Hi Kenny,
In the past, we also set up a PoC with SOGo / keycloak / SAML2. For IMAP
authentication, we used:
https://github.com/ck-ws/pam-script-saml
But because of the SAML2 sessions timing out, we went back to regular
LDAP auth. We would like to move to SAML2, so we're following the recent
SAML2 list threads with interest.
MJ
On 7/19/20 2:02 PM, Jeroen van Os (jeroen.va...@nevel.io) wrote:
Hi Kenny,
I have been trying to get SAML to work with SOGo as well. In Keycloak
the following configuration works:
Client scopes: none
Mappers: fill in "email" and "username" with information from your
credentials provider
Set scope to "full scope allowed"
In the SOGo config file we have this line, the rest is similar to what
you provided:
SOGoSAML2LoginAttribute = username;
Don't forget to take into account that even if you get SAML to work, the
connection to your IMAP and SMTP server may not work. Because SOGo has
no knowledge of the user's password, it cannot authenticate against
regular IMAP and SMTP servers that expect user credentials for
authorization. So you will need to find a way to authenticate without
knowing the user's password.
Kind regards,
Jeroen
On 18/07/2020 at 22:19, "la.jolie@paquerette"
(la.jo...@paquerette.org) wrote:
Going on with my attempts to connect Sogo to LemonLdap, I tried also with
the SAML protocol.
A few weeks ago, I first tried with Keycloak
(https://www.mail-archive.com/users@sogo.nu/msg29805.html), but I didn't
find a solution.
Unfortunately, with LemonLdap, I have the same error:
------------
|SOGo| starting method 'POST' on uri '/SOGo/saml2-signon-post'
|SOGo| traverse(acquire): SOGo => saml2-signon-post
|SOGo| do traverse name: 'SOGo'
|SOGo| do traverse name: 'saml2-signon-post'
|SOGo| set clientObject: <SOGo[0x0x5638236b2630]: name=SOGo>
sogod[8630:8630] EXCEPTION: <NSException: 0x563823b60f20>
NAME:NSInvalidArgumentException REASON:Tried to add nil value for key
'login' to dictionary INFO:{}
|SOGo| request took 0.013806 seconds to execute
<0x0x563823b8f410[WOResponse]> Zipping of response disabled
127.0.0.1 "POST /SOGo/saml2-signon-post HTTP/1.1" 501 0/7289 0.019 - -
692K
----------------
I'm back to the post https://sogo.nu/bugs/view.php?id=4441
Alas, no clue what Sogo is waiting for.
I attached an example SAML token LemonLdap sends back to Sogo.
For the attribute with my mail (for the login), I tried the names mail,
email & login, but same error.
What is the attribute name Sogo wants for the key 'login'?
Is something wrong with the Saml token Sogo is receiving from LemonLdap?
Thanks,
Kenny
My Sogo config:
----
SOGoProfileURL =
"mysql://yyyyyyy:xxxxxxxxx@127.0.0.1:3306/sogo/sogo_user_profile";
OCSFolderInfoURL =
"mysql://yyyyyyy:xxxxxxxxx@127.0.0.1:3306/sogo/sogo_folder_info";
OCSSessionsFolderURL =
"mysql://yyyyyyy:xxxxxxxxx@127.0.0.1:3306/sogo/sogo_sessions_folder";
OCSEMailAlarmsFolderURL =
"mysql://yyyyyyy:xxxxxxxxx@127.0.0.1:3306/sogo/sogo_alarms_folder";
SOGoLanguage = English;
SOGoAppointmentSendEMailNotifications = YES;
SOGoMailingMechanism = smtp;
SOGoSMTPServer = 127.0.0.1;
SOGoTimeZone = UTC;
SOGoSentFolderName = Sent;
SOGoTrashFolderName = Trash;
SOGoDraftsFolderName = Drafts;
SOGoIMAPServer = "imap://localhost:143/";
SOGoSieveServer = "sieve://localhost:4190/";
SOGoIMAPAclConformsToIMAPExt = YES;
SOGoVacationEnabled = NO;
SOGoForwardEnabled = NO;
SOGoSieveScriptsEnabled = NO;
SOGoFirstDayOfWeek = 0;
SOGoMailMessageCheck = manually;
SOGoMailAuxiliaryUserAccountsEnabled = NO;
SOGoMemcachedHost = 127.0.0.1;
SOGoCacheCleanupInterval = 3600;
SOGoAuthenticationType = saml2;
NGImap4AuthMechanism = PLAIN; # tried without the option too
SOGoSAML2PrivateKeyLocation = "/etc/sogo/saml.pem";
SOGoSAML2CertificateLocation = "/etc/sogo/saml.crt";
SOGoSAML2IdpMetadataLocation = "/etc/sogo/idp-metadata.xml";
SOGoSAML2IdpPublicKeyLocation = "/etc/sogo/idp-public.key";
SOGoSAML2IdpCertificateLocation = "/etc/sogo/idp-public.key";
SOGoSAML2LoginAttribute = mail;
SOGoSAML2LogoutEnabled = YES;
SOGoSAML2LogoutURL = "https://xxxxxxxx";
WOWorkersCount = 10;
SOGoEASDebugEnabled = YES;
GCSFolderDebugEnabled = YES;
GCSFolderStoreDebugEnabled = YES;
LDAPDebugEnabled = YES;
MySQL4DebugEnabled = YES;
NGImap4DisableIMAP4Pooling = YES;
ImapDebugEnabled = YES;
OCSFolderManagerSQLDebugEnabled = YES;
PGDebugEnabled = YES;
SOGoDebugRequests = YES;
SOGoMailKeepDraftsAfterSend = YES;
SOGoUIxDebugEnabled = YES;
SoDebugObjectTraversal = YES;
SoSecurityManagerDebugEnabled = YES;
WODontZipResponse = YES;
WODebugZipResponse = YES;
}
--------
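A small diagnostic, added here and not part of the thread or of SOGo itself, for checking a captured SAML response the way Kenny's question and Jeroen's configuration suggest: it lists the attribute Names present in the assertion's AttributeStatement and reports which value would be taken as the login for a given SOGoSAML2LoginAttribute setting. It assumes SOGo resolves SOGoSAML2LoginAttribute against those attribute Names (Jeroen's pairing of a Keycloak "username" mapper with `SOGoSAML2LoginAttribute = username` points that way); the sample response is constructed, unsigned, and no signature or condition validation is performed, so this only inspects attribute naming.

```python
"""Inspect which assertion attributes a SAML response carries and which one
would serve as the SOGo login. Hypothetical diagnostic, not SOGo code."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: the IdP releases 'mail' and 'uid' but nothing named 'username'.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>alice@example.org</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="uid">
        <saml:AttributeValue>alice</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def assertion_attributes(xml_text):
    """Return {attribute Name: [values]} from every AttributeStatement.
    For a real token from an untrusted IdP, parse with defusedxml instead."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def login_value(xml_text, login_attribute):
    """Value that would become the login for the given SOGoSAML2LoginAttribute,
    or None when no attribute of that Name is present (the 'nil value for key
    login' situation: the configured name matches nothing the IdP sent)."""
    values = assertion_attributes(xml_text).get(login_attribute, [])
    return values[0] if values else None


if __name__ == "__main__":
    print("attributes present:", sorted(assertion_attributes(SAMPLE_RESPONSE)))
    for configured in ("mail", "username"):
        print("SOGoSAML2LoginAttribute =", configured, "->",
              login_value(SAMPLE_RESPONSE, configured))
```

Run it against the token LemonLdap actually returns (saved from the POST to /SOGo/saml2-signon-post) and compare the printed Names with the value set in SOGoSAML2LoginAttribute.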
--
users@sogo.nu
https://inverse.ca/sogo/lists