Jeroen,

Thanks a lot for having taken the time.

Lots of good info here. I should have used the import feature instead of creating the Keycloak client manually. Thanks to that, the option "Client Signature Required" works and I can encrypt the answer or not, too. Alas, same error in SOGo's log.

I read somewhere you had to set the option "Force Name ID Format" to On and select username as "Name ID Format". I tried every possible choice (email / username / transient / persistent), forcing or not. I also tried encrypting or not the assertion sent to SOGo. I checked the content of the assertion that SOGo receives and all seems ok. The attributes and their values are good. But unfortunately, whatever option I tried, I always get the same error (and I'm really fed up with seeing that one; for about a month now it's the only error I see). And the same error with LemonLdap instead of Keycloak. If I connect SOGo directly to LDAP, SOGo works well.

Given that even if I succeed here there will be the problem with crudesaml + patched lasso or pam-saml-script to be able to use Dovecot, and then, as MJ explained, the timeout problem, we decided not to include SOGo in our SSO for the moment. We have Roundcube working; that will suffice for now.

Thanks again for your help. That was very much appreciated.

Kenny

On 23/07/20 10:42, "Jeroen" ([email protected]) wrote:
> Hi Kenny,
>
> First, just know that I am by no means an expert in SOGo. I just got SAML to work with it and I can share what I have done :) .
>
> We have defined a SOGoUserSource (in our case, the same LDAP as is used by Keycloak). It is still required for non-SAML endpoints such as ActiveSync, CardDAV and CalDAV. We also have set "Client Signature Required" to ON, so that is possible.
>
> The certificates you mentioned in the Keycloak client export are the certificates of your SOGo server. These are not the same ones as the identity provider certificates.
> Just to be clear, in the SOGo configuration:
> SOGoSAML2PrivateKeyLocation --> you have to generate this yourself (e.g. with openssl)
> SOGoSAML2CertificateLocation --> you have to generate this yourself (e.g. with openssl)
> SOGoSAML2IdpPublicKeyLocation --> see below for more details
> SOGoSAML2IdpCertificateLocation --> see below for more details
> SOGoSAML2IdpMetadataLocation --> see below for more details
>
> These are our work instructions to retrieve the certificates and SAML descriptor from Keycloak that we put in the SOGo installation:
> ---------
>
> SAML descriptor:
>
> * Go to the realm settings
> * General > Endpoints > SAML 2.0 Identity Provider Metadata. Make sure to view the source data of that page and not the parsed XML data, because Firefox (and possibly other browsers) will remove the namespace information!
>
> SAML public key and certificate:
>
> * Go to the realm settings
> * Keys > RS256 algorithm > Public key & Certificate buttons on the right
>
> ----------
>
> These are the work instructions we used to configure Keycloak. Please note that you will need to define the mappers according to your credentials provider.
> ---------
>
> Download the SOGo metadata XML from |https://<host>/SOGo/saml2-metadata|.
>
> In Keycloak, go to Configure > Clients and follow these steps:
>
> * Click on "Create" and import the metadata XML file from SOGo. Click on "Save".
> * In Settings, set the "Name" to |SOGo|. Click on "Save".
> * In Client Scopes, remove |role_list| from the assigned default client scopes.
> * In Mappers, create the following mappers:
>   o Name: |username|
>     + Mapper type: |User Property|
>     + Property: |username|
>     + SAML Attribute Name: |username|
>     + SAML Attribute NameFormat: |basic|
>   o Name: |email|
>     + Mapper type: |User Property|
>     + Property: |email|
>     + SAML Attribute Name: |email|
>     + SAML Attribute NameFormat: |basic|
>
> ---------
>
> I hope this helps you.
> KR
> Jeroen
>
>
>
> On Monday, July 20, 2020 16:52 UTC, "la.jolie@paquerette" ([email protected]) <[email protected]> wrote:
>
>> Hi Jeroen,
>>
>> Thanks for your help.
>>
>> I put my Keycloak test server back on and tried your ideas, but no luck.
>> The SAML2 assertion includes both email & username fields with the correct value.
>>
>> But I still get the same exact error.
>>
>> I see in SOGo logs, when first accessing SOGo, before the redirection to Keycloak, this line:
>> ----
>> Jul 20 14:41:59 sogod [8340]: [ERROR] <0x0x55f3d21a8ad0[SOGoUserManager]> No authentication sources defined - nobody will be able to login. Check your defaults.
>> ----
>>
>> This error comes from the fact I didn't define a:
>> ------
>> SOGoUserSources = (
>>   {
>>     type = sql or ldap;
>>     ...
>> ------
>> Do I presume correctly that it's a normal error as I'm using saml2 and not sql or ldap as userSource?
>>
>> Can I ask you to compare your SOGo client config in Keycloak with mine to see if there is a difference?
>> I attached the metadata of my SOGo client to the mail.
>>
>> I noticed one strange thing.
>> I must have the option "Client Signature Required: OFF" in my Keycloak SOGo client.
>> If I set it to ON, I get an "invalid query param" in Keycloak logs (does that mean SOGo can't sign the request?).
>>
>> Also, I'm wondering if I'm right to compose the file for the options SOGoSAML2IdpPublicKeyLocation & SOGoSAML2IdpCertificateLocation in the SOGo conf with the attribute "saml.signing.certificate" from the metadata file (enclosed by "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----").
>> I put that in the file /etc/sogo/idp-public.key.
>>
>> Or am I wrong to do it like that?
>>
>> I know about the next step where you can't send a SAML assertion to Dovecot for credentials as it is.
>> You need pam-script-saml or libpam-script + lasso (patched or not, not sure as the info about it is so old).
>> I already tested pam-script-saml but need the first step (connection to SOGo) to work to see if it works.
>>
>> Thanks,
>> Kenny
>>
>> On 19/07/20 14:02, Jeroen van Os ([email protected]) wrote:
>> > Hi Kenny,
>> >
>> > I have been trying to get SAML to work with SOGo as well. In Keycloak the following configuration works:
>> >
>> > Client scopes: none
>> > Mappers: fill in "email" and "username" with information from your credentials provider
>> > Set scope to "full scope allowed"
>> >
>> > In the SOGo config file we have this line, the rest is similar to what you provided:
>> > SOGoSAML2LoginAttribute = username;
>> >
>> > Don't forget to take into account that even if you get SAML to work, the connection to your IMAP and SMTP server may not work. Because SOGo has no knowledge of the user's password, it cannot authenticate against regular IMAP and SMTP servers that expect user credentials for authorization. So you will need to find a way to authenticate without knowing the user's password.
>> >
>> > Kind regards,
>> > Jeroen
>> >
>> >
>> > On 18/07/2020 at 22:19, "la.jolie@paquerette" ([email protected]) wrote:
>> >> Going on with my attempts to connect SOGo to LemonLdap, I also tried with the SAML protocol.
>> >> A few weeks ago, I first tried with Keycloak (https://www.mail-archive.com/[email protected]/msg29805.html), but I didn't find a solution.
>> >>
>> >> Unfortunately, with LemonLdap, I have the same error:
>> >> ------------
>> >> |SOGo| starting method 'POST' on uri '/SOGo/saml2-signon-post'
>> >> |SOGo| traverse(acquire): SOGo => saml2-signon-post
>> >> |SOGo| do traverse name: 'SOGo'
>> >> |SOGo| do traverse name: 'saml2-signon-post'
>> >> |SOGo| set clientObject: <SOGo[0x0x5638236b2630]: name=SOGo>
>> >> sogod[8630:8630] EXCEPTION: <NSException: 0x563823b60f20> NAME:NSInvalidArgumentException REASON:Tried to add nil value for key 'login' to dictionary INFO:{}
>> >> |SOGo| request took 0.013806 seconds to execute
>> >> <0x0x563823b8f410[WOResponse]> Zipping of response disabled
>> >> 127.0.0.1 "POST /SOGo/saml2-signon-post HTTP/1.1" 501 0/7289 0.019 - - 692K
>> >> ----------------
>> >>
>> >> I'm back to the post https://sogo.nu/bugs/view.php?id=4441
>> >> Alas, no clue what SOGo is waiting for.
>> >>
>> >> I attached a SAML token example LemonLdap sends back to SOGo.
>> >> For the attribute with my mail (for the login), I tried the names mail, email & login, but same error.
>> >>
>> >> What is the attribute name SOGo wants for the key 'login'?
>> >> Is something wrong with the SAML token SOGo is receiving from LemonLdap?
>> >>
>> >> Thanks,
>> >> Kenny
>> >>
>> >>
>> >> My SOGo config:
>> >> ----
>> >> SOGoProfileURL = "mysql://yyyyyyy:[email protected]:3306/sogo/sogo_user_profile";
>> >> OCSFolderInfoURL = "mysql://yyyyyyy:[email protected]:3306/sogo/sogo_folder_info";
>> >> OCSSessionsFolderURL = "mysql://yyyyyyy:[email protected]:3306/sogo/sogo_sessions_folder";
>> >> OCSEMailAlarmsFolderURL = "mysql://yyyyyyy:[email protected]:3306/sogo/sogo_alarms_folder";
>> >> SOGoLanguage = English;
>> >> SOGoAppointmentSendEMailNotifications = YES;
>> >> SOGoMailingMechanism = smtp;
>> >> SOGoSMTPServer = 127.0.0.1;
>> >> SOGoTimeZone = UTC;
>> >> SOGoSentFolderName = Sent;
>> >> SOGoTrashFolderName = Trash;
>> >> SOGoDraftsFolderName = Drafts;
>> >> SOGoIMAPServer = "imap://localhost:143/";
>> >> SOGoSieveServer = "sieve://localhost:4190/";
>> >> SOGoIMAPAclConformsToIMAPExt = YES;
>> >> SOGoVacationEnabled = NO;
>> >> SOGoForwardEnabled = NO;
>> >> SOGoSieveScriptsEnabled = NO;
>> >> SOGoFirstDayOfWeek = 0;
>> >> SOGoMailMessageCheck = manually;
>> >> SOGoMailAuxiliaryUserAccountsEnabled = NO;
>> >> SOGoMemcachedHost = 127.0.0.1;
>> >>
>> >> SOGoCacheCleanupInterval = 3600;
>> >> SOGoAuthenticationType = saml2;
>> >> NGImap4AuthMechanism = PLAIN; # tried without the option too
>> >> SOGoSAML2PrivateKeyLocation = "/etc/sogo/saml.pem";
>> >> SOGoSAML2CertificateLocation = "/etc/sogo/saml.crt";
>> >> SOGoSAML2IdpMetadataLocation = "/etc/sogo/idp-metadata.xml";
>> >> SOGoSAML2IdpPublicKeyLocation = "/etc/sogo/idp-public.key";
>> >> SOGoSAML2IdpCertificateLocation = "/etc/sogo/idp-public.key";
>> >> SOGoSAML2LoginAttribute = mail;
>> >> SOGoSAML2LogoutEnabled = YES;
>> >> SOGoSAML2LogoutURL = "https://xxxxxxxx";
>> >>
>> >> WOWorkersCount = 10;
>> >>
>> >> SOGoEASDebugEnabled = YES;
>> >> GCSFolderDebugEnabled = YES;
>> >> GCSFolderStoreDebugEnabled = YES;
>> >> LDAPDebugEnabled = YES;
>> >> MySQL4DebugEnabled = YES;
>> >> NGImap4DisableIMAP4Pooling = YES;
>> >> ImapDebugEnabled = YES;
>> >> OCSFolderManagerSQLDebugEnabled = YES;
>> >> PGDebugEnabled = YES;
>> >> SOGoDebugRequests = YES;
>> >> SOGoMailKeepDraftsAfterSend = YES;
>> >> SOGoUIxDebugEnabled = YES;
>> >> SoDebugObjectTraversal = YES;
>> >> SoSecurityManagerDebugEnabled = YES;
>> >> WODontZipResponse = YES;
>> >> WODebugZipResponse = YES;
>> >> }
>> >> --------
>> >
>>
>> --
>> [email protected]
>> https://inverse.ca/sogo/lists
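An added diagnostic, not code from this thread or from the SOGo project: the exception quoted above says the value for key 'login' was nil, so the first thing to line up is whether the assertion actually carries the attribute that SOGoSAML2LoginAttribute names (the posted config says `mail`, while the Keycloak mappers described emit `username` and `email`), in basic NameFormat and with a non-empty value. The SAML response below is constructed for the example; parsing uses only the Python standard library.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"


def assertion_attributes(xml_text):
    """Map each saml:Attribute Name to (NameFormat, [values]) across all AttributeStatements."""
    root = ET.fromstring(xml_text)
    found = {}
    for attr in root.iter("{%s}Attribute" % SAML_NS):
        values = [v.text or "" for v in attr.findall("{%s}AttributeValue" % SAML_NS)]
        found[attr.get("Name")] = (attr.get("NameFormat"), values)
    return found


def check_login_attribute(xml_text, login_attribute):
    """Return (ok, detail): ok is False when the attribute named by
    SOGoSAML2LoginAttribute is absent, not basic-format, or empty; detail
    lists what the assertion carries so mapper and SOGo setting can be compared."""
    attrs = assertion_attributes(xml_text)
    if login_attribute not in attrs:
        return False, "%r missing; assertion carries %s" % (login_attribute, sorted(attrs))
    name_format, values = attrs[login_attribute]
    if name_format not in (None, BASIC_FORMAT):
        return False, "%r has NameFormat %r, expected basic" % (login_attribute, name_format)
    if not values or not values[0].strip():
        return False, "%r present but has no value" % login_attribute
    return True, values[0].strip()


# Constructed sample, shaped like the username/email mappers described in the thread.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>kenny</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>kenny@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    # "mail" is what the posted config sets; the mappers emit "username" and "email".
    for wanted in ("mail", "username"):
        print(wanted, "->", check_login_attribute(SAMPLE_RESPONSE, wanted))
```

Feed it the decoded SAMLResponse captured from the browser's POST to /SOGo/saml2-signon-post together with the value of SOGoSAML2LoginAttribute; a `missing` result means the IdP mapper name and the SOGo setting disagree.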
