Zarafa webaccess with Shibboleth SSO (saml2) authentication

From Zarafa wiki

(Difference between revisions)
(Setup)
(Setup)
 
(4 intermediate revisions not shown)
Line 2: Line 2:
A working installation of:
A working installation of:
-
* Zarafa (tested with 6.40.2 on RHEL5)
+
* Zarafa (tested with 6.40.3 on RHEL5)
* Apache
* Apache
-
* Shibboleth IDP & SP (tested with IDP 2.1 and SP 2.3.1)
+
* Shibboleth IDP & SP (tested with IDP 2.2 and SP 2.3.1)
== Setup ==
== Setup ==
-
* This setup assumes that you release the REMOTE_USER attribute after a successful login, if not sure test it with phpinfo();
+
* This setup assumes that you release the ''REMOTE_USER'' attribute after a successful login, if not sure test it with phpinfo();
* Add the needed shibboleth lines to the zarafa webacces config in ''/etc/httpd/conf.d/zarafa-webaccess.conf''
* Add the needed shibboleth lines to the zarafa webacces config in ''/etc/httpd/conf.d/zarafa-webaccess.conf''
This is an example of the configuration within Apache. There are other places where you can shibboleth your application
This is an example of the configuration within Apache. There are other places where you can shibboleth your application
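Review bot: In the re-marked ''REMOTE_USER'' bullet, the phpinfo() test is left with no cleanup step. phpinfo() prints the full server environment and PHP configuration, so the bullet should say to place the test page under the same Shibboleth-protected location and to delete it once REMOTE_USER has been confirmed.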
Line 18: Line 18:
     Order allow,deny
     Order allow,deny
     Allow from all
     Allow from all
 +
     AuthType shibboleth
     AuthType shibboleth
     ShibRequireSession On
     ShibRequireSession On
Line 25: Line 26:
* Alter the zarafa ''server.cfg'' and add the apache user to the ''local_admin_users''. Example: ''local_admin_users'' = root vmail apache
* Alter the zarafa ''server.cfg'' and add the apache user to the ''local_admin_users''. Example: ''local_admin_users'' = root vmail apache
 +
 +
* Alter the file config.php in /usr/share/zarafa-webaccess and change ''LOGINNAME_STRIP_DOMAIN'' to 'true' (single company assumed)
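Review bot: The added LOGINNAME_STRIP_DOMAIN step gives the value as 'true' in quotes and does not say why stripping is needed. If REMOTE_USER arrives in user@domain form, say so, and write the value exactly as it should appear in config.php. The "(single company assumed)" remark deserves a full sentence: with more than one domain behind the IdP, stripping maps the same local part from different domains to one login name.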

Latest revision as of 08:23, 3 November 2010

Prerequisites

A working installation of:

  • Zarafa (tested with 6.40.3 on RHEL5)
  • Apache
  • Shibboleth IDP & SP (tested with IDP 2.2 and SP 2.3.1)

Setup

  • This setup assumes that you release the REMOTE_USER attribute after a successful login. If you are not sure, test it with phpinfo();
  • Add the needed Shibboleth lines to the Zarafa webaccess config in /etc/httpd/conf.d/zarafa-webaccess.conf

This is an example of the configuration within Apache. There are other places where you can apply Shibboleth protection to your application.

Alias /webaccess /usr/share/zarafa-webaccess
<Directory /usr/share/zarafa-webaccess/>
    DirectoryIndex index.php
    Options -Indexes +FollowSymLinks
    AllowOverride Options
    Order allow,deny
    Allow from all

    AuthType shibboleth
    ShibRequireSession On
    ShibExportAssertion On
    require valid-user
</Directory>

  • Alter the Zarafa server.cfg and add the apache user to local_admin_users. Example: local_admin_users = root vmail apache
  • Alter the file config.php in /usr/share/zarafa-webaccess and change LOGINNAME_STRIP_DOMAIN to 'true' (single company assumed)
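
One way to confirm that the three changes above are in place, as an added example that is not part of the original wiki page: a shell script that checks the Shibboleth directives sit inside the webaccess <Directory> block, that apache is listed in local_admin_users, and that LOGINNAME_STRIP_DOMAIN is true. The function names are this example's own, and it assumes config.php sets the option with a PHP define() call, which the page does not show.

```shell
#!/bin/sh
# Added example: audit the three settings changed in the Setup steps.
# File paths are arguments, so the checks can also run against copies.

# Pass if the webaccess <Directory> block ($1) enforces a Shibboleth session.
check_apache_conf() {
    # Keep only the lines inside the zarafa-webaccess block.
    block=$(sed -n '\|^[[:space:]]*<Directory[[:space:]]*/usr/share/zarafa-webaccess|,\|</Directory>|p' "$1")
    for d in 'AuthType[[:space:]]+shibboleth' 'ShibRequireSession[[:space:]]+On' \
             'require[[:space:]]+valid-user'; do
        # Anchored at line start, so commented-out directives do not count.
        if ! printf '%s\n' "$block" | grep -Eiq "^[[:space:]]*${d}[[:space:]]*\$"; then
            echo "FAIL $1: no '${d}' in webaccess <Directory> block" >&2
            return 1
        fi
    done
}

# Pass if unix user $2 is listed in local_admin_users in server.cfg ($1).
check_local_admin() {
    admins=$(sed -n 's/^[[:space:]]*local_admin_users[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    for u in $admins; do
        if [ "$u" = "$2" ]; then return 0; fi
    done
    echo "FAIL $1: '$2' not in local_admin_users" >&2
    return 1
}

# Pass if config.php ($1) sets LOGINNAME_STRIP_DOMAIN to true.
# Assumption: the option is set with a PHP define() call.
check_strip_domain() {
    if ! grep -Eiq "^[[:space:]]*define\([[:space:]]*['\"]LOGINNAME_STRIP_DOMAIN['\"][[:space:]]*,[[:space:]]*['\"]?true['\"]?[[:space:]]*\)" "$1"; then
        echo "FAIL $1: LOGINNAME_STRIP_DOMAIN is not true" >&2
        return 1
    fi
}

# Run all three checks and report every failure, not just the first.
audit_sso() {
    rc=0
    check_apache_conf "$1" || rc=1
    check_local_admin "$2" apache || rc=1
    check_strip_domain "$3" || rc=1
    return "$rc"
}

# Usage: sh audit.sh zarafa-webaccess.conf server.cfg config.php
if [ "$#" -eq 3 ]; then audit_sso "$@"; fi
```

A directive that appears only in a different <Directory> block, or only in a commented-out line, is reported as missing.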