SOAP auth against AuthProvider

arw · Post by **arw** » Wed Mar 09, 2011 6:11 pm

Hey,
I've created an AuthProvider implementation to use our authentication system.
It's more or less working, I largely copied the ZimbraAuthProvider implementation and changed as necessary...
I've hit a problem though: trying to auth through SOAP using our customer provider.
I'm basing my tests on this article: http://blog.zimbra.com/blog/archives/20 ... imbra.html]Ã‚Â» Zimbra :: Blog -- specifically the part:

b07b804c-7c29-ea16-7300-4f3d6f7928ac
... I have constructed a SOAP auth request that looks like this using the LmcSoapRequest classes:

xxxTokenFromOurAuthSystem
Our AuthProvider implementation checks with our signon system and validates the supplied token.
However all the logging indicates that even though I am specifying our custom AuthProvider impl in the type as per the blog article it is never being called ...
If anyone has any insights they would be appreciated, maybe I'm just missing something simple?

arw · Post by **arw** » Thu Mar 10, 2011 10:11 am

Will post a follow up infos ...
Have done some packet inspecting and the big difference I can see is that the auth-token im sending is in the soap:body rather than the soap:header as in the example ... will investigate to see if I can get this element in the header using the Lmc* classes ... or if it at leasts works if I make a raw request with it in the header.

arw · Post by **arw** » Thu Mar 10, 2011 11:15 am

No luck just using raw posts to the soap api either ...
Below is a request that DOES work, using the standard auth token:
http://www.w3.org/2003/05/soap-envelope ... p-envelope">

...long-ass-zimbra-auth-token...

Now the request trying to use our custom AuthProvider impl:
http://www.w3.org/2003/05/soap-envelope ... p-envelope">

abc-custom-authsystem-token-xyz

This generates a 500 response:

Code:service.AUTH_REQUIRED

at com.zimbra.common.service.ServiceException.AUTH_REQUIRED(ServiceException.java:296)

....

10539yutaka · Post by **10539yutaka** » Thu Mar 10, 2011 4:21 pm

Hi arw,

Firtst of all, can we make sure that your auth provider extension is properly loaded?

You can chcek that from mailbox.log. Or you can log some messages in extesion's init() to mailbox.log and check that.
Then if it is there, please check that zimbra_auth_provider setting in localconfig

is properly done.

arw · Post by **arw** » Thu Mar 10, 2011 4:35 pm

Hi Yutaka,
Yes zmlocalconfig value zimbra_auth_provider is correctly set to 'CUSTOM_AUTH_PROVIDER' and logging indicates the extension is loading properly. Also login calls made form the main web-client login screen (which uses SOAP) can be seen to be calling the custom auth provider.
Thx for reply ... hope you can shed some light!

10539yutaka · Post by **10539yutaka** » Thu Mar 10, 2011 7:27 pm

So basically, you said that your auth provider looks to be excuted for every auth request, but it does not look to pick up your own auth token, right?
Hmm...
Can we see your auth provider source code?

arw · Post by **arw** » Fri Mar 11, 2011 8:57 am

It's called by the main login web interface which makes a soap call to the api.
It is not called when I make a direct soap request as detailed in the blog entry, specifying my AuthProvider in the authToken 'type' attribute.
I will try to post the source code a bit later but it is basically a carbon copy of ZimbraAuthProvider except I added an additional POST call to our SSO system to verify the token.

3244vmahajan · Post by **3244vmahajan** » Sun Mar 13, 2011 11:39 pm

Looks like your auth provider implementation is working only when auth cookie is present. Can you check your implementation of the authToken(Element soapCtxt, Map engineCtxt) method since that's the method that looks up the token inside the soap header context.