Zimbra Single Sign-On using SAML

Dear Zimbra Friends & Colleagues,

Today’s post is from Barry de Graaff, Channel Evangelist at Synacor. He may be a relatively new addition to the Synacor global team, but he has been a vital part of the Zimbra ecosystem for over a decade! Barry is an expert in Zimlet development and third-party product integrations. He co-founded the Zeta Alliance, and he has a long history working in the information technology and services industry. At Synacor, Barry is helping partners to grow their business by embracing new technologies.

Did you know that Zimbra supports SAML single sign-on? SAML is an open standard that lets you use a single login page for all applications in your organization. SAML support is a Zimbra Network Edition feature. Once you have set up your SAML portal, you can easily add multi-factor authentication there as well.

Set up Zimbra App

In SAML terms, applications are called Service Providers (SPs). The service that holds your user database and handles authentication is called the Identity Provider (IDP). Usually you have one IDP and as many SPs as you have applications. To register Zimbra as a SAML SP in your IDP, use the following settings:

Setting: RelayState
Value: (empty)

Setting: Audience
Value: https://yourzimbraserver.com/service/extension/samlreceiver
Description: The "Audience" is a string passed from the IDP to Zimbra. Zimbra compares it with its own public service URL, port and the samlreceiver path. If they are not identical, you will get a Java exception: "assertion is not targeted for this application".

Setting: Recipient
Value: https://yourzimbraserver.com/
Description: The recipient is the URL of your Zimbra server.

Setting: ACS (Consumer) URL Validator*
Value: https://yourzimbraserver.com/service/extension/samlreceiver$
Description: Pattern the IDP checks the ACS URL against; the trailing $ anchors the end of the URL so nothing may follow samlreceiver.

Setting: ACS (Consumer) URL*
Value: https://yourzimbraserver.com/service/extension/samlreceiver
Description: Full URL to the Zimbra SAML extension.

Setting: Single Logout URL
Value: https://yourzimbraserver.com/?loginOp=logout
Description: Zimbra does not support SAML SLO, so this simply redirects to the Zimbra logout page.

You will also need the X.509 public certificate the IDP uses to sign the SAML assertions it sends to Zimbra. Download it and save it on your Zimbra server. This guide assumes you store the certificate in /tmp/idpcert.pem; don’t forget to run chown zimbra:zimbra /tmp/idpcert.pem so the zimbra user can read it.


Set up Zimbra

From the command line, as user root, configure SAML like this (the zmprov and zmmailboxdctl steps run as the zimbra user):

# Install the SAML extension shipped with Network Edition
mkdir /opt/zimbra/lib/ext/saml
cp /opt/zimbra/extensions-network-extra/saml/samlextn.jar /opt/zimbra/lib/ext/saml/samlextn.jar
su zimbra
# Store the IDP signing certificate on the domain; xargs -0 passes the whole PEM file as a single argument
cat /tmp/idpcert.pem | xargs -0 zmprov md exampledomain.com zimbraMyoneloginSamlSigningCert
# Global (mcf) setting: disables the Referer check so the IDP's cross-site POST to samlreceiver is accepted
zmprov mcf zimbraCsrfRefererCheckEnabled FALSE
# Restart mailboxd so the extension and the new settings are loaded
zmmailboxdctl restart


Create users

Your user accounts must be created manually in Zimbra and must also exist in your IDP user database. It is important that the e-mail attribute in your IDP is set to exactly the same value as the Zimbra account name, or the user will not be able to log in. If it does not work, run tail -f /opt/zimbra/log/* while performing the authentication request and dig through the log to find out what the issue may be. Keywords to grep for: SAML, Audience and assertion.
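The three values that most often break this setup are the Audience, the Recipient and the asserted account name. The following added example (not part of Zimbra or its SAML extension) parses a constructed SAML Response and reports which of them would not line up with the Zimbra settings above; it assumes the IDP sends the user's e-mail address as the NameID and that the expected Zimbra account names are known.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of an IDP's SAML Response (signature omitted; values match the table above).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID>alice@exampledomain.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://yourzimbraserver.com/"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://yourzimbraserver.com/service/extension/samlreceiver</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_saml_response(xml_text, zimbra_url, zimbra_accounts):
    """Return the list of mismatches found (empty list means all three values line up)."""
    base = zimbra_url.rstrip("/")
    expected_audience = base + "/service/extension/samlreceiver"
    problems = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["Response carries no <saml:Assertion>"]
    # 1. Audience must equal the public service URL plus the samlreceiver path.
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        problems.append(f"Audience {audiences} is not {expected_audience!r}: "
                        "expect 'assertion is not targeted for this application'")
    # 2. Recipient must be the Zimbra server URL.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = (scd.get("Recipient") or "") if scd is not None else ""
    if recipient.rstrip("/") != base:
        problems.append(f"Recipient {recipient!r} is not the Zimbra server URL {zimbra_url!r}")
    # 3. The e-mail the IDP asserts (assumed to be the NameID) must exactly match a Zimbra account name.
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if name_id not in zimbra_accounts:
        problems.append(f"NameID {name_id!r} matches no Zimbra account name (spelling, case and domain must be identical)")
    return problems


if __name__ == "__main__":
    for p in check_saml_response(SAMPLE_RESPONSE, "https://yourzimbraserver.com", {"alice@exampledomain.com"}):
        print("PROBLEM:", p)
```

Run it against a SAML Response captured with your browser's developer tools (base64-decoded) whenever the log shows the Audience or assertion errors mentioned above.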

Thank you,

Barry de Graaff
Channel Evangelist
Zimbra | A Synacor Product

