In my limited testing of ZCS 8.0.7, it appears that when I set zimbraWebClientLoginURL and zimbraWebClientLogoutURL on a virtual domain:
- Hits on the virtual host redirect properly to the SSO system
- The AJAX v. HTML v. Mobile UI is chosen based on browser User-Agent
- Explicit logout from ZWC redirects to the SSO system
Possible issues:
- Is there an argument that I can pass to /service/preauth to force a specific client, like /h/ instead of /m/ on an iPad?
- Cookie timeouts, invalidated sessions, and maintenance mode seem to go to the built-in ZCS login page. This is acceptable and maybe even preferred because the SSO system can't give a specific error. Is that correct, or is this just an artifact of the test being a non-default virtual host and the nginx proxy not having been restarted since configuring the vhost?
- Is there a way to bypass SSO for specific accounts, forcing use of the internal login page? User-Agent is not the answer I'm looking for.
- Are there other edge cases I haven't considered?
We are quasi-hosted, so I don't think I want to use SAML, which, while possibly more secure than a pre-shared key, is newer and less documented. Or does anyone here happen to use and recommend native SAML between Shibboleth 2.4.1 and ZCS 8?
--
Rich Graves <rgraves@carleton.edu>
Carleton.edu Sr UNIX and Security Admin
CMC135: 507-222-7079 Cell: 952-292-6529