Hello everybody,

We are trying to configure SAML2 authentication with SOGo. We have tried everything we had in mind but without success.

In this message we attach a text file with all the configurations and logs we got, and we also attach all the steps done in order to get the result.

We will appreciate very much any help.

-- 
*Roger Garcia*
934 76 69 10
618 24 67 33
<http://www.datalab.es/>
Legal Notice <http://www.datalab.es/cont_cas/legal.html>

-- 
[email protected]
https://inverse.ca/sogo/lists

# Report SOGo SAML2/ADFS issues

This report summarizes the issues found while we were trying to authenticate users using the SAML2 protocol. Our testbed has the specifications below:

- ADFS Server running in Windows 2012 R2 (SAML2 IdP Server)
- Debian 10 (buster) running SOGo 4.3.2 server with dovecot and postfix

We have tried using two types of SAML2 attributes: username and mail. The first one doesn't include the mail domain, the second includes (at) hostname. Examples:

- username: testuser
- email: [email protected]

We also provide the user database using AD/LDAP (it points to the same user storage as the SAML2 ADFS Server). Before trying SAML2 we checked the results using plain LDAP authentication and it was working like a charm.

## Behavior using the first approach (username)

sogo.conf contents:

```
{
  SOGoProfileURL = "postgresql://sogo:[email protected]:5432/sogo/sogo_user_profile";
  OCSFolderInfoURL = "postgresql://sogo:[email protected]:5432/sogo/sogo_folder_info";
  OCSSessionsFolderURL = "postgresql://sogo:[email protected]:5432/sogo/sogo_sessions_folder";
  SOGoLanguage = English;
  SOGoTimeZone = Europe/Madrid;
  SOGoMailDomain = example.com;
  SOGoIMAPServer = 127.0.0.1;
  SOGoDraftsFolderName = "Drafts";
  SOGoSentFolderName = "Sent Items";
  SOGoTrashFolderName = "Deleted Items";
  SOGoJunkFolderName = "Junk E-Mail";
  SOGoMailingMechanism = smtp;
  SOGoSMTPServer = 127.0.0.1;
  SOGoSuperUsernames = (support);
  SOGoPageTitle = SOGo;
  SOGoVacationEnabled = YES;
  SOGoForwardEnabled = YES;
  SOGoSieveScriptsEnabled = YES;
  SOGoSieveServer = sieve://127.0.0.1:4190;
  WOWorkersCount = 90;
  WOWatchDogRequestTimeout = 60;
  SOGoMaximumPingInterval = 3540;
  SOGoMaximumSyncInterval = 3540;
  SOGoInternalSyncInterval = 60;
  SOGoMaximumSyncResponseSize = 2048;
  SOGoMaximumSyncWindowSize = 32;
  SxVMemLimit = 512;
  SOGoAuthenticationType = saml2;
  SOGoSAML2PrivateKeyLocation = "/etc/letsencrypt/live/sogo-test.example.com/privkey.pem";
  SOGoSAML2CertificateLocation = "/etc/letsencrypt/live/sogo-test.example.com/cert.pem";
  SOGoSAML2IdpMetadataLocation = "/etc/sogo/FederationMetadata.xml";
  SOGoSAML2IdpPublicKeyLocation = "/etc/sogo/certs/adfs-xml.pem";
  SOGoSAML2IdpCertificateLocation = "/etc/sogo/certs/";
  SAML2ServerURLString = "https://sogo-test.example.com/";
  SOGoSAML2LoginAttribute = "username";
  NGImap4AuthMechanism = PLAIN;
  SOGoForceExternalLoginWithEmail = YES;
  SOGoUserSources = (
    {
      type = ldap;
      CNFieldName = displayName;
      IDFieldName = cn;
      UIDFieldName = sAMAccountName;
      bindFields = (sAMAccountName);
      baseDN = "ou=Central,dc=hq,dc=example,dc=com";
      bindDN = "cn=ldapbrowser,cn=users,dc=hq,dc=example,dc=com";
      MailFieldNames = (mail);
      canAuthenticate = NO;
      displayName = "Shared Addresses";
      hostname = "192.168.201.10";
      id = public;
      isAddressBook = YES;
      port = 389;
    }
  );
}
```

Steps:

1. Open Mozilla Firefox Browser and point to sogo-test.example.com
2. SOGo redirects our session to IdP (ADFS)
3. ADFS asks our credentials
4. ADFS returns to SOGo with one assertion
5. SOGo logs some error entries (liblasso related) and finally returns a 501 Error Code

Decrypted SAML2 assertion:

```
<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                ID="_ad0d0b67-fb9a-4488-9d9c-2a9907fa5a81" Version="2.0"
                IssueInstant="2021-01-14T15:02:55.314Z"
                Destination="https://sogo-test.example.com/SOGo/saml2-signon-post"
                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                InResponseTo="_F0F3974B0C13F5EB99BECC7EEBBB07F6">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.example.com/adfs/services/trust</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
             ID="_9ad6304d-0465-4cae-bb45-29553aba33b8"
             IssueInstant="2021-01-14T15:02:55.314Z" Version="2.0">
    <Issuer>http://adfs.example.com/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_9ad6304d-0465-4cae-bb45-29553aba33b8">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>r/w7LmIOliL5HL/zjXB2BZNl4Ao=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>IgtyBHwUh2hTqfzrlNYm0MF/yfSiO3n4IVpOefoyNlbyUJm/O+4HytJZftdXhw4xZRkI/zF4MMjpjwhS0ibunbDJ+GUSe772Ft3HxN1zkIaIbCfHWj1miKoZCI2teSdCJiLJHc891yvJViVVQF71lLTJ8Q5sO8JzPpsf/k3m2MSc4gE6ti0MuWpD98/FzJt74V3p366Z+CcrzdihNE0QGg9azR1Oru70TNfESJPDCKqYLexFNfWp3z3sKUrl4wg5H5bpvjuM6wQa1ZVPak9zp5mYojWcxKr5WG7cZXCKG+dnf359dhPzjswSCpvQ9kPyOEUU3I2kDGye1lzILlZpWg==</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>[certificate omitted]</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">testuser</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="_F0F3974B0C13F5EB99BECC7EEBBB07F6"
                                 NotOnOrAfter="2021-01-14T15:07:55.314Z"
                                 Recipient="https://sogo-test.example.com/SOGo/saml2-signon-post"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2021-01-14T15:02:55.298Z" NotOnOrAfter="2021-01-14T16:02:55.298Z">
      <AudienceRestriction>
        <Audience>https://sogo-test.example.com/SOGo/saml2-metadata</Audience>
      </AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute Name="username">
        <AttributeValue>testuser</AttributeValue>
      </Attribute>
      <Attribute Name="email">
        <AttributeValue>[email protected]</AttributeValue>
      </Attribute>
    </AttributeStatement>
    <AuthnStatement AuthnInstant="2021-01-14T15:02:55.220Z" SessionIndex="_9ad6304d-0465-4cae-bb45-29553aba33b8">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>
```

SOGo log:

```
Jan 14 16:02:37 sogod [10618]: 192.168.200.83 "GET /SOGo HTTP/1.1" 302 0/0 0.010 - - 0
(process:10618): Lasso-CRITICAL **: 16:02:55.589: 2021-01-14 16:02:55 (profile.c/:939) Trying to unref a non GObject pointer file=profile.c:939 pointerbybname=profile->identity pointer=0x564f1b6f2500
(process:10618): Lasso-CRITICAL **: 16:02:55.589: 2021-01-14 16:02:55 (profile.c/:942) Trying to unref a non GObject pointer file=profile.c:942 pointerbybname=profile->session pointer=0x564f1b7ebdb0
Jan 14 16:02:55 sogod [10618]: 192.168.200.83 "POST /SOGo/saml2-signon-post HTTP/1.1" 302 0/10449 0.122 - - 852K
(process:10618): GLib-GObject-CRITICAL **: 16:02:55.599: g_object_ref: assertion 'G_IS_OBJECT (object)' failed
(process:10618): GLib-GObject-CRITICAL **: 16:02:55.606: g_object_ref: assertion 'G_IS_OBJECT (object)' failed
Jan 14 16:02:55 sogod [10618]: 192.168.200.83 "GET /SOGo/testuser HTTP/1.1" 302 0/0 0.016 - - 0
(process:10618): Lasso-CRITICAL **: 16:02:55.781: 2021-01-14 16:02:55 (profile.c/:939) Trying to unref a non GObject pointer file=profile.c:939 pointerbybname=profile->identity pointer=0x564f1b6db430
(process:10618): Lasso-CRITICAL **: 16:02:55.781: 2021-01-14 16:02:55 (profile.c/:942) Trying to unref a non GObject pointer file=profile.c:942 pointerbybname=profile->session pointer=0x564f1b7ad4f0
Jan 14 16:02:55 sogod [10618]: 192.168.200.83 "POST /SOGo/saml2-signon-post HTTP/1.1" 302 0/10449 0.059 - - 0
(process:10618): GLib-GObject-CRITICAL **: 16:02:55.789: g_object_ref: assertion 'G_IS_OBJECT (object)' failed
(process:10618): GLib-GObject-CRITICAL **: 16:02:55.791: g_object_ref: assertion 'G_IS_OBJECT (object)' failed
Jan 14 16:02:55 sogod [10618]: 192.168.200.83 "GET /SOGo/testuser HTTP/1.1" 302 0/0 0.010 - - 0
(process:10618): Lasso-CRITICAL **: 16:02:55.904: 2021-01-14 16:02:55 (profile.c/:939) Trying to unref a non GObject pointer file=profile.c:939 pointerbybname=profile->identity pointer=0x564f1b6f2500
(process:10618): Lasso-CRITICAL **: 16:02:55.904: 2021-01-14 16:02:55 (profile.c/:942) Trying to unref a non GObject pointer file=profile.c:942 pointerbybname=profile->session pointer=0x564f1afb84f0
Jan 14 16:02:55 sogod [10618]: 192.168.200.83 "POST /SOGo/saml2-signon-post HTTP/1.1" 302 0/10449 0.017 - - 0
(process:10618): GLib-GObject-CRITICAL **: 16:02:55.912: g_object_ref: assertion 'G_IS_OBJECT (object)' failed
(process:10618): GLib-GObject-CRITICAL **: 16:02:55.914: g_object_ref: assertion 'G_IS_OBJECT (object)' failed
Jan 14 16:02:55 sogod [10618]: 192.168.200.83 "GET /SOGo/testuser HTTP/1.1" 302 0/0 0.009 - - 0
(process:10618): Lasso-CRITICAL **: 16:02:56.097: 2021-01-14 16:02:56 (profile.c/:939) Trying to unref a non GObject pointer file=profile.c:939 pointerbybname=profile->identity pointer=0x564f1b81db20
(process:10618): Lasso-CRITICAL **: 16:02:56.097: 2021-01-14 16:02:56 (profile.c/:942) Trying to unref a non GObject pointer file=profile.c:942 pointerbybname=profile->session pointer=0x564f1afb86d0
Jan 14 16:02:56 sogod [10618]: 192.168.200.83 "POST /SOGo/saml2-signon-post HTTP/1.1" 302 0/10449 0.025 - - 0
(process:10618): GLib-GObject-CRITICAL **: 16:02:56.107: g_object_ref: assertion 'G_IS_OBJECT (object)' failed
(process:10618): GLib-GObject-CRITICAL **: 16:02:56.109: g_object_ref: assertion 'G_IS_OBJECT (object)' failed
Jan 14 16:02:56 sogod [10618]: 192.168.200.83 "GET /SOGo/testuser HTTP/1.1" 302 0/0 0.010 - - 0
(process:10618): Lasso-CRITICAL **: 16:02:56.240: 2021-01-14 16:02:56 (profile.c/:939) Trying to unref a non GObject pointer file=profile.c:939 pointerbybname=profile->identity pointer=0x564f1b81dec0
(process:10618): Lasso-CRITICAL **: 16:02:56.240: 2021-01-14 16:02:56 (profile.c/:942) Trying to unref a non GObject pointer file=profile.c:942 pointerbybname=profile->session pointer=0x564f1b7ad490
Jan 14 16:02:56 sogod [10618]: 192.168.200.83 "POST /SOGo/saml2-signon-post HTTP/1.1" 302 0/10449 0.025 - - 0
(process:10618): GLib-GObject-CRITICAL **: 16:02:56.248: g_object_ref: assertion 'G_IS_OBJECT (object)' failed
(process:10618): GLib-GObject-CRITICAL **: 16:02:56.250: g_object_ref: assertion 'G_IS_OBJECT (object)' failed
Jan 14 16:02:56 sogod [10618]: 192.168.200.83 "GET /SOGo/testuser HTTP/1.1" 302 0/0 0.010 - - 0
(process:10618): Lasso-CRITICAL **: 16:02:56.371: 2021-01-14 16:02:56 (profile.c/:939) Trying to unref a non GObject pointer file=profile.c:939 pointerbybname=profile->identity pointer=0x564f1b81e070
(process:10618): Lasso-CRITICAL **: 16:02:56.371: 2021-01-14 16:02:56 (profile.c/:942) Trying to unref a non GObject pointer file=profile.c:942 pointerbybname=profile->session pointer=0x564f1afb85b0
Jan 14 16:02:56 sogod [10618]: 192.168.200.83 "POST /SOGo/saml2-signon-post HTTP/1.1" 302 0/10449 0.030 - - 0
(process:10618): GLib-GObject-CRITICAL **: 16:02:56.380: g_object_ref: assertion 'G_IS_OBJECT (object)' failed
(process:10618): GLib-GObject-CRITICAL **: 16:02:56.382: g_object_ref: assertion 'G_IS_OBJECT (object)' failed
Jan 14 16:02:56 sogod [10618]: 192.168.200.83 "GET /SOGo/testuser HTTP/1.1" 302 0/0 0.011 - - 0
2021-01-14 16:02:56.490 sogod[10618:10618] EXCEPTION: <NSException: 0x564f1b83ac60> NAME:LassoProfileErrorStatusNotSuccess REASON:Status code is not success INFO:(null)
Jan 14 16:02:56 sogod [10618]: 192.168.200.83 "POST /SOGo/saml2-signon-post HTTP/1.1" 501 0/4917 0.003 - - 0
```

## Behavior using the second approach (email)

sogo.conf:

```
{
  SOGoProfileURL = "postgresql://sogo:[email protected]:5432/sogo/sogo_user_profile";
  OCSFolderInfoURL = "postgresql://sogo:[email protected]:5432/sogo/sogo_folder_info";
  OCSSessionsFolderURL = "postgresql://sogo:[email protected]:5432/sogo/sogo_sessions_folder";
  SOGoLanguage = English;
  SOGoTimeZone = Europe/Madrid;
  SOGoMailDomain = example.com;
  SOGoIMAPServer = 127.0.0.1;
  SOGoDraftsFolderName = "Drafts";
  SOGoSentFolderName = "Sent Items";
  SOGoTrashFolderName = "Deleted Items";
  SOGoJunkFolderName = "Junk E-Mail";
  SOGoMailingMechanism = smtp;
  SOGoSMTPServer = 127.0.0.1;
  SOGoSuperUsernames = (support);
  SOGoPageTitle = SOGo;
  SOGoVacationEnabled = YES;
  SOGoForwardEnabled = YES;
  SOGoSieveScriptsEnabled = YES;
  SOGoSieveServer = sieve://127.0.0.1:4190;
  WOWorkersCount = 90;
  WOWatchDogRequestTimeout = 60;
  SOGoMaximumPingInterval = 3540;
  SOGoMaximumSyncInterval = 3540;
  SOGoInternalSyncInterval = 60;
  SOGoMaximumSyncResponseSize = 2048;
  SOGoMaximumSyncWindowSize = 32;
  SxVMemLimit = 512;
  SOGoAuthenticationType = saml2;
  SOGoSAML2PrivateKeyLocation = "/etc/letsencrypt/live/sogo-test.example.com/privkey.pem";
  SOGoSAML2CertificateLocation = "/etc/letsencrypt/live/sogo-test.example.com/cert.pem";
  SOGoSAML2IdpMetadataLocation = "/etc/sogo/FederationMetadata.xml";
  SOGoSAML2IdpPublicKeyLocation = "/etc/sogo/certs/adfs-xml.pem";
  SOGoSAML2IdpCertificateLocation = "/etc/sogo/certs/";
  SAML2ServerURLString = "https://sogo-test.example.com/";
  SOGoSAML2LoginAttribute = "email";
  NGImap4AuthMechanism = PLAIN;
  SOGoForceExternalLoginWithEmail = YES;
  SOGoUserSources = (
    {
      type = ldap;
      CNFieldName = displayName;
      IDFieldName = cn;
      UIDFieldName = sAMAccountName;
      baseDN = "ou=Central,dc=hq,dc=example,dc=com";
      bindDN = "cn=ldapbrowser,cn=users,dc=hq,dc=example,dc=com";
      bindFields = (sAMAccountName);
      bindPassword = "passw0rd";
      MailFieldNames = (mail);
      canAuthenticate = NO;
      displayName = "Shared Addresses";
      hostname = "192.168.201.10";
      id = public;
      isAddressBook = YES;
      port = 389;
    }
  );
}
```

Steps:

1. Open Mozilla Firefox Browser and point to sogo-test.example.com
2. SOGo redirects our session to IdP (ADFS)
3. ADFS asks our credentials
4. ADFS returns to SOGo with one assertion (identical to the previous test)
5. SOGo logs an index array error related to the login attribute and immediately returns a 501 Error Code

sogo.log:

```
Jan 14 16:43:02 sogod [21567]: 192.168.200.83 "GET /SOGo HTTP/1.1" 302 0/0 0.078 - - 6M
2021-01-14 16:43:29.888 sogod[21567:21567] EXCEPTION: <NSException: 0x556125fa7fa0> NAME:NSInvalidArgumentException REASON:Tried to add nil value for key 'login' to dictionary INFO:{}
Jan 14 16:43:29 sogod [21567]: 192.168.200.83 "POST /SOGo/saml2-signon-post HTTP/1.1" 501 0/10449 0.021 - - 0
```
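As an added example (not part of the original post, and not SOGo or lasso code), the checks a service provider has to make on a decrypted response like the one above, run over a constructed sample modelled on that assertion: validity window, Audience, Recipient/InResponseTo, the signature algorithm, and a lookup of whichever attribute name is configured as SOGoSAML2LoginAttribute, reporting plainly when it is absent instead of producing a nil login. `SAMPLE` (its IDs, times and e-mail address), `check_response` and `check_sample` are constructed for this illustration; only the SP URLs and attribute names come from the report.

```python
"""Check a decrypted SAML2 Response as a service provider must before trusting it: validity
window, audience, recipient/InResponseTo, signature algorithm and the login attribute."""
from datetime import datetime
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SP = "https://sogo-test.example.com/SOGo"  # SP base URL from the report's configuration
# Constructed sample modelled on the report's assertion (made-up IDs, times and e-mail; signature value/cert omitted)
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
 ID="_r1" Version="2.0" InResponseTo="_q1" Destination="{SP}/saml2-signon-post"><saml:Assertion ID="_a1" Version="2.0">
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{NS['ds']}rsa-sha1"/></ds:SignedInfo></ds:Signature>
 <saml:Subject><saml:NameID>testuser</saml:NameID><saml:SubjectConfirmation><saml:SubjectConfirmationData
 InResponseTo="_q1" NotOnOrAfter="2021-01-14T15:07:55Z" Recipient="{SP}/saml2-signon-post"/>
 </saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2021-01-14T15:02:55Z" NotOnOrAfter="2021-01-14T16:02:55Z">
 <saml:AudienceRestriction><saml:Audience>{SP}/saml2-metadata</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement><saml:Attribute Name="username"><saml:AttributeValue>testuser</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="email"><saml:AttributeValue>testuser@example.com</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def _ts(s):  # SAML timestamps are UTC with a trailing Z
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def check_response(xml_text, login_attribute, request_id, now):
    """Return (login value or None, problems). Signature *verification* is left to the SAML
    library (lasso, in SOGo's case); this flags a weak algorithm and the claims an SP must check."""
    a = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if a is None:
        return None, ["no Assertion element (still encrypted, or missing)"]
    problems, cond = [], a.find("saml:Conditions", NS)
    if cond is None or not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        problems.append("outside Conditions validity window")
    if f"{SP}/saml2-metadata" not in [e.text for e in a.iterfind(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]:
        problems.append("Audience does not name this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != f"{SP}/saml2-signon-post"
            or scd.get("InResponseTo") != request_id or now >= _ts(scd.get("NotOnOrAfter"))):
        problems.append("SubjectConfirmationData recipient/InResponseTo/expiry mismatch")
    alg = a.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if alg is not None and alg.get("Algorithm", "").endswith("sha1"):
        problems.append("assertion signed with RSA-SHA1; prefer RSA-SHA256 on the IdP")
    attrs = {e.get("Name"): e.findtext("saml:AttributeValue", None, NS)
             for e in a.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    login = attrs.get(login_attribute)  # None, never a silent nil, when the attribute is absent
    if login is None:
        problems.append(f"login attribute {login_attribute!r} absent; assertion carries {sorted(attrs)}")
    return login, problems

def check_sample(login_attribute, at="2021-01-14T15:03:00Z"):
    return check_response(SAMPLE, login_attribute, "_q1", _ts(at))
```

Calling `check_sample("mail")` shows the kind of message a misnamed login attribute should produce, while `check_sample("username", at="2021-01-14T17:00:00Z")` shows the same assertion rejected once its window has passed.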
