Single Sign On
I've done a search of the forum and read the various posts I find, but I'm not seeing info specific to what I want to do, and I'm not sure if it's possible, or how to go about it. Hence the reason for my post.
Scenario: Users log on to a Windows computer, authenticating against a Windows 2003 server, then open a web browser and go to their bookmark "Zimbra Mail", and their email appears on the screen.
So, what I'm looking at is a way for the currently logged on user to be logged into Zimbra automatically.
The problem as I see it is that the windows username is held in LDAP on the windows 2003 server, and the zimbra username and password is held in LDAP on the zimbra server.
Is it possible to code a webpage, store it on the Zimbra box, so that when the page is opened, it finds out the Windows username, discovers the Zimbra user from that and logs them in?
We have the ability to do this with preauth. See this related thread.
Yeah, I did read that thread.
This is normally the part where I start to feel stupid and think about cutting my losses and running away. You guys know much more about this stuff than I do and I dont like looking dumb but I'm not afraid to learn new things.
I do know lots about other stuff, really, I do !
Truth is, it's far easier to learn from example. I understand the give a man a fish concept, but if someone can provide the actual solution, in full, to my question, then in the course of integrating it into our environment and tweaking it, I will learn and understand how it functions.
I don't want everything done for me, I do want to work it out for myself, but time is a luxury and the simpler these things are to perform, the more people will use it, which is good for the Zimbra userbase.
I know you guys have a retail product, and no liability to the users of the open source version, but if you can explain what needs to be done, or show a proof of concept or the entire script, then it would help me and others.
The thread you link to discusses things I just don't understand, and while I appreciate the difference between Zimbra and Exchange, it's worth noting that Exchange does not make me learn a handful of new technologies in order for LAN users to log into webmail automatically - it just sort of 'does it'.
If this comes across as a little bit of the usual 'Linux is too damn hard so I'm sticking with windows' then I apologise, but there is a lot of truth in that statement, linux is hard, it is challenging, but I recognise that it's also appealing because of it.
The level of support in these forums by the users and the staff is nothing short of remarkable, but I can't help feeling it could be better if people took a step back to when they were new and understood the frustrations of not having decades of knowledge to draw on.
-sorry for the rant, it's from working too hard :)
In your use case there is a step missing. I don't think that you can via a bookmark/weblink pass the windows/domain user for auto-login. If you just want to authenticate against AD we have that today. Just configure External Auth in the admin UI and your users can login to Zimbra with their AD password. If you really want it to be seamless you'll need to figure out how to pass the windows/domain credentials via a weblink/bookmark which seems like an extra unnecessary hurdle when we already have direct auth with AD.
In general we want to help and try our best to give good free support here on the forums but as you can imagine we can't just do everyone's integration project for them. Network customers do get that extra level of handholding since they in the end help us pay rent and keep the lights on.
Kevin, thank you. I'll look into using authentication against AD as at least it's one less password for the users to remember.
I was thinking of making it automatic as we use a Smoothwall firewall here and there was a recent patch to that to allow NTLM authentication, which is what I was after for zimbra. Previous to that smoothwall patch, users would need to authenticate against the smoothwall in order to browse the web, now, as they have logged into windows already, the browser passes the credentials to the firewall and it accepts their connection. I was thinking if it could be done there, it may be possible here.
Please accept my apologies if my earlier post was harsh.
I'm a little bit confused about the preauth mechanism : indeed, we are implementing a great project that will permit users to access Zimbra via an RDP session (Applidis on TSE session : it's equivalent to Citrix).
In this RDP session, the user will have to click on the Zimbra icon, and in the background, it will launch the Zimbra mail URL in a standard Firefox browser.
As the user is authenticated on the Active Directory while connecting to the RDP session, I wanted to know how to replay these credentials.
In the documentation, I didn't understand how to generate the SHA1-HMAC preauth value to be passed into the Firefox URL with other preauth credentials ...
In fact, this RDP session is like a Windows session, so, what would be the best to auto open Zimbra user session by replaying Windows credentials ?
What do we develop, what do we need to install, on which device, etc ... ?
Sorry for these basic questions, but I'm not a developer, and not an SSO specialist!
Originally Posted by fmodola
I don't have much (read any) experience with Zimbra NE, so it's possible that this functionality is there. If not, it's good that you are a programmer.
What you basically want to do is put an ASP.NET (or pick your technology) page that checks if the user has valid Active Directory creds. If they do, you then want to figure out what their Zimbra username is (from Active Directory probably), and have the script generate a redirect to the Zimbra server. That redirect includes the username for the user, and a hash of the generated pre-auth key using SHA1-HMAC.
I understand this well, but as I said, I'm not a developer, and I have little time to make Zimbra reliable for this production environment.
What I don't understand is if we need to launch a script/program to do that ?
If yes, I think that this script will launch the web browser with the right URL, won't it?
I wonder if this ever got fully integrated? I have a related but slightly different request. Provided every Zimbra account matches the username on our employees' AD accounts, can I somehow forgo authentication when that user browses to our Zimbra URL?
I have this set up with Squid to use winbind and take the current active credentials and match them against the AD catalog; if it matches, there is no additional login and it just works. Will the preauth/external auth options in Zimbra allow this kind of functionality?
We just installed an intranet, and I would like to establish SSO to that site, and have credentials carried over when clicking into a link to our zimbra mail. This would be ideal since each user has their own system and has to auth against the AD when they boot up in the morning anyway.
We implemented single sign-on too.
I created a C# "launcher" program that:
- takes the Windows username
- Does the preauthentication stuff to get the SSO URL
- Launches a locally-installed Mozilla Prism instance (the bare-bones browser used in Zimbra Desktop) directed to the Zimbra server on the LAN (with the calculated preauth info in the URL)
But you can just as easily launch the default web browser instead of Prism.
You can find the code I used here: Webman-Notes - Zimbra :: Wiki
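The two pieces that the thread describes in words, the redirect carrying a username plus an SHA1-HMAC over the preauth parameters (the explanation quoted in the "Originally Posted by fmodola" reply) and the launcher that turns the current Windows username into a preauth URL (the C# launcher steps in the last post), as one added Python example. This is not code from the thread, from the linked wiki page, or from Zimbra itself. It follows the Zimbra preauth scheme: the HMAC-SHA1 of `account|by|expires|timestamp`, keyed with the domain preauth key, hex-encoded and sent to `/service/preauth`. The key, server name, domain, username-to-account mapping and the 5-minute clock-skew window are assumptions for the demo. The verifier function is included so you can see what the mail server has to check, and why the preauth key must be treated like a password: whoever holds it can mint a login for any account in the domain.

```python
"""Mint and verify a Zimbra-style preauth token.

Added example, not code from the thread or from Zimbra. The constants below are
hypothetical; on a real system the per-domain key comes from
`zmprov gdpak <domain>` and must never be shipped to client machines.
"""
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

DEMO_KEY = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"  # hypothetical
DEMO_ZIMBRA = "https://mail.example.com"  # hypothetical server
DEMO_DOMAIN = "example.com"               # hypothetical Zimbra domain


def windows_user_to_account(sam_account_name: str, domain: str = DEMO_DOMAIN) -> str:
    """Assumed mapping from the thread's premise: the AD username equals the
    Zimbra local part. Strips a DOMAIN\\ prefix and lower-cases the name."""
    user = sam_account_name.split("\\")[-1].lower()
    return f"{user}@{domain}"


def compute_preauth(key: str, account: str, by: str = "name", expires: int = 0,
                    timestamp_ms: Optional[int] = None) -> Tuple[str, int]:
    """HMAC-SHA1 over 'account|by|expires|timestamp', hex-encoded.
    timestamp is milliseconds since the epoch; expires=0 means 'default'."""
    if timestamp_ms is None:
        timestamp_ms = int(time.time() * 1000)
    msg = "|".join([account, by, str(expires), str(timestamp_ms)])
    digest = hmac.new(key.encode("utf-8"), msg.encode("utf-8"), hashlib.sha1).hexdigest()
    return digest, timestamp_ms


def build_preauth_url(base_url: str, key: str, account: str, expires: int = 0,
                      timestamp_ms: Optional[int] = None) -> str:
    """The URL a launcher or SSO page redirects the browser to."""
    digest, ts = compute_preauth(key, account, "name", expires, timestamp_ms)
    params = {"account": account, "by": "name", "timestamp": ts,
              "expires": expires, "preauth": digest}
    return f"{base_url}/service/preauth?{urlencode(params)}"


def verify_preauth(key: str, params: Dict[str, str], now_ms: Optional[int] = None,
                   max_skew_ms: int = 5 * 60 * 1000) -> bool:
    """What the receiving side must check before issuing a session:
    1. the HMAC matches (constant-time compare),
    2. the timestamp is within a small window of the server clock (replay limit),
    3. an explicit expires value, if non-zero, has not passed.
    The 5-minute skew window is an assumption for this example."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    try:
        account = params["account"]
        by = params["by"]
        expires = int(params["expires"])
        timestamp = int(params["timestamp"])
        presented = params["preauth"]
    except (KeyError, ValueError):
        return False
    expected, _ = compute_preauth(key, account, by, expires, timestamp)
    if not hmac.compare_digest(expected, presented):
        return False
    if abs(now_ms - timestamp) > max_skew_ms:
        return False
    if expires != 0 and expires <= now_ms:
        return False
    return True


if __name__ == "__main__":
    # A launcher would get the username from the OS (e.g. os.environ["USERNAME"]
    # on Windows) and hand this URL to the default browser.
    acct = windows_user_to_account("CORP\\JDoe")
    print(build_preauth_url(DEMO_ZIMBRA, DEMO_KEY, acct))
```

Because the HMAC key lives wherever the URL is minted, a launcher that runs on every workstation (as in the last post) is only as secret as that binary; putting the minting step behind a server-side page that first checks the user's AD identity, as the quoted reply suggests, keeps the key off the clients.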