Hello everyone, I'm trying to configure Sogo v4.3.0-1 (with dovecot / postfix on a fresh Debian Buster) to work with my Keycloak using the SAML protocol.
I configured Sogo -> saml -> keycloak thanks to the info found in these discussions:
- https://www.mail-archive.com/[email protected]/msg25426.html
- https://www.mail-archive.com/[email protected]/msg27942.html

Now, when I successfully log in to Keycloak, I'm redirected to https://my.host/Sogo/saml2-signon-post, but get a white page with this error in sogo.log:
----
sogod [20896]: |SOGo| starting method 'POST' on uri '/SOGo/saml2-signon-post'
sogod [20896]: |SOGo| traverse(acquire): SOGo => saml2-signon-post
sogod [20896]: |SOGo| do traverse name: 'SOGo'
sogod [20896]: |SOGo| do traverse name: 'saml2-signon-post'
sogod [20896]: |SOGo| set clientObject: <SOGo[0x0x55fa06ffe1b0]: name=SOGo>
sogod[20896:20896] EXCEPTION: <NSException: 0x55fa074f4570> NAME:NSInvalidArgumentException REASON:Tried to add nil value for key 'login' to dictionary INFO:{}
sogod [20896]: <0x0x55fa06f91fd0[WOResponse]> Zipping of response disabled
sogod [20896]: 127.0.0.1 "POST /SOGo/saml2-signon-post HTTP/1.1" 501 0/9061 0.009 - - 0
----
This error led me to this post: https://sogo.nu/bugs/view.php?id=4441

I tried different values for the option SOGoSAML2LoginAttribute (mail, email) and checked and rechecked my mappers in Keycloak's Sogo client, but always get the same error. (Unfortunately, in that post, the answer that seems to have resolved the problem points to a link that doesn't exist anymore: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)

Is it possible that Sogo works correctly and this error comes from the fact that I haven't yet configured pam-script-saml (https://github.com/ck-ws/pam-script-saml) for the link between Sogo & dovecot? I thought I would at least get the Sogo page with an "Access denied" or "User not found" without pam-script-saml, but maybe I'm wrong.
Would anyone who has succeeded in configuring Keycloak (SAML) be willing to share the options used for the Sogo client, or check mine to see if there is a mistake (see below)?

And is there a way to get more debug info on the SAML process in Sogo, like seeing the data that Sogo gets from the token? I set all the debugging options I found for Sogo to YES, but that doesn't give more info about the SAML data / auth process.
---
SOGoEASDebugEnabled = YES;
GCSFolderDebugEnabled = YES;
GCSFolderStoreDebugEnabled = YES;
LDAPDebugEnabled = YES;
MySQL4DebugEnabled = YES;
NGImap4DisableIMAP4Pooling = YES;
ImapDebugEnabled = YES;
OCSFolderManagerSQLDebugEnabled = YES;
PGDebugEnabled = YES;
SOGoDebugRequests = YES;
SOGoMailKeepDraftsAfterSend = YES;
SOGoUIxDebugEnabled = YES;
SoDebugObjectTraversal = YES;
SoSecurityManagerDebugEnabled = YES;
WODontZipResponse = YES;
WODebugZipResponse = YES;
---
Is there another one I've missed that would give me more info?

Thanks,
Kenny

My configurations:
------------------
* Sogo.conf (saml part):
----
SOGoCacheCleanupInterval = 3600;
SOGoAuthenticationType = saml2;
NGImap4AuthMechanism = PLAIN;
SOGoSAML2PrivateKeyLocation = "/etc/sogo/saml.pem";
SOGoSAML2CertificateLocation = "/etc/sogo/saml.crt";
SOGoSAML2IdpMetadataLocation = "/etc/sogo/idp-metadata.xml";
SOGoSAML2IdpPublicKeyLocation = "/etc/sogo/idp.key";
SOGoSAML2IdpCertificateLocation = "/etc/sogo/idp.crt";
SOGoSAML2LoginAttribute = "mail";
SOGoSAML2LogoutEnabled = YES;
SOGoSAML2LogoutURL = "https://my.host";
----
* Keycloak config (sogo client):
- Settings:
----
Client Id: https://my.host/SOGo/saml2-metadata
Name: Sogo
Enabled: ON
Consent Required: OFF
Client protocol: Saml
Include AuthnStatement: ON
Include OneTimeUse Condition: OFF
Sign Documents: ON
Optimize REDIRECT signing key lookup: ON
Sign Assertions: OFF
Signature Algorithm: RSA_CHA256
SAML Signature Key Name: KEY_ID
Canonicalization Method: EXCLUSIVE
Encrypt Assertions: OFF
Client Signature Required: OFF
Force POST Binding: ON
Front Channel Logout: ON
Force Name ID Format: ON
Name ID Format: username
Valid Redirect URIs: https://my.host/SOGo/*
Master SAML Processing URL: https://my.host/SOGo/saml2-signon-post
----
- Mappers:
----
1 - mail
Protocol: Saml
Name: mail
Mapper type: User Property
Property: email
SAML Attribute Name: mail
SAML Attribute NameFormat: Basic

2 - uid
Protocol: Saml
Name: uid
Mapper type: User Property
Property: uid
SAML Attribute Name: uid
SAML Attribute NameFormat: Basic

3 - login (added because of the error "nil value for key 'login'")
Protocol: Saml
Name: login
Mapper type: User Property
Property: email
SAML Attribute Name: login
SAML Attribute NameFormat: Basic
----
--
[email protected]
https://inverse.ca/sogo/lists
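The post asks for a way to see the data Sogo actually receives from the token. The following diagnostic script is an added example, not code from the post or from the SOGo project: it decodes a base64 SAMLResponse form field as delivered by the HTTP-POST binding, lists the assertion's NameID and attributes, and reports which value (if any) an attribute named like SOGoSAML2LoginAttribute would yield. It assumes SOGo selects the login attribute by its SAML Attribute Name (an assumption about SOGo's lookup, not documented here), does no signature verification, and embeds a constructed, unsigned sample response; to inspect a real response, paste the SAMLResponse value captured from your own browser's POST in place of the sample.

```python
import base64
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed sample: a minimal, unsigned SAML 2.0 Response of the kind the
# HTTP-POST binding delivers to /SOGo/saml2-signon-post, carrying two Basic
# attributes (uid, mail). A real Keycloak response also carries a Signature.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="{SAML}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">kenny</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>kenny</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue>kenny@example.org</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_XML.encode()).decode()

def decode_saml_response(form_value):
    """Decode the base64 'SAMLResponse' form field into an XML tree (no signature check)."""
    return ET.fromstring(base64.b64decode(form_value))

def assertion_attributes(root):
    """Map every Attribute Name in the assertion's AttributeStatement(s) to its values."""
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs

def name_id(root):
    """Return (value, Format) of the Subject NameID, or (None, None) if missing."""
    el = root.find(".//saml:Subject/saml:NameID", NS)
    return (el.text, el.get("Format")) if el is not None else (None, None)

def login_value(root, login_attribute):
    """First non-empty value of the attribute named by SOGoSAML2LoginAttribute, else None.
    None is the case that would surface as "nil value for key 'login'" in sogo.log."""
    values = assertion_attributes(root).get(login_attribute, [])
    return values[0] if values and values[0] else None

if __name__ == "__main__":
    root = decode_saml_response(SAMPLE_SAML_RESPONSE)
    print("NameID:", name_id(root))
    print("attributes:", assertion_attributes(root))
    for candidate in ("mail", "email"):
        print(f"SOGoSAML2LoginAttribute = {candidate!r} ->", login_value(root, candidate))
```

With the sample, "mail" resolves to kenny@example.org while "email" resolves to nothing, which is the mismatch between attribute name and SOGoSAML2LoginAttribute that the log line points at.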
