diff --git a/plugins/kolab_sso/README b/plugins/kolab_sso/README index 0e7d8309..aa39db5c 100644 --- a/plugins/kolab_sso/README +++ b/plugins/kolab_sso/README @@ -1,80 +1,80 @@ Single Sign On Authentication for Kolab --------------------------------------- This plugin adds possibility to authenticate users via external authentication services. Currently it supports various authentication methods based on OAuth2 and OpenID Connect (and requires JWT token use). Because Kolab backends do not support token authentication it is required to use master user (sasl proxy) authentication where possible and service user credentials in other places. See IMPLEMENTATION NOTES below for details. Plugin requires libkolab plugin and HTTP/Request2 library. Plugin contains BSD-licensed https://github.com/firebase/php-jwt (v5.0.0) library. Supported algorithms: - HS256, HS385, HS512 (PHP hash extension required) - RS256, RS384, RS512 (PHP openssl extension required). INSTALLATION ------------ Enable plugin in Roundcube's main configuration file. Make sure it is first on the list of plugins, especially before any authentication plugin, e.g. kolab_auth. Default return-URL for Auth Provider is https://host.roundcube?_task=login&_action=sso, but not all providers support query params. To workaround this limitation you have to define an alias URI or redirect. For example: RewriteEngine On RewriteCond %{REQUEST_URI} ^/roundcubemail RewriteRule "^sso" "/roundcubemail/?_task=login&_action=sso" [L,QSA] For the above "alias" plugin configuration should include 'response_uri' = '/sso' and on the provider side configured URI will be https://host/roundcubemail/sso. IMPLEMENTATION NOTES -------------------- Specification: https://openid.net/specs/openid-connect-core-1_0.html Limitations: - OpenIDC Discovery and Dynamic Client Registration is not supported, - Authentication with Authorization Code Flow is the only one supported, - required grant types: authorization_code, refresh_token (for token refresh), - required claims: id_token, - required scopes: email, openid, offline_access (for token refresh), - endpoints used: token, authorization, - supported signature algorithms: HS256, HS385, HS512, RS256, RS384, RS512. - supported token endpoint auth methods: client_secret_basic, client_secret_post. -[IMAP] Because Kolab backend do not support token authentication it is required +[IMAP] Because Kolab backend does not support token authentication it is required to use master user (sasl proxy) authentication, i.e. you have to put master user credentials in plugin's config. [SMTP] For the same reason and also because the same master user does not work in Postfix, you have to specify SMTP connection parameters/user+password. [LDAP] Global addressbook (read-only) requires LDAP user/password. 'user_specific' option does -not work as well as proxy authentication. +not work, neither the proxy authentication. [Freebusy] Authentication into kolab-freebusy service is not yet implemented. A solution for now is to add Roundcube host(s) into trustednetworks.allow option in kolab-freebusy service config. [Chwala] Authentication to Chwala will work if it uses the same (session) database as Roundcube. Additionally set $config['fileapi_plugins'] = array('kolab_sso', 'kolab_auth', 'kolab_folders'); Authenticating to Seafile/WebDAV storage is not supported (until it's custom user-defined storage). TODO ---- - kolab_delegation (LDAP auth for write operation) - Chwala+Seafile - Chwala+WebDAV - Freebusy auth - Mattermost auth - Extended token validation