Zimbra SSO Questions

Hello,
I am in the process of setting up a central LDAP server that will serve as a central authentication (username/password) repository. I have been looking for a simple way to enable an SSO solution that Zimbra and several other portal applications (all can use LDAP) can use in order to provide the end user with a single sign-on experience.
My current idea is to simply pass login/password credentials to Zimbra (before loading Zimbra into a portal tab); Zimbra would accept this login/password programmatically and then invoke a logon command against an external LDAP server. The user would then be redirected to a Zimbra session (within the tab) that is logged in and ready to use.
My question is whether or not this seems feasible: I already have a portal environment that includes custom tabs for all applications, including Zimbra. I can invoke any sort of Zimbra-provided web services when the user clicks on the tab (prior to redirecting the tab contents to the Zimbra session). I can query the LDAP server for the current user, get the associated logon credentials, and pass those within said web service request.
1) Please provide assistance in how I could invoke the Zimbra login programmatically, preferably via web services, but via any PHP/Java script, etc. would also be fine.
2) I believe I would also be responsible for maintaining password sync between the local Zimbra LDAP and the central LDAP, and would also be responsible for adding and removing users in the local Zimbra LDAP... is this a correct assumption?
3) If all my applications can utilize the central LDAP server and I do not have need for a Microsoft or other domain, is there a better way to enable SSO apart from CAS?
4) Possibly where Zimbra (for example) queries the central portal for the current user (I could provide a web service) and then authenticates against the external LDAP... this is just a twist on the original model. Again, what Zimbra authentication function could be called (that would accept the username and password provided by the external LDAP query)?
Basically I am just hoping that I might enlist some advice as I set out on this process.
I would be happy to share my experience and methods with the community if that is helpful and not too odd of a solution for central SSO.
Thanks!
Last edited by jherington; 11-19-2007 at 01:17 PM.
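Added example, not from the poster or from the Zimbra project: questions 1 and 4 ask for a way to log a user into Zimbra programmatically from the portal. Zimbra's preauth mechanism does that without the portal ever touching the user's mailbox password: the portal and the Zimbra domain share a secret key, the portal signs "account|by|expires|timestamp" with HMAC-SHA1, and the user is redirected to the preauth URL carrying the hex signature. The Python below (the poster mentions PHP/Java; the same HMAC works in either) builds that URL and also shows, as an illustration of what the receiving side must enforce, a verifier that recomputes the signature in constant time and rejects stale timestamps. The host name, the key value and the five-minute skew tolerance are placeholders I chose; the exact parameter names and message layout are taken from Zimbra's published preauth scheme as I know it and should be checked against the version in use.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Placeholders (assumed values, not from the original post):
ZIMBRA_HOST = "mail.example.com"
PREAUTH_KEY = "0123456789abcdef0123456789abcdef-placeholder"  # constructed, not a real key
MAX_SKEW_MS = 5 * 60 * 1000  # assumed tolerance between portal and Zimbra clocks


def compute_preauth(account, key, timestamp_ms, expires=0, by="name"):
    """HMAC-SHA1 over 'account|by|expires|timestamp', lower-case hex (Zimbra preauth layout)."""
    msg = "|".join([account, by, str(expires), str(timestamp_ms)])
    return hmac.new(key.encode("utf-8"), msg.encode("utf-8"), hashlib.sha1).hexdigest()


def build_preauth_url(account, key, timestamp_ms=None, expires=0, host=ZIMBRA_HOST):
    """URL the portal redirects the browser to; 'expires=0' means 'use the server default'."""
    if timestamp_ms is None:
        timestamp_ms = int(time.time() * 1000)  # Zimbra expects milliseconds
    params = {
        "account": account,
        "by": "name",
        "timestamp": str(timestamp_ms),
        "expires": str(expires),
        "preauth": compute_preauth(account, key, timestamp_ms, expires),
    }
    return "https://%s/service/preauth?%s" % (host, urlencode(params))


def verify_preauth(params, key, now_ms):
    """Illustrative receiving-side check: reject malformed, stale or expired requests,
    then compare the recomputed signature in constant time."""
    try:
        ts = int(params["timestamp"])
        expires = int(params["expires"])
        account = params["account"]
    except (KeyError, ValueError):
        return False
    if abs(now_ms - ts) > MAX_SKEW_MS:
        return False  # replayed or clock-skewed request
    if expires and now_ms > expires:
        return False
    expected = compute_preauth(account, key, ts, expires, params.get("by", "name"))
    return hmac.compare_digest(expected, params.get("preauth", ""))


if __name__ == "__main__":
    # Constructed sample: the portal has already authenticated alice against the central LDAP.
    print(build_preauth_url("alice@example.com", PREAUTH_KEY))
```

Because only the shared key is needed, the portal does not have to read or forward the user's password (question 4's "credentials from the external LDAP query" are never fetched), and the key itself should be confined to the portal server and the Zimbra domain configuration, which is the one secret this design rests on.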