On 8/10/24 02:27, Anton Hvornum wrote:
On 8/9/24 22:59, Anton Hvornum ([email protected]) wrote:
I've attempted to get SAML login working using the following guide: https://bluntlab.space/posts/sogo-saml-keycloak/. Currently I'm running apache, memcached, sogo and postgresql in a docker compose environment while keycloak, postfix and dovecot are running externally.

This is an excerpt from sogo.conf:

```
SOGoCacheCleanupInterval = 3600;
SOGoAuthenticationType = saml2;
NGImap4AuthMechanism = SAML;
SOGoSAML2IdpMetadataLocation = "/etc/sogo/idp-metadata.xml";
SOGoSAML2PrivateKeyLocation = "/etc/sogo/saml.privkey.pem";
SOGoSAML2CertificateLocation = "/etc/sogo/saml.cert.pem";
// SOGoSAML2IdpPublicKeyLocation = "/etc/sogo/idp.key";
// SOGoSAML2IdpCertificateLocation = "/etc/sogo/idp.crt";
SOGoSAML2LoginAttribute = "username";
SOGoSAML2LogoutEnabled = YES;
SOGoSAML2LogoutURL = "https://sogo.domain.com";
```

When visiting https://sogo.domain.com/SOGo I get redirected to the keycloak realm SSO prompt, credentials are accepted and it redirects me back to what I configured in KeyCloak to be "Assertion Consumer Service POST Binding URL": https://sogo.domain.com:443/SOGo/saml2-signon-post

But once there, I keep hitting:

```
sogod [11]: 192.168.0.10 "GET /SOGo HTTP/1.1" 302 0/0 0.002 - - 0 - 11
sogod [11]: |SOGo| starting method 'POST' on uri '/SOGo/saml2-signon-post'
sogod [11]: |SOGo| traverse(acquire): SOGo => saml2-signon-post
sogod [11]: |SOGo|   do traverse name: 'SOGo'
sogod [11]: |SOGo|   do traverse name: 'saml2-signon-post'
sogod [11]: |SOGo| set clientObject: <SOGo[0x0x5a13bcaa3e80]: name=SOGo>
sogod[11:11] EXCEPTION: <NSException: 0x5a13bcc7dd10> NAME:NSInvalidArgumentException REASON:Tried to add nil value for key 'login' to dictionary INFO:{}

```

Any idea why SOGo (or is it a library like lasso) would generate "Tried to add nil value for key 'login' to dictionary INFO:{}"?

//Anton

From my limited ability to debug Objective-C, it appears that the error is caused by: https://github.com/Alinto/sogo/blob/b602b2b188ce6c331875450c6b1dbe48240f4ff7/UI/MainUI/SOGoSAML2Actions.m#L176
```
newSession = [SOGoSAML2Session SAML2SessionInContext: context];
[newSession processAuthnResponse: [rq formValueForKey: @"SAMLResponse"]];
login = [newSession login];
```

Where `[newSession login]` is `nil`?
My next obsession is going to be guessing what could be missing in the SAML response from keycloak. Here's the post-back data from keycloak: https://0x0.st/XWZs.txt

//Anton

I also keep getting:
```
(process:907): Lasso-CRITICAL **: 11:28:20.078: 2024-08-10 11:28:20 (profile.c/:913) Trying to unref a non GObject pointer file=profile.c:913 pointerbybname=profile->identity pointer=0x5f5b99c00e40
(process:907): Lasso-CRITICAL **: 11:28:20.078: 2024-08-10 11:28:20 (profile.c/:916) Trying to unref a non GObject pointer file=profile.c:916 pointerbybname=profile->session pointer=0x5f5b99cb6ae0
```

And in a production container I get coredumped:
```
2024-08-10 12:05:10.867 sogod[34:34] PG0x0x5e19c98edae0 SQL: COMMIT TRANSACTION

(process:34): Lasso-CRITICAL **: 12:05:10.886: 2024-08-10 12:05:10 (profile.c/:913) Trying to unref a non GObject pointer file=profile.c:913 pointerbybname=profile->identity pointer=0x5e19ca0f5d90
2024-08-10 12:05:11.077 sogod[28:28] INFO(-[NGActiveSocket isAlive]) poll(): fd=7 revents=0x0011)
Aug 10 12:05:11 sogod [28]: <0x0x5e19c9ccd250[WOWatchDogChild]> child 34 exited
Aug 10 12:05:11 sogod [28]: <0x0x5e19c9ccd250[WOWatchDogChild]>  (terminated due to signal 11, coredump)
```

Which according to some bug reports should already be handled:
- https://bugs.sogo.nu//view.php?id=5153
- https://bugs.sogo.nu/view.php?id=5270
- https://bugs.sogo.nu/view.php?id=5153

The exception appears to happen only for the two keys in `lassoLogin` that have been "dumped" or loaded from a string: https://github.com/Alinto/sogo/blob/b602b2b188ce6c331875450c6b1dbe48240f4ff7/SoObjects/SOGo/SOGoSAML2Session.m#L354-L362

And while debugging, with my limited knowledge, it looks like I get a segfault right after the response is being sent.

```
gdb \
  -ex 'set breakpoint pending on' \
  -ex 'break SOGoSAML2Actions.m:174' \
  -ex 'run' \
  --args /usr/bin/sogod -WOUseWatchDog NO -SOGoDebugRequests YES -WONoDetach YES -WOPort 0.0.0.0:20000 -WOWorkersCount 1 -WOLogFile - -WOPidFile /tmp/sogo.pid
```
Generates:
```
Aug 10 11:57:30 sogod [271]: |SOGo| WOHttpAdaptor listening on address 0.0.0.0:20000
Aug 10 11:57:31 sogod [271]: |SOGo| starting method 'POST' on uri '/SOGo/saml2-signon-post'
Aug 10 11:57:31 sogod [271]: <0x0x582dab9c4650[SOGoCache]> Cache cleanup interval set every 3600.000000 seconds
Aug 10 11:57:31 sogod [271]: <0x0x582dab9c4650[SOGoCache]> Using host(s) 'memcached:11211' as server(s)
Aug 10 11:57:31 sogod [271]: |SOGo| traverse(acquire): SOGo => saml2-signon-post
Aug 10 11:57:31 sogod [271]: |SOGo|   do traverse name: 'SOGo'
Aug 10 11:57:31 sogod [271]: |SOGo|   do traverse name: 'saml2-signon-post'
Aug 10 11:57:31 sogod [271]: |SOGo| set clientObject: <SOGo[0x0x582dab9cb550]: name=SOGo>

Breakpoint 1, -[SOGoSAML2Actions saml2SignOnPOSTAction] (self=0x582dabbea890, _cmd=0x582dabb12e90) at /usr/src/debug/sogo/SOGo-5.10.0/UI/MainUI/SOGoSAML2Actions.m:174
174          newSession = [SOGoSAML2Session SAML2SessionInContext: context];
(gdb) next
175          [newSession processAuthnResponse: [rq formValueForKey: @"SAMLResponse"]];
176          login = [newSession login];
178          application = [SoApplication application];
179          auth = [application authenticatorInContext: context];
182                                      inContext: context];
181                                    andPassword: [newSession identifier]
182                                      inContext: context];
2024-08-10 11:57:42.261 sogod[271:271] PostgreSQL72 connection established: <0x0x582dabcc6000[PGConnection]: connection=0x0x582dabcb4c30>
2024-08-10 11:57:42.261 sogod[271:271] PostgreSQL72 channel 0x0x582dabcb8840 opened (connection=<0x0x582dabcc6000[PGConnection]: connection=0x0x582dabcb4c30>, count=2)
2024-08-10 11:57:42.262 sogod[271:271] PG0x0x582dabcb8840 SQL: BEGIN TRANSACTION
2024-08-10 11:57:42.262 sogod[271:271] PG0x0x582dabcb8840 SQL: SELECT t1.c_creationdate, t1.c_id, t1.c_lastseen, t1.c_value FROM sogo_sessions_folder t1 WHERE t1.c_id='Gq...+62v'
2024-08-10 11:57:42.263 sogod[271:271] PG0x0x582dabcb8840 SQL: ROLLBACK TRANSACTION
2024-08-10 11:57:42.263 sogod[271:271] PG0x0x582dab5d4ae0 SQL: BEGIN TRANSACTION
2024-08-10 11:57:42.263 sogod[271:271] PG0x0x582dab5d4ae0 SQL: INSERT INTO sogo_sessions_folder (c_lastseen, c_creationdate, c_value, c_id) VALUES (1723283862, 1723283862, '91R...EmI', 'Gq...+62v')
2024-08-10 11:57:42.264 sogod[271:271] PG0x0x582dab5d4ae0 SQL: COMMIT TRANSACTION
185          creds = [auth parseCredentials: [authCookie value]];
187                                          value: [[SOGoSession valueForSessionKey: [creds lastObject]] asSHA1String]];
188          [xsrfCookie setPath: [NSString stringWithFormat: @"/%@/", [[context request] applicationName]]];
189          [response addCookie: xsrfCookie];
191          oldLocation = [[context clientObject] baseURLInContext: context];
193                                  oldLocation, [login stringByEscapingURL]];
195          [response setStatus: 302];
196          [response setHeader: newLocation forKey: @"location"];
197          [response addCookie: authCookie];
205      return response;
206    }
-[SoActionInvocation callOnObject:withPositionalParametersWhenNotNil:inContext:] (self=<optimized out>, _cmd=<optimized out>, _client=<optimized out>, _positionalArgs=0x0, _ctx=0x582dab9d1b90)
    at SoObjects/SoActionInvocation.m:310
310      result = [result retain];
311      [method release]; method = nil;
312      return [result autorelease];
0x00007e26c476bb40 in ?? () from /usr/lib/libgnustep-base.so.1.29
Cannot find bounds of current function
Cannot find bounds of current function
Cannot find bounds of current function
(gdb) c
Continuing.

(process:271): Lasso-CRITICAL **: 11:57:50.259: 2024-08-10 11:57:50 (profile.c/:913) Trying to unref a non GObject pointer file=profile.c:913 pointerbybname=profile->identity pointer=0x582dabcb4de0

Program received signal SIGSEGV, Segmentation fault.
0x00007e26c3fb1f81 in g_type_check_instance_is_fundamentally_a () from /usr/lib/libgobject-2.0.so.0
```

Any guidance or assistance here would be greatly appreciated as I'm way out in deep water.
My two main concerns are:

- What's missing from KeyCloak or what fields/data are wrong in the SAML2 response that could cause this
- How do I patch the lassoLogin data to not cause coredump/critical errors

//Anton
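The "Tried to add nil value for key 'login'" exception traced above and the open question of what might be missing from the Keycloak response both hinge on whether the assertion actually carries the attribute named in `SOGoSAML2LoginAttribute`. The script below is an added diagnostic, not part of the original mail and not SOGo's, lasso's or Keycloak's code: it decodes a `SAMLResponse` form value, lists the assertion's attributes, and reports whether the configured login attribute (`"username"`, from the sogo.conf excerpt) is present, along with two conditions that would hide it from a plaintext parser (an `EncryptedAssertion`) or explain an empty login (a non-Success status). It assumes SOGo resolves the login from an assertion attribute with exactly that `Name`; the sample responses are constructed and unsigned, and the script deliberately performs no signature verification, so it is only for inspecting a captured response, never for accepting one.

```python
"""Inspect a SAML2 POST-binding response for the attribute SOGo expects as login.

Added diagnostic (not SOGo/Keycloak code). Sample responses are constructed;
the attribute name "username" mirrors SOGoSAML2LoginAttribute in the mail.
No signature check is done here: this is a debugging aid, not validation.
"""
import base64
import json
import xml.etree.ElementTree as ET
from typing import Optional

# Standard SAML 2.0 namespaces used in the XPath lookups below.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def decode_saml_response(b64_response: str) -> ET.Element:
    """Decode the base64 SAMLResponse form value into an XML element tree."""
    return ET.fromstring(base64.b64decode(b64_response))


def assertion_attributes(root: ET.Element) -> dict:
    """Map attribute Name -> list of values across all AttributeStatements."""
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def diagnose(b64_response: str, login_attribute: str) -> dict:
    """Report the fields relevant to SOGo's login lookup.

    'login' is None when the configured attribute is absent from the plaintext
    assertion, which is the situation that would leave [newSession login] nil
    (assumption about SOGo's lookup, based on the config key's meaning).
    """
    root = decode_saml_response(b64_response)
    status = root.find(".//samlp:Status/samlp:StatusCode", NS)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    encrypted = root.find(".//saml:EncryptedAssertion", NS) is not None
    attrs = assertion_attributes(root)
    login_values = attrs.get(login_attribute, [])
    return {
        "status_code": status.get("Value") if status is not None else None,
        "name_id": name_id.text if name_id is not None else None,
        "encrypted_assertion": encrypted,  # attributes invisible without decryption
        "attributes": attrs,
        "login": login_values[0] if login_values else None,
    }


def sample_response(attribute_name: Optional[str]) -> str:
    """Build a constructed, unsigned Success response; None omits attributes."""
    attr_xml = ""
    if attribute_name is not None:
        attr_xml = (
            "<saml:AttributeStatement>"
            f'<saml:Attribute Name="{attribute_name}">'
            "<saml:AttributeValue>anton</saml:AttributeValue>"
            "</saml:Attribute></saml:AttributeStatement>"
        )
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        "<samlp:Status><samlp:StatusCode "
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0">'
        "<saml:Subject><saml:NameID>anton</saml:NameID></saml:Subject>"
        f"{attr_xml}"
        "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    # A response whose attribute is named "uid" instead of "username": the
    # NameID is fine but 'login' comes back None, exactly the case to look for.
    print(json.dumps(diagnose(sample_response("uid"), "username"), indent=2))
```

To check a real capture such as the post-back data linked in the mail, pass the raw `SAMLResponse` form value to `diagnose(value, "username")`: an `attributes` map that lacks a `username` key (or an `encrypted_assertion` of `True`) points at the Keycloak client mapper configuration rather than at SOGo.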
