[midPoint] Midpoint - SAML 2.0 - Okta IdP - Flex-Auth?

Gus Lou gugalou38 at gmail.com
Thu Aug 6 00:00:58 CEST 2020


Hi guys,
Has anyone here already integrated Midpoint with Okta's solution to provide
Midpoint authentication through the SAML 2.0 protocol?
I created a free developer account on Okta and I am trying to make the SAML
settings following the guidelines below:

*Midpoint Wiki:*
https://wiki.evolveum.com/display/midPoint/Flexible+Authentication+Configuration

*Git Example Security-policy-flexible-authentication:*
https://github.com/Evolveum/midpoint-samples/blob/master/samples/policy/security/security-policy-flexible-authentication.xml

*Okta Example - SAML Spring Security:*
https://developer.okta.com/code/java/spring_security_saml/
https://github.com/oktadeveloper/okta-spring-boot-saml-example

I understand that Okta is the Identity Provider (IdP) and Midpoint is the
Service Provider (SP).
After trying to make the settings I had some doubts:

What is the Midpoint URI that receives the IdP response?
What is the Midpoint URL that I should use to perform the authentication at
the IdP (Okta)? When I try to enter a user that exists in the IdP, an error
appears along with a screen showing the link to the IdP (in this part there is
another error that I couldn't solve: midpoint displays the internal
address https://127.0.0.1/).

Some information from my lab:

*Print-01 Midpoint - Authentication GUI* (the user john.doe does not
exist in midpoint but exists at the IdP)

*Print-02 *
After I try to authenticate, I get the error message:
*Couldn't authenticate user, reason: couldn't encode password.*

*Print-03*
The link to the IdP (Okta) is displaying midpoint's internal address:
http://127.0.0.1:8080/midpoint/auth/default/oktaidp/discovery?idp=http%3A%2F%2Fwww.okta.com%2Fexko4d721K5vASKoJ4x6

Instead of the hostname address:
http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/discovery?idp=http%3A%2F%2Fwww.okta.com%2Fexko4d721K5vASKoJ4x6

I believe it is some incorrect configuration on my reverse proxy (nginx).

*Print-04: Okta IdP SAML Configuration*
Here is my main question, because for the fields:

   1. Single sign on URL
   2. Audience URI (SP Entity ID)

I need to enter existing data from Midpoint, but I'm not sure where to get
this information.

*My Security Policy Config:*
I made the settings in the IdP, generated the metadata, encoded it in
base64 and put it in the Midpoint settings.

<authentication>
    <modules>
        <loginForm id="15">
            <name>internalLoginForm</name>
            <description>Internal username/password authentication,
                default user password, login form</description>
        </loginForm>
        <saml2 id="16">
            <name>oktaidp</name>
            <description>My SAML-based SSO system.</description>
            <network>
                <readTimeout>10000</readTimeout>
                <connectTimeout>5000</connectTimeout>
            </network>
            <serviceProvider>
                <entityId>sp_midpoint</entityId>
                <signRequests>true</signRequests>
                <wantAssertionsSigned>true</wantAssertionsSigned>
                <singleLogoutEnabled>true</singleLogoutEnabled>
                <nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</nameId>
                <keys/>
                <provider id="17">
                    <entityId>http://www.okta.com/xxxxxxxxxxxx4x6</entityId>
                    <alias>SSO-Okta</alias>
                    <metadata>
                        <xml>PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48bWQ6RW50aXR5RGVzY3JpcHRvciBlbnRpdHlJRD0iaHR0cDovL3d3dy5va3RhLmNvbS9leGtvNGQ3MjFLNXZBU0</xml>
                    </metadata>
                    <skipSslValidation>true</skipSslValidation>
                    <linkText>Okta</linkText>
                    <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
                    <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
                </provider>
            </serviceProvider>
        </saml2>
    </modules>
    <sequence id="8">
        <name>admin-gui-default</name>
        <description>
            Default GUI authentication sequence.
            We want to try company SSO, federation and internal, in that order.
            Just one of them needs to be successful to let the user in.
        </description>
        <channel>
            <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
            <default>true</default>
            <urlSuffix>default</urlSuffix>
        </channel>
        <module id="12">
            <name>oktaidp</name>
            <order>30</order>
            <necessity>sufficient</necessity>
        </module>
        <module id="13">
            <name>internalLoginForm</name>
            <order>20</order>
            <necessity>sufficient</necessity>
        </module>
    </sequence>
    <sequence id="9">
        <name>admin-gui-emergency</name>
        <description>
            Special GUI authentication sequence that uses just the internal
            user password.
            It is used only in an emergency. It allows skipping the SAML
            authentication cycle, e.g. in case the SAML authentication is
            redirecting the browser incorrectly.
        </description>
        <channel>
            <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
            <default>false</default>
            <urlSuffix>emergency</urlSuffix>
        </channel>
        <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004"
                                 relation="org:default" type="c:RoleType">
            <!-- Superuser -->
        </requireAssignmentTarget>
        <module id="14">
            <name>internalLoginForm</name>
            <order>30</order>
            <necessity>sufficient</necessity>
        </module>
    </sequence>
</authentication>


If anyone has any suggestions for solving the problem, I would appreciate it.

Regards

Gus