Zm SSO is the Zimbra Collaboration Open Source Edition extension for single sign-on authentication to the Zimbra Web Client.
Copyright (C) 2020-present iWay Vietnam and/or its affiliates. All rights reserved.
- Using framework: pac4j is an easy and powerful security engine for Java to authenticate users, get their profiles and manage authorizations in order to secure web applications and web services.
- Supported authentication mechanisms: SAML - CAS - OpenID Connect
- JDK 11 or newer.
- Apache Maven 3.5 or newer for Maven build.
- Apache Ant 1.x for Ant build.
- rpmbuild for rpm package build.
- On Fedora or CentOS 8.x or Red Hat EL 7.x
dnf -y install java-11-openjdk java-11-openjdk-devel maven ant git rpmbuild
- On CentOS 7.x or Red Hat EL 7.x
yum -y install java-11-openjdk java-11-openjdk-devel maven ant git rpmbuild
- On Debian or Ubuntu
apt install -y openjdk-11-jdk maven ant git
mkdir -p ~/projects/zimbra
cd ~/projects/zimbra
git clone https://github.com/iwayvietnam/zm-sso.git
cd ~/projects/zimbra/zm-sso
mvn clean package
The output should be like this:
--- maven-jar-plugin:3.0.2:jar (default-jar) @ zm-hab ---
Building jar: ~/projects/zimbra/zm-sso/target/zm-sso-1.0.0-1.jar
cd ~/projects/zimbra/zm-sso
ant jar
The output should be like this:
[jar] Building jar: ~/projects/zimbra/zm-sso/dist/zm-sso-1.0.0-1.jar
cd ~/projects/zimbra/zm-sso
make rpmbuild
The output should be like this:
Wrote: ~/rpmbuild/RPMS/noarch/zm-sso-1.0.0-1.el7.noarch.rpm
- Copy jar extension to zimbra server
cd ~/projects/zimbra/zm-sso
ssh root@zimbra.server "mkdir -p /opt/zimbra/lib/ext/zm-sso"
scp target/*.jar root@zimbra.server:/opt/zimbra/lib/ext/zm-sso
scp target/dependencies/*.jar root@zimbra.server:/opt/zimbra/jetty_base/common/lib
scp conf/zm.sso.properties root@zimbra.server:/opt/zimbra/conf
- Restart mailbox to load the extension.
ssh root@zimbra.server "su - zimbra -c '/opt/zimbra/bin/zmmailboxdctl restart'"
ssh root@zimbra.server "mkdir -p /tmp/zimbra"
scp ~/rpmbuild/RPMS/noarch/zm-sso-1.0.0-1.el7.noarch.rpm root@zimbra.server:/tmp/zimbra
ssh root@zimbra.server "rpm -Uvh /tmp/zimbra/zm-sso-1.0.0-1.el7.noarch.rpm"
The settings loaded from zm.sso.properties file. The location of this file is /opt/zimbra/conf/zm.sso.properties
- Using a text editor to open zm.sso.properties in /opt/zimbra/conf. Ex:
vi /opt/zimbra/conf/zm.sso.properties
- Specify default pac4j client by setting the value for the sso.defaultClient key. Ex:
sso.defaultClient = SAML2Client
To handle authentication, a callback endpoint is necessary to receive callback calls from the identity server and finish the login process.
Config:
- Using a text editor to open zm.sso.properties in /opt/zimbra/conf.
- Specify callback endpoint by setting the value for the sso.callbackUrl key. The path of endpoint can be:
- /service/extension/sso/callback (using default client. specified in sso.defaultClient). Ex:
sso.callbackUrl = https://mail.zimbra-server.com/service/extension/sso/callback
- /service/extension/saml/callback (using SAML client). Ex:
saml.callbackUrl = https://mail.zimbra-server.com/service/extension/saml/callback
- /service/extension/cas/callback (using CAS client). Ex:
cas.callbackUrl = https://mail.zimbra-server.com/service/extension/cas/callback
- /service/extension/oidc/callback (using OpenID Connect client). Ex:
oidc.callbackUrl = https://mail.zimbra-server.com/service/extension/oidc/callback
- /service/extension/sso/callback (using default client. specified in sso.defaultClient). Ex:
- Specify profile should be saved in session by setting the value for the sso.saveInSession key.
- Specify multi profiles are supported by setting the value for the sso.multiProfile key.
- Specify the session must be renewed by setting the value for the sso.renewSession key.
To handle the logout, a logout endpoint is necessary to perform:
- The local logout by removing the pac4j profiles from the session.
- The central logout by calling the identity provider logout endpoint. This is the Single LogOut (SLO) process.
Config:
- Using a text editor to open zm.sso.properties in /opt/zimbra/conf.
- sso.localLogout: It indicates whether a local logout must be performed.
- sso.destroySession: It defines whether we must destroy the web session during the local logout.
- sso.centralLogout: It defines whether a central logout must be performed.
- sso.postLogoutURL: It defines whether logout return url from idp server back to zimbra. By default at the last step of SP initiated logout user will see a blank page.
First, if you don’t have one, you need to generate a keystore for all signature and encryption operations. Ex:
keytool -genkeypair -alias samlkey -keypass samlpasswd -keystore /opt/zimbra/conf/saml/keystore.jks -storepass samlpasswd -keyalg RSA -keysize 2048 -validity 3650
Config:
- Using a text editor to open zm.sso.properties in /opt/zimbra/conf.
- saml.keystorePath: It defines the keystore resource location. It is the value of the -keystore option for the keystore generation with prefix file:.
Ex:
saml.keystorePath = file:/opt/zimbra/conf/saml/keystore.jks
- saml.keystorePassword: It defines keystore password. It is the value of the -storepass option for the keystore generation.
- saml.privateKeyPassword: It defines key password. It is the value of the -keypass option for the keystore generation.
- saml.keystoreAlias: It defines keystore alias. It is the value of the -alias option for the keystore generation.
- saml.identityProviderMetadataPath: It defines the resource location should point to your IdP metadata.
Ex:
saml.identityProviderMetadataPath = https://samltest.id/saml/idp
- saml.serviceProviderEntityId: It defines the entity ID of your application (the Service Provider).
Ex:
saml.serviceProviderEntityId = https://mail.zimbra-server.com/service/extension/saml/metadata
- Using a text editor to open zm.sso.properties in /opt/zimbra/conf.
- cas.loginUrl: It defines the login URL of your CAS server. Ex:
cas.loginUrl = https://cas.cas-server.com/cas/login
- cas.protocol: It defines the CAS protocol you want to use. Ex:
cas.protocol = CAS20
- Using a text editor to open zm.sso.properties in /opt/zimbra/conf.
- oidc.discoveryUri: It defines the discovery URI for fetching OP metadata. Ex:
oidc.discoveryUri = https://demo.c2id.com/.well-known/openid-configuration
- oidc.id: It defines the OpenID client identifier.
- oidc.secret: It defines the OpenID client secret.
- oidc.scope: It defines the OpenID client scope.
- Execute following commands with the Zimbra user for domain configuration:
# SSO login by using default client. Specified in sso.defaultClient
zmprov md yourdomain.com zimbraWebClientLoginURL https://mail.zimbra-server.com/service/extension/sso/login
# or SSO login by using SAML client
# zmprov md yourdomain.com zimbraWebClientLoginURL https://mail.zimbra-server.com/service/extension/saml/login
# or SSO login by using CAS client
# zmprov md yourdomain.com zimbraWebClientLoginURL https://mail.zimbra-server.com/service/extension/cas/login
# or SSO login by using OpenID Connect client
# zmprov md yourdomain.com zimbraWebClientLoginURL https://mail.zimbra-server.com/service/extension/oidc/login
# Specified logout URL
zmprov md yourdomain.com zimbraWebClientLogoutURL https://mail.zimbra-server.com/service/extension/sso/logout
- Execute following commands with the
zimbra
user for global configuration:
# SSO login by using default client. Specified in sso.defaultClient
zmprov mcf zimbraWebClientLoginURL https://mail.zimbra-server.com/service/extension/sso/login
# or SSO login by using SAML client
# zmprov mcf zimbraWebClientLoginURL https://mail.zimbra-server.com/service/extension/saml/login
# or SSO login by using CAS client
# zmprov mcf zimbraWebClientLoginURL https://mail.zimbra-server.com/service/extension/cas/login
# or SSO login by using OpenID Connect client
# zmprov mcf zimbraWebClientLoginURL https://mail.zimbra-server.com/service/extension/oidc/login
# Specified logout URL
zmprov mcf zimbraWebClientLogoutURL https://mail.zimbra-server.com/service/extension/sso/logout
- Execute the following command with the
zimbra
user to restart Zimbra server:zmcontrol restart
This is primarily for allowance of untrusted ssl certificates in external data sources.
- Export untrusted ssl certificate to the file:
openssl s_client -servername idp.server.net -connect idp.server.net:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >/path/to/cert.pem
- Execute following commands with the Zimbra user:
zmcertmgr addcacert /path/to/cert.pem
zmmailboxdctl restart
zmprov -l mcf +zimbraCsrfAllowedRefererHosts idp.server.net
zmmailboxdctl restart
- Single sign on with WSO2 Identity Server (WSO2 IS)
- Single sign on with Keycloak
- Single sign on with Azure AD B2C
- Single sign on with Apereo Central Authentication Service (CAS)
Zm SSO is licensed under the GNU AFFERO GENERAL PUBLIC LICENSE, Version 3. See LICENSE for the full license text.