Kolab Single Sign On plugin

This new plugin (kolab_sso) adds the ability to authenticate users via external authentication services. For example, if your organization has such a service, users can access webmail with a single click (if they are already authenticated in the service). OpenIDC/OAuth2/SAML2 are technologies widely described and used on the Internet, so I’ll just briefly describe what we provide at the moment.

Kolab’s components have various limitations with regard to SSO. For example, in cyrus-imap we have to use master user proxy authorization, as there’s no token authorization. In other places we’re limited by PHP capabilities. Note that we chose to use the code flow, so we do not expect the SSO service to return a username and password. This means that where we can’t use proxy auth, we’ll use special (configurable) user credentials (e.g. kolab-service for accessing the LDAP read-only addressbook).
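The following sketch is an added example, not code from the plugin or its README. It shows how an identity taken from ID token claims can become the authorization identity of a master-user IMAP login. It assumes SASL PLAIN (RFC 4616) as the proxy mechanism, that the token signature was already verified, and that the mailbox name is carried in the `email` claim; the issuer, client ID and credentials are constructed values.

```python
import base64
import time

# Constructed sample values; none of them come from the plugin or its README.
ISSUER = "https://sso.example.org"
CLIENT_ID = "webmail"

def username_from_claims(claims, now=None):
    """Pick the mailbox name from ID token claims whose signature is already verified."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired")
    user = claims.get("email")  # assumption: the mailbox name is carried in 'email'
    if not isinstance(user, str) or not user:
        raise ValueError("no usable identity claim")
    return user

def sasl_plain_proxy(authzid, master_user, master_password):
    """Build the RFC 4616 PLAIN message: authzid NUL authcid NUL passwd, base64 encoded."""
    for field in (authzid, master_user, master_password):
        # A NUL inside any field would shift the field boundaries and could
        # change which mailbox the master user is authorized as.
        if not field or "\x00" in field:
            raise ValueError("empty field or NUL byte in SASL PLAIN input")
    raw = "\x00".join((authzid, master_user, master_password))
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    claims = {"iss": ISSUER, "aud": "webmail", "exp": time.time() + 300,
              "email": "jane@example.org"}
    user = username_from_claims(claims)
    print("AUTHENTICATE PLAIN", sasl_plain_proxy(user, "master-user", "master-secret"))
```

Because the master credentials can open any mailbox, the value passed as `authzid` should come only from validated token claims, never from a request parameter.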

In its current state the functionality is limited, but some of these limitations might be resolved in the future. The plugin does not yet support: kolab_delegation (authentication for LDAP write operations), Files with Seafile storage, Files with WebDAV storage, Freebusy authentication.

On the UI front, the plugin modifies the logon form by adding simple button(s) below the form.


Currently the only supported method of authentication is OpenID Connect, but the plugin has a simple driver API and it should be easy to extend it with e.g. SAML2 support. We see interest in such a solution from our customers and we will be working on testing and improving it in the near future.

More information about the implementation and its limitations can be found in the README file.