Zimbra SAML SSO

The Zimbra SAML extension provides support for the Browser/POST Profile of SAML.


The flow for a user on a browser is:

    1. The user authenticates with an IdP.
    2. The IdP sends the browser to the Zimbra SAML extension URL (<zimbra_base_url>/service/extension/samlreceiver), posting a SAML Response (which contains a SAML Assertion) along with it.
    3. The SAML extension checks the validity of the SAML Response (including its signature, verified against the IdP certificate configured below) and then looks up the Subject of the SAML Assertion, which must be the email address of the user's Zimbra account.
    4. Finally, a Zimbra auth cookie for that account is set on the browser, and the browser is redirected to the default Zimbra mail URL.

Prerequisite

      • Download and install Zimbra Network Edition. The SAML extension ships only with the Network Edition (under /opt/zimbra/extensions-network-extra/saml/).


Zimbra (SP) Configuration

      • Log in to the Zimbra instance as root.


      • Copy the samlextn.jar extension into the extensions directory.
          • mkdir /opt/zimbra/lib/ext/saml
          • cp /opt/zimbra/extensions-network-extra/saml/samlextn.jar /opt/zimbra/lib/ext/saml/


      • Switch to the zimbra user for the remaining zmprov / zmcontrol commands.
          • su zimbra


      • Add the IdP signing certificate (the IdPCertificate.pem downloaded from the IdP) to the domain configuration. This is the certificate the extension uses to verify the signature on incoming SAML Responses, so it must be the IdP's current signing certificate.
          • zmprov md <domain-name> zimbraMyoneloginSamlSigningCert "<IdP-certificate>"


      • (Optional) Point the web client login and logout URLs at the IdP's SSO URL (copied from the IdP), so that unauthenticated users are sent straight to the IdP instead of the Zimbra login page.
          • zmprov md <domain-name> zimbraWebClientLoginURL <copied-SSO-URL>
          • zmprov md <domain-name> zimbraWebClientLogoutURL <copied-SSO-URL>


      • Set zimbraCsrfRefererCheckEnabled to FALSE. The SAML Response arrives as a cross-site POST from the IdP, so the Referer check would reject it at the samlreceiver URL. Note that disabling the check removes a CSRF defence for the whole server; the narrower alternative is to keep it enabled and add the IdP hostname to zimbraCsrfAllowedRefererHosts (the attribute queried in the confirmation step below).
          • zmprov mcf zimbraCsrfRefererCheckEnabled FALSE


      • Restart Zimbra services.
          • zmcontrol stop; zmcontrol start [or] service zimbra restart


      • (Optional) Confirm settings.
          • zmprov gd <domain-name> zimbraMyoneloginSamlSigningCert
          • zmprov gd <domain-name> zimbraWebClientLoginURL
          • zmprov gd <domain-name> zimbraWebClientLogoutURL
          • zmprov gcf zimbraCsrfRefererCheckEnabled
          • zmprov gcf zimbraCsrfAllowedRefererHosts
          • zmlocalconfig -s zimbra_auth_provider


      • Note (values used in this page):
          • <domain-name> : ranmanic.in (the Zimbra domain the SAML attributes are set on)
          • <host-name> : mail.zimbra.com (the hostname of the Zimbra instance; it must resolve to the instance and match the certificate the IdP will POST to)
          • <zimbra_base_url> : https://mail.zimbra.com


      • References:
          • https://wiki.zimbra.com/wiki/Authentication/SAML
          • https://rsa.jiveon.com/docs/DOC-58976


IdP Configuration

      • Assertion Consumer Service (ACS) URL
          • https://<host-name>/service/extension/samlreceiver


      • Audience (Service Provider Entity ID)
          • https://<host-name>/service/extension/samlreceiver
            • note: typically the same as the ACS URL


      • NameID Format (User Identity)
          • EMAIL (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress); the NameID value must equal the email address of the user's Zimbra account.
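The receiver-side checks from step 3 of the flow above, run against the ACS URL, Audience and NameID format this section tells the IdP to use, as an added example in Python. This is not Zimbra's samlextn code. It assumes the <host-name> mail.zimbra.com from the note above and a hypothetical IdP issuer https://idp.example.com/metadata, builds constructed (unsigned) responses locally so it runs offline, and leaves XML signature verification against zimbraMyoneloginSamlSigningCert out because that needs an XML-DSig library; a real receiver must verify the signature before trusting any of the fields checked here.

```python
"""SP-side validation of a SAML Response posted to /service/extension/samlreceiver.
Illustrative only (not Zimbra's samlextn code). Hostname and IdP issuer are assumptions."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Values the IdP must be configured with (see IdP Configuration).
ACS_URL = "https://mail.zimbra.com/service/extension/samlreceiver"
AUDIENCE = ACS_URL
IDP_ISSUER = "https://idp.example.com/metadata"   # assumed, hypothetical IdP
FIXED_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # deterministic clock for the demo


class SamlError(Exception):
    pass


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_subject(saml_response_b64, now, skew=timedelta(minutes=2)):
    """Return the account email from the Subject NameID, or raise SamlError.
    Signature verification is assumed to have happened before this point."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlError("status is not Success")
    dest = root.get("Destination")             # must be our ACS URL when present
    if dest is not None and dest != ACS_URL:
        raise SamlError(f"Destination {dest!r} is not the ACS URL")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlError("expected exactly one Assertion")
    a = assertions[0]
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise SamlError("missing Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + skew < _ts(nb):
        raise SamlError("assertion not yet valid")
    if noa and now - skew >= _ts(noa):
        raise SamlError("assertion expired")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if AUDIENCE not in audiences:              # assertion issued for some other SP
        raise SamlError(f"audience {audiences} does not include {AUDIENCE}")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None:
        if scd.get("Recipient") not in (None, ACS_URL):
            raise SamlError("SubjectConfirmationData Recipient is not the ACS URL")
        if scd.get("NotOnOrAfter") and now - skew >= _ts(scd.get("NotOnOrAfter")):
            raise SamlError("subject confirmation expired")
    nameid = a.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != EMAIL_FMT:
        raise SamlError("Subject NameID missing or not an emailAddress NameID")
    email = (nameid.text or "").strip()
    if "@" not in email:
        raise SamlError(f"NameID {email!r} is not an email address")
    return email.lower()                       # this is the Zimbra account to log in


def build_response(email, audience=AUDIENCE, destination=ACS_URL,
                   issued=FIXED_NOW, lifetime=timedelta(minutes=5)):
    """Constructed, unsigned SAML Response for local testing (not a real IdP capture)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    nb, noa = issued.strftime(fmt), (issued + lifetime).strftime(fmt)
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="{nb}" Destination="{destination}">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{nb}">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FMT}">{email}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{destination}" NotOnOrAfter="{noa}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def _outcome(resp, now=FIXED_NOW):
    try:
        return "accepted:" + extract_subject(resp, now)
    except SamlError as e:
        return "rejected:" + str(e)


def demo():
    """Run the receiver over a valid response and several that must be refused."""
    return {
        "valid": _outcome(build_response("Alice@ranmanic.in")),
        "wrong_audience": _outcome(build_response("alice@ranmanic.in", audience="https://other-sp.example/acs")),
        "wrong_destination": _outcome(build_response("alice@ranmanic.in", destination="https://evil.example/acs")),
        "expired": _outcome(build_response("alice@ranmanic.in", issued=FIXED_NOW - timedelta(minutes=10))),
        "not_email": _outcome(build_response("alice")),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18} {result}")
```

The Audience and Destination checks are what stop an assertion minted for a different service provider, or replayed from a different ACS, from logging a user into Zimbra; together with the time window they are why the ACS URL and Audience in the IdP configuration above have to match the samlreceiver URL exactly.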