Zimbra is open source server software for email and collaboration - email, group calendar, contacts, instant messaging, file storage and web document management. The Zimbra email and calendar server is available for Linux, Mac OS X and virtualization platforms. Zimbra syncs to smartphones (iPhone, BlackBerry) and desktop clients like Outlook and Thunderbird. Zimbra also features archiving and discovery for compliance. Zimbra can be deployed on-premises or as a hosted email solution.

Zimbra can be connected with SAML protocol which is the recommended way, but this requires Zimbra Network Edition.

Zimbra can also use a specific preauthentication protocol to provide SSO on its application. This protocol is implemented in an LL::NG specific Handler and is available in Zimbra Open Source Edition.


On LemonLDAP::NG side

Create a new SAML SP and use this metadata content:

<?xml version="1.0"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        index="1" />

Replace zimbrasaml.example.com by your ZimbraPublicHostname.

Enable IDP SSO Initiated option.

Create Email exported attribute, which must return the user email.

Export the SAML signature certificate in a file, for example lemonsaml.cert that must be copied on Zimbra server.

On Zimbra side

Copy the SAML plugin (available only with Zimbra NE):

mkdir /opt/zimbra/lib/ext/saml
cp /opt/zimbra/extensions-network-extra/saml/samlextn.jar /opt/zimbra/lib/ext/saml/samlextn.jar

Import certificate:

su - zimbra
cat /tmp/lemonsaml.crt |xargs -0 zmprov md exampledomain.com zimbraMyoneloginSamlSigningCert

Configure SAML properties:

zmprov mcf zimbraCsrfRefererCheckEnabled FALSE
zmprov md exampledomain.com zimbraWebClientLoginURL "https://auth.example.com/saml/singleSignOn?IDPInitiated=1&sp=https://zimbrasaml.example.com/service/extension/samlreceiver"
zmprov md exampledomain.com zimbraWebClientLogoutURL "https://auth.example.com/saml/singleLogout"
zmmailboxdctl restar

To check for errors:

tail -f /opt/zimbra/log/zmmailboxd.ou

Zimbra PreAuth Handler


This method is no more recommended.

The integration with LL::NG is the following:

  • A special URL is declared in application menu (like http://zimbra.example.com/zimbrasso)

  • A Zimbra Handler is called

  • Handler build the preauth request and redirect user on Zimbra preauth URL

  • Then Zimbra do the SSO by setting a cookie in user’s browser

Zimbra preauth key

You need to get a preauth key from Zimbra server.

See how to do this on Zimbra wiki.

Zimbra application in menu

Choose for example http://zimbra.example.com/zimbrasso as SSO URL and set it in application menu.

Zimbra virtual host

You just have to set “Type: ZimbraPreAuth” in virtualhost options and reload configuration in this handler.

Zimbra Handler parameters

Zimbra parameters are the following:

  • Preauthentication key: the one you grab from zmprov command

  • Account session key: session field used as Zimbra user account (by default: uid)

  • Account type: for Zimbra this can be name, id or foreignKey (by default: id)

  • Preauthentication URL: Zimbra preauthentication URL, either with full URL (ex: http://zimbra.lan/service/preauth), either only with path (ex: /service/preauth) (by default: /service/preauth)

  • Local SSO URL pattern: regular expression to match the SSO URL (by default: ^/zimbrasso$)


Due to Handler API change in 1.9, you need to set these attributes in lemonldap-ng.ini and not in Manager, for example:

zimbraPreAuthKey = XXXX
zimbraAccountKey = uid
zimbraBy =id
zimbraUrl = /service/preauth
zimbraSsoUrl = ^/zimbrasso$

Multi-domain issues

Some organizations have multiple zimbra domains:

  1. foo@domain1.com

  2. bar@domain2.com

However, the zimbra preauth key is:

  • generated for one zimbra domain only

  • declared globally for every LemonLDAP::NG virtual hosts.

Thus, if domain1 has been registered on LemonLDAP::NG, user bar won’t be able to connect to zimbra because preauth key is different. If you accept to have the same preauth key for all zimbra domains, you can set the same preauth key using this procedure:

We are going to use the first key (the domain1 one) for every domain. On Zimbra machine, generate the keys:

zmprov generateDomainPreAuthKey domain1.com
preAuthKey: 4e2816f16c44fab20ecdee39fb850c3b0bb54d03f1d8e073aaea376a4f407f0c

zmprov generateDomainPreAuthKey domain2.com
preAuthKey: 6b7ead4bd425836e8cf0079cd6c1a05acc127acd07c8ee4b61023e19250e929c

Then, connect to your zimbra LDAP server with your favourite tool (Apache Directory Studio can do the job). Take care to connect with the super admin and password account.

  • Expand the branch “dc=com”, then click the “dc=domain1” branch

  • Get the value of zimbraPreAuthKey

  • Expand the branch “dc=com”, then click the “dc=domain2” branch

  • Replace the value of zimbraPreAuthKey you have previously copied

  • Wait for all Zimbra servers to update, or restart the zcs server

That’s it, all zimbra servers will be able to decipher the hmac because they share the same key!