Question: Does the Linux version of IceWarp Support SSO (Single Sign-on)?
SSO grants a user logged on to a computer joined to an Active Directory domain access to IceWarp services without having to authenticate again.
Solution: Yes, it does. Please follow these instructions to set it up.
The IceWarp server uses the following ports to communicate with Active Directory during the SSO process. These ports must be available to the IceWarp server.
Service  | Protocol   | Port / Secure Port
LDAP     | TCP or UDP | 389 / 636
DNS      | TCP or UDP |
Kerberos | TCP or UDP | 88 / 464
SMB      | TCP or UDP | 139 / 445
Do the following on both the domain controller and IceWarp Server:
- On your DNS server, create a type A record with the name "mail" and point it to your IceWarp Cloud's IP address.
Add-DnsServerResourceRecordA -Name "mail" -ZoneName "icewarpdemo.com" `
-AllowUpdateAny -IPv4Address "220.127.116.11"
- Create a user in the Users container. In the example below, we use PowerShell 7, but any user-creation utility will work. Give the UserPrincipalName a recognizable value; it links the ServicePrincipalName used by IceWarp to the type of SSO service, in this case webmail.
New-ADUser -Name "http_sso" -UserPrincipalName "email@example.com" `
-Path "CN=Users,DC=iw,DC=inc" -AccountPassword (Read-Host -AsSecureString "Input Password") `
-Enabled $true -PasswordNeverExpires $true
The above command creates the user account, enables it, and sets the password never to expire.
- Link the user to the SSO service with the ktpass utility. The syntax is case sensitive and MUST match the example below. The command creates a keytab file and places it in the location given by the "out" parameter, in this case the root of the C: drive.
ktpass -out c:\HTTP#mail.icewarpdemo.com@ICEWARPDEMO.COM `
-princ HTTP/mail.icewarpdemo.com@ICEWARPDEMO.COM -mapUser firstname.lastname@example.org `
-mapOp set -pass * -ptype KRB5_NT_PRINCIPAL
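The three domain-controller steps above, combined into one script with the checks a practitioner would run before copying the keytab to the IceWarp server. This is an added example, not code from the IceWarp article: the zone, realm, record name, IP address, account name and keytab file name are the article's values; the UserPrincipalName http_sso@icewarpdemo.com is an assumed value (the article's is redacted), and the account is placed in the domain's Users container via Get-ADDomain rather than a hard-coded path.

```powershell
# Added example (not from the IceWarp article): domain-controller side of the SSO setup
# with verification. Requires the ActiveDirectory and DnsServer modules and ktpass.exe.
#Requires -Modules ActiveDirectory, DnsServer

$Zone        = 'icewarpdemo.com'          # DNS zone (from the article)
$RecordName  = 'mail'                     # A record name (from the article)
$Realm       = 'ICEWARPDEMO.COM'          # Kerberos realm: must be UPPERCASE
$Fqdn        = "$RecordName.$Zone"        # must be lowercase to match the SPN
$IceWarpIP   = '220.127.116.11'           # IceWarp server address (from the article)
$AccountName = 'http_sso'                 # service account (from the article)
$Upn         = "$AccountName@$Zone"       # ASSUMED value; the article's UPN is redacted
$Spn         = "HTTP/$Fqdn@$Realm"        # case sensitive: HTTP upper, host lower, realm upper
$KeytabPath  = "C:\HTTP#$Fqdn@$Realm"     # file name convention used by the article

# 1. DNS A record for the webmail host (skipped if it already exists)
if (-not (Get-DnsServerResourceRecord -ZoneName $Zone -Name $RecordName -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -Name $RecordName -ZoneName $Zone -AllowUpdateAny -IPv4Address $IceWarpIP
}

# 2. Service account in the domain's Users container. PasswordNeverExpires matters:
#    the keytab key is derived from the password, so a rotation would break SSO.
New-ADUser -Name $AccountName -UserPrincipalName $Upn `
    -Path (Get-ADDomain).UsersContainer `
    -AccountPassword (Read-Host -AsSecureString 'Password for the SSO service account') `
    -Enabled $true -PasswordNeverExpires $true

# 3. Map the SPN to the account and write the keytab. "-pass *" makes ktpass prompt;
#    it resets the account password to what you type and keys the keytab from it,
#    so nothing sensitive is placed on the command line.
ktpass -out $KeytabPath -princ $Spn -mapUser $Upn -mapOp set -pass '*' -ptype KRB5_NT_PRINCIPAL
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# 4. Verify before copying the keytab to the IceWarp server's _keytabs directory.
$acct = Get-ADUser -Identity $AccountName -Properties ServicePrincipalNames, PasswordNeverExpires
if ($acct.ServicePrincipalNames -notcontains "HTTP/$Fqdn") {
    throw "SPN HTTP/$Fqdn is not registered on $AccountName (check the case of the -princ value)"
}
if (-not $acct.PasswordNeverExpires) {
    throw "PasswordNeverExpires is not set on $AccountName; the keytab would stop working on rotation"
}
$a = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop
if ($a.IPAddress -notcontains $IceWarpIP) {
    throw "$Fqdn resolves to $($a.IPAddress -join ', '), expected $IceWarpIP"
}
if (-not (Test-Path -LiteralPath $KeytabPath)) { throw "Keytab $KeytabPath was not written" }
"OK: $Spn mapped to $AccountName, keytab at $KeytabPath"
```

The SPN check is the one that catches the most common mistake: AD stores the SPN without the realm suffix, and a keytab built with a wrong-case host or service name will never match the ticket the browser presents.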
3 - Configure IceWarp to allow SSO
3a - Domain Directory settings. Since IceWarp Cloud is Linux-based, the Manage Keytabs button is greyed out. You'll need to create the _keytabs directory and place the keytab file in it.
3b - Web > Access > SSO.
Do the following on the client-side browser:
- Add the webmail URL to the trusted sites, in our case "mail.icewarpdemo.com".
- In Firefox, type "about:config" in the address bar and search for "network.negotiate-auth.trusted-uris" and add the webmail URL there.
- In MSIE, open Internet Options > Security tab > Trusted sites and add the webmail URL as a Trusted Site. Additionally, the Integrated Windows Authentication feature must be enabled (it is the default and is what enables Kerberos).
That is it. A user logged on to a computer in the Active Directory domain can launch Firefox, type "https://mail.icewarpdemo.com/webmail/sso" in the address bar, and will be logged into IceWarp webmail automatically. The user may need to log out of and back in to the domain on their computer for the change to take effect.