Single Sign On Authentication for Kolab
---------------------------------------
This plugin adds possibility to authenticate users via external authentication
services. Currently the only supported method of authentication is OpenID Connect.
Because Kolab backends do not support token authentication it is required
to use master user (sasl proxy) authentication where possible and service
user credentials in other places. See IMPLEMENTATION NOTES below for details.
Plugin requires libkolab plugin and HTTP/Request2 library.
Plugin contains BSD-licensed https://github.com/firebase/php-jwt (v5.0.0) library.
Supported algorithms:
- HS256, HS385, HS512 (PHP hash extension required)
- RS256, RS384, RS512 (PHP openssl extension required).
INSTALLATION
------------
Enable plugin in Roundcube's main configuration file. Make sure it is first
on the list of plugins, especially before any authentication plugin, e.g. kolab_auth.
Default return-URL for Auth Provider is https://host.roundcube?_task=login&_action=sso,
but not all providers support query params. To workaround this limitation you have to
define an alias URI or redirect. For example:
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/roundcubemail
RewriteRule "^sso" "/roundcubemail/?_task=login&_action=sso" [L,QSA]
For the above "alias" plugin configuration should include 'response_uri' = '/sso'
and on the provider side configured URI will be https://host/roundcubemail/sso.
IMPLEMENTATION NOTES
--------------------
Specification: https://openid.net/specs/openid-connect-core-1_0.html
Limitations:
- OpenIDC Discovery and Dynamic Client Registration is not supported,
- Authentication with Authorization Code Flow is the only one supported,
- required grant types: authorization_code, refresh_token (for token refresh),
- required claims: id_token,
- required scopes: email, openid, offline_access (for token refresh),
- endpoints used: token, authorization,
- supported signature algorithms: HS256, HS385, HS512, RS256, RS384, RS512.
- supported token endpoint auth methods: client_secret_basic, client_secret_post.
[IMAP] Because Kolab backend do not support token authentication it is required
to use master user (sasl proxy) authentication, i.e. you have to put
master user credentials in plugin's config.
[SMTP] For the same reason and also because the same master user does not work in Postfix,
you have to specify SMTP connection parameters/user+password.
[LDAP] Global addressbook (read-only) requires LDAP user/password. 'user_specific' option does
not work as well as proxy authentication.
[Freebusy] Authentication into kolab-freebusy service is not yet implemented. A solution for
now is to add Roundcube host(s) into trustednetworks.allow option in kolab-freebusy service config.
[Chwala] Authentication to Chwala will work if it uses the same (session) database as Roundcube.
Additionally set $config['fileapi_plugins'] = array('kolab_sso', 'kolab_auth', 'kolab_folders');
Authenticating to Seafile/WebDAV storage is not supported (until it's custom user-defined
storage).
TODO
----
- kolab_delegation (LDAP auth for write operation)
- Chwala+Seafile
- Chwala+WebDAV
- Freebusy auth
- Mattermost auth
- Extended token validation
