Authentication/SAML: Difference between revisions
No edit summary |
|||
| Line 51: | Line 51: | ||
</pre> | </pre> | ||
== Troubleshooting == | |||
* Check /opt/zimbra/log/zmmailboxd.out for exceptions - it's more useful than mailbox.log in this case | |||
* In 8.7.11, set zimbraCsrfRefererCheckEnabled to FALSE or add the domain to zimbraCsrfAllowedRefererHosts. Setting it to FALSE is preferred. | |||
* Also in 8.7.11, we've seen the existing certificate stored in 'zimbraMyOneLoginSamlSigningCert' doesn't load in certain situations, especially after an upgrade. To fix this, we'll simply have to reload the certificate. | |||
To do this, either get a copy of the certificate, or recreate it from the output of: | |||
zmprov gd example.com zimbraMyOneLoginSigningCert | |||
After that, null the value: | |||
zmprov md example.com zimbraMyOneLoginSigningCert ' ' | |||
And then set it to the new certificate. | |||
{{Article Footer|Zimbra Collaboration 8.0, 7.0|04/16/2014}} | {{Article Footer|Zimbra Collaboration 8.0, 7.0|04/16/2014}} | ||
Revision as of 10:32, 20 December 2017
SAML Readme
- This article is a Work in Progress, and may be unfinished or missing sections.
Included in Network Edition at the following location:
/opt/zimbra/extensions-network-extra/saml/README.txt
The Zimbra SAML extension provides support for the "Browser/POST Profile of SAML" - Section 4.1.2 of
http://www.oasis-open.org/committees/download.php/3405/oasis-sstc-saml-bindings-1.1.pdf. Zimbra is the "Destination
Site" in the context of this section of the spec.
The flow for a user on a browser would be:
1. User authenticates with an IdP which can act as a SAML Provider.
2. The IdP redirects the browser to Zimbra SAML extension URL (<zimbra_base_url>/service/extension/samlreceiver) and
passes along a SAML Response (containing a SAML Assertion).
3. The SAML extension checks the validity of the SAML Response, and then looks up the Subject inside the SAML assertion
which should be the email address corresponding to user's Zimbra account.
4. Finally, a Zimbra cookie corresponding to that Zimbra account is returned to the browser and is redirected to the
default Zimbra mail URL.
Zimbra Setup
------------
- Create "saml" directory under /opt/zimbra/lib/ext; Copy samlextn.jar under it.
- Add the SAML signing certificate to the domain:
zmprov md <domain> zimbraMyoneloginSamlSigningCert <saml-signing-cert-base64-data>
Note for SAML Provider
----------------------
SAML Provider must POST the SAML Response at the following URL for SSO:
<zimbra_base_url>/service/extension/samlreceiver
This SAML Consumer extension requires that the Subject Name Identifier inside the SAML Assertion must be the account
email address, so configure the Provider accordingly.
Troubleshooting
- Check /opt/zimbra/log/zmmailboxd.out for exceptions - it's more useful than mailbox.log in this case
- In 8.7.11, set zimbraCsrfRefererCheckEnabled to FALSE or add the domain to zimbraCsrfAllowedRefererHosts. Setting it to FALSE is preferred.
- Also in 8.7.11, we've seen the existing certificate stored in 'zimbraMyOneLoginSamlSigningCert' doesn't load in certain situations, especially after an upgrade. To fix this, we'll simply have to reload the certificate.
To do this, either get a copy of the certificate, or recreate it from the output of:
zmprov gd example.com zimbraMyOneLoginSigningCert
After that, null the value:
zmprov md example.com zimbraMyOneLoginSigningCert ' '
And then set it to the new certificate.
