[midPoint] Midpoint - SAML 2.0 - Okta IdP - Flex-Auth?
Lukas Skublik
lukas.skublik at evolveum.com
Wed Aug 19 07:34:01 CEST 2020
Hello Gus,
Can you send me your log file? Maybe you are seeing the wrong error message.
Regards
Lukas Skublik
On 18. 8. 2020 23:35, Gus Lou wrote:
> Hi Alexandre
>
> Thank you very much
>
> I made the modifications suggested by you and Lukas.
> Something is still wrong: after authenticating with the IdP and
> returning to midPoint I get the message:
> "Midpoint saml module doesn't receive response from Identity Provider
> server".
> The strange thing is that through the Saml Tracer tool, I can verify
> that there was a request and a response.
>
>
>
> Saml Request:
>
> <saml2p:AuthnRequest
> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
> AssertionConsumerServiceURL="http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta"
> Destination="https://dev-601301.okta.com/app/xyzdev601301_midpoint_1/xxxxxx4x6/sso/saml"
> ForceAuthn="false" ID="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b"
> IsPassive="false" IssueInstant="2020-08-18T21:14:01.266Z"
> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> Version="2.0" ><saml2:Issuer
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">sp_midpoint</saml2:Issuer><saml2p:NameIDPolicy
> AllowCreate="true"
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
> /></saml2p:AuthnRequest>
>
> Saml Response:
>
> <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
> Destination="http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta"
> ID="id369598233453735443745710"
> InResponseTo="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b"
> IssueInstant="2020-08-18T21:14:02.181Z" Version="2.0" ><saml2:Issuer
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
> >http://www.okta.com/xxxxxxxxxxx4x6</saml2:Issuer><ds:Signature
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
> /><ds:SignatureMethod
> Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
> /><ds:Reference
> URI="#id369598233453735443745710"><ds:Transforms><ds:Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
> /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
> /></ds:Transforms><ds:DigestMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"
> /><ds:DigestValue>eOe03vp5gwQQ/4RERzhnfkVpxbxfb8Ek0OQHbyNXcL4=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Opuurv0kgPnDHbxXpe2wzDhDJs6tGoRrHLc+XwIUpxtyLxwh+/4QBPmanZUWepBygLOM223ql7vfpD6e37Zr1iWNAA7Dub9Dc2HIo8igDB1i7wRSvJGWaX+BZLc8mF+CQ9jLT3vinalejcfGicVOS06CygG3ztb7QlBZJmj</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAXOn7be0MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
> A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
> 9u92XgEJLCIVs0onGbhUfoI5r702fcEM</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2p:Status
> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2p:StatusCode
> Value="urn:oasis:names:tc:SAML:2.0:status:Success"
> /></saml2p:Status><saml2:Assertion
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="id3695982334609027802744130"
> IssueInstant="2020-08-18T21:14:02.181Z" Version="2.0" ><saml2:Issuer
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
> >http://www.okta.com/xxxxxxxxx4x6</saml2:Issuer><ds:Signature
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
> /><ds:SignatureMethod
> Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
> /><ds:Reference
> URI="#id3695982334609027802744130"><ds:Transforms><ds:Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
> /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
> /></ds:Transforms><ds:DigestMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"
> /><ds:DigestValue>g8vVhT6anU1xJOXQH9IrsOIpWG1YZN9GVIWFXVd9zFk=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>nFK/0DyI7SpavUD3FPdr7BU1wSMIJl3NR4efPDKfZeZMhPGOX3lurD5lHSceulzGLcZbsOmPnEn1pLsFCOefihVC/SmkNNBHB/uCbKdrgmcQ4Q+xuBEuoUXopG80Xx3sMWZa0lSRAgAcM0sJb6EynmyifxBJ4n0/P9/ANIH</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAXOn7be0MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
> A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
> DY2IxhhuxGPHLqFT/YfO/RmJd9keXfM9lIiJl1+9N8eFskiMwUlV0RriPU9GEGt2fJRZxZqw/c7A
> 9u92XgEJLCIVs0onGbhUfoI5r702fcEM</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:NameID
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">john.doe at xyz.net</saml2:NameID><saml2:SubjectConfirmation
> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData
> InResponseTo="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b"
> NotOnOrAfter="2020-08-18T21:19:02.181Z"
> Recipient="http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta"
> /></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> NotBefore="2020-08-18T21:09:02.181Z"
> NotOnOrAfter="2020-08-18T21:19:02.181Z"
> ><saml2:AudienceRestriction><saml2:Audience>okta</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> AuthnInstant="2020-08-18T21:14:02.181Z"
> SessionIndex="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b"
> ><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion></saml2p:Response>
>
> ---------------------------------------------------------------------------------------------
>
>
> Regards
>
> Gus
>
> On Tue, Aug 18, 2020 at 02:28, Alexandre Zia
> <alexandre.zia at ifood.com.br> wrote:
>
> I've just changed a few things, based on your config,
>
> <saml2>
> <name>oktaidp</name>
> <description>Enterprise SAML-based SSO system</description>
> <network>
> <readTimeout>10000</readTimeout>
> <connectTimeout>5000</connectTimeout>
> </network>
> <serviceProvider>
> <entityId>sp_midpoint</entityId>
> <aliasForPath>okta</aliasForPath>
> <signRequests>false</signRequests>
> <wantAssertionsSigned>true</wantAssertionsSigned>
> <singleLogoutEnabled>true</singleLogoutEnabled>
> <nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</nameId>
> <provider>
> <entityId>http://www.okta.com/xxxxxxxxxxxx4x6</entityId>
> <alias>SSO-Okta</alias>
> <metadata>
> <xml>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</xml>
> </metadata>
> <skipSslValidation>false</skipSslValidation>
> <linkText>Okta</linkText>
> <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
> <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
> </provider>
> </serviceProvider>
> </saml2>
>
>
> And your ACS url will be something like this:
> http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta
>
>
>
>
>
> On Mon, Aug 17, 2020 at 2:24 PM Gus Lou <gugalou38 at gmail.com> wrote:
>
> Hi Luca
> Thank you very much for your help. I had not configured this
> option yet.
> I did the suggested configuration, now the link to the IdP in
> the midpoint interface is correct.
> But when I click on the link to the IdP and do the
> authentication and get the reply back to the midpoint I get an
> error:
> "Midpoint saml module doesn't receive response from Identity
> Provider server."
> "Authentication failed, and as a consequence was restarted
> authentication flow"
> (probably due to the fact that the midpoint ACS url in the IdP
> is not correct.)
>
> I need to find out what the Midpoint Assertion Consumer
> Service (ACS) URL is to report on the IdP.
>
> Print Screen after IdP Authentication failed
>
> Regards
>
> Gus
>
> On Mon, Aug 17, 2020 at 03:18, Lukas Skublik
> <lukas.skublik at evolveum.com> wrote:
>
> Hello Gus,
>
> Try configuring the attribute
> systemConfiguration/infrastructure/publicHttpUrlPattern to
> 'http://midpoint-02.xyz.net/midpoint'.
>
> Regards,
> Lukas Skublik
>
> On 6. 8. 2020 0:00, Gus Lou wrote:
>> Hi Guys
>> Anyone here already integrated Midpoint with Okta's
>> solution to provide Midpoint authentication through the
>> SAML 2.0 protocol?
>> I created a free developer account on Okta and I am
>> trying to make the SAML settings following the guidelines
>> below:
>>
>> *Midpoint Wiki:*
>> https://wiki.evolveum.com/display/midPoint/Flexible+Authentication+Configuration
>>
>> *Git Example Security-policy-flexible-authentication:*
>> https://github.com/Evolveum/midpoint-samples/blob/master/samples/policy/security/security-policy-flexible-authentication.xml
>>
>> *Okta Example - SAML Spring Security:*
>> https://developer.okta.com/code/java/spring_security_saml/
>> https://github.com/oktadeveloper/okta-spring-boot-saml-example
>>
>> I understand that Okta is the Identity Provider IdP and
>> Midpoint is the Service Provider SP.
>> After trying to make the settings I had some doubts:
>>
>> What is the Midpoint URI that receives the IdP response?
>> What is the Midpoint URL that I should use to perform the
>> authentication with the IdP (Okta)? Because when I try to
>> inform an existing user in the IdP, an error appears and a
>> screen with the link of the IdP (in this part there is
>> another error that I couldn't solve: midpoint displays
>> the internal address https://127.0.0.1/).
>>
>> Some information from my lab:
>>
>> *Print-01 Midpoint - Authentication GUI* (the user
>> john.doe, does not exist at midpoint but exists at IdP)
>>
>> *Print-02 *
>> After I try to authenticate, I get the error message:
>> "Couldn't authenticate user, reason: couldn't encode
>> password."
>>
>> *Print-03*
>> The link to the idp Okta is displaying the midpoint's
>> internal address:
>> http://127.0.0.1:8080/midpoint/auth/default/oktaidp/discovery?idp=http%3A%2F%2Fwww.okta.com%2Fexko4d721K5vASKoJ4x6
>>
>> Instead of the hostname address:
>> http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/discovery?idp=http%3A%2F%2Fwww.okta.com%2Fexko4d721K5vASKoJ4x6
>>
>> I believe it is some incorrect configuration on my
>> reverse proxy - nginx
>>
>> *Print-04: Okta IdP SAML Configuration*
>> Here is my main question, because in the fields:
>>
>> 1. Single sign on URL
>> 2. Audience URI (SP Entity ID)
>>
>> I need to report existing data in Midpoint, but I'm not
>> sure where to get this information.
>>
>>
>>
>> *My Security Policy Config:*
>> I made the settings in the IdP, generated the metadata,
>> encoded it in base 64 and put it in the Midpoint settings.
>> <authentication>
>> <modules>
>> <loginForm id="15">
>> <name>internalLoginForm</name>
>> <description>Internal username/password authentication,
>> default user password, login form</description>
>> </loginForm>
>> <saml2 id="16">
>> <name>oktaidp</name>
>> <description>My SAML-based SSO system.</description>
>> <network>
>> <readTimeout>10000</readTimeout>
>> <connectTimeout>5000</connectTimeout>
>> </network>
>> <serviceProvider>
>> <entityId>sp_midpoint</entityId>
>> <signRequests>true</signRequests>
>> <wantAssertionsSigned>true</wantAssertionsSigned>
>> <singleLogoutEnabled>true</singleLogoutEnabled>
>> <nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</nameId>
>> <keys/>
>> <provider id="17">
>> <entityId>http://www.okta.com/xxxxxxxxxxxx4x6</entityId>
>> <alias>SSO-Okta</alias>
>> <metadata>
>> <xml>PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48bWQ6RW50aXR5RGVzY3JpcHRvciBlbnRpdHlJRD0iaHR0cDovL3d3dy5va3RhLmNvbS9leGtvNGQ3MjFLNXZBU0</xml>
>> </metadata>
>> <skipSslValidation>true</skipSslValidation>
>> <linkText>Okta</linkText>
>> <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
>> <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
>> </provider>
>> </serviceProvider>
>> </saml2>
>> </modules>
>> <sequence id="8">
>> <name>admin-gui-default</name>
>> <description>
>> Default GUI authentication sequence.
>> We want to try company SSO, federation
>> and internal. In that order.
>> Just one of then need to be successful to
>> let user in.
>> </description>
>> <channel>
>> <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
>> <default>true</default>
>> <urlSuffix>default</urlSuffix>
>> </channel>
>> <module id="12">
>> <name>oktaidp</name>
>> <order>30</order>
>> <necessity>sufficient</necessity>
>> </module>
>> <module id="13">
>> <name>internalLoginForm</name>
>> <order>20</order>
>> <necessity>sufficient</necessity>
>> </module>
>> </sequence>
>> <sequence id="9">
>> <name>admin-gui-emergency</name>
>> <description>
>> Special GUI authentication sequence that
>> is using just the internal user password.
>> It is used only in emergency. It allows
>> to skip SAML authentication cycles, e.g. in case
>> that the SAML authentication is
>> redirecting the browser incorrectly.
>> </description>
>> <channel>
>> <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
>> <default>false</default>
>> <urlSuffix>emergency</urlSuffix>
>> </channel>
>> <requireAssignmentTarget
>> oid="00000000-0000-0000-0000-000000000004"
>> relation="org:default" type="c:RoleType">
>> <!-- Superuser -->
>> </requireAssignmentTarget>
>> <module id="14">
>> <name>internalLoginForm</name>
>> <order>30</order>
>> <necessity>sufficient</necessity>
>> </module>
>> </sequence>
>> </authentication>
>>
>>
>> If anyone has any suggestions for solving the problem I
>> would appreciate it.
>>
>> Regards
>>
>> Gus
>>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>> https://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
> --
> Alexandre R Zia
> Security
> www.ifood.com.br
>
>
>
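Editor's added example (not midPoint's code and not written by anyone in the thread): an offline checker that applies the validations a SAML service provider performs on a Response before it accepts the login, which is the kind of check that explains a "doesn't receive response" style rejection even when SAML Tracer shows a request and a response. The sample input is the Response captured above, trimmed of its signatures and certificates; the expectations come from the AuthnRequest and the <serviceProvider> configuration quoted in the thread. The Okta IdP entityId is redacted in the thread, so a labelled placeholder stands in for it on both sides. Note what the capture itself shows: the assertion's Audience is "okta" while the SP is configured with entityId "sp_midpoint", and the NameID format is persistent while the AuthnRequest asked for emailAddress; a strict SP rejects on either, so the checker reports both. XML signature verification is deliberately out of scope here; a real SP must verify it against the IdP certificate from metadata.

```python
"""Offline sanity checks for a SAML 2.0 Response against what the SP expects.

Re-implements the SP-side validations (destination, InResponseTo, status,
issuer, bearer confirmation, time window, audience, NameID format), minus the
XML-DSig check, which needs the IdP certificate and a signature library.
For production parsing use a hardened parser such as defusedxml.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
IDP_ENTITY_ID = "http://www.okta.com/REDACTED-IDP-ID"  # placeholder; redacted in the thread

# Constructed sample: the captured Response with signatures and certificates stripped.
SAMPLE_RESPONSE = f"""<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  Destination="http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta"
  ID="id369598233453735443745710" InResponseTo="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b"
  IssueInstant="2020-08-18T21:14:02.181Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">{IDP_ENTITY_ID}</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="{SUCCESS}"/></saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="id3695982334609027802744130" IssueInstant="2020-08-18T21:14:02.181Z" Version="2.0">
    <saml2:Issuer>{IDP_ENTITY_ID}</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">john.doe@xyz.net</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b"
          NotOnOrAfter="2020-08-18T21:19:02.181Z"
          Recipient="http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2020-08-18T21:09:02.181Z" NotOnOrAfter="2020-08-18T21:19:02.181Z">
      <saml2:AudienceRestriction><saml2:Audience>okta</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""

# Expectations taken from the AuthnRequest and <serviceProvider> config in the thread.
EXPECTED = {
    "acs_url": "http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta",
    "request_id": "ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b",
    "idp_entity_id": IDP_ENTITY_ID,
    "sp_entity_id": "sp_midpoint",
    "name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}


def parse_instant(s):
    """SAML timestamps are UTC ISO-8601 with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, expected, now, clock_skew=timedelta(seconds=60)):
    """Return a list of problems; an empty list means the SP would accept the response."""
    problems = []
    resp = ET.fromstring(xml_text)
    if resp.get("Destination") != expected["acs_url"]:
        problems.append(f"Destination {resp.get('Destination')!r} != ACS URL")
    if resp.get("InResponseTo") != expected["request_id"]:
        problems.append("InResponseTo does not match the AuthnRequest ID")
    status = resp.find("saml2p:Status/saml2p:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    if resp.findtext("saml2:Issuer", namespaces=NS) != expected["idp_entity_id"]:
        problems.append("Issuer != configured IdP entityId")
    assertion = resp.find("saml2:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion in response"]
    name_id = assertion.find("saml2:Subject/saml2:NameID", NS)
    if name_id is None:
        problems.append("no NameID")
    elif name_id.get("Format") != expected["name_id_format"]:
        problems.append(f"NameID format {name_id.get('Format')!r} differs from the one requested")
    scd = assertion.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no SubjectConfirmationData (bearer confirmation required)")
    else:
        if scd.get("Recipient") != expected["acs_url"]:
            problems.append("SubjectConfirmationData Recipient != ACS URL")
        if scd.get("InResponseTo") != expected["request_id"]:
            problems.append("SubjectConfirmationData InResponseTo mismatch")
        if scd.get("NotOnOrAfter") and now >= parse_instant(scd.get("NotOnOrAfter")) + clock_skew:
            problems.append("bearer confirmation expired")
    cond = assertion.find("saml2:Conditions", NS)
    if cond is not None:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_instant(nb) - clock_skew:
            problems.append("assertion not yet valid (NotBefore)")
        if na and now >= parse_instant(na) + clock_skew:
            problems.append("assertion expired (NotOnOrAfter)")
        audiences = [a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
        if audiences and expected["sp_entity_id"] not in audiences:
            problems.append(f"Audience {audiences} does not include SP entityId {expected['sp_entity_id']!r}")
    return problems


def check_sample():
    """Evaluate the captured response one second after it was issued."""
    return check_response(SAMPLE_RESPONSE, EXPECTED, parse_instant("2020-08-18T21:14:03.000Z"))


if __name__ == "__main__":
    for line in check_sample() or ["response passes all checks"]:
        print(line)
```

Run as a script it prints the two mismatches found in the capture (audience and NameID format). Setting the Audience URI on the Okta side to the SP entityId and aligning the requested NameID format with what the IdP issues makes the same response pass; the time-window checks use a 60-second skew allowance, which is a typical SP default and an assumption of this example.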