Zextras Auth
What is Zextras Auth
| Zextras Auth is currently under development, some of its features are only released as a public beta while others have not been implemented yet. |
Zextras Auth allows to manage all the Authentication Strategies (user/pwd, token, SAML, 2FA, MobilePwd, QrCode) and Service Authorizations. It also provides additional authentication-related features such as custom Login pages, profiling and security.
It is backward-compatible with Zimbra Custom Auth, it can manage QR Authentication form Mobile App (Team / Drive) along with multiple EAS Credential and provides a single point for the User Gateway Management (aka User Profile)
Zextras Auth provides a single entry point for:
-
Authentication
-
Authorization
-
Session Management
-
External Auth Federation
Features
| Zextras Auth is currently under development, some of its features are only released as a public beta while others have not been implemented yet. |
-
Credentials Management
-
Mobile Password Management (Beta)
-
QR Code Application Passwords (Beta)
-
-
Service Authorization (future)
-
Custom Login Page (future)
-
SAML integration (future)
Auth Zimlet
Zextras Auth features a dedicated zimlet to manage all user-side credential and features, such as the EAS Mobile Password and Mobile App QR Codes.
Data Storage
All Zextras Auth data - including passwords and tokens - is saved in a local HSQL database.
All passwords, tokens and sensitive information are stored in hashed form using the SHA256 algorithm using auto-generated keys and no credential or sensitive information is ever stored cleartext.
Credential Management
Zextras Auth’s Credential Management system allows to create dedicated passwords for different services such as Exchange ActiveSyn devices, Mobile Applications (e.g. Team and Drive) or the Zimbra WebClient itself.
All credentials generated by Zextras Auth are not bound to Zimbra’s own password policies, neither in regards of the password’s character and length limit nor in regards of password expiration.
Credential Management CLI
All Credential Management features can be accessed through the zxsuite auth credential command, and its sub-commands:
zxsuite auth credential
Add/Update/Delete/List the account credentials
add - Add a credential to the given account
zxsuite auth credential add {john@example.com} [attr1 value1 [attr2 value2...]]
list - List all credentials for the given account
zxsuite auth credential list {john@example.com}
update - List all mobile passwords for the given account
zxsuite auth credential update {john@example.com} {f51as} [attr1 value1 [attr2 value2...]]
delete - Delete credentials with the given account and id
zxsuite auth credential delete {john@example.com} {f51as}
More information of the most common usages of this command can be found in the topic-specific sections of this page.
List existing Credentials
Any user can see the list of active Mobile Passwords in the Zextras Auth Zimlet. Each entry of the list displays the label of the password, its status, the service it is valid for and its creation date.
System Administrators, on the other hand, can view an extended list of all credentials active on an account by running zxsuite auth credential list user@domain.com, e.g.
zxsuite auth credential list admin
values
generated 1
created 1603120043615
label MobilePassword 1
id 5llDP
services
service EAS
hash W6q6hvf10TcPasPL+Oy96iHWO7SrjZBDHfaldt6ZxQk=
enabled true
algorithm SHA256
generated 0
created 1603120995372
label My Label
id Fr2jM
services
service EAS
hash +Crk6YcPL7IapCg6xfT6oXWP977uTeZdJTVQDQZd+Io=
enabled true
algorithm SHA256
For each credential, the following fields are displayed:
-
generated- whether the credential was randomly generated or not, 0 true and 1 means false -
created- the credential’s creation timestamp -
label- the credential’s label -
id- the credential’s ID, required to edit credentials viazxsuite auth credential update -
services- the services that the credential allows access to -
hash- the hashed credential itself -
enabled- whether the credential can be used to access all appropriate services or not -
algorithm- the hashing algorithm used to store the credential
Editing a Credential
While usually the credential (password) itself cannot be edited, the System Administrator can edit its label and properties using the zxsuite auth credential update command.
e.g. to change the label of a Mobile Password belonging to the user john.doe@domain.com, whose id is Fr2jM to "New Label" run:
zxsuite auth credential update john.doe@domain.com Fr2jM label "New Label"`
The system will confirm the credential update and display all credential’s information:
Credential Fr2jM updated
values
generated 0
created 1603120995372
label New Label
id Fr2jM
services
service EAS
hash +Crk6YcPL7IapCg6xfT6oXWP977uTeZdJTVQDQZd+Io=
enabled true
algorithm SHA256
| See the "List existing Credentials" section above to find out how to obtain the credential’s ID |
Mobile Password
Mobile Passwords are one of the credentials managed by Zextras Auth, which allows to set up multiple Mobile Passwords for each account.
Creating a new Mobile Password
A new Mobile Password can be created both from the Zextras Auth Zimlet and from the Zextras CLI.
Create a Mobile Password from the Zextras Auth Zimlet
To create a new Mobile Password, open the Zextras Auth Zimlet and click on "New Password":
-
Enter an easy to remember identifier for the password in the "Password Label" field and select "Text code" as the Password Type:
-
Click "Next".
-
The new Mobile Password will be displayed:
| Mobile Passwords are randomly generated and cannot be displayed again after the creation is complete. |
-
Click on "Done" to close the Zextras Auth window. An entry for the new Mobile Password is now visible in the "Active Passwords" list of the Zextras Auth Zimlet.
Create a Mobile Password from the Zextras CLI
To create a Mobile Password from the Zextras CLI, use the zxsuite auth credential command with the following attributes:
-
password: enter the password you wish to set as the Mobile Password
-
label: enter the label for the Mobile Password
-
service: use
easto set a Mobile Password
E.g.
To add the gn89hg95hvmn59..] Mobile Password to the john.doe@domain.com account, labeled as "Personal Phone", run:
zxsuite auth credential add john.doe@domain.com password "gn89hg95hvmn59..]" label "Personal Phone" service eas
The system will confirm the success of the operation and display all the password’s information:name: value
Credential correctly added
values
generated 0
created 1603120995372
label Personal Phone
id Fr2jM
services
service EAS
hash +Crk6YcPL7IapCg6xfT6oXWP977uTeZdJTVQDQZd+Io=
enabled true
algorithm SHA256
text_data
auth_method password
password gn89hg95hvmn59..]
user john.doe@domain.com
List existing Mobile Passwords
Any user can see the list of active Mobile Passwords in the Zextras Auth Zimlet. Each entry of the list displays the label of the password, its status, the service it is valid for and its creation date.
Specifically, all passwords valid for the "EAS" service are Mobile Passwords.
System Administrators, on the other hand, can view an extended list of all credentials, including Mobile Passwords,
Application Password (QR Code)
Zextras Auth can speed up and manage Application logins, such as those for the Team App and Drive App.
This is achieved through the creation of a QR Code in the Zimbra WebClient, which the user can then scan from the App’s login page to log in.
| QR Codes are a one-time credential only, meaning that once generated it will grant access to the app until the relevant credential itself is deleted from the account. Once generated, the QR Code can only be viewed once. |
QR Code Requirements
The QR Code Application Password feature requires the following properties to be set at domain level in order to be functional:
-
zimbraPublicServiceHostname -
zimbraPublicServicePort -
zimbraPublicServiceProtocol
Should one or more of the properties be unset, a notification will be delivered to the Admin reporting the affected domains and their missing properties.
Creating a new QR Code Credential
While, as all credentials, QR Codes can be created from both the Zextras Auth Zimlet and Zextras CLI, only the former allows the user to use the QR code itself so the latter will not be taken into consideration in this guide.
Creating a QR Code Credential from the Zextras Auth Zimlet
o create a new QR Code, open the Zextras Auth Zimlet and click on "New Password":
-
Enter an easy to remember identifier for the password in the "Password Label" field and select "QR code" as the Password Type:
-
Click "Next".
-
The new QR Code will be displayed:
| QR Codes are randomly generated and cannot be displayed again after the creation is complete. |
-
Click on "Done" to close the Zextras Auth window. An entry for the new Mobile Password is now visible in the "Active Passwords" list of the Zextras Auth Zimlet.
CLI
zxsuite auth
| Name | Description | Usage |
|---|---|---|
doStartService |
start a given service |
zxsuite auth doStartService {service_name} |
doStopService |
stop a given service |
zxsuite auth doStopService {service_name} |
getServices |
show current status of all services for this module |
zxsuite auth getServices |
doRestartService |
restart a given service |
zxsuite auth doRestartService {service_name} |
saml |
saml configuration |
zxsuite auth saml |
credential |
Add/Update/Delete/List the account credentials |
zxsuite auth credential |
loginPage |
Manage login page attributes from CLI |
zxsuite auth loginPage |
policy |
Manage policies from CLI |
zxsuite auth policy |
token |
Manage token authorization and expiration |
zxsuite auth token |
doDeployAuthZimlet |
Deploy ZeXtras Suite Auth zimlet to handle new credentials. |
zxsuite auth doDeployAuthZimlet |