Using Keycloak as the OpenIDC Identity Provider (to Login) to Zimbra

I think by now we can see that delegating authorization using SAML or OpenIDC connect not only makes your life easier as a developer, it also makes administration easier and gives you and your users a more secure product.

Today, I am looking at using Keycloak as your identity provider for zimbra and how to setup a zimbra account in this way.

I did a bit of research and found the following resources:

Zimbra Network Edition

If you look on the zimbra downloads page – the open source version is zimbra collaboration. i might try the free trial for testing purposes.

From the initial reading it seems that Zimbra network edition is required for the SAML based SSO. Which means you would have this directory and a readme in (if you are lucky):


Unfortunately I only had this directory: /opt/zimbra/extensions-extra so I assume it is not network edition.

Luckily in that diretory there was a folder openidconsumer – which sounds very promising.

There readme.txt containing:

- Create "openidconsumer" directory under /opt/zimbra/lib/ext

- Copy "zm-openid-consumer-store-*.jar" to /opt/zimbra/lib/ext/openidconsumer directory

- Copy openid4java-1.0.0.jar and guice-2.0.jar to /opt/zimbra/jetty/common/lib directory

- Copy "formredirection.jsp" file to /opt/zimbra/jetty/webapps/zimbra/public directory

- Configure allowed OpenID Provider URLs for the domain:

    zmprov md <domain> +zimbraOpenidConsumerAllowedOPEndpointURL <op_endpoint_url>


      zmprov md <domain> +zimbraOpenidConsumerAllowedOPEndpointURL ""

- If the zimbraOpenidConsumerStatelessModeEnabled server attribute is set to FALSE (TRUE by default), setup memcached

- zmmailboxdctl restart

- To associate/link an "open id" with a user's account (to provision OpenID-based login in future) when the user is
  already logged-in into Zimbra web client, browse to:




  You should end up with a "Success" page. Essentially, this step results in the "open id" being added to account's
  zimbraForeignPrincipal attribute.

  OpenID Consumer tries to discover the OpendID Provider Endpoint URL using the user-supplied-identifier. If the
  discovery process fails to discover any endpoints then the user-supplied-identifier is assumed to be the OpenID
  Provider Endpoint URL.

- To initiate OpenID-based login (instead of the usual username/password-based login), again browse to:


Implementing the Readme Steps