Authentication/SAML: Difference between revisions

mNo edit summary
 
(15 intermediate revisions by the same user not shown)
Older revision (Zimbra Collaboration 8.0, 7.0):

__FORCETOC__
<div class="col-md-12 ibox-content">
= SAML Readme =
{{KB|{{Unsupported}}|{{ZCS 8.0}}|{{ZCS 7.0}}|}}
{{WIP}}
[[Category:Authentication]]
[[Category:Administration]]
[[Category:Configuration]]

Included in Network Edition at the following location:

/opt/zimbra/extensions-network-extra/saml/README.txt

<pre>
The Zimbra SAML extension provides support for the "Browser/POST Profile of SAML" - Section 4.1.2 of
http://www.oasis-open.org/committees/download.php/3405/oasis-sstc-saml-bindings-1.1.pdf. Zimbra is the "Destination
Site" in the context of this section of the spec.

The flow for a user on a browser would be:

1. User authenticates with an IdP which can act as a SAML Provider.
2. The IdP redirects the browser to the Zimbra SAML extension URL (<zimbra_base_url>/service/extension/samlreceiver) and
   passes along a SAML Response (containing a SAML Assertion).
3. The SAML extension checks the validity of the SAML Response, and then looks up the Subject inside the SAML Assertion,
   which should be the email address corresponding to the user's Zimbra account.
4. Finally, a Zimbra cookie corresponding to that Zimbra account is returned to the browser, and the browser is redirected
   to the default Zimbra mail URL.

Zimbra Setup
------------

- Create a "saml" directory under /opt/zimbra/lib/ext; copy samlextn.jar under it.

- Add the SAML signing certificate to the domain:

    zmprov md <domain> zimbraMyoneloginSamlSigningCert <saml-signing-cert-base64-data>

Note for SAML Provider
----------------------

The SAML Provider must POST the SAML Response to the following URL for SSO:

    <zimbra_base_url>/service/extension/samlreceiver

This SAML Consumer extension requires that the Subject Name Identifier inside the SAML Assertion be the account
email address, so configure the Provider accordingly.
</pre>

== Troubleshooting ==
* Check /opt/zimbra/log/zmmailboxd.out for exceptions; it is more useful than mailbox.log in this case.
* In 8.7.11, set zimbraCsrfRefererCheckEnabled to FALSE or add the domain to zimbraCsrfAllowedRefererHosts. Setting it to FALSE is preferred.
* Also in 8.7.11, we've seen that the existing certificate stored in 'zimbraMyoneloginSamlSigningCert' doesn't load in certain situations, especially after an upgrade. To fix this, we simply have to reload the certificate.
To do this, either get a copy of the certificate, or recreate it from the output of:
zmprov gd example.com zimbraMyoneloginSamlSigningCert
After that, null the value:
zmprov md example.com zimbraMyoneloginSamlSigningCert ' '
And then set it to the new certificate.
{{Article Footer|Zimbra Collaboration 8.0, 7.0|04/16/2014}}

Newer revision (Zimbra 10, latest as of 21 September 2023):

__FORCETOC__
<div class="col-md-12 ibox-content">
= Zimbra Single Sign-On using SAML =
{{KB||{{ZCS 9.0}}|{{ZCS 10.0}}|}}

[[Category:Authentication]]
[[Category:Administration]]
[[Category:Configuration]]

Did you know that Zimbra supports SAML single sign-on? SAML is an open standard that allows you to have a single login page for all applications in your organization. SAML is a Zimbra Network Edition feature. Once you have set up SAML you can easily add multi-factor authentication.

Zimbra is a SAML service provider and should work with most SAML identity providers. For a number of SAML identity providers we have provided setup guides, which can be found in the Zimlet Gallery using this link: https://gallery.zetalliance.org/extend/category/saml and below:

= On prem =

== SimpleSAMLPhp ==

https://wiki.zimbra.com/wiki/Authentication/SimpleSAMLPhp

https://github.com/Zimbra/zimbra-auth-module-simplesamlphp/blob/main/README.md

https://github.com/Zimbra/zimbra-auth-module-simplesamlphp/blob/main/README-EXTENDED.md

== Keycloak ==

https://github.com/Zimbra/keycloak

= Hosted =

== Google Workspaces ==

https://github.com/Zimbra/google-workspaces-saml

== Cisco Duo ==

https://github.com/Zimbra/cisco-duo-saml

== JumpCloud ==

https://wiki.zimbra.com/wiki/Authentication/JumpCloud

= Zimbra FOSS SAML =

https://gallery.zetalliance.org/extend/items/view/zimbra-single-sign-on-saml

{{Article Footer|Zimbra 10|02/22/2021}}
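Steps 3 and 4 of the flow in the SAML Readme revision above (validate the SAML Response, then map its Subject to an account) together with the "Note for SAML Provider" requirement that the Subject Name Identifier be the account email, shown as an added example that is not the page's own text and not the source of Zimbra's samlextn.jar. It assumes a SAML 2.0 Response (the Readme cites the SAML 1.1 bindings; the namespaces are an assumption), a constructed sample Response, and stand-in names (`RECEIVER`, `SP_ID`, `ACCOUNTS`, `NOW`) that are not Zimbra configuration. XML-Signature verification against the certificate stored in zimbraMyoneloginSamlSigningCert is done by a signature library in practice and appears here only as the caller-supplied `signature_ok` flag.

```python
"""Consumer-side checks on a SAML Response (example added to this wiki page; not
Zimbra's extension code). Assumes SAML 2.0 namespaces; signature verification
against the domain's zimbraMyoneloginSamlSigningCert is represented by a flag."""
import datetime as dt
import xml.etree.ElementTree as ET  # on network input, parse with defusedxml instead

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
CLOCK_SKEW = dt.timedelta(minutes=3)  # tolerance for IdP/SP clock drift

# Constructed stand-ins (hypothetical values, not Zimbra configuration).
RECEIVER = "https://mail.example.com/service/extension/samlreceiver"
SP_ID = "https://mail.example.com"
ACCOUNTS = {"alice@example.com": "account-id-1"}  # stands in for the directory lookup
NOW = dt.datetime(2023, 9, 21, 10, 1, tzinfo=dt.timezone.utc)
LATER = NOW + dt.timedelta(hours=1)


class SamlError(Exception):
    """The Response must be rejected; messages are this example's own wording."""


def _xs_datetime(value):
    if value is None:
        raise SamlError("Conditions lack NotBefore/NotOnOrAfter")
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_response(xml_bytes, now, receiver_url, sp_entity_id, accounts, signature_ok):
    """Return the account email named by an acceptable Response, else raise SamlError."""
    if not signature_ok:
        raise SamlError("signature did not verify against the domain's SAML signing cert")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlError("root element is not samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise SamlError("IdP reported a non-success status")
    # The Response must be addressed to our samlreceiver URL, not replayed from another SP.
    if root.get("Destination") != receiver_url:
        raise SamlError("Destination does not match the samlreceiver URL")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlError("expected exactly one Assertion")
    assertion = assertions[0]
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise SamlError("Assertion has no Conditions")
    if now + CLOCK_SKEW < _xs_datetime(cond.get("NotBefore")):
        raise SamlError("Assertion is not yet valid")
    if now - CLOCK_SKEW >= _xs_datetime(cond.get("NotOnOrAfter")):
        raise SamlError("Assertion has expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise SamlError("Assertion was not issued for this service provider")
    # Readme requirement: the Subject Name Identifier is the account's email address.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_EMAIL:
        raise SamlError("Subject NameID missing or not in emailAddress format")
    email = (name_id.text or "").strip().lower()
    if email not in accounts:
        raise SamlError("no account for subject %r" % email)
    return email


def consume(xml_bytes, now=None, signature_ok=True):
    """Return ("ok", email) or ("rejected", reason) using the stand-in settings above."""
    try:
        email = validate_response(xml_bytes, now or NOW, RECEIVER, SP_ID, ACCOUNTS, signature_ok)
        return ("ok", email)
    except SamlError as exc:
        return ("rejected", str(exc))


# Constructed, unsigned sample Response matching the stand-ins above.
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2023-09-21T10:00:00Z"
  Destination="https://mail.example.com/service/extension/samlreceiver">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-09-21T10:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2023-09-21T09:59:00Z" NotOnOrAfter="2023-09-21T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://mail.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(consume(SAMPLE_RESPONSE))              # ("ok", "alice@example.com")
    print(consume(SAMPLE_RESPONSE, now=LATER))   # ("rejected", "Assertion has expired")
```

Each rejection branch corresponds to a condition a service provider must enforce before issuing the session cookie of step 4: a Response accepted without the Destination, Audience, validity-window and signature checks could be replayed against another SP or long after the IdP issued it. The rejection messages are this example's own wording, not the text of the exceptions the Troubleshooting section says to look for in zmmailboxd.out.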

Latest revision as of 04:24, 21 September 2023

Zimbra Single Sign-On using SAML

   KB 20404        Last updated on 2023-09-21  





Verified Against: Zimbra 10 Date Created: 02/22/2021
Article ID: https://wiki.zimbra.com/index.php?title=Authentication/SAML Date Modified: 2023-09-21


