
BlueMind

This guide explains how to configure single sign-on (SSO) between SmartLink and BlueMind using SAML 2.0 or OpenID Connect.

Prerequisites

  • BlueMind version 4.0 or higher
  • Administrative access to BlueMind
  • SSO BlueMind module enabled
  • Application configured in SmartLink with SAML2 or OpenID Connect

1. Create the application

  1. Log in to SmartLink as an administrator
  2. Go to Applications → Add
  3. Create a new application:
    • Name: BlueMind
    • URL: https://bluemind.example.com
    • Description: Complete collaborative messaging
    • Icon: Choose the BlueMind icon

2. Configure SAML2

  1. In the Authentication tab
  2. Select SAML2
  3. Configure the following parameters:
    • Entity ID: https://[your-smartlink].link.vaultys.org/[appid]
    • ACS URL: https://bluemind.example.com/saml2/SSO
    • NameID Format: emailAddress
    • App ID: [appid] (automatically generated unique identifier)

3. Retrieve the metadata

Note the following URLs:

  • IdP Metadata: https://[your-smartlink].link.vaultys.org/api/saml2/[appid]/metadata
  • SSO URL: https://[your-smartlink].link.vaultys.org/api/saml2/sso/[appid]
  • SLO URL: https://[your-smartlink].link.vaultys.org/api/saml2/slo/[appid]
  • Entity ID: https://[your-smartlink].link.vaultys.org/[appid]
  • X.509 Certificate: Download from SmartLink

Configuration in BlueMind

1. Access the administration console

  1. Log in to the BlueMind administration console
  2. Go to Security → Authentication
  3. Click on SAML Configuration

2. Identity provider configuration

Configure the SAML parameters:

  • Entity ID: https://[your-smartlink].link.vaultys.org/[appid]
  • SSO URL: https://[your-smartlink].link.vaultys.org/api/saml2/sso/[appid]
  • SLO URL: https://[your-smartlink].link.vaultys.org/api/saml2/slo/[appid]
  • Public Certificate: Import the X.509 certificate from SmartLink

3. Attribute configuration

BlueMind Attribute    SAML Attribute    Required
Email                 email
Display Name          displayName
First Name            givenName
Last Name             sn
Groups                memberOf

Configuration with OpenID Connect

1. Configure OpenID Connect

  1. In the BlueMind application
  2. Authentication tab → OpenID Connect
  3. Note:
    • Client ID: bluemind-xxxxxx
    • Client Secret: secret-xxxxxx
    • App ID: [appid]

2. Redirection URLs

Add:

https://bluemind.example.com/auth/oidc/callback
https://bluemind.example.com/api/auth/oidc/callback

Configuration in BlueMind

  1. In Security → Authentication → OpenID Connect
  2. Configure:
{
  "provider": {
    "issuer": "https://[your-smartlink].link.vaultys.org",
    "discovery_url": "https://[your-smartlink].link.vaultys.org/api/oidc/[appid]/.well-known/openid-configuration",
    "client_id": "bluemind-xxxxxx",
    "client_secret": "secret-xxxxxx",
    "scopes": ["openid", "profile", "email", "groups"]
  }
}
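Whatever BlueMind does with the provider block above, the relying party ends up holding an ID token that has to be checked against exactly these values: the signature, iss against issuer, aud against client_id, exp, and the nonce it sent. The following is an added example (not BlueMind or SmartLink code) showing that check in plain Python. It assumes HS256 tokens signed with client_secret so it can run offline; if SmartLink issues RS256 tokens, the signature step must instead use the keys published under the discovery_url. make_test_token only builds a constructed token for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Values from the BlueMind OpenID Connect configuration above; the SmartLink
# host, client_id and client_secret are the page's placeholders.
OIDC_CONFIG = {
    "issuer": "https://[your-smartlink].link.vaultys.org",
    "client_id": "bluemind-xxxxxx",
    "client_secret": "secret-xxxxxx",
}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def verify_id_token(token, config, expected_nonce, now=None):
    """Verify an HS256 ID token signed with client_secret and check the OIDC
    claims (iss, aud, exp, nonce). Returns the claims, raises ValueError on
    any failure. Assumption: HS256 with the client secret; an RS256 issuer
    must be verified against the JWKS from discovery_url instead."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # The verifier, not the token, decides the algorithm: reject 'none' and anything else.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
    expected = hmac.new(config["client_secret"].encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != config["issuer"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if config["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired or exp missing")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def id_token_is_valid(token, config, expected_nonce, now=None):
    """Pass/fail wrapper around verify_id_token."""
    try:
        verify_id_token(token, config, expected_nonce, now)
        return True
    except ValueError:
        return False


def make_test_token(claims, secret, alg="HS256"):
    """Constructed token for the demo (not a SmartLink-issued token). The
    signature is always HMAC-SHA256; passing alg='none' only changes the
    header, which is exactly the case verify_id_token must reject."""
    header_b64 = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), ("%s.%s" % (header_b64, payload_b64)).encode(), hashlib.sha256).digest()
    return "%s.%s.%s" % (header_b64, payload_b64, _b64url_encode(sig))


if __name__ == "__main__":
    demo_claims = {"iss": OIDC_CONFIG["issuer"], "aud": OIDC_CONFIG["client_id"],
                   "sub": "alice@example.com", "exp": int(time.time()) + 300, "nonce": "n-1"}
    print(verify_id_token(make_test_token(demo_claims, OIDC_CONFIG["client_secret"]), OIDC_CONFIG, "n-1"))
```

The order of the checks matters: the signature is verified before any claim is read, so a forged or alg-swapped token never influences the issuer or audience comparison.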

Domain and User Configuration

Multi-Domain Management

domains:
  - name: "example.com"
    authentication: "sso"
    default_quota: "10GB"
    services:
      - email
      - calendar
      - contacts
      - chat

  - name: "branch.example.com"
    authentication: "sso"
    default_quota: "5GB"
    services:
      - email
      - calendar

Automatic Provisioning

{
  "provisioning": {
    "enabled": true,
    "create_on_first_login": true,
    "default_settings": {
      "mailbox_quota": "5368709120",
      "calendar_enabled": true,
      "contacts_enabled": true,
      "im_enabled": true,
      "videoconference_enabled": true
    },
    "group_mapping": {
      "smartlink-admins": "bm_admins",
      "smartlink-users": "bm_users",
      "smartlink-external": "bm_external"
    }
  }
}

BlueMind Services Configuration

Messaging

mail_settings:
  imap:
    enabled: true
    port: 143
    ssl_port: 993

  smtp:
    enabled: true
    port: 25
    submission_port: 587
    ssl_port: 465

  webmail:
    theme: "corporate"
    default_view: "conversation"
    compose_format: "html"

Calendar and Contacts

{
  "calendar": {
    "default_sharing": "free_busy",
    "working_hours": {
      "start": "09:00",
      "end": "18:00",
      "days": ["mon", "tue", "wed", "thu", "fri"]
    }
  },
  "contacts": {
    "corporate_directory": true,
    "ldap_sync": false,
    "carddav_enabled": true
  }
}

Chat and Video Conferencing

chat_settings:
  xmpp:
    enabled: true
    domain: "chat.example.com"
    conference_domain: "conference.chat.example.com"

  video:
    provider: "jitsi"
    jitsi_url: "https://meet.example.com"
    default_room_settings:
      require_password: false
      enable_lobby: true
      record_enabled: false

Integration with Clients

Thunderbird Configuration

<!-- Autodiscover for Thunderbird -->
<clientConfig version="1.1">
  <emailProvider id="bluemind.example.com">
    <domain>example.com</domain>
    <displayName>BlueMind - Example</displayName>
    <displayShortName>BlueMind</displayShortName>
    <incomingServer type="imap">
      <hostname>bluemind.example.com</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
      <authentication>OAuth2</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>bluemind.example.com</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <authentication>OAuth2</authentication>
      <username>%EMAILADDRESS%</username>
    </outgoingServer>
  </emailProvider>
</clientConfig>

Mobile Configuration (ActiveSync)

{
  "activesync": {
    "enabled": true,
    "url": "https://bluemind.example.com/Microsoft-Server-ActiveSync",
    "require_ssl": true,
    "device_policy": {
      "require_password": true,
      "min_password_length": 6,
      "require_encryption": true,
      "allow_simple_password": false,
      "max_failed_attempts": 10,
      "remote_wipe_enabled": true
    }
  }
}

BlueMind API with SSO

API Client with SSO Authentication

import requests


class BlueMindAPI:
    def __init__(self, base_url, sso_token, timeout=10):
        # sso_token is the token obtained from the SmartLink SSO flow; it is
        # sent as a Bearer token on every request of this session
        self.base_url = base_url.rstrip('/')
        self.timeout = timeout
        self.session = requests.Session()
        self.session.headers.update({
            'Authorization': f'Bearer {sso_token}',
            'Content-Type': 'application/json'
        })

    def get_user_info(self, email):
        """Retrieve user information"""
        response = self.session.get(
            f'{self.base_url}/api/user/{email}',
            timeout=self.timeout
        )
        # Raise on 401/403 (expired or rejected SSO token) instead of
        # returning the error body as if it were user data
        response.raise_for_status()
        return response.json()

    def create_calendar_event(self, user_email, event_data):
        """Create a calendar event"""
        response = self.session.post(
            f'{self.base_url}/api/calendar/{user_email}/events',
            json=event_data,
            timeout=self.timeout
        )
        response.raise_for_status()
        return response.json()

    def send_email(self, email_data):
        """Send an email via the API"""
        response = self.session.post(
            f'{self.base_url}/api/mail/send',
            json=email_data,
            timeout=self.timeout
        )
        response.raise_for_status()
        return response.json()

BlueMind Webhooks

// Endpoint for BlueMind webhooks
app.post('/webhook/bluemind', async (req, res) => {
  const { event, data } = req.body;

  switch (event) {
    case 'user.login':
      await logUserAccess(data);
      break;

    case 'mail.received':
      await processIncomingMail(data);
      break;

    case 'calendar.event.created':
      await syncCalendarEvent(data);
      break;

    case 'contact.updated':
      await updateContactInCRM(data);
      break;
  }

  res.status(200).send('OK');
});

Configuration Testing

1. Web Connection Test

  1. Log out of BlueMind
  2. Go to https://bluemind.example.com
  3. Click on SSO Login
  4. Authenticate via SmartLink
  5. Verify access to the messaging system

2. IMAP/SMTP Test with SSO

# IMAP Test with OAuth2
openssl s_client -connect bluemind.example.com:993 -crlf
A01 AUTHENTICATE XOAUTH2 [base64_encoded_token]

# SMTP Test with OAuth2
openssl s_client -connect bluemind.example.com:587 -starttls smtp
AUTH XOAUTH2 [base64_encoded_token]
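The [base64_encoded_token] placeholder in the two sessions above is not the bare access token: XOAUTH2 expects the string user=<email>^Aauth=Bearer <token>^A^A (^A is byte 0x01) base64-encoded on one line. The following is an added example (not BlueMind or SmartLink code) that builds that value and runs the same IMAP and SMTP checks from Python's standard library. The BM_EMAIL and BM_ACCESS_TOKEN environment variable names are this example's own assumption.

```python
import base64
import imaplib
import os
import smtplib


def build_xoauth2_string(email, access_token):
    """Build the XOAUTH2 initial client response shown on the page as
    [base64_encoded_token]: 'user=<email>\x01auth=Bearer <token>\x01\x01',
    base64-encoded into a single line."""
    raw = "user=%s\x01auth=Bearer %s\x01\x01" % (email, access_token)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_xoauth2_string(encoded):
    """Inverse of build_xoauth2_string, handy when reading a SASL exchange back from a log."""
    return base64.b64decode(encoded).decode("utf-8")


def imap_xoauth2_check(host, email, access_token, port=993):
    """Authenticate to IMAP over implicit TLS with XOAUTH2 and open INBOX read-only.
    imaplib calls the authobject with the server challenge and base64-encodes
    whatever it returns, so the raw (un-encoded) string is handed over here."""
    conn = imaplib.IMAP4_SSL(host, port)
    try:
        raw = ("user=%s\x01auth=Bearer %s\x01\x01" % (email, access_token)).encode("utf-8")
        conn.authenticate("XOAUTH2", lambda _challenge: raw)
        status, _ = conn.select("INBOX", readonly=True)
        return status == "OK"
    finally:
        try:
            conn.logout()
        except imaplib.IMAP4.error:
            pass


def smtp_xoauth2_check(host, email, access_token, port=587):
    """Same check for SMTP submission with STARTTLS. smtplib.auth() also
    base64-encodes the authobject's return value itself; 235 means accepted."""
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        smtp.starttls()
        smtp.ehlo()
        raw = "user=%s\x01auth=Bearer %s\x01\x01" % (email, access_token)
        code, _ = smtp.auth("XOAUTH2", lambda challenge=None: raw, initial_response_ok=True)
        return code == 235


if __name__ == "__main__":
    # Live checks only when credentials are supplied through the environment
    # (assumed variable names); otherwise just print the encoded string.
    user = os.environ.get("BM_EMAIL")
    token = os.environ.get("BM_ACCESS_TOKEN")
    if user and token:
        print("IMAP:", imap_xoauth2_check("bluemind.example.com", user, token))
        print("SMTP:", smtp_xoauth2_check("bluemind.example.com", user, token))
    else:
        print(build_xoauth2_string("alice@example.com", "<access-token>"))
```

Paste the printed value after A01 AUTHENTICATE XOAUTH2 or AUTH XOAUTH2 in the openssl sessions above; a failed login is answered with a base64 JSON error from the server, which decode_xoauth2_string will not decode (it is not the same format) but plain base64 decoding will.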

3. Client Testing

  • Thunderbird: Automatic configuration via Autodiscover
  • Outlook: ActiveSync and OAuth2 support
  • Mobile: BlueMind iOS/Android applications with SSO

Troubleshooting

Error "SAML authentication failed"

Issue: SAML authentication fails

Solution:

  1. Verify that the Entity ID configured in BlueMind is exactly https://[your-smartlink].link.vaultys.org/[appid]
  2. Check the X.509 certificate format
  3. Check the logs: /var/log/bluemind/core.log
  4. Test with SAML-tracer (browser extension)

Error "User not found"

Issue: SSO user not found

Solution:

  1. Ensure that automatic provisioning is enabled
  2. Make sure the email matches the BlueMind domain
  3. Check the email attribute in the SAML assertion

Group Synchronization Issue

Issue: Groups are not correctly mapped

Solution:

<!-- Correct format for SAML groups -->
<saml:Attribute Name="memberOf">
  <saml:AttributeValue>CN=bluemind-admins,OU=Groups,DC=example,DC=com</saml:AttributeValue>
  <saml:AttributeValue>CN=bluemind-users,OU=Groups,DC=example,DC=com</saml:AttributeValue>
</saml:Attribute>
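The attribute table under "Attribute configuration", the group_mapping in "Automatic Provisioning" and the two troubleshooting entries above ("User not found", group mapping) all describe the same step: reading the assertion's attributes, checking the email belongs to the BlueMind domain, and turning DN-style memberOf values into BlueMind groups. The following is an added example (not BlueMind or SmartLink code) that performs that mapping on a constructed AttributeStatement; the CN values use the page's smartlink-* group names, and the printers group is left unmapped on purpose to show what the "groups are not correctly mapped" case looks like.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute table from the page: SAML attribute -> BlueMind field.
ATTRIBUTE_MAP = {
    "email": "email",
    "displayName": "display_name",
    "givenName": "first_name",
    "sn": "last_name",
}

# group_mapping from the Automatic Provisioning block: group CN -> BlueMind group.
GROUP_MAPPING = {
    "smartlink-admins": "bm_admins",
    "smartlink-users": "bm_users",
    "smartlink-external": "bm_external",
}

# Constructed AttributeStatement in the DN-style format the Troubleshooting
# section shows; not a real SmartLink assertion. The third group has no mapping.
SAMPLE_ATTRIBUTE_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="email"><saml:AttributeValue>Alice@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="displayName"><saml:AttributeValue>Alice Martin</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="givenName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="sn"><saml:AttributeValue>Martin</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="memberOf">
    <saml:AttributeValue>CN=smartlink-admins,OU=Groups,DC=example,DC=com</saml:AttributeValue>
    <saml:AttributeValue>CN=smartlink-users,OU=Groups,DC=example,DC=com</saml:AttributeValue>
    <saml:AttributeValue>CN=printers,OU=Groups,DC=example,DC=com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def extract_attributes(statement_xml):
    """Return {attribute name: [values]} from an AttributeStatement. Only call
    this after the SP has verified the assertion signature, issuer and
    conditions; for untrusted XML prefer defusedxml over the stdlib parser."""
    root = ET.fromstring(statement_xml)
    attrs = {}
    for attr in root.iter("{%s}Attribute" % SAML_NS["saml"]):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
        attrs[attr.get("Name")] = values
    return attrs


def group_cn(dn):
    """Return the CN of a DN such as 'CN=bluemind-admins,OU=Groups,DC=example,DC=com', or None."""
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.strip().upper() == "CN" and value.strip():
            return value.strip()
    return None


def map_user(attrs, bluemind_domain):
    """Build the BlueMind user record; raises ValueError for the cases the
    Troubleshooting section lists (no email attribute, email outside the domain)."""
    emails = attrs.get("email") or []
    if not emails:
        raise ValueError("assertion carries no email attribute")
    email = emails[0].lower()
    if "@" not in email or email.rsplit("@", 1)[1] != bluemind_domain.lower():
        raise ValueError("%s is not in BlueMind domain %s" % (email, bluemind_domain))
    user = {"email": email}
    for saml_name, field in ATTRIBUTE_MAP.items():
        if saml_name != "email":
            user[field] = (attrs.get(saml_name) or [None])[0]
    mapped, unmapped = [], []
    for dn in attrs.get("memberOf") or []:
        cn = group_cn(dn)
        if cn in GROUP_MAPPING:
            mapped.append(GROUP_MAPPING[cn])
        else:
            unmapped.append(dn)  # worth logging: these are the "not correctly mapped" groups
    user["groups"] = mapped
    user["unmapped_groups"] = unmapped
    return user


def provisioning_error(attrs, bluemind_domain):
    """Return the rejection reason, or None when the user would be provisioned."""
    try:
        map_user(attrs, bluemind_domain)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(map_user(extract_attributes(SAMPLE_ATTRIBUTE_STATEMENT), "example.com"))
```

Unmapped groups are kept rather than dropped silently; logging them next to a "User not found" or group-mapping ticket usually points straight at a CN that differs from the group_mapping key.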

ActiveSync Error with SSO

Issue: ActiveSync not working with SSO

Solution:

  1. Generate an application password for ActiveSync
  2. Use OAuth2 if supported by the client
  3. Configure modern authentication in Exchange/ActiveSync

Security

{
  "security_settings": {
    "enforce_sso": true,
    "session_timeout": "8h",
    "tls_version": "1.2",
    "cipher_suites": [
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    ],
    "antivirus": {
      "enabled": true,
      "engine": "clamav",
      "scan_on_receive": true
    },
    "antispam": {
      "enabled": true,
      "threshold": 5.0,
      "quarantine": true
    },
    "audit": {
      "log_authentication": true,
      "log_email_access": true,
      "retention": "365d"
    }
  }
}
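A block like the one above tends to drift once it is edited by hand, so it is worth keeping the rules it encodes as a check that runs in CI. The following is an added example (not BlueMind code) that lints the page's security_settings: SSO enforced, TLS 1.2 or newer, forward-secret AEAD cipher suites only, session timeout and audit retention within bounds, scanning and authentication logging on. The 12-hour session and 90-day retention limits and the weakened copy used for the demo are this example's own assumptions, not BlueMind defaults.

```python
import copy
import json
import re

# The page's Security block, embedded so the linter runs offline.
SECURITY_SETTINGS = json.loads("""
{
  "security_settings": {
    "enforce_sso": true,
    "session_timeout": "8h",
    "tls_version": "1.2",
    "cipher_suites": [
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    ],
    "antivirus": {"enabled": true, "engine": "clamav", "scan_on_receive": true},
    "antispam": {"enabled": true, "threshold": 5.0, "quarantine": true},
    "audit": {"log_authentication": true, "log_email_access": true, "retention": "365d"}
  }
}
""")

# Forward-secret AEAD suites only: ECDHE key exchange with GCM or ChaCha20-Poly1305.
STRONG_SUITE = re.compile(
    r"^TLS_ECDHE_(RSA|ECDSA)_WITH_(AES_(128|256)_GCM_SHA(256|384)|CHACHA20_POLY1305_SHA256)$")

# Thresholds are this example's assumptions, not BlueMind defaults.
MAX_SESSION_SECONDS = 12 * 3600
MIN_AUDIT_RETENTION_SECONDS = 90 * 86400

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """Parse the page's duration syntax ('8h', '365d') into seconds."""
    m = re.fullmatch(r"(\d+)([smhd])", text.strip())
    if not m:
        raise ValueError("unrecognised duration %r" % text)
    return int(m.group(1)) * _UNITS[m.group(2)]


def lint_security_settings(settings):
    """Return a list of findings; an empty list means every check passed."""
    s = settings["security_settings"]
    findings = []
    if not s.get("enforce_sso"):
        findings.append("enforce_sso is off: local passwords bypass SmartLink policy")
    if tuple(int(x) for x in s.get("tls_version", "0").split(".")) < (1, 2):
        findings.append("tls_version %s is below 1.2" % s.get("tls_version"))
    for suite in s.get("cipher_suites", []):
        if not STRONG_SUITE.match(suite):
            findings.append("cipher suite without forward secrecy or AEAD: %s" % suite)
    if parse_duration(s["session_timeout"]) > MAX_SESSION_SECONDS:
        findings.append("session_timeout %s exceeds %dh" % (s["session_timeout"], MAX_SESSION_SECONDS // 3600))
    for feature in ("antivirus", "antispam"):
        if not s.get(feature, {}).get("enabled"):
            findings.append("%s is disabled" % feature)
    audit = s.get("audit", {})
    if not audit.get("log_authentication"):
        findings.append("authentication events are not logged")
    if parse_duration(audit.get("retention", "0d")) < MIN_AUDIT_RETENTION_SECONDS:
        findings.append("audit retention %s is under %d days"
                        % (audit.get("retention"), MIN_AUDIT_RETENTION_SECONDS // 86400))
    return findings


def weakened_example():
    """Constructed misconfiguration for the demo: three deliberate regressions
    (SSO optional, TLS 1.0 allowed, a non-forward-secret CBC suite added)."""
    weak = copy.deepcopy(SECURITY_SETTINGS)
    weak["security_settings"]["enforce_sso"] = False
    weak["security_settings"]["tls_version"] = "1.0"
    weak["security_settings"]["cipher_suites"].append("TLS_RSA_WITH_AES_128_CBC_SHA")
    return weak


if __name__ == "__main__":
    print("page settings:", lint_security_settings(SECURITY_SETTINGS))
    print("weakened copy:", lint_security_settings(weakened_example()))
```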

Compliance

  • GDPR: Compliant with hosting in France
  • Encryption: TLS 1.2+ for communications
  • Legal Archiving: Native support
  • DLP: Data leak prevention rules

Resources