Re: [SOGo] Sogo - Lemonldap - Saml

2020-07-23 Thread "la.jolie@paquerette"
Jeroen,

Thanks a lot for having taken the time.

Lots of good info here.

I should have used the import feature instead of creating the keycloak
client manually.
Thanks to that, the option "Client Signature Required" works and I can
also choose whether or not to encrypt the answer.

Alas, same error in Sogo's log.

I read somewhere you had to set the option "Force Name ID Format" to On
and select username as "Name ID Format".
I tried every possible choice (email / username / transient /
persistent), forcing or not.

I also tried encrypting and not encrypting the assertion sent to Sogo.

I checked the content of the assertion that Sogo receives and all seems
ok. The attributes and their values are good.

But unfortunately, whatever option I tried, I always have the same error
(and I'm really fed up with seeing that one; it's been like 1 month that I
see only that error).
And the same error with LemonLdap instead of Keycloak.

If I connect Sogo directly to Ldap, Sogo works well.

Given that even if I succeed here, there will be the problem with
crudesaml + patched lasso or pam-saml-script to be able to use Dovecot,
and then, as MJ explained, the timeout problem, we decided
not to include Sogo in our SSO at the moment.
We have Roundcube working, that will suffice for now.

Thanks again for your help.
That was very much appreciated.

Kenny

On 23/07/20 10:42, "Jeroen" (jeroen.va...@nevel.io) wrote:
> Hi Kenny,
>
> First, just know that I am by no means an expert in SOGo. I just got
> SAML to work with it and I can share what I have done :) .
>
> We have defined a SOGoUserSource (in our case, the same ldap as is
> used by Keycloak). It is still required for non-SAML endpoints such as
> ActiveSync, CardDav and CalDav. We also have set "Client Signature
> Required" to ON, so that is possible.

>
> The certificates you mentioned in the keycloak client export, are the
> certificates of your SOGo server. These are not the same ones as the
> identity provider certificates. Just to be clear in the SOGo
> configuration:
> SOGoSAML2PrivateKeyLocation --> you have to generate this yourself (e.g. with
> openssl)
> SOGoSAML2CertificateLocation --> you have to generate this yourself (e.g.
> with openssl)
> SOGoSAML2IdpPublicKeyLocation --> see below for more details
> SOGoSAML2IdpCertificateLocation --> see below for more details
> SOGoSAML2IdpMetadataLocation --> see below for more details
> These are our work instructions to retrieve the certificates and SAML
> descriptor from Keycloak that we put in the SOGo installation:
> -
>
> SAML descriptor:
>
>   * Go to the realm settings
>   * General > Endpoints > SAML 2.0 Identity Provider Metadata. Make
> sure to view the source data of that page and not the parsed XML
> data, because Firefox (and possibly other browsers) will remove
> the namespace information!
>
> SAML public key and certificate:
>
>   * Go to the realm settings
>   * Keys > RS256 algorithm > Public key & Certificate buttons on the right
>
> --
>
> These are our work instructions we used to configure Keycloak. Please
> note that you will need to define the mappers according to your
> credentials provider.
> -
>
> Download the SOGo metadata XML from |https:///SOGo/saml2-metadata|.
>
> In Keycloak, go to Configure > Clients and follow these steps:
>
>   * Click on "Create" and import the metadata XML file from SOGo.
> Click on "Save".
>   * In Settings, set the "Name" to |SOGo|. Click on "Save".
>   * In Client Scopes, remove |role_list| from the assigned default
> client scopes.
>   * In Mappers, create the following mappers:
>       o Name: |username|
>           + Mapper type: |User Property|
>           + Property: |username|
>           + SAML Attribute Name: |username|
>           + SAML Attribute NameFormat: |basic|
>       o Name: |email|
>           + Mapper type: |User Property|
>           + Property: |email|
>           + SAML Attribute Name: |email|
>           + SAML Attribute NameFormat: |basic|
>
> -
>  
> I hope this helps you.
> KR
> Jeroen
>
>
>
> On Monday, July 20, 2020 16:52 UTC, "la.jolie@paquerette"
> (la.jo...@paquerette.org) wrote:
>  
>> Hi Jeroen,
>>
>> Thanks for your help.
>>
>> I put my keycloak test server back on and tried your ideas, but no luck.
>> The Saml2 assertion includes both email & username fields with the
>> correct value.
>>
>> But I still got the same exact error.
>>
>> I see in sogo logs, when first accessing Sogo, before the redirection to
>> keycloak, this line:
>> 
>> Jul 20 14:41:59 sogod [8340]: [ERROR]
>> <0x0x55f3d21a8ad0[SOGoUserManager]> No authentication sources defined -
>> nobody will be able to login. Check your defaults.
>> 
>>
>> This error comes from the fact that I didn't define a:
>> --
>>  SOGoUserSources = (
>>     {
>>   type = sql or ldap;
>> ...
>> --
>> Do I presume correctly that it's a normal error as I'm using saml2 and
>> not sql or ldap as userSource?
>>
>> Can I ask you to compare your 

Re: [SOGo] Sogo - Lemonldap - Saml

2020-07-23 Thread Daniel Kollmer
Thanks for that Jeroen. I need to do the same and this will help.

-- 
Daniel Kollmer
Computer Technology Group
NIKHEF - Dutch National Institute for Sub-atomic Physics
Science Park 105 1098 XG Amsterdam
Phone: +31205922164 

On 7/23/20 10:42 AM, "Jeroen" (jeroen.va...@nevel.io) wrote:
> Hi Kenny,
>
> First, just know that I am by no means an expert in SOGo. I just got
> SAML to work with it and I can share what I have done :) .
>
> We have defined a SOGoUserSource (in our case, the same ldap as is
> used by Keycloak). It is still required for non-SAML endpoints such as
> ActiveSync, CardDav and CalDav. We also have set "Client Signature
> Required" to ON, so that is possible.
>
> The certificates you mentioned in the keycloak client export, are the
> certificates of your SOGo server. These are not the same ones as the
> identity provider certificates. Just to be clear in the SOGo
> configuration:
> SOGoSAML2PrivateKeyLocation --> you have to generate this yourself (e.g. with
> openssl)
> SOGoSAML2CertificateLocation --> you have to generate this yourself (e.g.
> with openssl)
> SOGoSAML2IdpPublicKeyLocation --> see below for more details
> SOGoSAML2IdpCertificateLocation --> see below for more details
> SOGoSAML2IdpMetadataLocation --> see below for more details
> These are our work instructions to retrieve the certificates and SAML
> descriptor from Keycloak that we put in the SOGo installation:
> -
>
> SAML descriptor:
>
>   * Go to the realm settings
>   * General > Endpoints > SAML 2.0 Identity Provider Metadata. Make
> sure to view the source data of that page and not the parsed XML
> data, because Firefox (and possibly other browsers) will remove
> the namespace information!
>
> SAML public key and certificate:
>
>   * Go to the realm settings
>   * Keys > RS256 algorithm > Public key & Certificate buttons on the right
>
> --
>
> These are our work instructions we used to configure Keycloak. Please
> note that you will need to define the mappers according to your
> credentials provider.
> -
>
> Download the SOGo metadata XML from |https:///SOGo/saml2-metadata|.
>
> In Keycloak, go to Configure > Clients and follow these steps:
>
>   * Click on "Create" and import the metadata XML file from SOGo.
> Click on "Save".
>   * In Settings, set the "Name" to |SOGo|. Click on "Save".
>   * In Client Scopes, remove |role_list| from the assigned default
> client scopes.
>   * In Mappers, create the following mappers:
>       o Name: |username|
>           + Mapper type: |User Property|
>           + Property: |username|
>           + SAML Attribute Name: |username|
>           + SAML Attribute NameFormat: |basic|
>       o Name: |email|
>           + Mapper type: |User Property|
>           + Property: |email|
>           + SAML Attribute Name: |email|
>           + SAML Attribute NameFormat: |basic|
>
> -
>  
> I hope this helps you.
>
> KR
> Jeroen
>
>
>
> On Monday, July 20, 2020 16:52 UTC, "la.jolie@paquerette"
> (la.jo...@paquerette.org) wrote:
>  
>> Hi Jeroen,
>>
>> Thanks for your help.
>>
>> I put my keycloak test server back on and tried your ideas, but no luck.
>> The Saml2 assertion includes both email & username fields with the
>> correct value.
>>
>> But I still got the same exact error.
>>
>> I see in sogo logs, when first accessing Sogo, before the redirection to
>> keycloak, this line:
>> 
>> Jul 20 14:41:59 sogod [8340]: [ERROR]
>> <0x0x55f3d21a8ad0[SOGoUserManager]> No authentication sources defined -
>> nobody will be able to login. Check your defaults.
>> 
>>
>> This error comes from the fact that I didn't define a:
>> --
>>  SOGoUserSources = (
>>     {
>>   type = sql or ldap;
>> ...
>> --
>> Do I presume correctly that it's a normal error as I'm using saml2 and
>> not sql or ldap as userSource?
>>
>> Can I ask you to compare your Sogo client config in Keycloak with mine to
>> see if there is a difference?
>> I attached the metadata of my Sogo client to the mail.
>>
>> I noticed one strange thing.
>> I must have the option "Client Signature Required: OFF" in my keycloak
>> sogo client.
>> If I set to ON, I have an "invalid query param" in keycloak logs (does
>> that mean Sogo can't sign the request?).
>>
>> Also, I'm wondering if I'm right to compose the file for the option
>> SOGoSAML2IdpPublicKeyLocation & SOGoSAML2IdpCertificateLocation in sogo
>> conf with the attribute "saml.signing.certificate" from the metadata
>> file (enclosed by "-----BEGIN CERTIFICATE-----" and "-----END
>> CERTIFICATE-----").
>> I put that in the file /etc/sogo/idp-public.key.
>>
>> Or I'm wrong to do it like that?
>>
>> I know about the next step where you can't send a saml assertion to
>> dovecot for credentials as it is.
>> You need pam-script-saml or libpam-script + lasso (patched or not, not
>> sure as the info about it is so old).
>> I already tested pam-script-saml but need the first step to work
>> (connection to sogo) to see 

Re: [SOGo] Sogo - Lemonldap - Saml

2020-07-23 Thread "Jeroen"

Hi Kenny,

First, just know that I am by no means an expert in SOGo. I just got SAML to 
work with it and I can share what I have done :) .

We have defined a SOGoUserSource (in our case, the same ldap as is used by 
Keycloak). It is still required for non-SAML endpoints such as ActiveSync, 
CardDav and CalDav. We also have set "Client Signature Required" to ON, so that 
is possible.

The certificates you mentioned in the keycloak client export, are the 
certificates of your SOGo server. These are not the same ones as the identity 
provider certificates. Just to be clear in the SOGo configuration:

SOGoSAML2PrivateKeyLocation --> you have to generate this yourself (e.g. with openssl)
SOGoSAML2CertificateLocation --> you have to generate this yourself (e.g. with openssl)
SOGoSAML2IdpPublicKeyLocation --> see below for more details
SOGoSAML2IdpCertificateLocation --> see below for more details
SOGoSAML2IdpMetadataLocation --> see below for more details

These are our work instructions to retrieve the certificates and SAML 
descriptor from Keycloak that we put in the SOGo installation:

SAML descriptor:

  * Go to the realm settings
  * General > Endpoints > SAML 2.0 Identity Provider Metadata. Make sure to 
    view the source data of that page and not the parsed XML data, because 
    Firefox (and possibly other browsers) will remove the namespace information!

SAML public key and certificate:

  * Go to the realm settings
  * Keys > RS256 algorithm > Public key & Certificate buttons on the right

These are our work instructions we used to configure Keycloak. Please note that 
you will need to define the mappers according to your credentials provider.

Download the SOGo metadata XML from https:///SOGo/saml2-metadata.

In Keycloak, go to Configure > Clients and follow these steps:

  * Click on "Create" and import the metadata XML file from SOGo. Click on "Save".
  * In Settings, set the "Name" to SOGo. Click on "Save".
  * In Client Scopes, remove role_list from the assigned default client scopes.
  * In Mappers, create the following mappers:
      o Name: username
          + Mapper type: User Property
          + Property: username
          + SAML Attribute Name: username
          + SAML Attribute NameFormat: basic
      o Name: email
          + Mapper type: User Property
          + Property: email
          + SAML Attribute Name: email
          + SAML Attribute NameFormat: basic

I hope this helps you.

KR
Jeroen



On Monday, July 20, 2020 16:52 UTC, "la.jolie@paquerette" 
(la.jo...@paquerette.org) wrote:
 Hi Jeroen,

Thanks for your help.

I put my keycloak test server back on and tried your ideas, but no luck.
The Saml2 assertion includes both email & username fields with the
correct value.

But I still got the same exact error.

I see in sogo logs, when first accessing Sogo, before the redirection to
keycloak, this line:

Jul 20 14:41:59 sogod [8340]: [ERROR]
<0x0x55f3d21a8ad0[SOGoUserManager]> No authentication sources defined -
nobody will be able to login. Check your defaults.


This error comes from the fact that I didn't define a:
--
 SOGoUserSources = (
    {
  type = sql or ldap;
...
--
Do I presume correctly that it's a normal error as I'm using saml2 and
not sql or ldap as userSource?

Can I ask you to compare your Sogo client config in Keycloak with mine to
see if there is a difference?
I attached the metadata of my Sogo client to the mail.

I noticed one strange thing.
I must have the option "Client Signature Required: OFF" in my keycloak
sogo client.
If I set to ON, I have an "invalid query param" in keycloak logs (does
that mean Sogo can't sign the request?).

Also, I'm wondering if I'm right to compose the file for the option
SOGoSAML2IdpPublicKeyLocation & SOGoSAML2IdpCertificateLocation in sogo
conf with the attribute "saml.signing.certificate" from the metadata
file (enclosed by "-----BEGIN CERTIFICATE-----" and "-----END
CERTIFICATE-----").
I put that in the file /etc/sogo/idp-public.key.

Or I'm wrong to do it like that?

I know about the next step where you can't send a saml assertion to
dovecot for credentials as it is.
You need pam-script-saml or libpam-script + lasso (patched or not, not
sure as the info about it is so old).
I already tested pam-script-saml but need the first step to work
(connection to sogo) to see if it works.

Thanks,
Kenny

On 19/07/20 14:02, Jeroen van Os (jeroen.va...@nevel.io) wrote:
> Hi Kenny,
>
> I have been trying to get SAML to work with SOGo as well. In Keycloak
> the following configuration works:
>
> Client scopes: none
> Mappers: fill in "email" and "username" with information from your
> credentials provider
> Set scope to "full scope allowed"
>
> In the SOGo config file we have this line, the rest is similar to what
> you provided:
>   SOGoSAML2LoginAttribute = username;
>
> Don't forget to take into account that even if you get SAML to work,
> the connection to your IMAP and SMTP server may not work. Because SOGo
> has no knowledge of the user's password, it cannot authenticate
> 

Re: [SOGo] Sogo - Lemonldap - Saml

2020-07-20 Thread "la.jolie@paquerette"
Hi Mj,

I was sure I had seen that problem in an old post, and indeed I found
it, and it was from you :)
(https://www.mail-archive.com/users@sogo.nu/msg27428.html)

Was the solution given in the answer not good?

Thanks,
Kenny


On 19/07/20 16:51, mj (li...@merit.unu.edu) wrote:
> Hi Kenny,
>
> In the past, we also setup a PoC with SOGo / keycloak / SAML2. For
> IMAP authentication, we used:
> https://github.com/ck-ws/pam-script-saml
>
> But because of the SAML2 sessions timing out, we went back to regular
> LDAP auth. We would like to move to SAML2, so we're following the
> recent SAML2 list threads with interest.
>
> MJ
>
> On 7/19/20 2:02 PM, Jeroen van Os (jeroen.va...@nevel.io) wrote:
>> Hi Kenny,
>>
>> I have been trying to get SAML to work with SOGo as well. In Keycloak
>> the following configuration works:
>>
>> Client scopes: none
>> Mappers: fill in "email" and "username" with information from your
>> credentials provider
>> Set scope to "full scope allowed"
>>
>> In the SOGo config file we have this line, the rest is similar to
>> what you provided:
>>    SOGoSAML2LoginAttribute = username;
>>
>> Don't forget to take into account that even if you get SAML to work,
>> the connection to your IMAP and SMTP server may not work. Because
>> SOGo has no knowledge of the user's password, it cannot authenticate
>> against regular IMAP and SMTP servers that expect user credentials
>> for authorization. So you will need to find a way to authenticate
>> without knowing the user's password.
>>
>> Kind regards,
>> Jeroen
>>
>>
>> On 18/07/2020 at 22:19, "la.jolie@paquerette"
>> (la.jo...@paquerette.org) wrote:
>>> Going on with my attempts to connect Sogo to LemonLdap, I tried also
>>> with the SAML protocol.
>>> A few weeks ago, I first tried with Keycloak
>>> (https://www.mail-archive.com/users@sogo.nu/msg29805.html), but I
>>> didn't find a solution.
>>>
>>> Unfortunately, with LemonLdap, I have the same error:
>>> 
>>> |SOGo| starting method 'POST' on uri '/SOGo/saml2-signon-post'
>>>   |SOGo| traverse(acquire): SOGo => saml2-signon-post
>>> |SOGo|   do traverse name: 'SOGo'
>>> |SOGo|   do traverse name: 'saml2-signon-post'
>>> |SOGo| set clientObject: 
>>> sogod[8630:8630] EXCEPTION: 
>>> NAME:NSInvalidArgumentException REASON:Tried to add nil value for key
>>> 'login' to dictionary INFO:{}
>>> |SOGo| request took 0.013806 seconds to execute
>>> <0x0x563823b8f410[WOResponse]> Zipping of response disabled
>>> 127.0.0.1 "POST /SOGo/saml2-signon-post HTTP/1.1" 501 0/7289 0.019 -
>>> - 692K
>>> 
>>>
>>> I'm back to the post https://sogo.nu/bugs/view.php?id=4441
>>> Alas, no clue what Sogo is waiting for.
>>>
>>> I attached a saml token example LemonLdap sends back to Sogo.
>>> For the attribute with my mail (for the login), I tried the name mail,
>>> email & login, but same error.
>>>
>>> What is the attribute name Sogo wants for the key 'login'?
>>> Is something wrong with the Saml token Sogo is receiving from
>>> LemonLdap?
>>>
>>> Thanks,
>>> Kenny
>>>
>>>
>>> My Sogo config:
>>> 
>>>    SOGoProfileURL =
>>> "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_user_profile";
>>>    OCSFolderInfoURL =
>>> "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_folder_info";
>>>    OCSSessionsFolderURL =
>>> "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_sessions_folder";
>>>    OCSEMailAlarmsFolderURL =
>>> "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_alarms_folder";
>>>    SOGoLanguage = English;
>>>    SOGoAppointmentSendEMailNotifications = YES;
>>>    SOGoMailingMechanism = smtp;
>>>    SOGoSMTPServer = 127.0.0.1;
>>>    SOGoTimeZone = UTC;
>>>    SOGoSentFolderName = Sent;
>>>    SOGoTrashFolderName = Trash;
>>>    SOGoDraftsFolderName = Drafts;
>>>    SOGoIMAPServer = "imap://localhost:143/";
>>>    SOGoSieveServer = "sieve://localhost:4190/";
>>>    SOGoIMAPAclConformsToIMAPExt = YES;
>>>    SOGoVacationEnabled = NO;
>>>    SOGoForwardEnabled = NO;
>>>    SOGoSieveScriptsEnabled = NO;
>>>    SOGoFirstDayOfWeek = 0;
>>>    SOGoMailMessageCheck = manually;
>>>    SOGoMailAuxiliaryUserAccountsEnabled = NO;
>>>    SOGoMemcachedHost = 127.0.0.1;
>>>
>>> SOGoCacheCleanupInterval = 3600;
>>> SOGoAuthenticationType = saml2;
>>> NGImap4AuthMechanism = PLAIN;    # tried without the option too
>>> SOGoSAML2PrivateKeyLocation = "/etc/sogo/saml.pem";
>>> SOGoSAML2CertificateLocation = "/etc/sogo/saml.crt";
>>> SOGoSAML2IdpMetadataLocation = "/etc/sogo/idp-metadata.xml";
>>> SOGoSAML2IdpPublicKeyLocation = "/etc/sogo/idp-public.key";
>>> SOGoSAML2IdpCertificateLocation = "/etc/sogo/idp-public.key";
>>> SOGoSAML2LoginAttribute = mail;
>>> SOGoSAML2LogoutEnabled = YES;
>>> SOGoSAML2LogoutURL = "https://;;
>>>
>>> WOWorkersCount = 10;
>>>
>>>  SOGoEASDebugEnabled = YES;
>>>  GCSFolderDebugEnabled = YES;
>>>  GCSFolderStoreDebugEnabled = YES;
>>>  LDAPDebugEnabled = YES;
>>>  MySQL4DebugEnabled = YES;
>>>  NGImap4DisableIMAP4Pooling = YES;

Re: [SOGo] Sogo - Lemonldap - Saml

2020-07-20 Thread "la.jolie@paquerette"
Hi Jeroen,

Thanks for your help.

I put my keycloak test server back on and tried your ideas, but no luck.
The Saml2 assertion includes both email & username fields with the
correct value.

But I still got the same exact error.

I see in sogo logs, when first accessing Sogo, before the redirection to
keycloak, this line:

Jul 20 14:41:59 sogod [8340]: [ERROR]
<0x0x55f3d21a8ad0[SOGoUserManager]> No authentication sources defined -
nobody will be able to login. Check your defaults.


This error comes from the fact that I didn't define a:
--
 SOGoUserSources = (
    {
  type = sql or ldap;
...
--
Do I presume correctly that it's a normal error as I'm using saml2 and
not sql or ldap as userSource?

Can I ask you to compare your Sogo client config in Keycloak with mine to
see if there is a difference?
I attached the metadata of my Sogo client to the mail.

I noticed one strange thing.
I must have the option "Client Signature Required: OFF" in my keycloak
sogo client.
If I set to ON, I have an "invalid query param" in keycloak logs (does
that mean Sogo can't sign the request?).

Also, I'm wondering if I'm right to compose the file for the option
SOGoSAML2IdpPublicKeyLocation & SOGoSAML2IdpCertificateLocation in sogo
conf with the attribute "saml.signing.certificate" from the metadata
file (enclosed by "-----BEGIN CERTIFICATE-----" and "-----END
CERTIFICATE-----").
I put that in the file /etc/sogo/idp-public.key.

Or I'm wrong to do it like that?

I know about the next step where you can't send a saml assertion to
dovecot for credentials as it is.
You need pam-script-saml or libpam-script + lasso (patched or not, not
sure as the info about it is so old).
I already tested pam-script-saml but need the first step to work
(connection to sogo) to see if it works.

Thanks,
Kenny

On 19/07/20 14:02, Jeroen van Os (jeroen.va...@nevel.io) wrote:
> Hi Kenny,
>
> I have been trying to get SAML to work with SOGo as well. In Keycloak
> the following configuration works:
>
> Client scopes: none
> Mappers: fill in "email" and "username" with information from your
> credentials provider
> Set scope to "full scope allowed"
>
> In the SOGo config file we have this line, the rest is similar to what
> you provided:
>   SOGoSAML2LoginAttribute = username;
>
> Don't forget to take into account that even if you get SAML to work,
> the connection to your IMAP and SMTP server may not work. Because SOGo
> has no knowledge of the user's password, it cannot authenticate
> against regular IMAP and SMTP servers that expect user credentials for
> authorization. So you will need to find a way to authenticate without
> knowing the user's password.
>
> Kind regards,
> Jeroen
>
>
> On 18/07/2020 at 22:19, "la.jolie@paquerette"
> (la.jo...@paquerette.org) wrote:
>> Going on with my attempts to connect Sogo to LemonLdap, I tried also with
>> the SAML protocol.
>> A few weeks ago, I first tried with Keycloak
>> (https://www.mail-archive.com/users@sogo.nu/msg29805.html), but I didn't
>> find a solution.
>>
>> Unfortunately, with LemonLdap, I have the same error:
>> 
>> |SOGo| starting method 'POST' on uri '/SOGo/saml2-signon-post'
>>   |SOGo| traverse(acquire): SOGo => saml2-signon-post
>> |SOGo|   do traverse name: 'SOGo'
>> |SOGo|   do traverse name: 'saml2-signon-post'
>> |SOGo| set clientObject: 
>> sogod[8630:8630] EXCEPTION: 
>> NAME:NSInvalidArgumentException REASON:Tried to add nil value for key
>> 'login' to dictionary INFO:{}
>> |SOGo| request took 0.013806 seconds to execute
>> <0x0x563823b8f410[WOResponse]> Zipping of response disabled
>> 127.0.0.1 "POST /SOGo/saml2-signon-post HTTP/1.1" 501 0/7289 0.019 -
>> - 692K
>> 
>>
>> I'm back to the post https://sogo.nu/bugs/view.php?id=4441
>> Alas, no clue what Sogo is waiting for.
>>
>> I attached a saml token example LemonLdap sends back to Sogo.
>> For the attribute with my mail (for the login), I tried the name mail,
>> email & login, but same error.
>>
>> What is the attribute name Sogo wants for the key 'login'?
>> Is something wrong with the Saml token Sogo is receiving from LemonLdap?
>>
>> Thanks,
>> Kenny
>>
>>
>> My Sogo config:
>> 
>>    SOGoProfileURL =
>> "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_user_profile";
>>    OCSFolderInfoURL =
>> "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_folder_info";
>>    OCSSessionsFolderURL =
>> "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_sessions_folder";
>>    OCSEMailAlarmsFolderURL =
>> "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_alarms_folder";
>>    SOGoLanguage = English;
>>    SOGoAppointmentSendEMailNotifications = YES;
>>    SOGoMailingMechanism = smtp;
>>    SOGoSMTPServer = 127.0.0.1;
>>    SOGoTimeZone = UTC;
>>    SOGoSentFolderName = Sent;
>>    SOGoTrashFolderName = Trash;
>>    SOGoDraftsFolderName = Drafts;
>>    SOGoIMAPServer = "imap://localhost:143/";
>>    SOGoSieveServer = "sieve://localhost:4190/";
>>    SOGoIMAPAclConformsToIMAPExt = YES;
>>    

Re: [SOGo] Sogo - Lemonldap - Saml

2020-07-19 Thread mj

Hi Kenny,

In the past, we also setup a PoC with SOGo / keycloak / SAML2. For IMAP 
authentication, we used:

https://github.com/ck-ws/pam-script-saml

But because of the SAML2 sessions timing out, we went back to regular 
LDAP auth. We would like to move to SAML2, so we're following the recent 
SAML2 list threads with interest.


MJ

On 7/19/20 2:02 PM, Jeroen van Os (jeroen.va...@nevel.io) wrote:

Hi Kenny,

I have been trying to get SAML to work with SOGo as well. In Keycloak 
the following configuration works:


Client scopes: none
Mappers: fill in "email" and "username" with information from your 
credentials provider

Set scope to "full scope allowed"

In the SOGo config file we have this line, the rest is similar to what 
you provided:

   SOGoSAML2LoginAttribute = username;

Don't forget to take into account that even if you get SAML to work, the 
connection to your IMAP and SMTP server may not work. Because SOGo has 
no knowledge of the user's password, it cannot authenticate against 
regular IMAP and SMTP servers that expect user credentials for 
authorization. So you will need to find a way to authenticate without 
knowing the user's password.


Kind regards,
Jeroen


On 18/07/2020 at 22:19, "la.jolie@paquerette" 
(la.jo...@paquerette.org) wrote:

Going on with my attempts to connect Sogo to LemonLdap, I tried also with
the SAML protocol.
A few weeks ago, I first tried with Keycloak
(https://www.mail-archive.com/users@sogo.nu/msg29805.html), but I didn't
find a solution.

Unfortunately, with LemonLdap, I have the same error:

|SOGo| starting method 'POST' on uri '/SOGo/saml2-signon-post'
  |SOGo| traverse(acquire): SOGo => saml2-signon-post
|SOGo|   do traverse name: 'SOGo'
|SOGo|   do traverse name: 'saml2-signon-post'
|SOGo| set clientObject: 
sogod[8630:8630] EXCEPTION: 
NAME:NSInvalidArgumentException REASON:Tried to add nil value for key
'login' to dictionary INFO:{}
|SOGo| request took 0.013806 seconds to execute
<0x0x563823b8f410[WOResponse]> Zipping of response disabled
127.0.0.1 "POST /SOGo/saml2-signon-post HTTP/1.1" 501 0/7289 0.019 - - 
692K



I'm back to the post https://sogo.nu/bugs/view.php?id=4441
Alas, no clue what Sogo is waiting for.

I attached a saml token example LemonLdap sends back to Sogo.
For the attribute with my mail (for the login), I tried the name mail,
email & login, but same error.

What is the attribute name Sogo wants for the key 'login'?
Is something wrong with the Saml token Sogo is receiving from LemonLdap?

Thanks,
Kenny


My Sogo config:

   SOGoProfileURL =
"mysql://yyy:x@127.0.0.1:3306/sogo/sogo_user_profile";
   OCSFolderInfoURL =
"mysql://yyy:x@127.0.0.1:3306/sogo/sogo_folder_info";
   OCSSessionsFolderURL =
"mysql://yyy:x@127.0.0.1:3306/sogo/sogo_sessions_folder";
   OCSEMailAlarmsFolderURL =
"mysql://yyy:x@127.0.0.1:3306/sogo/sogo_alarms_folder";
   SOGoLanguage = English;
   SOGoAppointmentSendEMailNotifications = YES;
   SOGoMailingMechanism = smtp;
   SOGoSMTPServer = 127.0.0.1;
   SOGoTimeZone = UTC;
   SOGoSentFolderName = Sent;
   SOGoTrashFolderName = Trash;
   SOGoDraftsFolderName = Drafts;
   SOGoIMAPServer = "imap://localhost:143/";
   SOGoSieveServer = "sieve://localhost:4190/";
   SOGoIMAPAclConformsToIMAPExt = YES;
   SOGoVacationEnabled = NO;
   SOGoForwardEnabled = NO;
   SOGoSieveScriptsEnabled = NO;
   SOGoFirstDayOfWeek = 0;
   SOGoMailMessageCheck = manually;
   SOGoMailAuxiliaryUserAccountsEnabled = NO;
   SOGoMemcachedHost = 127.0.0.1;

SOGoCacheCleanupInterval = 3600;
SOGoAuthenticationType = saml2;
NGImap4AuthMechanism = PLAIN;    # tried without the option too
SOGoSAML2PrivateKeyLocation = "/etc/sogo/saml.pem";
SOGoSAML2CertificateLocation = "/etc/sogo/saml.crt";
SOGoSAML2IdpMetadataLocation = "/etc/sogo/idp-metadata.xml";
SOGoSAML2IdpPublicKeyLocation = "/etc/sogo/idp-public.key";
SOGoSAML2IdpCertificateLocation = "/etc/sogo/idp-public.key";
SOGoSAML2LoginAttribute = mail;
SOGoSAML2LogoutEnabled = YES;
SOGoSAML2LogoutURL = "https://;;

WOWorkersCount = 10;

 SOGoEASDebugEnabled = YES;
 GCSFolderDebugEnabled = YES;
 GCSFolderStoreDebugEnabled = YES;
 LDAPDebugEnabled = YES;
 MySQL4DebugEnabled = YES;
 NGImap4DisableIMAP4Pooling = YES;
 ImapDebugEnabled = YES;
 OCSFolderManagerSQLDebugEnabled = YES;
 PGDebugEnabled = YES;
 SOGoDebugRequests = YES;
 SOGoMailKeepDraftsAfterSend = YES;
 SOGoUIxDebugEnabled = YES;
 SoDebugObjectTraversal = YES;
 SoSecurityManagerDebugEnabled = YES;
 WODontZipResponse = YES;
 WODebugZipResponse = YES;
}




--
users@sogo.nu
https://inverse.ca/sogo/lists


Re: [SOGo] Sogo - Lemonldap - Saml

2020-07-19 Thread Jeroen van Os

Hi Kenny,

I have been trying to get SAML to work with SOGo as well. In Keycloak 
the following configuration works:


Client scopes: none
Mappers: fill in "email" and "username" with information from your 
credentials provider

Set scope to "full scope allowed"

In the SOGo config file we have this line, the rest is similar to what 
you provided:

  SOGoSAML2LoginAttribute = username;

Don't forget to take into account that even if you get SAML to work, the 
connection to your IMAP and SMTP server may not work. Because SOGo has 
no knowledge of the user's password, it cannot authenticate against 
regular IMAP and SMTP servers that expect user credentials for 
authorization. So you will need to find a way to authenticate without 
knowing the user's password.


Kind regards,
Jeroen


On 18/07/2020 at 22:19, "la.jolie@paquerette" 
(la.jo...@paquerette.org) wrote:

Going on with my attempts to connect Sogo to LemonLdap, I tried also with
the SAML protocol.
A few weeks ago, I first tried with Keycloak
(https://www.mail-archive.com/users@sogo.nu/msg29805.html), but I didn't
find a solution.

Unfortunately, with LemonLdap, I have the same error:

|SOGo| starting method 'POST' on uri '/SOGo/saml2-signon-post'
  |SOGo| traverse(acquire): SOGo => saml2-signon-post
|SOGo|   do traverse name: 'SOGo'
|SOGo|   do traverse name: 'saml2-signon-post'
|SOGo| set clientObject: 
sogod[8630:8630] EXCEPTION: 
NAME:NSInvalidArgumentException REASON:Tried to add nil value for key
'login' to dictionary INFO:{}
|SOGo| request took 0.013806 seconds to execute
<0x0x563823b8f410[WOResponse]> Zipping of response disabled
127.0.0.1 "POST /SOGo/saml2-signon-post HTTP/1.1" 501 0/7289 0.019 - - 692K


I'm back to the post https://sogo.nu/bugs/view.php?id=4441
Alas, no clue what Sogo is waiting for.

I attached a saml token example LemonLdap sends back to Sogo.
For the attribute with my mail (for the login), I tried the name mail,
email & login, but same error.

What is the attribute name Sogo wants for the key 'login'?
Is something wrong with the Saml token Sogo is receiving from LemonLdap?

Thanks,
Kenny


My Sogo config:

  SOGoProfileURL = "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_user_profile";
  OCSFolderInfoURL = "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_folder_info";
  OCSSessionsFolderURL = "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_sessions_folder";
  OCSEMailAlarmsFolderURL = "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_alarms_folder";
  SOGoLanguage = English;
  SOGoAppointmentSendEMailNotifications = YES;
  SOGoMailingMechanism = smtp;
  SOGoSMTPServer = 127.0.0.1;
  SOGoTimeZone = UTC;
  SOGoSentFolderName = Sent;
  SOGoTrashFolderName = Trash;
  SOGoDraftsFolderName = Drafts;
  SOGoIMAPServer = "imap://localhost:143/";
  SOGoSieveServer = "sieve://localhost:4190/";
  SOGoIMAPAclConformsToIMAPExt = YES;
  SOGoVacationEnabled = NO;
  SOGoForwardEnabled = NO;
  SOGoSieveScriptsEnabled = NO;
  SOGoFirstDayOfWeek = 0;
  SOGoMailMessageCheck = manually;
  SOGoMailAuxiliaryUserAccountsEnabled = NO;
  SOGoMemcachedHost = 127.0.0.1;

  SOGoCacheCleanupInterval = 3600;
  SOGoAuthenticationType = saml2;
  NGImap4AuthMechanism = PLAIN;    // tried without this option too
  SOGoSAML2PrivateKeyLocation = "/etc/sogo/saml.pem";
  SOGoSAML2CertificateLocation = "/etc/sogo/saml.crt";
  SOGoSAML2IdpMetadataLocation = "/etc/sogo/idp-metadata.xml";
  SOGoSAML2IdpPublicKeyLocation = "/etc/sogo/idp-public.key";
  SOGoSAML2IdpCertificateLocation = "/etc/sogo/idp-public.key";
  SOGoSAML2LoginAttribute = mail;
  SOGoSAML2LogoutEnabled = YES;
  SOGoSAML2LogoutURL = "https://";

  WOWorkersCount = 10;

  SOGoEASDebugEnabled = YES;
  GCSFolderDebugEnabled = YES;
  GCSFolderStoreDebugEnabled = YES;
  LDAPDebugEnabled = YES;
  MySQL4DebugEnabled = YES;
  NGImap4DisableIMAP4Pooling = YES;
  ImapDebugEnabled = YES;
  OCSFolderManagerSQLDebugEnabled = YES;
  PGDebugEnabled = YES;
  SOGoDebugRequests = YES;
  SOGoMailKeepDraftsAfterSend = YES;
  SOGoUIxDebugEnabled = YES;
  SoDebugObjectTraversal = YES;
  SoSecurityManagerDebugEnabled = YES;
  WODontZipResponse = YES;
  WODebugZipResponse = YES;
}



--
users@sogo.nu
https://inverse.ca/sogo/lists
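An added diagnostic for the question quoted in the reply above ("what is the attribute name Sogo wants for the key 'login'?"). This is example code written for this page, not SOGo's, LemonLDAP's or lasso's code: it reads a SAML 2.0 Response the way a service provider must before it can derive a login, and reports why the attribute configured in SOGoSAML2LoginAttribute would resolve to nothing. The two sample responses are constructed; the Destination and Issuer URLs are the ones visible in the attached token, the user kenny@example.org and the IDs are invented. It assumes the SP matches attributes on their Name rather than FriendlyName, and it does not verify the XML signature (SOGo leaves that to lasso), so run it only on a token you already trust, for instance the base64-decoded SAMLResponse field of the POST to /SOGo/saml2-signon-post.

```python
"""Inspect a SAML 2.0 Response and explain why an SP's login attribute would be nil.
Added example, not SOGo code. Assumes the SP matches attributes by Name. No signature check."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ACS_URL = "https://sogo.host/SOGo/saml2-signon-post"  # Destination seen in the attached token

# Constructed sample (hostnames from the attached token, user and IDs invented). The IdP
# sends the mail attribute under its OID Name and only labels it "mail" in FriendlyName,
# so an SP configured with login attribute "mail" finds no attribute Name "mail".
RESPONSE_OID_NAME = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2020-07-18T20:19:00Z" Destination="https://sogo.host/SOGo/saml2-signon-post">
  <saml:Issuer>https://auth.host/saml/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-07-18T20:19:00Z">
    <saml:Issuer>https://auth.host/saml/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">kenny@example.org</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
        <saml:AttributeValue>kenny@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# Same response with the attribute named plainly "mail", which is what the SP is told to expect.
RESPONSE_PLAIN_NAME = RESPONSE_OID_NAME.replace(
    'Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail"', 'Name="mail"')


def parse_response(xml_text):
    """Extract the fields an SP needs before it can map the subject to a local login."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    sigm = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    info = {
        "destination": root.get("Destination"),
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "status": status.get("Value") if status is not None else None,
        "signature_method": sigm.get("Algorithm") if sigm is not None else None,
        "encrypted_assertion": root.find("saml:EncryptedAssertion", NS) is not None,
        "nameid": None, "nameid_format": None, "attributes": {},
    }
    assertion = root.find("saml:Assertion", NS)
    if assertion is not None:
        nameid = assertion.find("saml:Subject/saml:NameID", NS)
        if nameid is not None:
            info["nameid"] = (nameid.text or "").strip()
            info["nameid_format"] = nameid.get("Format")
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            info["attributes"][attr.get("Name")] = {
                "friendly_name": attr.get("FriendlyName"),
                "values": [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)],
            }
    return info


def resolve_login(info, login_attribute):
    """Return (login, reason); login is None whenever the SP would end up with a nil value."""
    if info["encrypted_assertion"]:
        return None, "assertion is encrypted; attributes are unreadable without the SP private key"
    attrs = info["attributes"]
    if login_attribute in attrs:
        values = [v for v in attrs[login_attribute]["values"] if v]
        if values:
            return values[0], "matched attribute Name %r" % login_attribute
        return None, "attribute Name %r is present but carries no value" % login_attribute
    friendly = [n for n, a in attrs.items() if a["friendly_name"] == login_attribute]
    if friendly:
        return None, ("no attribute Name %r; the IdP sends it as Name %r with FriendlyName %r"
                      % (login_attribute, friendly[0], login_attribute))
    return None, "no attribute Name or FriendlyName %r; names present: %s" % (
        login_attribute, sorted(attrs))


def diagnose(xml_text, login_attribute, acs_url=ACS_URL):
    """Return (login, findings); findings is empty when the response should yield a login."""
    info = parse_response(xml_text)
    findings = []
    if info["destination"] != acs_url:
        findings.append("Destination %r is not this SP's ACS %r" % (info["destination"], acs_url))
    if info["status"] != SUCCESS:
        findings.append("StatusCode is %r, not Success" % info["status"])
    if info["nameid"] is None and not info["encrypted_assertion"]:
        findings.append("no Subject/NameID in the assertion")
    login, reason = resolve_login(info, login_attribute)
    if login is None:
        findings.append("login would be nil: " + reason)
    return login, findings


if __name__ == "__main__":
    for label, xml_text in (("OID Name", RESPONSE_OID_NAME), ("plain Name", RESPONSE_PLAIN_NAME)):
        login, findings = diagnose(xml_text, "mail")
        print("%s -> %s" % (label, login or "nil"))
        for finding in findings:
            print("  " + finding)
```

The first sample reproduces the failure mode the thread is circling: the value is in the token, the NameID is fine, yet the attribute the SP is configured to read is not there under that Name, so the login comes back empty. The same function also flags an EncryptedAssertion the SP cannot open and a Destination that is not this SP's ACS, which are the other structural reasons a token that looks right in a browser plugin still yields no login.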


[SOGo] Sogo - Lemonldap - Saml

2020-07-18 Thread "la.jolie@paquerette"
Going on with my attempts to connect Sogo to LemonLdap, I also tried
the SAML protocol.
A few weeks ago, I first tried with Keycloak
(https://www.mail-archive.com/users@sogo.nu/msg29805.html), but I didn't
find a solution.

Unfortunately, with LemonLdap, I have the same error:

|SOGo| starting method 'POST' on uri '/SOGo/saml2-signon-post'
 |SOGo| traverse(acquire): SOGo => saml2-signon-post
|SOGo|   do traverse name: 'SOGo'
|SOGo|   do traverse name: 'saml2-signon-post'
|SOGo| set clientObject: 
sogod[8630:8630] EXCEPTION: 
NAME:NSInvalidArgumentException REASON:Tried to add nil value for key
'login' to dictionary INFO:{}
|SOGo| request took 0.013806 seconds to execute
<0x0x563823b8f410[WOResponse]> Zipping of response disabled
127.0.0.1 "POST /SOGo/saml2-signon-post HTTP/1.1" 501 0/7289 0.019 - - 692K


I'm back to the post https://sogo.nu/bugs/view.php?id=4441
Alas, no clue what Sogo is waiting for.

I attached an example SAML token that LemonLdap sends back to Sogo.
For the attribute with my mail address (for the login), I tried the names
mail, email and login, but same error.

What is the attribute name Sogo wants for the key 'login'?
Is something wrong with the Saml token Sogo is receiving from LemonLdap?

Thanks,
Kenny


My Sogo config:

  SOGoProfileURL = "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_user_profile";
  OCSFolderInfoURL = "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_folder_info";
  OCSSessionsFolderURL = "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_sessions_folder";
  OCSEMailAlarmsFolderURL = "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_alarms_folder";
  SOGoLanguage = English;
  SOGoAppointmentSendEMailNotifications = YES;
  SOGoMailingMechanism = smtp;
  SOGoSMTPServer = 127.0.0.1;
  SOGoTimeZone = UTC;
  SOGoSentFolderName = Sent;
  SOGoTrashFolderName = Trash;
  SOGoDraftsFolderName = Drafts;
  SOGoIMAPServer = "imap://localhost:143/";
  SOGoSieveServer = "sieve://localhost:4190/";
  SOGoIMAPAclConformsToIMAPExt = YES;
  SOGoVacationEnabled = NO;
  SOGoForwardEnabled = NO;
  SOGoSieveScriptsEnabled = NO;
  SOGoFirstDayOfWeek = 0;
  SOGoMailMessageCheck = manually;
  SOGoMailAuxiliaryUserAccountsEnabled = NO;
  SOGoMemcachedHost = 127.0.0.1;

  SOGoCacheCleanupInterval = 3600;
  SOGoAuthenticationType = saml2;
  NGImap4AuthMechanism = PLAIN;    // tried without this option too
  SOGoSAML2PrivateKeyLocation = "/etc/sogo/saml.pem";
  SOGoSAML2CertificateLocation = "/etc/sogo/saml.crt";
  SOGoSAML2IdpMetadataLocation = "/etc/sogo/idp-metadata.xml";
  SOGoSAML2IdpPublicKeyLocation = "/etc/sogo/idp-public.key";
  SOGoSAML2IdpCertificateLocation = "/etc/sogo/idp-public.key";
  SOGoSAML2LoginAttribute = mail;
  SOGoSAML2LogoutEnabled = YES;
  SOGoSAML2LogoutURL = "https://";

  WOWorkersCount = 10;

  SOGoEASDebugEnabled = YES;
  GCSFolderDebugEnabled = YES;
  GCSFolderStoreDebugEnabled = YES;
  LDAPDebugEnabled = YES;
  MySQL4DebugEnabled = YES;
  NGImap4DisableIMAP4Pooling = YES;
  ImapDebugEnabled = YES;
  OCSFolderManagerSQLDebugEnabled = YES;
  PGDebugEnabled = YES;
  SOGoDebugRequests = YES;
  SOGoMailKeepDraftsAfterSend = YES;
  SOGoUIxDebugEnabled = YES;
  SoDebugObjectTraversal = YES;
  SoSecurityManagerDebugEnabled = YES;
  WODontZipResponse = YES;
  WODebugZipResponse = YES;
}

[Attachment: the SAML Response LemonLdap posts to Sogo. The archive dropped
the XML element and attribute names and cut the file off inside the
Assertion's Signature; what survives is listed here in its original order.]

Response
  Destination:  https://sogo.host/SOGo/saml2-signon-post
  Issuer:       https://auth.host/saml/metadata
  Signature (xmlns:ds="http://www.w3.org/2000/09/xmldsig#")
    CanonicalizationMethod  http://www.w3.org/2001/10/xml-exc-c14n#
    SignatureMethod         http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
    Reference
      Transform             http://www.w3.org/2000/09/xmldsig#enveloped-signature
      Transform             http://www.w3.org/2001/10/xml-exc-c14n#
      DigestMethod          http://www.w3.org/2001/04/xmlenc#sha256
      DigestValue           Jpeg42CvCJwD+8YdADtvlsqOhl7XcJ53Z0zjsvzOegM=
    SignatureValue
      TK8miYydQ1ERBJkIMbuEEqtWTVRJfUDPMM9zwNO9J8DKN5NFVST3iqeFg6aKhnaX
      jLHBB+nrYoOyagb20ylXtBugJdnW0ZJwlfis29RNPzqwJldKsBzlDZWSOwg989YY
      iY1U01nnM4mAyMtHeA/A1hKCFljlBnfnxCXjYy1OMPZhkgP1OF6X8CEChTRXP6rF
      4OuJp6oB/pBwVeIEfIALvCcYN72dPevkOvtdyiXqkZloi4IpY4ZQ+qBfAG9sTSBT
      Gj7duF+KSdUL3hGu0TFHNGC9laz3+Q5zuRgrT+HmpSfFJefpz4m8UmcNn2qVAlkA
      PlgnF1PE0bAKnR4/9Hm0KA==
    KeyInfo / RSAKeyValue
      Modulus
        xV0D8VKOdWuZWMLqPaXq4bXjJ/v1Qn8tZ2kA37KSwdT859ZE6/vQyc3RTZxnLOit
        EdsqcDHC+efGYRp9zyvebi79wa+Co22TIYFAO4UpgweSQq4YjBrkT9JPEAl2uKN5
        M7lk4GQfoCpT70Tggt820v3fVxazySGGFVwgiBBbedNlpk0iylmEwDbRlOG/FwxB
        hGy7ri1TdkOl/ta9eKhxW6N29y+N5rLdtcIH+0A40fHlP1hkk5+iCkCekdiMeIGP
        8tvmTAp26yxq+H0++cZaKQ3Y35N+nfdT0Q85pZ5AkV/g1DMd0nyjHIU5QIJHgTgG
        91FezHi8PtmE/yWq7ksQuw==
      Exponent              AQAB

Assertion
  Issuer:       https://auth.host/saml/metadata
  Signature (xmlns:ds="http://www.w3.org/2000/09/xmldsig#")
    CanonicalizationMethod  http://www.w3.org/2001/10/xml-exc-c14n#
    SignatureMethod         http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
    [remainder of the attachment is missing from the archive]