Zextras Auth

What is Zextras Auth

Zextras Auth is currently under development, some of its features are only released as a public beta while others have not been implemented yet.

Zextras Auth allows to manage all the Authentication Strategies (user/pwd, token, SAML, 2FA, MobilePwd, QrCode) and Service Authorizations. It also provides additional authentication-related features such as custom Login pages, profiling and security.

It is backward-compatible with Zimbra Custom Auth, it can manage QR Authentication form Mobile App (Team / Drive) along with multiple EAS Credential and provides a single point for the User Gateway Management (aka User Profile)

Zextras Auth provides a single entry point for:

  • Authentication

  • Authorization

  • Session Management

  • External Auth Federation

Features

Zextras Auth is currently under development, some of its features are only released as a public beta while others have not been implemented yet.
  • Credentials Management

    • Mobile Password Management (Beta)

    • QR Code Application Passwords (Beta)

  • Service Authorization (future)

  • Custom Login Page (future)

  • SAML integration (future)

Auth Zimlet

Zextras Auth features a dedicated zimlet to manage all user-side credential and features, such as the EAS Mobile Password and Mobile App QR Codes.

Installing the Zextras Auth Zimlet

To deploy the Zextras Auth Zimlet, simply run zxsuite auth doDeployAuthZimlet as the zimbra user on any mailbox server of your infrastructure.

Zextras Auth Zimlet overview

The Zextras Auth Zimlet can be accessed from the "Zimlets" section of the Zimbra Web Client.

zextras_auth_overview.png

From here, the user can add new credentials ("New Password"), deleting existing ones and check on the status of all existing credentials.

Data Storage

All Zextras Auth data - including passwords and tokens - is saved in a local HSQL database.

All passwords, tokens and sensitive information are stored in hashed form using the SHA256 algorithm using auto-generated keys and no credential or sensitive information is ever stored cleartext.

Credential Management

Zextras Auth’s Credential Management system allows to create dedicated passwords for different services such as Exchange ActiveSyn devices, Mobile Applications (e.g. Team and Drive) or the Zimbra WebClient itself.

All credentials generated by Zextras Auth are not bound to Zimbra’s own password policies, neither in regards of the password’s character and length limit nor in regards of password expiration.

Credential Management CLI

All Credential Management features can be accessed through the zxsuite auth credential command, and its sub-commands:

zxsuite auth credential

Add/Update/Delete/List the account credentials

  add                      - Add a credential to the given account
                             zxsuite auth credential add {john@example.com} [attr1 value1 [attr2 value2...]]

  list                     - List all credentials for the given account
                             zxsuite auth credential list {john@example.com}

  update                   - List all mobile passwords for the given account
                             zxsuite auth credential update {john@example.com} {f51as} [attr1 value1 [attr2 value2...]]

  delete                   - Delete credentials with the given account and id
                             zxsuite auth credential delete {john@example.com} {f51as}

More information of the most common usages of this command can be found in the topic-specific sections of this page.

List existing Credentials

Any user can see the list of active Mobile Passwords in the Zextras Auth Zimlet. Each entry of the list displays the label of the password, its status, the service it is valid for and its creation date.

System Administrators, on the other hand, can view an extended list of all credentials active on an account by running zxsuite auth credential list user@domain.com, e.g.

zxsuite auth credential list admin

        values

                generated                                                   1
                created                                                     1603120043615
                label                                                       MobilePassword 1
                id                                                          5llDP
                services

                        service                                                             EAS
                hash                                                        W6q6hvf10TcPasPL+Oy96iHWO7SrjZBDHfaldt6ZxQk=
                enabled                                                     true
                algorithm                                                   SHA256

                generated                                                   0
                created                                                     1603120995372
                label                                                       My Label
                id                                                          Fr2jM
                services

                        service                                                             EAS
                hash                                                        +Crk6YcPL7IapCg6xfT6oXWP977uTeZdJTVQDQZd+Io=
                enabled                                                     true
                algorithm                                                   SHA256

For each credential, the following fields are displayed:

  • generated - whether the credential was randomly generated or not, 0 true and 1 means false

  • created - the credential’s creation timestamp

  • label - the credential’s label

  • id - the credential’s ID, required to edit credentials via zxsuite auth credential update

  • services - the services that the credential allows access to

  • hash - the hashed credential itself

  • enabled - whether the credential can be used to access all appropriate services or not

  • algorithm - the hashing algorithm used to store the credential

Editing a Credential

While usually the credential (password) itself cannot be edited, the System Administrator can edit its label and properties using the zxsuite auth credential update command.

e.g. to change the label of a Mobile Password belonging to the user john.doe@domain.com, whose id is Fr2jM to "New Label" run:

zxsuite auth credential update john.doe@domain.com Fr2jM label "New Label"`

The system will confirm the credential update and display all credential’s information:

Credential Fr2jM updated

        values
            generated                                               0
            created                                                 1603120995372
            label                                                   New Label
            id                                                      Fr2jM
            services

                    service                                                         EAS
            hash                                                    +Crk6YcPL7IapCg6xfT6oXWP977uTeZdJTVQDQZd+Io=
            enabled                                                 true
            algorithm                                               SHA256
See the "List existing Credentials" section above to find out how to obtain the credential’s ID

Mobile Password

Mobile Passwords are one of the credentials managed by Zextras Auth, which allows to set up multiple Mobile Passwords for each account.

Creating a new Mobile Password

A new Mobile Password can be created both from the Zextras Auth Zimlet and from the Zextras CLI.

Create a Mobile Password from the Zextras Auth Zimlet

To create a new Mobile Password, open the Zextras Auth Zimlet and click on "New Password":

  • Enter an easy to remember identifier for the password in the "Password Label" field and select "Text code" as the Password Type:

zextras_auth_mobilepass1.png

  • Click "Next".

  • The new Mobile Password will be displayed:

zextras_auth_mobilepass2.png

Mobile Passwords are randomly generated and cannot be displayed again after the creation is complete.
  • Click on "Done" to close the Zextras Auth window. An entry for the new Mobile Password is now visible in the "Active Passwords" list of the Zextras Auth Zimlet.

zextras_auth_mobilepass3.png

Create a Mobile Password from the Zextras CLI

To create a Mobile Password from the Zextras CLI, use the zxsuite auth credential command with the following attributes:

  • password: enter the password you wish to set as the Mobile Password

  • label: enter the label for the Mobile Password

  • service: use eas to set a Mobile Password

E.g. To add the gn89hg95hvmn59..] Mobile Password to the john.doe@domain.com account, labeled as "Personal Phone", run:

zxsuite auth credential add john.doe@domain.com password "gn89hg95hvmn59..]" label "Personal Phone" service eas

The system will confirm the success of the operation and display all the password’s information:name: value

Credential correctly added

        values
            generated                                               0
            created                                                 1603120995372
            label                                                   Personal Phone
            id                                                      Fr2jM
            services

                    service                                                         EAS
            hash                                                    +Crk6YcPL7IapCg6xfT6oXWP977uTeZdJTVQDQZd+Io=
            enabled                                                 true
            algorithm                                               SHA256
        text_data
            auth_method                                             password
            password                                                gn89hg95hvmn59..]
            user                                                    john.doe@domain.com

List existing Mobile Passwords

Any user can see the list of active Mobile Passwords in the Zextras Auth Zimlet. Each entry of the list displays the label of the password, its status, the service it is valid for and its creation date.

Specifically, all passwords valid for the "EAS" service are Mobile Passwords.

System Administrators, on the other hand, can view an extended list of all credentials, including Mobile Passwords,

Editing a Mobile Password

While a Mobile Password itself cannot be edited, the System Administrator can edit its label and properties using the zxsuite auth credential update command

Application Password (QR Code)

Zextras Auth can speed up and manage Application logins, such as those for the Team App and Drive App.

This is achieved through the creation of a QR Code in the Zimbra WebClient, which the user can then scan from the App’s login page to log in.

QR Codes are a one-time credential only, meaning that once generated it will grant access to the app until the relevant credential itself is deleted from the account. Once generated, the QR Code can only be viewed once.

QR Code Requirements

The QR Code Application Password feature requires the following properties to be set at domain level in order to be functional:

  • zimbraPublicServiceHostname

  • zimbraPublicServicePort

  • zimbraPublicServiceProtocol

Should one or more of the properties be unset, a notification will be delivered to the Admin reporting the affected domains and their missing properties.

Creating a new QR Code Credential

While, as all credentials, QR Codes can be created from both the Zextras Auth Zimlet and Zextras CLI, only the former allows the user to use the QR code itself so the latter will not be taken into consideration in this guide.

Creating a QR Code Credential from the Zextras Auth Zimlet

o create a new QR Code, open the Zextras Auth Zimlet and click on "New Password":

  • Enter an easy to remember identifier for the password in the "Password Label" field and select "QR code" as the Password Type:

zextras_auth_qrcode1.png

  • Click "Next".

  • The new QR Code will be displayed:

zextras_auth_qrcode2.png

QR Codes are randomly generated and cannot be displayed again after the creation is complete.
  • Click on "Done" to close the Zextras Auth window. An entry for the new Mobile Password is now visible in the "Active Passwords" list of the Zextras Auth Zimlet.

zextras_auth_qrcode3.png

CLI

zxsuite auth

Table 1. Zextras Auth CLI
Name Description Usage

doStartService

start a given service

zxsuite auth doStartService {service_name}

doStopService

stop a given service

zxsuite auth doStopService {service_name}

getServices

show current status of all services for this module

zxsuite auth getServices

doRestartService

restart a given service

zxsuite auth doRestartService {service_name}

saml

saml configuration

zxsuite auth saml

credential

Add/Update/Delete/List the account credentials

zxsuite auth credential

loginPage

Manage login page attributes from CLI

zxsuite auth loginPage

policy

Manage policies from CLI

zxsuite auth policy

token

Manage token authorization and expiration

zxsuite auth token

doDeployAuthZimlet

Deploy ZeXtras Suite Auth zimlet to handle new credentials.

zxsuite auth doDeployAuthZimlet