80 lines
3.2 KiB
Text
80 lines
3.2 KiB
Text
Single Sign On Authentication for Kolab
|
|
---------------------------------------
|
|
|
|
This plugin adds possibility to authenticate users via external authentication
|
|
services. Currently it supports various authentication methods based on
|
|
OAuth2 and OpenID Connect (and requires JWT token use).
|
|
|
|
Because Kolab backends do not support token authentication it is required
|
|
to use master user (sasl proxy) authentication where possible and service
|
|
user credentials in other places. See IMPLEMENTATION NOTES below for details.
|
|
|
|
Plugin requires libkolab plugin and HTTP/Request2 library.
|
|
Plugin contains BSD-licensed https://github.com/firebase/php-jwt (v5.0.0) library.
|
|
|
|
Supported algorithms:
|
|
- HS256, HS385, HS512 (PHP hash extension required)
|
|
- RS256, RS384, RS512 (PHP openssl extension required).
|
|
|
|
|
|
INSTALLATION
|
|
------------
|
|
|
|
Enable plugin in Roundcube's main configuration file. Make sure it is first
|
|
on the list of plugins, especially before any authentication plugin, e.g. kolab_auth.
|
|
|
|
Default return-URL for Auth Provider is https://host.roundcube?_task=login&_action=sso,
|
|
but not all providers support query params. To workaround this limitation you have to
|
|
define an alias URI or redirect. For example:
|
|
|
|
RewriteEngine On
|
|
RewriteCond %{REQUEST_URI} ^/roundcubemail
|
|
RewriteRule "^sso" "/roundcubemail/?_task=login&_action=sso" [L,QSA]
|
|
|
|
For the above "alias" plugin configuration should include 'response_uri' = '/sso'
|
|
and on the provider side configured URI will be https://host/roundcubemail/sso.
|
|
|
|
|
|
IMPLEMENTATION NOTES
|
|
--------------------
|
|
|
|
Specification: https://openid.net/specs/openid-connect-core-1_0.html
|
|
|
|
Limitations:
|
|
- OpenIDC Discovery and Dynamic Client Registration is not supported,
|
|
- Authentication with Authorization Code Flow is the only one supported,
|
|
- required grant types: authorization_code, refresh_token (for token refresh),
|
|
- required claims: id_token,
|
|
- required scopes: email, openid, offline_access (for token refresh),
|
|
- endpoints used: token, authorization,
|
|
- supported signature algorithms: HS256, HS385, HS512, RS256, RS384, RS512.
|
|
- supported token endpoint auth methods: client_secret_basic, client_secret_post.
|
|
|
|
[IMAP] Because Kolab backend does not support token authentication it is required
|
|
to use master user (sasl proxy) authentication, i.e. you have to put
|
|
master user credentials in plugin's config.
|
|
|
|
[SMTP] For the same reason and also because the same master user does not work in Postfix,
|
|
you have to specify SMTP connection parameters/user+password.
|
|
|
|
[LDAP] Global addressbook (read-only) requires LDAP user/password. 'user_specific' option does
|
|
not work, neither the proxy authentication.
|
|
|
|
[Freebusy] Authentication into kolab-freebusy service is not yet implemented. A solution for
|
|
now is to add Roundcube host(s) into trustednetworks.allow option in kolab-freebusy service config.
|
|
|
|
[Chwala] Authentication to Chwala will work if it uses the same (session) database as Roundcube.
|
|
Additionally set $config['fileapi_plugins'] = array('kolab_sso', 'kolab_auth', 'kolab_folders');
|
|
Authenticating to Seafile/WebDAV storage is not supported (until it's custom user-defined
|
|
storage).
|
|
|
|
|
|
TODO
|
|
----
|
|
|
|
- kolab_delegation (LDAP auth for write operation)
|
|
- Chwala+Seafile
|
|
- Chwala+WebDAV
|
|
- Freebusy auth
|
|
- Mattermost auth
|
|
- Extended token validation
|