View Issue Details

ID: 0006146
Project: SOGo
Category: Backend General
View Status: public
Last Update: 2025-09-05 08:28
Reporter: sobyaninyd
Assigned To: qhivert
Priority: high
Severity: block
Reproducibility: always
Status: assigned
Resolution: open
Platform: Debian 12
OS: Debian 12
OS Version: Debian 12
Product Version: 5.12.3
Summary: 0006146: OpenID&ADFS Can't get user email from profile because: no mail found
Description

In the logs I get an error when using AD FS as OpenID provider: [ERROR] <0x5583FC7BE930[SOGoOpenIdSession]:(null)> Can't get user email from profile because: no mail found

log SOGo:
Sep 04 20:07:29 sogod [19617]: |SOGo| looked up value: (null)
Sep 04 20:07:29 sogod [19617]: |SOGo| lookup in root object: (null)
Sep 04 20:07:29 sogod [19617]: |SOGo| GOT: (null)
Sep 04 20:07:29 sogod [19617]: |SOGo| matched appname: SOGo
Sep 04 20:07:29 sogod [19617]: |SOGo| => rewrote value: <SOGo[0x0x5583fc27c480]: name=SOGo>
Sep 04 20:07:29 sogod [19617]: |SOGo| lookup name: GET
Sep 04 20:07:29 sogod [19617]: [ERROR] <0x5583fc8064a0[SOGoOpenIdSession]:(null)> Can't get user email from profile because: no mail found
Sep 04 20:07:29 sogod [19617]: |SOGo| looked up value: <0x0x5583fc828510[SoPageInvocation]: class=SOGoRootPage bound instantiated product=<0x0x5583fc1d86e0[SoProduct]: loaded code-loaded bundle=/usr/lib/GNUstep/SOGo/MainUI.SOGo #classes=8 #categories=4 rm=0x0x5583fc1e20c0>>
Sep 04 20:07:29 sogod [19617]: |SOGo| GOT: <0x0x5583fc828510[SoPageInvocation]: class=SOGoRootPage bound instantiated product=<0x0x5583fc1d86e0[SoProduct]: loaded code-loaded bundle=/usr/lib/GNUstep/SOGo/MainUI.SOGo #classes=8 #categories=4 rm=0x0x5583fc1e20c0>>
Sep 04 20:07:29 sogod [19617]: [ERROR] <0x5583fc836c60[SOGoOpenIdSession]:(null)> Can't get user email from profile because: no mail found
Sep 04 20:07:30 sogod [19617]: [ERROR] <0x5583fc797840[SOGoOpenIdSession]:(null)> Can't get user email from profile because: no mail found
Sep 04 20:07:30 sogod [19617]: [ERROR] <0x5583fc806a80[SOGoOpenIdSession]:(null)> Can't get user email from profile because: no mail found
Sep 04 20:07:30 sogod [19617]: |SOGo| request took 0.870950 seconds to execute
Sep 04 20:07:30 sogod [19617]: 192.168.68.201 "GET /SOGo/?code=ABf8Gq3vUkO2Cse6lYOJjQ.5_Rih9Xr3Qh7AVDR8FXNoWamaKQ.WBN9MX396zx-66VvHhXY3B82yhTt4ZZbgVBVcRlamiJ_zkwaIhapmES-khNiN3dMR5OD3d35wLB75WKM8ZbdxgnHCNrv1KFx7I9eEeMCFBKke_fTUrZ1RvkptZctONvRJx69NuUGjMnYsOxZZ9FuWTS4RRSheKiCT6IGH5HzerdvpD3JfU143kmHv6v0HhIa8LE-wg5d-Zom0X9t1qzuQZzVO-4Uya39Di9-o8q9VySx9gwQ1-jee9TFOwawOZN0AOLYRiu6mVnPq5DBB6DGHAs2Ay9Ad3M5MgnqGicH-63DtglJGRlHBFgB3Evldqj_bH_hAWk1dv_rctVxGel8kA&state=16875f3e4c45a00a3b11983ccfa0e662fcdb0f80 HTTP/1.1" 302 0/0 0.873 - - 120K - 11
Sep 04 20:07:30 sogod [19617]: |SOGo| starting method 'GET' on uri '/SOGo/'
Sep 04 20:07:30 sogod [19617]: [ERROR] <0x5583fc7be930[SOGoOpenIdSession]:(null)> Can't get user email from profile because: no mail found
Sep 04 20:07:30 sogod [19617]: |SOGo| lookup name: SOGo
Sep 04 20:07:30 sogod [19617]: |SOGo| did not find key 'SOGo' in SoClass: <0x0x5583fc184a80[SoObjCClass]: super=0x0x5583fc183c70 objc=SOGo slots=passwordRecoveryEnabled,passwordRecoveryCheck,connect,casProxy,GET,Microsoft-Server-ActiveSync,view,index,SOGoAPI,passwordRecoveryEmail,connectName,saml2-signon-post,loading,openid_redirect,saml2-metadata,toolbar,passwordRecovery,saml2-sls,changePassword>

Log on the side of AD FS:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS" Guid="{2ffb687a-1571-4ace-8550-47ab5ccae2bc}" />
    <EventID>1020</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000001</Keywords>
    <TimeCreated SystemTime="2025-09-04T16:41:30.046233400Z" />
    <EventRecordID>151</EventRecordID>
    <Correlation ActivityID="{890621ec-5476-4483-370a-0080010000fd}" />
    <Execution ProcessID="1408" ThreadID="1840" />
    <Channel>AD FS/Admin</Channel>
    <Computer>cd1.rupost.xyz</Computer>
    <Security UserID="S-1-5-21-1587453395-1195599393-282800124-1104" />
  </System>
  <UserData>
    <Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
      <EventData>
        <Data>Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: Within a single client browser session, "6" requests were created in the last "9" seconds. Contact your administrator for more information. at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.UpdateLoopDetectionCookie(WrappedHttpListenerContext context) at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.ProcessCommonCookiesInLastAuthenticationStage(ProtocolContext context) at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthAuthorization.OAuthAuthorizationProtocolHandler.SendAuthorizationResponse(OAuthAuthorizationRequestContext authContext, OAuthAuthorizationResponseMessage authResponse)</Data>
      </EventData>
    </Event>
  </UserData>
</Event>

In the browser, when I contact SOGo, it redirects me to AD FS, where after authentication I end up in a redirect loop.

My config:
....
SOGoMailingMechanism = smtp;
NGImap4AuthMechanism = "xoauth2";
....
SOGoAuthenticationType = openid;
SOGoXSRFValidationEnabled = NO;
SOGoOpenIdConfigUrl = "https://sso.example.com/adfs/.well-known/openid-configuration";
SOGoOpenIdClient = "385de99b-52a2-9db2-ad60-6d645cb0ce05";
SOGoOpenIdClientSecret = "LoBmlaFytUoGeF1-kLiojVmvSsUZoWInxuTkSKam";
SOGoOpenIdScope = "openid profile email";
SOGoOpenIdEmailParam = "email";
SOGoOpenIdEnableRefreshToken = YES;
SOGoOpenIdTokenCheckInterval = 300;
SOGoOpenIdLogoutEnabled = YES;
OCSOpenIdURL = "postgresql://sogo:sogo@192.168.68.218:5432/sogo_data/sogo_openid";

Tags: No tags attached.

Activities

sobyaninyd (reporter), 2025-09-04 17:36

qhivert (administrator), 2025-09-05 06:39, note ~0018327

Hello,

It means SOGo properly fetched the user profile but didn't find the mail inside. A basic user profile is a dict like this:

{
"sub":"70a3e6a1-37cf-4cf6-b114-6973aabca86a",
"email_verified":false,
"name":"Foo Bar",
"preferred_username":"myuser",
"given_name":"Foo",
"family_name":"Bar",
"email":"myuser@user.com"
}
To set which key is the mail one, you can set this parameter in your sogo.conf
SOGoOpenIdEmailParam = "email";

Can you add this to your sogo.conf to get more logs? It will show the user profile result.
SOGoOpenIDDebugEnabled = YES;

sobyaninyd (reporter), 2025-09-05 08:28, note ~0018328

In the log I see the following:
2025-09-05 10:20:57.207 sogod[25732:25732] OpenId perform request: GET https://sso.example.com/adfs/userinfo
2025-09-05 10:20:57.207 sogod[25732:25732] OpenId perform request, headers {authorization = "Bearer <token>"; "content-type" = "application/x-www-form-urlencoded"; }
2025-09-05 10:20:57.207 sogod[25732:25732] OpenId perform request, body raw (null)
2025-09-05 10:20:57.277 sogod[25732:25732] OpenId perform request: response is: <SimpleOpenIdResponse> <status: 200>, <headers: HTTP/2 200
content-length: 0
content-type: text/html; charset=utf-8
server: Microsoft-HTTPAPI/2.0
strict-transport-security: max-age = 31536000
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
content-security-policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;
date: Fri, 05 Sep 2025 07:20:56 GMT

, <content: >
Sep 05 10:20:57 sogod [25732]: [ERROR] <0x55ac8a247670[SOGoOpenIdSession]:(null)> Can't get user email from profile because: no mail found

The token contains the following information:
{
"aud": "microsoft:identityserver:385de95b-52a2-4db2-ad60-6d326cb0bd05",
"iss": "http://sso.example.com/adfs/services/trust",
"iat": 1757060637,
"nbf": 1757060637,
"exp": 1757064237,
"email": "sobyaninyd@example.com",
"upn": "sobyaninyd@example.com",
"preferred_username": "sobyaninyd",
"apptype": "Confidential",
"appid": "385de95b-52a2-4db2-ad60-6d326cb0bd05",
"authmethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
"auth_time": "2025-09-05T08:23:52.144Z",
"ver": "1.0",
"scp": "allatclaims email profile openid"
}

Also in the logs there is an access_token, which contains the same thing as in authorization = "Bearer <token>".

id_token:
{
"aud": "385de95b-52a2-4db2-ad60-6d326cb0bd05",
"iss": "https://sso.example.com/adfs",
"iat": 1757060639,
"nbf": 1757060639,
"exp": 1757064239,
"auth_time": 1757060632,
"sub": "yiB7NrFulQsF/RRA4CjktR0yPUVuEyRyzhI2fyiqYMk=",
"unique_name": "DOMAIN\sobyaninyd",
"sid": "S-1-5-21-1587453395-1195599393-282800124-1103",
"upn": "sobyaninyd@example.com",
"email": "sobyaninyd@example.com",
"preferred_username": "sobyaninyd",
"apptype": "Confidential",
"appid": "385de95b-52a2-4db2-ad60-6d326cb0bd05",
"authmethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
"ver": "1.0",
"scp": "allatclaims email profile openid"
}

i.e. this is the information received when accessing https://sso.example.com/adfs/oauth2/token (see screenshot)

image.png (693,338 bytes)
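The failure chain this thread shows, as an added Python example that is neither SOGo's code nor anything posted by the reporter or the maintainer: the userinfo call returns HTTP 200 with an empty text/html body, so the profile dict the maintainer describes has no mail key and the lookup fails with "no mail found", while the id_token the reporter decoded already carries both email and upn. The userinfo reply and the id_token claims below are constructed from the values in this report; the id_token is an unsigned JWT built inline for illustration only; and the fallback from userinfo to id_token claims (after checking iss, aud, exp and nbf) is the example's own approach, not a documented SOGo behaviour. The mail key is read through the same name that SOGoOpenIdEmailParam configures.

```python
# Added example (not SOGo's code, not from the reporter or maintainer): reproduces
# the failure mode in this report and shows a fallback an OIDC client can take.
# All inputs are constructed to mirror the report. The id_token below is an
# unsigned (alg=none) JWT built here for illustration only; a real client must
# verify the signature against the provider's JWKS before trusting any claim.
import base64
import json
import time

CLIENT_ID = "385de95b-52a2-4db2-ad60-6d326cb0bd05"  # the report's id_token "aud"
ISSUER = "https://sso.example.com/adfs"              # the report's id_token "iss"

# Constructed: the userinfo reply the report's debug log shows (200, empty body).
USERINFO_RESPONSE = (
    200,
    {"content-type": "text/html; charset=utf-8", "content-length": "0"},
    "",
)

# Constructed: the claims the report shows inside the id_token.
ID_TOKEN_CLAIMS = {
    "aud": CLIENT_ID, "iss": ISSUER,
    "iat": 1757060639, "nbf": 1757060639, "exp": 1757064239,
    "sub": "yiB7NrFulQsF/RRA4CjktR0yPUVuEyRyzhI2fyiqYMk=",
    "upn": "sobyaninyd@example.com", "email": "sobyaninyd@example.com",
    "preferred_username": "sobyaninyd",
}


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_unsigned_jwt(payload):
    # Illustration only: header.payload with an empty signature segment.
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(payload).encode())}."


ID_TOKEN = make_unsigned_jwt(ID_TOKEN_CLAIMS)


def parse_userinfo(status, headers, body):
    """Turn a userinfo HTTP reply into a profile dict.

    An empty body (the report's case) yields {} instead of an exception, so the
    caller can tell "provider returned no profile" apart from a transport error.
    """
    if status != 200:
        raise ValueError(f"userinfo endpoint returned HTTP {status}")
    if not body.strip():
        return {}
    if not headers.get("content-type", "").lower().startswith("application/json"):
        raise ValueError("userinfo body is not JSON")
    return json.loads(body)


def email_from_profile(profile, email_param="email"):
    """The lookup SOGoOpenIdEmailParam configures: read one key out of the profile."""
    value = profile.get(email_param)
    if not value:
        raise LookupError("no mail found")
    return value


def claims_from_id_token(token, expected_aud, expected_iss, now=None):
    """Decode the id_token payload and check iss/aud/exp/nbf before using it.

    Signature verification is deliberately left out (see the module comment);
    without it none of these claims may be trusted in production.
    """
    _header, payload, _sig = token.split(".")
    claims = json.loads(b64url_decode(payload))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != expected_iss:
        raise ValueError("id_token issuer mismatch")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("id_token audience mismatch")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("id_token expired")
    if now < int(claims.get("nbf", 0)):
        raise ValueError("id_token not yet valid")
    return claims


def resolve_email(userinfo_response, id_token, client_id, issuer,
                  email_param="email", now=None):
    """Prefer the userinfo profile; if it has no mail key, fall back to the id_token.

    Returns (email, source) so a log line can say where the address came from.
    """
    profile = parse_userinfo(*userinfo_response)
    try:
        return email_from_profile(profile, email_param), "userinfo"
    except LookupError:
        claims = claims_from_id_token(id_token, client_id, issuer, now)
        return email_from_profile(claims, email_param), "id_token"


if __name__ == "__main__":
    print(resolve_email(USERINFO_RESPONSE, ID_TOKEN, CLIENT_ID, ISSUER, now=1757060700))
```

With the report's inputs the address is resolved from the id_token. The point for the bug itself: a client that reads only the userinfo profile will log "no mail found" against a provider that returns an empty profile, then send the browser back to the authorization endpoint, and repeated round trips within a few seconds are exactly what the MSIS7042 loop-detection event above records. Whichever source the mail comes from, the id_token signature must be checked against the provider's JWKS first; this example omits that step.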

Issue History

Date Modified Username Field Change
2025-09-04 17:36 sobyaninyd New Issue
2025-09-04 17:36 sobyaninyd File Added: Снимок экрана 2025-09-04 в 22.36.22.png
2025-09-05 06:39 qhivert Note Added: 0018327
2025-09-05 06:39 qhivert Assigned To => qhivert
2025-09-05 06:39 qhivert Status new => feedback
2025-09-05 08:28 sobyaninyd Note Added: 0018328
2025-09-05 08:28 sobyaninyd File Added: image.png
2025-09-05 08:28 sobyaninyd Status feedback => assigned