Zimbra preauth v. maintenance mode, session expiry, etc.

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
Rich Graves
Outstanding Member
Outstanding Member
Posts: 687
Joined: Fri Sep 12, 2014 10:24 pm

Zimbra preauth v. maintenance mode, session expiry, etc.

Postby Rich Graves » Wed Aug 20, 2014 4:54 pm

IN MY LIMITED TESTING OF ZCS 8.0.7, IT APPEARS THAT WHEN I SET "PREAUTH ZIMBRAWEBCLIENTLOGINURL AND ZIMBRAWEBCLIENTLOGOUTURL ON A VIRTUAL DOMAIN:


  • HITS ON THE VIRTUAL HOST REDIRECT PROPERLY TO THE SSO SYSTEM

  • THE AJAX V. HTML V. MOBILE UI IS CHOSEN BASED ON BROWSER USER-AGENT

  • EXPLICIT LOGOUT FROM ZWC REDIRECTS TO THE SSO SYSTEM


POSSIBLE ISSUES:


  • IS THERE AN ARGUMENT THAT I CAN PASS TO /SERVICE/PREAUTH TO FORCE A SPECIFIC CLIENT, LIKE /H/ INSTEAD OF /M/ ON AN IPAD?

  • COOKIE TIMEOUTS, INVALIDATED SESSIONS, AND MAINTENANCE MODE SEEM TO GO TO THE BUILT-IN ZCS LOGIN PAGE. THIS IS ACCEPTABLE AND MAYBE EVEN PREFERRED BECAUSE THE SSO SYSTEM CAN'T GIVE A SPECIFIC ERROR. IS THAT CORRECT, OR IS THIS JUST AN ARTIFACT OF THE TEST BEING A NON-DEFAULT VIRTUAL HOST AND THE NGINX PROXY NOT HAVING BEEN RESTARTED SINCE CONFIGURING THE VHOST?

  • IS THERE A WAY TO BYPASS SSO FOR SPECIFIC ACCOUNTS, FORCING USE OF THE INTERNAL LOGIN PAGE? USER-AGENT IS NOT THE ANSWER I'M LOOKING FOR.

  • ARE THERE OTHER EDGE CASES I HAVEN'T CONSIDERED?


WE ARE QUASI-HOSTED SO I DON'T THINK I WANT TO USE SAML, WHICH WHILE POSSIBLY MORE SECURE THAN A PRE-SHARED KEY, IS NEWER AND LESS DOCUMENTED. OR DOES ANYONE HERE HAPPEN TO USE AND RECOMMEND NATIVE SAML BETWEEN SHIBBOLETH 2.4.1 AND ZCS 8?


Return to “Administrators”

Who is online

Users browsing this forum: kwitkow and 6 guests