MFA (Multi Factor Authentication), SSO, and Cyrus
John Wade
jwade at oakton.edu
Tue Feb 18 17:35:26 EST 2020
Hi Cyrus Users,

We are currently using Cyrus IMAP with Roundcube webmail, and are
looking to implement both SAML or CAS Single Sign-on and Multifactor
Authentication (MFA) for all applications. Currently Cyrus users
authenticate back to Active Directory via SASL ldap_auth and this
remains one of the few applications not set up with Single Sign-On (SSO).

Has anyone looked at doing SSO and MFA with Cyrus and any available
webmail client? (This ignores the complexity of also offering direct
IMAP access.) The challenge with SAML and CAS SSO is that the SP
application (webmail in this case) does not have access to the user's
password.

It seems like this could theoretically be set up to work for webmail
with proxy authentication, or with an LDAP proxy from the MFA vendor for
MFA without SSO, but I don't see any solutions that wouldn't require
extensive customization/rewriting.

Has anyone put a solution like this into production? My google-fu has
failed me on this one.

Thanks in advance,
John Wade
Oakton Community College