> I have Zimbra mail system working as a mail service provider ...
> how can I modify the authentication mechanism in Zimbra to accept SAML
> assertion instead of its own username and password ?
Seems Zimbra has its own proprietary SSO protocol:
https://wiki.zimbra.com/wiki/Preauth
Further down that page you'll also find PHP sample code that will
generate the tokens.
That means you could create your own SAML SP (using SimpleSAMLphp),
integrate that with your SAML IDP (of whatever implementation) and on
a PHP page using the SimpleSAMLphp SP API you could generate the
Preauth token for the authenticated subject based on SAML attributes
from the SSP session on the SP.
What I don't see mentioned on that wiki page is how people accessing
Zimbra directly (not starting at your SAML SP) can make use of that
preauth functionality.
The following (otherwise unrelated, so ignore everything else) page
https://github.com/Zimbra-Community/owncloud-zimlet/wiki/Zimbra-and-ownCloud-Single-Sign-On-SSO
mentions a zimbra command that allows you to set the "login" and "logout"
URL for web clients, though, which could then be set to your SSP SAML
SP for login (for logout more work would likely be needed).
In the Zimbra documentation I only found a single occurrence of
"zimbraWebClientLoginURL" hidden away on their appendix for SPNEGO:
https://www.zimbra.com/docs/os/8.6.0/administration_guide/wwhelp/wwhimpl/js/html/wwhelp.htm#href=860_admin_os.Configure_ZCS.html
So it is documented somewhat, just not for use with Preauth, I guess.
That way people could access Zimbra's web UI as always, zimbra would
send unauthenticated browsers off to your SimpleSAMLphp SAML SP, that
in turn would send the browser off to the SAML IDP for authentication.
The IDP then sends you back to the SAML SP, there your own code
pulls the right attribute from the SSP session and stuffs it
into a properly formatted preauth token (as per above), and finally
sends the browser off to the specified location for preauth requests.
Zimbra will then validate the token and redirect the subject back into
the application.
Logout may be an issue, though. From the documentation it's not clear to
me whether Zimbra terminates its own session first before sending the
browser off to the value of zimbraWebClientLogoutURL.
If it does you simply need to set that to a PHP resource of your own on
the SSP SAML SP that will call SSP's logout method.
If it does not, OTOH, you'd need to find a way to kill off the
subject's zimbra session remotely (before/after calling SSP's
logout). Whether they provide an API for that (like they do for login,
using preauth) I don't know.
So web SSO login into zimbra seems simple after all, and requires no hacking.
Logout is either simple or might be impossible, depending on how
zimbra behaves and what APIs they provide (e.g. for administrative
logout, which is something else that could take care of that problem).
-peter
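The SP-side step described in the reply above (take the account name from the SAML session, compute the Preauth token, redirect the browser to Zimbra's preauth endpoint) as an added, stand-alone example; it is not code from the thread, from SimpleSAMLphp or from the Zimbra wiki, and it is in Python rather than PHP so it can be run without a web server. The token format (HMAC-SHA1 over account|by|expires|timestamp, hex-encoded, millisecond timestamp) is the one the Zimbra Preauth wiki page describes. The hostname, the preauth key, the `mail` attribute name, the sample attribute set and the 5-minute timestamp window in the verifier are all constructed assumptions; the `verify_preauth` function reproduces the check Zimbra does on its side only so the example can be exercised end to end.

```python
import hmac
import hashlib
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed values. In a real deployment the per-domain preauth key comes
# from the Zimbra admin (zmprov gdpak <domain>) and must only live on the SP.
ZIMBRA_HOST = "mail.example.com"                     # hypothetical host
PREAUTH_KEY = "0123456789abcdef0123456789abcdef"     # constructed, not a real key

# Constructed stand-in for what SimpleSAMLphp exposes from the SP session:
# attribute name -> list of values.
SAMPLE_ATTRIBUTES = {
    "mail": ["alice@example.com"],
    "displayName": ["Alice Example"],
}


def compute_preauth(account, by, expires, timestamp, key):
    """Zimbra preauth value: HMAC-SHA1 over the four parameters joined by '|'
    in the order account|by|expires|timestamp, as a lowercase hex string."""
    message = "|".join([account, by, str(expires), str(timestamp)])
    return hmac.new(key.encode("utf-8"), message.encode("utf-8"),
                    hashlib.sha1).hexdigest()


def build_preauth_redirect(saml_attributes, timestamp_ms,
                           key=PREAUTH_KEY, host=ZIMBRA_HOST):
    """Map the SP session's attributes to a Zimbra account and build the URL
    the browser is redirected to. 'mail' as the account attribute is an
    assumption; whatever the IdP releases must map 1:1 to a Zimbra account."""
    values = saml_attributes.get("mail") or []
    if len(values) != 1:
        raise ValueError("expected exactly one 'mail' attribute value")
    account = values[0]
    expires = 0  # 0 = let Zimbra apply its default preauth token lifetime
    params = {
        "account": account,
        "by": "name",
        "timestamp": timestamp_ms,
        "expires": expires,
        "preauth": compute_preauth(account, "name", expires, timestamp_ms, key),
    }
    return "https://%s/service/preauth?%s" % (host, urlencode(params))


def parse_preauth_url(url):
    """Turn the redirect URL back into a flat parameter dict (what Zimbra
    would see on /service/preauth)."""
    query = parse_qs(urlparse(url).query)
    return {name: vals[0] for name, vals in query.items()}


def verify_preauth(params, key, now_ms, max_skew_ms=5 * 60 * 1000):
    """Receiver-side check, reproduced here for the example: recompute the
    HMAC, compare in constant time, then reject timestamps outside the
    allowed window (5 minutes here is an assumption, not Zimbra's setting)."""
    expected = compute_preauth(params["account"], params["by"],
                               params["expires"], params["timestamp"], key)
    if not hmac.compare_digest(expected, params["preauth"]):
        return False
    if abs(now_ms - int(params["timestamp"])) > max_skew_ms:
        return False
    return True


if __name__ == "__main__":
    ts = 1700000000000  # fixed millisecond timestamp so the run is reproducible
    url = build_preauth_redirect(SAMPLE_ATTRIBUTES, ts)
    print(url)
    print("valid:", verify_preauth(parse_preauth_url(url), PREAUTH_KEY, ts + 1000))
```

The timestamp is passed in rather than read from the clock so the token is reproducible; in the PHP page on the SP you would use the current time in milliseconds. Note that the token binds the account name, so a tampered `account` parameter fails verification, and that the preauth key must never reach the browser: the SP computes the token and only the resulting URL is sent to the client.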