View Issue Details

ID: 0004441
Project: SOGo
Category: Web Mail
View Status: public
Last Update: 2018-04-27 15:30
Reporter: webtech
Assigned To: ludovic
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: no change required
Platform: AWS
OS: Ubuntu
OS Version: 16.04.4
Product Version: 3.2.10
Summary0004441: SAML login not working - nil value for key 'login' error
Description

Hi, I have a working instance of SOGo (MySQL) but am trying to configure SAML for SSO. I've got to the stage where the user gets redirected to the IDP (ADFS) and, having successfully logged in, the SAML response indicates success:

<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>

and the user's email address, which I assume is what the response should be?:

<Subject><NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">test@domain.org</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="_6BDEA4EADDCD9E52A36A32A2508CA6D2" NotOnOrAfter="2018-04-06T06:35:43.207Z" Recipient="https://test.domain.org/SOGo/saml2-signon-post"/></SubjectConfirmation></Subject>

I get an "HTTP/2.0 501 Not Implemented" error and the following entry in sogo.log:

NAME:NSInvalidArgumentException REASON:Tried to add nil value for key 'login' to dictionary

Any help would be much appreciated.

TagsNo tags attached.

Activities

ckreutzer

2018-04-07 07:13

reporter   ~0012812

Can you please share your config?
The error occurs when the attribute you defined as uid is not found in the SAML response.

ckreutzer

2018-04-07 07:35

reporter   ~0012813

This is still valid:
https://lists.inverse.ca/sogo/arc/users/2016-10/msg00100.html

webtech

2018-04-07 17:40

reporter   ~0012814

I was using that post for guidance.

/* SAML */
SOGoAuthenticationType = saml2;
NGImap4AuthMechanism = PLAIN;
SOGoSAML2PrivateKeyLocation = "/etc/sogo/saml.pem";
SOGoSAML2CertificateLocation = "/etc/sogo/saml.crt";
SOGoSAML2IdpMetadataLocation = "/etc/sogo/FederationMetadata.xml";
SOGoSAML2IdpPublicKeyLocation = "/etc/sogo/idp.crt";
SOGoSAML2IdpCertificateLocation = "/etc/ssl/certs/";
SOGoSAML2LoginAttribute = "mail";
SOGoSAML2LogoutEnabled = YES;
SOGoSAML2LogoutURL = "https://example.com";

This is what's being sent in the response:
<Subject><NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">test@domain.org</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="_6BDEA4EADDCD9E52A36A32A2508CA6D2" NotOnOrAfter="2018-04-06T06:35:43.207Z" Recipient="https://test.domain.org/SOGo/saml2-signon-post"/></SubjectConfirmation></Subject>

i.e. the user's email address

ckreutzer

2018-04-07 18:57

reporter   ~0012815

Well, I think the problem is that you're getting a Subject, but SOGo expects a full Assertion (to my knowledge, a Subject is part of an Assertion).
Assertions also contain Attributes, and at least one attribute should be present for SOGo (mail in your case). The NameID of the Subject won't be used.

For an example of a full SAML Response (including an Assertion), you can take a look here: https://www.samltool.com/generic_sso_res.php
I don't know how to configure ADFS, though.

webtech

2018-04-07 23:03

reporter   ~0012816

I can see what you're saying. I've added an attribute, and the full (altered domain names) SAML response is below:

<samlp:Response ID="_6a1b22b2-198a-48d4-8a4c-5d00cfcc74e7"
                Version="2.0"
                IssueInstant="2018-04-07T22:55:01.670Z"
                Destination="https://webmail.testdomain.org/SOGo/saml2-signon-post"
                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                InResponseTo="_9A8FF669DA978BA59B608AF1BE803AA4"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://sso.testdomain.org/adfs/services/trust</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <Assertion ID="_d643a153-9f73-4f52-8347-428274badada"
             IssueInstant="2018-04-07T22:55:01.670Z"
             Version="2.0"
             xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>http://sso.testdomain.org/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="#_d643a153-9f73-4f52-8347-428274badada">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <ds:DigestValue>fDOWgZwx3I1T4QCzOb4k2BPPc9c=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>FdFslI9Q0F7x4AJ88UcqsS+wSPw4+lsx9Cfad3wwBydwUboV/Z8RSsX5GJiFR5pxAaXIFM2HQytUyVkAzmtxvTz9L6b+s54kqzCFVxJC93qjP01NpwvyNu6JST40AOWu1705czJ8gzSQ2Qay3v65Drk5XR8aY1bTakr8dREN7bUkchaNPfgVD7cL3F+tFrT+TGNxxH68XcDR9o2EYZrMMcRQPB9jE5k6pghuFWoBDxFbjsq8kWiG+/02pz3s4/XptXwOPOSdcHjPkO5D/B4EMKwyC+B5sTczoqzxhFn4QDH1rZxq6+wvkLouwZThJyIso+Wfn4f+SORl5lY1GnD2xQ==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>[X509 certificate elided]</ds:X509Certificate>
        </ds:X509Data>
      </KeyInfo>
    </ds:Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">webtech@testdomain.org</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="_9A8FF669DA978BA59B608AF1BE803AA4"
                                 NotOnOrAfter="2018-04-07T23:00:01.670Z"
                                 Recipient="https://webmail.testdomain.org/SOGo/saml2-signon-post" />
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2018-04-07T22:55:01.670Z"
                NotOnOrAfter="2018-04-07T23:55:01.670Z">
      <AudienceRestriction>
        <Audience>https://webmail.testdomain.org/SOGo/saml2-metadata</Audience>
      </AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
                 a:OriginalIssuer="https://sts.testdomain.org/"
                 xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
        <AttributeValue>webtech@testdomain.org</AttributeValue>
      </Attribute>
    </AttributeStatement>
    <AuthnStatement AuthnInstant="2018-04-07T22:55:00.531Z"
                    SessionIndex="_d643a153-9f73-4f52-8347-428274badada">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>

ckreutzer

2018-04-08 12:26

reporter   ~0012817

Thanks for sharing.

The problem is that SOGo cannot find an Attribute called "mail", because ADFS calls it "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress". You can try to set that value as SOGoSAML2LoginAttribute, or you somehow need to rename the Attribute that is sent. The latter works with SimpleSAMLphp for me, but I think it will be harder in ADFS.
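As an added illustration (not code from this ticket, from SOGo, or from the commenters), the following Python mirrors the lookup the thread describes for both earlier notes: the login is taken from the Attribute whose Name equals SOGoSAML2LoginAttribute inside the Assertion's AttributeStatement, the Subject NameID is not consulted, a response carrying only a Subject yields nothing, and an attribute name that does not match (here "mail" against the ADFS claim URI) yields the nil login behind the "nil value for key 'login'" log entry. The two sample responses are constructed, the function names are hypothetical, and signature verification is assumed to have passed before any attribute is read.

```python
"""Resolve the SOGo login from a SAML 2.0 Response by attribute name.

Constructed illustration; not SOGo's own code. Signature validation of the
Assertion is assumed to have happened before this lookup is trusted.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# The attribute name ADFS uses for the e-mail claim (as seen in the ticket).
ADFS_EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample shaped like the ADFS response in the ticket (signature omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_r1">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user@example.test</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>user@example.test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample with only a Subject, like the reporter's first capture.
SAMPLE_SUBJECT_ONLY = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_r2">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user@example.test</saml:NameID>
  </saml:Subject>
</samlp:Response>"""


def assertion_attributes(response_xml):
    """Return {attribute name: [values]} from the first Assertion.

    Raises ValueError if the status is not Success or no Assertion is present.
    """
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("SAML status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # A bare Subject outside an Assertion carries no AttributeStatement.
        raise ValueError("Response carries no Assertion")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def login_from_response(response_xml, login_attribute):
    """Return (login, reason); login is None when the lookup fails.

    The None case is what surfaces as "nil value for key 'login'" in sogo.log.
    """
    try:
        attrs = assertion_attributes(response_xml)
    except ValueError as exc:
        return None, str(exc)
    values = attrs.get(login_attribute)
    if not values:
        return None, f"attribute {login_attribute!r} not found; present: {sorted(attrs)}"
    return values[0], "ok"


if __name__ == "__main__":
    for xml, name in ((SAMPLE_SUBJECT_ONLY, "mail"),
                      (SAMPLE_RESPONSE, "mail"),
                      (SAMPLE_RESPONSE, ADFS_EMAIL_CLAIM)):
        print(login_from_response(xml, name))
```

Run it as a script to see the three outcomes in order: no Assertion, attribute "mail" absent (with the names that are present listed, which is the quickest way to spot the claim URI you need in SOGoSAML2LoginAttribute), and a successful login.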

webtech

2018-04-09 08:26

reporter   ~0012818

Yes, setting it to "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" worked; I should really have worked that out myself. The next problem is the login to Dovecot, which looks like it's going to be a challenge.

heupink

2018-04-09 13:25

reporter   ~0012820

For Dovecot, you could try: https://github.com/ck-ws/pam-script-saml/

Created and offered to us by ckreutzer himself :-)

webtech

2018-04-13 14:04

reporter   ~0012839

Last edited: 2018-04-13 14:06

Got it working eventually; thanks for your assistance. A gotcha for those using iRedMail is the CSRF protection option, which caught me out for a while.

Please close the ticket - I don't seem to be able to.

Issue History

Date Modified Username Field Change
2018-04-06 12:28 webtech New Issue
2018-04-07 07:13 ckreutzer Note Added: 0012812
2018-04-07 07:35 ckreutzer Note Added: 0012813
2018-04-07 17:40 webtech Note Added: 0012814
2018-04-07 18:57 ckreutzer Note Added: 0012815
2018-04-07 23:03 webtech Note Added: 0012816
2018-04-08 12:26 ckreutzer Note Added: 0012817
2018-04-09 08:26 webtech Note Added: 0012818
2018-04-09 13:25 heupink Note Added: 0012820
2018-04-13 14:04 webtech Note Added: 0012839
2018-04-13 14:06 webtech Note Edited: 0012839
2018-04-27 15:30 ludovic Status new => closed
2018-04-27 15:30 ludovic Assigned To => ludovic
2018-04-27 15:30 ludovic Resolution open => no change required