Zimbra

Print Friendly, PDF & Email

The purpose of this document is to provide instructions on how to configure and manage Zimbra to enable SAML integration.

Prerequisites

  • Integrate with Seqrite ZTNA
    To add the SaaS application follow these steps:

    1. Log into Seqrite ZTNA admin console.
    2. Navigate to the Applications section.
    3. Navigate to the SaaS Applications tab and click.
    4. To add Zimbra application click Browse SaaS Application Catalog.
    5. Click Add + of Zimbra application card.
    6. Enter the Application Name. Provide the Application Description and Logo if any.
    7. Add the ACS URL, Entity ID, and External Address as per the Zimbra Server Configurations. For Example:
      • ACS URL: https://zimbra.domain.com/service/extension/samlreceiver
      • Entity ID: https://zimbra.domain.com/service/extension/samlreceiver

      Ensure your Zimbra Domain is substituted in place of zimbra.domain.com in both URLs.

      Also, enter the Zimbra Domain in the External Address field. For example, use http://zimbra-domain.com/.

    8. Select the following checkboxes as appropriate to control access from managed laptops, desktops, or mobile devices.
      • Allow access from registered Seqrite ZTNA-compliant devices:
        Only users with registered Seqrite ZTNA-compliant devices (on which the Seqrite ZTNA agent is installed and active), including both desktops and laptops, can access the applications.
      • Allow access from Seqrite Workspace:
        Mobile users are able to access applications only through the Workspace. To know more about accessing SaaS application through Seqrite Workspace, see Seqrite EMM Documentation.
        Note: iOS is not supported, iOS users can access applications outside the Workspace also.
    9. Click Add to add the application.
  • Navigate to Zimbra Server
    Access your Zimbra server to configure SAML settings for integration.

Step 1: Configure Zimbra Server

  1. Create Configuration Directory and File:
    mkdir -p /opt/zimbra/conf/saml
    vi /opt/zimbra/conf/saml/saml-config.properties
    

    Add the following content to saml-config.properties:
    Zimbra Step 2
    Zimbra Step 3
    Zimbra Setup
    Copy the SAML Login URL from the ZTNA application's SAML Settings above into the saml_redirect_login_destination and saml_post_login_destination fields in the Zimbra saml-config Properties file as specified below:
    The saml_redirect_logout_destination and saml_post_logout_destination fields can be left empty.

    # Issuer
    saml_sp_entity_id=https://zimbra.domain.com/service/extension/samlreceiver
    # Login receiver for the service provider
    saml_acs=https://zimbra.domain.com/service/extension/samlreceiver
    # Name ID format for the IDP to use in the SAMLResponse
    saml_name_id_format=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    # Date format for issue instant
    saml_date_format_instant=yyyy-MM-dd'T'HH:mm:ss'Z'
    # Identity provider login endpoint for redirect method
    saml_redirect_login_destination=Saml Login URL from ZTNA Zimbra Application SAML Settings
    # Identity provider login endpoint for POST method
    saml_post_login_destination=Saml Login URL from ZTNA Zimbra Application SAML Settings
    # Identity provider logout endpoint for redirect method
    saml_redirect_logout_destination=
    # Identity provider logout endpoint for POST method
    saml_post_logout_destination=
    # Logout redirect page if we are the landing page logout endpoint
    saml_landing_logout_redirect_url=/
    # Disable the audience path check
    saml_skip_audience_restriction=true
    # URL to send the user with error_code, error_msg query params. Default results in HTTP error code pages.
    saml_error_redirect_url=
    # The SAML logout document encoding, and SAML login receiver parameter encoding.
    saml_document_encoding=ASCII
    # The redirect location to send the user if their Zimbra account is not active.
    saml_inactive_account_redirect_url
    
  2. Copy SAML Certificate: Copy the SAML certificate from ZTNA Admin Console to /tmp/idpcert.pem on the Zimbra server.
    cp /tmp/idpcert.pem /opt/zimbra/lib/ext/saml/idpcert.pem
    
  3. Set Up IDP Certificate:
    mkdir /opt/zimbra/lib/ext/saml
    cp /opt/zimbra/extensions-network-extra/saml/samlextn.jar /opt/zimbra/lib/ext/saml/
    su zimbra
    cat /tmp/idpcert.pem | xargs -0 zmprov md zimbra.domain.com zimbraMyoneloginSamlSigningCert
    
  4. Configure Zimbra Settings:
    zmprov mcf zimbraCsrfAllowedRefererHosts *.ztnacertificatedomain
    zmprov md zimbra.domain.com zimbraVirtualHostName zimbra.domain.com
    /opt/zimbra/bin/zmlocalconfig -e zimbra_same_site_cookie=""
    zmprov mcf zimbraCsrfRefererCheckEnabled FALSE
    zmmailboxdctl restart
    

Step 2: Configure Zimbra Admin Console

  1. Global Settings:
    • Open Zimbra Admin Console.
    • Navigate to Home > Configure > Global Settings > Authentication.
    • Add the SAML Login URL from ZTNA Zimbra SaaS Application under SAML Settings as Web Client Login Redirect URL.
  2. Domain Settings:
    • Navigate to Home > Configure > Domains > zimbra.domain.com > Authentication.
    • Add https://zimbra.com as Web Client Login Redirect URL.
  3. Additional Settings:
    • Navigate to Home > Configure > Global Settings.
    • Add the Web Client Login URL and Web Client Logout URL as per your configuration.


  4. Save Changes:
    • Click on Save after configuring each section.

Step 3: Testing

  • Try accessing Zimbra from a browser. It should redirect to the ZTNA SSO page for authentication.
  • After successful authentication via ZTNA, users should be able to access Zimbra as SAML SSO.

Notes:

  • Zimbra logout will only work after the user logs out from the ZTNA user portal.
  • Ensure all URLs and certificates are correctly configured and updated as per your specific environment settings.
Was this page helpful?