[SOGo] SOGo + Dovecot + Keycloak + Apache + libapache2-mod-auth-openidc -> working setup
Hi, after trying to get SAML working with dovecot without success for several days I tried a different approach today. Instead of using SAML I switched to the libapache2-mod-auth-openidc module. I changed the apache sogo.conf to support the OIDC module with the settings below. Please note that you need to add some checks about valid claims, take a look at https://github.com/OpenIDC/mod_auth_openidc/wiki -> "Require claim sub:".

--- /etc/apache2/sites-available/sogo.conf ---
OIDCCryptoPassphrase "verylongsecret"
OIDCProviderMetadataURL https://auth.example.com/realms/master/.well-known/openid-configuration
OIDCRedirectURI http://sogo.example.com/redirect_uri
OIDCClientID SOGo
OIDCClientSecret random_client_secret
OIDCRemoteUserClaim email
OIDCScope "email openid"
OIDCAuthNHeader x-webobjects-remote-user
OIDCXForwardedHeaders X-Forwarded-Proto X-Forwarded-Port X-Forwarded-Host
OIDCRemoteUserClaim email
OIDCPassClaimsAs both

AuthType openid-connect
Require valid-user

http://127.0.0.1:2/SOGo>
# Add Basic Authorization
RequestHeader set "x-webobjects-auth-type" "Basic"
# Combine Username and Password with a colon ':' only when a valid access_token is available
RequestHeader set Authorization "%{OIDC_CLAIM_email}e:%{OIDC_access_token}e" env=OIDC_access_token
# Add the plain text 'Basic ' and the base64 encoded Username:access_token to the Authorization header
RequestHeader set Authorization "expr=Basic %{base64:%{HTTP:Authorization}}"
--- /etc/apache2/sites-available/sogo.conf ---

I removed every SOGoSAML2* config setting from /etc/sogo/sogo.conf and changed these settings:

SOGoTrustProxyAuthentication = YES;
NGImap4AuthMechanism = PLAIN;
SOGoForceExternalLoginWithEmail = YES;

You need to adjust dovecot to support the login via PLAIN. The access_token is stored as the password in the PLAIN authentication.
To support this make these changes:

--- /etc/dovecot/conf.d/auth-oauth2.conf.ext ---
auth_mechanisms = $auth_mechanisms plain
passdb {
  driver = oauth2
  mechanisms = plain
  args = /etc/dovecot/dovecot-oauth2.plain.conf.ext
}
---

Please note that I use local introspection_mode, you need to copy the keys required to validate the access_token to the directory /etc/dovecot/keys/. The required keys are logged when you enable full debug logs.

--- /etc/dovecot/dovecot-oauth2.plain.conf.ext ---
openid_configuration_url = https://auth.example.com/realms/master/.well-known/openid-configuration
introspection_mode = local
issuers = https://auth.example.com/realms/master
local_validation_key_dict = fs:posix:prefix=/etc/dovecot/keys/
client_id = dovecot
client_secret = random_client_secret
scope = email
username_attribute = email
username_format = %Ln
---

Since the access_token from keycloak will expire within a minute (the default) you should change the expire time to a higher value. This is required since I didn't know how to pass the refresh_token to dovecot to enable dovecot to renew the access_token from time to time... If someone has an idea I would really like to know.

And one very important piece of information: you need to configure a SOGoUserSources to enable a successful "c_uid" lookup. So create a table as SOGo requires and just put the email from the OIDC_CLAIM_email into the column "c_uid". I think this table isn't really needed, maybe I will make a patch to avoid creating such a table.

Hope this helps someone!
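The chain the post wires up, as an added example in Go that is not part of the post, of SOGo or of Dovecot: the Apache side turns the email claim and the access token into a Basic Authorization header, and the receiving side does what Dovecot's oauth2 passdb does with introspection_mode = local, namely split the credentials, verify the RS256 signature against a locally held key, check issuer and expiry, and reduce the email claim to the %Ln user name. The key pair, issuer and claims are constructed here (NewKey and MintToken stand in for the Keycloak side); real Keycloak tokens carry a kid header that selects one of the files in /etc/dovecot/keys/, which this example does not model. The example also refuses a token whose email claim differs from the Basic user name, a check the posted configuration does not make, and shows the failure the post runs into once the short access_token lifetime has passed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of the access token that the Dovecot oauth2 passdb relies on.
type Claims struct {
	Iss   string `json:"iss"`
	Exp   int64  `json:"exp"`
	Email string `json:"email"`
}

// NewKey makes a throwaway RSA key pair (constructed for this example; the real
// public key is what gets copied to /etc/dovecot/keys/).
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// MintToken stands in for Keycloak (constructed for this example only): it
// signs an RS256 JWT so that the verification below can run offline.
func MintToken(key *rsa.PrivateKey, c Claims) (string, error) {
	enc := base64.RawURLEncoding.EncodeToString
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	signingInput := enc(hdr) + "." + enc(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return signingInput + "." + enc(sig), err
}

// BasicHeader builds what the two RequestHeader lines in the Apache config
// build: "Basic " + base64("<OIDC_CLAIM_email>:<OIDC_access_token>").
func BasicHeader(email, accessToken string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(email+":"+accessToken))
}

// VerifyLocal does what introspection_mode = local asks of Dovecot: check the
// RS256 signature against the locally stored key, then issuer and expiry.
func VerifyLocal(token string, pub *rsa.PublicKey, issuer string, now time.Time) (Claims, error) {
	dec := base64.RawURLEncoding.DecodeString
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed JWT")
	}
	var hdr struct{ Alg string `json:"alg"` }
	hb, err1 := dec(parts[0])
	sig, err2 := dec(parts[2])
	if err1 != nil || err2 != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return Claims{}, errors.New("header unreadable or alg is not RS256") // never honour alg=none
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return Claims{}, errors.New("bad signature")
	}
	var c Claims // claims are only read once the signature is known to be good
	pb, err := dec(parts[1])
	switch {
	case err != nil || json.Unmarshal(pb, &c) != nil:
		return Claims{}, errors.New("claims unreadable")
	case c.Iss != issuer:
		return Claims{}, fmt.Errorf("issuer %q is not in issuers=", c.Iss)
	case !now.Before(time.Unix(c.Exp, 0)):
		return Claims{}, errors.New("access_token expired") // the short default lifetime the post runs into
	case c.Email == "":
		return Claims{}, errors.New("username_attribute email missing")
	}
	return c, nil
}

// Login is the receiving side: split the Basic credentials (a JWT never contains
// ':', so cutting at the first one is safe), validate the token as the password,
// apply username_format = %Ln, and also require that the Basic user name equals
// the token's email claim, a check the posted config does not make.
func Login(header string, pub *rsa.PublicKey, issuer string, now time.Time) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(header, "Basic "))
	user, token, ok := strings.Cut(string(raw), ":")
	if err != nil || !ok {
		return "", errors.New("unreadable Basic credentials")
	}
	c, err := VerifyLocal(token, pub, issuer, now)
	if err != nil {
		return "", err
	}
	if !strings.EqualFold(user, c.Email) {
		return "", errors.New("Basic user name does not match the email claim")
	}
	return strings.ToLower(strings.SplitN(c.Email, "@", 2)[0]), nil
}
```

With a key from NewKey, a token from MintToken for issuer https://auth.example.com/realms/master and email Alice@example.com, Login(BasicHeader("Alice@example.com", token), &key.PublicKey, issuer, time.Now()) returns "alice"; the same call with a clock ten minutes later returns the "access_token expired" error, which is the situation the post works around by raising the token lifetime in Keycloak. Two things worth checking while adapting the posted Apache fragment: the OIDCRedirectURI is given as plain http, and mod_auth_openidc requires it to match the redirect registered for the client in Keycloak exactly, so register and use the https form; and the "Require claim" check the post points to is what stops any user of the realm from reaching SOGo.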
Re: [SOGo] SAML login not working / Keycloak 21.1.1 / Debian bookworm
Hi, and again I added some debug prints to SOGoSAML2Session.m. Now the important part looks like

---
- (void) processAuthnResponse: (NSString *) authnResponse
  NSPrintErr(@"lasso_profile_get_identity:");
  lasso_identity = lasso_profile_get_identity (profile);
  if (lasso_identity)
    {
      dump = lasso_identity_dump (lasso_identity);
      nsDump = [NSString stringWithUTF8String: dump];
      NSPrintErr(@"nsDumpB: %@", nsDump);
      [saml2Dump setObject: nsDump forKey: @"identity"];
      NSPrintErr(@"identityAA: %@", nsDump);
      lasso_identity_destroy (lasso_identity);
      NSPrintErr(@"lasso_identity_destroy/post");
    }

  /* The format must be an NSString literal (@"..."): a bare C string is handed to
     initWithFormat: as if it were an object and crashes in objc_msg_lookup. */
  NSPrintErr(@"sharedCache/pre");
  [[SOGoCache sharedCache] setSaml2LoginDumps: saml2Dump forIdentifier: identifier];
  NSPrintErr(@"sharedCache/post");

  free (responseData);
}
---

Again I tried to log in, got redirected to keycloak (21.1.2, just upgraded today) and after coming back to sogo this gets logged:

---
lasso_profile_get_identity:
nsDumpB: xmlns="http://www.entrouvert.org/namespaces/lasso/0.0"; Version="2">xmlns:lasso="http://www.entrouvert.org/namespaces/lasso/0.0"; xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" RemoteProviderID="https://auth.example.com/realms/master"; FederationDumpVersion="2">Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">G-2594070f-2a5d-452d-8a25-97a59350d785
identityAA: xmlns="http://www.entrouvert.org/namespaces/lasso/0.0"; Version="2">xmlns:lasso="http://www.entrouvert.org/namespaces/lasso/0.0"; xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" RemoteProviderID="https://auth.example.com/realms/master"; FederationDumpVersion="2">Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">G-2594070f-2a5d-452d-8a25-97a59350d785
lasso_identity_destroy/post

Program received signal SIGSEGV, Segmentation fault.
0x77439d35 in objc_msg_lookup () from /lib/x86_64-linux-gnu/libobjc.so.4
(gdb) bt
#0 0x77439d35 in objc_msg_lookup () at /lib/x86_64-linux-gnu/libobjc.so.4
#1 0x76de9cb9 in () at /lib/libgnustep-base.so.1.28
#2 0x77f3d304 in NSPrintErr (format=0x77f526f6) at ./SoObjects/SOGo/SOGoSAML2Session.m:91
#3 0x77f3f4d9 in -[SOGoSAML2Session processAuthnResponse:] (self=0x55877870, _cmd=0x725e1a30 <_OBJC_SELECTOR_TABLE+720>, authnResponse=0x559906d0) at ./SoObjects/SOGo/SOGoSAML2Session.m:546
#4 0x725d6b39 in -[SOGoSAML2Actions saml2SignOnPOSTAction] (self=0x55e2a1a0, _cmd=0x55aa6510) at ./UI/MainUI/SOGoSAML2Actions.m:175
#5 0x7794cd31 in () at /lib/libNGObjWeb.so.4.9
#6 0x779ea252 in () at /lib/libNGObjWeb.so.4.9
---

I also tried to comment out the call to lasso_identity_destroy() but this didn't change the segfault. So I assume something gets messed up before. But now I really don't know how to get further on my own.

@users@sogo.nu: Any ideas?

PS: The NSPrintErr is this one and the segfault is the NSString line.

---
// print to stderr
static void NSPrintErr(NSString *format, ...)
{
  va_list args;
  va_start(args, format);
  NSString *string = [[NSString alloc] initWithFormat:format arguments:args];
  va_end(args);
  fprintf(stderr, "%s\n", [string UTF8String]);
  fflush(stderr);
#if !__has_feature(objc_arc)
  [string release];
#endif
}
---
Re: [SOGo] Has someone a working SAML configuration most optimal with Keycloak as IDP?
Hi,

> DISCLAIMER: I have zero knowledge of SAML!

Me too, I think, after trying for more than a week to get SOGo working with Keycloak...

> Having said that, there are two cases where people successfully used it, although not sure if they also used Keycloak.
> 1. https://www.mail-archive.com/users@sogo.nu/msg29860.html
> 2. https://marc.info/?l=sogo-users&m=147697076318929&w=2

I already found both posts (and many more). But I can't find a post that was written this year, and Keycloak changed a lot in the last years...
[SOGo] Has someone a working SAML configuration most optimal with Keycloak as IDP?
Hi, since I still have trouble getting SOGo 5.8.4 SAML login working with Keycloak 21.1.1, I wonder if someone has a working setup and is willing to share that configuration?
Re: [SOGo] SAML login not working / Keycloak 21.1.1 / Debian bookworm
Hi, first of all, thanks for the help.

> The profile.c is from the lasso module -> https://github.com/adieu/lasso/blob/master/lasso/saml-2.0/profile.c
> We need to find which lasso function in SOGoSAML2Session.m (I assume, it may be another file) is called and makes that error, then check the arguments given.

I try to find the mentioned function with these changes:

--- SOGoSAML2Session.m ---
- (id) _initWithDump: (NSDictionary *) saml2Dump
           inContext: (WOContext *) context
{
  lasso_error_t rc;
  LassoServer *server;
  LassoProfile *profile;
  const gchar *dump;

  if ((self = [self init]))
    {
      server = [SOGoSAML2Session lassoServerInContext: context];
      lassoLogin = lasso_login_new (server);
      if (saml2Dump)
        {
          profile = LASSO_PROFILE (lassoLogin);
          ASSIGN (login, [saml2Dump objectForKey: @"login"]);
          ASSIGN (identifier, [saml2Dump objectForKey: @"identifier"]);
          ASSIGN (assertion, [saml2Dump objectForKey: @"assertion"]);
          ASSIGN (identity, [saml2Dump objectForKey: @"identity"]);
          dump = [identity UTF8String];
          if (dump)
            {
              /* dump is a const gchar *, so it needs %s; %@ treats it as an
                 object and crashes inside GSFormat when the string is built. */
              NSLog(@"_initWithDump/identity/pre: %s", dump);
              lasso_profile_set_identity_from_dump (profile, dump);
              NSLog(@"_initWithDump/identity/post: %s", dump);
            }
---

---
Jun 28 09:00:30 sogod [831]: |SOGo| request took 0.102924 seconds to execute
Jun 28 09:00:30 sogod [831]: 79.140.187.148, 172.27.11.107 "POST /SOGo/saml2-signon-post HTTP/1.1" 302 0/12977 0.105 - - 692K - 12
Jun 28 09:00:30 sogod [831]: |SOGo| starting method 'GET' on uri '/SOGo//claas.hilbre...@linum.com'

Program received signal SIGSEGV, Segmentation fault.
0x77439d35 in objc_msg_lookup () from /lib/x86_64-linux-gnu/libobjc.so.4
(gdb) bt
#0 0x77439d35 in objc_msg_lookup () at /lib/x86_64-linux-gnu/libobjc.so.4
#1 0x76dc45cc in GSPrivateFormat (s=s@entry=0x7fffa9f0, format=format@entry=0x7fffaa30, ap=ap@entry=0x7fffbae0, locale=locale@entry=0x0) at ./Source/GSFormat.m:1869
#2 0x76de9d69 in -[GSPlaceholderString initWithFormat:locale:arguments:] (self=0x556ea340, _cmd=, format=out>, locale=0x0, argList=0x7fffbae0) at ./Source/GSString.m:1642
#3 0x76ec0674 in NSLogv (format=0x77fbf820 <_OBJC_INSTANCE_24.9>, args=0x7fffbae0) at ./Source/NSLog.m:425
#4 0x76ec09e9 in NSLog (format=) at ./Source/NSLog.m:297
#5 0x77f3e7ed in -[SOGoSAML2Session _initWithDump:inContext:] (self=0x55ddd350, _cmd=0x77fc01b0 <_OBJC_SELECTOR_TABLE+688>, saml2Dump=0x55746610, context=0x55ddce30) at ./SoObjects/SOGo/SOGoSAML2Session.m:372
#6 0x77f3eb31 in +[SOGoSAML2Session _SAML2SessionWithDump:inContext:] (self=0x77fbfd80 <_OBJC_Class_SOGoSAML2Session>, _cmd=0x77fc01d0 <_OBJC_SELECTOR_TABLE+720>, saml2Dump=0x55746610, context=0x55ddce30) at ./SoObjects/SOGo/SOGoSAML2Session.m:413
#7 0x77f3ec69 in +[SOGoSAML2Session SAML2SessionWithIdentifier:inContext:]
---
Re: [SOGo] SAML login not working / Keycloak 21.1.1 / Debian bookworm
Hi, I recompiled the sogo 5.8.4 package from Debian sid and added some NSLog outputs. So I can confirm that the SAML response is really ok and the content is fine. But it seems something in my setup is wrong.

SOGo writes the current session to the sogo_sessions_folder. This works fine, the content is stored in the mysql db. But after storing the session two errors get logged:

---
(process:20775): Lasso-CRITICAL **: 20:45:24.648: 2023-06-27 20:45:24 (profile.c/:913) Trying to unref a non GObject pointer file=profile.c:913 pointerbybname=profile->identity pointer=0x55c2ab612ec0
(process:20775): Lasso-CRITICAL **: 20:45:24.648: 2023-06-27 20:45:24 (profile.c/:916) Trying to unref a non GObject pointer file=profile.c:916 pointerbybname=profile->session pointer=0x55c2ab547c90
---

I can't find the profile.c source code for now, but I assumed sogo tried to read the user's profile from the table sogo_user_profile. But even after creating this entry

INSERT INTO `sogo_user_profile` (`c_uid`, `c_defaults`, `c_settings`) VALUES ('claas.hilbre...@example.com', '{}', '{}');

I still get the above error... So what am I missing?

---
Jun 27 18:45:24 sogod [20775]: 79.140.187.148, 172.27.11.107 "GET /SOGo//claas.hilbre...@example.com HTTP/1.1" 302 0/0 0.015 - - 0 - 13
Jun 27 18:45:24 sogod [20775]: |SOGo| starting method 'POST' on uri '/SOGo/saml2-signon-post'
2023-06-27 18:45:24.643 sogod[20775:20775] loginA: claas.hilbre...@example.com
2023-06-27 18:45:24.643 sogod[20775:20775] loginB: claas.hilbre...@example.com
2023-06-27 18:45:24.643 sogod[20775:20775] loginC: claas.hilbre...@example.com
2023-06-27 18:45:24.643 sogod[20775:20775] assertionA: xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_21fcb575-9d92-4539-889e-40cf22767fd0" IssueInstant="2023-06-27T18:45:24.511Z" Version="2.0">https://auth.example.com/realms/masterhttp://www.w3.org/2000/09/xmldsig#";>http://www.w3.org/2001/10/xml-exc-c14n#"/>http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>http://www.w3.org/2001/10/xml-exc-c14n#"/>http://www.w3.org/2001/04/xmlenc#sha256"/>KNo7JjLw1k6KyvJCzBkw6firW3TO2IvMr9Z+NiIeJqE=aDvUyS7iFXxi9ILF6byZeh1wbmqu2928G2KNa7zWGGEK0bDTv6udgHtoVnaBJ1+s4JE7G5QCBc/0KdmK+qveGwITcTXLSaSZHZuKfF3Nd1Q8HbA/m7YX9F0E8qFHBQkBCGvbSiR2Jttn2YXkGsxy+T455dV24Fl840KkM9ENiG4e2kHExHdM1aFMQbgBMxdJcWhBTkatnawBvSv5PpTvG8u0bU4UX7RlsdGnK+OnWCCe8tH1aKLUUaDRANuiEzroyVdBLbXEnmiYLru8QIx9ycckrx6NuIw6kNX73g07S5uQUS9fxemYs6BRNcHUHboL/aRPdq1XrgUDdBsTdDiFdQ==lW-L-g3kaWfrc5goQbcyY8W77J3- [...] G-2594070f-2a5d-452d-8a25-97a59350d785https://sogo.example.com/SOGo/saml2-signon-post"/>https://sogo.example.com/SOGo/saml2-metadataurn:oasis:names:tc:SAML:2.0:ac:classes:unspecifiedhttp://www.w3.org/2001/XMLSchema"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xsi:type="xs:string">claas.hilbre...@example.comhttp://www.w3.org/2001/XMLSchema"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xsi:type="xs:string">clahil
2023-06-27 18:45:24.643 sogod[20775:20775] identifierA: G-2594070f-2a5d-452d-8a25-97a59350d785
2023-06-27 18:45:24.645 sogod[20775:20775] SQL: BEGIN;
2023-06-27 18:45:24.646 sogod[20775:20775] query has no results.
2023-06-27 18:45:24.646 sogod[20775:20775] SQL: SELECT t1.c_creationdate, t1.c_id, t1.c_lastseen, t1.c_value FROM sogo_sessions_folder t1 WHERE t1.c_id='AY9zox6L6tlqhvTT';
2023-06-27 18:45:24.646 sogod[20775:20775] query has results, entering fetch-mode.
2023-06-27 18:45:24.646 sogod[20775:20775] SQL: ROLLBACK;
2023-06-27 18:45:24.646 sogod[20775:20775] query has no results.
2023-06-27 18:45:24.646 sogod[20775:20775] SQL: BEGIN;
2023-06-27 18:45:24.646 sogod[20775:20775] query has no results.
2023-06-27 18:45:24.646 sogod[20775:20775] SQL: INSERT INTO sogo_sessions_folder (c_lastseen, c_creationdate, c_value, c_id) VALUES (1687891524, 1687891524, '+6v3UAlzw1Uopz6KfBucDF/undxmEMWLRwYITYMMPL/WfB8aZiYjLw4LS+IqAGZDf4awmijbrXRySJkvBVBUMogRfM
Re: [SOGo] SAML login not working / Keycloak 21.1.1 / Debian bookworm
Hi, next update. After using the URL https://www.scottbrady91.com/tools/saml-parser to inspect my SAML response I'm pretty sure everything is fine. This site is able to display the SAML Response without any garbage.

Now I'm getting a little step further (after manually doing this query: ALTER TABLE sogo_sessions_folder MODIFY c_value VARCHAR(4096);)

---
Jun 26 18:45:21 sogod [2521]: |SOGo| starting method 'POST' on uri '/SOGo/saml2-signon-post'
2023-06-26 18:45:21.404 sogod[2521:2521] SQL: BEGIN;
2023-06-26 18:45:21.404 sogod[2521:2521] query has no results.
2023-06-26 18:45:21.404 sogod[2521:2521] SQL: SELECT t1.c_creationdate, t1.c_id, t1.c_lastseen, t1.c_value FROM sogo_sessions_folder t1 WHERE t1.c_id='+dm+GN1YY2Cu2LHI';
2023-06-26 18:45:21.405 sogod[2521:2521] query has results, entering fetch-mode.
2023-06-26 18:45:21.405 sogod[2521:2521] SQL: ROLLBACK;
2023-06-26 18:45:21.405 sogod[2521:2521] query has no results.
2023-06-26 18:45:21.405 sogod[2521:2521] SQL: BEGIN;
2023-06-26 18:45:21.405 sogod[2521:2521] query has no results.
2023-06-26 18:45:21.405 sogod[2521:2521] SQL: INSERT INTO sogo_sessions_folder (c_lastseen, c_creationdate, c_value, c_id) VALUES (1687805121, 1687805121, '[...] +ZGcWPVXC+mnpv4Kd3xBLgolTbA [...] aXbnkcpFuyit7pgY46JwPK4abL 98E/F/28xykxvGoy3GPs rzvTytl9q4FR0fc0sxrNIRHtzfQqea4OiTJK1TAsHIzBirYuaXbnkcpFuyit7pgY46JwPK4abL 9/FPpQzff1tZeAx/MOmMmoH9QB4SU8OnqwlqRU7nqmR96W8TPjcfH+WIn8hW1do1VbEsXHVv4UvNLKlO0D3tY+/pWjSixNdov1mA1I4sWx6RreZFe7qWV/FWJT189aMz2LtGhy/azD2jVQFpHtUNTPS7STf1t6LhNVWsDhCDwWq1Ie9u/8PtFd2Tx9GLbjK3jXS9M9SCBC1nSCjP+v8aqRyjVPpntTYYnXQ8QLLbTrUmGF4No7ZRcovuzXiot+3X+1MUl+HPQPREgxF99Q9WkRdtYJHyMaHUZEkd62k+W57FUASiaCGwBz2hEimfBaSAj7yd4XAGYWJ2ZqGsBC0ne9+EfsdEdSDMt3YyGYuOusTPklJqHDxjS2n8XEDZneD3ISxDaZWT/Ps2/0kl4RtptzdGKOLv5oU05bi5twFIl1YG19ie62wsMuUN40ZZlrYXpCbl66h+TL35W1eYrYnMgLqsdR9QwWGgjeOX4Do9w4WM7GsFIKb6edCfnxFNb0oUj6HOsKfJLgbOlAHdJOJnjrIsLTwqz0TKKGjItH2qFK7DW9hNyY7uqSxe/B8m7sXIS6zznJqog5iy/Isc7PKNH7lEwqZqmHPOvwA1MRG8tImFlsM8mabPUP1QE9qiRwOv5DQuLm3950Ov8WwKmsMNFdBzOIyEcP9kmGlqPDfk5qO/rEyzJBN75xMjN+Ojh7egyZ6uWJZmDMhnqiFBKpnUsXAMStcZNyqHYhA55BVoMQmEx3c7QNL9kREOfLBKyzSEfvScyodvieGeblibPRBLKLqCz0xsrTUYTpb3iLM+lCfd5nGnLpjrOi2uptD7jHkrd5HGkcKBr33pi+G318MkhGBGCoHX8neC2EQGs0mSlmQ+S1JLvpbi2NoKQvuLnRDucQ6zZXdphTD9SJLKgbyEoHsSsFJdBQvZDIss3bj7eoiVY7NvAMcLRfDyr0Pzc1U=', '+dm+GN1YY2Cu2LHI');
2023-06-26 18:45:21.405 sogod[2521:2521] query has no results.
2023-06-26 18:45:21.405 sogod[2521:2521] SQL: COMMIT;
2023-06-26 18:45:21.406 sogod[2521:2521] query has no results.
Jun 26 18:45:21 sogod [2521]: |SOGo| constructed root-url: /SOGo/
Jun 26 18:45:21 sogod [2521]: |SOGo| setting root-url in context: /SOGo/
Jun 26 18:45:21 sogod [2521]: |SOGo| ROOT baseURL(no container, name=(null)): own: /SOGo/
(process:2521): Lasso-CRITICAL **: 20:45:21.407: 2023-06-26 20:45:21 (profile.c/:913) Trying to unref a non GObject pointer file=profile.c:913 poi
Re: [SOGo] SAML login not working / Keycloak 21.1.1 / Debian bookworm
Hi, after looking at the source code, which is just:

if (loginAttribue && (strcmp (attribute->Name, [loginAttribue UTF8String]) == 0))

I tried to debug the request flow. With the help of the apache dumpio module I was able to capture the whole traffic. I tried to decode the capture but it seems that the data is broken. It starts like this:

xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://sogo.linum.biz/SOGo/saml2-signon-post"; ID="ID_f2451abf-1693-4509-a54f-af20461c28d5" InResponseTo="_02F15ED37EA154C6F8927F722B48897D" IssueInstant="2023-06-26T15:46:30.664Z" Version="2.0">

looks like garbage. So somewhere in between the proxy setup something goes wrong.
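What the comparison quoted in this post has to work on, as an added example in Go (not SOGo or lasso code): parse a SAML Response, check its Destination against this SP's assertion consumer URL, and look up the Attribute whose Name equals the configured login attribute, returning an error rather than a nil value when that attribute is missing, has no Name or has no value, which is the situation the "Tried to add nil value for key 'login'" exception earlier in the thread came from. LoginFromResponse and SampleResponse are names chosen here; the sample is a constructed, unsigned response in the shape Keycloak posts to /SOGo/saml2-signon-post, with placeholder identifiers. Signature validation, which lasso performs for SOGo before any attribute may be trusted, is deliberately left out, so this parser alone must never be used to accept a login.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
)

// Response models only the parts of a SAML 2.0 Response that the login path
// needs; the XMLName pins the root element to the SAML protocol namespace.
type Response struct {
	XMLName      xml.Name  `xml:"urn:oasis:names:tc:SAML:2.0:protocol Response"`
	Destination  string    `xml:"Destination,attr"`
	InResponseTo string    `xml:"InResponseTo,attr"`
	Assertion    Assertion `xml:"Assertion"`
}

type Assertion struct {
	Issuer     string      `xml:"Issuer"`
	NameID     string      `xml:"Subject>NameID"`
	Attributes []Attribute `xml:"AttributeStatement>Attribute"`
}

type Attribute struct {
	Name   string   `xml:"Name,attr"`
	Values []string `xml:"AttributeValue"`
}

// LoginFromResponse does the job of the quoted comparison
// strcmp(attribute->Name, [loginAttribute UTF8String]) == 0, but reports a
// missing, unnamed or empty login attribute as an error instead of letting a
// nil value reach the session dictionary. It does NOT verify the XML signature.
func LoginFromResponse(raw []byte, loginAttribute, acsURL string) (string, error) {
	var r Response
	if err := xml.Unmarshal(raw, &r); err != nil {
		return "", fmt.Errorf("not a SAML Response: %w", err)
	}
	if r.Destination != acsURL {
		return "", fmt.Errorf("destination %q is not this SP's ACS URL", r.Destination)
	}
	if loginAttribute == "" {
		return "", errors.New("no login attribute configured")
	}
	for _, a := range r.Assertion.Attributes {
		if a.Name == "" || a.Name != loginAttribute { // an unnamed Attribute is skipped, never compared
			continue
		}
		for _, v := range a.Values {
			if v = strings.TrimSpace(v); v != "" {
				return v, nil
			}
		}
		return "", fmt.Errorf("attribute %q is present but has no value", loginAttribute)
	}
	return "", fmt.Errorf("attribute %q is missing from the AttributeStatement", loginAttribute)
}

// SampleResponse is a constructed, unsigned response in the shape Keycloak
// posts to /SOGo/saml2-signon-post, with placeholder identifiers.
const SampleResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://sogo.example.com/SOGo/saml2-signon-post"
    ID="ID_response" InResponseTo="_request" IssueInstant="2023-06-26T15:46:30Z" Version="2.0">
  <saml:Issuer>https://auth.example.com/realms/master</saml:Issuer>
  <saml:Assertion ID="ID_assertion" IssueInstant="2023-06-26T15:46:30Z" Version="2.0">
    <saml:Issuer>https://auth.example.com/realms/master</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">G-placeholder</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="login"><saml:AttributeValue>clahil</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>`

func main() {
	const acs = "https://sogo.example.com/SOGo/saml2-signon-post"
	fmt.Println(LoginFromResponse([]byte(SampleResponse), "login", acs)) // clahil <nil>
	fmt.Println(LoginFromResponse([]byte(SampleResponse), "uid", acs))   // the nil-'login' case, reported as an error
}
```

Run as is, the first call yields "clahil" and the second the "attribute \"uid\" is missing" error. The Destination check matters because a Response captured for one SP can otherwise be replayed to another; in the real flow lasso additionally ties InResponseTo to the request it issued and verifies the signature, and only then do the attribute values become trustworthy.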
Re: [SOGo] SAML login not working / Keycloak 21.1.1 / Debian bookworm
Hi,

> In your logs you have a segfault. You need to provide a backtrace according to https://www.sogo.nu/support/faq/how-do-i-debug-sogo.html

Here it is:

---
2023-06-26 07:39:05.169 sogod[816:816] SQL: SELECT c_defaults FROM sogo_user_profile WHERE c_uid = 'anonymous';
2023-06-26 07:39:05.171 sogod[816:816] query has results, entering fetch-mode.
Jun 26 07:39:05 sogod [816]: |SOGo| request took 0.468025 seconds to execute
Jun 26 07:39:05 sogod [816]: 79.140.187.148, 172.27.11.107 "GET /SOGo HTTP/1.1" 302 0/0 0.471 - - 4M - 11
Jun 26 07:39:10 sogod [816]: |SOGo| starting method 'POST' on uri '/SOGo/saml2-signon-post'

Program received signal SIGSEGV, Segmentation fault.
0x76ac7744 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x76ac7744 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x77f400c1 in -[SOGoSAML2Session _updateDataFromLogin] (self=0x55705c40, _cmd=0x77fc0cc0 <_OBJC_SELECTOR_TABLE+640>) at ./SoObjects/SOGo/SOGoSAML2Session.m:272
#2 0x77f40f2c in -[SOGoSAML2Session processAuthnResponse:] (self=0x55705c40, _cmd=0x725e99b0 <_OBJC_SELECTOR_TABLE+720>, authnResponse=0x55e26970) at ./SoObjects/SOGo/SOGoSAML2Session.m:466
#3 0x725deb3b in -[SOGoSAML2Actions saml2SignOnPOSTAction] (self=0x55e07820, _cmd=0x558769c0) at ./UI/MainUI/SOGoSAML2Actions.m:175
#4 0x7794cd31 in -[WODirectAction performActionNamed:] (self=0x55e07820, _cmd=0x77b28ca0 <_OBJC_SELECTOR_TABLE+928>, _actionName=0x55dc9590) at ./sope-appserver/NGObjWeb/WODirectAction.m:97
#5 0x779ea252 in -[SoActionInvocation callOnObject:withPositionalParametersWhenNotNil:inContext:] (self=0x55752f70, _cmd=0x77b28cd0 <_OBJC_SELECTOR_TABLE+976>, _client=0x55998c80, _positionalArgs=0x0, _ctx=0x5578e790) at ./sope-appserver/NGObjWeb/SoObjects/SoActionInvocation.m:300
#6 0x779ea39b in -[SoActionInvocation callOnObject:inContext:] (self=0x55752f70, _cmd=0x77b229a0 <_OBJC_SELECTOR_TABLE+672>, _client=0x55998c80, _ctx=0x5578e790) at ./sope-appserver/NGObjWeb/SoObjects/SoActionInvocation.m:318
#7 0x779e4031 in -[SoObjectMethodDispatcher dispatchInContext:] (self=0x55de1e60, _cmd=0x77b24e40 <_OBJC_SELECTOR_TABLE+1536>, _ctx=0x5578e790) at ./sope-appserver/NGObjWeb/SoObjects/SoObjectMethodDispatcher.m:192
#8 0x779e685c in -[SoObjectRequestHandler handleRequest:inContext:session:application:] (self=0x55a978b0, _cmd=0x77aaec10 <_OBJC_SELECTOR_TABLE+848>, _rq=0x555e9f30, _ctx=0x5578e790, _sn=0x0, app=0x55998c80) at ./sope-appserver/NGObjWeb/SoObjects/SoObjectRequestHandler.m:584
#9 0x779605cd in -[WORequestHandler handleRequest:] (self=0x55a978b0, _cmd=0x77a77190 <_OBJC_SELECTOR_TABLE+1616>, _request=0x555e9f30) at ./sope-appserver/NGObjWeb/WORequestHandler.m:240
#10 0x7791aa2b in -[WOCoreApplication dispatchRequest:usingHandler:] (self=0x55998c80, _cmd=0x77a771e0 <_OBJC_SELECTOR_TABLE+1696>, _request=0x555e9f30, handler=0x55a978b0) at ./sope-appserver/NGObjWeb/WOCoreApplication.m:712
#11 0x7791ad96 in -[WOCoreApplication dispatchRequest:] (self=0x55998c80, _cmd=0x55567520 <_OBJC_SELECTOR_TABLE+1664>, _request=0x555e9f30) at ./sope-appserver/NGObjWeb/WOCoreApplication.m:752
#12 0xd9b5 in -[SOGo dispatchRequest:] (self=0x55998c80, _cmd=0x77b14d00 <_OBJC_SELECTOR_TABLE+1760>, _request=0x555e9f30) at ./Main/SOGo.m:584
#13 0x779d2c28 in -[WOHttpTransaction _run] (self=0x558f2470, _cmd=0x77b14d30 <_OBJC_SELECTOR_TABLE+1808>) at ./sope-appserver/NGObjWeb/WOHttpAdaptor/WOHttpTransaction.m:566
#14 0x779d2fee in -[WOHttpTransaction run] (self=0x558f2470, _cmd=0x77b11250 <_OBJC_SELECTOR_TABLE+1168>) at ./sope-appserver/NGObjWeb/WOHttpAdaptor/WOHttpTransaction.m:619
#15 0x779ce5e6 in -[WOHttpAdaptor runConnection:] (self=0x558f1fd0, _cmd=0x77b112f0 <_OBJC_SELECTOR_TABLE+1328>, _socket=0x55a7df70) at ./sope-appserver/NGObjWeb/WOHttpAdaptor/WOHttpAdaptor.m:373
#16 0x779ce83d in -[WOHttpAdaptor _handleAcceptedConnection:] (self=0x558f1fd0, _cmd=0x77b11300 <_OBJC_SELECTOR_TABLE+1344>, _connection=0x55a7df70) at ./sope-appserver/NGObjWeb/WOHttpAdaptor/WOHttpAdaptor.m:407
#17 0x779cecb6 in -[WOHttpAdaptor _handleConnection:] (self=0x558f1fd0, _cmd=0x77b113a0 <_OBJC_SELECTOR_TABLE+1504>, connection=0x55a7df70) at ./sope-appserver/NGObjWeb/WOHttpAdaptor/WOHttpAdaptor.m:466
#18 0x779cf1c7 in -[WOHttpAdaptor acceptConnection:] (self=0x558f1fd0, _cmd=0x77b11210 <_OBJC_SELECTOR_TABLE+1104>, _notification=0x5574f650) at ./sope-appserver/NGObjWeb/WOHttpAdaptor/WOHttpAdaptor.m:527
--Type for more, q to quit, c to
[SOGo] SAML login not working / Keycloak 21.1.1 / Debian bookworm
Hi, I try to get a SAML login working and failed. I read a lot in this list and think I'm pretty close to a working setup. I managed to get redirected to the IDP login screen, and when I get redirected back to SOGo I get this error message:

---
Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request
Reason: Error reading from remote server
---

The sogo.log for this request is:

---
Jun 24 11:16:38 sogod [2131]: |SOGo| starting method 'GET' on uri '/SOGo'
Jun 24 11:16:38 sogod [2131]: <0x0x5572c15faaa0[SOGoCache]> Cache cleanup interval set every 3600.00 seconds
Jun 24 11:16:38 sogod [2131]: <0x0x5572c15faaa0[SOGoCache]> Using host(s) '127.0.0.1' as server(s)
Jun 24 11:16:38 sogod [2131]: [WARN] <0x0x7fc5bc4d8a80[WOxElemBuilder]> could not locate builders: WOxExtElemBuilder,WOxExtElemBuilder
Jun 24 11:16:38 sogod [2131]: [ERROR] <0x0x5572c19e0770[SOGoUserManager]> No authentication sources defined - nobody will be able to login. Check your defaults.
2023-06-24 11:16:38.057 sogod[2131:2131] SQL: SELECT c_defaults FROM sogo_user_profile WHERE c_uid = 'anonymous';
2023-06-24 11:16:38.058 sogod[2131:2131] query has results, entering fetch-mode.
Jun 24 11:16:38 sogod [2131]: |SOGo| request took 0.152470 seconds to execute
Jun 24 11:16:38 sogod [2131]: 79.140.187.148, 172.27.11.107 "GET /SOGo HTTP/1.1" 302 0/0 0.155 - - 6M - 12
Jun 24 11:16:44 sogod [2131]: |SOGo| starting method 'POST' on uri '/SOGo/saml2-signon-post'
Jun 24 11:16:44 sogod [2128]: <0x0x5572c1604cf0[WOWatchDogChild]> child 2131 exited
Jun 24 11:16:44 sogod [2128]: <0x0x5572c1604cf0[WOWatchDogChild]> (terminated due to signal 11)
Jun 24 11:16:44 sogod [2128]: <0x0x5572c1543c80[WOWatchDog]> child spawned with pid 2135
2023-06-24 11:16:44.602 sogod[2135:2135] MySQL4 connection established 0x0x5572c168a150
2023-06-24 11:16:44.602 sogod[2135:2135] -- -[MySQL4Channel openChannel]: connection=0x0x5572c168a150> opens channel count[0]
2023-06-24 11:16:44.602 sogod[2135:2135] MySQL4 channel 0x0x5572c155ae80 opened (connection=0x0x5572c168a150,sogo)
2023-06-24 11:16:44.602 sogod[2135:2135] SQL: SELECT 1 FROM sogo_user_profile WHERE 1 = 2;
2023-06-24 11:16:44.603 sogod[2135:2135] query has results, entering fetch-mode.
2023-06-24 11:16:44.603 sogod[2135:2135] SQL: SELECT 1 FROM sogo_folder_info WHERE 1 = 2;
2023-06-24 11:16:44.603 sogod[2135:2135] query has results, entering fetch-mode.
2023-06-24 11:16:44.605 sogod[2135:2135] SQL: SELECT 1 FROM sogo_sessions_folder WHERE 1 = 2;
2023-06-24 11:16:44.605 sogod[2135:2135] query has results, entering fetch-mode.
Jun 24 11:16:44 sogod [2135]: <0x0x5572c176b150[WOHttpAdaptor]> notified the watchdog that we are ready
---

I think the WOWatchDogChild kills the login process for whatever reason...

Previously I got this error:

---
sogo.log.1:2023-06-22 19:10:31.616 sogod[4831:4831] EXCEPTION: NAME:NSInvalidArgumentException REASON:Tried to add nil value for key 'login' to dictionary INFO:{}
---

But after adding a login key (as an AttributeStatement Mapper/User Property) to the SAML answer the above error message is thrown.

I try to get the SAML login working with Debian bookworm and Keycloak 21.1.1.

---
dpkg -l | grep -e 'sogo\|sope'
ii  libsope1         5.8.0-1  amd64  SKYRiX Object Publishing Environment (shared libraries)
ii  sogo             5.8.0-1  amd64  Scalable groupware server
ii  sogo-activesync  5.8.0-1  amd64  Scalable groupware server - ActiveSync module
ii  sogo-common      5.8.0-1  all    Scalable groupware server - common files
---

My sogo.conf looks like this:

---
{
  SOGoDebugRequests = YES;
  SoDebugBaseURL = YES;
  SOGoEASDebugEnabled = YES;
  ImapDebugEnabled = YES;
  LDAPDebugEnabled = YES;
  MySQL4DebugEnabled = YES;
  PGDebugEnabled = YES;
  SOGoUIxDebugEnabled = YES;
  WODontZipResponse = YES;

  /* Authentication */
  SOGoPasswordChangeEnabled = NO;

  /* Web Interface */
  SOGoPageTitle = SOGo;
  //SOGoVacationEnabled = YES;
  //SOGoForwardEnabled = YES;
  //SOGoSieveScriptsEnabled = YES;
  //SOGoMailAuxiliaryUserAccountsEnabled = YES;
  //SOGoTrustProxyAuthentication = NO;
  //SOGoXSRFValidationEnabled = YES;

  MySQL4Encoding = "utf8mb4";
  SOGoProfileURL = "mysql://user:password@127.0.0.1:3306/sogo/sogo_user_profile";
  OCSFolderInfoURL = "mysql://user:password@127.0.0.1:3306/sogo/sogo_folder_info";
  OCSSessionsFolderURL = "mysql://user:password@127.0.0.1:3306/sogo/sogo_sessions_folder";
  OCSEMailAlarmsFolderURL = "mysql://user:password@127.0.0.1:3306/sogo/sogo_alarms_folder";

  SOGoLanguage = English;
  SOGoAppointmentSendEMailNotifications = YES;
  SO