roundcubemail-plugins-kolab

History

Aleksander Machniak a2fdf05f79 Update localization		2021-10-11 11:04:38 +02:00
..
drivers	SSO: Fix PHP Fatal error: Call to undefined method kolab_sso_openidc::get_maram()	2019-10-24 14:14:51 +02:00
lib/Firebase/JWT	Kolab SSO plugin - initial commit	2018-11-19 13:28:23 +01:00
localization	Update localization	2021-10-11 11:04:38 +02:00
composer.json	Bump version number to 3.5.4	2020-03-02 12:16:53 +01:00
config.inc.php.dist	SSO: Add some more documentation	2018-11-27 11:03:10 +01:00
kolab_sso.php	Kolab SSO: Fixed charset encoding issues in logon form	2018-12-10 09:23:28 +01:00
LICENSE	Kolab SSO plugin - initial commit	2018-11-19 13:28:23 +01:00
README	Fix typos	2019-10-10 09:08:43 +02:00

README

Single Sign On Authentication for Kolab
---------------------------------------

This plugin adds possibility to authenticate users via external authentication
services. Currently it supports various authentication methods based on
OAuth2 and OpenID Connect (and requires JWT token use).

Because Kolab backends do not support token authentication it is required
to use master user (sasl proxy) authentication where possible and service
user credentials in other places. See IMPLEMENTATION NOTES below for details.

Plugin requires libkolab plugin and HTTP/Request2 library.
Plugin contains BSD-licensed https://github.com/firebase/php-jwt (v5.0.0) library.

Supported algorithms:
- HS256, HS385, HS512 (PHP hash extension required)
- RS256, RS384, RS512 (PHP openssl extension required).


INSTALLATION
------------

Enable plugin in Roundcube's main configuration file. Make sure it is first
on the list of plugins, especially before any authentication plugin, e.g. kolab_auth.

Default return-URL for Auth Provider is https://host.roundcube?_task=login&_action=sso,
but not all providers support query params. To workaround this limitation you have to
define an alias URI or redirect. For example:

RewriteEngine On
RewriteCond %{REQUEST_URI}  ^/roundcubemail
RewriteRule "^sso" "/roundcubemail/?_task=login&_action=sso" [L,QSA]

For the above "alias" plugin configuration should include 'response_uri' = '/sso'
and on the provider side configured URI will be https://host/roundcubemail/sso.


IMPLEMENTATION NOTES
--------------------

Specification: https://openid.net/specs/openid-connect-core-1_0.html

Limitations:
- OpenIDC Discovery and Dynamic Client Registration is not supported,
- Authentication with Authorization Code Flow is the only one supported,
- required grant types: authorization_code, refresh_token (for token refresh),
- required claims: id_token,
- required scopes: email, openid, offline_access (for token refresh),
- endpoints used: token, authorization,
- supported signature algorithms: HS256, HS385, HS512, RS256, RS384, RS512.
- supported token endpoint auth methods: client_secret_basic, client_secret_post.

[IMAP] Because Kolab backend does not support token authentication it is required
to use master user (sasl proxy) authentication, i.e. you have to put
master user credentials in plugin's config.

[SMTP] For the same reason and also because the same master user does not work in Postfix,
you have to specify SMTP connection parameters/user+password.

[LDAP] Global addressbook (read-only) requires LDAP user/password. 'user_specific' option does
not work, neither the proxy authentication.

[Freebusy] Authentication into kolab-freebusy service is not yet implemented. A solution for
now is to add Roundcube host(s) into trustednetworks.allow option in kolab-freebusy service config.

[Chwala] Authentication to Chwala will work if it uses the same (session) database as Roundcube.
Additionally set $config['fileapi_plugins'] = array('kolab_sso', 'kolab_auth', 'kolab_folders');
Authenticating to Seafile/WebDAV storage is not supported (until it's custom user-defined
storage).


TODO
----

- kolab_delegation (LDAP auth for write operation)
- Chwala+Seafile
- Chwala+WebDAV
- Freebusy auth
- Mattermost auth
- Extended token validation