Here it is:

    canAuthenticate = NO;   /* OIDC handles auth */

Switch that to YES. It is a bit misleading, as this param is also used for 
authorization. So even if you have OIDC for auth, you still need to set this 
param to YES.


Cheers,

-- 

Quentin Hivert || Alinto || R&D Lead Developer 

19 Quai Perrache 69002 Lyon

www.alinto.com
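As an added example (not part of this thread and not SOGo project code), here is a small Python linter that parses the OpenStep-style sogo.conf syntax and flags the two points raised in the thread: a user source left at canAuthenticate = NO while SOGoAuthenticationType = openid, and secrets (bindPassword, SOGoOpenIdClientSecret, passwords embedded in database URLs) that should be redacted before a config is shared on a list. The sample config, hostnames and placeholder secrets are constructed; the parser covers only the subset of the syntax seen in the thread (dictionaries, arrays, quoted and bare scalars, /* */ comments) and assumes a comment marker never appears inside a quoted string.

```python
"""Lint a sogo.conf for the OIDC pitfall from this thread (constructed example, not SOGo code)."""
import re
from urllib.parse import urlsplit

# Tokens: "quoted strings", the punctuation { } ( ) = ; , and bare words (YES, openid, 300 ...).
_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|[{}()=;,]|[^\s{}()=;,"]+')
# Keys whose values are secrets regardless of their format.
SECRET_KEYS = {"bindPassword", "SOGoOpenIdClientSecret"}


def tokenize(text):
    """Strip /* ... */ comments (assumed never to occur inside a string), then split."""
    return _TOKEN.findall(re.sub(r"/\*.*?\*/", "", text, flags=re.S))


class _Parser:
    """Recursive descent over the OpenStep-style plist subset sogo.conf uses."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _next(self):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of config")
        self.i += 1
        return self.toks[self.i - 1]

    def _expect(self, want):
        got = self._next()
        if got != want:
            raise ValueError(f"expected {want!r}, got {got!r}")

    def value(self):
        tok = self._next()
        if tok == "{":
            return self._dict()
        if tok == "(":
            return self._array()
        if tok.startswith('"'):
            return tok[1:-1].replace('\\"', '"')
        return tok  # bare scalar such as YES, NO, openid, ldap, 300

    def _dict(self):
        out = {}
        while self._peek() != "}":
            key = self._next().strip('"')
            self._expect("=")
            out[key] = self.value()
            self._expect(";")
        self._next()  # consume "}"
        return out

    def _array(self):
        out = []
        while self._peek() != ")":
            out.append(self.value())
            if self._peek() == ",":
                self._next()
        self._next()  # consume ")"
        return out


def parse_sogo_conf(text):
    return _Parser(tokenize(text)).value()


def audit(conf):
    """Return (code, detail) findings: AUTHZ for the canAuthenticate pitfall, SECRET per leaked value."""
    findings = []
    if conf.get("SOGoAuthenticationType") == "openid":
        for src in conf.get("SOGoUserSources", []):
            if src.get("canAuthenticate") != "YES":
                findings.append(("AUTHZ", f"user source {src.get('id')}: canAuthenticate must be YES, "
                                          "SOGo also uses it for authorization under OIDC"))

    def walk(node, path):  # recurse, flagging secret keys and user:password@ in URLs
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, path + [k])
        elif isinstance(node, list):
            for n, v in enumerate(node):
                walk(v, path + [str(n)])
        elif path and (path[-1] in SECRET_KEYS or ("://" in node and urlsplit(node).password)):
            findings.append(("SECRET", ".".join(path)))

    walk(conf, [])
    return findings


# Constructed sample mirroring the thread; every host and secret is a placeholder.
SAMPLE_CONF = r'''{
  /* constructed sample; every secret below is a placeholder */
  SOGoProfileURL = "postgresql://postgres:DB_PASSWORD@db.example:5432/sogo/sogo_user_profile";
  SOGoAuthenticationType = openid;
  SOGoOpenIdConfigUrl = "https://idp.example/.well-known/openid-configuration";
  SOGoOpenIdClientSecret = "CLIENT_SECRET";
  SOGoOpenIdEmailParam = "email";
  SOGoUserSources = (
    {
      id = "example-ad";
      type = ldap;
      canAuthenticate = NO;   /* OIDC handles auth */
      UIDFieldName = "sAMAccountName";
      bindPassword = "BIND_PASSWORD";
      hostname = "ldaps://ad.example.test:636";
      MailFieldNames = (mail);
    }
  );
}'''

if __name__ == "__main__":
    for code, detail in audit(parse_sogo_conf(SAMPLE_CONF)):
        print(code, detail)
```

Running it on the sample reports one AUTHZ finding for the user source and three SECRET findings (the profile URL password, the client secret and the bind password); flipping canAuthenticate to YES clears the AUTHZ finding while the redaction hints remain.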


From: [email protected] <[email protected]> On Behalf Of Anantha Raghava
Sent: Wednesday, 24 December 2025 11:05
To: qhivert ([email protected]) <[email protected]>
Subject: Re: [SOGo] Setting up OIDC for SOGo


Hi,

Thanks for the quick response.

Here is my sogo.conf

{
  /* WebObjects / core runtime debugging */
  WODebuggingEnabled = YES;
  WOLogLevel = debug;

  /* Process & logging */
  WOWorkersCount = 1;
  WOPort = "0.0.0.0:20000";
  WOLogFile = "-";

  /* Timezone (optional but recommended) */
  SOGoTimeZone = "Asia/Kolkata";

  /* Cache (external memcached in Kubernetes) */
  SOGoMemcachedHost = "sogo-memcached.indryve-org.svc.cluster.local:11211";

  /* Database (PostgreSQL via single base URL + multiple logical stores) */
  SOGoProfileURL       = "postgresql://postgres:[email protected]:5432/sogo/sogo_user_profile";
  OCSFolderInfoURL     = "postgresql://postgres:[email protected]:5432/sogo/sogo_folder_info";
  OCSSessionsFolderURL = "postgresql://postgres:[email protected]:5432/sogo/sogo_sessions_folder";
  OCSStoreURL          = "postgresql://postgres:[email protected]:5432/sogo/sogo_store";
  OCSAclURL            = "postgresql://postgres:[email protected]:5432/sogo/sogo_acl";
  OCSCacheFolderURL    = "postgresql://postgres:[email protected]:5432/sogo/sogo_cache_folder";
  OCSAdminURL          = "postgresql://postgres:[email protected]:5432/sogo/sogo_admin";

  /* ---------------------------
     AUTH: OpenID Connect (SSO)
     --------------------------- */
  SOGoAuthenticationType    = openid;
  SOGoXSRFValidationEnabled = NO;

  /* DB URL used to store OpenID sessions (mandatory for OpenID) */
  OCSOpenIdURL = "postgresql://postgres:[email protected]:5432/sogo/sogo_openid";

  /* OpenID Provider Configuration endpoint (mandatory) */
  SOGoOpenIdConfigUrl    = "https://idam.indryve.org/oauth2/oidcdiscovery/.well-known/openid-configuration";
  SOGoOpenIdClient       = "xxxxxxxx";
  SOGoOpenIdClientSecret = "xxxxxxxxxxxxx";

  /* e.g. "openid profile email" */
  SOGoOpenIdScope       = "openid profile email";
  /* claim that carries the mailbox/uid; defaults to email if unset */
  SOGoOpenIdEmailParam  = "email";
  SOGoOpenIdRedirectURI = "https://dav.indryve.org/SOGo/so/oidc/callback";

  /* optional knobs */
  SOGoOpenIdEnableRefreshToken = YES;
  SOGoOpenIdTokenCheckInterval = 300;
  SOGoOpenIdLogoutEnabled      = YES;
  SOGoTrustProxy = YES;
  SOGoSecureCookies = YES;
  SOGoUseRelativeURLs = NO;
  SOGoForceExternalLoginWithHTTPS = YES;
  SOGoForceExternalLoginWithEmail = YES;
  SOGoDebugRequests = YES;
  SOGoDebugResponse = YES;
  SOGoMailDebugEnabled = YES;
  SOGoDebugOpenId = YES;

  /* If SOGo is used as webmail with OpenID, IMAP/SMTP need XOAUTH2.
     If you are Cal/Card only, keep these unset or disabled. */
  /* NGImap4AuthMechanism = xoauth2; */
  /* SOGoSMTPAuthenticationType = xoauth2; */

  /* Indryve: Calendar + Contacts */
  SOGoCalendarDAVAccessEnabled          = YES;
  SOGoAddressBookDAVAccessEnabled       = YES;
  SOGoAppointmentSendEMailNotifications = YES;

  SOGoPageTitle = "SOGo";
  SOGoPasswordChangeEnabled = NO;

  /* LDAP user source: Samba-AD (Address Book only) */
  SOGoUserSources = (
    {
      id              = "indryve-ad";
      type            = ldap;
      canAuthenticate = NO;   /* OIDC handles auth */
      isAddressBook   = YES;  /* directory/contacts source */

      CNFieldName     = "cn";
      IDFieldName     = "sAMAccountName";
      UIDFieldName    = "sAMAccountName";

      baseDN          = "DC=indryve,DC=demo";
      bindDN          = "CN=sogo_bind,OU=BindUsers,DC=indryve,DC=demo";
      bindPassword    = "oeKObjR9KmstkNd6";
      hostname        = "ldaps://ad.indryve.demo:636";

      filter          = "(objectClass=person)";
      MailFieldNames  = (mail);
      displayName     = "Indryve Directory";
      SSL             = YES;
    }
  );
}


Thanks n’ Regards,


Raghav


On 24/12/25 2:09 pm, qhivert ([email protected]) wrote:

Hello,
It means there is a mismatch between the info returned by your OpenID userinfo
endpoint and your user source.
Can you share your sogo.conf (mind the passwords and secrets in it)?

The param
SOGoOpenIdEmailParam = "email";
tells SOGo where to get the user email in your userinfo endpoint.

It must match the uid (or UIDFieldName) of your user source. Be sure to have
canAuthenticate = YES;
in your user source.

You can add these to have more logs:
SOGoDebugRequests = YES;
SOGoOpenIDDebugEnabled = YES;

Cheers,
