Hi Jeroen,

Thanks for your help.

I put my keycloak test server back on and tried your ideas, but no luck.
The Saml2 assertion includes both email & username fields with the
correct value.

But I still got the same exact error.

I see in sogo logs, when first accessing Sogo, before the redirection to
keycloak, this line:
----
Jul 20 14:41:59 sogod [8340]: [ERROR]
<0x0x55f3d21a8ad0[SOGoUserManager]> No authentication sources defined -
nobody will be able to login. Check your defaults.
----

This error comes from the fact I didn't define a:
------
 SOGoUserSources = (
    {
      type = sql or ldap;
...
------
Do I presume correctly that it's a normal error as I'm using saml2 and
not sql or ldap as userSource?

Can I ask you to compare your Sogo client config in Keycloak with mine to
see if there is a difference?
I attached the metadata of my Sogo client to the mail.

I noticed one strange thing.
I must have the option "Client Signature Required: OFF" in my keycloak
sogo client.
If I set it to ON, I get an "invalid query param" in keycloak logs (does
that mean Sogo can't sign the request?).

Also, I'm wondering if I'm right to compose the file for the option
SOGoSAML2IdpPublicKeyLocation & SOGoSAML2IdpCertificateLocation in sogo
conf with the attribute "saml.signing.certificate" from the metadata
file (enclosed by "-----BEGIN CERTIFICATE-----" and "-----END
CERTIFICATE-----").
I put that in the file /etc/sogo/idp-public.key.

Or am I wrong to do it like that?

I know about the next step where you can't send a saml assertion to
dovecot for credentials as it is.
You need pam-script-saml or libpam-script + lasso (patched or not, not
sure as the info about it is so old).
I already tested pam-script-saml but need the first step to work
(connection to sogo) to see if it works.

Thanks,
Kenny

On 19/07/20 14:02, Jeroen van Os ([email protected]) wrote:
> Hi Kenny,
>
> I have been trying to get SAML to work with SOGo as well. In Keycloak
> the following configuration works:
>
> Client scopes: none
> Mappers: fill in "email" and "username" with information from your
> credentials provider
> Set scope to "full scope allowed"
>
> In the SOGo config file we have this line, the rest is similar to what
> you provided:
>   SOGoSAML2LoginAttribute = username;
>
> Don't forget to take into account that even if you get SAML to work,
> the connection to your IMAP and SMTP server may not work. Because SOGo
> has no knowledge of the user's password, it cannot authenticate
> against regular IMAP and SMTP servers that expect user credentials for
> authorization. So you will need to find a way to authenticate without
> knowing the user's password.
>
> Kind regards,
> Jeroen
>
>
> On 18/07/2020 at 22:19, "la.jolie@paquerette"
> ([email protected]) wrote:
>> Going on with my attempts to connect Sogo to LemonLdap, I tried also with
>> the SAML protocol.
>> Few weeks ago, I first tried with Keycloak
>> (https://www.mail-archive.com/[email protected]/msg29805.html), but I didn't
>> find a solution.
>>
>> Unfortunately, with LemonLdap, I have the same error:
>> ------------
>> |SOGo| starting method 'POST' on uri '/SOGo/saml2-signon-post'
>>   |SOGo| traverse(acquire): SOGo => saml2-signon-post
>> |SOGo|   do traverse name: 'SOGo'
>> |SOGo|   do traverse name: 'saml2-signon-post'
>> |SOGo| set clientObject: <SOGo[0x0x5638236b2630]: name=SOGo>
>> sogod[8630:8630] EXCEPTION: <NSException: 0x563823b60f20>
>> NAME:NSInvalidArgumentException REASON:Tried to add nil value for key
>> 'login' to dictionary INFO:{}
>> |SOGo| request took 0.013806 seconds to execute
>> <0x0x563823b8f410[WOResponse]> Zipping of response disabled
>> 127.0.0.1 "POST /SOGo/saml2-signon-post HTTP/1.1" 501 0/7289 0.019 -
>> - 692K
>> ----------------
>>
>> I'm back to the post https://sogo.nu/bugs/view.php?id=4441
>> Alas, no clue what Sogo is waiting for.
>>
>> I attached a saml token example LemonLdap sends back to Sogo.
>> For the attribute with my mail (for the login), I tried the name mail,
>> email & login, but same error.
>>
>> What is the attribute name Sogo wants for the key 'login'?
>> Is something wrong with the Saml token Sogo is receiving from LemonLdap?
>>
>> Thanks,
>> Kenny
>>
>>
>> My Sogo config:
>> ----
>>    SOGoProfileURL =
>> "mysql://yyyyyyy:[email protected]:3306/sogo/sogo_user_profile";
>>    OCSFolderInfoURL =
>> "mysql://yyyyyyy:[email protected]:3306/sogo/sogo_folder_info";
>>    OCSSessionsFolderURL =
>> "mysql://yyyyyyy:[email protected]:3306/sogo/sogo_sessions_folder";
>>    OCSEMailAlarmsFolderURL =
>> "mysql://yyyyyyy:[email protected]:3306/sogo/sogo_alarms_folder";
>>    SOGoLanguage = English;
>>    SOGoAppointmentSendEMailNotifications = YES;
>>    SOGoMailingMechanism = smtp;
>>    SOGoSMTPServer = 127.0.0.1;
>>    SOGoTimeZone = UTC;
>>    SOGoSentFolderName = Sent;
>>    SOGoTrashFolderName = Trash;
>>    SOGoDraftsFolderName = Drafts;
>>    SOGoIMAPServer = "imap://localhost:143/";
>>    SOGoSieveServer = "sieve://localhost:4190/";
>>    SOGoIMAPAclConformsToIMAPExt = YES;
>>    SOGoVacationEnabled = NO;
>>    SOGoForwardEnabled = NO;
>>    SOGoSieveScriptsEnabled = NO;
>>    SOGoFirstDayOfWeek = 0;
>>    SOGoMailMessageCheck = manually;
>>    SOGoMailAuxiliaryUserAccountsEnabled = NO;
>>    SOGoMemcachedHost = 127.0.0.1;
>>
>> SOGoCacheCleanupInterval = 3600;
>> SOGoAuthenticationType = saml2;
>> NGImap4AuthMechanism = PLAIN;    # tried without the option too
>> SOGoSAML2PrivateKeyLocation = "/etc/sogo/saml.pem";
>> SOGoSAML2CertificateLocation = "/etc/sogo/saml.crt";
>> SOGoSAML2IdpMetadataLocation = "/etc/sogo/idp-metadata.xml";
>> SOGoSAML2IdpPublicKeyLocation = "/etc/sogo/idp-public.key";
>> SOGoSAML2IdpCertificateLocation = "/etc/sogo/idp-public.key";
>> SOGoSAML2LoginAttribute = mail;
>> SOGoSAML2LogoutEnabled = YES;
>> SOGoSAML2LogoutURL = "https://xxxxxxxx";
>>
>> WOWorkersCount = 10;
>>
>>      SOGoEASDebugEnabled = YES;
>>      GCSFolderDebugEnabled = YES;
>>      GCSFolderStoreDebugEnabled = YES;
>>      LDAPDebugEnabled = YES;
>>      MySQL4DebugEnabled = YES;
>>      NGImap4DisableIMAP4Pooling = YES;
>>      ImapDebugEnabled = YES;
>>      OCSFolderManagerSQLDebugEnabled = YES;
>>      PGDebugEnabled = YES;
>>      SOGoDebugRequests = YES;
>>      SOGoMailKeepDraftsAfterSend = YES;
>>      SOGoUIxDebugEnabled = YES;
>>      SoDebugObjectTraversal = YES;
>>      SoSecurityManagerDebugEnabled = YES;
>>      WODontZipResponse = YES;
>>      WODebugZipResponse = YES;
>> }
>> --------
>

-- 
[email protected]
https://inverse.ca/sogo/lists

Attachment: sogo.host_saml2-metadata.json
Description: application/json
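An added example, not code from this thread or from SOGo, that checks an assertion the way the thread describes SOGoSAML2LoginAttribute working: it lists the attributes the IdP actually sent and resolves the configured login attribute against them, which is the lookup that the "Tried to add nil value for key 'login'" exception above suggests is failing. The sample response, attribute names and values are constructed, and the assumption that SOGo matches the attribute Name exactly comes from the thread, not from SOGo's source.

```python
# Added example (not from the thread): checks whether a SAML2 assertion
# carries the attribute named by SOGoSAML2LoginAttribute, which is the
# value SOGo needs for the 'login' key that the traceback says was nil.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response, shaped like what Keycloak emits with
# "email" and "username" attribute mappers; not a captured message.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>kenny@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="username"><saml:AttributeValue>kenny</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def assertion_attributes(xml_text):
    """Return {Name: [values]} for every saml:Attribute in the assertion."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs


def resolve_login(xml_text, login_attribute):
    """First value of the attribute whose Name equals login_attribute, or None
    when the IdP did not send one (assumed to mirror SOGoSAML2LoginAttribute)."""
    values = assertion_attributes(xml_text).get(login_attribute, [])
    return values[0] if values else None


def check_config(xml_text, login_attribute):
    """One-line verdict: which login SOGo would get, or which names were sent instead."""
    login = resolve_login(xml_text, login_attribute)
    if login is None:
        sent = ", ".join(sorted(assertion_attributes(xml_text))) or "(none)"
        return f"no attribute named '{login_attribute}'; assertion carries: {sent}"
    return f"login would be '{login}'"


if __name__ == "__main__":
    print(check_config(SAMPLE_RESPONSE, "mail"))      # the name first tried in the thread
    print(check_config(SAMPLE_RESPONSE, "username"))  # the name Jeroen's setup uses
```

Feed it the decoded SAMLResponse your IdP posts to /SOGo/saml2-signon-post and the attribute name from your sogo.conf; a "no attribute named" verdict means the mapper on the IdP side and SOGoSAML2LoginAttribute disagree.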
