[midPoint] SAML authentication return URL

Fabian Noll-Dukiewicz fabian.noll-dukiewicz at veryfy.gmbh
Fri Jul 14 13:07:25 CEST 2023


Hi Eetu,

I think it could be a misconfiguration of your nginx. Please check this: https://community.sonarsource.com/t/saml-error-with-nginx-reverse-proxy/46324 (it is not midPoint, but it covers the same problem).

On the midPoint side you can check whether you have set the “Default hostname” in System configuration > Infrastructure to your reverse proxy address (https://midpoint.example.com).

Good Luck!

Kind regards,
Fabian

--
Fabian Noll-Dukiewicz
Identity & Access Management Specialist | Managing Director
Tel.: +49 152 244 63 211
Email: fabian.noll-dukiewicz at veryfy.gmbh
Web: https://veryfy.gmbh


From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Eetu Salpaharju via midPoint <midpoint at lists.evolveum.com>
Date: Friday, 14 July 2023 at 12:53
To: midpoint at lists.evolveum.com <midpoint at lists.evolveum.com>
Cc: Eetu Salpaharju <Eetu.Salpaharju at tietokeskus.fi>
Subject: [midPoint] SAML authentication return URL
Hello,

I'm deploying SAML2 authentication against Microsoft Azure AD.

My network configuration uses an nginx server as a reverse proxy, like this. Both midPoint and nginx are running on the same server.

 user ---https://midpoint.example.com---> nginx ---http://localhost:8080---> Midpoint

Now midPoint sends the following return URL to Azure: http://midpoint.example.com/midpoint/auth/default/azure_auth/SSO/alias/aad . The problem is that the return URL is using http instead of https. The return URL should be https://midpoint.example.com/midpoint/auth/default/azure_auth/SSO/alias/aad .

Where could I define base url or similar attribute so return URL would be with https protocol? For reference, my authenticator configuration is below.

<authentication>
...
    <modules>
        ...
        <saml2 id="10">
            <identifier>azure_auth</identifier>
            <description>Authentication against AzureAD tenant.</description>
            <focusType>UserType</focusType>
            <serviceProvider id="11">
                <entityId>**ApplicationID from Azure**</entityId>
                <aliasForPath>aad</aliasForPath>
                <identityProvider>
                    <entityId>**ApplicationID from Azure**</entityId>
                    <metadata>
                        <pathToFile>/var/midpoint/auth/azure_metadata.xml</pathToFile>
                    </metadata>
                    <linkText>Microsoft Azure</linkText>
                    <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
                    <nameOfUsernameAttribute>emailAddress</nameOfUsernameAttribute>
                </identityProvider>
            </serviceProvider>
        </saml2>
    </modules>
...
</authentication>


Thank you in advance for helping with this one.


- Eetu
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint
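Since the symptom in Eetu's post is an http:// AssertionConsumerServiceURL in the AuthnRequest that midPoint sends to Azure, one way to confirm a fix from the browser side is to decode the SAMLRequest form parameter and check the URLs it carries. The following is an added example, not code from the thread or from midPoint; the sample AuthnRequest is constructed, and the check is generic SAML 2.0 handling rather than anything midPoint-specific.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

def decode_saml_request(saml_request: str, redirect_binding: bool = False) -> bytes:
    """Return the raw AuthnRequest XML from a SAMLRequest parameter.
    HTTP-POST carries plain base64; HTTP-Redirect adds raw DEFLATE compression."""
    raw = base64.b64decode(saml_request)
    if redirect_binding:
        raw = zlib.decompress(raw, -15)  # negative wbits: raw deflate, no zlib header
    return raw

def check_authn_request_urls(xml_bytes: bytes, expected_host: str) -> list[str]:
    """Return findings for an ACS URL that would not work behind an https proxy."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        return ["root element is not samlp:AuthnRequest"]
    findings = []
    acs = root.get("AssertionConsumerServiceURL")
    if acs is None:
        findings.append("AssertionConsumerServiceURL attribute missing")
        return findings
    parsed = urlparse(acs)
    if parsed.scheme != "https":
        findings.append(f"AssertionConsumerServiceURL uses {parsed.scheme}, expected https: {acs}")
    if parsed.hostname != expected_host:
        findings.append(f"AssertionConsumerServiceURL host is {parsed.hostname}, expected {expected_host}")
    return findings

# Constructed sample (not captured traffic): an SP behind a plain-http proxy hop
# advertising the http:// return URL from the thread.
SAMPLE_REQUEST = b"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed-id-1" Version="2.0" IssueInstant="2023-07-14T10:53:00Z"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  AssertionConsumerServiceURL="http://midpoint.example.com/midpoint/auth/default/azure_auth/SSO/alias/aad">
  <saml:Issuer>urn:example:sp</saml:Issuer>
</samlp:AuthnRequest>"""

def demo() -> list[str]:
    """Encode the sample as the HTTP-POST binding would, decode it, and run the check."""
    encoded = base64.b64encode(SAMPLE_REQUEST).decode()
    return check_authn_request_urls(decode_saml_request(encoded), "midpoint.example.com")

if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

After the proxy or midPoint hostname setting is corrected, the same check run against a fresh SAMLRequest should return no findings.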