In my limited testing of ZCS 8.0.7, it appears that when I set preauth zimbraWebClientLoginURL and zimbraWebClientLogoutURL on a virtual domain:
Hits on the virtual host redirect properly to the SSO system
The AJAX v. HTML v. mobile UI is chosen based on browser User-Agent
Explicit logout from ZWC redirects to the SSO system
Possible issues:
Is there an argument that I can pass to /service/preauth to force a specific client, like /h/ instead of /m/ on an iPad?
Cookie timeouts, invalidated sessions, and maintenance mode seem to go to the built-in ZCS login page. This is acceptable and maybe even preferred because the SSO system can't give a specific error. Is that correct, or is this just an artifact of the test being a non-default virtual host and the nginx proxy not having been restarted since configuring the vhost?
Is there a way to bypass SSO for specific accounts, forcing use of the internal login page? User-Agent is not the answer I'm looking for.
Are there other edge cases I haven't considered?
We are quasi-hosted so I don't think I want to use SAML, which while possibly more secure than a pre-shared key, is newer and less documented. Or does anyone here happen to use and recommend native SAML between Shibboleth 2.4.1 and ZCS 8?
Zimbra preauth v. maintenance mode, session expiry, etc.