Page MenuHomePhorge
Files F262066

README
No OneTemporary
Actions

README
View Options

Single Sign On Authentication for Kolab
---------------------------------------
This plugin adds possibility to authenticate users via external authentication
services. Currently it supports various authentication methods based on
OAuth2 and OpenID Connect (and requires JWT token use).
Because Kolab backends do not support token authentication it is required
to use master user (sasl proxy) authentication where possible and service
user credentials in other places. See IMPLEMENTATION NOTES below for details.
Plugin requires libkolab plugin and HTTP/Request2 library.
Plugin contains BSD-licensed https://github.com/firebase/php-jwt (v5.0.0) library.
Supported algorithms:
- HS256, HS385, HS512 (PHP hash extension required)
- RS256, RS384, RS512 (PHP openssl extension required).
INSTALLATION
------------
Enable plugin in Roundcube's main configuration file. Make sure it is first
on the list of plugins, especially before any authentication plugin, e.g. kolab_auth.
Default return-URL for Auth Provider is https://host.roundcube?_task=login&_action=sso,
but not all providers support query params. To workaround this limitation you have to
define an alias URI or redirect. For example:
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/roundcubemail
RewriteRule "^sso" "/roundcubemail/?_task=login&_action=sso" [L,QSA]
For the above "alias" plugin configuration should include 'response_uri' = '/sso'
and on the provider side configured URI will be https://host/roundcubemail/sso.
IMPLEMENTATION NOTES
--------------------
Specification: https://openid.net/specs/openid-connect-core-1_0.html
Limitations:
- OpenIDC Discovery and Dynamic Client Registration is not supported,
- Authentication with Authorization Code Flow is the only one supported,
- required grant types: authorization_code, refresh_token (for token refresh),
- required claims: id_token,
- required scopes: email, openid, offline_access (for token refresh),
- endpoints used: token, authorization,
- supported signature algorithms: HS256, HS385, HS512, RS256, RS384, RS512.
- supported token endpoint auth methods: client_secret_basic, client_secret_post.
[IMAP] Because Kolab backend does not support token authentication it is required
to use master user (sasl proxy) authentication, i.e. you have to put
master user credentials in plugin's config.
[SMTP] For the same reason and also because the same master user does not work in Postfix,
you have to specify SMTP connection parameters/user+password.
[LDAP] Global addressbook (read-only) requires LDAP user/password. 'user_specific' option does
not work, neither the proxy authentication.
[Freebusy] Authentication into kolab-freebusy service is not yet implemented. A solution for
now is to add Roundcube host(s) into trustednetworks.allow option in kolab-freebusy service config.
[Chwala] Authentication to Chwala will work if it uses the same (session) database as Roundcube.
Additionally set $config['fileapi_plugins'] = array('kolab_sso', 'kolab_auth', 'kolab_folders');
Authenticating to Seafile/WebDAV storage is not supported (until it's custom user-defined
storage).
TODO
----
- kolab_delegation (LDAP auth for write operation)
- Chwala+Seafile
- Chwala+WebDAV
- Freebusy auth
- Mattermost auth
- Extended token validation

File Metadata

Mime Type
text/plain
Expires
Sat, Jun 28, 7:03 PM (1 d, 55 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
201450
Default Alt Text
README (3 KB)

Event Timeline