View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0005153||SOGo||Backend Mail||public||2020-09-08 18:14||2020-09-08 18:14|
|Platform||Solaris Zone||OS||Debian||OS Version||10|
|Summary||0005153: SAML2 login mapping|
I am trying to setup SOGo with SAML2 authentication (via Keycloak), but I'm experiencing some weird behaviour.
SOGo configuration is as follows:
When I try to login to SOGo it correctly redirects to the SSO page with a request, to which Keycloak responds nicely, for example:
As far as I can tell, this is all perfectly compliant.
The interesting part comes when I try to map a login attribute. Normally I log in to SOGo using the full email address (SOGoForceExternalLoginWithEmail = YES) with LDAP, so I tried to set
I tried a few different combinations of parameters, and it seems that the problem occurs when I try to map the login to a string that contains a '@', which would make sense considering that in the source code for SAML2 a string with '@' is treated differently and is sent to SOGoUserManager.
However, I necessarily need to have a '@' in the login attribute, so this breaks SAML2.
|Steps To Reproduce|
I had commented out SOGoUserSource to disable LDAP, but then I thought that maybe SOGoUserManager needed it to map it to the user uid so I enabled it again. This makes no difference.