#1 | 03-09-2011, 04:11 PM | arw (Active Member, Posts: 25)
SOAP auth against AuthProvider

Hey,

I've created an AuthProvider implementation to use our authentication system.

It's more or less working, I largely copied the ZimbraAuthProvider implementation and changed as necessary...

I've hit a problem though: trying to auth through SOAP using our custom provider.

I'm basing my tests on this article: » Zimbra :: Blog -- specifically the part:
<authToken type='SAML_AUTH_PROVIDER'>b07b804c-7c29-ea16-7300-4f3d6f7928ac</authToken>

... I have constructed a SOAP auth request that looks like this using the LmcSoapRequest classes:
<AuthRequest xmlns="urn:zimbraAccount"><authToken type="OUR_AUTH_PROVIDER">xxxTokenFromOurAuthSystem</authToken></AuthRequest>

Our AuthProvider implementation checks with our signon system and validates the supplied token.

However all the logging indicates that even though I am specifying our custom AuthProvider impl in the <authToken> type as per the blog article it is never being called ...

If anyone has any insights they would be appreciated, maybe I'm just missing something simple?

#2 | 03-10-2011, 08:11 AM | arw (Active Member, Posts: 25)

Will post follow-up info ...

Have done some packet inspecting and the big difference I can see is that the auth-token I'm sending is in the soap:body rather than the soap:header as in the example ... will investigate to see if I can get this element in the header using the Lmc* classes ... or if it at least works if I make a raw request with it in the header.

#3 | 03-10-2011, 09:15 AM | arw (Active Member, Posts: 25)

No luck just using raw posts to the soap api either ...

Below is a request that DOES work, using the standard auth token:

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Header>
    <context xmlns="urn:zimbra">
      <authToken>...long-ass-zimbra-auth-token...</authToken>
    </context>
  </soap:Header>
  <soap:Body>
    <GetFolderRequest xmlns="urn:zimbraMail"/>
  </soap:Body>
</soap:Envelope>

Now the request trying to use our custom AuthProvider impl:

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Header>
    <context xmlns="urn:zimbra">
      <authToken type="CUSTOM_AUTH_PROVIDER">abc-custom-authsystem-token-xyz</authToken>
    </context>
  </soap:Header>
  <soap:Body>
    <GetFolderRequest xmlns="urn:zimbraMail"/>
  </soap:Body>
</soap:Envelope>

This generates a 500 response:
Code: service.AUTH_REQUIRED
at com.zimbra.common.service.ServiceException.AUTH_REQUIRED(ServiceException.java:296)


....

#4 | 03-10-2011, 02:21 PM | Project Contributor (Posts: 92)

Hi arw,


First of all, can we make sure that your auth provider extension is properly loaded?
You can check that from mailbox.log. Or you can log some messages in the extension's init() to mailbox.log and check that.

Then if it is there, please check that the zimbra_auth_provider setting in localconfig is properly done.

#5 | 03-10-2011, 02:35 PM | arw (Active Member, Posts: 25)

Hi Yutaka,

Yes, zmlocalconfig value zimbra_auth_provider is correctly set to 'CUSTOM_AUTH_PROVIDER' and logging indicates the extension is loading properly. Also login calls made from the main web-client login screen (which uses SOAP) can be seen to be calling the custom auth provider.

Thx for reply ... hope you can shed some light!

#6 | 03-10-2011, 05:27 PM | Project Contributor (Posts: 92)

So basically, you said that your auth provider looks to be executed for every auth request, but it does not look to pick up your own auth token, right?

Hmm...

Can we see your auth provider source code?

#7 | 03-11-2011, 06:57 AM | arw (Active Member, Posts: 25)

It's called by the main login web interface which makes a soap call to the api.

It is not called when I make a direct soap request as detailed in the blog entry, specifying my AuthProvider in the authToken 'type' attribute.

I will try to post the source code a bit later but it is basically a carbon copy of ZimbraAuthProvider except I added an additional POST call to our SSO system to verify the token.

#8 | 03-13-2011, 09:39 PM | Zimbra Employee (Posts: 70)

Looks like your auth provider implementation is working only when auth cookie is present. Can you check your implementation of the authToken(Element soapCtxt, Map engineCtxt) method since that's the method that looks up the token inside the soap header context.
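
The thread turns on where the authToken element sits in the request (soap:Body versus the soap:Header context) and what its type attribute says. As an added example, not code from the thread or from Zimbra, this Python check reports both for a captured SOAP request. The function names, result labels and the comma-separated handling of the zimbra_auth_provider value are assumptions of the example, and the sample requests are constructed from the ones posted above.

```python
import xml.etree.ElementTree as ET

SOAP = "{http://www.w3.org/2003/05/soap-envelope}"
ZIMBRA = "{urn:zimbra}"

def find_auth_tokens(envelope_xml):
    """Return (location, type, value) for each authToken in a SOAP 1.2 envelope."""
    root = ET.fromstring(envelope_xml)
    found = []
    header = root.find(SOAP + "Header")
    if header is not None:
        # The place the blog example and post #3 put the token: Header/context/authToken
        for tok in header.findall(f"{ZIMBRA}context/{ZIMBRA}authToken"):
            found.append(("header", tok.get("type"), (tok.text or "").strip()))
    body = root.find(SOAP + "Body")
    if body is not None:
        # Any authToken under the body, whatever namespace the request element uses
        for el in body.iter():
            if el.tag.rsplit("}", 1)[-1] == "authToken":
                found.append(("body", el.get("type"), (el.text or "").strip()))
    return found

def diagnose(envelope_xml, configured):
    """Classify the request shape against the zimbra_auth_provider value (assumed comma-separated)."""
    names = {n.strip() for n in configured.split(",") if n.strip()}
    tokens = find_auth_tokens(envelope_xml)
    if not tokens:
        return "no-token"
    in_header = [t for t in tokens if t[0] == "header"]
    if not in_header:
        return "body-only"              # the situation found in post #2
    token_type = in_header[0][1]
    if token_type is None:
        return "header-untyped"         # like the standard-token request in post #3
    return "header-type-matches" if token_type in names else "header-type-mismatch"

# Constructed sample requests, modelled on the ones in posts #1 and #3.
ENV = '<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">'
TOKEN = '<authToken type="CUSTOM_AUTH_PROVIDER">abc-custom-authsystem-token-xyz</authToken>'
HEADER_REQ = (ENV + '<soap:Header><context xmlns="urn:zimbra">' + TOKEN +
              '</context></soap:Header><soap:Body>'
              '<GetFolderRequest xmlns="urn:zimbraMail"/></soap:Body></soap:Envelope>')
BODY_REQ = (ENV + '<soap:Body><AuthRequest xmlns="urn:zimbraAccount">' + TOKEN +
            '</AuthRequest></soap:Body></soap:Envelope>')

if __name__ == "__main__":
    for label, req in (("header request", HEADER_REQ), ("body request", BODY_REQ)):
        print(label, "->", diagnose(req, "CUSTOM_AUTH_PROVIDER"))
```

A `header-type-matches` result for a request that still fails points away from the request itself and toward the provider's SOAP-context lookup, which is what post #8 asks about.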