[midPoint] Midpoint - SAML 2.0 - Okta IdP - Flex-Auth?

Gus Lou gugalou38 at gmail.com
Tue Aug 18 23:35:32 CEST 2020


Hi Alexandre

Thank you very much

I made the modifications suggested by you and Lukas.
Something is still wrong: after authenticating with the IdP and returning
to midpoint I get the message:
Midpoint saml module doesn't receive response from Identity Provider server
The strange thing is that, with the SAML-tracer tool, I can verify that
there was a request and a response.



Saml Request:

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta"
    Destination="https://dev-601301.okta.com/app/xyzdev601301_midpoint_1/xxxxxx4x6/sso/saml"
    ForceAuthn="false" ID="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b" IsPassive="false"
    IssueInstant="2020-08-18T21:14:01.266Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">sp_midpoint</saml2:Issuer>
  <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</saml2p:AuthnRequest>

Saml Response:

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta"
    ID="id369598233453735443745710"
    InResponseTo="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b"
    IssueInstant="2020-08-18T21:14:02.181Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/xxxxxxxxxxx4x6</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#id369598233453735443745710">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>eOe03vp5gwQQ/4RERzhnfkVpxbxfb8Ek0OQHbyNXcL4=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
Opuurv0kgPnDHbxXpe2wzDhDJs6tGoRrHLc+XwIUpxtyLxwh+/4QBPmanZUWepBygLOM223ql7vfpD6e37Zr1iWNAA7Dub9Dc2HIo8igDB1i7wRSvJGWaX+BZLc8mF+CQ9jLT3vinalejcfGicVOS06CygG3ztb7QlBZJmj
    </ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
MIIDpDCCAoygAwIBAgIGAXOn7be0MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
9u92XgEJLCIVs0onGbhUfoI5r702fcEM
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="id3695982334609027802744130" IssueInstant="2020-08-18T21:14:02.181Z" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/xxxxxxxxx4x6</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#id3695982334609027802744130">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>g8vVhT6anU1xJOXQH9IrsOIpWG1YZN9GVIWFXVd9zFk=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
nFK/0DyI7SpavUD3FPdr7BU1wSMIJl3NR4efPDKfZeZMhPGOX3lurD5lHSceulzGLcZbsOmPnEn1pLsFCOefihVC/SmkNNBHB/uCbKdrgmcQ4Q+xuBEuoUXopG80Xx3sMWZa0lSRAgAcM0sJb6EynmyifxBJ4n0/P9/ANIH
      </ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
MIIDpDCCAoygAwIBAgIGAXOn7be0MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
DY2IxhhuxGPHLqFT/YfO/RmJd9keXfM9lIiJl1+9N8eFskiMwUlV0RriPU9GEGt2fJRZxZqw/c7A
9u92XgEJLCIVs0onGbhUfoI5r702fcEM
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">john.doe at xyz.net</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b"
            NotOnOrAfter="2020-08-18T21:19:02.181Z"
            Recipient="http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
        NotBefore="2020-08-18T21:09:02.181Z" NotOnOrAfter="2020-08-18T21:19:02.181Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>okta</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
        AuthnInstant="2020-08-18T21:14:02.181Z" SessionIndex="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>

---------------------------------------------------------------------------------------------


Regards

Gus

On Tue, Aug 18, 2020 at 02:28, Alexandre Zia <
alexandre.zia at ifood.com.br> wrote:

> I've just changed a few things, based on your config,
>
> <saml2>
>     <name>oktaidp</name>
>     <description>Enterprise SAML-based SSO system</description>
>     <network>
>         <readTimeout>10000</readTimeout>
>         <connectTimeout>5000</connectTimeout>
>     </network>
>     <serviceProvider>
>         <entityId>sp_midpoint</entityId>
>         <aliasForPath>okta</aliasForPath>
>         <signRequests>false</signRequests>
>         <wantAssertionsSigned>true</wantAssertionsSigned>
>         <singleLogoutEnabled>true</singleLogoutEnabled>
>         <nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</nameId>
>         <provider>
>              <entityId>http://www.okta.com/xxxxxxxxxxxx4x6</entityId>
>             <alias>SSO-Okta</alias>
>             <metadata>
>                 <xml>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</xml>
>             </metadata>
>             <skipSslValidation>false</skipSslValidation>
>             <linkText>Okta</linkText>
>             <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
>             <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
>         </provider>
>     </serviceProvider>
> </saml2>
>
>
> And your ACS url will be something like this:
> http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta
>
>
>
>
>
> On Mon, Aug 17, 2020 at 2:24 PM Gus Lou <gugalou38 at gmail.com> wrote:
>
>> Hi Luca
>> Thank you very much for your help. I had not configured this option yet.
>> I did the suggested configuration, and now the link to the IdP in the
>> midpoint interface is correct.
>> But when I click on the link to the IdP, do the authentication and get
>> the reply back to the midpoint, I get an error:
>> *Midpoint saml module doesn't receive response from Identity Provider
>> server.*
>> *Authentication failed, and as a consequence was restarted authentication
>> flow*
>> (probably due to the fact that the midpoint ACS URL in the IdP is not
>> correct.)
>>
>> I need to find out what the Midpoint Assertion Consumer Service (ACS) URL
>> is to report on the IdP.
>>
>> Print Screen after IdP Authentication failed
>> [image: image.png]
>>
>> Regards
>>
>> Gus
>>
>> On Mon, Aug 17, 2020 at 03:18, Lukas Skublik <
>> lukas.skublik at evolveum.com> wrote:
>>
>>> Hello Gus,
>>>
>>> try configuring the attribute
>>> systemConfiguration/infrastructure/publicHttpUrlPattern to '
>>> http://midpoint-02.xyz.net/midpoint'.
>>>
>>> Regards,
>>> Lukas Skublik
>>> On 6. 8. 2020 0:00, Gus Lou wrote:
>>>
>>> Hi Guys
>>> Has anyone here already integrated Midpoint with Okta's solution to provide
>>> Midpoint authentication through the SAML 2.0 protocol?
>>> I created a free developer account on Okta and I am trying to make the
>>> SAML settings following the guidelines below:
>>>
>>> *Midpoint Wiki:*
>>>
>>> https://wiki.evolveum.com/display/midPoint/Flexible+Authentication+Configuration
>>>
>>> *Git Example Security-policy-flexible-authentication:*
>>>
>>> https://github.com/Evolveum/midpoint-samples/blob/master/samples/policy/security/security-policy-flexible-authentication.xml
>>>
>>> *Okta Example - SAML Spring Security:*
>>> https://developer.okta.com/code/java/spring_security_saml/
>>> https://github.com/oktadeveloper/okta-spring-boot-saml-example
>>>
>>> I understand that Okta is the Identity Provider (IdP) and Midpoint is the
>>> Service Provider (SP).
>>> After trying to make the settings I had some doubts:
>>>
>>> What is the Midpoint URI that receives the IdP response?
>>> What is the Midpoint URL that I should use to perform the authentication
>>> at the IdP (Okta)? Because when I try to enter a user that exists in the IdP,
>>> an error appears, together with a screen with the link to the IdP (in this part there
>>> is another error that I couldn't solve: the midpoint displays the internal
>>> address https://127.0.0.1/).
>>>
>>> Some information from my lab:
>>>
>>> *Print-01 Midpoint - Authentication GUI* (the user john.doe does not
>>> exist in midpoint but exists in the IdP)
>>> [image: image.png]
>>>
>>> *Print-02 *
>>> After I try to authenticate, I get the error message:
>>> *Couldn't authenticate user, reason: couldn't encode password.*
>>> [image: image.png]
>>>
>>> *Print-03*
>>> The link to the idp Okta is displaying the midpoint's internal address:
>>> *http://127.0.0.1:8080/midpoint/auth/default/oktaidp/discovery?idp=http%3A%2F%2Fwww.okta.com%2Fexko4d721K5vASKoJ4x6*
>>>
>>> Instead of the hostname address:
>>> *http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/discovery?idp=http%3A%2F%2Fwww.okta.com%2Fexko4d721K5vASKoJ4x6*
>>>
>>> I believe it is some incorrect configuration on my reverse proxy - nginx
>>> [image: image.png]
>>>
>>> *Print-04: Okta IdP SAML Configuration*
>>> Here is my main question, because in the fields:
>>>
>>>    1. Single sign on URL
>>>    2. Audience URI (SP Entity ID)
>>>
>>> I need to report existing data in Midpoint, but I'm not sure where to
>>> get this information.
>>> [image: image.png]
>>>
>>>
>>>
>>> *My Security Policy Config:*
>>> I made the settings in the IdP, generated the metadata, encoded it in
>>> base64 and put it in the Midpoint settings.
>>>
>>> <authentication>
>>>         <modules>
>>>             <loginForm id="15">
>>>                 <name>internalLoginForm</name>
>>>                 <description>Internal username/password authentication,
>>> default user password, login form</description>
>>>             </loginForm>
>>>             <saml2 id="16">
>>>                 <name>oktaidp</name>
>>>                 <description>My SAML-based SSO system.</description>
>>>                 <network>
>>>                     <readTimeout>10000</readTimeout>
>>>                     <connectTimeout>5000</connectTimeout>
>>>                 </network>
>>>                 <serviceProvider>
>>>                     <entityId>sp_midpoint</entityId>
>>>                     <signRequests>true</signRequests>
>>>                     <wantAssertionsSigned>true</wantAssertionsSigned>
>>>                     <singleLogoutEnabled>true</singleLogoutEnabled>
>>>                     <nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</nameId>
>>>                     <keys/>
>>>                     <provider id="17">
>>>                         <entityId>http://www.okta.com/xxxxxxxxxxxx4x6</entityId>
>>>                         <alias>SSO-Okta</alias>
>>>                         <metadata>
>>>                             <xml>PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48bWQ6RW50aXR5RGVzY3JpcHRvciBlbnRpdHlJRD0iaHR0cDovL3d3dy5va3RhLmNvbS9leGtvNGQ3MjFLNXZBU0</xml>
>>>                         </metadata>
>>>                         <skipSslValidation>true</skipSslValidation>
>>>                         <linkText>Okta</linkText>
>>>                         <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
>>>                         <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
>>>                     </provider>
>>>                 </serviceProvider>
>>>             </saml2>
>>>         </modules>
>>>         <sequence id="8">
>>>             <name>admin-gui-default</name>
>>>             <description>
>>>                 Default GUI authentication sequence.
>>>                 We want to try company SSO, federation and internal, in
>>>                 that order.
>>>                 Just one of them needs to be successful to let the user in.
>>>             </description>
>>>             <channel>
>>>                 <channelId>
>>> http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user
>>> </channelId>
>>>                 <default>true</default>
>>>                 <urlSuffix>default</urlSuffix>
>>>             </channel>
>>>             <module id="12">
>>>                 <name>oktaidp</name>
>>>                 <order>30</order>
>>>                 <necessity>sufficient</necessity>
>>>             </module>
>>>             <module id="13">
>>>                 <name>internalLoginForm</name>
>>>                 <order>20</order>
>>>                 <necessity>sufficient</necessity>
>>>             </module>
>>>         </sequence>
>>>         <sequence id="9">
>>>             <name>admin-gui-emergency</name>
>>>             <description>
>>>                 Special GUI authentication sequence that is using just
>>> the internal user password.
>>>                 It is used only in emergency. It allows to skip SAML
>>> authentication cycles, e.g. in case
>>>                 that the SAML authentication is redirecting the browser
>>> incorrectly.
>>>             </description>
>>>             <channel>
>>>                 <channelId>
>>> http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user
>>> </channelId>
>>>                 <default>false</default>
>>>                 <urlSuffix>emergency</urlSuffix>
>>>             </channel>
>>>             <requireAssignmentTarget
>>> oid="00000000-0000-0000-0000-000000000004" relation="org:default"
>>> type="c:RoleType">
>>>                 <!-- Superuser -->
>>>             </requireAssignmentTarget>
>>>             <module id="14">
>>>                 <name>internalLoginForm</name>
>>>                 <order>30</order>
>>>                 <necessity>sufficient</necessity>
>>>             </module>
>>>         </sequence>
>>>     </authentication>
>>>
>>>
>>> If anyone has any suggestions for solving the problem I would appreciate
>>> it.
>>>
>>> Regards
>>>
>>> Gus
>>>
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>
>
> --
> Alexandre R Zia
> Security
> www.ifood.com.br
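The checks below are an added example written for this page; they are not midPoint's code and not from anyone in the thread. They take IdP metadata in the base64 form that midPoint's `<provider><metadata><xml>` element carries, pull out the trust anchors an SP needs (entityID, signing certificate, SSO endpoint), and then run the checks a service provider applies to a SAML Response before accepting it: StatusCode, Destination and Recipient against the ACS URL, InResponseTo against an outstanding AuthnRequest ID, Issuer against the metadata entityID, an assertion signature whose certificate is one from metadata, the NotBefore/NotOnOrAfter window, and AudienceRestriction against the SP entityId. The constructed Response mirrors the structure of the trace posted above; its Audience can be set to "okta" (the value in the trace) or to "sp_midpoint" (the SP entityId in the configuration), and only the second passes the audience check. Assumptions: the Okta entityID and certificate are placeholders (the real values are redacted in the thread), the metadata and Response are constructed inline, and the XML signature is not cryptographically verified here; that is an XML-DSig library's job, keyed from the metadata certificate and never from the KeyInfo inside the Response. Whether the audience check is what midPoint's saml module is actually failing on is not something the thread shows.

```python
"""SP-side checks on a SAML 2.0 Response shaped like the Okta -> midPoint trace; added example, stdlib only."""
import base64
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol", "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ACS = "http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta"  # ACS URL from the thread
REQ_ID = "ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b"  # AuthnRequest ID from the posted trace
IDP_ID = "http://www.okta.com/exk-example"         # placeholder for the redacted Okta entityID
IDP_CERT = "MIIDpDCCAoygAwIBAgIG...placeholder..."  # placeholder, not a real certificate

# Constructed IdP metadata, base64-encoded the way midPoint's <provider><metadata><xml> carries it.
IDP_METADATA_B64 = base64.b64encode(f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{IDP_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['saml2p']}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{IDP_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://dev-example.okta.com/app/example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".encode()).decode()

def parse_idp_metadata(b64: str) -> dict:
    """Decode the metadata blob and extract what the SP must trust: entityID, signing certs, SSO endpoints."""
    root = ET.fromstring(base64.b64decode(b64))
    certs = [c.text.strip() for c in root.findall(
        "md:IDPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    sso = {s.get("Binding"): s.get("Location") for s in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "certs": certs, "sso": sso}

def build_response(audience: str) -> str:
    """Constructed Response shaped like the posted trace; the Signature carries only a KeyInfo (no real SignatureValue)."""
    return f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}" xmlns:ds="{NS['ds']}"
  Destination="{ACS}" ID="_r1" InResponseTo="{REQ_ID}" IssueInstant="2020-08-18T21:14:02.181Z" Version="2.0">
 <saml2:Issuer>{IDP_ID}</saml2:Issuer>
 <saml2p:Status><saml2p:StatusCode Value="{SUCCESS}"/></saml2p:Status>
 <saml2:Assertion ID="_a1" IssueInstant="2020-08-18T21:14:02.181Z" Version="2.0">
  <saml2:Issuer>{IDP_ID}</saml2:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{IDP_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">john.doe@xyz.net</saml2:NameID>
   <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData
    InResponseTo="{REQ_ID}" NotOnOrAfter="2020-08-18T21:19:02.181Z" Recipient="{ACS}"/></saml2:SubjectConfirmation></saml2:Subject>
  <saml2:Conditions NotBefore="2020-08-18T21:09:02.181Z" NotOnOrAfter="2020-08-18T21:19:02.181Z">
   <saml2:AudienceRestriction><saml2:Audience>{audience}</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions>
 </saml2:Assertion></saml2p:Response>"""

_ts = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")  # Okta timestamps carry milliseconds (assumed here)

def validate_response(xml: str, sp: dict, idp: dict, outstanding, now: datetime, skew=timedelta(seconds=60)) -> list:
    """Return the list of failed checks; an empty list means the Response is acceptable to this SP."""
    f = []
    def need(ok, msg):
        if not ok:
            f.append(msg)
    r = ET.fromstring(xml)
    a = r.find("saml2:Assertion", NS)
    if a is None:
        return ["Response carries no Assertion"]
    sc = r.find("saml2p:Status/saml2p:StatusCode", NS)
    need(sc is not None and sc.get("Value") == SUCCESS, "StatusCode is not Success")
    need(r.get("Destination") == sp["acs_url"], f"Destination {r.get('Destination')!r} != ACS {sp['acs_url']!r}")
    for name, el in (("Response", r), ("Assertion", a)):
        iss = el.findtext("saml2:Issuer", default="", namespaces=NS).strip()
        need(iss == idp["entity_id"], f"{name} Issuer {iss!r} != metadata entityID {idp['entity_id']!r}")
    sig = a.find("ds:Signature", NS)
    need(sig is not None, "Assertion is not signed (SP has wantAssertionsSigned=true)")
    if sig is not None:
        # The metadata certificate is the trust anchor; a certificate carried inside the Response proves nothing by itself.
        cert = sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS).strip()
        need(cert in idp["certs"], "KeyInfo certificate is not an IdP signing certificate from metadata")
    scd = a.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if scd is None:
        return f + ["no bearer SubjectConfirmationData"]
    need(scd.get("Recipient") == sp["acs_url"], f"Recipient {scd.get('Recipient')!r} != ACS {sp['acs_url']!r}")
    for name, el in (("Response", r), ("SubjectConfirmationData", scd)):
        need(el.get("InResponseTo") in outstanding, f"{name}.InResponseTo matches no outstanding AuthnRequest (unsolicited or replayed)")
    need(now < _ts(scd.get("NotOnOrAfter")) + skew, "SubjectConfirmationData expired")
    cond = a.find("saml2:Conditions", NS)
    if cond is None:
        return f + ["no Conditions (Web SSO profile requires an AudienceRestriction)"]
    need(now + skew >= _ts(cond.get("NotBefore")), "assertion not yet valid (NotBefore)")
    need(now < _ts(cond.get("NotOnOrAfter")) + skew, "assertion expired (NotOnOrAfter)")
    auds = [x.text.strip() for x in a.findall("saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS)]
    need(sp["entity_id"] in auds, f"Audience {auds} does not name the SP entityId {sp['entity_id']!r}")
    return f

SP = {"entity_id": "sp_midpoint", "acs_url": ACS}  # the serviceProvider entityId and ACS URL from the thread
NOW = datetime(2020, 8, 18, 21, 14, 3)             # one second after the constructed IssueInstant
AFTER_EXPIRY = NOW + timedelta(minutes=10)         # past NotOnOrAfter even with clock skew allowed

def check_trace(audience: str, outstanding=frozenset({REQ_ID}), now: datetime = NOW) -> list:
    return validate_response(build_response(audience), SP, parse_idp_metadata(IDP_METADATA_B64), outstanding, now)

if __name__ == "__main__":
    print(check_trace("okta"), check_trace("sp_midpoint"))  # Audience as in the trace, then Audience = SP entityId
```

The `now` argument is explicit rather than read from the clock so that a Response captured with SAML-tracer can be re-checked after the fact with the timestamps of the capture; the clock-skew allowance is applied on both ends of the validity window, and the two InResponseTo checks (Response and SubjectConfirmationData) are what stop an unsolicited or replayed Response from being accepted.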