[midPoint] Midpoint - SAML 2.0 - Okta IdP - Flex-Auth?
Gus Lou
gugalou38 at gmail.com
Mon Aug 17 16:15:31 CEST 2020
Hi Luca
Thank you very much for your help. I had not configured this option yet.
I did the suggested configuration, now the link to the IdP in the midpoint
interface is correct.
But when I click on the link to the IdP and do the authentication and get
the reply back to the midpoint I get an error:
*Midpoint saml module doesn't receive response from Identity Provider
server.*
*Authentication failed, and as a consequence was restarted authentication
flow*
(probably due to the fact that the midpoint ACS url in the IdP is not
correct.)
I need to find out what the Midpoint Assertion Consumer Service (ACS) URL
is to report on the IdP.
Screenshot after the IdP authentication failed
[image: image.png]
Regards
Gus
On Mon, 17 Aug 2020 at 03:18, Lukas Skublik <
lukas.skublik at evolveum.com> wrote:
> Hello Gus,
>
> try configuring the attribute
> systemConfiguration/infrastructure/publicHttpUrlPattern to '
> http://midpoint-02.xyz.net/midpoint'.
>
> Regards,
> Lukas Skublik
> On 6. 8. 2020 0:00, Gus Lou wrote:
>
> Hi Guys
> Anyone here already integrated Midpoint with Okta's solution to provide
> Midpoint authentication through the SAML 2.0 protocol?
> I created a free developer account on Okta and I am trying to make the
> SAML settings following the guidelines below:
>
> *Midpoint Wiki:*
>
> https://wiki.evolveum.com/display/midPoint/Flexible+Authentication+Configuration
>
> *Git Example Security-policy-flexible-authentication:*
>
> https://github.com/Evolveum/midpoint-samples/blob/master/samples/policy/security/security-policy-flexible-authentication.xml
>
> *Okta Example - SAML Spring Security:*
> https://developer.okta.com/code/java/spring_security_saml/
> https://github.com/oktadeveloper/okta-spring-boot-saml-example
>
> I understand that Okta is the Identity Provider (IdP) and Midpoint is the
> Service Provider (SP).
> After trying to make the settings I had some doubts:
>
> What is the Midpoint URI that receives the IdP response?
> What is the Midpoint URL that I should use to perform the authentication
> at the IdP (Okta)? When I enter an existing IdP user, an error appears
> together with a screen showing the link to the IdP (in this part there
> is another error that I couldn't solve: midpoint displays the internal
> address https://127.0.0.1/).
>
> Some information from my lab:
>
> *Print-01 Midpoint - Authentication GUI* (the user john.doe does not
> exist at midpoint but exists at IdP)
> [image: image.png]
>
> *Print-02 *
> After I try to authenticate, I get the error message:
> *Couldn't authenticate user, reason: couldn't encode password.*
> [image: image.png]
>
> *Print-03*
> The link to the IdP Okta is displaying midpoint's internal address:
> *http://127.0.0.1:8080/midpoint/auth/default/oktaidp/discovery?idp=http%3A%2F%2Fwww.okta.com%2Fexko4d721K5vASKoJ4x6*
>
> Instead of the hostname address:
> *http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/discovery?idp=http%3A%2F%2Fwww.okta.com%2Fexko4d721K5vASKoJ4x6*
>
> I believe it is some incorrect configuration on my reverse proxy - nginx
> [image: image.png]
>
> *Print-04: Okta IdP SAML Configuration*
> Here is my main question, because in the fields:
>
> 1. Single sign on URL
> 2. Audience URI (SP Entity ID)
>
> I need to report existing data in Midpoint, but I'm not sure where to get
> this information.
> [image: image.png]
>
>
>
> *My Security Policy Config:*
> I made the settings in the IdP, generated the metadata, encoded it in
> base64 and put it in the Midpoint settings.
>
> <authentication>
>     <modules>
>         <loginForm id="15">
>             <name>internalLoginForm</name>
>             <description>Internal username/password authentication, default user password, login form</description>
>         </loginForm>
>         <saml2 id="16">
>             <name>oktaidp</name>
>             <description>My SAML-based SSO system.</description>
>             <network>
>                 <readTimeout>10000</readTimeout>
>                 <connectTimeout>5000</connectTimeout>
>             </network>
>             <serviceProvider>
>                 <entityId>sp_midpoint</entityId>
>                 <signRequests>true</signRequests>
>                 <wantAssertionsSigned>true</wantAssertionsSigned>
>                 <singleLogoutEnabled>true</singleLogoutEnabled>
>                 <nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</nameId>
>                 <keys/>
>                 <provider id="17">
>                     <entityId>http://www.okta.com/xxxxxxxxxxxx4x6</entityId>
>                     <alias>SSO-Okta</alias>
>                     <metadata>
>                         <xml>PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48bWQ6RW50aXR5RGVzY3JpcHRvciBlbnRpdHlJRD0iaHR0cDovL3d3dy5va3RhLmNvbS9leGtvNGQ3MjFLNXZBU0</xml>
>                     </metadata>
>                     <skipSslValidation>true</skipSslValidation>
>                     <linkText>Okta</linkText>
>                     <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
>                     <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
>                 </provider>
>             </serviceProvider>
>         </saml2>
>     </modules>
>     <sequence id="8">
>         <name>admin-gui-default</name>
>         <description>
>             Default GUI authentication sequence.
>             We want to try company SSO, federation and internal. In that order.
>             Just one of them needs to be successful to let the user in.
>         </description>
>         <channel>
>             <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
>             <default>true</default>
>             <urlSuffix>default</urlSuffix>
>         </channel>
>         <module id="12">
>             <name>oktaidp</name>
>             <order>30</order>
>             <necessity>sufficient</necessity>
>         </module>
>         <module id="13">
>             <name>internalLoginForm</name>
>             <order>20</order>
>             <necessity>sufficient</necessity>
>         </module>
>     </sequence>
>     <sequence id="9">
>         <name>admin-gui-emergency</name>
>         <description>
>             Special GUI authentication sequence that uses just the internal user password.
>             It is used only in an emergency. It allows skipping SAML authentication cycles,
>             e.g. in case the SAML authentication is redirecting the browser incorrectly.
>         </description>
>         <channel>
>             <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
>             <default>false</default>
>             <urlSuffix>emergency</urlSuffix>
>         </channel>
>         <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType">
>             <!-- Superuser -->
>         </requireAssignmentTarget>
>         <module id="14">
>             <name>internalLoginForm</name>
>             <order>30</order>
>             <necessity>sufficient</necessity>
>         </module>
>     </sequence>
> </authentication>
>
>
> If anyone has any suggestions for solving the problem I would appreciate
> it.
>
> Regards
>
> Gus
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
>
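A consistency check to run over a saml2 provider block like the one quoted above, added here as an example (it is not midPoint's code and not the poster's configuration): it decodes the base64 IdP metadata placed in <xml>, compares the IdP's entityID with the configured <entityId>, flags skipSslValidation=true, and rebuilds the discovery link from the publicHttpUrlPattern value so the public URL can be compared with the proxied 127.0.0.1:8080 one. The metadata, entity IDs and Okta hostname in the sample are constructed placeholders; only the discovery-link check reuses values from the thread.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import quote

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed IdP metadata standing in for an Okta export (not the poster's blob).
IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkEXAMPLE">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://dev-example.okta.com/app/exkEXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed <provider> fragment shaped like the one in the post, with the
# metadata base64-encoded into <xml> the same way the poster did.
PROVIDER = """<provider>
  <entityId>http://www.okta.com/exkWRONG</entityId>
  <alias>SSO-Okta</alias>
  <metadata><xml>{b64}</xml></metadata>
  <skipSslValidation>true</skipSslValidation>
</provider>""".format(b64=base64.b64encode(IDP_METADATA.encode()).decode())


def check_provider(provider_xml):
    """Decode the embedded IdP metadata and return its facts plus findings."""
    prov = ET.fromstring(provider_xml)
    meta = ET.fromstring(base64.b64decode(prov.findtext("metadata/xml").strip()))
    entity_id = meta.get("entityID")
    sso = [(e.get("Binding"), e.get("Location"))
           for e in meta.iter("{%s}SingleSignOnService" % MD_NS)]
    findings = []
    configured = (prov.findtext("entityId") or "").strip()
    if configured != entity_id:  # provider/entityId must match what the IdP asserts
        findings.append("entityId %r != metadata entityID %r" % (configured, entity_id))
    if not sso:
        findings.append("metadata has no SingleSignOnService endpoint")
    if (prov.findtext("skipSslValidation") or "").strip() == "true":
        findings.append("skipSslValidation=true disables TLS certificate checks towards the IdP")
    return {"entityID": entity_id, "sso": sso, "findings": findings}


def discovery_url(public_url_pattern, url_suffix, module_name, idp_entity_id):
    """IdP link in the form shown in the post: <public URL>/auth/<urlSuffix>/<module>/discovery?idp=...
    Feed it the publicHttpUrlPattern value, not the proxied 127.0.0.1:8080 address."""
    return "%s/auth/%s/%s/discovery?idp=%s" % (
        public_url_pattern.rstrip("/"), url_suffix, module_name, quote(idp_entity_id, safe=""))
```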