View Issue Details

IDProjectCategoryView StatusLast Update
0005270SOGoBackend Generalpublic2021-04-09 06:55
Reportercodeoverflow Assigned To 
PriorityurgentSeveritymajorReproducibilityalways
Status newResolutionopen 
PlatformServer OSUbuntuOS Version20.04
Product Version5.0.1 
Summary0005270: SSO with Keycloak for SAML2.0 broken
Description

If you setup SOGO 5.0.1 with SSO using Keycloak, you aren't able to login. If you setup a fresh server using the latest nightly build and installing, add the configuration for SAML2.0 with Keycloak and then try to login in with any valid user & password combination, you get an error. It will display an empty, white page with a small popup notification in the upper right corner. Its description is "Request failed" and it shows an exclamation sign. You can see the result in the attached screenshot. Trying other users isn't helping like a refresh in the browser. You are unable to use the system.

If we examine the log, we can recognize an error with LASSO: "GLib-GObject-CRITICAL **: 20:29:52.110: g_object_ref: assertion 'G_IS_OBJECT (object)' failed". It is thrown multiple times with the exact same error message.

The configuration is: SOGo 5.0.1 connected to a PostgreSQL database using the soge4.9 connector.

As we definitly need SSO for SOGo, so it is completely unusable for us.

-- Log start --

Mar 01 20:29:32 sogod [28]: version 5.0.1 (build @shiva2.inverse 202102270820) -- starting
Mar 01 20:29:32 sogod [28]: vmem size check enabled: shutting down app when vmem > 384 MB. Currently at 80 MB
Mar 01 20:29:32 sogod [28]: <0x0x56124f55caf0[SOGoProductLoader]> SOGo products loaded from '/usr/lib/GNUstep/SOGo':
Mar 01 20:29:32 sogod [28]: <0x0x56124f55caf0[SOGoProductLoader]> MailPartViewers.SOGo, MainUI.SOGo, CommonUI.SOGo, Contacts.SOGo, MailerUI.SOGo, Appointments.SOGo, SchedulerUI.SOGo, Mailer.SOGo, ContactsUI.SOGo, AdministrationUI.SOGo, PreferencesUI.SOGo
Mar 01 20:29:32 sogod [28]: All products loaded - current memory usage at 89 MB
Mar 01 20:29:32 sogod [28]: <0x0x56124f58b3d0[WOWatchDog]> listening on 0.0.0.0:20000
Mar 01 20:29:32 sogod [28]: <0x0x56124f58b3d0[WOWatchDog]> watchdog process pid: 28
Mar 01 20:29:32 sogod [28]: <0x0x7f7b562f8360[WOWatchDogChild]> watchdog request timeout set to 10 minutes
Mar 01 20:29:32 sogod [28]: <0x0x56124f58b3d0[WOWatchDog]> preparing 5 children
Mar 01 20:29:32 sogod [28]: <0x0x56124f58b3d0[WOWatchDog]> child spawned with pid 37
Mar 01 20:29:32 sogod [28]: <0x0x56124f58b3d0[WOWatchDog]> child spawned with pid 38
Mar 01 20:29:32 sogod [28]: <0x0x56124f58b3d0[WOWatchDog]> child spawned with pid 39
Mar 01 20:29:32 sogod [28]: <0x0x56124f58b3d0[WOWatchDog]> child spawned with pid 40
Mar 01 20:29:32 sogod [28]: <0x0x56124f58b3d0[WOWatchDog]> child spawned with pid 41
Mar 01 20:29:32 sogod [38]: <0x0x56124f625250[WOHttpAdaptor]> notified the watchdog that we are ready
Mar 01 20:29:32 sogod [37]: <0x0x56124f61ecb0[WOHttpAdaptor]> notified the watchdog that we are ready
Mar 01 20:29:32 sogod [39]: <0x0x56124f625560[WOHttpAdaptor]> notified the watchdog that we are ready
Mar 01 20:29:32 sogod [40]: <0x0x56124f623190[WOHttpAdaptor]> notified the watchdog that we are ready
Mar 01 20:29:32 sogod [41]: <0x0x56124f623190[WOHttpAdaptor]> notified the watchdog that we are ready
Mar 01 20:29:51 sogod [41]: |SOGo| starting method 'GET' on uri '/SOGo/'
Mar 01 20:29:51 sogod [41]: <0x0x56124f894250[SOGoCache]> Cache cleanup interval set every 3600.000000 seconds
Mar 01 20:29:51 sogod [41]: <0x0x56124f894250[SOGoCache]> Using host(s) 'localhost' as server(s)
Mar 01 20:29:51 sogod [41]: <0x0x56124f89c6c0[SOGoWebAuthenticator]> tried wrong password for user '0cHg7p5XZbQTbvgoyJ9f5UnIDUTx78bkT4BIm5O83ErrH/vBe9kXPdedTksjZ0qfXoo/cgMfVuDyGBLGi7Wzk33RgkI0zl5FdiVZfj6ceeMk8iFbKu37SlgsCv3GuF6uMkF+upK2oGWvG/trzQuXkwmywuZt7cDL/BzMopVFk+ChLN7q+n42Xw52fnmsAlyDHSkMwBgTZmOb4q42+g9Ikw=='!
Mar 01 20:29:51 sogod [41]: [WARN] <0x0x7f7b56319f60[WOxElemBuilder]> could not locate builders: WOxExtElemBuilder,WOxExtElemBuilder
Mar 01 20:29:51 sogod [41]: |SOGo| request took 0.032714 seconds to execute
Mar 01 20:29:51 sogod [41]: sogo "GET /SOGo/ HTTP/1.0" 302 0/0 0.034 - - 7M - 13
Mar 01 20:29:52 sogod [41]: |SOGo| starting method 'POST' on uri '/SOGo/saml2-signon-post'
Mar 01 20:29:52 sogod [41]: |SOGo| constructed root-url: /SOGo/
Mar 01 20:29:52 sogod [41]: |SOGo| setting root-url in context: /SOGo/
Mar 01 20:29:52 sogod [41]: |SOGo| ROOT baseURL(no container, name=(null)):
own: /SOGo/

(process:41): Lasso-CRITICAL **: 20:29:52.070: 2021-03-01 20:29:52 (profile.c/:939) Trying to unref a non GObject pointer file=profile.c:939 pointerbybname=profile->identity pointer=0x56124f979270

(process:41): Lasso-CRITICAL **: 20:29:52.070: 2021-03-01 20:29:52 (profile.c/:942) Trying to unref a non GObject pointer file=profile.c:942 pointerbybname=profile->session pointer=0x56124fa1dc30
Mar 01 20:29:52 sogod [41]: |SOGo| request took 0.036253 seconds to execute
Mar 01 20:29:52 sogod [41]: sogo "POST /SOGo/saml2-signon-post HTTP/1.0" 302 0/12297 0.038 - - 764K - 13
Mar 01 20:29:52 sogod [41]: |SOGo| starting method 'GET' on uri '/SOGo//mailuser'

(process:41): GLib-GObject-CRITICAL **: 20:29:52.110: g_object_ref: assertion 'G_IS_OBJECT (object)' failed

(process:41): GLib-GObject-CRITICAL **: 20:29:52.137: g_object_ref: assertion 'G_IS_OBJECT (object)' failed
Mar 01 20:29:52 sogod [41]: |SOGo| request took 0.028304 seconds to execute
Mar 01 20:29:52 sogod [41]: sogo "GET /SOGo//mailuser HTTP/1.0" 302 0/0 0.029 - - 6M - 13
Mar 01 20:29:52 sogod [41]: |SOGo| starting method 'GET' on uri '/SOGo//mailuser/view'

(process:41): GLib-GObject-CRITICAL **: 20:29:52.228: g_object_ref: assertion 'G_IS_OBJECT (object)' failed

(process:41): GLib-GObject-CRITICAL **: 20:29:52.230: g_object_ref: assertion 'G_IS_OBJECT (object)' failed
Mar 01 20:29:52 sogod [41]: |SOGo| constructed root-url: /SOGo/
Mar 01 20:29:52 sogod [41]: |SOGo| setting root-url in context: /SOGo/
Mar 01 20:29:52 sogod [41]: |SOGo| ROOT baseURL(no container, name=(null)):
own: /SOGo/
Mar 01 20:29:52 sogod [41]: <0x56124fd25b50[SOGoUserFolder]:mailuser> baseURL: name=mailuser (container=SOGo)
container: /SOGo -- https://example.com/SOGo//mailuser/view
own: /SOGo/mailuser
Mar 01 20:29:52 sogod [41]: |SOGo| request took 0.005757 seconds to execute
Mar 01 20:29:52 sogod [41]: sogo "GET /SOGo//mailuser/view HTTP/1.0" 302 0/0 0.007 - - 0 - 13
Mar 01 20:29:52 sogod [41]: |SOGo| starting method 'GET' on uri '/SOGo/so/mailuser/Mail'

(process:41): GLib-GObject-CRITICAL **: 20:29:52.276: g_object_ref: assertion 'G_IS_OBJECT (object)' failed

(process:41): GLib-GObject-CRITICAL **: 20:29:52.277: g_object_ref: assertion 'G_IS_OBJECT (object)' failed
Mar 01 20:29:52 sogod [41]: |SOGo| request took 0.002014 seconds to execute
Mar 01 20:29:52 sogod [41]: sogo "GET /SOGo/so/mailuser/Mail HTTP/1.0" 302 0/0 0.003 - - 0 - 13
Mar 01 20:29:52 sogod [41]: |SOGo| starting method 'GET' on uri '/SOGo/so/mailuser/Mail/view'

(process:41): GLib-GObject-CRITICAL **: 20:29:52.306: g_object_ref: assertion 'G_IS_OBJECT (object)' failed

(process:41): GLib-GObject-CRITICAL **: 20:29:52.307: g_object_ref: assertion 'G_IS_OBJECT (object)' failed
Mar 01 20:29:52 sogod [41]: |SOGo| constructed root-url: /SOGo/
Mar 01 20:29:52 sogod [41]: |SOGo| setting root-url in context: /SOGo/so/
Mar 01 20:29:52 sogod [41]: |SOGo| ROOT baseURL(no container, name=(null)):
own: /SOGo/so/
Mar 01 20:29:52 sogod [41]: <0x56124fd32e70[SOGoUserFolder]:mailuser> baseURL: name=mailuser (container=SOGo)
container: /SOGo -- https://example.com/SOGo/so/mailuser/Mail/view
own: /SOGo/so/mailuser
Mar 01 20:29:52 sogod [41]: |SOGo| using root-url from context: /SOGo/so/
Mar 01 20:29:52 sogod [41]: |SOGo| ROOT baseURL(no container, name=(null)):
own: /SOGo/so/
Mar 01 20:29:52 sogod [41]: <0x56124fd32e70[SOGoUserFolder]:mailuser> baseURL: name=mailuser (container=SOGo)
container: /SOGo -- https://example.com/SOGo/so/mailuser/Mail/view
own: /SOGo/so/mailuser
Mar 01 20:29:52 sogod [41]: <0x56124f93fdb0[SOGoMailAccounts]:Mail> baseURL: name=Mail (container=SOGoUserFolder)
container: /SOGo/so/mailuser/
own: /SOGo/so/mailuser/Mail
Mar 01 20:29:52 sogod [41]: |SOGo| using root-url from context: /SOGo/so/
Mar 01 20:29:52 sogod [41]: |SOGo| ROOT baseURL(no container, name=(null)):
own: /SOGo/so/
Mar 01 20:29:52 sogod [41]: <0x56124fd32e70[SOGoUserFolder]:mailuser> baseURL: name=mailuser (container=SOGo)
container: /SOGo -- https://example.com/SOGo/so/mailuser/Mail/view
own: /SOGo/so/mailuser
Mar 01 20:29:52 sogod [41]: |SOGo| using root-url from context: /SOGo/so/
Mar 01 20:29:52 sogod [41]: |SOGo| ROOT baseURL(no container, name=(null)):
own: /SOGo/so/
Mar 01 20:29:52 sogod [41]: <0x56124fd32e70[SOGoUserFolder]:mailuser> baseURL: name=mailuser (container=SOGo)
container: /SOGo -- https://example.com/SOGo/so/mailuser/Mail/view
own: /SOGo/so/mailuser
Mar 01 20:29:52 sogod [41]: |SOGo| using root-url from context: /SOGo/so/
Mar 01 20:29:52 sogod [41]: |SOGo| ROOT baseURL(no container, name=(null)):
own: /SOGo/so/
Mar 01 20:29:52 sogod [41]: <0x56124fd32e70[SOGoUserFolder]:mailuser> baseURL: name=mailuser (container=SOGo)
container: /SOGo -- https://example.com/SOGo/so/mailuser/Mail/view
own: /SOGo/so/mailuser
Mar 01 20:29:52 sogod [41]: |SOGo| using root-url from context: /SOGo/so/
Mar 01 20:29:52 sogod [41]: |SOGo| ROOT baseURL(no container, name=(null)):
own: /SOGo/so/
Mar 01 20:29:52 sogod [41]: <0x56124fd32e70[SOGoUserFolder]:mailuser> baseURL: name=mailuser (container=SOGo)
container: /SOGo -- https://example.com/SOGo/so/mailuser/Mail/view
own: /SOGo/so/mailuser
Mar 01 20:29:52 sogod [41]: |SOGo| using root-url from context: /SOGo/so/
Mar 01 20:29:52 sogod [41]: |SOGo| ROOT baseURL(no container, name=(null)):
own: /SOGo/so/
Mar 01 20:29:52 sogod [41]: <0x56124fd32e70[SOGoUserFolder]:mailuser> baseURL: name=mailuser (container=SOGo)
container: /SOGo -- https://example.com/SOGo/so/mailuser/Mail/view
own: /SOGo/so/mailuser
Mar 01 20:29:52 sogod [41]: |SOGo| using root-url from context: /SOGo/so/
Mar 01 20:29:52 sogod [41]: |SOGo| ROOT baseURL(no container, name=(null)):
own: /SOGo/so/
Mar 01 20:29:52 sogod [41]: <0x56124fd32e70[SOGoUserFolder]:mailuser> baseURL: name=mailuser (container=SOGo)
container: /SOGo -- https://example.com/SOGo/so/mailuser/Mail/view
own: /SOGo/so/mailuser
Mar 01 20:29:52 sogod [41]: |SOGo| request took 0.102249 seconds to execute
Mar 01 20:29:52 sogod [41]: sogo "GET /SOGo/so/mailuser/Mail/view HTTP/1.0" 200 19065/0 0.104 82242 76% 5M - 14
Mar 01 20:29:52 sogod [41]: |SOGo| starting method 'GET' on uri '/SOGo/so/mailuser/Calendar/alarmslist?browserTime=1614626993'

(process:41): GLib-GObject-CRITICAL **: 20:29:52.818: g_object_ref: assertion 'G_IS_OBJECT (object)' failed

(process:41): GLib-GObject-CRITICAL **: 20:29:52.819: g_object_ref: assertion 'G_IS_OBJECT (object)' failed
Mar 01 20:29:52 sogod [41]: [WARN] <0x0x56124f5ef1a0[SOGoWebDAVAclManager]> entry '{DAV:}write' already exists in DAV permissions table
Mar 01 20:29:52 sogod [41]: [WARN] <0x0x56124f5ef1a0[SOGoWebDAVAclManager]> entry '{DAV:}write-properties' already exists in DAV permissions table
Mar 01 20:29:52 sogod [41]: [WARN] <0x0x56124f5ef1a0[SOGoWebDAVAclManager]> entry '{DAV:}write-content' already exists in DAV permissions table
Mar 01 20:29:52 sogod [40]: |SOGo| starting method 'POST' on uri '/SOGo/so/mailuser/Mail/0/folderINBOX/view'
Mar 01 20:29:52 sogod [40]: <0x0x56124f834c60[SOGoCache]> Cache cleanup interval set every 3600.000000 seconds
Mar 01 20:29:52 sogod [40]: <0x0x56124f834c60[SOGoCache]> Using host(s) 'localhost' as server(s)

(process:40): GLib-GObject-CRITICAL **: 20:29:52.897: g_object_ref: assertion 'G_IS_OBJECT (object)' failed

(process:40): GLib-GObject-CRITICAL **: 20:29:52.899: g_object_ref: assertion 'G_IS_OBJECT (object)' failed

(process:40): GLib-GObject-CRITICAL **: 20:29:52.902: g_object_ref: assertion 'G_IS_OBJECT (object)' failed
Mar 01 20:29:52 sogod [39]: |SOGo| starting method 'GET' on uri '/SOGo/so/mailuser/Mail/0/view'
Mar 01 20:29:52 sogod [39]: <0x0x56124f615250[SOGoCache]> Cache cleanup interval set every 3600.000000 seconds
Mar 01 20:29:52 sogod [39]: <0x0x56124f615250[SOGoCache]> Using host(s) 'localhost' as server(s)

(process:39): GLib-GObject-CRITICAL **: 20:29:52.926: g_object_ref: assertion 'G_IS_OBJECT (object)' failed

(process:39): GLib-GObject-CRITICAL **: 20:29:52.928: g_object_ref: assertion 'G_IS_OBJECT (object)' failed

(process:39): GLib-GObject-CRITICAL **: 20:29:52.931: g_object_ref: assertion 'G_IS_OBJECT (object)' failed
Mar 01 20:29:52 sogod [41]: |SOGo| request took 0.125139 seconds to execute
Mar 01 20:29:52 sogod [41]: sogo "GET /SOGo/so/mailuser/Calendar/alarmslist?browserTime=1614626993 HTTP/1.0" 500 36/0 0.126 - - 0 - 13
Mar 01 20:29:52 sogod [40]: <0x0x56124f9c01e0[NGImap4Client]> TLS started successfully.Mar 01 20:29:52 sogod [39]: <0x0x56124f9b62d0[NGImap4Client]> TLS started successfully.

S[0x56124f9c9b70]: * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS LOGINDISABLED] Dovecot (Ubuntu) ready.
C[0x56124f9b62d0]: 1 STARTTLS
S[0x56124f9c9b70]: 1 OK Begin TLS negotiation now.
C[0x56124f9b62d0]: 2 authenticate PLAIN
S[0x56124f9adce0]: +
C[0x56124f9b62d0]: bWFpbHVzZXIAbWFpbHVzZXIAZUY3dFdGZVQ0cm9TL2l0VDdPTVU0NXlvbmFucmdNR0FDU1lOdkd6SnRoeHd4QUdIWDMvRkVIWjI3bXc0NS9IY3d3dWx0dFRxL3JyVitscGZjeENGUFRIUFlWYjRTZnhRUjJHY1AzZktMTzRsSVBmelhnd2ltUGNLcTdjVTlVbVBmTUo3NERhNWM1bmRPNnY0RzB2U1g2OUpzNlJJckNUc1BHaktjMGRUdmptMmJVTGFzcnNVelZCZG1oV1lMakFGc292amtLTk5hTm0yemFQSmVWNUNMYzRMRUJmUEhSSW5pUzVPZFhGaVJRZzlVdWd4eEJQSDQvdk93d1ptT1hJWVRYbkNPeTlmMzJCNFc1dTllRVdSNWowTWMvS24xR3R5UDNnSy9PSUoyaVVXd01ZS0V4QmdvQ3c4TElNZ2pISTA3VHpySy9aZXhWYzc5OTNlMG5kalVKUVp2QUoxRmo1M3p1cVI5cXFxbmlycUtjbGNqTVJ4SE1NRkRNRjVudklGMlhOZkQyMHRkcEtyUUFaeEV2c1dDUDBXbk1PbHc4Skw3QWN4ZEpQTUw3em9KOG9Kak1EUHlydXd0cm9XUWNkZk90aTdMZDVNL0dOVk9IMnpzeHNsR2Z5UzVhQ2JlNEJrMkx0U0F6b3dnN0VGSDlhRzl0ejU4cWZCdTlxMHlrQ2NPMGtXNVI4RnYvWDBCeGhoZklKaGtrSzdpMEM5Qk9KdTRuMlAzNnI4SER6c0xVRC9ZNm5pdXpBdi9pS1dDS2t2SHhDODZObUFzSVF2UzZQWXpQcExDU3JOMFcxRWJsYkRzWTNwWTI2NEtZNVZTWHZFWEdTbjRpN0Q4T2V2Rjd2ZUw3K0s3akY1dVFyT3lmbERjdDJ6OWJMdG5zU054eDJwZ1dVOENiWXJhZ3BDTUhiaTVWRS9CcXJCSyt5VUl6SnRNU0hjaGlhdGxXeVB
3NmxxNGtQN01TLzhJOGx1bThWb3JrL0hROXAxanpPdGpqYTFsazlvOVlEajRwUVZYSi9aaTM1NTRGbHE2bzZtQjJmbmIzQmJ0blNNSWtqM2xHSEMwTTFUR1k2cEU3bXRWOWFBSmZ1ZW1zSUJ2NmQzcnlxLzJEYXRZMDNDd3A5d1k0TjBYQkFVNm5wd3pDMGg1N0xIcVlBWmFrYVNxOEdnNGQyOVMwRnFVN055UDZrSVZvMUFLQUlHMHlPR25iL09XTFd2VDJRd0YwWmhUQ3JCaHVzbk9xTVltUVkzdFArNndhQ3VrRXZLUEFWbXZMS2Nwc0NPZTE4NlJhZUpwK0RNcnRrWitrQTNCbE5UU2JRTXMxWXVXYWQ1bGEyTEljbFkvU0NOWEtqSDFUaHBlWW5JcXVkYmlENmdmVG53WTlpOE8rMW9ORVhWOXlXaVN5V0xRYmJPdDN6ZnlhMDAxZncyNVdmMWF0MTZuTUZGZ2ErN0czWGxOUGcxdHJlVkY2MnZEQzRvb0FEWDAzUWV5dWR5NzZCS1VzQVhYZFBrcUpWbGNhZkxrcXUyYWFyTTV3ZHhLcm5CMFF2OGdWRGhrcmpJVlZFUkRYM0JWOHBpcDJ3V0MwVVI5NUZGU1FsODFhdWhaMDMxZzFoTlc3MUcvODIwWGVQYnM2ejlMcHV0ZEh4NytMa08xKzM3dW9nUDVPVnhzTlJNU2xuMDBiNXJVYVExU2FuRUNuMGZpNG1HWlBKVWIrcWlFSlI0d2VPck9ZWVA4LzByd2VGcGtiU3AyazRlWWRFWFl3amJHRVY0c3Awa1cySTlIZFFsak9yS2Q1VzJIaHdQRzNQRTg2Zm1rUlJYb1R3TU4wRk45cGVtZkRTUFJVSlhSM2Q0Y0FOcnBjK3pldSsyNDJMaDI0OUgrekI1WFV2RWRNVEdKRGNkR0VXQkw4V2QzemYzTTB3Q3c4MU1wMGx6OGJxY09LbTd4ZVlraHZtNk5aemxzczB4
cXVDcVE1WlFEN3ZSUHRrenlWanljcDh2T2M3Zkh1dUFjbWRqYlc2d25IdFk5dVdhc29Md05GczRjak0xNVRTUTFjM3dGVWVwSDV5eXlaRGlabk5zTTl1eTlXcS80Q2JydUdHR0tEZG40U0hJb3dQdEdCdXBpaExOWDY1Vkx4RlVUQlRrbEJZOVRoNW1UVFZTRnd5eDhpMVpQQzVvU2QyWjVpcGNta1AvMUJkRVY1ZEVzWCtPNzJpYzdEWHZaRTNGUlg4aUxVUUZZUytKR3BpTkdJcE0xYkZlMTN4SjZTSElVcGVtN2Ntc0tYT2hWZG9ZcndIaE9ZVHJBcktVSjIzZUw2UmthVS9ydmVqU1VEMkdjaFVYTVZZZTdLWGlZbXk3VzBRVktLUVFDdmdhMDB5SWlWdVNXa1lTK1RnNUpMZ1NpN20vTTRJRlBqM0doaWF0QjhGcEp1dmtqTWFHZ05xMnc4M2hwRzEyWXpEdVU1d2MyeU1XYTZyeHlzdzJTeXN0QzdXdGxlSEoydS9tZ3BZY1hxMjFkZUwzVzZYWWVhLzFnY0Y1N0lBVldNQnc4UkYvcE10Z3B6WitReEhVaWNyd2l0MGxxK1dPNXdaNGhCTmNHNU9qRU4vbEo0Wk0xeFlZUEdyWVltZ3dCanBISkRPWGQ1dENoRERBNmpYY0Q0T052VEs4SWRDQnZaRVliaWtFcnJ1b3ljbWthTmpUb1prZER1MDZoVmdESlN4WUJ5dVJ2eFdFajhmeWVwUS9IRjUwc2kvbCtYSzBqYVg0UWFJbmRobVcrY3RocGVlbTZTd1lmRDd0dDVnZ2NZT05BSVd4Q1hUV3NCb3N6Z3h4Uk1VNXc1VFFKM3hXTFRhS2tadHhtbHRhSXZLOGNVeUliZVBNSi95cGNQdk13bU0yZTkzMitsRjFqTmdNelBSeEl0SDBhTmh2RlpiZjd2UW1XNlBTZFl4M0RVR0k5bW9KVTZGc2pjQTA3YjQ3MEx3Q
nVUcFZXNDlZSFdiVENGZHhuMkozNnFrVlRoaDlHRXB0aG83cm8rSHNKT094TUhha3ZBVURDR1IzWjJxblNmbEloOGQ4UDZVVjMxZHdXTklhN29tNVRZMUdaaHNNcS95d3JZNTcwZHNZaEREMFRxTUoyOVRDWTN2QWlCWENZVTJ1WncweDRrdURHVEJ0dW1NbW8rUnhpRzhXMXVnb2EwRW83Y0RjY0tyNTRnaEZEVllleStleXNaN1phem9XM1hFd0U0M3RnTVNaZFZUVFdUMWYzTXYzRGVaTEdQcDFtc1F3TGw3RWhTaGRBM2VYM1M3Zzk2RzZYTlBmUTNjZlg4ci9aWGkvSXE3MGRGbWFCMmdWMTlINWF0Q1VCeFh4SklDWTdxOFkrNW5EKzNiM1RLbEEwVXZQekRjdmtMbWRsMEVYVUtRTktFYm9Db3pOZFdsT3NMb21ZTGl1NWRnV3g5Z01BMHpteW0wdk8vNW9qSnpFam45V2UyNGVMcnpuMTdaWVVjK0VJSVBaalhSZnZYcXY2SHhaUFdpeEFYTUVhdzVYeVhQbm0wTFFqRXh5Qk1GUmZWSWdHRXFTK2d6NlViekNFSDFaN1R4TWsySVd6ekxSS1dEMmtmbFRkSThXcnN6ZmdKYWYrc2o5QzF2K25Pa3ZaNFBramRHVGIrUXhpYnRwa2hkbituamgrWjlZL2VIVEZTZmtsKzJmMGNuUEJrb1FCUUYrMHBmY3JmdWxGL2pkaTZ0MnNiU1JKeFpFVUJXWmI1MzMrZkRsRjkzTU94OGpXQUFib1g3MTdxYjI1dEtuMjF5QStPS[0x56124f9d3b90]: * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS LOGINDISABLED] Dovecot (Ubuntu) ready.
C[0x56124f9c01e0]: 1 STARTTLS
S[0x56124f9d3b90]: 1 OK Begin TLS negotiation now.
C[0x56124f9c01e0]: 2 authenticate PLAIN
S[0x56124f9b7c10]: +
C[0x56124f9c01e0]: bWFpbHVzZXIAbWFpbHVzZXIAZUY3dFdGZVQ0cm9TL2l0VDdPTVU0NXlvbmFucmdNR0FDU1lOdkd6SnRoeHd4QUdIWDMvRkVIWjI3bXc0NS9IY3d3dWx0dFRxL3JyVitscGZjeENGUFRIUFlWYjRTZnhRUjJHY1AzZktMTzRsSVBmelhnd2ltUGNLcTdjVTlVbVBmTUo3NERhNWM1bmRPNnY0RzB2U1g2OUpzNlJJckNUc1BHaktjMGRUdmptMmJVTGFzcnNVelZCZG1oV1lMakFGc292amtLTk5hTm0yemFQSmVWNUNMYzRMRUJmUEhSSW5pUzVPZFhGaVJRZzlVdWd4eEJQSDQvdk93d1ptT1hJWVRYbkNPeTlmMzJCNFc1dTllRVdSNWowTWMvS24xR3R5UDNnSy9PSUoyaVVXd01ZS0V4QmdvQ3c4TElNZ2pISTA3VHpySy9aZXhWYzc5OTNlMG5kalVKUVp2QUoxRmo1M3p1cVI5cXFxbmlycUtjbGNqTVJ4SE1NRkRNRjVudklGMlhOZkQyMHRkcEtyUUFaeEV2c1dDUDBXbk1PbHc4Skw3QWN4ZEpQTUw3em9KOG9Kak1EUHlydXd0cm9XUWNkZk90aTdMZDVNL0dOVk9IMnpzeHNsR2Z5UzVhQ2JlNEJrMkx0U0F6b3dnN0VGSDlhRzl0ejU4cWZCdTlxMHlrQ2NPMGtXNVI4RnYvWDBCeGhoZklKaGtrSzdpMEM5Qk9KdTRuMlAzNnI4SER6c0xVRC9ZNm5pdXpBdi9pS1dDS2t2SHhDODZObUFzSVF2UzZQWXpQcExDU3JOMFcxRWJsYkRzWTNwWTI2NEtZNVZTWHZFWEdTbjRpN0Q4T2V2Rjd2ZUw3K0s3akY1dVFyT3lmbERjdDJ6OWJMdG5zU054eDJwZ1dVOENiWXJhZ3BDTUhiaTVWRS9CcXJCSyt5VUl6SnRNU0hjaGlhdGxXeVB
3NmxxNGtQN01TLzhJOGx1bThWb3JrL0hROXAxanpPdGpqYTFsazlvOVlEajRwUVZYSi9aaTM1NTRGbHE2bzZtQjJmbmIzQmJ0blNNSWtqM2xHSEMwTTFUR1k2cEU3bXRWOWFBSmZ1ZW1zSUJ2NmQzcnlxLzJEYXRZMDNDd3A5d1k0TjBYQkFVNm5wd3pDMGg1N0xIcVlBWmFrYVNxOEdnNGQyOVMwRnFVN055UDZrSVZvMUFLQUlHMHlPR25iL09XTFd2VDJRd0YwWmhUQ3JCaHVzbk9xTVltUVkzdFArNndhQ3VrRXZLUEFWbXZMS2Nwc0NPZTE4NlJhZUpwK0RNcnRrWitrQTNCbE5UU2JRTXMxWXVXYWQ1bGEyTEljbFkvU0NOWEtqSDFUaHBlWW5JcXVkYmlENmdmVG53WTlpOE8rMW9ORVhWOXlXaVN5V0xRYmJPdDN6ZnlhMDAxZncyNVdmMWF0MTZuTUZGZ2ErN0czWGxOUGcxdHJlVkY2MnZEQzRvb0FEWDAzUWV5dWR5NzZCS1VzQVhYZFBrcUpWbGNhZkxrcXUyYWFyTTV3ZHhLcm5CMFF2OGdWRGhrcmpJVlZFUkRYM0JWOHBpcDJ3V0MwVVI5NUZGU1FsODFhdWhaMDMxZzFoTlc3MUcvODIwWGVQYnM2ejlMcHV0ZEh4NytMa08xKzM3dW9nUDVPVnhzTlJNU2xuMDBiNXJVYVExU2FuRUNuMGZpNG1HWlBKVWIrcWlFSlI0d2VPck9ZWVA4LzByd2VGcGtiU3AyazRlWWRFWFl3amJHRVY0c3Awa1cySTlIZFFsak9yS2Q1VzJIaHdQRzNQRTg2Zm1rUlJYb1R3TU4wRk45cGVtZkRTUFJVSlhSM2Q0Y0FOcnBjK3pldSsyNDJMaDI0OUgrekI1WFV2RWRNVEdKRGNkR0VXQkw4V2QzemYzTTB3Q3c4MU1wMGx6OGJxY09LbTd4ZVlraHZtNk5aemxzczB4
cXVDcVE1WlFEN3ZSUHRrenlWanljcDh2T2M3Zkh1dUFjbWRqYlc2d25IdFk5dVdhc29Md05GczRjak0xNVRTUTFjM3dGVWVwSDV5eXlaRGlabk5zTTl1eTlXcS80Q2JydUdHR0tEZG40U0hJb3dQdEdCdXBpaExOWDY1Vkx4RlVUQlRrbEJZOVRoNW1UVFZTRnd5eDhpMVpQQzVvU2QyWjVpcGNta1AvMUJkRVY1ZEVzWCtPNzJpYzdEWHZaRTNGUlg4aUxVUUZZUytKR3BpTkdJcE0xYkZlMTN4SjZTSElVcGVtN2Ntc0tYT2hWZG9ZcndIaE9ZVHJBcktVSjIzZUw2UmthVS9ydmVqU1VEMkdjaFVYTVZZZTdLWGlZbXk3VzBRVktLUVFDdmdhMDB5SWlWdVNXa1lTK1RnNUpMZ1NpN20vTTRJRlBqM0doaWF0QjhGcEp1dmtqTWFHZ05xMnc4M2hwRzEyWXpEdVU1d2MyeU1XYTZyeHlzdzJTeXN0QzdXdGxlSEoydS9tZ3BZY1hxMjFkZUwzVzZYWWVhLzFnY0Y1N0lBVldNQnc4UkYvcE10Z3B6WitReEhVaWNyd2l0MGxxK1dPNXdaNGhCTmNHNU9qRU4vbEo0Wk0xeFlZUEdyWVltZ3dCanBISkRPWGQ1dENoRERBNmpYY0Q0T052VEs4SWRDQnZaRVliaWtFcnJ1b3ljbWthTmpUb1prZER1MDZoVmdESlN4WUJ5dVJ2eFdFajhmeWVwUS9IRjUwc2kvbCtYSzBqYVg0UWFJbmRobVcrY3RocGVlbTZTd1lmRDd0dDVnZ2NZT05BSVd4Q1hUV3NCb3N6Z3h4Uk1VNXc1VFFKM3hXTFRhS2tadHhtbHRhSXZLOGNVeUliZVBNSi95cGNQdk13bU0yZTkzMitsRjFqTmdNelBSeEl0SDBhTmh2RlpiZjd2UW1XNlBTZFl4M0RVR0k5bW9KVTZGc2pjQTA3YjQ3MEx3Q
nVUcFZXNDlZSFdiVENGZHhuMkozNnFrVlRoaDlHRXB0aG83cm8rSHNKT094TUhha3ZBVURDR1IzWjJxblNmbEloOGQ4UDZVVjMxZHdXTklhN29tNVRZMUdaaHNNcS95d3JZNTcwZHNZaEREMFRxTUoyOVRDWTN2QWlCWENZVTJ1WncweDRrdURHVEJ0dW1NbW8rUnhpRzhXMXVnb2EwRW83Y0RjY0tyNTRnaEZEVllleStleXNaN1phem9XM1hFd0U0M3RnTVNaZFZUVFdUMWYzTXYzRGVaTEdQcDFtc1F3TGw3RWhTaGRBM2VYM1M3Zzk2RzZYTlBmUTNjZlg4ci9aWGkvSXE3MGRGbWFCMmdWMTlINWF0Q1VCeFh4SklDWTdxOFkrNW5EKzNiM1RLbEEwVXZQekRjdmtMbWRsMEVYVUtRTktFYm9Db3pOZFdsT3NMb21ZTGl1NWRnV3g5Z01BMHpteW0wdk8vNW9qSnpFam45V2UyNGVMcnpuMTdaWVVjK0VJSVBaalhSZnZYcXY2SHhaUFdpeEFYTUVhdzVYeVhQbm0wTFFqRXh5Qk1GUmZWSWdHRXFTK2d6NlViekNFSDFaN1R4TWsySVd6ekxSS1dEMmtmbFRkSThXcnN6ZmdKYWYrc2o5QzF2K25Pa3ZaNFBramRHVGIrUXhpYnRwa2hkbituamgrWjlZL2VIVEZTZmtsKzJmMGNuUEJrb1FCUUYrMHBmY3JmdWxGL2pkaTZ0MnNiU1JKeFpFVUJXWmI1MzMrZkRsRjkzTU94OGpXQUFib1g3MTdxYjI1dEtuMjF5QStPMar 01 20:29:53 sogod [39]: |SOGo| request took 0.314655 seconds to execute
Mar 01 20:29:53 sogod [39]: sogo "GET /SOGo/so/mailuser/Mail/0/view HTTP/1.0" 500 36/0 0.316 - - 7M - 13
Mar 01 20:29:53 sogod [40]: |SOGo| request took 0.380459 seconds to execute
Mar 01 20:29:53 sogod [40]: sogo "POST /SOGo/so/mailuser/Mail/0/folderINBOX/view HTTP/1.0" 500 36/126 0.382 - - 7M - 13

-- Log end --

We are willing to provide further information, if this will help to solve the issue.

Steps To Reproduce
  1. Install SOGo 5.0.1

  2. Setup Keycloak

  3. Configure SAML2.0 in SOGo with the following values:

    SOGoAuthenticationType = "saml2";
    SOGoSAML2PrivateKeyLocation = "/etc/pki/tls/private/sogo-saml.key";
    SOGoSAML2CertificateLocation = "/etc/pki/tls/certs/sogo-saml.crt";
    SOGoSAML2IdpMetadataLocation = "/etc/sogo/idp-metadata.xml";
    SOGoSAML2IdpPublicKeyLocation = "/etc/pki/tls/certs/idp-pub-key.crt";
    SOGoSAML2IdpCertificateLocation = "/etc/pki/tls/certs/idp.crt";
    SOGoSAML2LoginAttribute = "username";
    SOGoSAML2LogoutEnabled = YES;
    SOGoSAML2LogoutURL = "https://example.com/&quot;;

  4. Start or restart SOGo

  5. Sign in with any valid user using SSO and experience the broken page

Additional Information

We also tested this on older versions of SOGo, including SOGo 2 and SOGo 4.?.?, reproducing the same error in the log files. The error message displayed in the web browser in SOGo 2 is diffrent than in SOGo 5.0.1, but it is the same error in the logs.

Tagsidentity, saml, sogo, sso

Activities

codeoverflow

codeoverflow

2021-03-01 15:27

reporter  

ludovic

ludovic

2021-03-09 08:56

administrator   ~0015128

Do you have a test server that we could test things with you?

codeoverflow

codeoverflow

2021-03-09 12:52

reporter   ~0015129

Yes, we do have a test server that can be used for testing. What's the next step?

ludovic

ludovic

2021-03-10 06:20

administrator   ~0015130

Contact me in private by email and we can set up remote access for us with a test account. Thanks!

codeoverflow

codeoverflow

2021-03-15 12:19

reporter   ~0015148

We created a minimal docker setup with SOGo, Keycloak and Dovecot, which is reproducing the error. Link to the repo: https://github.com/fsphys/sogo-keycloak-docker-example .
The setup instructions can be found in the README.md file of the repository, which should be straight forward.

If everything is running and you try to login with any keycloak user to SOGo, you will recreate the LASSO error (GLib-GObject-CRITICAL) described above in the logs. The user interface will behave a little bit diffrent, create a redirect loop with the IdentityProvider and won't show the "Request failed" message. This is due to missing ldap setup as a user source for the keycloak, which we didn't provide in the docker setup as the error can be reproduced without it.

francis

francis

2021-04-06 15:08

administrator   ~0015184

Can you try to disable SOGoXSRFValidationEnabled?

codeoverflow

codeoverflow

2021-04-08 18:59

reporter   ~0015192

Disabling SOGoXSRFValidationEnabled by setting it to YES will result in breaking the Saml2 login. When accessing SOGo by calling the representing url (HOST_NAME/SOGo), the standard SOGo login will be shown and there is no redirect to the identity provider. The login remains enabled and a local sign with ldap is possible, which should not be possible and the saml2 login used instead.

When checking the log of sogo, we couldn't find any reported errors. This was tested on version 5.0.1 and 5.1.0.

After enabling the feature in the sogo.conf and restarting the machine, the previous result is reported. There is the redirect to the Identity Provider, but a login is creating the LASSO error.

webtech

webtech

2021-04-09 06:55

reporter   ~0015193

Just throwing it out there that I get the LASSO g_object_ref: assertion 'G_IS_OBJECT (object)' failed errors with a working SAML SOGo install. I think that may be a red herring and the issue is the "tried wrong password for user" error you're seeing. How have you setup dovecot to authenticate the SAML users? If you haven't already try setting dovecot to allow local.

i.e.
passdb {
driver = static
args = nopassword=y allow_nets=127.0.0.1/32

}

Issue History

Date Modified Username Field Change
2021-03-01 15:27 codeoverflow New Issue
2021-03-01 15:27 codeoverflow Tag Attached: identity
2021-03-01 15:27 codeoverflow Tag Attached: saml
2021-03-01 15:27 codeoverflow Tag Attached: sogo
2021-03-01 15:27 codeoverflow Tag Attached: sso
2021-03-01 15:27 codeoverflow File Added: Screenshot_MainView_after_login.PNG
2021-03-09 08:56 ludovic Note Added: 0015128
2021-03-09 12:52 codeoverflow Note Added: 0015129
2021-03-10 06:20 ludovic Note Added: 0015130
2021-03-15 12:19 codeoverflow Note Added: 0015148
2021-04-06 15:08 francis Note Added: 0015184
2021-04-08 18:59 codeoverflow Note Added: 0015192
2021-04-09 06:55 webtech Note Added: 0015193