SOGo | BTS

View Issue Details

ID: 0004441
Project: SOGo
Category: Web Mail
View Status: public
Date Submitted: 2018-04-06 08:28
Last Update: 2018-04-13 10:06
Reporter: webtech
Assigned To: (none)
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Platform: AWS
OS: Ubuntu
OS Version: 16.04.4
Product Version: 3.2.10
Target Version: (none)
Fixed in Version: (none)
Summary: 0004441: SAML login not working - nil value for key 'login' error
Description:
Hi, I have a working instance of SOGo (MySQL) but am trying to configure SAML for SSO. I've got to the stage where the user gets redirected to the IDP (ADFS) and, having successfully logged in, the SAML response indicates success:

<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>

and the user's email address, which I assume is what the response should be?

<Subject><NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">test@domain.org</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="_6BDEA4EADDCD9E52A36A32A2508CA6D2" NotOnOrAfter="2018-04-06T06:35:43.207Z" Recipient="https://test.domain.org/SOGo/saml2-signon-post"/></SubjectConfirmation></Subject>

I get an "HTTP/2.0 501 Not Implemented" error and the following entry in sogo.log:

NAME:NSInvalidArgumentException REASON:Tried to add nil value for key 'login' to dictionary

Any help would be much appreciated.
Tags: No tags attached.
Attached Files


Notes
(0012812)
ckreutzer (reporter)
2018-04-07 03:13

Can you please share your config?
The error occurs when the attribute you defined as uid is not found in the SAML response.
(0012813)
ckreutzer (reporter)
2018-04-07 03:35

This is still valid:
https://lists.inverse.ca/sogo/arc/users/2016-10/msg00100.html
(0012814)
webtech (reporter)
2018-04-07 13:40

I was using that post for guidance.

/* SAML */
        SOGoAuthenticationType = saml2;
        NGImap4AuthMechanism = PLAIN;
        SOGoSAML2PrivateKeyLocation = "/etc/sogo/saml.pem";
        SOGoSAML2CertificateLocation = "/etc/sogo/saml.crt";
        SOGoSAML2IdpMetadataLocation = "/etc/sogo/FederationMetadata.xml";
        SOGoSAML2IdpPublicKeyLocation = "/etc/sogo/idp.crt";
        SOGoSAML2IdpCertificateLocation = "/etc/ssl/certs/";
        SOGoSAML2LoginAttribute = "mail";
        SOGoSAML2LogoutEnabled = YES;
        SOGoSAML2LogoutURL = "https://example.com";

This is what's being sent in the response:
<Subject><NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">test@domain.org</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="_6BDEA4EADDCD9E52A36A32A2508CA6D2" NotOnOrAfter="2018-04-06T06:35:43.207Z" Recipient="https://test.domain.org/SOGo/saml2-signon-post"/></SubjectConfirmation></Subject>

i.e. the user's email address.
(0012815)
ckreutzer (reporter)
2018-04-07 14:57

Well, I think the problem is that you're getting a Subject, but SOGo expects a full Assertion (to my knowledge, a Subject is part of an Assertion).
Assertions also contain Attributes, and at least one attribute should be contained for SOGo (mail in your case). The NameID of the Subject won't be used.

For an example of a full SAML Response (including an Assertion), you can take a look here: https://www.samltool.com/generic_sso_res.php
I don't know how to configure ADFS, though.
(0012816)
webtech (reporter)
2018-04-07 19:03

I can see what you're saying. I've added an attribute, and the full SAML response (with altered domain names) is below:

<samlp:Response ID="_6a1b22b2-198a-48d4-8a4c-5d00cfcc74e7"
                Version="2.0"
                IssueInstant="2018-04-07T22:55:01.670Z"
                Destination="https://webmail.testdomain.org/SOGo/saml2-signon-post"
                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                InResponseTo="_9A8FF669DA978BA59B608AF1BE803AA4"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://sso.testdomain.org/adfs/services/trust</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <Assertion ID="_d643a153-9f73-4f52-8347-428274badada"
             IssueInstant="2018-04-07T22:55:01.670Z"
             Version="2.0"
             xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>http://sso.testdomain.org/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="#_d643a153-9f73-4f52-8347-428274badada">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <ds:DigestValue>fDOWgZwx3I1T4QCzOb4k2BPPc9c=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>FdFslI9Q0F7x4AJ88UcqsS+wSPw4+lsx9Cfad3wwBydwUboV/Z8RSsX5GJiFR5pxAaXIFM2HQytUyVkAzmtxvTz9L6b+s54kqzCFVxJC93qjP01NpwvyNu6JST40AOWu1705czJ8gzSQ2Qay3v65Drk5XR8aY1bTakr8dREN7bUkchaNPfgVD7cL3F+tFrT+TGNxxH68XcDR9o2EYZrMMcRQPB9jE5k6pghuFWoBDxFbjsq8kWiG+/02pz3s4/XptXwOPOSdcHjPkO5D/B4EMKwyC+B5sTczoqzxhFn4QDH1rZxq6+wvkLouwZThJyIso+Wfn4f+SORl5lY1GnD2xQ==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>[X509 certificate omitted]</ds:X509Certificate>
        </ds:X509Data>
      </KeyInfo>
    </ds:Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">webtech@testdomain.org</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="_9A8FF669DA978BA59B608AF1BE803AA4"
                                 NotOnOrAfter="2018-04-07T23:00:01.670Z"
                                 Recipient="https://webmail.testdomain.org/SOGo/saml2-signon-post" />
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2018-04-07T22:55:01.670Z"
                NotOnOrAfter="2018-04-07T23:55:01.670Z">
      <AudienceRestriction>
        <Audience>https://webmail.testdomain.org/SOGo/saml2-metadata</Audience>
      </AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
                 a:OriginalIssuer="https://sts.testdomain.org/"
                 xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
        <AttributeValue>webtech@testdomain.org</AttributeValue>
      </Attribute>
    </AttributeStatement>
    <AuthnStatement AuthnInstant="2018-04-07T22:55:00.531Z"
                    SessionIndex="_d643a153-9f73-4f52-8347-428274badada">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>
(0012817)
ckreutzer (reporter)
2018-04-08 08:26

Thanks for sharing.

The problem is that SOGo cannot find an Attribute called "mail", because ADFS calls it "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress". You can try to set that value as SOGoSAML2LoginAttribute, or you somehow need to rename the Attribute that is sent. The latter works with SimpleSAMLphp for me, but I think it will be harder in ADFS.
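The mapping ckreutzer describes (the login comes from an Attribute in the Assertion's AttributeStatement whose Name equals SOGoSAML2LoginAttribute, and the Subject NameID is never consulted) is easy to check for yourself before touching the IdP. The following is an added example in Python, not SOGo's own code: it parses a constructed ADFS-style response, enforces the Conditions a service provider is expected to honour (validity window, Audience), and resolves the login attribute by name, failing with the list of attribute names actually sent when the configured one is missing. The response text, host names and identifiers are constructed placeholders; signature verification is deliberately out of scope here.

```python
"""Added example (not SOGo code): resolve the SAML login attribute from the
Assertion's AttributeStatement, the way the thread describes SOGo doing it."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# The attribute name ADFS uses for the e-mail claim (quoted in the thread).
ADFS_EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample, modelled on the ADFS response in the thread. Unsigned;
# host names and IDs are placeholders, not values from a real deployment.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2018-04-07T22:55:01.670Z" InResponseTo="_req1">
  <saml:Issuer>http://sso.example.invalid/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2018-04-07T22:55:01.670Z">
    <saml:Issuer>http://sso.example.invalid/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">alice@example.invalid</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2018-04-07T22:55:01.670Z" NotOnOrAfter="2018-04-07T23:55:01.670Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://webmail.example.invalid/SOGo/saml2-metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.invalid</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """Parse a SAML UTC timestamp such as 2018-04-07T22:55:01.670Z (Python 3.7+)."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def assertion_attributes(response_xml):
    """Map each Attribute Name in the Assertion's AttributeStatement(s) to its values."""
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise ValueError("IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # A bare <Subject> (as in the first post) is not enough: attributes live in the Assertion.
        raise ValueError("Response carries no Assertion")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_conditions(response_xml, expected_audience, now):
    """Enforce NotBefore/NotOnOrAfter and AudienceRestriction; 'now' is injected for testability."""
    cond = ET.fromstring(response_xml).find("saml:Assertion/saml:Conditions", NS)
    if cond is None:
        raise ValueError("Assertion has no Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before):
        raise ValueError("Assertion not yet valid")
    if not_on_or_after and now >= parse_saml_time(not_on_or_after):
        raise ValueError("Assertion has expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("Assertion not intended for this SP, audiences: %r" % audiences)
    return True


def resolve_login(response_xml, login_attribute):
    """Return the login value for the configured attribute name (SOGoSAML2LoginAttribute)."""
    attrs = assertion_attributes(response_xml)
    values = attrs.get(login_attribute)
    if not values or not values[0]:
        # This is the situation behind "Tried to add nil value for key 'login'":
        # the configured attribute is absent. Naming what *was* sent makes the fix obvious.
        raise LookupError("login attribute %r not in assertion; attributes present: %s"
                          % (login_attribute, sorted(attrs)))
    return values[0]


if __name__ == "__main__":
    now = parse_saml_time("2018-04-07T23:00:00Z")
    check_conditions(SAMPLE_RESPONSE, "https://webmail.example.invalid/SOGo/saml2-metadata", now)
    for name in ("mail", ADFS_EMAIL_CLAIM):
        try:
            print(name, "->", resolve_login(SAMPLE_RESPONSE, name))
        except LookupError as exc:
            print(name, "->", exc)
```

Run stand-alone, it shows the two outcomes discussed in the thread: with the attribute configured as "mail" the lookup fails and reports that only the ADFS emailaddress claim was sent, while configuring the full claim URI returns the address. The NameID is never read, so a response that carries the e-mail only there still fails.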
(0012818)
webtech (reporter)
2018-04-09 04:26

Yes, setting it to "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" worked - I should really have worked that out myself. The next problem is the login to Dovecot, which looks like it's going to be a challenge.
(0012820)
heupink (reporter)
2018-04-09 09:25

For Dovecot, you could try: https://github.com/ck-ws/pam-script-saml/

Created and offered to us by ckreutzer himself :-)
(0012839)
webtech (reporter)
2018-04-13 10:04
edited on: 2018-04-13 10:06

Got it working eventually - thanks for your assistance. A gotcha for those using iRedMail is the CSRF protection option, which caught me out for a while.

Please close the ticket - I don't seem to be able to.


Issue History
Date Modified Username Field Change
2018-04-06 08:28 webtech New Issue
2018-04-07 03:13 ckreutzer Note Added: 0012812
2018-04-07 03:35 ckreutzer Note Added: 0012813
2018-04-07 13:40 webtech Note Added: 0012814
2018-04-07 14:57 ckreutzer Note Added: 0012815
2018-04-07 19:03 webtech Note Added: 0012816
2018-04-08 08:26 ckreutzer Note Added: 0012817
2018-04-09 04:26 webtech Note Added: 0012818
2018-04-09 09:25 heupink Note Added: 0012820
2018-04-13 10:04 webtech Note Added: 0012839
2018-04-13 10:06 webtech Note Edited: 0012839

