Re: Zimbra preauth versus maintenance mode, expired logins, etc.
Hi,
On Wed, Aug 20, 2014 at 05:31:42PM -0400, Rich Graves wrote:
> In my limited testing of ZCS 8.0.7, it appears that when I set zimbraWebClientLoginURL and zimbraWebClientLogoutURL on a virtual domain:
>
> 1. Hits on the virtual host redirect properly to the SSO system
> 2. The AJAX v. HTML v. Mobile UI is chosen based on browser User-Agent
> 3. Explicit logout from ZWC redirects to the SSO system
>
> Possible issues:
>
> 1. Is there an argument that I can pass to /service/preauth to force a specific client, like /h/ instead of /m/ on an iPad?
> 2. Cookie timeouts, invalidated sessions, and maintenance mode seem to go to the built-in ZCS login page. This is acceptable and maybe even preferred because the SSO system can't give a specific error. Is that correct, or is this just an artifact of the test being a non-default virtual host and the nginx proxy not having been restarted since configuring the vhost?
> 3. Is there a way to bypass SSO for specific accounts, forcing use of the internal login page? User-Agent is not the answer I'm looking for.
I think you cannot do that. What you can do is to unset zimbraWebClientLoginURL
and somehow direct the users to the login page (maybe a different domain name?)
> 4. Are there other edge cases I haven't considered?
>
> We are quasi-hosted so I don't think I want to use SAML, which while possibly more secure than a pre-shared key, is newer and less documented. Or does anyone here happen to use and recommend native SAML between Shibboleth 2.4.1 and ZCS 8?
I think I sent here a description of how I set up the Zimbra instance at my previous
workplace to authenticate to Shibboleth. In the background it also uses preauth.
(http://cstamas.hu/blog/posts/Zimbra_preauth_and_Shibboleth/)
Regards,
Tamas
--
CSILLAG Tamas (cstamas) - http://cstamas.hu/