MFA (Multi Factor Authentication), SSO, and Cyrus

John Wade jwade at oakton.edu
Tue Feb 18 17:35:26 EST 2020


Hi Cyrus Users,

We are currently using Cyrus IMAP with Roundcube webmail, and are 
looking to implement both SAML or CAS Single Sign-on and Multifactor 
Authentication (MFA) for all applications. Currently Cyrus users
authenticate back to Active Directory via SASL ldap_auth and this
remains one of the few applications not set up with Single Sign-On (SSO).

Has anyone looked at doing SSO and MFA with Cyrus and any available
webmail client? (This ignores the complexity of also offering direct
IMAP access.) The challenge with SAML and CAS SSO is that the SP
application (webmail in this case) does not have access to the user's
password.

It seems like this could theoretically be set up to work for webmail 
with proxy authentication, or with an LDAP proxy from the MFA vendor for 
MFA without SSO, but I don't see any solutions that wouldn't require 
extensive customization/rewriting.

Has anyone put a solution like this into production? My Google-fu has
failed me on this one.

Thanks in advance,
John Wade
Oakton Community College

