Authentication/SAML: Difference between revisions
(Created page with "Category:Authentication Category:Administration Category:Configuration = SAML Readme = Included in Network Edition at the following location: /opt/zimbra/extensi...") |
No edit summary |
||
Line 6: | Line 6: | ||
Included in Network Edition at the following location: | Included in Network Edition at the following location: | ||
/opt/zimbra/extensions-network-extra/saml/README.txt | /opt/zimbra/extensions-network-extra/saml/README.txt | ||
Revision as of 19:00, 9 April 2013
SAML Readme
Included in Network Edition at the following location:
/opt/zimbra/extensions-network-extra/saml/README.txt
The Zimbra SAML extension provides support for the "Browser/POST Profile of SAML" - Section 4.1.2 of http://www.oasis-open.org/committees/download.php/3405/oasis-sstc-saml-bindings-1.1.pdf. Zimbra is the "Destination Site" in the context of this section of the spec. The flow for a user on a browser would be: 1. User authenticates with an IdP which can act as a SAML Provider. 2. The IdP redirects the browser to Zimbra SAML extension URL (<zimbra_base_url>/service/extension/samlreceiver) and passes along a SAML Response (containing a SAML Assertion). 3. The SAML extension checks the validity of the SAML Response, and then looks up the Subject inside the SAML assertion which should be the email address corresponding to user's Zimbra account. 4. Finally, a Zimbra cookie corresponding to that Zimbra account is returned to the browser and is redirected to the default Zimbra mail URL. Zimbra Setup ------------ - Create "saml" directory under /opt/zimbra/lib/ext; Copy samlextn.jar under it. - Add the SAML signing certificate to the domain: zmprov md <domain> zimbraMyoneloginSamlSigningCert <saml-signing-cert-base64-data> Note for SAML Provider ---------------------- SAML Provider must POST the SAML Response at the following URL for SSO: <zimbra_base_url>/service/extension/samlreceiver This SAML Consumer extension requires that the Subject Name Identifier inside the SAML Assertion must be the account email address, so configure the Provider accordingly.