Hi,
Now the OIDC login succeeds. Tokens are getting exchanged and SOGo is
able to get 'email' and 'username' properly from the id_token and to
extract them.
However, just after extracting the email and username from the token, it
loops back again and the same flow repeats many times, finally failing
the proper redirection.
/* OpenID Provider Configuration endpoint (mandatory) */
SOGoOpenIdProviderURL = "https://idam.indryve.org";
SOGoOpenIdConfigUrl = "https://idam.indryve.org/oauth2/oidcdiscovery/.well-known/openid-configuration";
SOGoOpenIdClient = "xxxxxx";
SOGoOpenIdClientSecret = "xxxxxxxx";
/* e.g. "openid profile email" */
SOGoOpenIdScope = "openid profile email";
/* claim that carries the mailbox/uid; defaults to email if unset */
SOGoOpenIdLoginParam = "username";
SOGoOpenIdEmailParam = "email";
SOGoOpenIdRedirectURI = "https://dav.indryve.org/SOGo/so/oidc/callback";
Above is the section of sogo.conf.
Is the SOGoOpenIdRedirectURI proper?
Not able to understand why the login is simply going into a loop even
after a proper OIDC exchange and getting the proper username and email
claims from the tokens?
Any guidance here?
Thanks n’ Regards,
Raghav
On 24/12/25 3:46 pm, qhivert ([email protected]) wrote:
Here it is:
canAuthenticate = NO; /* OIDC handles auth */
Switch that to YES. It is a bit misleading as this param is also used
for authorization. So even if you have OIDC for auth, you still need
to set this param to YES.
Cheers,
--
Quentin Hivert || Alinto || R&D Lead Developer
19 Quai Perrache 69002 Lyon
www.alinto.com
From: [email protected] <[email protected]> On Behalf Of Anantha Raghava
Sent: Wednesday 24 December 2025 11:05
To: qhivert ([email protected]) <[email protected]>
Subject: Re: [SOGo] Setting up OIDC for SOGo
Hi,
Thanks for quick response.
Here is my sogo.conf
{
/* WebObjects / core runtime debugging */
WODebuggingEnabled = YES;
WOLogLevel = debug;
/* Process & logging */
WOWorkersCount = 1;
WOPort = "0.0.0.0:20000";
WOLogFile = "-";
/* Timezone (optional but recommended) */
SOGoTimeZone = "Asia/Kolkata";
/* Cache (external memcached in Kubernetes) */
SOGoMemcachedHost = "sogo-memcached.indryve-org.svc.cluster.local:11211";
/* Database (PostgreSQL via single base URL + multiple logical
stores) */
SOGoProfileURL = "postgresql://postgres:[email protected]:5432/sogo/sogo_user_profile";
OCSFolderInfoURL = "postgresql://postgres:[email protected]:5432/sogo/sogo_folder_info";
OCSSessionsFolderURL = "postgresql://postgres:[email protected]:5432/sogo/sogo_sessions_folder";
OCSStoreURL = "postgresql://postgres:[email protected]:5432/sogo/sogo_store";
OCSAclURL = "postgresql://postgres:[email protected]:5432/sogo/sogo_acl";
OCSCacheFolderURL = "postgresql://postgres:[email protected]:5432/sogo/sogo_cache_folder";
OCSAdminURL = "postgresql://postgres:[email protected]:5432/sogo/sogo_admin";
/* ---------------------------
AUTH: OpenID Connect (SSO)
--------------------------- */
SOGoAuthenticationType = openid;
SOGoXSRFValidationEnabled = NO;
/* DB URL used to store OpenID sessions (mandatory for OpenID) */
OCSOpenIdURL = "postgresql://postgres:[email protected]:5432/sogo/sogo_openid";
/* OpenID Provider Configuration endpoint (mandatory) */
SOGoOpenIdConfigUrl = "https://idam.indryve.org/oauth2/oidcdiscovery/.well-known/openid-configuration";
SOGoOpenIdClient = "xxxxxxxx";
SOGoOpenIdClientSecret = "xxxxxxxxxxxxx";
/* e.g. "openid profile email" */
SOGoOpenIdScope = "openid profile email";
/* claim that carries the mailbox/uid; defaults to email if unset */
SOGoOpenIdEmailParam = "email";
SOGoOpenIdRedirectURI = "https://dav.indryve.org/SOGo/so/oidc/callback";
/* optional knobs */
SOGoOpenIdEnableRefreshToken = YES;
SOGoOpenIdTokenCheckInterval = 300;
SOGoOpenIdLogoutEnabled = YES;
SOGoTrustProxy = YES;
SOGoSecureCookies = YES;
SOGoUseRelativeURLs = NO;
SOGoForceExternalLoginWithHTTPS = YES;
SOGoForceExternalLoginWithEmail = YES;
SOGoDebugRequests = YES;
SOGoDebugResponse = YES;
SOGoMailDebugEnabled = YES;
SOGoDebugOpenId = YES;
/* If SOGo is used as webmail with OpenID, IMAP/SMTP need XOAUTH2.
If you are Cal/Card only, keep these unset or disabled. */
/* NGImap4AuthMechanism = xoauth2; */
/* SOGoSMTPAuthenticationType = xoauth2; */
/* Indryve: Calendar + Contacts */
SOGoCalendarDAVAccessEnabled = YES;
SOGoAddressBookDAVAccessEnabled = YES;
SOGoAppointmentSendEMailNotifications = YES;
SOGoPageTitle = "SOGo";
SOGoPasswordChangeEnabled = NO;
/* LDAP user source: Samba-AD (Address Book only) */
SOGoUserSources = (
{
id = "indryve-ad";
type = ldap;
canAuthenticate = NO; /* OIDC handles auth */
isAddressBook = YES; /* directory/contacts source */
CNFieldName = "cn";
IDFieldName = "sAMAccountName";
UIDFieldName = "sAMAccountName";
baseDN = "DC=indryve,DC=demo";
bindDN = "CN=sogo_bind,OU=BindUsers,DC=indryve,DC=demo";
bindPassword = "oeKObjR9KmstkNd6";
hostname = "ldaps://ad.indryve.demo:636";
filter = "(objectClass=person)";
MailFieldNames = (mail);
displayName = "Indryve Directory";
SSL = YES;
}
);
}
Thanks n’ Regards,
Raghav
On 24/12/25 2:09 pm, qhivert ([email protected]) wrote:
Hello,
It means there is a mismatch between the info returned by your OpenID userinfo
endpoint and your user source.
Can you share your sogo.conf (mind the passwords and secrets in it)?
The param
SOGoOpenIdEmailParam = "email";
tells SOGo where to get the user email from your userinfo endpoint.
It must match the uid (or UIDFieldName) of your user source. Be sure to have
canAuthenticate = YES;
in your user source.
You can add those to have more logs:
SOGoDebugRequests = YES;
SOGoOpenIDDebugEnabled = YES;
Cheers,
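A worked check for the two points made in this thread (the claim named by SOGoOpenIdEmailParam has to line up with the UIDFieldName of the user source, and the source needs canAuthenticate = YES because that flag also gates authorization). This is an added example written for the thread, not SOGo code, and it does not reproduce SOGo's real lookup logic. The id_token, the directory entries, the claim values and the dict shape of the user source are all constructed; the token decode deliberately skips signature verification because it only serves to read back which claims the provider sent.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url JWT segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a JWT without checking its signature.

    Read-only troubleshooting aid for seeing which claims the provider
    actually sent; it is not a verifier and must never be used to accept tokens.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-segment JWT")
    return json.loads(b64url_decode(parts[1]))


def diagnose_login(claims: dict, email_param: str, user_source: dict):
    """Apply the checks described in the thread and return (ok, reason).

    user_source is a hypothetical dict mirroring a sogo.conf user source:
    'canAuthenticate', 'UIDFieldName' and a list of directory 'entries'.
    """
    if not user_source.get("canAuthenticate", False):
        return False, ("user source has canAuthenticate = NO; it also gates "
                       "authorization, so the OIDC user is never accepted")
    if email_param not in claims:
        return False, (f"claim {email_param!r} is not in the token; "
                       f"claims present: {sorted(claims)}")
    wanted = claims[email_param]
    uid_field = user_source["UIDFieldName"]
    for entry in user_source["entries"]:
        if entry.get(uid_field) == wanted:
            return True, f"{email_param}={wanted!r} matches {uid_field} of {entry['dn']}"
    return False, (f"no entry has {uid_field} == {wanted!r}; SOGoOpenIdEmailParam "
                   f"and UIDFieldName must name the same identifier")


# --- constructed sample data (not taken from the thread) ---------------------
SAMPLE_CLAIMS = {
    "sub": "c0ffee-0001",
    "email": "raghav@example.org",
    "preferred_username": "raghav",
}
# Header and payload are real JWT segments; the signature segment is a placeholder.
SAMPLE_ID_TOKEN = (
    b64url_encode({"alg": "RS256", "typ": "JWT"}) + "."
    + b64url_encode(SAMPLE_CLAIMS) + ".placeholder-signature"
)
# Hypothetical AD-backed user source shaped like the one in the sogo.conf above.
SOURCE_AD = {
    "id": "indryve-ad",
    "canAuthenticate": True,
    "UIDFieldName": "sAMAccountName",
    "entries": [
        {"dn": "CN=Raghav,OU=Users,DC=example,DC=org",
         "sAMAccountName": "raghav",
         "mail": "raghav@example.org"},
    ],
}


if __name__ == "__main__":
    claims = decode_id_token_claims(SAMPLE_ID_TOKEN)
    scenarios = [
        ("canAuthenticate = NO", "email", dict(SOURCE_AD, canAuthenticate=False)),
        ("email claim vs sAMAccountName", "email", SOURCE_AD),
        ("email claim vs mail attribute", "email", dict(SOURCE_AD, UIDFieldName="mail")),
        ("preferred_username vs sAMAccountName", "preferred_username", SOURCE_AD),
    ]
    for label, param, source in scenarios:
        ok, reason = diagnose_login(claims, param, source)
        print(f"{'OK  ' if ok else 'FAIL'} {label}: {reason}")
```

Running it, the "email claim vs sAMAccountName" scenario fails the way the mismatch described above does (the token carries an address, the source is keyed on a short account name), while pointing UIDFieldName at the mail attribute, or SOGoOpenIdEmailParam at a username claim, makes the lookup succeed. Only the signature-free decode is generic; the rest models the thread's reasoning, not SOGo internals.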