Micke/roundcubemail-plugins-kolab
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
roundcubemail-plugins-kolab/plugins/kolab_sso
History
Aleksander Machniak 0abee6c0f0 SSO + Chwala, and some improvements 
Requires:
https://github.com/roundcube/roundcubemail/commit/edd9c31d6c69f4f
https://git.kolab.org/rC76f9b695c55cb118e317d760965c6e23b44dff86
2018-11-23 15:45:30 +00:00
..
drivers Kolab SSO plugin - initial commit 2018-11-19 13:28:23 +01:00
lib/Firebase/JWT Kolab SSO plugin - initial commit 2018-11-19 13:28:23 +01:00
localization Kolab SSO plugin - initial commit 2018-11-19 13:28:23 +01:00
composer.json Kolab SSO plugin - initial commit 2018-11-19 13:28:23 +01:00
config.inc.php.dist SSO + SMTP 2018-11-19 14:31:46 +00:00
kolab_sso.php SSO + Chwala, and some improvements 2018-11-23 15:45:30 +00:00
LICENSE Kolab SSO plugin - initial commit 2018-11-19 13:28:23 +01:00
README SSO + Chwala, and some improvements 2018-11-23 15:45:30 +00:00

README 

Single Sign On Authentication for Kolab
---------------------------------------

This plugin adds possibility to authenticate users via external authentication
services. Currently the only supported method of authentication is OpenID Connect.

Because Kolab backends do not support token authentication it is required
to use master user (sasl proxy) authentication where possible and service
user credentials in other places. See IMPLEMENTATION NOTES below for details.

Plugin requires libkolab plugin and HTTP/Request2 library.
Plugin contains BSD-licensed https://github.com/firebase/php-jwt (v5.0.0) library.

Supported algorithms:
- HS256, HS385, HS512 (PHP hash extension required)
- RS256, RS384, RS512 (PHP openssl extension required).


INSTALLATION
------------

Enable plugin in Roundcube's main configuration file. Make sure it is first
on the list of plugins, especially before any authentication plugin, e.g. kolab_auth.

Default return-URL for Auth Provider is https://host.roundcube?_task=login&_action=sso,
but not all providers support query params. To workaround this limitation you have to
define an alias URI or redirect. For example:

RewriteEngine On
RewriteCond %{REQUEST_URI}  ^/roundcubemail
RewriteRule "^sso" "/roundcubemail/?_task=login&_action=sso" [L,QSA]

For the above "alias" plugin configuration should include 'response_uri' = '/sso'
and on the provider side configured URI will be https://host/roundcubemail/sso.


IMPLEMENTATION NOTES
--------------------

[IMAP] Because Kolab backend do not support token authentication it is required
to use master user (sasl proxy) authentication, i.e. you have to put
master user credentials in plugin's config.

[SMTP] For the same reason and also because the same master user does not work in Postfix,
you have to specify SMTP connection parameters/user+password.

[Freebusy] Authentication into kolab-freebusy service is not yet implemented. A solution for
now is to add Roundcube host(s) into trustednetworks.allow option in kolab-freebusy service config.

[Chwala] Authentication to Chwala will work if it uses the same (session) database as Roundcube.
Additionally set $config['fileapi_plugins'] = array('kolab_sso', 'kolab_auth', 'kolab_folders');
Authenticating to Seafile/WebDAV storage is not supported (until it's custom user-defined
storage with saved password).


TODO
----

- LDAP addressbook
- kolab_delegation (LDAP auth)
- Chwala+Seafile
- Chwala+WebDAV
- Freebusy auth
- Mattermost auth
- Extended token validation