Re: [SOGo] Re: SAML2 authentication requirements
On Sat, Jun 29, 2013 at 6:13 AM, Ludovic Marcotte <lmarco...@inverse.ca> wrote:

> On 2013-06-29 1:57 AM, Stephen Ingram wrote:
>> The makefile in SoObjects/SOGo (line 149) indicates the presence of this metadata file, but there is none. The code in SOGoSAML2Session also appears to look for this file (SOGoSAML2Metadata.xml). Does this need to be added before compiling? I've tried adding it to the WebserverResources directory, but SOGo still doesn't pick it up.
>
> Try placing it in /usr/sbin/Resources/sogod/Resources/ (adjust depending on where your sogod binary is located and create the Resources directory). That is just due to some brain damage in the bundle loading code.

That doesn't work, but it did give me a hint as to where it should be. The magic location is /usr/lib/GNUstep/Frameworks/SOGo.framework/Resources/. I can now see the metadata when browsing to https://webmail.4test.net/SOGo/saml2-metadata. If I try to log in at https://webmail.4test.net/SOGo I am correctly redirected to the IdP for authentication.

I still don't have a working system, as once I've authenticated at the IdP, SOGo apparently doesn't receive what it's looking for and tries to log in with nothing:

    EXCEPTION: NSException: 0xb9b535fc NAME:NSInvalidArgumentException REASON:Tried to add nil value for key 'login' to dictionary INFO:{}

which results in a proxy error:

    The proxy server received an invalid response from an upstream server. The proxy server could not handle the request POST /SOGo/saml2-signon-post.

Looking at the code, I see that SOGo maybe only wants either the uid or mail attributes encoded in a SAML2NameID format. I'm not sure if the endpoint /SOGo/saml2-signon-post is correct or not, as I gleaned it from error logs listing typical SOGo requests. Are /SOGo/saml2-metadata and /SOGo/saml2-signon-post the only two endpoints?

Steve

-- 
users@sogo.nu
https://inverse.ca/sogo/lists
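The exception in Steve's message above says SOGo found no value to put under 'login' after the IdP posted the response back. The following diagnostic is an added example, written for this thread and not code from SOGo, Lasso or any poster: it decodes a SAMLResponse as carried by the HTTP-POST binding and reports what identity the assertion actually contains (Subject NameID, its Format, and the attribute statement), so the gap between what the IdP sends and what the SP wants to map to a login can be seen before the login attempt fails. The sample responses are constructed. The assumption that an SP looks at the NameID first and then at a uid or mail attribute mirrors Steve's reading of the code and is not confirmed anywhere on this page. The script only inspects; it does not verify the XML signature, which stays the SP library's job.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Optional

# SAML 2.0 namespaces (standard URIs, not SOGo-specific)
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def decode_saml_response(form_value: str) -> bytes:
    """The HTTP-POST binding carries the Response base64-encoded in the
    SAMLResponse form field; return the raw XML bytes."""
    return base64.b64decode(form_value)


def inspect_response(xml_bytes: bytes) -> dict:
    """Report the identity the IdP sent. Diagnostic only: this does NOT
    check the XML signature, Conditions or InResponseTo."""
    info = {"name_id": None, "name_id_format": None, "attributes": {}}
    root = ET.fromstring(xml_bytes)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return info  # an encrypted or missing assertion shows up as "nothing here"
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is not None:
        info["name_id"] = (name_id.text or "").strip() or None
        info["name_id_format"] = name_id.get("Format")
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        info["attributes"][attr.get("Name")] = values
    return info


def candidate_login(info: dict) -> Optional[str]:
    """Value an SP would plausibly map to a login: NameID first, then a
    'uid' or 'mail' attribute (ASSUMPTION: order taken from Steve's reading
    of the SOGo code, not verified). None here is exactly the situation that
    surfaces as "Tried to add nil value for key 'login'"."""
    if info["name_id"]:
        return info["name_id"]
    for name in ("uid", "mail"):
        values = info["attributes"].get(name, [])
        if values:
            return values[0]
    return None


# Constructed sample 1: NameID present, plus a mail attribute.
GOOD_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
GOOD_RESPONSE_B64 = base64.b64encode(GOOD_RESPONSE).decode()

# Constructed sample 2: no NameID, only a uid attribute (fallback path).
UID_ONLY_RESPONSE = GOOD_RESPONSE.replace(
    b'<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>', b""
).replace(b'Name="mail"><saml:AttributeValue>jdoe@example.com', b'Name="uid"><saml:AttributeValue>jdoe')

# Constructed sample 3: no NameID and no usable attribute -> nothing to log in with.
NO_IDENTIFIER_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Subject/>
    <saml:AttributeStatement>
      <saml:Attribute Name="displayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for label, form_value in (("good", GOOD_RESPONSE_B64),
                              ("uid-only", base64.b64encode(UID_ONLY_RESPONSE).decode()),
                              ("no-identifier", base64.b64encode(NO_IDENTIFIER_RESPONSE).decode())):
        info = inspect_response(decode_saml_response(form_value))
        print(label, info, "-> login:", candidate_login(info))
```

To use it against a real exchange, copy the SAMLResponse form field from the browser's developer tools on the POST to the sign-on endpoint and pass it to decode_saml_response; if candidate_login returns None, the IdP's attribute release or NameID policy is what to adjust, not the SP.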
Re: [SOGo] Re: SAML2 authentication requirements
On 2013-06-29 1:57 AM, Stephen Ingram wrote:
> The makefile in SoObjects/SOGo (line 149) indicates the presence of this metadata file, but there is none. The code in SOGoSAML2Session also appears to look for this file (SOGoSAML2Metadata.xml). Does this need to be added before compiling? I've tried adding it to the WebserverResources directory, but SOGo still doesn't pick it up.

Try placing it in /usr/sbin/Resources/sogod/Resources/ (adjust depending on where your sogod binary is located and create the Resources directory). That is just due to some brain damage in the bundle loading code.

-- 
Ludovic Marcotte
lmarco...@inverse.ca :: +1.514.755.3630 :: http://inverse.ca
Inverse inc. :: Leaders behind SOGo (http://sogo.nu) and PacketFence (http://packetfence.org)
Re: [SOGo] Re: SAML2 authentication requirements
On 2013-06-17 4:53 PM, Stephen Ingram wrote:
> Maybe you've made some changes since in the nightlies, but even trying to retrieve the metadata didn't work for me with version 2.0.5a. Going to http://hostname/SOGo/saml2-metadata produces a blank page and the login page itself produces the error:
>
>     GLib-GObject-WARNING **: invalid cast from `LassoLibAuthnRequest' to `LassoSamlp2AuthnRequest'
>
> This last error could be from the absence of the metadata; however, not being able to obtain the metadata is a showstopper unless there is an undocumented way to obtain it.

Share your complete configuration; without this, it's impossible to tell what's wrong.

-- 
Ludovic Marcotte
lmarco...@inverse.ca :: +1.514.755.3630 :: http://inverse.ca
Inverse inc. :: Leaders behind SOGo (http://sogo.nu) and PacketFence (http://packetfence.org)
Re: [SOGo] Re: SAML2 authentication requirements
On Thu, May 23, 2013 at 6:41 AM, Moussa NOMBRÉ <moussa.nom...@auf.org> wrote:
> We worked on SOGo/SAML with Inverse. We've got something almost functional, but there are still some important bugs. Currently, the project is not completed.

I'm guessing that Inverse is aware that SAML does not work with SOGo then? Are you working on a paid or sponsored project with them to add this feature?

Steve
Re: [SOGo] Re: SAML2 authentication requirements
On 2013-06-17 3:55 PM, Stephen Ingram wrote:
> I'm guessing that Inverse is aware that SAML does not work with SOGo then? Are you working on a paid or sponsored project with them to add this feature?

SAML2 *does work* with SOGo. It's just that some features aren't present, like the logout button. These aren't bugs, but missing features.

-- 
Ludovic Marcotte
lmarco...@inverse.ca :: +1.514.755.3630 :: http://inverse.ca
Inverse inc. :: Leaders behind SOGo (http://sogo.nu) and PacketFence (http://packetfence.org)
Re: [SOGo] Re: SAML2 authentication requirements
On Mon, Jun 17, 2013 at 12:58 PM, Ludovic Marcotte <lmarco...@inverse.ca> wrote:

> On 2013-06-17 3:55 PM, Stephen Ingram wrote:
>> I'm guessing that Inverse is aware that SAML does not work with SOGo then? Are you working on a paid or sponsored project with them to add this feature?
>
> SAML2 *does work* with SOGo. It's just that some features aren't present, like the logout button. These aren't bugs, but missing features.

Maybe you've made some changes since in the nightlies, but even trying to retrieve the metadata didn't work for me with version 2.0.5a. Going to http://hostname/SOGo/saml2-metadata produces a blank page and the login page itself produces the error:

    GLib-GObject-WARNING **: invalid cast from `LassoLibAuthnRequest' to `LassoSamlp2AuthnRequest'

This last error could be from the absence of the metadata; however, not being able to obtain the metadata is a showstopper unless there is an undocumented way to obtain it.

Steve
Re: [SOGo] Re: SAML2 authentication requirements
Hi,

We worked on SOGo/SAML with Inverse. We've got something almost functional, but there are still some important bugs. Currently, the project is not completed. I think that's why Inverse has disabled SAML support in SOGo 2.0.5: "don't build SAML support on debian yet" https://github.com/inverse-inc/sogo/commit/dfb8788270ff3b30133417a52c9052fafea19ae2.

You can see our work here: http://wiki.auf.org/wikiteki/Projet/SOGo/TestsSAML (in French).

NM

On 2013-05-22 16:10, Stephen Ingram wrote:
> After looking more closely at Lasso, it appears that Lasso itself is supposed to provide the functionality of an SP; it just doesn't work.
>
> First, the configuration information (from the SOGo manual) is incorrect. The SOGoSAML2IdpCertificateLocation is really the CA certificate of the IdP, not the certificate. (Could the variable name be changed to reflect that, or, at a minimum, the documentation?)
>
> Second, the metadata for SOGo (SP) is missing. The manual says that it can be accessed by going to http://hostname/SOGo/saml2-metadata. This is also incorrect, as that link produces a blank page. Is there a recommended way to generate that file?
>
> On Mon, May 20, 2013 at 10:48 AM, Stephen Ingram <sbing...@gmail.com> wrote:
>> I'm trying to set up SAML2 authentication for SOGo and am not sure of the requirements. According to the installation guide, only changes to the SOGo configuration are necessary. Of course, you must then use something like the crudesaml plugin to handle the authentication to the IMAP server, but that is not necessary for SOGo itself.
>>
>> I set SOGoAuthenticationType=saml2 along with all of the cert and IdP metadata information, but nothing seems to happen. I get a proxy error when trying to bring up the login page, with the log saying:
>>
>>     GLib-GObject-WARNING **: invalid cast from `LassoLibAuthnRequest' to `LassoSamlp2AuthnRequest'
>>
>> The installation manual leads you to believe that everything is automatic beyond the SOGoSAML2... configuration lines in sogo.conf. Does SOGo actually do everything, including SP functionality, or do you have to set up something like a Shibboleth SP to get things working? Also, the metadata link turns up an HTTP 200 with a blank page. Is there another way to get the metadata, as the IdP obviously needs it to work properly?
>>
>> Steve
Re: [SOGo] Re: SAML2 authentication requirements
Moussa-

Thank you. That is an excellent writeup. I had come to the same conclusion that SAML wasn't working in SOGo yet. I saw that SAML was disabled in Debian builds, but I'm using CentOS so I didn't think it applied to me. I was thinking there are packaging issues with CentOS as well, but, based on your experience, there seem to be other problems. I thought Inverse used CentOS as their reference platform, but maybe they are using a compiled version to prove SAML. I'd love to know if you have any progress with this in the future.

Steve

On Thu, May 23, 2013 at 6:41 AM, Moussa NOMBRÉ <moussa.nom...@auf.org> wrote:
> Hi,
>
> We worked on SOGo/SAML with Inverse. We've got something almost functional, but there are still some important bugs. Currently, the project is not completed. I think that's why Inverse has disabled SAML support in SOGo 2.0.5: "don't build SAML support on debian yet" https://github.com/inverse-inc/sogo/commit/dfb8788270ff3b30133417a52c9052fafea19ae2.
>
> You can see our work here: http://wiki.auf.org/wikiteki/Projet/SOGo/TestsSAML (in French).
>
> NM
>
> On 2013-05-22 16:10, Stephen Ingram wrote:
>> After looking more closely at Lasso, it appears that Lasso itself is supposed to provide the functionality of an SP; it just doesn't work.
>>
>> First, the configuration information (from the SOGo manual) is incorrect. The SOGoSAML2IdpCertificateLocation is really the CA certificate of the IdP, not the certificate. (Could the variable name be changed to reflect that, or, at a minimum, the documentation?)
>>
>> Second, the metadata for SOGo (SP) is missing. The manual says that it can be accessed by going to http://hostname/SOGo/saml2-metadata. This is also incorrect, as that link produces a blank page. Is there a recommended way to generate that file?
>>
>> On Mon, May 20, 2013 at 10:48 AM, Stephen Ingram <sbing...@gmail.com> wrote:
>>> I'm trying to set up SAML2 authentication for SOGo and am not sure of the requirements. According to the installation guide, only changes to the SOGo configuration are necessary. Of course, you must then use something like the crudesaml plugin to handle the authentication to the IMAP server, but that is not necessary for SOGo itself.
>>>
>>> I set SOGoAuthenticationType=saml2 along with all of the cert and IdP metadata information, but nothing seems to happen. I get a proxy error when trying to bring up the login page, with the log saying:
>>>
>>>     GLib-GObject-WARNING **: invalid cast from `LassoLibAuthnRequest' to `LassoSamlp2AuthnRequest'
>>>
>>> The installation manual leads you to believe that everything is automatic beyond the SOGoSAML2... configuration lines in sogo.conf. Does SOGo actually do everything, including SP functionality, or do you have to set up something like a Shibboleth SP to get things working? Also, the metadata link turns up an HTTP 200 with a blank page. Is there another way to get the metadata, as the IdP obviously needs it to work properly?
>>>
>>> Steve
[SOGo] Re: SAML2 authentication requirements
After looking more closely at Lasso, it appears that Lasso itself is supposed to provide the functionality of an SP; it just doesn't work.

First, the configuration information (from the SOGo manual) is incorrect. The SOGoSAML2IdpCertificateLocation is really the CA certificate of the IdP, not the certificate. (Could the variable name be changed to reflect that, or, at a minimum, the documentation?)

Second, the metadata for SOGo (SP) is missing. The manual says that it can be accessed by going to http://hostname/SOGo/saml2-metadata. This is also incorrect, as that link produces a blank page. Is there a recommended way to generate that file?

On Mon, May 20, 2013 at 10:48 AM, Stephen Ingram <sbing...@gmail.com> wrote:
> I'm trying to set up SAML2 authentication for SOGo and am not sure of the requirements. According to the installation guide, only changes to the SOGo configuration are necessary. Of course, you must then use something like the crudesaml plugin to handle the authentication to the IMAP server, but that is not necessary for SOGo itself.
>
> I set SOGoAuthenticationType=saml2 along with all of the cert and IdP metadata information, but nothing seems to happen. I get a proxy error when trying to bring up the login page, with the log saying:
>
>     GLib-GObject-WARNING **: invalid cast from `LassoLibAuthnRequest' to `LassoSamlp2AuthnRequest'
>
> The installation manual leads you to believe that everything is automatic beyond the SOGoSAML2... configuration lines in sogo.conf. Does SOGo actually do everything, including SP functionality, or do you have to set up something like a Shibboleth SP to get things working? Also, the metadata link turns up an HTTP 200 with a blank page. Is there another way to get the metadata, as the IdP obviously needs it to work properly?
>
> Steve
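The blank page at /SOGo/saml2-metadata that Steve reports is an HTTP 200 with nothing an IdP administrator can import. The following check is an added example written for this thread, not code from SOGo, Lasso or any poster: it validates what an SP metadata endpoint returns (non-empty body, well-formed XML, an md:EntityDescriptor with an entityID, an SPSSODescriptor carrying an HTTP-POST AssertionConsumerService, and a published signing certificate) and lists every problem found, so a blank page, an HTML error page or an incomplete descriptor is caught before the metadata is handed to the IdP. The sample document is constructed; the expected ACS path /SOGo/saml2-signon-post is the endpoint Steve guessed from his logs elsewhere in this thread and is an assumption here; the entity ID and host names are placeholders.

```python
import sys
import urllib.request
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML-DSig namespaces (standard URIs)
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def fetch_metadata(url: str, timeout: float = 10.0) -> bytes:
    """Fetch the SP metadata; the raw body is returned unchanged so that an
    HTTP 200 with an empty body (the symptom in the thread) is visible."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def check_sp_metadata(body: bytes, expected_acs_path: str = "/SOGo/saml2-signon-post") -> dict:
    """Return the facts an IdP needs from SP metadata plus a list of problems.
    An empty 'problems' list means the document is importable. The ACS path
    default is an ASSUMPTION taken from the thread, not from SOGo docs."""
    result = {"entity_id": None, "acs_urls": [], "signing_certs": 0, "problems": []}
    if not body.strip():
        result["problems"].append("empty body (HTTP 200 with a blank page)")
        return result
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        result["problems"].append(f"not well-formed XML: {exc}")
        return result
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        # e.g. an HTML error page served with status 200
        result["problems"].append(f"root element is {root.tag}, not md:EntityDescriptor")
        return result
    result["entity_id"] = root.get("entityID")
    if not result["entity_id"]:
        result["problems"].append("EntityDescriptor has no entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        result["problems"].append("no SPSSODescriptor: this is not SP metadata")
        return result
    for acs in sp.findall("md:AssertionConsumerService", NS):
        if acs.get("Binding") == HTTP_POST:
            result["acs_urls"].append(acs.get("Location"))
    if not result["acs_urls"]:
        result["problems"].append("no HTTP-POST AssertionConsumerService")
    elif not any(u and u.endswith(expected_acs_path) for u in result["acs_urls"]):
        result["problems"].append(f"no AssertionConsumerService ends with {expected_acs_path}")
    for key in sp.findall("md:KeyDescriptor", NS):
        # use="signing", or no 'use' attribute (meaning both signing and encryption)
        if key.get("use") in (None, "signing") and \
                key.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None:
            result["signing_certs"] += 1
    if result["signing_certs"] == 0:
        result["problems"].append("no signing certificate published for the SP")
    return result


# Constructed sample of what a usable SP descriptor looks like (placeholder values).
SAMPLE_SP_METADATA = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://webmail.example.org/SOGo/saml2-metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT-BASE64</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://webmail.example.org/SOGo/saml2-signon-post" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    # Usage: python check_sp_metadata.py https://host/SOGo/saml2-metadata
    data = fetch_metadata(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SP_METADATA
    for key, value in check_sp_metadata(data).items():
        print(f"{key}: {value}")
```

Run it with the metadata URL as the only argument; a result whose only problem is the empty-body line reproduces Steve's symptom exactly, while a clean result is the point at which the document is worth giving to the IdP.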