Zimbra integration with RSA Via Access

You should be able to use the SAML template to connect to Zimbra.  It's been a while since I've set this up, but here are the basics:

 

 

In the Access Administration Console:  Applications > Application Catalog > Create from Template > SAML Direct

 

  • Connection URL:  Enter the URL of the protected resource at the service provider that will initiate the SAMLRequest.  For example:  https://mailbox.mycompany.com
    • You'll need to specify your own BenefitFocus PartnerIdpId and URL-encoded BenefitFocus URL as the TargetResource
  • SP-initiated
  • Binding Method for SAML Request:  POST (default)
    • Request not signed (default)
  • Identity Provider URL:  Use the default, such as  https://portal.sso.example.com/IdPServlet?idp_id=1q2w3e4r5t6y7
  • Issuer Entity ID:  Use default, such as  1q2w3e4r5t6y7
  • Upload the private.key to sign the SAMLResponse, and the corresponding cert.pem
    • Zimbra doesn't need us to include the certificate in the outgoing assertion
  • Service Provider
  • User Identity
    • NameID Identifier Type:  Subject
      • Select the attribute containing the Zimbra ID (for example, the AD 'mail')

 

On the Zimbra side, you'll need to configure it according to current Zimbra product documentation, but it will be something like this:

 

Log in to your Zimbra server and follow the Zimbra Documentation to configure SAML:  Authentication/SAML - Zimbra :: Tech Center

  1. As the 'root' user:
    • mkdir /opt/zimbra/lib/ext/saml
    • cp /opt/zimbra/extensions-network-extra/saml/samlextn.jar /opt/zimbra/lib/ext/saml/
  2. As the 'zimbra' user:
    • add the cert.pem (from the SAML certificate bundle zip file) to the configuration: 
      • cat cert.pem |xargs -0 zmprov md mailbox.mycompany.com zimbraMyoneloginSamlSigningCert
    • specify the login & logout URLs: 
    • Restart Zimbra services: 
      • zmcontrol stop; zmcontrol start
    • Confirm settings:
      • zmprov gd mailbox.mycompany.com
        • You should see the zimbraWebClientLoginURL, zimbraWebClientLogoutURL, and zimbraMyoneloginSamlSigningCert settings configured with the values specified above.
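
One way to script the "Confirm settings" step, as an added example that is not part of the original article or of Zimbra's documentation. The function names, the sample output and its placeholder URLs are constructed for illustration; the HTTPS and PEM-marker checks are additions, and the "name: value" output layout with continuation lines for the certificate is an assumption about how zmprov prints the domain.

```shell
#!/bin/sh
# Added example. Reads `zmprov gd <domain>` output on stdin, prints one line
# per problem, and returns non-zero if any of the three SAML settings is
# missing, empty, not HTTPS (URLs) or lacks its PEM markers (certificate).
# Usage on the server: zmprov gd mailbox.mycompany.com | check_saml_domain
check_saml_domain() {
    awk '
        /^[A-Za-z][A-Za-z0-9]*:( |$)/ {          # start of an attribute
            name = $1; sub(/:$/, "", name)
            val = $0; sub(/^[^:]*: ?/, "", val)
            seen[name] = val
            next
        }
        name != "" { seen[name] = seen[name] "\n" $0 }   # continuation line
        END {
            bad = 0
            cert = "zimbraMyoneloginSamlSigningCert"
            n = split("zimbraWebClientLoginURL zimbraWebClientLogoutURL " cert, req, " ")
            for (i = 1; i <= n; i++) {
                a = req[i]
                if (!(a in seen) || seen[a] ~ /^[ \t\n]*$/) {
                    print "MISSING " a; bad = 1
                } else if (a != cert && seen[a] !~ /^https:\/\//) {
                    print "NOT_HTTPS " a; bad = 1
                } else if (a == cert && (seen[a] !~ /-----BEGIN CERTIFICATE-----/ || seen[a] !~ /-----END CERTIFICATE-----/)) {
                    print "TRUNCATED_CERT " a; bad = 1
                }
            }
            exit bad
        }
    '
}

# Constructed sample output: placeholder URLs, and a certificate value that
# was cut off before its END marker.
sample_gd_output() {
    cat <<'EOF'
# name mailbox.mycompany.com
zimbraDomainName: mailbox.mycompany.com
zimbraWebClientLoginURL: https://idp.example.invalid/login-placeholder
zimbraWebClientLogoutURL: http://idp.example.invalid/logout-placeholder
zimbraMyoneloginSamlSigningCert: -----BEGIN CERTIFICATE-----
PLACEHOLDERBASE64
EOF
}
```
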

 

This document was generated from the following discussion: Zimbra integration with RSA Via Access

Last update: 2016-09-16 11:37 AM