
zm-sso's Introduction

Zimbra Single Sign On (Zm SSO)

Zm SSO is the Zimbra Collaboration Open Source Edition extension for single sign-on authentication to the Zimbra Web Client.
Copyright (C) 2020-present iWay Vietnam and/or its affiliates. All rights reserved.

  • Framework: pac4j, a security engine for Java that authenticates users, retrieves their profiles and manages authorizations in order to secure web applications and web services.
  • Supported authentication mechanisms: SAML 2.0, CAS, OpenID Connect.

Building the Java extension

Requirements

  • JDK 11 or newer.
  • Apache Maven 3.5 or newer for Maven build.
  • Apache Ant 1.x for Ant build.
  • rpm-build for rpm package build.

Setting up your build system

  • On Fedora, CentOS 8.x or Red Hat EL 8.x
dnf -y install java-11-openjdk java-11-openjdk-devel maven ant git make rpmdevtools rpm-build
  • On CentOS 7.x or Red Hat EL 7.x
yum -y install java-11-openjdk java-11-openjdk-devel maven ant git make rpmdevtools rpm-build
  • On Debian or Ubuntu
apt install -y openjdk-11-jdk maven ant git make

Clone code from git repository

mkdir -p ~/projects/zimbra
cd ~/projects/zimbra
git clone https://github.com/iwayvietnam/zm-sso.git

Build jar file by using Maven

cd ~/projects/zimbra/zm-sso
mvn clean package

The output should be like this:

--- maven-jar-plugin:3.0.2:jar (default-jar) @ zm-sso ---
Building jar: ~/projects/zimbra/zm-sso/target/zm-sso-1.0.0-1.jar

Build jar file by using Ant

cd ~/projects/zimbra/zm-sso
ant jar

The output should be like this:

[jar] Building jar: ~/projects/zimbra/zm-sso/dist/zm-sso-1.0.0-1.jar

Build rpm package

cd ~/projects/zimbra/zm-sso
make rpmbuild

The output should be like this:

Wrote: ~/rpmbuild/RPMS/noarch/zm-sso-1.0.0-1.el7.noarch.rpm

Installation

Install jar extension

  • Copy the extension jar, its dependency jars and the configuration file to the Zimbra mailbox server (replace mail.zimbra-server.com with your mailbox host):
cd ~/projects/zimbra/zm-sso
ssh root@mail.zimbra-server.com "mkdir -p /opt/zimbra/lib/ext/zm-sso"
scp target/*.jar root@mail.zimbra-server.com:/opt/zimbra/lib/ext/zm-sso
scp target/dependencies/*.jar root@mail.zimbra-server.com:/opt/zimbra/jetty_base/common/lib
scp conf/zm.sso.properties root@mail.zimbra-server.com:/opt/zimbra/conf
    The jars in /opt/zimbra/jetty_base/common/lib are on the classpath of the whole mailboxd process, so copy only the dependency set produced by this build (a version clash with Zimbra's own libraries shows up as Java errors at the next restart) and make sure the files are readable by the zimbra user.
  • Restart mailboxd to load the extension:
ssh root@mail.zimbra-server.com "su - zimbra -c '/opt/zimbra/bin/zmmailboxdctl restart'"

Install rpm package

ssh root@mail.zimbra-server.com "mkdir -p /tmp/zimbra"
scp ~/rpmbuild/RPMS/noarch/zm-sso-1.0.0-1.el7.noarch.rpm root@mail.zimbra-server.com:/tmp/zimbra
ssh root@mail.zimbra-server.com "rpm -Uvh /tmp/zimbra/zm-sso-1.0.0-1.el7.noarch.rpm"

Configuration

The settings are loaded from /opt/zimbra/conf/zm.sso.properties. The file holds secrets (the keystore passwords and, for OpenID Connect, the client secret), so keep it owned by the zimbra user and readable only by that user (chmod 600).

Default client configuration

  • Open /opt/zimbra/conf/zm.sso.properties in a text editor. Ex: vi /opt/zimbra/conf/zm.sso.properties
  • Specify the default pac4j client by setting the sso.defaultClient key. Ex: sso.defaultClient = SAML2Client

Callback endpoint configuration

A callback endpoint is necessary to receive the identity provider's response (the callback call) and finish the login process.

Config:

  • Open /opt/zimbra/conf/zm.sso.properties in a text editor.
  • Specify the callback endpoint by setting the sso.callbackUrl key (default client) or the per-client key. The endpoint path depends on the client:
    • /service/extension/sso/callback for the default client specified in sso.defaultClient. Ex: sso.callbackUrl = https://mail.zimbra-server.com/service/extension/sso/callback
    • /service/extension/saml/callback for the SAML client. Ex: saml.callbackUrl = https://mail.zimbra-server.com/service/extension/saml/callback
    • /service/extension/cas/callback for the CAS client. Ex: cas.callbackUrl = https://mail.zimbra-server.com/service/extension/cas/callback
    • /service/extension/oidc/callback for the OpenID Connect client. Ex: oidc.callbackUrl = https://mail.zimbra-server.com/service/extension/oidc/callback
    The callback URL must use https and must match what the identity provider has registered for this service provider (the AssertionConsumerService location in the SAML metadata, the redirect URI of the OpenID Connect client); a mismatch is rejected by the provider.
  • sso.saveInSession: whether the authenticated profile is saved in the web session.
  • sso.multiProfile: whether several profiles per session are supported.
  • sso.renewSession: whether the web session is renewed after a successful login. Renewing the session defeats session fixation, so leave this enabled.

Logout endpoint configuration

To handle the logout, a logout endpoint is necessary to perform:

  • The local logout, which removes the pac4j profiles from the session.
  • The central logout, which calls the identity provider's logout endpoint. This is the Single Logout (SLO) process.

Config:

  • Open /opt/zimbra/conf/zm.sso.properties in a text editor.
  • sso.localLogout: whether a local logout must be performed.
  • sso.destroySession: whether the web session is destroyed during the local logout.
  • sso.centralLogout: whether a central logout must be performed.
  • sso.postLogoutURL: the URL the identity provider sends the user back to after the logout. If it is not set, at the last step of an SP-initiated logout the user sees a blank page.

Configuration with any SAML identity provider using the SAML v2.0 protocol.

First, if you don't have one, generate a keystore holding the key pair used for all signing and encryption operations. Ex:

keytool -genkeypair -alias samlkey -keypass samlpasswd -keystore /opt/zimbra/conf/saml/keystore.jks -storepass samlpasswd -keyalg RSA -keysize 2048 -validity 3650

Use your own passwords rather than the placeholders above (passwords given on the command line end up in the shell history; keytool prompts for them if -keypass and -storepass are omitted) and make the keystore readable only by the zimbra user. The certificate from this keystore is published in the service provider metadata (the KeyDescriptor elements) and is what the IdP uses to verify your signed requests and to encrypt assertions for you.

Config:

  • Using a text editor to open zm.sso.properties in /opt/zimbra/conf.
  • saml.keystorePath: It defines the keystore resource location. It is the value of the -keystore option for the keystore generation with prefix file:. Ex: saml.keystorePath = file:/opt/zimbra/conf/saml/keystore.jks
  • saml.keystorePassword: It defines keystore password. It is the value of the -storepass option for the keystore generation.
  • saml.privateKeyPassword: It defines key password. It is the value of the -keypass option for the keystore generation.
  • saml.keystoreAlias: It defines keystore alias. It is the value of the -alias option for the keystore generation.
  • saml.identityProviderMetadataPath: It defines the resource location of your IdP metadata, either a URL or a file: path to a local copy. When a URL is used, the metadata is fetched over HTTPS, so the IdP's certificate must be trusted by Zimbra (see the section on importing certificates below). Ex: saml.identityProviderMetadataPath = https://samltest.id/saml/idp
  • saml.serviceProviderEntityId: It defines the entity ID of your application (the Service Provider). Ex: saml.serviceProviderEntityId = https://mail.zimbra-server.com/service/extension/saml/metadata

Configuration to login with a CAS server.

  • Using a text editor to open zm.sso.properties in /opt/zimbra/conf.
  • cas.loginUrl: It defines the login URL of your CAS server. Ex: cas.loginUrl = https://cas.cas-server.com/cas/login
  • cas.protocol: It defines the CAS protocol you want to use. Ex: cas.protocol = CAS20

Configuration to login using the OpenID Connect protocol v1.0.

  • Using a text editor to open zm.sso.properties in /opt/zimbra/conf.
  • oidc.discoveryUri: It defines the discovery URI for fetching OP metadata. Ex: oidc.discoveryUri = https://demo.c2id.com/.well-known/openid-configuration
  • oidc.id: It defines the OpenID client identifier.
  • oidc.secret: It defines the OpenID client secret.
  • oidc.scope: It defines the OpenID client scope.
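The sections above spread the zm.sso.properties keys over several lists, and a few of them (the https callback URL, the file: prefix on saml.keystorePath, the SAML signature options) are easy to get wrong in a way that only shows up as a failed or, worse, silently unverified login. The following script is an added example, not part of zm-sso (which is Java; this is Python): it parses the file and reports the settings a reviewer would flag. The key names are the ones in this README and in the configuration posted in the first issue below; the client names CasClient and OidcClient (pac4j's class names; the README only shows SAML2Client) and the rule set itself are this example's assumptions.

```python
"""Lint zm.sso.properties for the settings described in the README.

Added example, not zm-sso code. It reads Java .properties syntax
(key = value, '#' or '!' comment lines) and reports: keys the README lists
for the selected client that are missing, callback URLs that are not https
or do not end at the client's callback path, a saml.keystorePath without
the file: prefix, SAML options that switch off signature checks, and
duplicate keys (java.util.Properties silently keeps the last value).
Assumed: the client names CasClient/OidcClient and the rule set itself.
"""
import re
from urllib.parse import urlparse

# Keys the README lists per client; the extension may accept more.
REQUIRED = {
    "SAML2Client": ["saml.callbackUrl", "saml.keystorePath", "saml.keystorePassword",
                    "saml.privateKeyPassword", "saml.keystoreAlias",
                    "saml.identityProviderMetadataPath", "saml.serviceProviderEntityId"],
    "CasClient": ["cas.callbackUrl", "cas.loginUrl", "cas.protocol"],
    "OidcClient": ["oidc.callbackUrl", "oidc.discoveryUri", "oidc.id", "oidc.secret", "oidc.scope"],
}
PREFIX = {"SAML2Client": "saml", "CasClient": "cas", "OidcClient": "oidc"}


def parse_properties(text):
    """Return (properties, duplicate_keys); later duplicates overwrite earlier ones."""
    props, dupes = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m is None:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key in props:
            dupes.append(key)
        props[key] = value
    return props, dupes


def lint(text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    props, dupes = parse_properties(text)
    findings = [f"duplicate key {k}: last value wins" for k in dupes]
    client = props.get("sso.defaultClient")
    if client not in REQUIRED:
        findings.append(f"sso.defaultClient={client!r} is not one of {sorted(REQUIRED)}")
        return findings
    findings += [f"missing {key}" for key in REQUIRED[client] if not props.get(key)]

    # Callback URLs: https only, and the path must be the one the extension serves.
    prefix = PREFIX[client]
    for key, path in (("sso.callbackUrl", "/service/extension/sso/callback"),
                      (f"{prefix}.callbackUrl", f"/service/extension/{prefix}/callback")):
        url = props.get(key)
        if not url:
            continue
        parts = urlparse(url)
        if parts.scheme != "https":
            findings.append(f"{key} is not https: {url}")
        if parts.path != path:
            findings.append(f"{key} path {parts.path!r} should be {path!r}")

    if client == "SAML2Client":
        if not props.get("saml.keystorePath", "").startswith("file:"):
            findings.append("saml.keystorePath lacks the file: prefix the README requires")
        # Both options appear in the first issue below; each removes a check the SP relies on.
        if props.get("saml.allSignatureValidationDisabled", "").lower() == "true":
            findings.append("saml.allSignatureValidationDisabled=true: signatures on IdP messages are not validated")
        if props.get("saml.wantsAssertionsSigned", "").lower() != "true":
            findings.append("saml.wantsAssertionsSigned is not true: the SP does not require signed assertions")
    return findings


# Constructed inputs: WEAK_CONFIG mirrors the configuration posted in the first issue
# below (passwords replaced); HARDENED_CONFIG is the same file with the findings fixed.
WEAK_CONFIG = """\
sso.defaultClient = SAML2Client
sso.callbackUrl = https://mail.example.org/service/extension/sso/callback
saml.callbackUrl = https://mail.example.org/service/extension/saml/callback
saml.keystorePath = /opt/zimbra/conf/saml/keystore.jks
saml.keystorePassword = changeit
saml.privateKeyPassword = changeit
saml.keystoreAlias = samlkey
saml.identityProviderMetadataPath = https://saml.example.org/idp/saml2/metadata
saml.serviceProviderEntityId = https://mail.example.org/service/extension/saml/metadata
saml.logoutRequestSigned = true
saml.logoutRequestSigned = true
saml.allSignatureValidationDisabled = true
saml.wantsAssertionsSigned = false
"""
HARDENED_CONFIG = (WEAK_CONFIG
    .replace("saml.keystorePath = /opt", "saml.keystorePath = file:/opt")
    .replace("saml.logoutRequestSigned = true\nsaml.logoutRequestSigned = true", "saml.logoutRequestSigned = true")
    .replace("saml.allSignatureValidationDisabled = true", "saml.allSignatureValidationDisabled = false")
    .replace("saml.wantsAssertionsSigned = false", "saml.wantsAssertionsSigned = true"))

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, lint(cfg) or "no findings")
```

Run it against a copy of /opt/zimbra/conf/zm.sso.properties before restarting mailboxd; the two SAML signature findings are the ones to take seriously, because with signature validation disabled the extension has no way to tell an assertion minted by the IdP from one posted by anybody who can reach the callback URL.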

Replace the login and logout URLs

  • Execute following commands with the Zimbra user for domain configuration:
# SSO login by using default client. Specified in sso.defaultClient
zmprov md yourdomain.com zimbraWebClientLoginURL https://mail.zimbra-server.com/service/extension/sso/login
# or SSO login by using SAML client
# zmprov md yourdomain.com zimbraWebClientLoginURL https://mail.zimbra-server.com/service/extension/saml/login
# or SSO login by using CAS client
# zmprov md yourdomain.com zimbraWebClientLoginURL https://mail.zimbra-server.com/service/extension/cas/login
# or SSO login by using OpenID Connect client
# zmprov md yourdomain.com zimbraWebClientLoginURL https://mail.zimbra-server.com/service/extension/oidc/login
# Specified logout URL
zmprov md yourdomain.com zimbraWebClientLogoutURL https://mail.zimbra-server.com/service/extension/sso/logout
  • Execute following commands with the zimbra user for global configuration:
# SSO login by using default client. Specified in sso.defaultClient
zmprov mcf zimbraWebClientLoginURL https://mail.zimbra-server.com/service/extension/sso/login
# or SSO login by using SAML client
# zmprov mcf zimbraWebClientLoginURL https://mail.zimbra-server.com/service/extension/saml/login
# or SSO login by using CAS client
# zmprov mcf zimbraWebClientLoginURL https://mail.zimbra-server.com/service/extension/cas/login
# or SSO login by using OpenID Connect client
# zmprov mcf zimbraWebClientLoginURL https://mail.zimbra-server.com/service/extension/oidc/login
# Specified logout URL
zmprov mcf zimbraWebClientLogoutURL https://mail.zimbra-server.com/service/extension/sso/logout
  • Execute the following command with the zimbra user to restart Zimbra server: zmcontrol restart

Import an untrusted ssl certificate into the cacerts file

This is needed when the identity provider's TLS certificate is not issued by a CA already present in Zimbra's trust store (for example a private CA), because the extension fetches the IdP metadata and the OpenID Connect discovery document over HTTPS. The command below trusts whatever certificate the server presents, so compare its fingerprint with the one the IdP administrator gave you before adding it (openssl x509 -in /path/to/cert.pem -noout -fingerprint -sha256).

  • Export untrusted ssl certificate to the file:
openssl s_client -servername idp.server.net -connect idp.server.net:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >/path/to/cert.pem
  • Execute following commands with the Zimbra user:
zmcertmgr addcacert /path/to/cert.pem
zmmailboxdctl restart

Add the identity provider hostname to the CSRF allowed referer hosts

The identity provider posts to the callback endpoint (for example with the SAML HTTP-POST binding); add its hostname to zimbraCsrfAllowedRefererHosts so that these requests pass Zimbra's CSRF referer check:

zmprov -l mcf +zimbraCsrfAllowedRefererHosts idp.server.net
zmmailboxdctl restart


Licensing

Zm SSO is licensed under the GNU AFFERO GENERAL PUBLIC LICENSE, Version 3. See LICENSE for the full license text.

zm-sso's People

Contributors

nguyennv avatar


zm-sso's Issues

SAMLException: Error decoding HTTP-Redirect SAML message and When looking for an assertion we did not found it

Hello everybody,

Can someone help me debug this SAML setup? I got a working sign-on, but I cannot get the logout to work, whether initiated by the client or from the IdP. I am using zm-sso-1.0.0-1.jar and ipsilon-3.0.4-3.fc36.noarch. I have other clients, rocket.chat and nextcloud, working with both sign-on and sign-out.

[Mon Oct 03 08:28:11.868392 2022] [wsgi:error] [pid 28717:tid 28827] [remote 192.168.40.14:39124] [03/Oct/2022:08:28:11]  DEBUG(ipsilon/providers/saml2idp.py:406 IdpProvider.idp_initiated_logout()): IdP-initiated SAML2 logout
[Mon Oct 03 08:28:11.990792 2022] [wsgi:error] [pid 28717:tid 28827] [remote 192.168.40.14:39124] [03/Oct/2022:08:28:11]  DEBUG(ipsilon/providers/saml2idp.py:456 IdpProvider.idp_initiated_logout()): Sending initial logout request to https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client&logoutendpoint=true
2022-10-03 08:28:12,015 INFO  [qtp1665620686-8722:https:https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client&logoutendpoint=true] [] extensions - SSO callback with: SAML2Client
2022-10-03 08:28:12,029 ERROR [qtp1665620686-8722:https:https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client&logoutendpoint=true] [] extensions - org.pac4j.saml.exceptions.SAMLException: Error decoding HTTP-Redirect SAML message

2022-10-03 08:29:41,111 INFO  [qtp1665620686-8746:https:https://mail.example.org/service/extension/sso/logout] [] extensions - Destroy front channel sso session
2022-10-03 08:29:41,115 INFO  [qtp1665620686-8746:https:https://mail.example.org/service/extension/sso/logout] [] extensions - SSO logout is performed
[Mon Oct 03 08:29:41.166252 2022] [wsgi:error] [pid 28717:tid 28822] [remote 192.168.40.14:39332] [03/Oct/2022:08:29:41]  DEBUG(providers/saml2/logout.py:35 Logout._handle_logout_request()): saml2: Logout request
[Mon Oct 03 08:29:41.169006 2022] [wsgi:error] [pid 28717:tid 28822] [remote 192.168.40.14:39332] [03/Oct/2022:08:29:41]  DEBUG(providers/saml2/logout.py:61 Logout._handle_logout_request()): saml2: SLO from https://mail.example.org/service/extension/saml/metadata with ('_7E20499B436F643441D8F044C64573DE',) sessions
[Mon Oct 03 08:29:41.180022 2022] [wsgi:error] [pid 28717:tid 28822] [remote 192.168.40.14:39332] [03/Oct/2022:08:29:41]  ERROR: SLO validation failed: <lasso.ProfileMissingAssertionError(-427): When looking for an assertion we did not found it.>
[zimbra@mail root]$ cat /opt/zimbra/conf/zm.sso.properties | grep -v "#"
sso.defaultClient = SAML2Client
sso.callbackUrl = https://mail.example.org/service/extension/sso/callback
saml.callbackUrl = https://mail.example.org/service/extension/saml/callback
sso.saveInSession = true
sso.multiProfile = true
sso.renewSession = true
sso.localLogout = true
sso.destroySession = true
sso.centralLogout = true
sso.postLogoutURL = https://mail.example.org/
saml.keystorePath = /opt/zimbra/conf/saml/keystore.jks
saml.keystorePassword = <secret>
saml.privateKeyPassword = <secret>
saml.keystoreAlias = samlkey
saml.identityProviderMetadataPath = https://saml.example.org/idp/saml2/metadata
saml.serviceProviderEntityId = https://mail.example.org/service/extension/saml/metadata
saml.spLogoutRequestBindingType = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
saml.spLogoutResponseBindingType = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
saml.authnRequestSigned = true
saml.logoutRequestSigned = true
saml.logoutRequestSigned = true
saml.allSignatureValidationDisabled = true
saml.wantsAssertionsSigned = false
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_d60ed73e163045cd924b5a893651fc3f7c0f3b4" entityID="https://mail.example.org/service/extension/saml/metadata" validUntil="2042-10-03T01:12:03.052Z">
<md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha384"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha512"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
<alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
</md:Extensions>
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
<md:Extensions xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init">
<init:RequestInitiator Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client"/>
</md:Extensions>
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDdzCCAl+gAwIBAgIESUCWSjANBgkqhkiG9w0BAQsFADBsMRAwDgYDVQQGEwdVbmtub3duMRAw DgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYD VQQLEwdVbmtub3duMRAwDgYDVQQDEwdVbmtub3duMB4XDTIyMTAwMjE4Mzc1NloXDTMyMDkyOTE4 Mzc1NlowbDEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5r bm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEQMA4GA1UEAxMHVW5rbm93 bjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIHiQjUBBJWkGNrE2NjGHjOuOfFtDa0T tPR3H6OUta4KXyzTyyBskPlFO7RVJtSU+X0hq40Yzr8eRbzgT1k+O+Qnn3SOXTG/361Wkp5YyqfP rfOx/XJyzKbCNcYomWLbj1ZW49vYFcMhd59oNzF37gqAyCene48zPW+5iKPl3q+gLNV8GPJJNZel LV60Ilw2YS28y4AJSSdPRqjO5yOUnn4V821a1VbsXo8bFvgBp64k3xnBAh+gA926u3HqkIcT67sI m05km/Wu8RzRoCWIaMYah34YVEyk837RcG8csp+9XEb6QT6aX21C7cVg1Ebd2vti8G1x9w0e+fAE mcxMBssCAwEAAaMhMB8wHQYDVR0OBBYEFHbJMfYpBKi9/1JiF++8hSfg5gABMA0GCSqGSIb3DQEB CwUAA4IBAQBLF2ZTXeSZR1vDLLjLbJJxPR/NtTE3uBNTJeAxY4/U3tyYrbROBZTwepI5Fq8alpqd iqo1iwDxivwKHzS+l8YrMW7QBHmC1xjpMNhTeqeGPgbEqDVR0bgCDjUpilGeFc3zgWRzVDO6TCCE /zFAKmR3chXVRW4pF9+DDCiyYI41QNCzZG4S/ziAmH+ISllDYqLM3mtHKH2g3GUKFdeQ01rDXqGe KaOXQbiouwIr7V9pi7Ba64A0OP/+5doa8jcR/V8jV+fnDF/ZCxvIq837mkqkt1DRd5DTH88BPMZy 5QK2T12Ft5iF1/KiAT0D7xXTd2CMPuB9AhXmJ+uAD70l9T9+</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDdzCCAl+gAwIBAgIESUCWSjANBgkqhkiG9w0BAQsFADBsMRAwDgYDVQQGEwdVbmtub3duMRAw DgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYD VQQLEwdVbmtub3duMRAwDgYDVQQDEwdVbmtub3duMB4XDTIyMTAwMjE4Mzc1NloXDTMyMDkyOTE4 Mzc1NlowbDEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5r bm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEQMA4GA1UEAxMHVW5rbm93 bjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIHiQjUBBJWkGNrE2NjGHjOuOfFtDa0T tPR3H6OUta4KXyzTyyBskPlFO7RVJtSU+X0hq40Yzr8eRbzgT1k+O+Qnn3SOXTG/361Wkp5YyqfP rfOx/XJyzKbCNcYomWLbj1ZW49vYFcMhd59oNzF37gqAyCene48zPW+5iKPl3q+gLNV8GPJJNZel LV60Ilw2YS28y4AJSSdPRqjO5yOUnn4V821a1VbsXo8bFvgBp64k3xnBAh+gA926u3HqkIcT67sI m05km/Wu8RzRoCWIaMYah34YVEyk837RcG8csp+9XEb6QT6aX21C7cVg1Ebd2vti8G1x9w0e+fAE mcxMBssCAwEAAaMhMB8wHQYDVR0OBBYEFHbJMfYpBKi9/1JiF++8hSfg5gABMA0GCSqGSIb3DQEB CwUAA4IBAQBLF2ZTXeSZR1vDLLjLbJJxPR/NtTE3uBNTJeAxY4/U3tyYrbROBZTwepI5Fq8alpqd iqo1iwDxivwKHzS+l8YrMW7QBHmC1xjpMNhTeqeGPgbEqDVR0bgCDjUpilGeFc3zgWRzVDO6TCCE /zFAKmR3chXVRW4pF9+DDCiyYI41QNCzZG4S/ziAmH+ISllDYqLM3mtHKH2g3GUKFdeQ01rDXqGe KaOXQbiouwIr7V9pi7Ba64A0OP/+5doa8jcR/V8jV+fnDF/ZCxvIq837mkqkt1DRd5DTH88BPMZy 5QK2T12Ft5iF1/KiAT0D7xXTd2CMPuB9AhXmJ+uAD70l9T9+</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client&logoutendpoint=true"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client&logoutendpoint=true"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client&logoutendpoint=true"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client&logoutendpoint=true"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client" index="0"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" validUntil="2027-09-25T10:52:14.946448Z" entityID="https://saml.example.org/idp/saml2/metadata">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="true">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDJzCCAg+gAwIBAgIUEE0tOBVESVIzpYStV3wVwoWcyNwwDQYJKoZIhvcNAQEL BQAwIzEhMB8GA1UEAwwYaXBzaWxvbjAyLm1hbWFjYXNoLmxvY2FsMB4XDTIyMDky NjEwNTIxNFoXDTI3MDkyNTEwNTIxNFowIzEhMB8GA1UEAwwYaXBzaWxvbjAyLm1h bWFjYXNoLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvC9s 9ch5D2UgPR5ka62i8Maq6QDy6GK9/ZjG68jZOPpl9bnpmIDD4EgFUyBvtshnaPQc BqSBlDE2N3OKXDF9+5MCKXU1wnz0YBn02H49PG8J1TOS8lYmGuNmf88bfxX02ahg xwA4ZtHhRwbLhsIV3aRRUXvocHOg5PZbymb/JYqnQbKByXKHUnmjbzI8h3WcgmHE 848x8GwQCW1MLNA2eUITV7rUE+aN9P+UucBS9FnbjvoCCyAfzHTTuGiTh29KjRo+ 1YdYGrfYoMIQ9wAI6laW9xWqptDpumFGrzdi493sIXX6flEN2qY5+7nM6ffPZrXT PMqFMbqI3uetJJq8lQIDAQABo1MwUTAdBgNVHQ4EFgQU4ygBodjpXIYmUXZcQ0Cj vsiZJtkwHwYDVR0jBBgwFoAU4ygBodjpXIYmUXZcQ0CjvsiZJtkwDwYDVR0TAQH/ BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAD2lTKmmnVMBjaljgUTRO44sAS35E IUH1Bgp1HkL9YxSjrBOsQVttZw+ZcAzLUsSoFkokLcn74bYUvNYcMXGRffqmxF9M Z4MwaAWqOeJqDKp6CqCGpGBKxf9Usw7Lgr5WUtK6aZdlhUs29/OhqstAfTOr8olS 9C+ApTCQy7jvjQDb0mE+Lw/8MAsIR1CEwu/rvhl3QDBdYj8R8zFAf6R12ZANyDJX +XxZjWHGwpFYEaiv0V4wvVv9cM1XlNVN+v716N6tF+fgW52r9n9p010hnDITV59n 8fLf4l+r0JMIOmGnAsUhWwr8j06HhNEGwmm+Ye8sMBPnMOyX6QXAnbqBSA== </ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDJzCCAg+gAwIBAgIUEE0tOBVESVIzpYStV3wVwoWcyNwwDQYJKoZIhvcNAQEL BQAwIzEhMB8GA1UEAwwYaXBzaWxvbjAyLm1hbWFjYXNoLmxvY2FsMB4XDTIyMDky NjEwNTIxNFoXDTI3MDkyNTEwNTIxNFowIzEhMB8GA1UEAwwYaXBzaWxvbjAyLm1h bWFjYXNoLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvC9s 9ch5D2UgPR5ka62i8Maq6QDy6GK9/ZjG68jZOPpl9bnpmIDD4EgFUyBvtshnaPQc BqSBlDE2N3OKXDF9+5MCKXU1wnz0YBn02H49PG8J1TOS8lYmGuNmf88bfxX02ahg xwA4ZtHhRwbLhsIV3aRRUXvocHOg5PZbymb/JYqnQbKByXKHUnmjbzI8h3WcgmHE 848x8GwQCW1MLNA2eUITV7rUE+aN9P+UucBS9FnbjvoCCyAfzHTTuGiTh29KjRo+ 1YdYGrfYoMIQ9wAI6laW9xWqptDpumFGrzdi493sIXX6flEN2qY5+7nM6ffPZrXT PMqFMbqI3uetJJq8lQIDAQABo1MwUTAdBgNVHQ4EFgQU4ygBodjpXIYmUXZcQ0Cj vsiZJtkwHwYDVR0jBBgwFoAU4ygBodjpXIYmUXZcQ0CjvsiZJtkwDwYDVR0TAQH/ BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAD2lTKmmnVMBjaljgUTRO44sAS35E IUH1Bgp1HkL9YxSjrBOsQVttZw+ZcAzLUsSoFkokLcn74bYUvNYcMXGRffqmxF9M Z4MwaAWqOeJqDKp6CqCGpGBKxf9Usw7Lgr5WUtK6aZdlhUs29/OhqstAfTOr8olS 9C+ApTCQy7jvjQDb0mE+Lw/8MAsIR1CEwu/rvhl3QDBdYj8R8zFAf6R12ZANyDJX +XxZjWHGwpFYEaiv0V4wvVv9cM1XlNVN+v716N6tF+fgW52r9n9p010hnDITV59n 8fLf4l+r0JMIOmGnAsUhWwr8j06HhNEGwmm+Ye8sMBPnMOyX6QXAnbqBSA== </ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://saml.example.org/idp/saml2/SSO/POST"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://saml.example.org/idp/saml2/SSO/Redirect"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://saml.example.org/idp/saml2/SSO/SOAP"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://saml.example.org/idp/saml2/SLO/Redirect"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</md:NameIDFormat>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
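The SP and IdP metadata posted above differ in ways that matter for Single Logout and for what the SP actually verifies: the SP advertises four SingleLogoutService bindings while the IdP offers only HTTP-Redirect, the SP declares WantAssertionsSigned="false" (and the posted properties also set saml.allSignatureValidationDisabled = true), the SP lists SHA-1 and HMAC signing methods, and its metadata is valid until 2042. The script below is an added example, not zm-sso code and not part of the issue: it parses both documents and cross-checks them. The two metadata strings are constructed from the ones above with the certificates and most of the algorithm entries removed; entity IDs, bindings and flags are kept as posted, and the check list is this example's own.

```python
"""Cross-check SP and IdP SAML metadata before turning on Single Logout.

Added example, not zm-sso code. The metadata documents are constructed
from the ones posted in the issue above (certificates and most algorithm
entries removed). Findings: binding compatibility in both directions,
WantAssertionsSigned, weak algorithms, metadata lifetime.
"""
import datetime as dt
import xml.etree.ElementTree as ET  # use defusedxml for metadata you did not fetch over TLS yourself

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ALG = "urn:oasis:names:tc:SAML:metadata:algsupport"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Fixed "now" (the date of the issue) so the lifetime check is reproducible; pass now=None for the real clock.
REVIEW_DATE = dt.datetime(2022, 10, 3, tzinfo=dt.timezone.utc)

SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:alg="{ALG}"
  entityID="https://mail.example.org/service/extension/saml/metadata" validUntil="2042-10-03T01:12:03.052Z">
  <md:Extensions>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  </md:Extensions>
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{POST}"
      Location="https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client&amp;logoutendpoint=true"/>
    <md:SingleLogoutService Binding="{REDIRECT}"
      Location="https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client&amp;logoutendpoint=true"/>
    <md:AssertionConsumerService Binding="{POST}" index="0"
      Location="https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}"
  entityID="https://saml.example.org/idp/saml2/metadata" validUntil="2027-09-25T10:52:14.946448Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="true">
    <md:SingleSignOnService Binding="{POST}" Location="https://saml.example.org/idp/saml2/SSO/POST"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://saml.example.org/idp/saml2/SSO/Redirect"/>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://saml.example.org/idp/saml2/SLO/Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _flag(elem, name):
    return (elem.get(name) or "false").lower() == "true"


def _endpoints(elem, tag):
    """Map binding URI -> Location for every <tag> element below elem."""
    return {e.get("Binding"): e.get("Location") for e in elem.iter(f"{{{MD}}}{tag}")}


def parse_sp(xml):
    root = ET.fromstring(xml)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    algs = [e.get("Algorithm") for e in root.iter()
            if e.tag in (f"{{{ALG}}}SigningMethod", f"{{{ALG}}}DigestMethod")]
    return {
        "entity_id": root.get("entityID"),
        "valid_until": dt.datetime.fromisoformat(root.get("validUntil").replace("Z", "+00:00")),
        "authn_requests_signed": _flag(sp, "AuthnRequestsSigned"),
        "want_assertions_signed": _flag(sp, "WantAssertionsSigned"),
        "slo": _endpoints(sp, "SingleLogoutService"),
        "weak_algorithms": sorted(a for a in algs if a.endswith("sha1") or "hmac" in a),
    }


def parse_idp(xml):
    root = ET.fromstring(xml)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    return {
        "entity_id": root.get("entityID"),
        "want_authn_requests_signed": _flag(idp, "WantAuthnRequestsSigned"),
        "sso": _endpoints(idp, "SingleSignOnService"),
        "slo": _endpoints(idp, "SingleLogoutService"),
    }


def check(sp, idp, sp_logout_request_binding, now=REVIEW_DATE):
    """Findings that would break SLO or weaken what the SP verifies; empty list = nothing flagged."""
    now = now or dt.datetime.now(dt.timezone.utc)
    findings = []
    # saml.spLogoutRequestBindingType must be a binding the IdP's SingleLogoutService offers ...
    if sp_logout_request_binding not in idp["slo"]:
        findings.append(f"IdP offers no SingleLogoutService for {sp_logout_request_binding}")
    # ... and the SP must accept whichever binding the IdP uses for IdP-initiated logout.
    for binding in idp["slo"]:
        if binding not in sp["slo"]:
            findings.append(f"SP has no SingleLogoutService for IdP binding {binding}")
    if not sp["want_assertions_signed"]:
        findings.append("SP metadata declares WantAssertionsSigned=false")
    if idp["want_authn_requests_signed"] and not sp["authn_requests_signed"]:
        findings.append("IdP wants signed AuthnRequests but the SP does not sign them")
    if sp["weak_algorithms"]:
        findings.append("SP advertises weak signature/digest algorithms: " + ", ".join(sp["weak_algorithms"]))
    if sp["valid_until"] - now > dt.timedelta(days=366):
        findings.append(f"SP metadata validUntil {sp['valid_until'].date()} is more than a year away")
    return findings


if __name__ == "__main__":
    for finding in check(parse_sp(SP_METADATA), parse_idp(IDP_METADATA), REDIRECT):
        print("-", finding)
```

With the metadata as posted and saml.spLogoutRequestBindingType set to HTTP-Redirect, the binding checks pass in both directions and the remaining findings are the unsigned-assertion flag, the weak algorithms and the 20-year validUntil; switching the SP to the HTTP-POST logout binding adds a fourth finding because this IdP has no POST SingleLogoutService.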

404 Not Found

Hi,

I installed the zm-sso extension as described in the README and configured the settings for OpenID, but when I access https://server/service/extension/oidc/callback I get a 404 Not Found error.

On mailbox.log I found this:

2023-03-23 18:53:01,887 INFO  [main] [] extensions - Register saml sso handlers
2023-03-23 18:53:01,888 ERROR [main] [] extensions - com.zimbra.cs.extension.ExtensionException: No saml client found
2023-03-23 18:53:01,889 INFO  [main] [] extensions - Register cas sso handlers
2023-03-23 18:53:01,889 ERROR [main] [] extensions - com.zimbra.cs.extension.ExtensionException: No cas client found
2023-03-23 18:53:01,889 INFO  [main] [] extensions - Register oidc sso handlers
2023-03-23 18:53:01,890 ERROR [main] [] extensions - com.zimbra.cs.extension.ExtensionException: No oidc client found

It doesn't seem the like the pac4j extensions are loading. Can anyone help with this?

Issue while installing RPM

Getting below issue

[zimbra@SIDCPOSTFX02 zimbra]$ rpm -Uvh zm-sso-1.0.0-1.el8.noarch.rpm
error: Failed dependencies:
zimbra-store = 8.8.15 is needed by zm-sso-1.0.0-1.el8.noarch

zimbra multi server architecture SSO

Hi
What needs to be done if we have zimbra multi server architecture
2 * proxy server
2* Mta Server
2* Mailbox Server
2* Ldap Server in Master- Master Replication

Can you please suggest what can be process of SSO on SAML for Multi server Architecture .
TIA
Biswajit

Single Logout Response Missing RelayState

When I terminate the session from any of the service providers with multiple logins, a saml single session logout request is sent to the identity provider, single logout is initiated and the identity server makes a request to the single logout service of each service provider. When sending the request from the identity server, SAMLRequest and RelayState two parameters are sent, the identity server expects the RelayState Parameter with SAMLResponse after the service provider logs out. But after logout, only SAMLResponse returns to the identity server and since there is no RelayState Parameter on the IDP side, it causes an error and session termination is interrupted.

Is it possible to return the RelayState parameter and value sent during the request to the identity provider in the logout response?

See section 3.4.3 RelayState of the SAML bindings document: https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf for the HTTP-Redirect binding:

3.4.3 RelayState

RelayState data MAY be included with a SAML protocol message transmitted with this binding. The value MUST NOT exceed 80 bytes in length and SHOULD be integrity protected by the entity creating the message independent of any other protections that may or may not exist during message transmission. Signing is not realistic given the space limitation, but because the value is exposed to third-party tampering, the entity SHOULD ensure that the value has not been tampered with by using a checksum, a pseudo-random value, or similar means. If a SAML request message is accompanied by RelayState data, then the SAML responder MUST return its SAML protocol response using a binding that also supports a RelayState mechanism, and it MUST place the exact data it received with the request into the corresponding RelayState parameter in the response. If no such value is included with a SAML request message, or if the SAML response message is being generated without a corresponding request, then the SAML responder MAY include RelayState data to be interpreted by the recipient based on the use of a profile or prior agreement between the parties
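The rule quoted above has two halves: the responder MUST echo RelayState byte for byte, and the party that creates a RelayState SHOULD integrity-protect it, since anyone can rewrite a query parameter. The script below is an added example, not zm-sso code and not part of the issue (the extension delegates this to pac4j, whose code is not shown): it implements the HTTP-Redirect binding for Single Logout on both sides. The IdP side builds a LogoutRequest with an HMAC-protected RelayState, the SP side decodes it (raw DEFLATE plus base64, the step that fails with "Error decoding HTTP-Redirect SAML message" in the first issue), answers with a LogoutResponse and echoes RelayState unchanged, and the IdP side verifies the echoed value. The LogoutRequest, the entity IDs, endpoints and the HMAC key are constructed; XML signatures are omitted, so this shows the binding and the RelayState rules only, and a real SP also verifies the request signature before acting on it.

```python
"""SAML HTTP-Redirect binding for Single Logout with RelayState handling.

Added example, not zm-sso code. Constructed inputs: the LogoutRequest,
all IDs, endpoints and the HMAC key. XML signatures are left out; a real
SP verifies the request signature before logging anyone out.
"""
import base64, hashlib, hmac, secrets, zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY = "https://mail.example.org/service/extension/saml/metadata"
SP_SLO = "https://mail.example.org/service/extension/saml/callback?client_name=SAML2Client&logoutendpoint=true"
IDP_ENTITY = "https://saml.example.org/idp/saml2/metadata"
IDP_SLO = "https://saml.example.org/idp/saml2/SLO/Redirect"


def deflate_b64(xml):
    """HTTP-Redirect encoding: raw DEFLATE (no zlib header), then base64."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(co.compress(xml.encode()) + co.flush()).decode()


def inflate_b64(value):
    return zlib.decompress(base64.b64decode(value), -15).decode()


def make_relay_state(key, value):
    """value plus a truncated HMAC-SHA256 tag; the spec caps RelayState at 80 bytes,
    so the tag is kept short (15 bytes -> 20 base64url chars, no padding)."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).digest()[:15]
    state = f"{value}.{base64.urlsafe_b64encode(tag).decode()}"
    if len(state.encode()) > 80:
        raise ValueError("RelayState exceeds 80 bytes")
    return state


def verify_relay_state(key, state):
    """Return the protected value, or None if the tag is missing or wrong."""
    value, sep, _ = state.rpartition(".")
    if not sep:
        return None
    try:
        expected = make_relay_state(key, value)
    except ValueError:
        return None
    return value if hmac.compare_digest(expected.encode(), state.encode()) else None


def parse_logout_request(saml_request):
    root = ET.fromstring(inflate_b64(saml_request))
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a LogoutRequest")
    return {"id": root.get("ID"), "destination": root.get("Destination"),
            "issuer": root.findtext(f"{{{SAML}}}Issuer"),
            "session_index": root.findtext(f"{{{SAMLP}}}SessionIndex")}


def sp_handle_slo_redirect(query, issue_instant):
    """SP side: consume the IdP's GET query string and return the redirect URL for the browser."""
    params = parse_qs(query)
    req = parse_logout_request(params["SAMLRequest"][0])
    if req["destination"] != SP_SLO or req["issuer"] != IDP_ENTITY:
        raise ValueError("LogoutRequest is not addressed to this SP by the expected IdP")
    # (local logout of req["session_index"] would happen here)
    response = (f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
                f'ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{issue_instant}" '
                f'Destination="{escape(IDP_SLO)}" InResponseTo="{req["id"]}">'
                f'<saml:Issuer>{SP_ENTITY}</saml:Issuer>'
                f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status></samlp:LogoutResponse>')
    out = {"SAMLResponse": deflate_b64(response)}
    if "RelayState" in params:
        out["RelayState"] = params["RelayState"][0]  # MUST be returned exactly (bindings 3.4.3)
    return f"{IDP_SLO}?{urlencode(out)}"


def idp_initiated_query(relay_state, request_id=None, session_index="_7E20499B436F643441D8F044C64573DE"):
    """IdP side (constructed): query string of the redirect that sends the browser to the SP."""
    request_id = request_id or "_" + secrets.token_hex(16)
    request = (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
               f'Version="2.0" IssueInstant="2022-10-03T08:28:11Z" Destination="{escape(SP_SLO)}">'
               f'<saml:Issuer>{IDP_ENTITY}</saml:Issuer><saml:NameID>user@example.org</saml:NameID>'
               f'<samlp:SessionIndex>{session_index}</samlp:SessionIndex></samlp:LogoutRequest>')
    return urlencode({"SAMLRequest": deflate_b64(request), "RelayState": relay_state})


def idp_check_response(url, key):
    """IdP side: decode the SP's LogoutResponse and verify the RelayState it echoed."""
    params = parse_qs(urlparse(url).query)
    root = ET.fromstring(inflate_b64(params["SAMLResponse"][0]))
    return {"in_response_to": root.get("InResponseTo"),
            "issuer": root.findtext(f"{{{SAML}}}Issuer"),
            "status": root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value"),
            "relay_state": verify_relay_state(key, params["RelayState"][0]) if "RelayState" in params else None}


if __name__ == "__main__":
    idp_key = b"idp-relay-state-key"  # constructed; a real deployment uses a random per-site secret
    state = make_relay_state(idp_key, "https://saml.example.org/after-logout")
    redirect = sp_handle_slo_redirect(idp_initiated_query(state), "2022-10-03T08:28:12Z")
    print(redirect)
    print(idp_check_response(redirect, idp_key))
```

Two details carry the security weight: the SP rejects a LogoutRequest whose Destination or Issuer is not the pair it expects, and it copies RelayState without interpreting it, while the IdP that minted the value is the only party that can verify the tag. Dropping the parameter, as the issue describes, leaves the IdP unable to resume its own SLO state.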

Installation problems

1- When I run the following command "make rpmbuild" I get an error.
make rpmbuild
rpmbuild --build-in-place --nodebuginfo -bb rpms/zm-sso.spec
--build-in-place: unknown option
make: *** [rpmbuild] Error 1

2 - The URL "https://gitlab.com/iway/zm-sso" It's unavailable?

3 - How do I get the "zm-sso-1.0.0-1.el7.noarch.rpm" file?

how to build for zimbra 8

When trying to compile zm-sso on a Zimbra CentOS 8 server I get a javac error.

tried both:

yum -y install java-1.8.0-openjdk java-1.8.0-openjdk-devel maven ant git
yum -y install java-11-openjdk java-11-openjdk-devel maven ant git

generate-buildinfo:
    [mkdir] Created dir: /root/projects/zimbra/zm-sso/build/buildinfo/com/iwayvietnam/buildinfo
    [javac] Compiling 1 source file to /root/projects/zimbra/zm-sso/build
    [javac] javac: invalid target release: 11
    [javac] Usage: javac <options> <source files>
    [javac] use -help for a list of possible options

BUILD FAILED
/root/projects/zimbra/zm-sso/build.xml:212: Compile failed; see the compiler error output for details.

# javac -version
javac 1.8.0_322

Release 8.8.15_GA_3953.RHEL8_64_20200629025823 RHEL8_64 FOSS edition, Patch 8.8.15_P33.

I first built zm-sso-1.0.0-1.jar on Debian bullseye with no issues and copied the zm-sso-1.0.0-1.jar and the files in dependencies, but then after zmmailboxdctl restart I got loads of Java errors and it shows a network error when trying to login; if I remove the zm-sso-1.0.0-1.jar it starts working again.


Issue while building rpm

Hi Team
Getting below issue while building rpm

error: %changelog not in descending chronological order

Error running "ant jar"

I ran the command "ant jar", but it presented several errors.

Error message:

compile:
[javac] Compiling 23 source files to /root/projects/zimbra/zm-sso/build
[javac] /root/projects/zimbra/zm-sso/src/main/java/com/iwayvietnam/zmsso/saml/SamlSloHandler.java:26: error: package org.opensaml.saml.common.xml does not exist
[javac] import org.opensaml.saml.common.xml.SAMLConstants;
[javac] ^
[javac] /root/projects/zimbra/zm-sso/src/main/java/com/iwayvietnam/zmsso/service/GetAllSsoSessions.java:31: error: package org.dom4j does not exist
[javac] import org.dom4j.QName;
[javac] ^
[javac] /root/projects/zimbra/zm-sso/src/main/java/com/iwayvietnam/zmsso/service/GetAllSsoSessions.java:40: error: cannot find symbol
[javac] public static QName GET_ALL_SSO_SESSIONS_REQUEST = QName.get(ZmSsoExtension.E_GET_ALL_SSO_SESSIONS_REQUEST, AdminConstants.NAMESPACE);
[javac] ^
[javac] symbol: class QName
[javac] location: class GetAllSsoSessions
[javac] /root/projects/zimbra/zm-sso/src/main/java/com/iwayvietnam/zmsso/service/GetAllSsoSessions.java:41: error: cannot find symbol
[javac] public static QName GET_ALL_SSO_SESSIONS_RESPONSE = QName.get(ZmSsoExtension.E_GET_ALL_SSO_SESSIONS_RESPONSE, AdminConstants.NAMESPACE);
[javac] ^
[javac] symbol: class QName
[javac] location: class GetAllSsoSessions
[javac] warning: unknown enum constant ThreadingBehavior.SAFE
[javac] reason: class file for org.apache.http.annotation.ThreadingBehavior not found
[javac] /root/projects/zimbra/zm-sso/src/main/java/com/iwayvietnam/zmsso/saml/SamlSloHandler.java:58: error: cannot access LogoutRequest
[javac] final var logoutProfileHandler = client.getLogoutProfileHandler();
[javac] ^
[javac] class file for org.opensaml.saml.saml2.core.LogoutRequest not found
[javac] /root/projects/zimbra/zm-sso/src/main/java/com/iwayvietnam/zmsso/saml/SamlSloHandler.java:66: error: cannot access LogoutResponse
[javac] final var logoutResponse = saml2LogoutResponseBuilder.build(samlContext);
[javac] ^
[javac] class file for org.opensaml.saml.saml2.core.LogoutResponse not found
[javac] /root/projects/zimbra/zm-sso/src/main/java/com/iwayvietnam/zmsso/saml/SamlSloHandler.java:67: error: cannot access MessageContext
[javac] saml2LogoutResponseMessageSender.sendMessage(samlContext, logoutResponse, samlContext.getSAMLBindingContext().getRelayState());
[javac] ^
[javac] class file for org.opensaml.messaging.context.MessageContext not found
[javac] /root/projects/zimbra/zm-sso/src/main/java/com/iwayvietnam/zmsso/saml/SamlSloHandler.java:70: error: cannot find symbol
[javac] if (spLogoutResponseBindingType.equalsIgnoreCase(SAMLConstants.SAML2_POST_BINDING_URI)) {
[javac] ^
[javac] symbol: variable SAMLConstants
[javac] location: class SamlSloHandler
[javac] /root/projects/zimbra/zm-sso/src/main/java/com/iwayvietnam/zmsso/service/GetAllSsoSessions.java:40: error: cannot access Namespace
[javac] public static QName GET_ALL_SSO_SESSIONS_REQUEST = QName.get(ZmSsoExtension.E_GET_ALL_SSO_SESSIONS_REQUEST, AdminConstants.NAMESPACE);
[javac] ^
[javac] class file for org.dom4j.Namespace not found
[javac] /root/projects/zimbra/zm-sso/src/main/java/com/iwayvietnam/zmsso/service/GetAllSsoSessions.java:40: error: cannot find symbol
[javac] public static QName GET_ALL_SSO_SESSIONS_REQUEST = QName.get(ZmSsoExtension.E_GET_ALL_SSO_SESSIONS_REQUEST, AdminConstants.NAMESPACE);
[javac] ^
[javac] symbol: variable QName
[javac] location: class GetAllSsoSessions
[javac] /root/projects/zimbra/zm-sso/src/main/java/com/iwayvietnam/zmsso/service/GetAllSsoSessions.java:41: error: cannot find symbol
[javac] public static QName GET_ALL_SSO_SESSIONS_RESPONSE = QName.get(ZmSsoExtension.E_GET_ALL_SSO_SESSIONS_RESPONSE, AdminConstants.NAMESPACE);
[javac] ^
[javac] symbol: variable QName
[javac] location: class GetAllSsoSessions
[javac] Note: Some input files use unchecked or unsafe operations.
[javac] Note: Recompile with -Xlint:unchecked for details.
[javac] 11 errors
[javac] 1 warning

BUILD FAILED
/root/projects/zimbra/zm-sso/build.xml:212: Compile failed; see the compiler error output for details.

Central Single Logout Not working

We have integrated zimbra with NetQ IDM solution . All are working fine but SLO is not working .
If I logout from zimbra other SSO application does not logout .
zm.sso.properties have
sso.centralLogout = true

Please help
Thanks
Biswajit
