud-Single-Sign-On-SSO
mentions a zimbra command that allows you to set the "login" and "logout"
URL for web clients, though, which could then be set to your SSP SAML
SP for login (for logout more work would likely be needed).

In the Zimbra documentation I only found a single occurrence of
"zimbraWebClientLoginURL" hidden away on their appendix for SPNEGO:
https://www.zimbra.com/docs/os/8.6.0/administration_guide/wwhelp/wwhimpl/js/html/wwhelp.htm#href=860_admin_os.Configure_ZCS.html
So it is documented somewhat, just not for use with Preauth, I guess.

That way people could access Zimbra's web UI as always, zimbra would
send unauthenticated browsers off to your SimpleSAMLphp SAML SP, that
in turn would send the browser off to the SAML IDP for authentication.
The IDP then sends you back to the SAML SP, there your own code
pulls the right attribute from the SSP session and stuffs it
into a properly formatted preauth token (as per above), and finally
sends the browser off to the specified location for preauth requests.
Zimbra will then validate the token and redirect the subject back into
the application.

Logout may be an issue, though. From the documentation it's not clear to
me whether Zimbra terminates its own session first before sending the
browser off to the value of zimbraWebClientLogoutURL.
If it does you simply need to set that to a PHP resource of your own on
the SSP SAML SP that will call SSP's logout method.
If it does not, OTOH, you'd need to find a way to kill off the
subject's zimbra session remotely (before/after calling SSP's
logout). Whether they provide an API for that (like they do for login,
using preauth) I don't know.

So web SSO login into zimbra seems simple after all, and requires no hacking.

Logout is either simple or might be impossible, depending on how
zimbra behaves and what APIs they provide (e.g. for administrative
logout, which is something else that could take care of that problem).
-peter
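A sketch of the PHP glue page Peter describes, as an added example that is not from the thread, Zimbra or SimpleSAMLphp. It assumes a SimpleSAMLphp SP authsource named `default-sp`, an IdP that releases a `mail` attribute matching the Zimbra account name, and a constructed placeholder for the domain preauth key; the token layout (HMAC-SHA1 over `account|by|expires|timestamp`, timestamp in milliseconds) follows the Preauth wiki page linked above.

```php
<?php
// Added example (not from the thread, not Zimbra's or SimpleSAMLphp's own code).
// Assumptions: SimpleSAMLphp 1.x SP authsource 'default-sp', IdP releases 'mail',
// and the per-domain preauth key (output of `zmprov gdpak <domain>`) is stored
// server-side. All values below are constructed placeholders.
require_once('/var/simplesamlphp/lib/_autoload.php');

$zimbraBase = 'https://mail.example.com';              // assumed Zimbra host
$preauthKey = 'REPLACE-WITH-OUTPUT-OF-zmprov-gdpak';   // placeholder, keep secret

// 1. Force a SAML login at the IdP; returns only once the SSP session is authenticated.
$as = new SimpleSAML_Auth_Simple('default-sp');
$as->requireAuth();

// 2. Pull the attribute that maps to the Zimbra account name; refuse if missing.
$attrs = $as->getAttributes();
if (empty($attrs['mail'][0])) {
    http_response_code(403);
    exit('No mail attribute released by the IdP');
}
$account = $attrs['mail'][0];

// 3. Build the preauth token: HMAC-SHA1 over "account|by|expires|timestamp",
//    keyed with the domain preauth key, lowercase hex (field order per the wiki).
function zimbraPreauthToken($account, $by, $expires, $timestampMs, $key) {
    $data = implode('|', array($account, $by, $expires, $timestampMs));
    return hash_hmac('sha1', $data, $key);
}

$timestampMs = (int) round(microtime(true) * 1000); // Zimbra expects milliseconds
$expires     = 0;                                    // 0 = Zimbra's default session lifetime
$token       = zimbraPreauthToken($account, 'name', $expires, $timestampMs, $preauthKey);

// 4. Send the browser to Zimbra's preauth endpoint; Zimbra checks the HMAC and
//    the timestamp freshness itself, then issues its own session cookie.
$url = $zimbraBase . '/service/preauth?' . http_build_query(array(
    'account'   => $account,
    'by'        => 'name',
    'timestamp' => $timestampMs,
    'expires'   => $expires,
    'preauth'   => $token,
));
header('Location: ' . $url, true, 302);
exit;
```

Because the token is bound to the account and a fresh timestamp, the preauth key itself never leaves the SP page; the corresponding logout resource would call `$as->logout()` and is the part Peter flags as uncertain.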

Janusz Ulanowski

Jun 21, 2016, 7:52:46 AM
to simple...@googlegroups.com
there is some other project https://sogo.nu/ (I haven't tried it)

Janusz

Peter Schober

Jun 21, 2016, 8:01:06 AM
to simple...@googlegroups.com
* Janusz Ulanowski <janusz.u...@heanet.ie> [2016-06-21 13:52]:
> there is some other project https://sogo.nu/ (I haven't tried it)

We're using the calendar of that which works (the new version's web UI
is somewhat painful to use, but most people here use it with phat
clients not the browser UI).
SSO into the web UI is possible by adding specific HTTP request
headers (easiest for me using the Shibboleth SP but mod_mellon would
also work) and configuring SOGo to look for/at those.

For webmail though I think SOGo is just an ordinary IMAP client, i.e.,
WebSSO wouldn't work unless you added more hacks to enable 2-tier
authn to the IMAP server without having access to the subject's
password. (Or sending along the actual password as SAML attribute,
which is what some people are actually doing.)

There's CrudeSAML, too, but that won't integrate with either SOGo or
Zimbra.
-peter

moh salih

Jun 23, 2016, 2:50:51 AM
to simple...@googlegroups.com
Thank you very much, I used preauth as you said Mr. Peter and it's working.
This was very helpful.

