Zarafa webaccess with Shibboleth SSO (saml2) authentication

From Zarafa wiki

(Difference between revisions)
Jump to: navigation, search
(New page: == Prerequisites == A working installation of: * Zarafa (tested with 6.40.2 on RHEL5) * Apache * Shibboleth IDP & SP (tested with IDP 2.1 and SP 2.3.1) == Setup == * This setup assumes t...)
(Setup)
 
(5 intermediate revisions not shown)
Line 2: Line 2:
A working installation of:
A working installation of:
-
* Zarafa (tested with 6.40.2 on RHEL5)
+
* Zarafa (tested with 6.40.3 on RHEL5)
* Apache
* Apache
-
* Shibboleth IDP & SP (tested with IDP 2.1 and SP 2.3.1)
+
* Shibboleth IDP & SP (tested with IDP 2.2 and SP 2.3.1)
== Setup ==
== Setup ==
-
* This setup assumes that you release the uid attribute after a successful login
+
* This setup assumes that you release the ''REMOTE_USER'' attribute after a successful login, if not sure test it with phpinfo();
* Add the needed shibboleth lines to the zarafa webacces config in ''/etc/httpd/conf.d/zarafa-webaccess.conf''
* Add the needed shibboleth lines to the zarafa webacces config in ''/etc/httpd/conf.d/zarafa-webaccess.conf''
This is an example of the configuration within Apache. There are other places where you can shibboleth your application
This is an example of the configuration within Apache. There are other places where you can shibboleth your application
Line 18: Line 18:
     Order allow,deny
     Order allow,deny
     Allow from all
     Allow from all
 +
     AuthType shibboleth
     AuthType shibboleth
     ShibRequireSession On
     ShibRequireSession On
Line 26: Line 27:
* Alter the zarafa ''server.cfg'' and add the apache user to the ''local_admin_users''. Example: ''local_admin_users'' = root vmail apache
* Alter the zarafa ''server.cfg'' and add the apache user to the ''local_admin_users''. Example: ''local_admin_users'' = root vmail apache
-
* Replace the ''REMOTE_USER'' variable in ''/usr/share/zarafa-webaccess/index.php'' with the uid attribute released by shibboleth.
+
* Alter the file config.php in /usr/share/zarafa-webaccess and change ''LOGINNAME_STRIP_DOMAIN'' to 'true' (single company assumed)
-
 
+
-
Change:
+
-
<pre>if( ! $_POST && $_SERVER && array_key_exists("REMOTE_USER", $_SERVER)) {
+
-
    $_SESSION["username"] = utf8_to_windows1252($_SERVER['REMOTE_USER']);</pre>
+
-
 
+
-
To:
+
-
<pre>if( ! $_POST && $_SERVER && array_key_exists("uid", $_SERVER)) {
+
-
    $_SESSION["username"] = utf8_to_windows1252($_SERVER['uid']);</pre>
+

Latest revision as of 08:23, 3 November 2010

Prerequisites

A working installation of:

  • Zarafa (tested with 6.40.3 on RHEL5)
  • Apache
  • Shibboleth IDP & SP (tested with IDP 2.2 and SP 2.3.1)

Setup

  • This setup assumes that you release the REMOTE_USER attribute after a successful login, if not sure test it with phpinfo();
  • Add the needed shibboleth lines to the zarafa webacces config in /etc/httpd/conf.d/zarafa-webaccess.conf

This is an example of the configuration within Apache. There are other places where you can shibboleth your application 

Alias /webaccess /usr/share/zarafa-webaccess
<Directory /usr/share/zarafa-webaccess/>
    DirectoryIndex index.php
    Options -Indexes +FollowSymLinks
    AllowOverride Options
    Order allow,deny
    Allow from all

    AuthType shibboleth
    ShibRequireSession On
    ShibExportAssertion On
    require valid-user
</Directory>
  • Alter the zarafa server.cfg and add the apache user to the local_admin_users. Example: local_admin_users = root vmail apache
  • Alter the file config.php in /usr/share/zarafa-webaccess and change LOGINNAME_STRIP_DOMAIN to 'true' (single company assumed)
Retrieved from "http://www.zarafa.com/wiki/index.php/Zarafa_webaccess_with_Shibboleth_SSO_(saml2)_authentication"
Personal tools