  #1 (permalink)  
Old 08-15-2010, 05:35 AM
Member
 
Posts: 12
Zimbra Server as Central Point in SSO infrastructure?

Hi,

I have been looking through the forum for Zimbra and Single-Sign-On.
Most people there want to authenticate their users based on a system outside of Zimbra. As pointed out several times, this can be done with PreAuth, something that works great if this is what you are looking for.

I am looking for the opposite of PreAuth, using Zimbra to authenticate with another external application.

Scenario:
- You are logged in to your Zimbra account (http://zimbra.company.com)
- You want to use another app (http://app.company.com)
Upon hitting that URL, the app (let's say it's PHP-based) should be able to somehow let the user in with no password (no username as an option).

It might sound like OpenID or similar, but the app (or more apps) are aware of the one central authentication point.
In an OpenID world, I'd like Zimbra to be my Identity Provider (IP) as it already hosts accounts with passwords and seems ideal for the case.

Currently, all I can do is centralize username & passwords in Zimbra and external applications will just query the Zimbra server to confirm a matching username & passwords. But users have to provide user & password for each of the apps.

Other keywords like Shibboleth and SAML come to mind, but neither provides what I'm looking for (or not yet anyway).

I'm not looking for step-by-step instructions here, just wondering if someone can push me in the right direction which will get me to my goal, or just tell me that I should drop this goal and look for another solution.

Thanks in advance for any comment.

Best regards,

MM
  #2 (permalink)  
Old 08-17-2010, 02:17 PM
Project Contributor
 
Posts: 92

Hi marc@ion.lu,

I think there could be a couple of ways to do that.
But I think the easiest way is to develop an Identity Provider (IP) extension.
It will handle auth requests which are redirected from the external (consumer) app and check if the user gets authenticated with Zimbra's auth token.
If no, do authentication with username & password and give the user Zimbra's AuthToken if username & password are found in Zimbra.
If yes, redirect back the request to external app.
But this request should be handled by the external app without authentication at this time. (Is it acceptable in your external app?)

I hope this reply will help you.

Thank you
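In the redirect flow described in post #2, the external app lets the user in without asking for a password, so it has to be able to verify that the redirect really came from the identity provider, was meant for this app, and is not a replay. One way to do that check, as an added example that is not code from the thread or from Zimbra: the token format, the function names `issue_assertion` and `verify_assertion`, the shared key and the account name are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SHARED_KEY = b"constructed-demo-key"  # assumption: per-app secret shared with the IdP
MAX_AGE = 60                          # seconds an assertion stays valid
_used_nonces = set()                  # demo replay cache; use a shared store in production

def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _tag(body):
    return hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()

def issue_assertion(account, audience, nonce, now=None):
    """IdP side: call only after the user's Zimbra session has been confirmed."""
    claims = {"sub": account, "aud": audience, "nonce": nonce,
              "iat": int(time.time() if now is None else now)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64(_tag(body))

def verify_assertion(token, audience, expected_nonce, now=None):
    """App side: return the asserted account, or None if anything fails."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".")
        # Check the MAC before parsing anything the sender controls.
        if not hmac.compare_digest(_tag(body), _unb64(tag)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError, AttributeError):
        return None
    if not isinstance(claims, dict) or claims.get("aud") != audience:
        return None                   # issued for a different application
    nonce = claims.get("nonce")
    if nonce != expected_nonce or nonce in _used_nonces:
        return None                   # not our login request, or a replay
    iat = claims.get("iat")
    if not isinstance(iat, int) or not 0 <= now - iat <= MAX_AGE:
        return None                   # stale or post-dated
    _used_nonces.add(nonce)           # single use
    return claims.get("sub")
```

The app generates the nonce, stores it in the visitor's pre-login session, and sends it along with the redirect to the identity provider; `expected_nonce` is that stored value, which ties the returned assertion to the browser that started the login.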
  #3 (permalink)  
Old 08-17-2010, 03:56 PM
Partner (VAR/HSP)
 
Posts: 260

I would have just used an LDAP library in my app, and authed against zimbra ldap.
__________________
http://www.solutionsfirst.com.au/hosting/zimbra/
Australia's premier Zimbra Hosting Partner
Resellers wanted!
  #4 (permalink)  
Old 08-21-2010, 08:43 AM
Member
 
Posts: 12

Thanks for the replies.

yutaka, I will look into what I can do with the Zimbra AuthToken.

dave_kempe, LDAP as a central password database is ok, but that's only one piece in the puzzle.

Integrating OpenID seems to be the way to go.

I'll keep you posted if anything develops.