| Field | Value |
|---|---|
| ID | 0004441 |
| Project | SOGo |
| Category | Web Mail |
| View Status | public |
| Date Submitted | 2018-04-06 12:28 |
| Last Update | 2018-04-27 15:30 |
| Reporter | webtech |
| Assigned To | ludovic |
| Priority | normal |
| Severity | major |
| Reproducibility | always |
| Status | closed |
| Resolution | no change required |
| Platform | AWS |
| OS | Ubuntu |
| OS Version | 16.04.4 |
| Product Version | 3.2.10 |
| Tags | No tags attached. |

Summary: 0004441: SAML login not working - nil value for key 'login' error

Description (webtech):

Hi, I have a working instance of SOGo (MySQL) but am trying to configure SAML for SSO. I've got to the stage that the user gets redirected to the IDP (ADFS) and, having successfully logged in, the SAML response indicates success:

```xml
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
```

and the user's email address, which I assume is what the response should be?:

```xml
<Subject><NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">test@domain.org</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="_6BDEA4EADDCD9E52A36A32A2508CA6D2" NotOnOrAfter="2018-04-06T06:35:43.207Z" Recipient="https://test.domain.org/SOGo/saml2-signon-post"/></SubjectConfirmation></Subject>
```

I get a "HTTP/2.0 501 Not Implemented" error and the following entry in sogo.log:

```
NAME:NSInvalidArgumentException REASON:Tried to add nil value for key 'login' to dictionary
```

Any help would be much appreciated.
ckreutzer (note 0012812): Can you please share your config?

ckreutzer (note 0012813): This is still valid:

webtech (note 0012814): I was using that post for guidance. / SAML / This is what's being sent in the response: i.e. the user's email address

ckreutzer (note 0012815): Well, I think the problem is that you're getting a Subject, but SOGo expects a full Assertion (to my knowledge, a Subject is part of an Assertion). For an example of a full SAML Response (including an Assertion), you can take a look here: https://www.samltool.com/generic_sso_res.php

webtech (note 0012816): I can see what you're saying. I've added an attribute and the full (altered domain names) SAML response is below:

```xml
<samlp:Response ID="_6a1b22b2-198a-48d4-8a4c-5d00cfcc74e7"
```

ckreutzer (note 0012817): Thanks for sharing. The problem is that SOGo cannot find an Attribute called "mail", because ADFS calls it "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress". You can try to set that value as SOGoSAML2LoginAttribute, or you somehow need to rename the Attribute that is sent. The latter works with SimpleSAMLphp for me, but I think it will be harder in ADFS.

webtech (note 0012818): Yes, setting it to "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" worked; I should really have worked that out myself. Next problem is the login to Dovecot, which looks like it's going to be a challenge.

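The attribute lookup ckreutzer describes above (SOGoSAML2LoginAttribute has to name an Attribute the IdP actually sends, and a Subject-only assertion carries none), as an added example that is not SOGo's code: a small Python parser over a constructed, unsigned SAML Response. The function names, the constructed response and its ids are assumptions; the ADFS claim URI and the Success status URN are the ones quoted in the thread. The `diagnose` function shows the log line a defender would rather see than the "nil value for key 'login'" exception.

```python
"""Attribute lookup on a SAML Response: the step SOGoSAML2LoginAttribute configures.

Added example, not SOGo's code. Only the attribute/Subject handling is modelled;
a real SP validates the signature, Conditions and InResponseTo before this step
and should parse untrusted XML with defusedxml rather than the stdlib parser.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# The name ADFS gives the e-mail claim (quoted in the thread above).
ADFS_EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def build_response(attributes, status=SUCCESS):
    """Constructed, unsigned SAML Response for the demo (ids and times are made up).

    `attributes` maps Attribute Name -> AttributeValue; an empty dict yields a
    Subject-only assertion like the one in the original report.
    """
    attr_xml = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
        '</saml:AttributeValue></saml:Attribute>'
        for name, value in attributes.items()
    )
    statement = f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>' if attr_xml else ''
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        'ID="_demo-response" Version="2.0" IssueInstant="2018-04-06T06:30:43Z">'
        f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>'
        '<saml:Assertion ID="_demo-assertion" Version="2.0" IssueInstant="2018-04-06T06:30:43Z">'
        '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">'
        'test@domain.org</saml:NameID></saml:Subject>'
        f'{statement}'
        '</saml:Assertion></samlp:Response>'
    )


def status_code(root):
    """Value of samlp:Status/samlp:StatusCode, or None if it is missing."""
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    return code.get("Value") if code is not None else None


def attribute_names(xml_text):
    """Every Attribute Name carried in the assertion, in document order."""
    root = ET.fromstring(xml_text)
    return [a.get("Name") for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)]


def login_from_response(xml_text, login_attribute):
    """Value of the configured login attribute, or None when it is absent.

    None is exactly the situation that surfaced as the 'nil value for key
    login' exception: the SP looked for "mail" and ADFS had sent the claim URI.
    """
    root = ET.fromstring(xml_text)
    if status_code(root) != SUCCESS:
        return None
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == login_attribute:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text and value.text.strip():
                return value.text.strip()
    return None


def diagnose(xml_text, login_attribute):
    """A log line that names the mismatch instead of crashing on a nil login."""
    root = ET.fromstring(xml_text)
    code = status_code(root)
    if code != SUCCESS:
        return f"IdP reported failure: {code or 'no StatusCode'}"
    login = login_from_response(xml_text, login_attribute)
    if login is not None:
        return f"login={login}"
    names = attribute_names(xml_text)
    if not names:
        return ("assertion carries no attributes (Subject only); "
                "configure the IdP to release a login attribute")
    return f"attribute {login_attribute!r} not found; assertion carries {names}"


if __name__ == "__main__":
    response = build_response({ADFS_EMAIL_CLAIM: "test@domain.org"})
    print(diagnose(response, "mail"))             # the failing configuration
    print(diagnose(response, ADFS_EMAIL_CLAIM))   # the fix from the thread
    print(diagnose(build_response({}), "mail"))   # the Subject-only first attempt
```

Run as a script it prints the three situations from the thread in order: the "mail" lookup failing against an ADFS-style assertion, the same assertion succeeding once the claim URI is configured, and the Subject-only response carrying no attributes at all. Listing the attribute names the IdP actually sent is what turns a 501 with an opaque exception into a one-line configuration fix.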
heupink (note 0012820): For Dovecot, you could try: https://github.com/ck-ws/pam-script-saml/ Created and offered to us by ckreutzer himself :-)

webtech (note 0012839): Got it working eventually; thanks for your assistance. Gotcha for those using iRedMail is the CSRF protection option that caught me out for a while. Please close the ticket; I don't seem to be able to.

Date Modified | Username | Field | Change |
---|---|---|---|
2018-04-06 12:28 | webtech | New Issue | |
2018-04-07 07:13 | ckreutzer | Note Added: 0012812 | |
2018-04-07 07:35 | ckreutzer | Note Added: 0012813 | |
2018-04-07 17:40 | webtech | Note Added: 0012814 | |
2018-04-07 18:57 | ckreutzer | Note Added: 0012815 | |
2018-04-07 23:03 | webtech | Note Added: 0012816 | |
2018-04-08 12:26 | ckreutzer | Note Added: 0012817 | |
2018-04-09 08:26 | webtech | Note Added: 0012818 | |
2018-04-09 13:25 | heupink | Note Added: 0012820 | |
2018-04-13 14:04 | webtech | Note Added: 0012839 | |
2018-04-13 14:06 | webtech | Note Edited: 0012839 | |
2018-04-27 15:30 | ludovic | Status | new => closed |
2018-04-27 15:30 | ludovic | Assigned To | => ludovic |
2018-04-27 15:30 | ludovic | Resolution | open => no change required |