[midPoint] Midpoint - SAML 2.0 - Okta IdP - Flex-Auth?
Alexandre Zia
alexandre.zia at ifood.com.br
Tue Aug 18 05:09:29 CEST 2020
I've just changed a few things, based on your config,
<saml2>
    <name>oktaidp</name>
    <description>Enterprise SAML-based SSO system</description>
    <network>
        <readTimeout>10000</readTimeout>
        <connectTimeout>5000</connectTimeout>
    </network>
    <serviceProvider>
        <entityId>sp_midpoint</entityId>
        <aliasForPath>okta</aliasForPath>
        <signRequests>false</signRequests>
        <wantAssertionsSigned>true</wantAssertionsSigned>
        <singleLogoutEnabled>true</singleLogoutEnabled>
        <nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</nameId>
        <provider>
            <entityId>http://www.okta.com/xxxxxxxxxxxx4x6</entityId>
            <alias>SSO-Okta</alias>
            <metadata>
                <xml>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</xml>
            </metadata>
            <skipSslValidation>false</skipSslValidation>
            <linkText>Okta</linkText>
            <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
            <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
        </provider>
    </serviceProvider>
</saml2>
And your ACS URL will be something like this:
http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta
On Mon, Aug 17, 2020 at 2:24 PM Gus Lou <gugalou38 at gmail.com> wrote:
> Hi Luca
> Thank you very much for your help. I had not configured this option yet.
> I did the suggested configuration, now the link to the IdP in the midpoint
> interface is correct.
> But when I click on the link to the IdP and do the authentication and get
> the reply back to the midpoint I get an error:
> *Midpoint saml module doesn't receive response from Identity Provider
> server.*
> *Authentication failed, and as a consequence was restarted authentication
> flow*
> (probably due to the fact that the midpoint ACS url in the IdP is not
> correct.)
>
> I need to find out what the Midpoint Assertion Consumer Service (ACS) URL
> is to report on the IdP.
>
> Print Screen after IdP Authentication failed
> [image: image.png]
>
> Regards
>
> Gus
>
> On Mon, Aug 17, 2020 at 03:18, Lukas Skublik <lukas.skublik at evolveum.com> wrote:
>
>> Hello Gus,
>>
>> Try configuring the attribute
>> systemConfiguration/infrastructure/publicHttpUrlPattern to
>> 'http://midpoint-02.xyz.net/midpoint'.
>>
>> Regards,
>> Lukas Skublik
>> On 6. 8. 2020 0:00, Gus Lou wrote:
>>
>> Hi Guys
>> Has anyone here already integrated Midpoint with Okta's solution to provide
>> Midpoint authentication through the SAML 2.0 protocol?
>> I created a free developer account on Okta and I am trying to make the
>> SAML settings following the guidelines below:
>>
>> *Midpoint Wiki:*
>>
>> https://wiki.evolveum.com/display/midPoint/Flexible+Authentication+Configuration
>>
>> *Git Example Security-policy-flexible-authentication:*
>>
>> https://github.com/Evolveum/midpoint-samples/blob/master/samples/policy/security/security-policy-flexible-authentication.xml
>>
>> *Okta Example - SAML Spring Security:*
>> https://developer.okta.com/code/java/spring_security_saml/
>> https://github.com/oktadeveloper/okta-spring-boot-saml-example
>>
>> I understand that Okta is the Identity Provider (IdP) and Midpoint is the
>> Service Provider (SP).
>> After trying to make the settings I had some doubts:
>>
>> What is the Midpoint URI that receives the IdP response?
>> What is the Midpoint URL that I should use to perform the authentication
>> against the IdP (Okta)? Because when I try to enter a user that exists in the IdP,
>> an error appears together with a screen containing the link to the IdP (in this
>> part there is another error that I couldn't solve: midpoint displays the internal
>> address https://127.0.0.1/).
>>
>> Some information from my lab:
>>
>> *Print-01 Midpoint - Authentication GUI* (the user john.doe does not
>> exist in midpoint but exists in the IdP)
>> [image: image.png]
>>
>> *Print-02 *
>> After I try to authenticate, I get the error message:
>> *Couldn't authenticate user, reason: couldn't encode password.*
>> [image: image.png]
>>
>> *Print-03*
>> The link to the IdP Okta is displaying midpoint's internal address:
>> http://127.0.0.1:8080/midpoint/auth/default/oktaidp/discovery?idp=http%3A%2F%2Fwww.okta.com%2Fexko4d721K5vASKoJ4x6
>>
>> Instead of the hostname address:
>> http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/discovery?idp=http%3A%2F%2Fwww.okta.com%2Fexko4d721K5vASKoJ4x6
>>
>> I believe it is some incorrect configuration on my reverse proxy - nginx
>> [image: image.png]
>>
>> *Print-04: Okta IdP SAML Configuration*
>> Here is my main question, because in the fields:
>>
>> 1. Single sign on URL
>> 2. Audience URI (SP Entity ID)
>>
>> I need to fill in existing Midpoint data, but I'm not sure where to get
>> this information.
>> [image: image.png]
>>
>>
>>
>> *My Security Policy Config:*
>> I made the settings in the IdP, generated the metadata, encoded it in
>> base 64 and put it in the Midpoint settings.
>>
>> <authentication>
>>     <modules>
>>         <loginForm id="15">
>>             <name>internalLoginForm</name>
>>             <description>Internal username/password authentication, default user password, login form</description>
>>         </loginForm>
>>         <saml2 id="16">
>>             <name>oktaidp</name>
>>             <description>My SAML-based SSO system.</description>
>>             <network>
>>                 <readTimeout>10000</readTimeout>
>>                 <connectTimeout>5000</connectTimeout>
>>             </network>
>>             <serviceProvider>
>>                 <entityId>sp_midpoint</entityId>
>>                 <signRequests>true</signRequests>
>>                 <wantAssertionsSigned>true</wantAssertionsSigned>
>>                 <singleLogoutEnabled>true</singleLogoutEnabled>
>>                 <nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</nameId>
>>                 <keys/>
>>                 <provider id="17">
>>                     <entityId>http://www.okta.com/xxxxxxxxxxxx4x6</entityId>
>>                     <alias>SSO-Okta</alias>
>>                     <metadata>
>>                         <xml>PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48bWQ6RW50aXR5RGVzY3JpcHRvciBlbnRpdHlJRD0iaHR0cDovL3d3dy5va3RhLmNvbS9leGtvNGQ3MjFLNXZBU0</xml>
>>                     </metadata>
>>                     <skipSslValidation>true</skipSslValidation>
>>                     <linkText>Okta</linkText>
>>                     <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
>>                     <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
>>                 </provider>
>>             </serviceProvider>
>>         </saml2>
>>     </modules>
>>     <sequence id="8">
>>         <name>admin-gui-default</name>
>>         <description>
>>             Default GUI authentication sequence.
>>             We want to try company SSO, federation and internal. In that order.
>>             Just one of then need to be successful to let user in.
>>         </description>
>>         <channel>
>>             <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
>>             <default>true</default>
>>             <urlSuffix>default</urlSuffix>
>>         </channel>
>>         <module id="12">
>>             <name>oktaidp</name>
>>             <order>30</order>
>>             <necessity>sufficient</necessity>
>>         </module>
>>         <module id="13">
>>             <name>internalLoginForm</name>
>>             <order>20</order>
>>             <necessity>sufficient</necessity>
>>         </module>
>>     </sequence>
>>     <sequence id="9">
>>         <name>admin-gui-emergency</name>
>>         <description>
>>             Special GUI authentication sequence that is using just the internal user password.
>>             It is used only in emergency. It allows to skip SAML authentication cycles, e.g. in case
>>             that the SAML authentication is redirecting the browser incorrectly.
>>         </description>
>>         <channel>
>>             <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
>>             <default>false</default>
>>             <urlSuffix>emergency</urlSuffix>
>>         </channel>
>>         <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType">
>>             <!-- Superuser -->
>>         </requireAssignmentTarget>
>>         <module id="14">
>>             <name>internalLoginForm</name>
>>             <order>30</order>
>>             <necessity>sufficient</necessity>
>>         </module>
>>     </sequence>
>> </authentication>
>>
>>
>> If anyone has any suggestions for solving the problem I would appreciate
>> it.
>>
>> Regards
>>
>> Gus
>>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> https://lists.evolveum.com/mailman/listinfo/midpoint
--
Alexandre R Zia
*Security*
www.ifood.com.br
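An added example for this thread (not midPoint's code and not from any of the posters): given a security policy shaped like the one Gus quoted and the publicHttpUrlPattern Lukas mentioned, it derives the SP entity ID, the ACS URL and the IdP link, and flags the serviceProvider settings that Alexandre's reply changed (skipSslValidation, signRequests with an empty keys element). The URL layout {publicHttpUrlPattern}/auth/{urlSuffix}/{moduleName}/SSO/alias/{aliasForPath} and .../{moduleName}/discovery?idp=<entityId> is an assumption inferred from the URLs posted in the thread, and the policy below is a constructed sample without the midPoint namespace, so confirm both against your deployment.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Constructed sample shaped like the policy quoted in the thread (no namespace,
# placeholder IdP entityId); a real midPoint policy carries its namespace.
POLICY_XML = """<authentication><modules><saml2><name>oktaidp</name>
  <serviceProvider><entityId>sp_midpoint</entityId><aliasForPath>okta</aliasForPath>
    <signRequests>true</signRequests><wantAssertionsSigned>true</wantAssertionsSigned>
    <keys/><provider><entityId>http://www.okta.com/EXAMPLE-IDP-ID</entityId>
    <skipSslValidation>true</skipSslValidation></provider></serviceProvider>
</saml2></modules>
<sequence><name>admin-gui-default</name>
  <channel><default>true</default><urlSuffix>default</urlSuffix></channel>
  <module><name>oktaidp</name><necessity>sufficient</necessity></module></sequence>
</authentication>"""


def saml_endpoints(policy_xml, public_url):
    """Return SP entity ID, ACS URL and IdP link for the saml2 module.
    The URL layout is an assumption inferred from the URLs posted in the thread."""
    root = ET.fromstring(policy_xml)
    saml = root.find("modules/saml2")
    module, sp = saml.findtext("name"), saml.find("serviceProvider")
    # urlSuffix comes from the default sequence that references this module.
    suffix = next(seq.findtext("channel/urlSuffix") for seq in root.findall("sequence")
                  if seq.findtext("channel/default") == "true"
                  and any(m.findtext("name") == module for m in seq.findall("module")))
    base = f"{public_url.rstrip('/')}/auth/{suffix}/{module}"
    idp_id = sp.findtext("provider/entityId").strip()
    return {"sp_entity_id": sp.findtext("entityId"),
            "acs_url": f"{base}/SSO/alias/{sp.findtext('aliasForPath')}",
            "idp_link": f"{base}/discovery?idp={quote(idp_id, safe='')}"}


def config_warnings(policy_xml):
    """Flag serviceProvider settings from the thread that weaken or break the SP."""
    sp = ET.fromstring(policy_xml).find("modules/saml2/serviceProvider")
    keys = sp.find("keys")
    warnings = []
    if sp.findtext("provider/skipSslValidation") == "true":
        warnings.append("skipSslValidation=true: TLS to the IdP is not verified")
    if sp.findtext("wantAssertionsSigned") != "true":
        warnings.append("wantAssertionsSigned!=true: unsigned assertions would be accepted")
    if sp.findtext("signRequests") == "true" and (keys is None or len(keys) == 0):
        warnings.append("signRequests=true but no keys configured to sign with")
    if not sp.findtext("aliasForPath"):
        warnings.append("aliasForPath missing: the ACS URL cannot be formed")
    return warnings
```

The acs_url value is what goes into Okta's "Single sign on URL" field and sp_entity_id into "Audience URI (SP Entity ID)"; the idp_link should show the public hostname rather than 127.0.0.1 once publicHttpUrlPattern is set.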