Zarafa webaccess with Shibboleth SSO (saml2) authentication

From Zarafa wiki

(Difference between revisions)
(New page: == Prerequisites == A working installation of: * Zarafa (tested with 6.40.2 on RHEL5) * Apache * Shibboleth IDP & SP (tested with IDP 2.1 and SP 2.3.1) == Setup == * This setup assumes t...)
(Setup)
Line 7: Line 7:
== Setup ==
== Setup ==
-
* This setup assumes that you release the uid attribute after a successful login
+
* This setup assumes that you release the REMOTE_USER attribute after a successful login, if not sure test it with phpinfo();
* Add the needed shibboleth lines to the zarafa webacces config in ''/etc/httpd/conf.d/zarafa-webaccess.conf''
* Add the needed shibboleth lines to the zarafa webacces config in ''/etc/httpd/conf.d/zarafa-webaccess.conf''
This is an example of the configuration within Apache. There are other places where you can shibboleth your application
This is an example of the configuration within Apache. There are other places where you can shibboleth your application
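Review bot: the added bullet calls REMOTE_USER an attribute that is "released", but the PHP removed in the next hunk reads it from $_SERVER, so it is a server variable the SP fills in, not something released under that name. Suggest wording such as "This setup assumes the SP sets REMOTE_USER after a successful login" and stating which released attribute it is populated from, since the old text named uid and the new text names none. The phpinfo() hint would also read better as its own sentence, with a reminder to delete the test page afterwards because it prints the whole server environment.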
Line 25: Line 25:
* Alter the zarafa ''server.cfg'' and add the apache user to the ''local_admin_users''. Example: ''local_admin_users'' = root vmail apache
* Alter the zarafa ''server.cfg'' and add the apache user to the ''local_admin_users''. Example: ''local_admin_users'' = root vmail apache
-
 
-
* Replace the ''REMOTE_USER'' variable in ''/usr/share/zarafa-webaccess/index.php'' with the uid attribute released by shibboleth.
 
-
 
-
Change:
 
-
<pre>if( ! $_POST && $_SERVER && array_key_exists("REMOTE_USER", $_SERVER)) {
 
-
    $_SESSION["username"] = utf8_to_windows1252($_SERVER['REMOTE_USER']);</pre>
 
-
 
-
To:
 
-
<pre>if( ! $_POST && $_SERVER && array_key_exists("uid", $_SERVER)) {
 
-
    $_SESSION["username"] = utf8_to_windows1252($_SERVER['uid']);</pre>
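Review bot: with the "Change:" / "To:" block removed, the page no longer says that index.php is used as shipped, so a reader who applied the earlier uid patch gets no hint to revert it. Suggest keeping one sentence stating that the stock check on $_SERVER['REMOTE_USER'] stays unmodified. The unchanged context line that adds apache to local_admin_users would also benefit from a sentence on why it is needed, since the page gives no reason for it.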
 

Revision as of 08:20, 3 November 2010

Prerequisites

A working installation of:

  • Zarafa (tested with 6.40.2 on RHEL5)
  • Apache
  • Shibboleth IDP & SP (tested with IDP 2.1 and SP 2.3.1)

Setup

  • This setup assumes that you release the REMOTE_USER attribute after a successful login. If you are not sure, test it with phpinfo();
  • Add the needed Shibboleth lines to the Zarafa webaccess config in /etc/httpd/conf.d/zarafa-webaccess.conf

This is an example of the configuration within Apache. There are other places where you can protect your application with Shibboleth.

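Alias /webaccess /usr/share/zarafa-webaccess
<Directory /usr/share/zarafa-webaccess/>
    DirectoryIndex index.php
    Options -Indexes +FollowSymLinks
    AllowOverride Options
    Order allow,deny
    Allow from all
    # Hand authentication for this directory to the Shibboleth SP module
    AuthType shibboleth
    # Require a Shibboleth session before any request is served
    ShibRequireSession On
    # Make the SAML assertion available to the application
    ShibExportAssertion On
    require valid-user
</Directory>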
  • Alter the Zarafa server.cfg and add the apache user to local_admin_users. Example: local_admin_users = root vmail apache
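A pre-flight check for the two settings the steps above rely on, as an added example (not part of the wiki page or of Zarafa's tooling): it reads the Apache config text and the server.cfg text and reports which of the page's Shibboleth directives are missing and whether apache is in local_admin_users. The function names and the embedded sample text are constructed for illustration.

```python
import re
# Directives from the page's <Directory> block that put webaccess behind Shibboleth.
REQUIRED = {"authtype": "shibboleth", "shibrequiresession": "on", "require": "valid-user"}
# Constructed samples, copied from the configuration shown on this page.
SAMPLE_CONF = """\
<Directory /usr/share/zarafa-webaccess/>
    AuthType shibboleth
    ShibRequireSession On
    ShibExportAssertion On
    require valid-user
</Directory>
"""
SAMPLE_CFG = "local_admin_users = root vmail apache\n"

def directory_block(conf_text, path):
    """Return {directive: value} (lower-cased) for <Directory path>, or None if absent."""
    block = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # commented-out directives do not count
            continue
        opened = re.match(r"<Directory\s+(.+?)\s*>$", line, re.I)
        if opened:
            same = opened.group(1).strip('"').rstrip("/") == path.rstrip("/")
            block = {} if same else None
        elif line.lower().startswith("</directory"):
            if block is not None:
                return block
        elif block is not None:
            name, _, value = line.partition(" ")
            block[name.lower()] = value.strip().lower()
    return None

def missing_directives(conf_text, path="/usr/share/zarafa-webaccess"):
    """Names of REQUIRED directives that are missing or set to another value."""
    block = directory_block(conf_text, path) or {}
    return sorted(k for k, v in REQUIRED.items() if block.get(k) != v)

def local_admin_users(server_cfg_text):
    """Users on the local_admin_users line of server.cfg (empty list if not set)."""
    for raw in server_cfg_text.splitlines():
        key, sep, value = raw.partition("=")
        if sep and key.strip() == "local_admin_users":
            return value.split()
    return []

if __name__ == "__main__":
    print(missing_directives(SAMPLE_CONF), "apache" in local_admin_users(SAMPLE_CFG))
```

On a real host, pass in the contents of /etc/httpd/conf.d/zarafa-webaccess.conf and of server.cfg instead of the samples.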