Carbonio Auth is the Carbonio component that affects how a Carbonio instance is accessed, starting from the Login Page and including the access mode. The access mask varies depending on the authentication backends configured, allowing users to supply their credentials through any of those backends. This is reflected in the Carbonio Auth for users as well.
Carbonio Auth allows you to handle all of Carbonio’s Authentication Strategies (user/pwd, SAML, 2FA, MobilePwd, QrCode) and Service Authorizations.
This section is divided into three main parts. Immediately below is a description of all supported authentication methods; the next two parts cover administration tasks, which require privileged access and are mostly performed via the CLI, and everyday tasks, which can be performed by both administrators and users via the Web GUI.
Methods of Authentication Supported
Carbonio Auth is compatible with the following backends:
- Temporary Authorization Link
- Credential management through self-service
- Integration of SAML
- 2FA (using an OTP token) authentication
- CLI Credential Management
Carbonio Auth for Administrators
This section is for administrators and covers the tasks they may perform to administer and maintain Carbonio Auth. Here administrators will find the prerequisites for the various authentication methods, installation instructions, and credential management.
The following prerequisites must be met in order to activate the authentication schemes offered in Carbonio.
Configuring SAML
To link a SAML application with Carbonio, you must set up the SAML IDP (IDentity Provider) using the SAML SP data. In our example scenario, we wish to add SAML authentication to the domain example.com, which can be accessed through the SP_URL.
The configuration is completed at an IDP provider and then imported into Carbonio through a dedicated command.
The following are the most significant setup choices. They should be configured on the SAML IDP side.
Make sure that the Name of the property used as
is set to mailPrimaryAddress in order to validate against Carbonio.
Carbonio now supports SAML application integration in two modes: automated and manual. Each strategy is described in depth in the sections that follow.
Automatically Import SAML Configuration
The SAML IDP gives a URL where you may obtain the configuration; if this URL is https://my-saml-provider.org/simplesaml/saml/idp/metadata.php, you can import the configuration with the command:
You will be sent to the SAML IDP login page after clicking it.
Manually Import SAML Configuration
If you need to manually change the SAML settings, follow this four-step process. To summarise, you must export the default SAML settings, edit them, and then save and import them again.
Step 1. Export the default SAML settings
Step 2. Modify
Step 3. Check modified
Step 4. Save the changes
Set up SAML Logout
, we can add signed logout to the settings used in the previous section.
Using SAML, you may gain access to a service.
Configure SAML on Azure as an example
Temporary Auth Link
- Click the Create a temporary link button in the user’s General Information section, in the box labelled Temporary link.
- An overlay window will appear with a URL link that may be copied by clicking on the accompanying button.
- The link may then be forwarded to the new user.
- The user must access the inbox within 12 hours, before the link expires.
Corner Cases of 2FA
2FA is a common approach for allowing users to securely log in to an infrastructure using a temporary token (often in the form of a QR code) in addition to the regular user/password combination.
Management of Credentials
- Only WebAccess should be enabled.
- Allow IMAP in the absence of SMTP.
- Only allow IMAP/SMTP for managed clients (pre-setup without a user).
- Create SMTP passwords that are not enabled for Web/SOAP/IMAP access, so that they can be used for automation or other services.