Hi,

You’re correct — upstream SOGo docs/configs do not define SOGoOpenIdProviderURL, SOGoOpenIdLoginParam, or SOGoOpenIdRedirectURI. The supported OpenID/OIDC configuration is done via SOGoAuthenticationType = openid plus SOGoOpenIdConfigUrl, SOGoOpenIdClientId, SOGoOpenIdClientSecret, SOGoOpenIdScope, etc., as shown in the upstream sample/default configs. Those 3 keys were taken from community snippets / experiments, but the reliable baseline is the SOGoOpenIdConfigUrl + Client + Secret + Scope + (EmailParam) + OCSOpenIdURL pattern.

Finally I figured out that SOGo was unable to bind to AD as it was not able to verify the AD SSL certificate. The moment it was added and ldap-bind utils were installed and certificates were mapped, the connection went through and SSO worked.

One thing to note. We are trying to use SOGo as a CalDAV and CardDAV provider to work with Apache James - Enterprise Mail server. Hence we have intentionally avoided SMTP- and IMAP-related settings. I just wanted to know if it is possible to stop the Email UI from loading.

Find below my corrected sogo.conf.

{
  /* WebObjects / core runtime debugging */
  WODebuggingEnabled = YES;
  WOLogLevel = debug;

  /* Process & logging */
  WOWorkersCount = 1;
  WOPort = "0.0.0.0:20000";
  WOLogFile = "-";

  /* Timezone (optional but recommended) */
  SOGoTimeZone = "Asia/Kolkata";

  /* Cache (external memcached in Kubernetes) */
  SOGoMemcachedHost = "sogo-memcached.indryve-org.svc.cluster.local:11211";

  /* Database (PostgreSQL via single base URL + multiple logical stores) */
  SOGoProfileURL        = "postgresql://postgres:[email protected]:5432/sogo/sogo_user_profile";
  OCSFolderInfoURL      = "postgresql://postgres:[email protected]:5432/sogo/sogo_folder_info";
  OCSSessionsFolderURL  = "postgresql://postgres:[email protected]:5432/sogo/sogo_sessions_folder";
  OCSStoreURL           = "postgresql://postgres:[email protected]:5432/sogo/sogo_store";
  OCSAclURL             = "postgresql://postgres:[email protected]:5432/sogo/sogo_acl";
  OCSCacheFolderURL     = "postgresql://postgres:[email protected]:5432/sogo/sogo_cache_folder";
  OCSAdminURL           = "postgresql://postgres:[email protected]:5432/sogo/sogo_admin";


  /* ---------------------------
     AUTH: OpenID Connect (SSO)
     --------------------------- */
  SOGoAuthenticationType      = openid;
  SOGoXSRFValidationEnabled   = NO;

  /* DB URL used to store OpenID sessions (mandatory for OpenID) */
  OCSOpenIdURL = "postgresql://postgres:[email protected]:5432/sogo/sogo_openid";

  /* OpenID Provider Configuration endpoint (mandatory) */

  SOGoOpenIdConfigUrl     = "https://idam.indryve.org/oauth2/oidcdiscovery/.well-known/openid-configuration";
  SOGoOpenIdClient        = "xxxxx";
  SOGoOpenIdClientSecret  = "xxxxxxxxxx";
  SOGoOpenIdScope         = "openid profile email";
  SOGoOpenIdEmailParam    = "email";

  /* optional knobs */
  SOGoOpenIdEnableRefreshToken = YES;
  SOGoOpenIdTokenCheckInterval = 300;
  SOGoOpenIdLogoutEnabled      = YES;
  SOGoTrustProxy = YES;
  SOGoSecureCookies = YES;
  SOGoUseRelativeURLs = NO;
  SOGoForceExternalLoginWithHTTPS = YES;
  SOGoForceExternalLoginWithEmail = YES;
  SOGoDebugRequests = YES;
  SOGoDebugResponse = YES;
  SOGoOpenIDDebugEnabled = YES;

  /* If SOGo is used as webmail with OpenID, IMAP/SMTP need XOAUTH2.
     If you are Cal/Card only, keep these unset or disabled. */
  /* NGImap4AuthMechanism = xoauth2; */
  /* SOGoSMTPAuthenticationType = xoauth2; */

  /* Indryve: Calendar + Contacts */
  SOGoCalendarDAVAccessEnabled          = YES;
  SOGoAddressBookDAVAccessEnabled       = YES;
  SOGoAppointmentSendEMailNotifications = YES;

  SOGoPageTitle = "Indryve Calendar & Contacts";
  SOGoPasswordChangeEnabled = NO;

  /* LDAP user source: Samba-AD (Address Book only) */
  SOGoUserSources = (
    {
      id              = "indryve-ad";
      type            = ldap;
      canAuthenticate = YES;
      isAddressBook   = YES;

      CNFieldName     = "cn";
      IDFieldName     = "sAMAccountName";
      UIDFieldName    = "sAMAccountName";

      baseDN          = "DC=indryve,DC=demo";
      bindDN          = "CN=sogo_bind,OU=BindUsers,DC=indryve,DC=demo";
      bindPassword    = "xxxxxx";
      hostname        = "ldaps://ad.indryve.demo";

      filter          = "(objectClass=person)";
      MailFieldNames  = (mail);
      displayName     = "Indryve Directory";
      SSL             = YES;
    }
  );
}


Thanks n’ Regards,

Anantha Raghava H A
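As an added preflight check, written for this thread and not part of SOGo or Alinto's tooling, the following Python script lints the OpenID-related keys of a sogo.conf for the exact problems discussed above: the three non-upstream keys, a user source left at canAuthenticate = NO, and the email-claim-to-UIDFieldName mapping. It assumes one LDAP user source and runs on constructed sample configs with placeholder hosts and secrets, not the real values from the thread.

```python
import re

# Keys the thread found in community snippets that upstream SOGo does not define.
UNSUPPORTED = ("SOGoOpenIdProviderURL", "SOGoOpenIdLoginParam", "SOGoOpenIdRedirectURI")
# Baseline keys for SOGoAuthenticationType = openid, as in the upstream sample config.
REQUIRED = ("SOGoOpenIdConfigUrl", "SOGoOpenIdClient", "SOGoOpenIdClientSecret", "SOGoOpenIdScope", "OCSOpenIdURL")
# `key = value;` where value is a quoted string, a one-line list such as (mail), or a bare token.
ASSIGN = re.compile(r'(\w+)\s*=\s*("[^"]*"|\([^()\n]*\)|[\w.:/-]+)\s*;')

def parse_conf(text):
    """Flatten the `key = value;` pairs of an OpenStep-style sogo.conf into a dict.
    Assumption: a single user source, so its keys sit beside the top-level ones."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # strip block comments
    return {k: v.strip('"') for k, v in ASSIGN.findall(text)}

def lint_openid(conf):
    """Return a list of findings; entries starting with 'note:' are informational."""
    findings = []
    if conf.get("SOGoAuthenticationType") != "openid":
        findings.append("SOGoAuthenticationType must be openid for OIDC login")
    findings += [f"{k} is not an upstream SOGo key; it is ignored" for k in UNSUPPORTED if k in conf]
    findings += [f"{k} is missing" for k in REQUIRED if k not in conf]
    # canAuthenticate also gates authorization, so it must stay YES even with OIDC.
    if conf.get("canAuthenticate") != "YES":
        findings.append("user source needs canAuthenticate = YES even with OIDC")
    claim, uid = conf.get("SOGoOpenIdEmailParam"), conf.get("UIDFieldName")
    if claim and uid:  # the claim's value has to equal what LDAP returns in UIDFieldName
        findings.append(f"note: value of claim '{claim}' must match each user's {uid}")
    return findings

# Constructed sample, condensed from the thread's first config (placeholder hosts and secrets).
BROKEN = """{
  SOGoAuthenticationType = openid;
  OCSOpenIdURL = "postgresql://postgres:secret@db.example.test:5432/sogo/sogo_openid";
  SOGoOpenIdProviderURL = "https://idam.example.test";
  SOGoOpenIdConfigUrl = "https://idam.example.test/.well-known/openid-configuration";
  SOGoOpenIdClient = "xxxxx"; SOGoOpenIdClientSecret = "xxxxx";
  SOGoOpenIdScope = "openid profile email"; SOGoOpenIdLoginParam = "username";
  SOGoOpenIdEmailParam = "email";
  SOGoOpenIdRedirectURI = "https://dav.example.test/SOGo/so/oidc/callback";
  SOGoUserSources = ({ id = "ad"; type = ldap; canAuthenticate = NO; /* OIDC handles auth */
    UIDFieldName = "sAMAccountName"; hostname = "ldaps://ad.example.test:636"; SSL = YES; });
}"""
# The same config after the fixes the thread settled on.
FIXED = re.sub(r"SOGoOpenId(ProviderURL|LoginParam|RedirectURI) = [^;]*;", "", BROKEN
               ).replace("canAuthenticate = NO", "canAuthenticate = YES")

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_openid(parse_conf(text)))
```

The LDAPS certificate trust problem from the message above is outside what a static lint can see; this only catches the configuration-level mistakes.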


On 24/12/25 6:22 pm, qhivert ([email protected]) wrote:

Hello,

Sorry, but from where did you see you have to set parameters SOGoOpenIdProviderURL, SOGoOpenIdLoginParam and SOGoOpenIdRedirectURI?

--

Quentin Hivert || Alinto || R&D Lead Developer

19 Quai Perrache 69002 Lyon

www.alinto.com <http://www.alinto.com>

*From:*[email protected] <[email protected]> *On Behalf Of *Anantha Raghava
*Sent:* Wednesday 24 December 2025 12:35
*To:* qhivert ([email protected]) <[email protected]>
*Subject:* Re: [SOGo] Setting up OIDC for SOGo

Hi,

Now the OIDC login succeeds. Tokens are getting exchanged and SOGo is able to get 'email' and 'username' properly in the id_token and able to extract the same.

However, just after extracting the email and username from token, it again loops back and the same flow repeats many times finally failing the proper redirection.

/* OpenID Provider Configuration endpoint (mandatory) */
  SOGoOpenIdProviderURL   = "https://idam.indryve.org";
  SOGoOpenIdConfigUrl     = "https://idam.indryve.org/oauth2/oidcdiscovery/.well-known/openid-configuration";
  SOGoOpenIdClient        = "xxxxxx";
  SOGoOpenIdClientSecret  = "xxxxxxxx";

  /* e.g. "openid profile email" */
  SOGoOpenIdScope         = "openid profile email";
  /* claim that carries the mailbox/uid; defaults to email if unset */
  SOGoOpenIdLoginParam    = "username";
  SOGoOpenIdEmailParam    = "email";
  SOGoOpenIdRedirectURI   = "https://dav.indryve.org/SOGo/so/oidc/callback";

Above is the section of sogo.conf.

Is the SOGoOpenIdRedirectURI proper?

I am not able to understand why the login simply goes into a loop even after a proper OIDC exchange and getting proper username and email claims from the tokens.

Any guidance here?

Thanks n’ Regards,

Raghav



On 24/12/25 3:46 pm, qhivert ([email protected]) wrote:

    Here it is:

    canAuthenticate = NO;   /* OIDC handles auth */

    Switch that to YES. It is a bit misleading as this param is also
    used for authorization. So even if you have OIDC for auth, you
    still need to set this param at YES.

    Cheers,

    --
    Quentin Hivert || Alinto || R&D Lead Developer

    19 Quai Perrache 69002 Lyon

    www.alinto.com <http://www.alinto.com>

    *From:*[email protected] <[email protected]> *On Behalf Of *Anantha Raghava
    *Sent:* Wednesday 24 December 2025 11:05
    *To:* qhivert ([email protected]) <[email protected]>
    *Subject:* Re: [SOGo] Setting up OIDC for SOGo

    Hi,

    Thanks for quick response.

    Here is my sogo.conf

    {
      /* WebObjects / core runtime debugging */
      WODebuggingEnabled = YES;
      WOLogLevel = debug;

      /* Process & logging */
      WOWorkersCount = 1;
      WOPort = "0.0.0.0:20000";
      WOLogFile = "-";

      /* Timezone (optional but recommended) */
      SOGoTimeZone = "Asia/Kolkata";

      /* Cache (external memcached in Kubernetes) */
      SOGoMemcachedHost = "sogo-memcached.indryve-org.svc.cluster.local:11211";

      /* Database (PostgreSQL via single base URL + multiple logical stores) */
      SOGoProfileURL        = "postgresql://postgres:[email protected]:5432/sogo/sogo_user_profile";
      OCSFolderInfoURL      = "postgresql://postgres:[email protected]:5432/sogo/sogo_folder_info";
      OCSSessionsFolderURL  = "postgresql://postgres:[email protected]:5432/sogo/sogo_sessions_folder";
      OCSStoreURL           = "postgresql://postgres:[email protected]:5432/sogo/sogo_store";
      OCSAclURL             = "postgresql://postgres:[email protected]:5432/sogo/sogo_acl";
      OCSCacheFolderURL     = "postgresql://postgres:[email protected]:5432/sogo/sogo_cache_folder";
      OCSAdminURL           = "postgresql://postgres:[email protected]:5432/sogo/sogo_admin";


      /* ---------------------------
         AUTH: OpenID Connect (SSO)
         --------------------------- */
      SOGoAuthenticationType      = openid;
      SOGoXSRFValidationEnabled   = NO;

      /* DB URL used to store OpenID sessions (mandatory for OpenID) */
      OCSOpenIdURL = "postgresql://postgres:[email protected]:5432/sogo/sogo_openid";

      /* OpenID Provider Configuration endpoint (mandatory) */
      SOGoOpenIdConfigUrl     = "https://idam.indryve.org/oauth2/oidcdiscovery/.well-known/openid-configuration";
      SOGoOpenIdClient        = "xxxxxxxx";
      SOGoOpenIdClientSecret  = "xxxxxxxxxxxxx";

      /* e.g. "openid profile email" */
      SOGoOpenIdScope         = "openid profile email";
      /* claim that carries the mailbox/uid; defaults to email if unset */
      SOGoOpenIdEmailParam    = "email";
      SOGoOpenIdRedirectURI   = "https://dav.indryve.org/SOGo/so/oidc/callback";


      /* optional knobs */
      SOGoOpenIdEnableRefreshToken = YES;
      SOGoOpenIdTokenCheckInterval = 300;
      SOGoOpenIdLogoutEnabled      = YES;
      SOGoTrustProxy = YES;
      SOGoSecureCookies = YES;
      SOGoUseRelativeURLs = NO;
      SOGoForceExternalLoginWithHTTPS = YES;
      SOGoForceExternalLoginWithEmail = YES;
      SOGoDebugRequests = YES;
      SOGoDebugResponse = YES;
      SOGoMailDebugEnabled = YES;
      SOGoDebugOpenId = YES;

      /* If SOGo is used as webmail with OpenID, IMAP/SMTP need XOAUTH2.
         If you are Cal/Card only, keep these unset or disabled. */
      /* NGImap4AuthMechanism = xoauth2; */
      /* SOGoSMTPAuthenticationType = xoauth2; */

      /* Indryve: Calendar + Contacts */
      SOGoCalendarDAVAccessEnabled          = YES;
      SOGoAddressBookDAVAccessEnabled       = YES;
      SOGoAppointmentSendEMailNotifications = YES;

      SOGoPageTitle = "SOGo";
      SOGoPasswordChangeEnabled = NO;

      /* LDAP user source: Samba-AD (Address Book only) */
      SOGoUserSources = (
        {
          id              = "indryve-ad";
          type            = ldap;
          canAuthenticate = NO;   /* OIDC handles auth */
          isAddressBook   = YES;  /* directory/contacts source */

          CNFieldName     = "cn";
          IDFieldName     = "sAMAccountName";
          UIDFieldName    = "sAMAccountName";

          baseDN          = "DC=indryve,DC=demo";
          bindDN          = "CN=sogo_bind,OU=BindUsers,DC=indryve,DC=demo";
          bindPassword    = "xxxxxx";
          hostname        = "ldaps://ad.indryve.demo:636";

          filter          = "(objectClass=person)";
          MailFieldNames  = (mail);
          displayName     = "Indryve Directory";
          SSL             = YES;
        }
      );
    }

    Thanks n’ Regards,

    Raghav




    On 24/12/25 2:09 pm, qhivert ([email protected]) wrote:

        Hello,

        It means there is a mismatch between the info returned by your openid userinfo
        endpoint and your user source.

        Can you share your sogo.conf (mind the passwords and secrets in it)?

        The param

        SOGoOpenIdEmailParam = "email";

        tells SOGo where to get the user email in your userinfo endpoint.

        It must match the uid (or UIDFieldName) of your usersource. Be sure to have

        canAuthenticate = YES;

        in your user source

        You can add those to have more logs:

        SOGoDebugRequests = YES;

        SOGoOpenIDDebugEnabled = YES;

        Cheers,
