Thanks for that Jeroen. I need to do the same and this will help.

-- 
Daniel Kollmer
Computer Technology Group
NIKHEF - Dutch National Institute for Sub-atomic Physics
Science Park 105 1098 XG Amsterdam
Phone: +31205922164 

On 7/23/20 10:42 AM, "Jeroen" ([email protected]) wrote:
> Hi Kenny,
>
> First, just know that I am by no means an expert in SOGo. I just got
> SAML to work with it and I can share what I have done :) .
>
> We have defined a SOGoUserSource (in our case, the same ldap as is
> used by Keycloak). It is still required for non-SAML endpoints such as
> ActiveSync, CardDav and CalDav. We also have set "Client Signature
> Required" to ON, so that is possible.
>
> The certificates you mentioned in the keycloak client export, are the
> certificates of your SOGo server. These are not the same ones as the
> identity provider certificates. Just to be clear in the SOGo
> configuration:
> SOGoSAML2PrivateKeyLocation     --> you have to generate this yourself (e.g. with openssl)
> SOGoSAML2CertificateLocation    --> you have to generate this yourself (e.g. with openssl)
> SOGoSAML2IdpPublicKeyLocation   --> see below for more details
> SOGoSAML2IdpCertificateLocation --> see below for more details
> SOGoSAML2IdpMetadataLocation    --> see below for more details
> These are our work instructions to retrieve the certificates and SAML
> descriptor from Keycloak that we put in the SOGo installation:
> ---------
>
> SAML descriptor:
>
>   * Go to the realm settings
>   * General > Endpoints > SAML 2.0 Identity Provider Metadata. Make
>     sure to view the source data of that page and not the parsed XML
>     data, because Firefox (and possibly other browsers) will remove
>     the namespace information!
>
> SAML public key and certificate:
>
>   * Go to the realm settings
>   * Keys > RS256 algorithm > Public key & Certificate buttons on the right
>
> ----------
>
> These are the work instructions we used to configure Keycloak. Please
> note that you will need to define the mappers according to your
> credentials provider.
> ---------
>
> Download the SOGo metadata XML from https://<host>/SOGo/saml2-metadata.
>
> In Keycloak, go to Configure > Clients and follow these steps:
>
>   * Click on "Create" and import the metadata XML file from SOGo.
>     Click on "Save".
>   * In Settings, set the "Name" to "SOGo". Click on "Save".
>   * In Client Scopes, remove "role_list" from the assigned default
>     client scopes.
>   * In Mappers, create the following mappers:
>       o Name: username
>           + Mapper type: User Property
>           + Property: username
>           + SAML Attribute Name: username
>           + SAML Attribute NameFormat: basic
>       o Name: email
>           + Mapper type: User Property
>           + Property: email
>           + SAML Attribute Name: email
>           + SAML Attribute NameFormat: basic
>
> ---------
>  
> I hope this helps you.
>
> KR
> Jeroen
>
>
>
> On Monday, July 20, 2020 16:52 UTC, "la.jolie@paquerette"
> ([email protected]) <[email protected]> wrote:
>  
>> Hi Jeroen,
>>
>> Thanks for your help.
>>
>> I put my keycloak test server back on and tried your ideas, but no luck.
>> The Saml2 assertion includes both email & username fields with the
>> correct value.
>>
>> But I still got the same exact error.
>>
>> I see in sogo logs, when first accessing Sogo, before the redirection to
>> keycloak, this line:
>> ----
>> Jul 20 14:41:59 sogod [8340]: [ERROR]
>> <0x0x55f3d21a8ad0[SOGoUserManager]> No authentication sources defined -
>> nobody will be able to login. Check your defaults.
>> ----
>>
>> This error comes from the fact I didn't define a:
>> ------
>>  SOGoUserSources = (
>>     {
>>       type = sql or ldap;
>> ...
>> ------
>> Do I presume correctly that it's a normal error as I'm using saml2 and
>> not sql or ldap as userSource?
>>
>> Can I ask you to compare your Sogo client config in Keycloak with mine to
>> see if there is a difference?
>> I attached the metadata of my Sogo client to the mail.
>>
>> I noticed one strange thing.
>> I must have the option "Client Signature Required: OFF" in my keycloak
>> sogo client.
>> If I set to ON, I have a "invalid query param" in keycloak logs (does
>> that mean Sogo can't sign the request?).
>>
>> Also, I'm wondering if I'm right to compose the file for the option
>> SOGoSAML2IdpPublicKeyLocation & SOGoSAML2IdpCertificateLocation in sogo
>> conf with the attribute "saml.signing.certificate" from the metadata
>> file (enclosed by "-----BEGIN CERTIFICATE-----" and "-----END
>> CERTIFICATE-----").
>> I put that in the file /etc/sogo/idp-public.key.
>>
>> Or I'm wrong to do it like that?
>>
>> I know about the next step, where you can't send a saml assertion to
>> dovecot for credentials as it is.
>> You need pam-script-saml or libpam-script + lasso (patched or not, not
>> sure, as the info about it is so old).
>> I already tested pam-script-saml but need the first step (connection to
>> sogo) to work to see if it works.
>>
>> Thanks,
>> Kenny
>>
>> On 19/07/20 14:02, Jeroen van Os ([email protected]) wrote:
>> > Hi Kenny,
>> >
>> > I have been trying to get SAML to work with SOGo as well. In Keycloak
>> > the following configuration works:
>> >
>> > Client scopes: none
>> > Mappers: fill in "email" and "username" with information from your
>> > credentials provider
>> > Set scope to "full scope allowed"
>> >
>> > In the SOGo config file we have this line, the rest is similar to what
>> > you provided:
>> >   SOGoSAML2LoginAttribute = username;
>> >
>> > Don't forget to take into account that even if you get SAML to work,
>> > the connection to your IMAP and SMTP server may not work. Because SOGo
>> > has no knowledge of the user's password, it cannot authenticate
>> > against regular IMAP and SMTP servers that expect user credentials for
>> > authorization. So you will need to find a way to authenticate without
>> > knowing the user's password.
>> >
>> > Kind regards,
>> > Jeroen
>> >
>> >
>> > On 18/07/2020 at 22:19, "la.jolie@paquerette"
>> > ([email protected]) wrote:
>> >> Going on with my attempts to connect Sogo to LemonLdap, I tried also
>> >> with the SAML protocol.
>> >> A few weeks ago, I first tried with Keycloak
>> >> (https://www.mail-archive.com/[email protected]/msg29805.html), but I
>> >> didn't find a solution.
>> >>
>> >> Unfortunately, with LemonLdap, I have the same error:
>> >> ------------
>> >> |SOGo| starting method 'POST' on uri '/SOGo/saml2-signon-post'
>> >>   |SOGo| traverse(acquire): SOGo => saml2-signon-post
>> >> |SOGo|   do traverse name: 'SOGo'
>> >> |SOGo|   do traverse name: 'saml2-signon-post'
>> >> |SOGo| set clientObject: <SOGo[0x0x5638236b2630]: name=SOGo>
>> >> sogod[8630:8630] EXCEPTION: <NSException: 0x563823b60f20>
>> >> NAME:NSInvalidArgumentException REASON:Tried to add nil value for key
>> >> 'login' to dictionary INFO:{}
>> >> |SOGo| request took 0.013806 seconds to execute
>> >> <0x0x563823b8f410[WOResponse]> Zipping of response disabled
>> >> 127.0.0.1 "POST /SOGo/saml2-signon-post HTTP/1.1" 501 0/7289 0.019 -
>> >> - 692K
>> >> ----------------
>> >>
>> >> I'm back to the post https://sogo.nu/bugs/view.php?id=4441
>> >> Alas, no clue what Sogo is waiting for.
>> >>
>> >> I attached a saml token example LemonLdap send back to Sogo.
>> >> For the attribute with my mail (for the login), I tried the name mail,
>> >> email & login, but same error.
>> >>
>> >> What is the attribute name Sogo wants for the key 'login'?
>> >> Is something wrong with the Saml token Sogo is receiving from LemonLdap?
>> >>
>> >> Thanks,
>> >> Kenny
>> >>
>> >>
>> >> My Sogo config:
>> >> ----
>> >>    SOGoProfileURL =
>> >> "mysql://yyyyyyy:[email protected]:3306/sogo/sogo_user_profile";
>> >>    OCSFolderInfoURL =
>> >> "mysql://yyyyyyy:[email protected]:3306/sogo/sogo_folder_info";
>> >>    OCSSessionsFolderURL =
>> >> "mysql://yyyyyyy:[email protected]:3306/sogo/sogo_sessions_folder";
>> >>    OCSEMailAlarmsFolderURL =
>> >> "mysql://yyyyyyy:[email protected]:3306/sogo/sogo_alarms_folder";
>> >>    SOGoLanguage = English;
>> >>    SOGoAppointmentSendEMailNotifications = YES;
>> >>    SOGoMailingMechanism = smtp;
>> >>    SOGoSMTPServer = 127.0.0.1;
>> >>    SOGoTimeZone = UTC;
>> >>    SOGoSentFolderName = Sent;
>> >>    SOGoTrashFolderName = Trash;
>> >>    SOGoDraftsFolderName = Drafts;
>> >>    SOGoIMAPServer = "imap://localhost:143/";
>> >>    SOGoSieveServer = "sieve://localhost:4190/";
>> >>    SOGoIMAPAclConformsToIMAPExt = YES;
>> >>    SOGoVacationEnabled = NO;
>> >>    SOGoForwardEnabled = NO;
>> >>    SOGoSieveScriptsEnabled = NO;
>> >>    SOGoFirstDayOfWeek = 0;
>> >>    SOGoMailMessageCheck = manually;
>> >>    SOGoMailAuxiliaryUserAccountsEnabled = NO;
>> >>    SOGoMemcachedHost = 127.0.0.1;
>> >>
>> >> SOGoCacheCleanupInterval = 3600;
>> >> SOGoAuthenticationType = saml2;
>> >> NGImap4AuthMechanism = PLAIN;    # tried without the option too
>> >> SOGoSAML2PrivateKeyLocation = "/etc/sogo/saml.pem";
>> >> SOGoSAML2CertificateLocation = "/etc/sogo/saml.crt";
>> >> SOGoSAML2IdpMetadataLocation = "/etc/sogo/idp-metadata.xml";
>> >> SOGoSAML2IdpPublicKeyLocation = "/etc/sogo/idp-public.key";
>> >> SOGoSAML2IdpCertificateLocation = "/etc/sogo/idp-public.key";
>> >> SOGoSAML2LoginAttribute = mail;
>> >> SOGoSAML2LogoutEnabled = YES;
>> >> SOGoSAML2LogoutURL = "https://xxxxxxxx";
>> >>
>> >> WOWorkersCount = 10;
>> >>
>> >>      SOGoEASDebugEnabled = YES;
>> >>      GCSFolderDebugEnabled = YES;
>> >>      GCSFolderStoreDebugEnabled = YES;
>> >>      LDAPDebugEnabled = YES;
>> >>      MySQL4DebugEnabled = YES;
>> >>      NGImap4DisableIMAP4Pooling = YES;
>> >>      ImapDebugEnabled = YES;
>> >>      OCSFolderManagerSQLDebugEnabled = YES;
>> >>      PGDebugEnabled = YES;
>> >>      SOGoDebugRequests = YES;
>> >>      SOGoMailKeepDraftsAfterSend = YES;
>> >>      SOGoUIxDebugEnabled = YES;
>> >>      SoDebugObjectTraversal = YES;
>> >>      SoSecurityManagerDebugEnabled = YES;
>> >>      WODontZipResponse = YES;
>> >>      WODebugZipResponse = YES;
>> >> }
>> >> --------
>> >
>>
>> --
>> [email protected]
>> https://inverse.ca/sogo/lists
>
>
>
>  

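Jeroen's quoted instructions above make two points a practitioner will want to check rather than trust: the Keycloak "SAML 2.0 Identity Provider Metadata" must be saved as raw source, because a browser's XML view drops the namespace declarations, and the IdP certificate SOGo needs for SOGoSAML2IdpCertificateLocation is the one in that descriptor (the realm signing key), not the SOGo client certificate. The script below is an added example, written for this page and not taken from SOGo, Keycloak or any poster in the thread. It checks a saved descriptor for exactly the namespace damage Jeroen warns about and extracts the IdP signing certificate as a PEM file. The sample descriptor, the keycloak.example host, the file names and the five-byte "certificate" inside the sample are constructed placeholders, not real data.

```python
# Added example: sanity-check a SAML IdP descriptor saved from Keycloak before
# pointing SOGoSAML2IdpMetadataLocation at it, and pull the IdP signing
# certificate out of it as PEM for SOGoSAML2IdpCertificateLocation.
# Not SOGo or Keycloak code. The sample descriptor below is constructed; the
# "certificate" in it is a 5-byte DER placeholder, not a real X.509 certificate.
import base64
import textwrap
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}


def check_idp_metadata(xml_text):
    """Return a list of problems; an empty list means the descriptor is usable."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Typical when the XML was copied from a browser's rendered tree:
        # the md:/ds: prefixes survive but the xmlns declarations do not.
        return ["not well-formed XML (%s); namespace declarations missing?" % exc]
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        return ["root element is %r, expected EntityDescriptor in %s "
                "(namespaces stripped by the browser view?)" % (root.tag, MD_NS)]
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no md:IDPSSODescriptor: this is not an identity-provider descriptor"]
    if idp.find("md:SingleSignOnService", NS) is None:
        problems.append("no md:SingleSignOnService endpoint")
    if _signing_cert_element(idp) is None:
        problems.append("no signing certificate (md:KeyDescriptor/ds:X509Certificate)")
    return problems


def _signing_cert_element(idp):
    # A KeyDescriptor with use="signing", or one without a use attribute
    # (which the SAML metadata spec treats as valid for both uses).
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            return cert
    return None


def extract_signing_cert_pem(xml_text):
    """Return the IdP signing certificate as a PEM string, or raise ValueError."""
    problems = check_idp_metadata(xml_text)
    if problems:
        raise ValueError("; ".join(problems))
    root = ET.fromstring(xml_text)
    cert = _signing_cert_element(root.find("md:IDPSSODescriptor", NS))
    b64 = "".join(cert.text.split())          # metadata may wrap/indent the blob
    der = base64.b64decode(b64, validate=True)
    if not der or der[0] != 0x30:             # a DER Certificate is a SEQUENCE
        raise ValueError("X509Certificate content is not DER")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample shaped like Keycloak's "SAML 2.0 Identity Provider
# Metadata" endpoint output; entityID and Location are placeholders.
GOOD_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://keycloak.example/auth/realms/demo">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MAMC
        AQE=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://keycloak.example/auth/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# The same descriptor with the xmlns declarations gone (prefixes kept): the
# damage a browser's parsed-XML view causes, which the thread warns about.
STRIPPED_METADATA = GOOD_METADATA.replace(
    ' xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"', "").replace(
    ' xmlns:ds="http://www.w3.org/2000/09/xmldsig#"', "")

# Prefixes removed as well: well-formed XML, but in no namespace at all.
UNPREFIXED_METADATA = STRIPPED_METADATA.replace("md:", "").replace("ds:", "")


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read()
    found = check_idp_metadata(text)
    if found:
        sys.exit("\n".join("PROBLEM: " + p for p in found))
    sys.stdout.write(extract_signing_cert_pem(text))
```

Run it as `python3 check_idp_metadata.py idp-metadata.xml > idp.crt` and point SOGoSAML2IdpCertificateLocation at the output; a non-zero exit with a "namespace" message means the descriptor was saved from the rendered view instead of the page source. The public key file for SOGoSAML2IdpPublicKeyLocation is taken from the realm Keys page as in the instructions above; openssl can also derive a PEM public key from the extracted certificate with `openssl x509 -in idp.crt -pubkey -noout`, though the thread does not settle which format SOGo expects there.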