I have been looking through the forum for Zimbra and Single-Sign-On.
Most people there want to authenticate their users based on a system outside of Zimbra. As pointed out several times, this can be done with PreAuth, something that works great if this is what you are looking for.

I am looking for the opposite of PreAuth, using Zimbra to authenticate with another external application.

- You are logged in your Zimbra Account (http://zimbra.company.com)
- You want to use another app (http://app.company.com)
Upon hitting that URL, the app (lets say it's php-based) should be able to somehow let the user in with no password (no username as an option).

It might sound like OpenID or similar, but the app (or more apps) are aware of the one central authentication point.
In an OpenID world, I'd like Zimbra to be my Identity Provider (IP) as it already hosts accounts with passwords and seems ideal for the case.

Currently, all I can do is centralize username & passwords in Zimbra and external applications will just query the Zimbra server to confirm a matching username & passwords. But users have to provide user & password for each of the apps.

Other keywords like Shibboleth and SAML come to mind, but neither provide what I'm looking for (or not yet anyway).

I'm not looking for step-my-step instructions here, just wondering if someone can push me in the right direction which will get me to my goal, or just tell me that I should drop this goal and look for another solution.

Thanks in advance for any comment.

Best regards,