Hi Kenny,

First, just know that I am by no means an expert in SOGo. I just got SAML to work with it and I can share what I have done :).

We have defined a SOGoUserSource (in our case, the same LDAP as is used by Keycloak). It is still required for non-SAML endpoints such as ActiveSync, CardDAV and CalDAV. We also have set "Client Signature Required" to ON, so that is possible. The certificates you mentioned in the Keycloak client export are the certificates of your SOGo server. These are not the same ones as the identity provider certificates. Just to be clear, in the SOGo configuration:

SOGoSAML2PrivateKeyLocation --> you have to generate this yourself (e.g. with openssl)
SOGoSAML2CertificateLocation --> you have to generate this yourself (e.g. with openssl)
SOGoSAML2IdpPublicKeyLocation --> see below for more details
SOGoSAML2IdpCertificateLocation --> see below for more details
SOGoSAML2IdpMetadataLocation --> see below for more details

These are our work instructions to retrieve the certificates and SAML descriptor from Keycloak that we put in the SOGo installation:
---------
SAML descriptor:
* Go to the realm settings
* General > Endpoints > SAML 2.0 Identity Provider Metadata. Make sure to view the source data of that page and not the parsed XML data, because Firefox (and possibly other browsers) will remove the namespace information!

SAML public key and certificate:
* Go to the realm settings
* Keys > RS256 algorithm > Public key & Certificate buttons on the right
----------

These are the work instructions we used to configure Keycloak. Please note that you will need to define the mappers according to your credentials provider.
---------
Download the SOGo metadata XML from https://<host>/SOGo/saml2-metadata. In Keycloak, go to Configure > Clients and follow these steps:
* Click on "Create" and import the metadata XML file from SOGo. Click on "Save".
* In Settings, set the "Name" to SOGo. Click on "Save".
* In Client Scopes, remove role_list from the assigned default client scopes.
* In Mappers, create the following mappers:
  * Name: username
    * Mapper type: User Property
    * Property: username
    * SAML Attribute Name: username
    * SAML Attribute NameFormat: basic
  * Name: email
    * Mapper type: User Property
    * Property: email
    * SAML Attribute Name: email
    * SAML Attribute NameFormat: basic
---------

I hope this helps you.

KR
Jeroen

On Monday, July 20, 2020 16:52 UTC, "la.jolie@paquerette" ([email protected]) <[email protected]> wrote:

Hi Jeroen,

Thanks for your help. I put my Keycloak test server back on and tried your ideas, but no luck. The SAML2 assertion includes both email & username fields with the correct value. But I still got the same exact error.

I see in SOGo logs, when first accessing SOGo, before the redirection to Keycloak, this line:
----
Jul 20 14:41:59 sogod [8340]: [ERROR] <0x0x55f3d21a8ad0[SOGoUserManager]> No authentication sources defined - nobody will be able to login. Check your defaults.
----

This error comes from the fact I didn't define a:
------
SOGoUserSources = ( { type = sql or ldap; ...
------

Do I presume correctly that it's a normal error as I'm using SAML2 and not SQL or LDAP as user source?

Can I ask you to compare your SOGo client config in Keycloak with mine to see if there is a difference? I attached the metadata of my SOGo client to the mail.

I noticed one strange thing. I must have the option "Client Signature Required: OFF" in my Keycloak SOGo client. If I set it to ON, I get an "invalid query param" in the Keycloak logs (does that mean SOGo can't sign the request?).

Also, I'm wondering if I'm right to compose the file for the options SOGoSAML2IdpPublicKeyLocation & SOGoSAML2IdpCertificateLocation in the SOGo conf with the attribute "saml.signing.certificate" from the metadata file (enclosed by "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"). I put that in the file /etc/sogo/idp-public.key. Or am I wrong to do it like that?

I know about the next step, where you can't send a SAML assertion to Dovecot for credentials as it is. You need pam-script-saml or libpam-script + lasso (patched or not, not sure as the info about it is so old). I already tested pam-script-saml but need the first step to work (connection to SOGo) to see if it works.

Thanks,
Kenny

On 19/07/20 14:02, Jeroen van Os ([email protected]) wrote:
> Hi Kenny,
>
> I have been trying to get SAML to work with SOGo as well. In Keycloak the following configuration works:
>
> Client scopes: none
> Mappers: fill in "email" and "username" with information from your credentials provider
> Set scope to "full scope allowed"
>
> In the SOGo config file we have this line, the rest is similar to what you provided:
> SOGoSAML2LoginAttribute = username;
>
> Don't forget to take into account that even if you get SAML to work, the connection to your IMAP and SMTP server may not work. Because SOGo has no knowledge of the user's password, it cannot authenticate against regular IMAP and SMTP servers that expect user credentials for authorization. So you will need to find a way to authenticate without knowing the user's password.
>
> Kind regards,
> Jeroen
>
>
> On 18/07/2020 at 22:19, "la.jolie@paquerette" ([email protected]) wrote:
>> Going on with my attempts to connect SOGo to LemonLDAP, I tried also with the SAML protocol.
>> A few weeks ago, I first tried with Keycloak (https://www.mail-archive.com/[email protected]/msg29805.html), but I didn't find a solution.
>>
>> Unfortunately, with LemonLDAP, I have the same error:
>> ------------
>> |SOGo| starting method 'POST' on uri '/SOGo/saml2-signon-post'
>> |SOGo| traverse(acquire): SOGo => saml2-signon-post
>> |SOGo| do traverse name: 'SOGo'
>> |SOGo| do traverse name: 'saml2-signon-post'
>> |SOGo| set clientObject: <SOGo[0x0x5638236b2630]: name=SOGo>
>> sogod[8630:8630] EXCEPTION: <NSException: 0x563823b60f20> NAME:NSInvalidArgumentException REASON:Tried to add nil value for key 'login' to dictionary INFO:{}
>> |SOGo| request took 0.013806 seconds to execute
>> <0x0x563823b8f410[WOResponse]> Zipping of response disabled
>> 127.0.0.1 "POST /SOGo/saml2-signon-post HTTP/1.1" 501 0/7289 0.019 - - 692K
>> ----------------
>>
>> I'm back to the post https://sogo.nu/bugs/view.php?id=4441
>> Alas, no clue what SOGo is waiting for.
>>
>> I attached a SAML token example LemonLDAP sends back to SOGo.
>> For the attribute with my mail (for the login), I tried the names mail, email & login, but same error.
>>
>> What is the attribute name SOGo wants for the key 'login'?
>> Is something wrong with the SAML token SOGo is receiving from LemonLDAP?
>>
>> Thanks,
>> Kenny
>>
>>
>> My SOGo config:
>> ----
>> SOGoProfileURL = "mysql://yyyyyyy:[email protected]:3306/sogo/sogo_user_profile";
>> OCSFolderInfoURL = "mysql://yyyyyyy:[email protected]:3306/sogo/sogo_folder_info";
>> OCSSessionsFolderURL = "mysql://yyyyyyy:[email protected]:3306/sogo/sogo_sessions_folder";
>> OCSEMailAlarmsFolderURL = "mysql://yyyyyyy:[email protected]:3306/sogo/sogo_alarms_folder";
>> SOGoLanguage = English;
>> SOGoAppointmentSendEMailNotifications = YES;
>> SOGoMailingMechanism = smtp;
>> SOGoSMTPServer = 127.0.0.1;
>> SOGoTimeZone = UTC;
>> SOGoSentFolderName = Sent;
>> SOGoTrashFolderName = Trash;
>> SOGoDraftsFolderName = Drafts;
>> SOGoIMAPServer = "imap://localhost:143/";
>> SOGoSieveServer = "sieve://localhost:4190/";
>> SOGoIMAPAclConformsToIMAPExt = YES;
>> SOGoVacationEnabled = NO;
>> SOGoForwardEnabled = NO;
>> SOGoSieveScriptsEnabled = NO;
>> SOGoFirstDayOfWeek = 0;
>> SOGoMailMessageCheck = manually;
>> SOGoMailAuxiliaryUserAccountsEnabled = NO;
>> SOGoMemcachedHost = 127.0.0.1;
>>
>> SOGoCacheCleanupInterval = 3600;
>> SOGoAuthenticationType = saml2;
>> NGImap4AuthMechanism = PLAIN; # tried without the option too
>> SOGoSAML2PrivateKeyLocation = "/etc/sogo/saml.pem";
>> SOGoSAML2CertificateLocation = "/etc/sogo/saml.crt";
>> SOGoSAML2IdpMetadataLocation = "/etc/sogo/idp-metadata.xml";
>> SOGoSAML2IdpPublicKeyLocation = "/etc/sogo/idp-public.key";
>> SOGoSAML2IdpCertificateLocation = "/etc/sogo/idp-public.key";
>> SOGoSAML2LoginAttribute = mail;
>> SOGoSAML2LogoutEnabled = YES;
>> SOGoSAML2LogoutURL = "https://xxxxxxxx";
>>
>> WOWorkersCount = 10;
>>
>> SOGoEASDebugEnabled = YES;
>> GCSFolderDebugEnabled = YES;
>> GCSFolderStoreDebugEnabled = YES;
>> LDAPDebugEnabled = YES;
>> MySQL4DebugEnabled = YES;
>> NGImap4DisableIMAP4Pooling = YES;
>> ImapDebugEnabled = YES;
>> OCSFolderManagerSQLDebugEnabled = YES;
>> PGDebugEnabled = YES;
>> SOGoDebugRequests = YES;
>> SOGoMailKeepDraftsAfterSend = YES;
>> SOGoUIxDebugEnabled = YES;
>> SoDebugObjectTraversal = YES;
>> SoSecurityManagerDebugEnabled = YES;
>> WODontZipResponse = YES;
>> WODebugZipResponse = YES;
>> }
>> --------
>
--
[email protected]
https://inverse.ca/sogo/lists
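Jeroen's instructions above say to take the SAML 2.0 IdP metadata and the realm signing certificate from Keycloak, and Kenny asks how the idp-public.key file should be composed. As an added example (not code from this thread, from SOGo or from Keycloak), the Python below reads an IdP metadata document such as the one saved under SOGoSAML2IdpMetadataLocation, rejects a copy whose SAML namespaces were stripped by a browser's pretty-printed view, and PEM-wraps the use="signing" certificate for SOGoSAML2IdpCertificateLocation; the entityID and the certificate body are constructed placeholders, not a real realm or X.509 certificate.

```python
import base64
import xml.etree.ElementTree as ET

# Added example, not code from the thread or from SOGo/Keycloak: extract the
# IdP signing certificate from SAML 2.0 IdP metadata and emit it as PEM.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: the certificate body is a base64 placeholder, not a real
# X.509 certificate; the entityID is a made-up Keycloak-style realm URL.
PLACEHOLDER_B64 = base64.b64encode(b"CONSTRUCTED-PLACEHOLDER-DER-BYTES" * 4).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/auth/realms/demo">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {PLACEHOLDER_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def signing_certificate_pem(metadata_xml: str) -> str:
    """Return the IdP signing certificate from SAML metadata as PEM text."""
    root = ET.fromstring(metadata_xml)
    # A browser-stripped copy has a bare "EntityDescriptor" root instead of
    # the namespaced one; reject it rather than producing a useless file.
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError(f"root is {root.tag!r}: SAML metadata namespace missing")
    certs = root.findall(
        "md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']"
        "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not certs:
        raise ValueError("no KeyDescriptor use='signing' with an X509Certificate")
    # Keycloak wraps the base64 body in whitespace; normalise it and make sure
    # it really is base64 before writing it out in 64-column PEM lines.
    body = "".join((certs[0].text or "").split())
    base64.b64decode(body, validate=True)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + \
        "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    print(signing_certificate_pem(SAMPLE_METADATA), end="")
```

Redirect the output into the file named by SOGoSAML2IdpCertificateLocation; the realm public key for SOGoSAML2IdpPublicKeyLocation is still taken from the Keycloak Keys page as Jeroen describes.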
