Carbonio Auth

Carbonio Auth is the Carbonio component that influences the process of accessing a Carbonio instance from the Login Page onwards, including the access modality. Depending on the authentication backends configured, the access mask changes, to allow user to provide their credentials using any of the backends. This also is reflected in the Carbonio Auth for users.

Carbonio Auth allows to manage all the Authentication Strategies (user/pwd, SAML, 2FA, MobilePwd, QrCode) and Service Authorizations supported by Carbonio.

This section is divided in three main parts and organised as follows. Immediately below, you can find the description of all supported authentication methods; the next two sections are dedicated to administration tasks, which require privileged access and are mostly carried out from the CLI, and everyday’s task, which can be carried out from the Web GUI by both administrators and users, respectively. Finally, the list of all CLI commands is given as a reference, with link to each command.

Supported Authentication Methods

Carbonio Auth supports the following backends:

  • Temporary Auth link

  • Self service credentials management

    • Mobile password management

    • Application password

  • SAML integration

  • 2FA Authentication (using OTP token)

  • Credential Management by CLI

Self Service Credentials Management

Self-service credential management allows every user to create new passwords and QR codes for third-parties—​for example team members, personal assistants—​accessing her/his email account and Carbonio Applications from mobile devices.

QR Codes in particular can be used to access Mobile Apps, currently Carbonio Chats and Carbonio Files.

More information and step by step guidelines can be found in Section Carbonio Auth for users.

SAML

The Security Assertion Markup Language (SAML) is an XML-based open standard data format for exchanging authentication information. It enables web-based authentication and authorization scenarios including cross-domain Single Sign-On (SSO), which allows the use of the same credentials to access different applications.

SAML implementation in Carbonio relies on an external IDentity Provider (IDP), to which a user identifies; the IDP then passes authorization credentials to a service providers (SP). SAML authentication is the process of verifying the user’s identity and credentials. In Carbonio, SAML requires little configuration, because an administrator can generate the SAML configuration by importing SAML metadata from the ISP. Each domain can have a different SAML endpoint and both SDP and IDP SAML authentication is supported.

These are the key concepts of SAML authentication:

Service Provider

(SP) is the entity providing the service.

Identity Provider

(IdP) is the entity providing the identities.

SAML Request

is generated by the Service Provider to “request” an authentication.

SAML Response

is generated by the Identity Provider and contains the assertion of the authenticated user.

Moreover, the Assertion Consumer Service (ACS) endpoint is a location to which the SSO tokens are sent, according to partner requirements.

Directions on how to configure SAML and integrate other applications in Carbonio is described in Section Setting up SAML Configuration.

Two Factor Authentication

Two Factor Authentication (usually spelled as 2FA) adds a security layer to the login phase, making unwanted accesses less likely to take place. In Carbonio, this additional layer is given by an One Time Password (OTP), which can be read as a QR code on mobile devices.

When 2FA is configured on a Carbonio domain, it is mandatory to have an OTP to be able to login: providing only username and password will fail. Moreover, the attribute zimbraAuthMech must be configured on the domain with for 2FA to work properly.

2FA applies only to those protocols or apps supporting it, for example HTTP and HTTPS but not to IMAP and SMTP, and can be configured at either device, IP, or IP range level, by means of the trusted_device or trusted_ip parameter. When an IP or IP range is trusted, 2FA will be successful for any login originating from there, while the trusted_device requires that the same browser or app be used, otherwise it will fail: if a 2FA login is carried out on Chrome, accessing the same page with Firefox will require a new login.

In order to use the OTP, a domain must be configured (see Section Requirements) by the site admin, while users can configure it from their Auth settings.

Carbonio Auth for Admins

This section is dedicated to administrators and the activities they can carry out to manage and maintain Carbonio Auth. Here administrators can find the requirements for the various authentication methods, then the installation instructions and finally the credential management.

Requirements

In order to enable the authentication strategies available in Carbonio, the following requirements need to be satisfied.

Note

It is not necessary to enable all of them, simply configure the one you need in your infrastructure.

QR Code Requirements

The QR Code Application Password feature requires the following properties to be set at domain level in order to be functional:

  • zimbraPublicServiceHostname

  • zimbraPublicServicePort

  • zimbraPublicServiceProtocol

Should one or more of the properties be unset, a notification will be delivered to the Admin reporting the affected domains and their missing properties.

2FA Requirements

In order to properly have 2FA set up, the zimbraAuthMech attribute bust be configured at domain level:

zmprov modifyDomain example.com zimbraAuthMech custom:zx

To enable 2FA it is also necessary to:

  • Enter the addresses of all mailbox and MTAs as ZimbraMailTrustedIp, using the command zmprov to add either a single IP Address or a whole subnet as follows:

    zmprov mcf +zimbramailtrustedip IP_ADDRESS/32
zmprov mcf +zimbramailtrustedip IP_SUBNET/NETMASK

  • A trusted ip range must be defined for all services

  • For all services the ip_can_change attribute must be validated on true and 2fa_policy = 1

Warning

2FA requires a specific zimbraAuthMech and this makes it not compatible with other mechanism such as ldap, ad or kerberos5

SAML Requirements

Before enabling SAML login, it is necessary to modify the Backend processing, because these header attributes are required to compose the complete URL request: Protocol X and X-Port.

The files affected by this change are the templates:

  • nginx.conf.web.http.default.template

  • nginx.conf.web.http.template

  • nginx.conf.web.https.default.template

  • nginx.conf.web.https.template

In each of them, the location ^~ /zx/ code should be changed.

location ^~ /zx/
  {
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Port $server_port;
      proxy_pass ${web.upstream.zx};
  }

Setting up SAML Configuration

To integrate a SAML application into Carbonio, you need to configure the SAML IDP (IDentity Provider) using the SAML SP data. In our sample scenario, we want to add SAML authentication to our domain example.com, accessible at SP_URL.

The SAML configuration is carried out at an IDP provider, then imported in Carbonio using a dedicated command.

The most important configuration options are the following. You should configure them on the SAML IDP side.

sp.entityid

https://SP_URL/zx/auth/samlMetadata?domain=example.com

sp.assertion_consumer_service.url

https://SP_URL/zx/auth/saml

sp.nameidformat

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

In order to validate against Carbonio, make sure that the Name of the attribute that is used as NameID is set to mailPrimaryAddress.

You can now integrate a SAML application in Carbonio in two ways, either automatic or manual. The following sections describe each method in detail.

Import SAML Configuration Automatically

The SAML IDP provides a URL from which to download the configuration; assuming that this URL is https://my-saml-provider.org/simplesaml/saml/idp/metadata.php, you can import the configuration using the command:

zxsuite auth saml import example.com URL  https://my-saml-provider.org/simplesaml/saml/idp/metadata.php

Note

The URL supplied by the SAML IDP for an unsecured connection may be slight different from the previous one, like in our example.

zxsuite auth saml import example.com url https://localidp.local.loc/app/xxxxxxxxxxxxxxx/sso/saml/metadata allow_unsecure true

You are now DONE! You can see the LOGIN SAML button on the login page.

../_images/saml-login.png

Fig. 1 Login page with enabled SAML.

By clicking it, you will be redirect to the SAML IDP login page.

Import SAML Configuration Manually

If you need to manually edit the SAML configuration, you need to follow this 4-step procedure. In a nutshell, you need to export the default SAML settings, modify them, then save and import them back.

Step 1. Export the default SAML settings

In order to export the default SAML setting, use

zxsuite auth saml get example.com export_to /tmp/saml.json

Step 2. Modify /tmp/saml.json

Open the resulting file /tmp/saml.json in any editor and modify the requested attributes:

  • entityid

  • assertion_consumer_service.url

  • nameidformat

Step 3. Check modified /tmp/saml.json

The /tmp/saml.json` file should look similar to this one:

{
  "sp.entityid":"https://SP_URL/zx/auth/samlMetadata?domain=example.com",
  "sp.assertion_consumer_service.url":"https://SP_URL/zx/auth/saml",
  "sp.nameidformat":"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "sp.assertion_consumer_service.binding":"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
  "sp.single_logout_service.url":"https://SP_URL/?loginOp=logout",
  "sp.single_logout_service.binding":"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
  "sp.x509cert":"aabbcc",

  "idp.entityid":"https://IDP-URL/simplesamlphp/saml2/idp/metadata.php",
  "idp.x509cert":"xxyyzz",
  "idp.single_sign_on_service.url":"https://IDP-URL/simplesamlphp/saml2/idp/SSOService.php",
  "idp.single_sign_on_service.binding":"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
  "idp.single_logout_service.binding":"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",

  "organization.name":"ACME, INC.",
  "organization.displayname":"Example",
  "organization.url":"https://www.example.com/",

  "security.requested_authncontextcomparison":"exact",
  "security.requested_authncontext":"urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
  "security.signature_algorithm":"http://www.w3.org/2000/09/xmldsig#rsa sha1",
  "security.logoutresponse_signed":"false",
  "security.want_nameid_encrypted":"false",
  "security.want_assertions_encrypted":"false",
  "security.want_assertions_signed":"false","debug":"true",
  "security.want_messages_signed":"false",
  "security.authnrequest_signed":"false",
  "security.want_xml_validation":"true",
  "security.logoutrequest_signed":"false"
}

Values appearing in the above code excerpt are taken from the example in the previous section. Certificates must be valid, they are omitted for clarity.

Step 4. Save the changes

The final step is to save the changes made to the file and import it into Carbonio using the command:

zxsuite auth saml import example.com /tmp/saml.json

Hint

It is also possible to view or edit single attributes by using the zxsuite auth saml get and zxsuite auth saml set command options.