
Thread: SOAP auth against AuthProvider

  1. #1

    Hey,

    I've created an AuthProvider implementation to use our authentication system.

    It's more or less working, I largely copied the ZimbraAuthProvider implementation and changed as necessary...

    I've hit a problem though: trying to auth through SOAP using our custom provider.

    I'm basing my tests on this article: » Zimbra :: Blog -- specifically the part:
    <authToken type='SAML_AUTH_PROVIDER'>b07b804c-7c29-ea16-7300-4f3d6f7928ac</authToken>

    ... I have constructed a SOAP auth request that looks like this using the LmcSoapRequest classes:
    <AuthRequest xmlns="urn:zimbraAccount"><authToken type="OUR_AUTH_PROVIDER">xxxTokenFromOurAuthSystem</authToken></AuthRequest>

    Our AuthProvider implementation checks with our signon system and validates the supplied token.

    However all the logging indicates that even though I am specifying our custom AuthProvider impl in the <authToken> type as per the blog article it is never being called ...

    If anyone has any insights they would be appreciated, maybe I'm just missing something simple?

  2. #2

    Will post follow-up info ...

    Have done some packet inspecting and the big difference I can see is that the auth-token I'm sending is in the soap:body rather than the soap:header as in the example ... will investigate to see if I can get this element in the header using the Lmc* classes ... or if it at least works if I make a raw request with it in the header.

  3. #3

    No luck just using raw posts to the soap api either ...

    Below is a request that DOES work, using the standard auth token:

    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
    <soap:Header>
    <context xmlns="urn:zimbra">
    <authToken>...long-ass-zimbra-auth-token...</authToken>
    </context>
    </soap:Header>
    <soap:Body>
    <GetFolderRequest xmlns="urn:zimbraMail"/>
    </soap:Body>
    </soap:Envelope>

    Now the request trying to use our custom AuthProvider impl:

    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
    <soap:Header>
    <context xmlns="urn:zimbra">
    <authToken type="CUSTOM_AUTH_PROVIDER">abc-custom-authsystem-token-xyz</authToken>
    </context>
    </soap:Header>
    <soap:Body>
    <GetFolderRequest xmlns="urn:zimbraMail"/>
    </soap:Body>
    </soap:Envelope>

    This generates a 500 response:
    Code:service.AUTH_REQUIRED
    at com.zimbra.common.service.ServiceException.AUTH_REQUIRED(ServiceException.java:296)


    ....

  4. #4

    Hi arw,


    First of all, can we make sure that your auth provider extension is properly loaded?
    You can check that from mailbox.log. Or you can log some messages in the extension's init() to mailbox.log and check that.

    Then if it is there, please check that zimbra_auth_provider setting in localconfig
    is properly done.

  5. #5

    Hi Yutaka,

    Yes, the zmlocalconfig value zimbra_auth_provider is correctly set to 'CUSTOM_AUTH_PROVIDER' and logging indicates the extension is loading properly. Also, login calls made from the main web-client login screen (which uses SOAP) can be seen to be calling the custom auth provider.

    Thx for reply ... hope you can shed some light!

  6. #6

    So basically, you said that your auth provider looks to be executed for every auth request, but it does not look to pick up your own auth token, right?

    Hmm...

    Can we see your auth provider source code?

  7. #7

    It's called by the main login web interface which makes a soap call to the api.

    It is not called when I make a direct soap request as detailed in the blog entry, specifying my AuthProvider in the authToken 'type' attribute.

    I will try to post the source code a bit later but it is basically a carbon copy of ZimbraAuthProvider except I added an additional POST call to our SSO system to verify the token.

  8. #8

    Looks like your auth provider implementation is working only when auth cookie is present. Can you check your implementation of the authToken(Element soapCtxt, Map engineCtxt) method since that's the method that looks up the token inside the soap header context.
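
A small diagnostic for the point raised in #2 and #8, added here as an example (it is not part of the thread and not Zimbra code): it reports whether a captured request carries its authToken in the SOAP header context or in the body, and with which type. The function names, the constructed sample requests, and the rule that a provider only claims header tokens whose type matches its own name are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"s": "http://www.w3.org/2003/05/soap-envelope",
      "z": "urn:zimbra", "a": "urn:zimbraAccount"}

# Constructed sample requests, modelled on the ones posted in #1 and #3.
HEADER_REQ = """<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header><context xmlns="urn:zimbra">
<authToken type="CUSTOM_AUTH_PROVIDER">abc-custom-authsystem-token-xyz</authToken>
</context></soap:Header>
<soap:Body><GetFolderRequest xmlns="urn:zimbraMail"/></soap:Body>
</soap:Envelope>"""

BODY_REQ = """<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Body><AuthRequest xmlns="urn:zimbraAccount">
<authToken type="OUR_AUTH_PROVIDER">xxxTokenFromOurAuthSystem </authToken>
</AuthRequest></soap:Body>
</soap:Envelope>"""

def locate_auth_tokens(envelope_xml):
    """List (location, type, value) for each authToken in a captured request."""
    # Intended for requests you built yourself while debugging, not untrusted traffic.
    root = ET.fromstring(envelope_xml.strip())
    paths = (("header", "s:Header/z:context/z:authToken"),
             ("body", "s:Body/a:AuthRequest/a:authToken"))
    return [(where, tok.get("type"), (tok.text or "").strip())
            for where, path in paths for tok in root.findall(path, NS)]

def claim_header_token(envelope_xml, provider_type):
    """Model of a type-checking provider (assumed behaviour): return the header
    token it would validate, or None when it should decline the request
    (no header token, a different type, or an empty value)."""
    for where, tok_type, value in locate_auth_tokens(envelope_xml):
        if where == "header" and tok_type == provider_type and value:
            return value
    return None

if __name__ == "__main__":
    for name, req in (("header form", HEADER_REQ), ("body form", BODY_REQ)):
        print(name, locate_auth_tokens(req),
              claim_header_token(req, "CUSTOM_AUTH_PROVIDER"))
```

Logging the same three fields (location, type, whether a value was present, never the token itself) from inside the provider's header lookup shows quickly whether the method is reached and what it sees.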
