Going on with my attempts to connect Sogo to LemonLdap, I also tried with
the SAML protocol.
A few weeks ago, I first tried with Keycloak
(https://www.mail-archive.com/[email protected]/msg29805.html), but I didn't
find a solution.

Unfortunately, with LemonLdap, I have the same error:
------------
|SOGo| starting method 'POST' on uri '/SOGo/saml2-signon-post'
 |SOGo| traverse(acquire): SOGo => saml2-signon-post
|SOGo|   do traverse name: 'SOGo'
|SOGo|   do traverse name: 'saml2-signon-post'
|SOGo| set clientObject: <SOGo[0x0x5638236b2630]: name=SOGo>
sogod[8630:8630] EXCEPTION: <NSException: 0x563823b60f20>
NAME:NSInvalidArgumentException REASON:Tried to add nil value for key
'login' to dictionary INFO:{}
|SOGo| request took 0.013806 seconds to execute
<0x0x563823b8f410[WOResponse]> Zipping of response disabled
127.0.0.1 "POST /SOGo/saml2-signon-post HTTP/1.1" 501 0/7289 0.019 - - 692K
----------------

I'm back to the post https://sogo.nu/bugs/view.php?id=4441
Alas, no clue what Sogo is waiting for.

I attached an example SAML token that LemonLdap sends back to Sogo.
For the attribute carrying my mail address (for the login), I tried the names
mail, email and login, but got the same error.

What is the attribute name Sogo wants for the key 'login'?
Is something wrong with the SAML token Sogo is receiving from LemonLdap?

Thanks,
Kenny


My Sogo config:
----
{
  SOGoProfileURL = "mysql://yyyyyyy:[email protected]:3306/sogo/sogo_user_profile";
  OCSFolderInfoURL = "mysql://yyyyyyy:[email protected]:3306/sogo/sogo_folder_info";
  OCSSessionsFolderURL = "mysql://yyyyyyy:[email protected]:3306/sogo/sogo_sessions_folder";
  OCSEMailAlarmsFolderURL = "mysql://yyyyyyy:[email protected]:3306/sogo/sogo_alarms_folder";
  SOGoLanguage = English;
  SOGoAppointmentSendEMailNotifications = YES;
  SOGoMailingMechanism = smtp;
  SOGoSMTPServer = 127.0.0.1;
  SOGoTimeZone = UTC;
  SOGoSentFolderName = Sent;
  SOGoTrashFolderName = Trash;
  SOGoDraftsFolderName = Drafts;
  SOGoIMAPServer = "imap://localhost:143/";
  SOGoSieveServer = "sieve://localhost:4190/";
  SOGoIMAPAclConformsToIMAPExt = YES;
  SOGoVacationEnabled = NO;
  SOGoForwardEnabled = NO;
  SOGoSieveScriptsEnabled = NO;
  SOGoFirstDayOfWeek = 0;
  SOGoMailMessageCheck = manually;
  SOGoMailAuxiliaryUserAccountsEnabled = NO;
  SOGoMemcachedHost = 127.0.0.1;

  SOGoCacheCleanupInterval = 3600;
  SOGoAuthenticationType = saml2;
  NGImap4AuthMechanism = PLAIN;    /* tried without the option too */
  SOGoSAML2PrivateKeyLocation = "/etc/sogo/saml.pem";
  SOGoSAML2CertificateLocation = "/etc/sogo/saml.crt";
  SOGoSAML2IdpMetadataLocation = "/etc/sogo/idp-metadata.xml";
  SOGoSAML2IdpPublicKeyLocation = "/etc/sogo/idp-public.key";
  SOGoSAML2IdpCertificateLocation = "/etc/sogo/idp-public.key";
  SOGoSAML2LoginAttribute = mail;
  SOGoSAML2LogoutEnabled = YES;
  SOGoSAML2LogoutURL = "https://xxxxxxxx";

  WOWorkersCount = 10;

  SOGoEASDebugEnabled = YES;
  GCSFolderDebugEnabled = YES;
  GCSFolderStoreDebugEnabled = YES;
  LDAPDebugEnabled = YES;
  MySQL4DebugEnabled = YES;
  NGImap4DisableIMAP4Pooling = YES;
  ImapDebugEnabled = YES;
  OCSFolderManagerSQLDebugEnabled = YES;
  PGDebugEnabled = YES;
  SOGoDebugRequests = YES;
  SOGoMailKeepDraftsAfterSend = YES;
  SOGoUIxDebugEnabled = YES;
  SoDebugObjectTraversal = YES;
  SoSecurityManagerDebugEnabled = YES;
  WODontZipResponse = YES;
  WODebugZipResponse = YES;
}
--------
-- 
[email protected]
https://inverse.ca/sogo/lists
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
ID="_7C24657A994CE184AD6187DA2F5FEAF3" 
InResponseTo="_4168636FA164C0837D937374CCC5FF5B" Version="2.0" 
IssueInstant="2020-07-18T19:32:24Z" 
Destination="https://sogo.host/SOGo/saml2-signon-post">
  <saml:Issuer>https://auth.host/saml/metadata</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod 
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <Reference URI="#_7C24657A994CE184AD6187DA2F5FEAF3">
        <Transforms>
          <Transform 
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue>Jpeg42CvCJwD+8YdADtvlsqOhl7XcJ53Z0zjsvzOegM=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>TK8miYydQ1ERBJkIMbuEEqtWTVRJfUDPMM9zwNO9J8DKN5NFVST3iqeFg6aKhnaX
      jLHBB+nrYoOyagb20ylXtBugJdnW0ZJwlfis29RNPzqwJldKsBzlDZWSOwg989YY
      iY1U01nnM4mAyMtHeA/A1hKCFljlBnfnxCXjYy1OMPZhkgP1OF6X8CEChTRXP6rF
      4OuJp6oB/pBwVeIEfIALvCcYN72dPevkOvtdyiXqkZloi4IpY4ZQ+qBfAG9sTSBT
      Gj7duF+KSdUL3hGu0TFHNGC9laz3+Q5zuRgrT+HmpSfFJefpz4m8UmcNn2qVAlkA
      PlgnF1PE0bAKnR4/9Hm0KA==
    </SignatureValue>
    <KeyInfo>
      <KeyValue>
        <RSAKeyValue>
          <Modulus>
            xV0D8VKOdWuZWMLqPaXq4bXjJ/v1Qn8tZ2kA37KSwdT859ZE6/vQyc3RTZxnLOit
            EdsqcDHC+efGYRp9zyvebi79wa+Co22TIYFAO4UpgweSQq4YjBrkT9JPEAl2uKN5
            M7lk4GQfoCpT70Tggt820v3fVxazySGGFVwgiBBbedNlpk0iylmEwDbRlOG/FwxB
            hGy7ri1TdkOl/ta9eKhxW6N29y+N5rLdtcIH+0A40fHlP1hkk5+iCkCekdiMeIGP
            8tvmTAp26yxq+H0++cZaKQ3Y35N+nfdT0Q85pZ5AkV/g1DMd0nyjHIU5QIJHgTgG
            91FezHi8PtmE/yWq7ksQuw==
          </Modulus>
          <Exponent>
            AQAB
          </Exponent>
        </RSAKeyValue>
      </KeyValue>
    </KeyInfo>
  </Signature>

  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>

  <saml:Assertion Version="2.0" ID="_B16F49CBBA5873CF0557E56E2A39EC17" 
IssueInstant="2020-07-18T19:32:24Z">
    <saml:Issuer>https://auth.host/saml/metadata</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <SignatureMethod 
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <Reference URI="#_B16F49CBBA5873CF0557E56E2A39EC17">
          <Transforms>
            <Transform 
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <DigestValue>Wb8ZIBcWKUTPte8fMocExGpsqsBUkdeO419eEWTZLtU=</DigestValue>
        </Reference>
      </SignedInfo>
        <SignatureValue>ZRuNH7EptLuF3cn/H5KIQMWr2Dyq7atBiQv0kQnIr0ayyak7+D6mCt9rqqfqA4Dn
        HrdCEj7tS8z1plG7odr2taGB9qbfNHCSDgWJNH/FJAupDg0d/GwzuELjOTaMZ4D/
        n+5fAZWKwzfbrmJhomXwDL9dGOcxOcsMBWE5C9CiD7xfrQv/GL/XeGvE+6FXORTq
        za0k4Dy2ddVZ6ckNGZ9FMbmO7JOqqKwOmOsdFFGCm8+HPH3imTUUuSDkXjwhxZPO
        O6X05KU4im8cKb98DFXWY87a7vP2TM9/GUVm8mPHmVjDbl3bc8nVxOUTti+1PBir
        JPYeQ/a4gyVCJvtvQM2E+Q==
      </SignatureValue>
      <KeyInfo>
        <KeyValue>
          <RSAKeyValue>
            <Modulus>
              xV0D8VKOdWuZWMLqPaXq4bXjJ/v1Qn8tZ2kA37KSwdT859ZE6/vQyc3RTZxnLOit
              EdsqcDHC+efGYRp9zyvebi79wa+Co22TIYFAO4UpgweSQq4YjBrkT9JPEAl2uKN5
              M7lk4GQfoCpT70Tggt820v3fVxazySGGFVwgiBBbedNlpk0iylmEwDbRlOG/FwxB
              hGy7ri1TdkOl/ta9eKhxW6N29y+N5rLdtcIH+0A40fHlP1hkk5+iCkCekdiMeIGP
              8tvmTAp26yxq+H0++cZaKQ3Y35N+nfdT0Q85pZ5AkV/g1DMd0nyjHIU5QIJHgTgG
              91FezHi8PtmE/yWq7ksQuw==
            </Modulus>
            <Exponent>
              AQAB
            </Exponent>
          </RSAKeyValue>
        </KeyValue>
      </KeyInfo>
    </Signature>

    <saml:Subject>
      <saml:NameID 
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" 
NameQualifier="https://auth.host/saml/metadata" 
SPNameQualifier="https://sogo.host/SOGo/saml2-metadata">
        _B5B0EA682AC4FDAA46F9EA260F85360C
      </saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2020-07-19T15:32:24Z" 
Recipient="https://sogo.host/SOGo/saml2-signon-post" 
InResponseTo="_4168636FA164C0837D937374CCC5FF5B"/>
      </saml:SubjectConfirmation>
    </saml:Subject>

    <saml:Conditions NotBefore="2020-07-18T19:31:24Z" 
NotOnOrAfter="2020-07-19T15:33:24Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sogo.host/SOGo/saml2-metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>

    <saml:AuthnStatement AuthnInstant="2020-07-18T19:32:24Z" 
SessionIndex="41d77be782264d2858aebd0f583191ab6e1f5e954a37a2422d2247163aa7c615" 
SessionNotOnOrAfter="2020-07-19T15:32:24Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>
          urn:oasis:names:tc:SAML:2.0:ac:classes:Password
        </saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>

    <saml:AttributeStatement>
      <saml:Attribute Name="cn" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" 
FriendlyName="cn">
        <saml:AttributeValue>
          My name
        </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="mail" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" 
FriendlyName="mail">
        <saml:AttributeValue>
          [email protected]
        </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="uid" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" 
FriendlyName="uid">
        <saml:AttributeValue>
          my username
        </saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
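As an added example (not code from the post, SOGo or LemonLDAP), a small Python checker that reads a Response shaped like the attached token, lists its AttributeStatement with the whitespace padding around each value stripped, and reports what value an SP configured with a given login attribute (mail, email, login, ...) would obtain, alongside the audience and validity-window checks a relying party makes before trusting the assertion. The sample XML and user@example.org are constructed, and signature verification is out of scope.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: same layout as the attached token, signatures and IDs dropped.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Assertion Version="2.0">
    <saml:Conditions NotBefore="2020-07-18T19:31:24Z" NotOnOrAfter="2020-07-19T15:33:24Z">
      <saml:AudienceRestriction><saml:Audience>https://sogo.host/SOGo/saml2-metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail" FriendlyName="mail">
        <saml:AttributeValue>
          user@example.org
        </saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="uid"><saml:AttributeValue>my username</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def attributes(xml_text):
    """Map attribute Name -> list of values, with the whitespace padding stripped."""
    root = ET.fromstring(xml_text)
    result = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        result[attr.get("Name")] = values
    return result

def login_value(xml_text, login_attribute):
    """Value an SP configured with this login attribute would obtain; None if absent or empty."""
    values = attributes(xml_text).get(login_attribute, [])
    return values[0] if values and values[0] else None

def parse_utc(stamp):
    # SAML timestamps are ISO 8601 in UTC with a trailing Z
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def condition_problems(xml_text, expected_audience, now):
    """Checks an SP makes before trusting the assertion (signature verification is out of scope)."""
    cond = ET.fromstring(xml_text).find(".//saml:Conditions", NS)
    problems = []
    if now < parse_utc(cond.get("NotBefore")) or now >= parse_utc(cond.get("NotOnOrAfter")):
        problems.append("outside validity window")
    audiences = [a.text.strip() for a in cond.iterfind(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("audience mismatch")
    return problems
```

Running `login_value(SAMPLE, name)` for each candidate name shows which of them the token actually carries, and `attributes(SAMPLE)` shows the exact strings once the surrounding newlines are removed.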
