View Issue Details

ID: 0005761
Project: SOGo
Category: with SOGo
View Status: public
Last Update: 2023-06-01 13:31
Reporter: Alguna
Assigned To:
Priority: urgent
Severity: block
Reproducibility: always
Status: new
Resolution: open
Platform: Server
OS: Debian
OS Version: 11
Product Version: 5.8.2
Summary: 0005761: SSO with Keycloak for SAML 2.0 broken
Description

Hello,

I'm coming to you because I'm currently experiencing the same problem as tickets 0005270 and 0005153 but on the most recent versions.

When I set SOGoSAML2LoginAttribute = "mail", authenticate on Keycloak and am redirected to SOGo, I get a blank page. The logs return the following error:

xxxxxxxxxx 2023-04-19 06:28:10.845 sogod[419480:419480] EXCEPTION: <NSException: 0x56080c3bb030> NAME:NSInvalidArgumentException REASON:Tried to add nil value for key 'login' to dictionary INFO:{}

Thanks in advance for the help.

Steps To Reproduce
  • Install SOGo 5.8.2
  • Setup Keycloak
  • Configure SAML 2.0 in SOGo with the following values:
    [...]

    /* SAML */
    SOGoAuthenticationType = "saml2";
    SOGoSAML2CertificateLocation = "/etc/ssl/certs/cert-sogo.pem";
    SOGoSAML2PrivateKeyLocation = "/etc/ssl/private/priv-sogo.pem";

    SOGoSAML2IdpCertificateLocation = "/etc/ssl/certs/cert-keycloak.pem";
    SOGoSAML2IdpMetadataLocation = "/etc/ssl/idp-metadata.xml";
    SOGoSAML2IdpPublicKeyLocation = "/etc/ssl/certs/pub-keycloak.pem";

    SOGoSAML2LoginAttribute = "mail";
    SOGoSAML2LogoutEnabled = NO;
    SOGoSAML2LogoutURL = "https://toto.com/SOGo";

    [...]

  • Restart SOGo
  • Sign in with any valid user using SSO and experience the broken page
Additional Information

I have not linked SOGo to an LDAP directory yet. For testing purposes, I am currently using a user that was created in iRedAdmin (toto@toto.fr) and is also known to Keycloak. The authentication is going "well" since, having modified the mapping on the Keycloak side and using the "username" attribute on the SOGo side, I get the following error, in which I get the username of my user:

(process:263925): Lasso-CRITICAL **: 14:51:55.448: 2023-04-13 14:51:55 (profile.c/:942) Trying to unref a non GObject pointer file=profile.c:942 pointerbybname=profile->session pointer=0x560a1c4bae10
Apr 13 08:51:55 sogod [263925]: |SOGo| request took 0.012132 seconds to execute
Apr 13 08:51:55 sogod [263925]: 192.168.50.12 "POST /SOGo/saml2-signon-post HTTP/1.0" 302 0/13705 0.015 - - 0 - 13
Apr 13 08:51:55 sogod [263925]: |SOGo| starting method 'GET' on uri '/SOGo//toto'
Apr 13 08:51:55 sogod [263925]: |SOGo| request took 0.003966 seconds to execute
Apr 13 08:51:55 sogod [263925]: 192.168.50.12 "GET /SOGo//jdc HTTP/1.0" 302 0/0 0.005 - - 44K - 13
Apr 13 08:51:55 sogod [263925]: |SOGo| starting method 'POST' on uri '/SOGo/saml2-signon-post'

(on the front side, I loop on the authentication page of Keycloak)

Tags: saml, sogo, sso

Activities

sebastien

2023-05-02 15:40

administrator   ~0016933

Hi, you can get the stacktrace with an NSException breakpoint. Follow the instructions at https://www.sogo.nu/support/faq/how-do-i-debug-sogo.html for this.

Sebastien

Alguna

2023-05-02 15:58

reporter   ~0016934

Here is the stacktrace:

$ gdb --args /usr/sbin/sogod -WOUseWatchDog NO -WONoDetach YES -WOPort 127.0.0.1:20000 -WOWorkersCount 1 -WOLogFile - -WOPidFile /tmp/sogo.pid
GNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/sbin/sogod...
Reading symbols from /usr/lib/debug//usr/sbin/sogod...
(gdb) run
Starting program: /usr/sbin/sogod -WOUseWatchDog NO -WONoDetach YES -WOPort 127.0.0.1:20000 -WOWorkersCount 1 -WOLogFile - -WOPidFile /tmp/sogo.pid
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
May 02 11:54:54 sogod [747223]: version 5.8.2 (build @sogo-build.alinto.int 202305012257) -- starting
May 02 11:54:54 sogod [747223]: vmem size check enabled: shutting down app when vmem > 500 MB. Currently at 84 MB
May 02 11:54:54 sogod [747223]: <0x0x5555558a74c0[SOGoProductLoader]> SOGo products loaded from '/usr/lib/GNUstep/SOGo':
May 02 11:54:54 sogod [747223]: <0x0x5555558a74c0[SOGoProductLoader]> Mailer.SOGo, ActiveSync.SOGo, SchedulerUI.SOGo, MainUI.SOGo, PreferencesUI.SOGo, Appointments.SOGo, MailPartViewers.SOGo, AdministrationUI.SOGo, ContactsUI.SOGo, MailerUI.SOGo, Contacts.SOGo, CommonUI.SOGo
May 02 11:54:55 sogod [747223]: All products loaded - current memory usage at 94 MB
May 02 11:54:55 sogod [747223]: |SOGo| WOHttpAdaptor listening on address 127.0.0.1:20000
^C
Program received signal SIGINT, Interrupt.
0x00007ffff6b82cf3 in __GI___poll (fds=0x5555559d2f40, nfds=2, timeout=timeout@entry=29983) at ../sysdeps/unix/sysv/linux/poll.c:29
29 ../sysdeps/unix/sysv/linux/poll.c: No such file or directory.
(gdb) b [NSException raise]
Breakpoint 1 at 0x7ffff7080150: file NSException.m, line 1574.
(gdb) b abort
Breakpoint 2 at 0x7ffff6ab4414: -qualified abort. (2 locations)
(gdb) c
Continuing.
May 02 11:55:07 sogod [747223]: |SOGo| starting method 'GET' on uri '/SOGo/'
May 02 11:55:07 sogod [747223]: <0x0x555555b3d790[SOGoCache]> Cache cleanup interval set every 300.000000 seconds
May 02 11:55:07 sogod [747223]: <0x0x555555b3d790[SOGoCache]> Using host(s) '127.0.0.1' as server(s)
May 02 11:55:07 sogod [747223]: |SOGo| traverse(acquire): SOGo
May 02 11:55:07 sogod [747223]: |SOGo| do traverse name: 'SOGo'
May 02 11:55:07 sogod [747223]: |SOGo| set clientObject: <SOGo[0x0x55555599abc0]: name=SOGo>
May 02 11:55:08 sogod [747223]: [WARN] <0x0x7ffff7b33f60[WOxElemBuilder]> could not locate builders: WOxExtElemBuilder,WOxExtElemBuilder
May 02 11:55:08 sogod [747223]: |SOGo| request took 0.529974 seconds to execute
May 02 11:55:08 sogod [747223]: <0x0x555555853ff0[WOResponse]> Zipping of response disabled
May 02 11:55:08 sogod [747223]: 192.168.50.12 "GET /SOGo/ HTTP/1.0" 302 0/0 0.532 - - 3M - 11
May 02 11:55:14 sogod [747223]: |SOGo| starting method 'POST' on uri '/SOGo/saml2-signon-post'
May 02 11:55:14 sogod [747223]: |SOGo| traverse(acquire): SOGo => saml2-signon-post
May 02 11:55:14 sogod [747223]: |SOGo| do traverse name: 'SOGo'
May 02 11:55:14 sogod [747223]: |SOGo| do traverse name: 'saml2-signon-post'
May 02 11:55:14 sogod [747223]: |SOGo| set clientObject: <SOGo[0x0x55555599abc0]: name=SOGo>

Breakpoint 1, -[NSException raise] (self=0x555555a1af20, _cmd=0x7ffff7377a70 <_OBJC_SELECTOR_TABLE+528>) at NSException.m:1574
1574 NSException.m: No such file or directory.
(gdb) bt
#0 -[NSException raise] (self=0x555555a1af20, _cmd=0x7ffff7377a70 <_OBJC_SELECTOR_TABLE+528>) at NSException.m:1574
#1 0x00007ffff6fc05a5 in -[GSMutableDictionary setObject:forKey:] (self=0x555555a234c0, _cmd=<optimized out>, anObject=0x0, aKey=0x7ffff7fc6b20 <_OBJC_INSTANCE_15.4>) at GSDictionary.m:449
#2 0x00007ffff7f46103 in -[SOGoSAML2Session processAuthnResponse:] (self=0x5555556d8e60, _cmd=0x7ffff2a04af0 <_OBJC_SELECTOR_TABLE+720>, authnResponse=0x5555558763b0) at SOGoSAML2Session.m:469
#3 0x00007ffff29fa4d1 in -[SOGoSAML2Actions saml2SignOnPOSTAction] (self=0x555555db2f00, _cmd=0x555555724830) at SOGoSAML2Actions.m:175
#4 0x00007ffff79c0b19 in -[WODirectAction performActionNamed:] (self=0x555555db2f00, _cmd=0x7ffff7b8b360 <_OBJC_SELECTOR_TABLE+928>, _actionName=0x555555a31020) at WODirectAction.m:97
#5 0x00007ffff7a4ad97 in -[SoActionInvocation callOnObject:withPositionalParametersWhenNotNil:inContext:]
(self=0x555555dc0360, _cmd=0x7ffff7b8b390 <_OBJC_SELECTOR_TABLE+976>, _client=0x55555599abc0, _positionalArgs=0x0, _ctx=0x555555878910) at SoActionInvocation.m:300
#6 0x00007ffff7a4aebc in -[SoActionInvocation callOnObject:inContext:] (self=0x555555dc0360, _cmd=0x7ffff7b87900 <_OBJC_SELECTOR_TABLE+672>, _client=0x55555599abc0, _ctx=0x555555878910)
at SoActionInvocation.m:318
#7 0x00007ffff7a45762 in -[SoObjectMethodDispatcher dispatchInContext:] (self=0x555555dc03b0, _cmd=0x7ffff7b88fe0 <_OBJC_SELECTOR_TABLE+1536>, _ctx=0x555555878910) at SoObjectMethodDispatcher.m:192
#8 0x00007ffff7a47a67 in -[SoObjectRequestHandler handleRequest:inContext:session:application:]
(self=0x555555a89680, _cmd=0x7ffff7b09c30 <_OBJC_SELECTOR_TABLE+848>, _rq=0x555555ddc870, _ctx=0x555555878910, _sn=0x0, app=0x55555599abc0) at SoObjectRequestHandler.m:584
#9 0x00007ffff79d1c7a in -[WORequestHandler handleRequest:] (self=0x555555a89680, _cmd=0x7ffff7ad21b0 <_OBJC_SELECTOR_TABLE+1616>, _request=0x555555ddc870) at WORequestHandler.m:240
#10 0x00007ffff7994661 in -[WOCoreApplication dispatchRequest:usingHandler:] (self=0x55555599abc0, _cmd=0x7ffff7ad2200 <_OBJC_SELECTOR_TABLE+1696>, _request=0x555555ddc870, handler=0x555555a89680)
at WOCoreApplication.m:712
#11 0x00007ffff7994969 in -[WOCoreApplication dispatchRequest:] (self=0x55555599abc0, _cmd=0x5555555666c0 <_OBJC_SELECTOR_TABLE+1664>, _request=0x555555ddc870) at WOCoreApplication.m:752
#12 0x000055555555d45b in -[SOGo dispatchRequest:] (self=0x55555599abc0, _cmd=0x7ffff7b70180 <_OBJC_SELECTOR_TABLE+1760>, _request=0x555555ddc870) at SOGo.m:584
#13 0x00007ffff7a36622 in -[WOHttpTransaction _run] (self=0x555555d96990, _cmd=0x7ffff7b701b0 <_OBJC_SELECTOR_TABLE+1808>) at WOHttpTransaction.m:566
#14 0x00007ffff7a36982 in -[WOHttpTransaction run] (self=0x555555d96990, _cmd=0x7ffff7b6deb0 <_OBJC_SELECTOR_TABLE+1168>) at WOHttpTransaction.m:619
#15 0x00007ffff7a328a9 in -[WOHttpAdaptor runConnection:] (self=0x5555559ccf60, _cmd=0x7ffff7b6df50 <_OBJC_SELECTOR_TABLE+1328>, _socket=0x555555aacd40) at WOHttpAdaptor.m:373
#16 0x00007ffff7a32ab5 in -[WOHttpAdaptor _handleAcceptedConnection:] (self=0x5555559ccf60, _cmd=0x7ffff7b6df60 <_OBJC_SELECTOR_TABLE+1344>, _connection=0x555555aacd40) at WOHttpAdaptor.m:407
#17 0x00007ffff7a32ead in -[WOHttpAdaptor _handleConnection:] (self=0x5555559ccf60, _cmd=0x7ffff7b6e000 <_OBJC_SELECTOR_TABLE+1504>, connection=0x555555aacd40) at WOHttpAdaptor.m:466
#18 0x00007ffff7a332fe in -[WOHttpAdaptor acceptConnection:] (self=0x5555559ccf60, _cmd=0x7ffff7b6de70 <_OBJC_SELECTOR_TABLE+1104>, _notification=0x555555a22c40) at WOHttpAdaptor.m:527
#19 0x00007ffff70da604 in -[NSNotificationCenter _postAndRelease:] (self=0x5555557382c0, _cmd=<optimized out>, notification=0x555555a22c40) at NSNotificationCenter.m:1198
#20 0x00007ffff75ee8e4 in -[NSObject(FileObjectWatcher) receivedEvent:type:extra:forMode:]
(self=0x5555558b32f0, _cmd=0x7ffff74ad550 <_OBJC_SELECTOR_TABLE+304>, _fdData=0x5, _type=ET_RDESC, _extra=0x5, _mode=0x7ffff7429cf0 <_OBJC_INSTANCE_2>) at NSRunLoop+FileObjects.m:58
#21 0x00007ffff720298b in -[GSRunLoopCtxt pollUntil:within:] (self=<optimized out>, _cmd=0x7ffff7428ee0 <_OBJC_SELECTOR_TABLE+1184>, milliseconds=<optimized out>, contexts=0x555555aa8a40)
at GSRunLoopCtxt.m:600
#22 0x00007ffff712bfde in -[NSRunLoop acceptInputForMode:beforeDate:] (self=0x5555558b5e30, _cmd=0x7ffff7428f10 <_OBJC_SELECTOR_TABLE+1232>, mode=0x7ffff7429cf0 <_OBJC_INSTANCE_2>, limit_date=0x5555559cd3c0)
at NSRunLoop.m:1238
#23 0x00007ffff712bd74 in -[NSRunLoop runMode:beforeDate:] (self=0x5555558b5e30, _cmd=<optimized out>, mode=0x7ffff7429cf0 <_OBJC_INSTANCE_2>, date=0x5555559cd3c0) at NSRunLoop.m:1318
#24 0x00007ffff7993ec8 in -[WOCoreApplication run] (self=0x55555599abc0, _cmd=0x555555566420 <_OBJC_SELECTOR_TABLE+992>) at WOCoreApplication.m:584
#25 0x000055555555c664 in -[SOGo run] (self=0x55555599abc0, _cmd=0x7ffff7af4eb0 <_OBJC_SELECTOR_TABLE+208>) at SOGo.m:337
#26 0x00007ffff79bcf95 in WOApplicationMain (_appClassName=0x5555555641c0 <_OBJC_INSTANCE_3.1>, argc=13, argv=0x7fffffffec38) at WOApplicationMain.m:42
#27 0x00007ffff79dce04 in WOWatchDogApplicationMain (appName=0x5555555641c0 <_OBJC_INSTANCE_3.1>, argc=13, argv=0x7fffffffec38) at WOWatchDogApplicationMain.m:1049
#28 0x000055555555b2fe in main (argc=13, argv=0x7fffffffec38, env=0x7fffffffeca8) at sogod.m:51

Alguna

2023-05-02 16:01

reporter   ~0016935

Continuing in the debugger:

(gdb) c
Continuing.
2023-05-02 12:00:28.502 sogod[747223:747223] EXCEPTION: <NSException: 0x555555a1af20> NAME:NSInvalidArgumentException REASON:Tried to add nil value for key 'login' to dictionary INFO:{}
May 02 12:00:28 sogod [747223]: |SOGo| request took 313.570646 seconds to execute
May 02 12:00:28 sogod [747223]: <0x0x5555559dfcb0[WOResponse]> Zipping of response disabled

Breakpoint 1, -[NSException raise] (self=0x555555da9640, _cmd=0x7ffff76afa70 <_OBJC_SELECTOR_TABLE+560>) at NSException.m:1574
1574 in NSException.m
(gdb) c
Continuing.

sebastien

2023-05-02 17:49

administrator   ~0016936

Can you break with: b SOGoSAML2Session.m:469 and, when it breaks, type and give the results of:
po login, po identifier and po assertion?

Sebastien

Alguna

2023-05-03 08:14

reporter   ~0016938

Of course. Here is the result:

Breakpoint 1, -[SOGoSAML2Session processAuthnResponse:] (self=0x555555779c40, _cmd=0x7ffff2a04af0 <_OBJC_SELECTOR_TABLE+720>, authnResponse=0x555555dd3e20) at SOGoSAML2Session.m:469
469 SOGoSAML2Session.m: No such file or directory.
(gdb) po login
Cannot access memory at address 0x0
(gdb) po identifier
G-48ce26a2-414e-4775-aefc-5e342758b98e
(gdb) po assertion
<saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_abff876c-50cc-427c-b1d0-ba8b7b56034e" IssueInstant="2023-05-03T08:09:03.955Z" Version="2.0">
  <saml:Issuer>https://keycloak.b.test.com/realms/master</saml:Issuer>
  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <dsig:Reference URI="#ID_abff876c-50cc-427c-b1d0-ba8b7b56034e">
        <dsig:Transforms>
          <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <dsig:DigestValue>pE7ECpTIUbtPZodKZgjfKqbZQSuR2SOzfpyGPOXZjrc=</dsig:DigestValue>
      </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>[BASE64]</dsig:SignatureValue>
    <dsig:KeyInfo>
      <dsig:X509Data><dsig:X509Certificate>[BASE64]</dsig:X509Certificate></dsig:X509Data>
      <dsig:KeyValue><dsig:RSAKeyValue><dsig:Modulus>[BASE64]</dsig:Modulus><dsig:Exponent>AQAB</dsig:Exponent></dsig:RSAKeyValue></dsig:KeyValue>
    </dsig:KeyInfo>
  </dsig:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">G-48ce26a2-414e-4775-aefc-5e342758b98e</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_CF5E3966562F7B6C555F9B50697CBF04" NotOnOrAfter="2023-05-03T08:10:01.955Z" Recipient="https://192.168.50.15/SOGo/saml2-signon-post"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2023-05-03T08:09:01.955Z" NotOnOrAfter="2023-05-03T08:10:01.955Z">
    <saml:AudienceRestriction><saml:Audience>https://192.168.50.15/SOGo/saml2-metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2023-05-03T08:09:03.955Z" SessionIndex="a05ebe34-e3ae-4bd3-9956-926e1a5d07fe::578444e3-55a2-4e2d-b44f-5b876571bf39" SessionNotOnOrAfter="2023-05-03T18:09:03.955Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">toto@test.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">toto</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
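The assertion above carries two attributes, Name="email" and Name="username", while the configuration in the description sets SOGoSAML2LoginAttribute = "mail", and the breakpoint at SOGoSAML2Session.m:469 shows login as a NULL pointer. The following is an added example, not SOGo's code and not from the reporter or the SOGo project: it looks up the login attribute in that assertion the way a service provider has to, and fails with a message naming what the IdP actually sent instead of crashing on a nil value. It assumes, consistent with the evidence in this ticket, that the login attribute is matched against the SAML Attribute Name. The embedded assertion is a trimmed copy of the one printed by po assertion (signature removed, other values as shown); the checks of the time window, Audience and Recipient are the minimum an SP must make before trusting any attribute value, and XML signature verification is deliberately out of scope here.

```python
"""Added example (not SOGo's code): resolve the SAML login attribute and
validate the assertion's conditions before trusting it."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values taken from the assertion printed in the ticket (the SP in this setup).
SP_AUDIENCE = "https://192.168.50.15/SOGo/saml2-metadata"
SP_RECIPIENT = "https://192.168.50.15/SOGo/saml2-signon-post"

# Trimmed copy of the `po assertion` output from the ticket (constructed for
# this example: the dsig:Signature element is removed, everything else as shown).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ID_abff876c-50cc-427c-b1d0-ba8b7b56034e" IssueInstant="2023-05-03T08:09:03.955Z" Version="2.0">
  <saml:Issuer>https://keycloak.b.test.com/realms/master</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">G-48ce26a2-414e-4775-aefc-5e342758b98e</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_CF5E3966562F7B6C555F9B50697CBF04"
          NotOnOrAfter="2023-05-03T08:10:01.955Z" Recipient="https://192.168.50.15/SOGo/saml2-signon-post"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2023-05-03T08:09:01.955Z" NotOnOrAfter="2023-05-03T08:10:01.955Z">
    <saml:AudienceRestriction><saml:Audience>https://192.168.50.15/SOGo/saml2-metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>toto@test.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>toto</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml: str) -> dict:
    """Map each saml:Attribute Name to the list of its AttributeValue texts."""
    root = ET.fromstring(assertion_xml)
    out = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        out.setdefault(attr.get("Name"), []).extend(values)
    return out


def resolve_login(assertion_xml: str, login_attribute: str) -> str:
    """Return the value of the configured login attribute (SOGoSAML2LoginAttribute
    in this ticket). A missing attribute is a configuration mismatch between SP
    and IdP and must be reported as such, not passed on as a nil login."""
    attrs = attribute_values(assertion_xml)
    values = [v for v in attrs.get(login_attribute, []) if v]
    if not values:
        raise LookupError(
            f"login attribute {login_attribute!r} not present in assertion; "
            f"IdP sent attributes: {sorted(attrs)}")
    return values[0]


def _ts(value: str) -> datetime:
    """Parse the SAML UTC timestamps as emitted by Keycloak (millisecond precision)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def conditions_ok(assertion_xml: str, now_utc: str, audience: str, recipient: str) -> bool:
    """Time window, AudienceRestriction and bearer Recipient checks an SP must make
    before using any attribute. now_utc uses the same timestamp format as the
    assertion. Signature verification is assumed to have happened before this."""
    now = _ts(now_utc)
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if cond is None or scd is None:
        return False
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before is not None and now < _ts(not_before):
        return False
    if not_on_or_after is None or now >= _ts(not_on_or_after):
        return False
    # Bearer confirmation: the assertion must be addressed to this SP's ACS URL
    # and must not be replayed after its own expiry.
    if scd.get("Recipient") != recipient or now >= _ts(scd.get("NotOnOrAfter", not_on_or_after)):
        return False
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    return audience in audiences


if __name__ == "__main__":
    now = "2023-05-03T08:09:30.000Z"  # inside the window of the constructed assertion
    print("conditions ok:", conditions_ok(ASSERTION, now, SP_AUDIENCE, SP_RECIPIENT))
    for wanted in ("email", "username", "mail"):
        try:
            print(f"{wanted!r} -> {resolve_login(ASSERTION, wanted)!r}")
        except LookupError as exc:
            print(f"{wanted!r} -> error: {exc}")
```

Run against the assertion from the ticket, "email" and "username" resolve to toto@test.com and toto, while "mail" raises a LookupError listing ['email', 'username'], which is the mismatch to correct either in the Keycloak attribute mapper (SAML Attribute Name) or in SOGoSAML2LoginAttribute; the two names must agree exactly. The conditions check also rejects an assertion presented on or after NotOnOrAfter, with a Recipient other than this SP's ACS URL, or with an Audience that is not this SP.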

Issue History

Date Modified Username Field Change
2023-05-02 15:38 Alguna New Issue
2023-05-02 15:38 Alguna Tag Attached: saml
2023-05-02 15:38 Alguna Tag Attached: sogo
2023-05-02 15:38 Alguna Tag Attached: sso
2023-05-02 15:40 sebastien Note Added: 0016933
2023-05-02 15:58 Alguna Note Added: 0016934
2023-05-02 16:01 Alguna Note Added: 0016935
2023-05-02 17:49 sebastien Note Added: 0016936
2023-05-03 08:14 Alguna Note Added: 0016938