Guide me on OAuth 2.0 and OpenID Connect in SmarterMail
Problem reported by Sagar - 6/4/2026 at 8:15 PM
Submitted
I want to understand OAuth 2.0 and OpenID in SmarterMail in the recent release version. How does it work?

Thank you
Chris Replied
Hello Sagar,

What would you like to achieve? Allow users to log in to Webmail through an IDP (ADFS, Cognito, etc.), or allow users to authenticate from their email clients (Outlook, Thunderbird, business applications, etc.), as Google and Office 365 do?

I found a 2024 article, but unfortunately I couldn't find anything else: portal.smartertools.com/kb/a3708/smartermail-and-oauth-2_0.aspx


I agree with you, I think this type of integration is becoming increasingly important for maintaining a consistent and coherent IT environment.

Kind regards.
Sagar Replied
Hi Chris,
Yes, I just want to have an idea of how SmarterMail is using these protocols, as I can take it OAuth 2.0 is being used when we integrate OneDrive (which worked), as per the mentioned article posted in 2024, and there are no further updates on OpenID Connect, as the authentication protocol is changing and evolving but that is not happening here.
Jay Dubb Replied
Agreed. We are seeing a ton more vendors supporting SSO (single sign-on) and external identity management. It would be great to see SmarterMail support authenticating against Azure/Entra AD (SAML) to start, and maybe Okta too. When I say "support", I mean as in a GUI setup option that will enable it and generate the XML file that gets uploaded to the IDP. We've had to do some roll-your-own SAML configs (on behalf of some clients) with 3rd party portals who support SAML but haven't reached the point of generating the XML for you, and it's kind of a pain because it's error-prone and you get involved with the whole manual certificate thumbprint setup.
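Added example, not part of any post in this thread and not SmarterMail code: a minimal Python sketch of the two manual steps mentioned above, building a SAML 2.0 service-provider metadata XML for upload to the IdP and computing the certificate thumbprint from the same PEM. The entity ID and ACS URL are hypothetical, and the sample certificate is constructed stand-in bytes; which hash algorithm the IdP expects for the thumbprint is an assumption to check.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in bytes, NOT a real certificate; use the SP's signing cert.
SAMPLE_DER = bytes(range(256)) * 3
_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
              + "\n-----END CERTIFICATE-----\n")

def pem_to_der(pem: str) -> bytes:
    """Drop the PEM armour lines and all whitespace, return the DER bytes."""
    lines = (l.strip() for l in pem.splitlines())
    body = "".join(s for s in lines if s and not s.startswith("-----"))
    return base64.b64decode(body, validate=True)

def thumbprint(pem: str, algo: str = "sha256") -> str:
    """Fingerprint over the DER encoding: upper-case hex, no separators."""
    return hashlib.new(algo, pem_to_der(pem)).hexdigest().upper()

def sp_metadata(entity_id: str, acs_url: str, pem: str) -> str:
    """Build SP metadata with one signing key and one HTTP-POST ACS endpoint."""
    ET.register_namespace("md", MD)
    ET.register_namespace("ds", DS)
    root = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": entity_id})
    sso = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor", {
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
        "AuthnRequestsSigned": "true", "WantAssertionsSigned": "true"})
    kd = ET.SubElement(sso, f"{{{MD}}}KeyDescriptor", {"use": "signing"})
    data = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    cert = ET.SubElement(data, f"{{{DS}}}X509Certificate")
    cert.text = base64.b64encode(pem_to_der(pem)).decode()  # single line, no armour
    ET.SubElement(sso, f"{{{MD}}}AssertionConsumerService", {
        "Binding": POST, "Location": acs_url, "index": "0", "isDefault": "true"})
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    # Hypothetical SP endpoints, for illustration only.
    print(sp_metadata("https://mail.example.com/saml/metadata",
                      "https://mail.example.com/saml/acs", SAMPLE_PEM))
    print("SHA-256 thumbprint:", thumbprint(SAMPLE_PEM))
    print("SHA-1 thumbprint:  ", thumbprint(SAMPLE_PEM, "sha1"))
```

Deriving both the embedded certificate and the thumbprint from one PEM file removes the copy-and-paste step where the two tend to drift apart.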
 
 
Gabriele Maoret - SERSIS Replied
+1
Gabriele Maoret - Head of SysAdmins and CISO at SERSIS
Currently manages 7 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 6 on-premise for customers who prefer to have their mail server in-house)
Stefan Mössner Replied
+1
John Quest Replied
We are seeing a ton more vendors supporting SSO (single sign-on) and external identity management.

Perfect. That way when a user becomes compromised, everything he logs onto is instantly compromised.
Exactly! 
Jay Dubb Replied
@John Quest said, Perfect. That way when a user becomes compromised, everything he logs onto is instantly compromised.

Clients are using it for their other line of business apps and are demanding it for Webmail logins, too.  I personally do not like SSO all that much, but not for the security concern.  The risk you mentioned is mitigated significantly by enforcing Multi-Factor Authentication (MFA) at the Identity Provider level.  Use an Authenticator app as the MFA method, like the one from Microsoft which has the option of doing push notifications so you don't have to key in 6-digit codes all the time.  You can use SMS/Text but it's not as robust.  For high-value or highly paranoid entities, you can require multiple MFA.  A few examples are Authenticator + SMS/Text, or Authenticator + Security Questions, or use an RSA Token which is highly secure.

The primary reason I don't like SSO is the single point of failure (all eggs in one basket) problem.  If your Identity Provider has an outage, you lose access to everything.  Sure it's convenient and people love it.  But if your ID Provider is down, you can't log in to the most important things your business depends on.

We work with one client (over 500 employees) that eliminated all of their on-premises app servers and went with vendor-hosted cloud versions of everything.  They have roughly 30 of these external services tied to SSO, most of them mission-critical.  An SSO outage for them would be catastrophic.  Their CIO, who is a bean counter not a tech person, insisted on it because of the convenience and their belief that it's "more secure" than individual passwords for each service.
 
