__FORCETOC__
<div class="col-md-12 ibox-content">
= Zimbra Single Sign-On using SAML with SimpleSAMLphp =
{{KB||{{ZCS 9.0}}|{{ZCS 10.0}}|}}

[[Category:Authentication]]
[[Category:Administration]]
[[Category:Configuration]]

Did you know that Zimbra supports SAML single sign-on? SAML is an open standard that lets you have one login page for all applications in your organization. SAML is a Zimbra Network Edition feature. Once you have set up your SAML portal you can easily add [[multi%20factor%20authentication|Multi Factor Authentication]].

== Set up Zimbra SP in SimpleSAMLphp ==

In SAML terms applications are called Service Providers (SPs). The service that holds your user database and performs the actual authentication is called the Identity Provider (IdP). Usually you have one IdP and as many SPs as you have applications. In this example Zimbra is set up as a SAML SP and SimpleSAMLphp is the IdP. Register Zimbra as a remote SP in SimpleSAMLphp's <code>metadata/saml20-sp-remote.php</code>; the array key is the SP entity ID and has to be exactly the value you later put in <code>saml_sp_entity_id</code> on the Zimbra side, because it is the Audience the IdP writes into every assertion:
<pre>$metadata['https://zm-zimbra9.barrydegraaff.tk/service/extension/samlreceiver'] = array(
    'simplesaml.attributes' => true,
    'debug' => TRUE,
    'AssertionConsumerService' => 'https://zm-zimbra9.barrydegraaff.tk/service/extension/samlreceiver',
    'SingleLogoutService' => 'https://zm-zimbra9.barrydegraaff.tk/service/extension/samlslo',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    'authproc' => array(
        10 => array(
            'class' => 'saml:AttributeNameID',
            'attribute' => 'emailAddress',
            'Format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        ),
    ),
);</pre>

The <code>authproc</code> filter makes the IdP send the user's <code>emailAddress</code> attribute as the NameID, which is what Zimbra uses to look up the account.

Zimbra also needs the X.509 certificate the IdP uses to sign the SAML responses it sends to Zimbra, so that it can verify the signature on every assertion it receives. Download it and save it on your Zimbra server; this guide assumes you store it in <code>/tmp/idpcert.pem</code>, and don't forget to <code>chown zimbra:zimbra /tmp/idpcert.pem</code>. If you followed the SimpleSAMLphp setup guide you can find the certificate at <code>/etc/simplesamlphp/cert/server.crt</code>. Only the public certificate is copied; the signing key stays on the IdP.
=== Set up Zimbra ===

Create the file <code>/opt/zimbra/conf/saml/saml-config.properties</code> with the following contents to configure SAML in Zimbra:
<pre># Issuer
saml_sp_entity_id=https://zm-zimbra9.barrydegraaff.tk/service/extension/samlreceiver
# Login receiver for the service provider
saml_acs=https://zm-zimbra9.barrydegraaff.tk/service/extension/samlreceiver
# Name ID format for the IDP to use in the SAMLResponse
saml_name_id_format=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
# Date format for issue instant
saml_date_format_instant=yyyy-MM-dd'T'HH:mm:ss'Z'
# Identity provider login endpoint for redirect method
saml_redirect_login_destination=https://saml.barrydegraaff.tk/simplesaml/saml2/idp/SSOService.php?spentityid=https://zm-zimbra9.barrydegraaff.tk/service/extension/samlreceiver
# Identity provider login endpoint for POST method
saml_post_login_destination=
# Identity provider logout endpoint for redirect method
saml_redirect_logout_destination=https://saml.barrydegraaff.tk/simplesaml/saml2/idp/SingleLogoutService.php
# Identity provider logout endpoint for POST method
saml_post_logout_destination=
# Logout redirect page if we are the landing page logout endpoint
saml_landing_logout_redirect_url=/
# URL to send the user with error_code, error_msg query params. Default results in HTTP error code pages.
saml_error_redirect_url=
# The SAML logout document encoding, and SAML login receiver parameter encoding.
saml_document_encoding=ASCII
# Set to true to disable the audience path check. Leave it false so Zimbra rejects assertions issued for another SP.
saml_skip_audience_restriction=false
# The redirect location to send the user if their Zimbra account is not active.
saml_inactive_account_redirect_url=</pre>

Set <code>saml_skip_audience_restriction</code> only once. This is a Java properties file, so if a key appears twice the last value silently wins, and <code>true</code> would make Zimbra accept an assertion the IdP issued for any other SP it knows about. <code>saml_sp_entity_id</code> must be identical to the array key used in the SimpleSAMLphp metadata above; otherwise the audience check rejects every login.
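Before restarting mailboxd it is worth checking the properties file for exactly the mistakes discussed above: a key listed twice, the audience check switched off, an entity ID that does not match what the IdP registered, or a non-HTTPS endpoint. The following script is an added example, not code from the Zimbra SAML extension. It parses the file with the same "last key wins" rule <code>java.util.Properties</code> uses; the <code>SAMPLE</code> input is a constructed copy of the page's configuration with two deliberate faults (a duplicated key and an <code>http://</code> logout URL).

```python
"""Lint a Zimbra saml-config.properties before restarting mailboxd.

Added example (not part of the Zimbra SAML extension). It reads the file with the
same "last key wins" rule that java.util.Properties applies and reports the
mistakes that most often break or weaken a SAML setup. SAMPLE is a constructed
copy of the page's config with two deliberate faults.
"""
import re
from urllib.parse import urlparse

SAMPLE = """\
# Issuer
saml_sp_entity_id=https://zm-zimbra9.barrydegraaff.tk/service/extension/samlreceiver
saml_acs=https://zm-zimbra9.barrydegraaff.tk/service/extension/samlreceiver
saml_name_id_format=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
saml_date_format_instant=yyyy-MM-dd'T'HH:mm:ss'Z'
saml_redirect_login_destination=https://saml.barrydegraaff.tk/simplesaml/saml2/idp/SSOService.php?spentityid=https://zm-zimbra9.barrydegraaff.tk/service/extension/samlreceiver
saml_post_login_destination=
saml_redirect_logout_destination=http://saml.barrydegraaff.tk/simplesaml/saml2/idp/SingleLogoutService.php
saml_landing_logout_redirect_url=/
saml_skip_audience_restriction=true
saml_document_encoding=ASCII
saml_skip_audience_restriction=false
saml_inactive_account_redirect_url
"""


def parse_properties(text):
    """Return (values, duplicated_keys).

    Accepts '#'/'!' comments, key=value, key:value, key value and a bare key
    (empty value). Continuation lines and \\uXXXX escapes are not handled,
    which is fine for this file.
    """
    values, dups = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]?\s*(.*)$", line)
        key, val = m.group(1), m.group(2).strip()
        if key in values:
            dups.append(key)       # java.util.Properties silently keeps the last one
        values[key] = val
    return values, dups


def lint(values, dups, idp_registered_entity_id):
    """Return a list of findings; an empty list means the file looks sane.

    idp_registered_entity_id is the key under which the SP is registered in the
    IdP (the $metadata[...] key in SimpleSAMLphp).
    """
    findings = []
    for key in sorted(set(dups)):
        findings.append(f"duplicate key {key}: last value '{values[key]}' wins")

    # The audience check is what stops an assertion minted for another SP at the
    # same IdP from logging someone into Zimbra; never disable it in production.
    if values.get("saml_skip_audience_restriction", "false").lower() == "true":
        findings.append("saml_skip_audience_restriction=true accepts assertions "
                        "issued for any SP at this IdP")

    entity_id = values.get("saml_sp_entity_id", "")
    if entity_id != idp_registered_entity_id:
        findings.append(f"saml_sp_entity_id '{entity_id}' differs from what the IdP "
                        f"registered ('{idp_registered_entity_id}'); the audience "
                        "check would reject every assertion")

    if not values.get("saml_redirect_login_destination") and \
            not values.get("saml_post_login_destination"):
        findings.append("no IdP login endpoint configured")

    # Every SAML endpoint carries assertions or session state: require TLS.
    for key in ("saml_acs", "saml_redirect_login_destination",
                "saml_post_login_destination", "saml_redirect_logout_destination",
                "saml_post_logout_destination"):
        url = values.get(key, "")
        if url and urlparse(url).scheme != "https":
            findings.append(f"{key} is not https: {url}")
    return findings


def check_config(text, idp_registered_entity_id):
    """Parse and lint in one call."""
    values, dups = parse_properties(text)
    return lint(values, dups, idp_registered_entity_id)


if __name__ == "__main__":
    sp_id = "https://zm-zimbra9.barrydegraaff.tk/service/extension/samlreceiver"
    for finding in check_config(SAMPLE, sp_id):
        print("FINDING:", finding)
```

Run it against the real file with <code>check_config(open("/opt/zimbra/conf/saml/saml-config.properties").read(), sp_id)</code>; on the sample it reports the duplicated <code>saml_skip_audience_restriction</code> (and that <code>false</code> is the value that wins) and the plaintext logout endpoint.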
From the command line as root, copy <code>samlextn.jar</code> into place and load the IdP certificate into the domain configuration:

<pre>mkdir /opt/zimbra/lib/ext/saml
cp /opt/zimbra/extensions-network-extra/saml/samlextn.jar /opt/zimbra/lib/ext/saml/
su - zimbra
cat /tmp/idpcert.pem | xargs -0 zmprov md exampledomain.com zimbraMyoneloginSamlSigningCert
zmprov mcf zimbraCsrfRefererCheckEnabled FALSE
zmmailboxdctl restart</pre>

Replace <code>exampledomain.com</code> with the Zimbra domain whose users will log in through SAML. <code>zimbraMyoneloginSamlSigningCert</code> is the domain attribute the extension uses to verify the signature on incoming assertions, so keep it in sync when the IdP rotates its signing certificate. Note that <code>zmprov mcf</code> changes the global config: disabling the Referer check is needed because the IdP posts the SAMLResponse to the receiver from a different origin, but it also relaxes CSRF protection for the whole deployment, so do not apply it more broadly than your version of Zimbra requires.
=== Create users ===

Your user accounts must be created manually in Zimbra and must also exist in your IdP's user database. The e-mail attribute in the IdP must be exactly the same as the Zimbra account name, otherwise the user will not be able to log in. If it does not work, run <code>tail -f /opt/zimbra/log/*</code> while making an authentication request and dig through the log to find the cause. Keywords to grep for: SAML, Audience and assertion.
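The log keywords above correspond to the checks Zimbra applies to the IdP's response before it maps the NameID to an account. The script below is an added example, not the SAML extension's own code: it builds a constructed, unsigned SAMLResponse and applies those checks (issuer, validity window in the <code>saml_date_format_instant</code> format, Audience equal to <code>saml_sp_entity_id</code>, NameID in emailAddress format, exact match against an existing account), so you can see which condition a failing login trips. The IdP entity ID and the account list are assumptions; XML Signature verification against <code>zimbraMyoneloginSamlSigningCert</code> is deliberately left out and must happen before any of these checks in real code.

```python
"""Apply Zimbra's audience and NameID checks to a SAMLResponse.

Added example, not the Zimbra SAML extension's own code. build_response() makes a
constructed, unsigned response; validate() applies the checks that decide whether
the page's configuration logs a user in. Signature verification is assumed to
have already succeeded; never run these checks on unverified XML.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
INSTANT_FMT = "%Y-%m-%dT%H:%M:%SZ"   # Python form of yyyy-MM-dd'T'HH:mm:ss'Z'
SP_ENTITY_ID = "https://zm-zimbra9.barrydegraaff.tk/service/extension/samlreceiver"
# Assumption: SimpleSAMLphp's default IdP entity ID is its metadata URL.
IDP_ENTITY_ID = "https://saml.barrydegraaff.tk/simplesaml/saml2/idp/metadata.php"
# Constructed stand-in for the accounts that exist in Zimbra.
ZIMBRA_ACCOUNTS = {"alice@exampledomain.com", "bob@exampledomain.com"}

RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="{issued}" Destination="{acs}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{issued}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{fmt}">{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def format_instant(dt):
    return dt.strftime(INSTANT_FMT)


def parse_instant(text):
    return datetime.strptime(text, INSTANT_FMT).replace(tzinfo=timezone.utc)


def build_response(name_id, audience, now, issuer=IDP_ENTITY_ID, skew=timedelta(minutes=5)):
    """Constructed IdP response, valid for +/- skew around now."""
    return RESPONSE_TEMPLATE.format(
        issued=format_instant(now), acs=SP_ENTITY_ID, issuer=issuer, fmt=EMAIL_FMT,
        name_id=name_id, nb=format_instant(now - skew), noa=format_instant(now + skew),
        audience=audience)


def validate(xml_text, now, sp_entity_id=SP_ENTITY_ID, idp_entity_id=IDP_ENTITY_ID,
             accounts=ZIMBRA_ACCOUNTS):
    """Return (True, account_name) or (False, reason)."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion in response"
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != idp_entity_id:
        return False, f"unexpected issuer {issuer!r}"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "assertion has no Conditions"
    if not parse_instant(cond.get("NotBefore")) <= now < parse_instant(cond.get("NotOnOrAfter")):
        return False, "assertion outside validity window"
    # This is the check saml_skip_audience_restriction=false keeps enabled: an
    # assertion minted for a different SP at the same IdP must not log anyone in.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, f"audience {audiences} does not include {sp_entity_id}"
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        return False, "NameID missing or not in emailAddress format"
    # The guide requires the IdP e-mail attribute to equal the account name exactly.
    if name_id.text not in accounts:
        return False, f"no Zimbra account named exactly {name_id.text!r}"
    return True, name_id.text


if __name__ == "__main__":
    now = datetime(2021, 2, 22, 12, 0, 0, tzinfo=timezone.utc)
    print(validate(build_response("alice@exampledomain.com", SP_ENTITY_ID, now), now))
    print(validate(build_response("alice@exampledomain.com", "https://other-sp.example/acs", now), now))
    print(validate(build_response("Alice@exampledomain.com", SP_ENTITY_ID, now), now))
```

The second and third calls in the demo reproduce the two most common failures from the log: an Audience that is not this SP's entity ID, and an e-mail attribute that differs (here only in case) from the Zimbra account name.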
See the following links, which are updated regularly, for the current version of this guide and for set-ups with other identity providers:

https://blog.zimbra.com/2021/03/updated-saml-for-zimbra-now-supports-single-log-out/

https://blog.zimbra.com/2021/05/zimbra-skillz-zimbra-with-on-premises-single-sign-on-using-simplesamlphp/

https://blog.zimbra.com/2020/02/zimbra-and-single-sign-on-using-saml/

Keycloak: https://github.com/Zimbra/keycloak

Google Workspaces: https://github.com/Zimbra/google-workspaces-saml

Cisco Duo: https://github.com/Zimbra/cisco-duo-saml

== Zimbra FOSS SAML ==

https://gallery.zetalliance.org/extend/items/view/zimbra-single-sign-on-saml

{{Article Footer|Zimbra 9|02/22/2021}}