Zimbra preauth v. maintenance mode, session expiry, etc.

Posted: Wed Aug 20, 2014 4:54 pm
by Rich Graves
In my limited testing of ZCS 8.0.7, it appears that when I set "preauth" zimbraWebClientLoginURL and zimbraWebClientLogoutURL on a virtual domain:


  • Hits on the virtual host redirect properly to the SSO system

  • The AJAX v. HTML v. mobile UI is chosen based on browser User-Agent

  • Explicit logout from ZWC redirects to the SSO system


Possible issues:


  • Is there an argument that I can pass to /service/preauth to force a specific client, like /h/ instead of /m/ on an iPad?

  • Cookie timeouts, invalidated sessions, and maintenance mode seem to go to the built-in ZCS login page. This is acceptable and maybe even preferred because the SSO system can't give a specific error. Is that correct, or is this just an artifact of the test being a non-default virtual host and the nginx proxy not having been restarted since configuring the vhost?

  • Is there a way to bypass SSO for specific accounts, forcing use of the internal login page? User-Agent is not the answer I'm looking for.

  • Are there other edge cases I haven't considered?


We are quasi-hosted so I don't think I want to use SAML, which while possibly more secure than a pre-shared key, is newer and less documented. Or does anyone here happen to use and recommend native SAML between Shibboleth 2.4.1 and ZCS 8?
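
For readers following the pre-shared-key preauth flow discussed in this post, here is an added example (not part of the original post and not Zimbra's own code) of how an SSO system builds the /service/preauth redirect and what a receiver checks. It assumes Zimbra's documented token layout (hex HMAC-SHA1 over `account|by|expires|timestamp` with the domain's preauth key used as a raw string); the key, host name, account and freshness window are constructed values.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample values: not a real key, host or account.
PREAUTH_KEY = "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
ZIMBRA_HOST = "mail.example.edu"
MAX_SKEW_MS = 5 * 60 * 1000  # assumed freshness window for the checker below


def compute_preauth(key, account, by, expires_ms, timestamp_ms):
    """Hex HMAC-SHA1 over 'account|by|expires|timestamp'.

    The key string is used as raw bytes, not hex-decoded (assumed layout).
    """
    data = f"{account}|{by}|{expires_ms}|{timestamp_ms}"
    return hmac.new(key.encode(), data.encode(), hashlib.sha1).hexdigest()


def build_preauth_url(key, account, now_ms=None, expires_ms=0):
    """URL the SSO system sends the browser to after authenticating the user."""
    ts = int(time.time() * 1000) if now_ms is None else now_ms
    params = {
        "account": account,
        "by": "name",
        "timestamp": ts,
        "expires": expires_ms,  # 0 = use the server's default token lifetime
        "preauth": compute_preauth(key, account, "name", expires_ms, ts),
    }
    return f"https://{ZIMBRA_HOST}/service/preauth?{urlencode(params)}"


def parse_preauth_url(url):
    """Return the query parameters of a preauth URL as a dict."""
    return dict(parse_qsl(urlsplit(url).query))


def check_preauth(key, params, now_ms):
    """Illustrative receiver-side check: fresh timestamp and matching MAC."""
    ts = int(params["timestamp"])
    if abs(now_ms - ts) > MAX_SKEW_MS:
        return False  # stale or future-dated token, reject as a possible replay
    expected = compute_preauth(key, params["account"], params["by"],
                               params["expires"], ts)
    return hmac.compare_digest(expected, params["preauth"])
```

Anyone holding the domain's preauth key can mint a valid login URL for any account in that domain, which is the trade-off against SAML that the post alludes to.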