View Issue Details

ID: 0006146
Project: SOGo
Category: Backend General
View Status: public
Last Update: 2025-09-11 08:24
Reporter: sobyaninyd
Assigned To: qhivert
Priority: high
Severity: block
Reproducibility: always
Status: feedback
Resolution: open
Platform: Debian 12
OS: Debian 12
OS Version: Debian 12
Product Version: 5.12.3
Summary: 0006146: OpenID & AD FS: Can't get user email from profile because: no mail found
Description

In the logs I get an error when using AD FS as OpenID provider: [ERROR] <0x5583fc7be930[SOGoOpenIdSession]:(null)> Can't get user email from profile because: no mail found

log SOGo:
Sep 04 20:07:29 sogod [19617]: |SOGo| looked up value: (null)
Sep 04 20:07:29 sogod [19617]: |SOGo| lookup in root object: (null)
Sep 04 20:07:29 sogod [19617]: |SOGo| GOT: (null)
Sep 04 20:07:29 sogod [19617]: |SOGo| matched appname: SOGo
Sep 04 20:07:29 sogod [19617]: |SOGo| => rewrote value: <SOGo[0x0x5583fc27c480]: name=SOGo>
Sep 04 20:07:29 sogod [19617]: |SOGo| lookup name: GET
Sep 04 20:07:29 sogod [19617]: [ERROR] <0x5583fc8064a0[SOGoOpenIdSession]:(null)> Can't get user email from profile because: no mail found
Sep 04 20:07:29 sogod [19617]: |SOGo| looked up value: <0x0x5583fc828510[SoPageInvocation]: class=SOGoRootPage bound instantiated product=<0x0x5583fc1d86e0[SoProduct]: loaded code-loaded bundle=/usr/lib/GNUstep/SOGo/MainUI.SOGo #classes=8 #categories=4 rm=0x0x5583fc1e20c0>>
Sep 04 20:07:29 sogod [19617]: |SOGo| GOT: <0x0x5583fc828510[SoPageInvocation]: class=SOGoRootPage bound instantiated product=<0x0x5583fc1d86e0[SoProduct]: loaded code-loaded bundle=/usr/lib/GNUstep/SOGo/MainUI.SOGo #classes=8 #categories=4 rm=0x0x5583fc1e20c0>>
Sep 04 20:07:29 sogod [19617]: [ERROR] <0x5583fc836c60[SOGoOpenIdSession]:(null)> Can't get user email from profile because: no mail found
Sep 04 20:07:30 sogod [19617]: [ERROR] <0x5583fc797840[SOGoOpenIdSession]:(null)> Can't get user email from profile because: no mail found
Sep 04 20:07:30 sogod [19617]: [ERROR] <0x5583fc806a80[SOGoOpenIdSession]:(null)> Can't get user email from profile because: no mail found
Sep 04 20:07:30 sogod [19617]: |SOGo| request took 0.870950 seconds to execute
Sep 04 20:07:30 sogod [19617]: 192.168.68.201 "GET /SOGo/?code=ABf8Gq3vUkO2Cse6lYOJjQ.5_Rih9Xr3Qh7AVDR8FXNoWamaKQ.WBN9MX396zx-66VvHhXY3B82yhTt4ZZbgVBVcRlamiJ_zkwaIhapmES-khNiN3dMR5OD3d35wLB75WKM8ZbdxgnHCNrv1KFx7I9eEeMCFBKke_fTUrZ1RvkptZctONvRJx69NuUGjMnYsOxZZ9FuWTS4RRSheKiCT6IGH5HzerdvpD3JfU143kmHv6v0HhIa8LE-wg5d-Zom0X9t1qzuQZzVO-4Uya39Di9-o8q9VySx9gwQ1-jee9TFOwawOZN0AOLYRiu6mVnPq5DBB6DGHAs2Ay9Ad3M5MgnqGicH-63DtglJGRlHBFgB3Evldqj_bH_hAWk1dv_rctVxGel8kA&state=16875f3e4c45a00a3b11983ccfa0e662fcdb0f80 HTTP/1.1" 302 0/0 0.873 - - 120K - 11
Sep 04 20:07:30 sogod [19617]: |SOGo| starting method 'GET' on uri '/SOGo/'
Sep 04 20:07:30 sogod [19617]: [ERROR] <0x5583fc7be930[SOGoOpenIdSession]:(null)> Can't get user email from profile because: no mail found
Sep 04 20:07:30 sogod [19617]: |SOGo| lookup name: SOGo
Sep 04 20:07:30 sogod [19617]: |SOGo| did not find key 'SOGo' in SoClass: <0x0x5583fc184a80[SoObjCClass]: super=0x0x5583fc183c70 objc=SOGo slots=passwordRecoveryEnabled,passwordRecoveryCheck,connect,casProxy,GET,Microsoft-Server-ActiveSync,view,index,SOGoAPI,passwordRecoveryEmail,connectName,saml2-signon-post,loading,openid_redirect,saml2-metadata,toolbar,passwordRecovery,saml2-sls,changePassword>

Log on the side of AD FS:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS" Guid="{2ffb687a-1571-4ace-8550-47ab5ccae2bc}" />
    <EventID>1020</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000001</Keywords>
    <TimeCreated SystemTime="2025-09-04T16:41:30.046233400Z" />
    <EventRecordID>151</EventRecordID>
    <Correlation ActivityID="{890621ec-5476-4483-370a-0080010000fd}" />
    <Execution ProcessID="1408" ThreadID="1840" />
    <Channel>AD FS/Admin</Channel>
    <Computer>cd1.rupost.xyz</Computer>
    <Security UserID="S-1-5-21-1587453395-1195599393-282800124-1104" />
  </System>
  <UserData>
    <Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
      <EventData>
        <Data>Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made "6" requests in the last "9" seconds. Contact your administrator for details. at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.UpdateLoopDetectionCookie(WrappedHttpListenerContext context) at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.ProcessCommonCookiesInLastAuthenticationStage(ProtocolContext context) at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthAuthorization.OAuthAuthorizationProtocolHandler.SendAuthorizationResponse(OAuthAuthorizationRequestContext authContext, OAuthAuthorizationResponseMessage authResponse)</Data>
      </EventData>
    </Event>
  </UserData>
</Event>

In the browser, when contacting SOGo, it redirects me to AD FS where, after authentication, I get into the redirect loop.

My config:
....
SOGoMailingMechanism = smtp;
NGImap4AuthMechanism = "xoauth2";
....
SOGoAuthenticationType = openid;
SOGoXSRFValidationEnabled = NO;
SOGoOpenIdConfigUrl = "https://sso.example.com/adfs/.well-known/openid-configuration";
SOGoOpenIdClient = "385de99b-52a2-9db2-ad60-6d645cb0ce05";
SOGoOpenIdClientSecret = "LoBmlaFytUoGeF1-kLiojVmvSsUZoWInxuTkSKam";
SOGoOpenIdScope = "openid profile email";
SOGoOpenIdEmailParam = "email";
SOGoOpenIdEnableRefreshToken = YES;
SOGoOpenIdTokenCheckInterval = 300;
SOGoOpenIdLogoutEnabled = YES;
OCSOpenIdURL = "postgresql://sogo:sogo@192.168.68.218:5432/sogo_data/sogo_openid";
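The sogod lines in the description show the loop from SOGo's side: each authorization-code callback on /SOGo/?code=... answers 302, the profile error follows, and the browser goes back to AD FS until AD FS's loop detection (MSIS7042) stops it. The script below is an added example, not SOGo code and not from the reporter: it classifies sogod log lines and flags a client that produces several such callbacks, each with a fresh state value, inside a short window. The sample lines are constructed from the ones above with the codes and states shortened, and the year is assumed because syslog timestamps omit it.

```python
"""Redirect-loop check over sogod log lines.

Added example for this report (not SOGo code). The sample lines are
constructed from the ones in the description, with the authorization codes
and state values shortened; the year is assumed because syslog lines omit it.
"""
import re
from datetime import datetime, timedelta

YEAR = 2025  # assumption: syslog timestamps carry no year

# Constructed sample: each authorization-code callback answers 302 and is
# followed by the same profile error, so the browser is sent back to AD FS.
SAMPLE_LOG = """\
Sep 04 20:07:29 sogod [19617]: |SOGo| starting method 'GET' on uri '/SOGo/'
Sep 04 20:07:29 sogod [19617]: [ERROR] <0x5583fc8064a0[SOGoOpenIdSession]:(null)> Can't get user email from profile because: no mail found
Sep 04 20:07:30 sogod [19617]: 192.168.68.201 "GET /SOGo/?code=AAAA.BBBB&state=16875f3e HTTP/1.1" 302 0/0 0.873 - - 120K - 11
Sep 04 20:07:30 sogod [19617]: [ERROR] <0x5583fc7be930[SOGoOpenIdSession]:(null)> Can't get user email from profile because: no mail found
Sep 04 20:07:31 sogod [19617]: 192.168.68.201 "GET /SOGo/?code=CCCC.DDDD&state=2a9b0c1d HTTP/1.1" 302 0/0 0.801 - - 120K - 11
Sep 04 20:07:31 sogod [19617]: [ERROR] <0x5583fc806a80[SOGoOpenIdSession]:(null)> Can't get user email from profile because: no mail found
Sep 04 20:07:32 sogod [19617]: 192.168.68.201 "GET /SOGo/?code=EEEE.FFFF&state=7c3d4e5f HTTP/1.1" 302 0/0 0.790 - - 120K - 11
Sep 04 20:07:40 sogod [19617]: 192.168.68.250 "GET /SOGo/?code=GGGG.HHHH&state=9f0e1d2c HTTP/1.1" 302 0/0 0.500 - - 120K - 11
"""

_PREFIX = r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) sogod \[(?P<pid>\d+)\]: "
_CALLBACK = re.compile(_PREFIX + r'(?P<client>[\d.]+) "GET /SOGo/\?code=(?P<code>[^&\s]+)&state=(?P<state>[0-9a-f]+) HTTP/[\d.]+" (?P<status>\d{3}) ')
_PROFILE_ERR = re.compile(_PREFIX + r"\[ERROR\] <0x[0-9a-f]+\[SOGoOpenIdSession\]:\(null\)> Can't get user email from profile because: (?P<reason>.+)$")


def _stamp(m):
    return datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")


def parse_line(line):
    """Classify one log line; lines that do not matter give None."""
    m = _CALLBACK.match(line)
    if m:
        return {"ts": _stamp(m), "kind": "callback", "client": m["client"],
                "state": m["state"], "status": int(m["status"])}
    m = _PROFILE_ERR.match(line)
    if m:
        return {"ts": _stamp(m), "kind": "profile_error", "reason": m["reason"]}
    return None


def redact_code(line):
    """Authorization codes are single-use secrets; strip them before sharing logs."""
    return re.sub(r"(\?code=)[^&\s]+", r"\1<redacted>", line)


def detect_loop(log_text, window=timedelta(seconds=10), threshold=3):
    """Per client, find `threshold` or more 302 code callbacks inside `window`
    and report how many distinct state values (fresh authorization requests,
    not retries of one) and which profile errors fall into that span."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    errors = [e for e in events if e["kind"] == "profile_error"]
    per_client = {}
    for e in events:
        if e["kind"] == "callback" and e["status"] == 302:
            per_client.setdefault(e["client"], []).append(e)
    findings = []
    for client, cbs in per_client.items():
        cbs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(cbs):
            run = [c for c in cbs[i:] if c["ts"] - first["ts"] <= window]
            if len(run) < threshold:
                continue
            last = run[-1]["ts"]
            reasons = sorted({e["reason"] for e in errors if first["ts"] <= e["ts"] <= last})
            findings.append({"client": client, "callbacks": len(run),
                             "distinct_states": len({c["state"] for c in run}),
                             "reasons": reasons, "first": first["ts"], "last": last})
            break
    return findings


if __name__ == "__main__":
    for f in detect_loop(SAMPLE_LOG):
        print(f"{f['client']}: {f['callbacks']} callbacks between {f['first']:%H:%M:%S} "
              f"and {f['last']:%H:%M:%S}, profile errors: {f['reasons']}")
```

Run it against `journalctl -u sogo` output instead of the sample to see whether the loop is driven by a single client and a single error reason; pass the lines through `redact_code` before pasting them into a ticket, since the full authorization code in the description is a one-time credential.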

Tags: No tags attached.

Activities

sobyaninyd (reporter), 2025-09-04 17:36

qhivert (administrator), 2025-09-05 06:39, note ~0018327

Hello,

It means SOGo properly fetched the user profile but didn't find the mail inside. A basic user profile is a dict like this:

{
"sub":"70a3e6a1-37cf-4cf6-b114-6973aabca86a",
"email_verified":false,
"name":"Foo Bar",
"preferred_username":"myuser",
"given_name":"Foo",
"family_name":"Bar",
"email":"myuser@user.com"
}
To set which key is the mail one, you can set this parameter in your sogo.conf
SOGoOpenIdEmailParam = "email";

Can you add this to your sogo.conf to get more logs? It will show the user profile result.
SOGoOpenIDDebugEnabled = YES;

sobyaninyd (reporter), 2025-09-05 08:28, note ~0018328

In the log I see the following:
2025-09-05 10:20:57.207 sogod[25732:25732] OpenId perform request: GET https://sso.example.com/adfs/userinfo
2025-09-05 10:20:57.207 sogod[25732:25732] OpenId perform request, headers {authorization = "Bearer <token>"; "content-type" = "application/x-www-form-urlencoded"; }
2025-09-05 10:20:57.207 sogod[25732:25732] OpenId perform request, body raw (null)
2025-09-05 10:20:57.277 sogod[25732:25732] OpenId perform request: response is: <SimpleOpenIdResponse> <status: 200>, <headers: HTTP/2 200
content-length: 0
content-type: text/html; charset=utf-8
server: Microsoft-HTTPAPI/2.0
strict-transport-security: max-age = 31536000
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
content-security-policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;
date: Fri, 05 Sep 2025 07:20:56 GMT

, <content: >
Sep 05 10:20:57 sogod [25732]: [ERROR] <0x55ac8a247670[SOGoOpenIdSession]:(null)> Can't get user email from profile because: no mail found

The token contains the following information:
{
"aud": "microsoft:identityserver:385de95b-52a2-4db2-ad60-6d326cb0bd05",
"iss": "http://sso.example.com/adfs/services/trust",
"iat": 1757060637,
"nbf": 1757060637,
"exp": 1757064237,
"email": "sobyaninyd@example.com",
"upn": "sobyaninyd@example.com",
"preferred_username": "sobyaninyd",
"apptype": "Confidential",
"appid": "385de95b-52a2-4db2-ad60-6d326cb0bd05",
"authmethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
"auth_time": "2025-09-05T08:23:52.144Z",
"ver": "1.0",
"scp": "allatclaims email profile openid"
}

Also in the logs there is an access_token which contains the same thing as in authorization = "Bearer <token>".

id_token:
{
"aud": "385de95b-52a2-4db2-ad60-6d326cb0bd05",
"iss": "https://sso.example.com/adfs",
"iat": 1757060639,
"nbf": 1757060639,
"exp": 1757064239,
"auth_time": 1757060632,
"sub": "yiB7NrFulQsF/RRA4CjktR0yPUVuEyRyzhI2fyiqYMk=",
"unique_name": "DOMAIN\sobyaninyd",
"sid": "S-1-5-21-1587453395-1195599393-282800124-1103",
"upn": "sobyaninyd@example.com",
"email": "sobyaninyd@example.com",
"preferred_username": "sobyaninyd",
"apptype": "Confidential",
"appid": "385de95b-52a2-4db2-ad60-6d326cb0bd05",
"authmethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
"ver": "1.0",
"scp": "allatclaims email profile openid"
}

i.e. this is the information received when accessing https://sso.example.com/adfs/oauth2/token (see screenshot)

Attachment: image.png (693,338 bytes)

qhivert (administrator), 2025-09-11 08:24, note ~0018332

Hello,
Very strange, the endpoint https://sso.example.com/adfs/userinfo should return a dictionary with the user's info (and the mail). But in your case the endpoint returns 200 but no content. You should look into that.
Maybe there is something special to put in your scope (SOGoOpenIdScope = "openid profile email";) in your case?
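The two notes above describe both sides of the failure: the profile dict the maintainer expects from userinfo (~0018327) and the 200 with an empty text/html body the reporter actually got from AD FS, while the id_token from the token endpoint carries `email` and `upn` (~0018328). The code below is an added example, not SOGo's code and not from either participant: it applies the SOGoOpenIdEmailParam lookup to a userinfo reply, reports the empty-body case as its own distinct reason rather than a generic "no mail found", and then, as an assumed fallback that the thread does not say SOGo performs, looks in the id_token claims. Function names are hypothetical, the userinfo responses are constructed from the notes, and the id_token is a constructed, unsigned token built from the reporter's claims.

```python
"""Where the login e-mail comes from, and why the thread's case fails.

Added example, not SOGo code. profile_from_userinfo / resolve_email are
hypothetical names; the id_token fallback is an assumption about what a
deployment could do, not documented SOGo behaviour. All inputs are constructed.
"""
import base64
import json

# Constructed userinfo responses: the maintainer's sample profile, and the
# empty 200 with text/html that the reporter's AD FS returned.
USERINFO_OK = (200, "application/json", json.dumps({
    "sub": "70a3e6a1-37cf-4cf6-b114-6973aabca86a", "email_verified": False,
    "name": "Foo Bar", "preferred_username": "myuser", "given_name": "Foo",
    "family_name": "Bar", "email": "myuser@user.com"}))
USERINFO_EMPTY = (200, "text/html; charset=utf-8", "")


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed id_token built from the reporter's claims with a dummy header
# and a fake signature: it is not validly signed and only exercises decoding.
ID_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"iss": "https://sso.example.com/adfs",
                        "aud": "385de95b-52a2-4db2-ad60-6d326cb0bd05",
                        "sub": "yiB7NrFulQsF/RRA4CjktR0yPUVuEyRyzhI2fyiqYMk=",
                        "upn": "sobyaninyd@example.com",
                        "email": "sobyaninyd@example.com",
                        "preferred_username": "sobyaninyd"}).encode()),
    _b64url(b"not-a-real-signature"),
])


def profile_from_userinfo(status, content_type, body):
    """Return (profile dict, "ok") or (None, reason) for a userinfo reply."""
    if status != 200:
        return None, f"userinfo returned HTTP {status}"
    if not body.strip():
        return None, "userinfo returned an empty body"  # the thread's case
    try:
        data = json.loads(body)
    except ValueError:
        return None, f"userinfo body is not JSON (content-type {content_type})"
    if not isinstance(data, dict):
        return None, "userinfo JSON is not an object"
    return data, "ok"


def jwt_payload(token):
    """Decode the claims segment only. No signature, iss, aud or exp check:
    apply this to a token the token endpoint delivered over TLS and whose
    JWS has already been verified, never to a token taken from a client."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))


def email_from_claims(claims, keys):
    """First key whose value looks like an address; returns (value, key)."""
    for key in keys:
        value = claims.get(key)
        if isinstance(value, str) and "@" in value:
            return value, key
    return None, None


def resolve_email(userinfo_response, id_token=None, email_param="email",
                  fallback_keys=("upn",)):
    """Look up SOGoOpenIdEmailParam in userinfo, then (assumed fallback) in
    the id_token claims. Returns (email, source, reason)."""
    profile, reason = profile_from_userinfo(*userinfo_response)
    if profile is not None:
        email, key = email_from_claims(profile, (email_param,))
        if email:
            return email, f"userinfo:{key}", "ok"
        reason = f"no mail found under {email_param!r}; keys: {sorted(profile)}"
    if id_token is not None:
        email, key = email_from_claims(jwt_payload(id_token), (email_param, *fallback_keys))
        if email:
            return email, f"id_token:{key}", reason
    return None, None, reason


if __name__ == "__main__":
    print(resolve_email(USERINFO_OK))             # found in userinfo
    print(resolve_email(USERINFO_EMPTY))          # the reporter's failure
    print(resolve_email(USERINFO_EMPTY, ID_TOKEN))  # recovered from id_token claims
```

The useful diagnostic is the reason string: "userinfo returned an empty body" points at the identity provider, whereas "no mail found under 'email'; keys: [...]" points at SOGoOpenIdEmailParam naming the wrong key. Any fallback to id_token claims must sit behind full ID token validation (signature against the provider's JWKS, `iss`, `aud`, `exp`), which the decoding helper here deliberately does not do.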

Issue History

Date Modified Username Field Change
2025-09-04 17:36 sobyaninyd New Issue
2025-09-04 17:36 sobyaninyd File Added: Снимок экрана 2025-09-04 в 22.36.22.png
2025-09-05 06:39 qhivert Note Added: 0018327
2025-09-05 06:39 qhivert Assigned To => qhivert
2025-09-05 06:39 qhivert Status new => feedback
2025-09-05 08:28 sobyaninyd Note Added: 0018328
2025-09-05 08:28 sobyaninyd File Added: image.png
2025-09-05 08:28 sobyaninyd Status feedback => assigned
2025-09-11 08:24 qhivert Note Added: 0018332
2025-09-11 08:24 qhivert Status assigned => feedback