What exactly is Zextras Auth?
Zextras Auth is the Zextras Suite module that governs the process of accessing a Zextras instance, starting from the Login Page. It covers:
- The mode of access. The login form varies depending on the configured authentication backends, allowing users to submit their credentials via any of them. This is also mirrored in ZxAuth (the Auth Zimlet) for users.
- Customisations. These define the appearance of the login page; the list of configurable items is given in the dedicated section Custom Login Page.
Zextras Auth allows you to handle all of Zextras’ Authentication Strategies (user/pwd, SAML, 2FA, MobilePwd, QrCode) and Service
This page is divided into three main parts, in the following order. Immediately below is a description of all supported authentication methods; the next two parts cover administration tasks, which require privileged access and are mostly performed via the CLI, and everyday tasks, which both administrators and users can perform via the Web GUI. Finally, a reference list of all CLI commands is provided, with links to each command.
Methods of Authentication Supported
Zextras Auth is compatible with the following backends:
- Credential management through self-service
- Password management on mobile devices
- Application security code
- Personalised login page
- Integration of SAML
- OTP token authentication for two-factor authentication
- CLI Credential Management
Management of Self-Service Credentials
Self-service credential management enables each user to generate fresh passwords and QR codes for third parties, such as team members and personal assistants, who access his/her email account and Zextras applications from mobile devices.
QR Codes, in particular, may be used to gain access to Zextras Apps, which are currently Team and Drive.
More details and step-by-step instructions may be found in Section ZxAuth for users (Auth Zimlet).
Personalised Login Page
All Zextras functionality is accessible upon login through the Zextras login page, which may be personalised in numerous ways, such as adding the company’s logo or other components of the company’s corporate identity.
This functionality is implemented through the CLI and so requires administrator rights; further information and recommendations may be found in the section Custom Login Page.
SAML (Security Assertion Markup Language)
SAML (Security Assertion Markup Language) is an XML-based open standard data format for exchanging authentication information. It supports web-based authentication and authorization scenarios such as cross-domain Single Sign-On (SSO), which allows users to access several applications with the same credentials.
In Zextras, the SAML implementation relies on an external IDentity Provider (IdP) with which the user authenticates; the IdP then passes authorization credentials to a service provider (SP). This process of verifying the user's identity and credentials is known as SAML authentication. SAML requires little configuration in Zextras Suite, since an administrator can build the SAML configuration by importing the SAML metadata from the IdP. Each domain can have its own SAML endpoint, and both SP-initiated and IdP-initiated SAML authentication are supported.
The following are the fundamental elements of SAML authentication:
- The entity that provides the service is known as the Service Provider (SP).
- The entity that provides the identities is known as the Identity Provider (IdP).
- The Service Provider generates a SAML Request to "request" authentication.
- The Identity Provider generates the SAML Response, which contains the assertion about the authenticated user.
Furthermore, the Assertion Consumer Service (ACS) endpoint is the location where SSO tokens are delivered, according to the partner's requirements.
Section Setting up SAML Configuration describes how to establish SAML and integrate other apps in Zextras Suite.
Two Factor Authentication (also known as 2FA) adds a security layer to the login step, making it less likely that unauthorised access will occur. This additional layer of Zextras is provided via a One Time Password (OTP), which may be read as a QR code on mobile devices.
When 2FA is enabled on a Zextras domain, an OTP is required to login; supplying merely the username and password will fail. Furthermore, for 2FA to operate effectively, the property zimbraAuthMech must be enabled on the domain.
2FA applies only to protocols or apps that support it, such as HTTP and HTTPS, but not IMAP and SMTP. It can be configured at the device, IP, or IP range level using the trusted_device or trusted_ip parameters. When an IP or IP range is trusted, 2FA applies to any login originating from that IP or IP range, whereas trusted_device requires that the same browser or app be used, otherwise it will fail: if a 2FA login is performed in Chrome, viewing the same page in Firefox will require a new login.
To use the OTP, the site administrator must set up the domain (see QR Code Requirements), while users configure it using the Auth Zimlet.
ZxAuth for Administrators
This section is for administrators and describes the tasks they may perform to administer and maintain Zextras Auth. Administrators will find the prerequisites for the various authentication methods, as well as installation instructions, on this page. This is followed by credential management and, at the end, the option to customise the login screen.
QR Code Requirements
To be effective, the QR Code Application Password feature requires the following domain-level parameters to be set:
If one or more of the attributes are not set, an email will be sent to the administrator informing them of the affected domains and their missing properties.
To correctly set up 2FA, the zimbraAuthMech property must be specified at the domain level:
To activate 2FA, you must also do the following:
- Add the addresses of all mailboxes and MTAs to the zimbraMailTrustedIP attribute.
- For all services, a trusted IP range must be specified.
- For all services, the ip_can_change property must be set to true, and 2fa_policy must be set to 1.
Before enabling SAML login, the Zextras Backend processing must be modified, since the following header fields are required to assemble the complete request URL: X-Port and X-Protocol.
The following files are impacted by this change:
The /zx/ location block should be modified in each of them.
Activating the Login Page
Changing the Login Page
Image File Sizes and Locations
Title of the Login Page
- at the global level: zxsuite auth loginPage setTitle global
- at the domain level: zxsuite auth loginPage setTitle domain
Configuring Policy Management for 2FA
- be set to activate or disable 2FA
- possesses its own Trusted Networks
Creating the SAML Configuration
Automatically Import SAML Configuration
Manually Import SAML Configuration
Set up SAML Logout
- Generate a new X509 certificate and register it with the SAML IdP. To create one using openssl, run a command similar to the one below.
- Add the certificate as sp.x509cert and the private key as sp.privatekey to the configuration file (lines 8 and 9).
- Enable signing of logout requests in the security settings (line 30: set logoutrequest_signed to true).
- Optionally, also enable signing of the login request in the security settings (line 32: set authnrequest_signed to true).
A service can be accessed via SAML in any of the following ways:
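Before enabling signed logout or login requests, it is worth checking that the key material the steps above refer to is actually present and well-formed. The following is an added example (not Zextras code): it parses a constructed key = value configuration using the setting names from the steps (sp.x509cert, sp.privatekey, logoutrequest_signed, authnrequest_signed; the exact file layout is an assumption) and reports what would break signing.

```python
import re

# Constructed sample configuration; key names follow the steps above, the
# line layout is assumed for this illustration. The private key is left empty
# on purpose to show the check firing.
SAMPLE_CONFIG = """
# SP settings (constructed example)
sp.entityid = https://mail.example.com/zx/auth/saml/metadata
sp.x509cert = -----BEGIN CERTIFICATE-----MIIC...placeholder...-----END CERTIFICATE-----
sp.privatekey =
security.logoutrequest_signed = true
security.authnrequest_signed = false
"""

PEM_RE = re.compile(r"^-----BEGIN ([A-Z ]+)-----.*-----END \1-----$", re.S)


def parse_properties(text):
    """Parse 'key = value' lines into a dict; blank lines and # comments are ignored.
    Only the first '=' separates key and value, so base64 padding in values survives."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def is_pem(value, label):
    """True if value is a single PEM block whose BEGIN/END label ends with `label`
    (so both 'PRIVATE KEY' and 'RSA PRIVATE KEY' count as a private key)."""
    m = PEM_RE.match(value)
    return bool(m) and m.group(1).endswith(label)


def check_signing_config(props):
    """Return the list of problems that would break signed SAML requests."""
    signed_keys = ("security.logoutrequest_signed", "security.authnrequest_signed")
    if not any(props.get(k, "false").lower() == "true" for k in signed_keys):
        return []  # nothing is signed, so no SP key material is required
    problems = []
    if not is_pem(props.get("sp.x509cert", ""), "CERTIFICATE"):
        problems.append("sp.x509cert missing or not a PEM certificate")
    if not is_pem(props.get("sp.privatekey", ""), "PRIVATE KEY"):
        problems.append("sp.privatekey missing or not a PEM private key")
    return problems
```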
- Log in to the IDP site and navigate to the resource you wish to use.
- Navigate to the service’s web page and click the SAML LOGIN button, which is located near the login and password boxes.
- Use the direct URL to the service’s SAML authentication. For example, if you have a Suite installation (the Service) at mail.example.com and are already connected to the IDP, you may access the mailbox by visiting https://mail.example.com/zx/auth/startSamlWorkflow?redirectUrl=https://mail.example.com/suite/mails.
Temporary Authorization Link
- Click the Create a temporary link button in the user’s General Information section, in the box labelled Temporary link.
- An overlay window will appear with a URL link that may be copied by clicking on the accompanying button.
- The link may then be forwarded to the new user.
- The user must access the inbox within 12 hours, before the link expires.
ZxAuth for Users (Auth Zimlet)
Overview of Zextras Auth Zimlet
- Change the current logged-in user’s password
- Add new credentials using the relevant pages, which may be accessed by selecting Exchange ActiveSync, Mobile Apps, or OTP Authentication.
- Examine the status and other details for any Exchange ActiveSync and Mobile Apps credentials that have been established. Entries in the list in each part indicate the label of the password, its status, the service it is valid for, and its creation date.
- Examine the status and other details for each One Time Password established. Each item includes a description, status, unsuccessful attempts, and the date it was created.
- Control 2FA access. Unless it has been enabled or deactivated at the COS, domain, or global level, each user can decide whether to enforce access via 2FA.
- Delete any credentials that have been generated
Create New Credentials: EAS
Create New Credentials: OTP
Management of Credentials
Create new credentials
- Create a password and a label for the user firstname.lastname@example.org, who will be able to access the eas service (mobile password).
- produced – whether or not the credential was generated at random: 0 means true and 1 means false
- created – the time of creation
- label – a label that can be used to recall the purpose or user of the credentials.
- id – the unique ID required to alter or update the credentials.
- services – services to which access is granted
- hash – the credential that has been hashed
- enabled – whether or not the credential may be used
- algorithm – the hashing algorithm that is employed
- password – the password that was supplied or generated at random. As previously stated, this is the only point at which the administrator can see a user's password.
- Create a password for email@example.com that is valid only for Web Access (both ClassicUI and the Zextras Login Page).
- Create a password for firstname.lastname@example.org that is valid only for IMAP and POP3 downloads (no SMTP).
- Create a password for email@example.com labelled SMTP_Service_Password. Such a credential enables SMTP for an external client.
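The credentials above are scoped to a service (eas, web access, IMAP/POP3, SMTP) and carry the fields listed earlier. The following added example (not Zextras code) models how a server would verify such an application password against a record with those fields: it refuses disabled credentials, enforces the service scope, and compares hashes in constant time. The salted SHA-256 hex hash scheme is an assumption for the illustration, not Zextras' storage format.

```python
import hashlib
import hmac

# Assumed hash scheme for this illustration: SHA-256 over salt + password.
# Real deployments would use a slow password hash; this keeps the example offline.
CONSTRUCTED_SALT = "constructed-salt"


def make_hash(password, salt=CONSTRUCTED_SALT):
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed credential record using the field names listed above.
CREDENTIAL = {
    "id": "cred-0001",
    "label": "assistant phone",
    "services": ["eas"],          # valid for Exchange ActiveSync only
    "enabled": True,
    "algorithm": "sha256",
    "hash": make_hash("correct horse battery"),
    "produced": 0,                # 0 = generated at random, per the field list
    "created": "2024-01-01T00:00:00Z",
}


def verify_app_password(record, presented, service):
    """Accept only an enabled credential, scoped to the requested service,
    whose stored hash matches the presented password (constant-time compare)."""
    if not record.get("enabled"):
        return False
    if service not in record.get("services", []):
        return False          # an eas-only password must not open IMAP or SMTP
    if record.get("algorithm") != "sha256":
        return False          # unknown algorithm: refuse rather than guess
    return hmac.compare_digest(make_hash(presented), record["hash"])
```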