[midPoint] Midpoint - SAML 2.0 - Okta IdP - Flex-Auth?
Gus Lou
gugalou38 at gmail.com
Wed Aug 19 15:10:25 CEST 2020
Hi Lukas,
I activated the debug level in the midpoint log, but found nothing relevant.
I attached the log for analysis.
Thank you very much.
On Wed, 19 Aug 2020 at 02:54, Lukas Skublik <lukas.skublik at evolveum.com> wrote:
> Hello Gus,
> Can you send me your log file? Maybe you are seeing the wrong error message.
>
> Regards
> Lukas Skublik
> On 18. 8. 2020 23:35, Gus Lou wrote:
>
> Hi Alexandre
>
> Thank you very much
>
> I made the modifications suggested by you and Lukas.
> Something is still wrong, after authenticating with the IdP and returning
> to the midpoint I get the message:
> Midpoint saml module doesn't receive response from Identity Provider
> server ..
> The strange thing is that through the Saml Tracer tool, I can verify that
> there was a request and a response.
>
>
>
> Saml Request:
>
> <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>     AssertionConsumerServiceURL="http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta"
>     Destination="https://dev-601301.okta.com/app/xyzdev601301_midpoint_1/xxxxxx4x6/sso/saml"
>     ForceAuthn="false" ID="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b" IsPassive="false"
>     IssueInstant="2020-08-18T21:14:01.266Z"
>     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
>   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">sp_midpoint</saml2:Issuer>
>   <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
> </saml2p:AuthnRequest>
>
> Saml Response:
>
> <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>     Destination="http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta"
>     ID="id369598233453735443745710" InResponseTo="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b"
>     IssueInstant="2020-08-18T21:14:02.181Z" Version="2.0">
>   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>       Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/xxxxxxxxxxx4x6</saml2:Issuer>
>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>     <ds:SignedInfo>
>       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>       <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>       <ds:Reference URI="#id369598233453735443745710">
>         <ds:Transforms>
>           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>         </ds:Transforms>
>         <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>         <ds:DigestValue>eOe03vp5gwQQ/4RERzhnfkVpxbxfb8Ek0OQHbyNXcL4=</ds:DigestValue>
>       </ds:Reference>
>     </ds:SignedInfo>
>     <ds:SignatureValue>Opuurv0kgPnDHbxXpe2wzDhDJs6tGoRrHLc+XwIUpxtyLxwh+/4QBPmanZUWepBygLOM223ql7vfpD6e37Zr1iWNAA7Dub9Dc2HIo8igDB1i7wRSvJGWaX+BZLc8mF+CQ9jLT3vinalejcfGicVOS06CygG3ztb7QlBZJmj</ds:SignatureValue>
>     <ds:KeyInfo>
>       <ds:X509Data>
>         <ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAXOn7be0MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
> A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
> 9u92XgEJLCIVs0onGbhUfoI5r702fcEM</ds:X509Certificate>
>       </ds:X509Data>
>     </ds:KeyInfo>
>   </ds:Signature>
>   <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
>     <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
>   </saml2p:Status>
>   <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>       ID="id3695982334609027802744130" IssueInstant="2020-08-18T21:14:02.181Z" Version="2.0">
>     <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>         Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/xxxxxxxxx4x6</saml2:Issuer>
>     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>       <ds:SignedInfo>
>         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>         <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>         <ds:Reference URI="#id3695982334609027802744130">
>           <ds:Transforms>
>             <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>             <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>           </ds:Transforms>
>           <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>           <ds:DigestValue>g8vVhT6anU1xJOXQH9IrsOIpWG1YZN9GVIWFXVd9zFk=</ds:DigestValue>
>         </ds:Reference>
>       </ds:SignedInfo>
>       <ds:SignatureValue>nFK/0DyI7SpavUD3FPdr7BU1wSMIJl3NR4efPDKfZeZMhPGOX3lurD5lHSceulzGLcZbsOmPnEn1pLsFCOefihVC/SmkNNBHB/uCbKdrgmcQ4Q+xuBEuoUXopG80Xx3sMWZa0lSRAgAcM0sJb6EynmyifxBJ4n0/P9/ANIH</ds:SignatureValue>
>       <ds:KeyInfo>
>         <ds:X509Data>
>           <ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAXOn7be0MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
> A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
> DY2IxhhuxGPHLqFT/YfO/RmJd9keXfM9lIiJl1+9N8eFskiMwUlV0RriPU9GEGt2fJRZxZqw/c7A
> 9u92XgEJLCIVs0onGbhUfoI5r702fcEM</ds:X509Certificate>
>         </ds:X509Data>
>       </ds:KeyInfo>
>     </ds:Signature>
>     <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
>       <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">john.doe at xyz.net</saml2:NameID>
>       <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>         <saml2:SubjectConfirmationData InResponseTo="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b"
>             NotOnOrAfter="2020-08-18T21:19:02.181Z"
>             Recipient="http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta"/>
>       </saml2:SubjectConfirmation>
>     </saml2:Subject>
>     <saml2:Conditions xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>         NotBefore="2020-08-18T21:09:02.181Z" NotOnOrAfter="2020-08-18T21:19:02.181Z">
>       <saml2:AudienceRestriction>
>         <saml2:Audience>okta</saml2:Audience>
>       </saml2:AudienceRestriction>
>     </saml2:Conditions>
>     <saml2:AuthnStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>         AuthnInstant="2020-08-18T21:14:02.181Z" SessionIndex="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b">
>       <saml2:AuthnContext>
>         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
>       </saml2:AuthnContext>
>     </saml2:AuthnStatement>
>   </saml2:Assertion>
> </saml2p:Response>
>
>
> ---------------------------------------------------------------------------------------------
>
>
> Regards
>
> Gus
>
> On Tue, 18 Aug 2020 at 02:28, Alexandre Zia <alexandre.zia at ifood.com.br> wrote:
>
>> I've just changed a few things, based on your config,
>>
>> <saml2>
>>     <name>oktaidp</name>
>>     <description>Enterprise SAML-based SSO system</description>
>>     <network>
>>         <readTimeout>10000</readTimeout>
>>         <connectTimeout>5000</connectTimeout>
>>     </network>
>>     <serviceProvider>
>>         <entityId>sp_midpoint</entityId>
>>         <aliasForPath>okta</aliasForPath>
>>         <signRequests>false</signRequests>
>>         <wantAssertionsSigned>true</wantAssertionsSigned>
>>         <singleLogoutEnabled>true</singleLogoutEnabled>
>>         <nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</nameId>
>>         <provider>
>>             <entityId>http://www.okta.com/xxxxxxxxxxxx4x6</entityId>
>>             <alias>SSO-Okta</alias>
>>             <metadata>
>>                 <xml>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</xml>
>>             </metadata>
>>             <skipSslValidation>false</skipSslValidation>
>>             <linkText>Okta</linkText>
>>             <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
>>             <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
>>         </provider>
>>     </serviceProvider>
>> </saml2>
>>
>>
>> And your ACS url will be something like this:
>> http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta
>>
>>
>>
>>
>>
>> On Mon, Aug 17, 2020 at 2:24 PM Gus Lou <gugalou38 at gmail.com> wrote:
>>
>>> Hi Luca
>>> Thank you very much for your help. I had not configured this option yet.
>>> I did the suggested configuration, now the link to the IdP in the
>>> midpoint interface is correct.
>>> But when I click on the link to the IdP and do the authentication and
>>> get the reply back to the midpoint I get an error:
>>> *Midpoint saml module doesn't receive response from Identity Provider
>>> server.*
>>> *Authentication failed, and as a consequence was restarted
>>> authentication flow*
>>> (probably due to the fact that the midpoint ACS url in the IdP is not
>>> correct.)
>>>
>>> I need to find out what the Midpoint Assertion Consumer Service (ACS)
>>> URL is to report on the IdP.
>>>
>>> Print Screen after IdP Authentication failed
>>>
>>> Regards
>>>
>>> Gus
>>>
>>> On Mon, 17 Aug 2020 at 03:18, Lukas Skublik <lukas.skublik at evolveum.com> wrote:
>>>
>>>> Hello Gus,
>>>>
>>>> Try configuring the attribute
>>>> systemConfiguration/infrastructure/publicHttpUrlPattern to
>>>> 'http://midpoint-02.xyz.net/midpoint'.
>>>>
>>>> Regards,
>>>> Lukas Skublik
>>>> On 6. 8. 2020 0:00, Gus Lou wrote:
>>>>
>>>> Hi Guys
>>>> Anyone here already integrated Midpoint with Okta's solution to provide
>>>> Midpoint authentication through the SAML 2.0 protocol?
>>>> I created a free developer account on Okta and I am trying to make the
>>>> SAML settings following the guidelines below:
>>>>
>>>> *Midpoint Wiki:*
>>>>
>>>> https://wiki.evolveum.com/display/midPoint/Flexible+Authentication+Configuration
>>>>
>>>> *Git Example Security-policy-flexible-authentication:*
>>>>
>>>> https://github.com/Evolveum/midpoint-samples/blob/master/samples/policy/security/security-policy-flexible-authentication.xml
>>>>
>>>> *Okta Example - SAML Spring Security:*
>>>> https://developer.okta.com/code/java/spring_security_saml/
>>>> https://github.com/oktadeveloper/okta-spring-boot-saml-example
>>>>
>>>> I understand that Okta is the Identity Provider IdP and Midpoint is the
>>>> Service Provider SP.
>>>> After trying to make the settings I had some doubts:
>>>>
>>>> What is the Midpoint URI that receives the IdP response?
>>>> What is the Midpoint URL that I should use to perform the
>>>> authentication at the IdP (Okta)? Because when I try to enter an existing
>>>> user in the IdP, an error appears along with a screen with the link of the IdP (in
>>>> this part there is another error that I couldn't solve: the midpoint
>>>> displays the internal address https://127.0.0.1/).
>>>>
>>>> Some information from my lab:
>>>>
>>>> *Print-01 Midpoint - Authentication GUI* (the user john.doe does
>>>> not exist at midpoint but exists at the IdP)
>>>>
>>>> *Print-02 *
>>>> After I try to authenticate, I get the error message:
>>>> *Couldn't authenticate user, reason: couldn't encode password.*
>>>>
>>>> *Print-03*
>>>> The link to the IdP Okta is displaying the midpoint's internal address:
>>>> http://127.0.0.1:8080/midpoint/auth/default/oktaidp/discovery?idp=http%3A%2F%2Fwww.okta.com%2Fexko4d721K5vASKoJ4x6
>>>>
>>>> Instead of the hostname address:
>>>> http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/discovery?idp=http%3A%2F%2Fwww.okta.com%2Fexko4d721K5vASKoJ4x6
>>>>
>>>> I believe it is some incorrect configuration on my reverse proxy - nginx
>>>>
>>>> *Print-04: Okta IdP SAML Configuration*
>>>> Here is my main question, because in the fields:
>>>>
>>>> 1. Single sign on URL
>>>> 2. Audience URI (SP Entity ID)
>>>>
>>>> I need to report existing data in Midpoint, but I'm not sure where to
>>>> get this information.
>>>>
>>>>
>>>>
>>>> *My Security Policy Config:*
>>>> I made the settings in the IdP, generated the metadata, encoded it in
>>>> base 64 and put it in the Midpoint settings.
>>>>
>>>> <authentication>
>>>>     <modules>
>>>>         <loginForm id="15">
>>>>             <name>internalLoginForm</name>
>>>>             <description>Internal username/password authentication,
>>>>                 default user password, login form</description>
>>>>         </loginForm>
>>>>         <saml2 id="16">
>>>>             <name>oktaidp</name>
>>>>             <description>My SAML-based SSO system.</description>
>>>>             <network>
>>>>                 <readTimeout>10000</readTimeout>
>>>>                 <connectTimeout>5000</connectTimeout>
>>>>             </network>
>>>>             <serviceProvider>
>>>>                 <entityId>sp_midpoint</entityId>
>>>>                 <signRequests>true</signRequests>
>>>>                 <wantAssertionsSigned>true</wantAssertionsSigned>
>>>>                 <singleLogoutEnabled>true</singleLogoutEnabled>
>>>>                 <nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</nameId>
>>>>                 <keys/>
>>>>                 <provider id="17">
>>>>                     <entityId>http://www.okta.com/xxxxxxxxxxxx4x6</entityId>
>>>>                     <alias>SSO-Okta</alias>
>>>>                     <metadata>
>>>>                         <xml>PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48bWQ6RW50aXR5RGVzY3JpcHRvciBlbnRpdHlJRD0iaHR0cDovL3d3dy5va3RhLmNvbS9leGtvNGQ3MjFLNXZBU0</xml>
>>>>                     </metadata>
>>>>                     <skipSslValidation>true</skipSslValidation>
>>>>                     <linkText>Okta</linkText>
>>>>                     <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
>>>>                     <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
>>>>                 </provider>
>>>>             </serviceProvider>
>>>>         </saml2>
>>>>     </modules>
>>>>     <sequence id="8">
>>>>         <name>admin-gui-default</name>
>>>>         <description>
>>>>             Default GUI authentication sequence.
>>>>             We want to try company SSO, federation and internal. In that order.
>>>>             Just one of them needs to be successful to let the user in.
>>>>         </description>
>>>>         <channel>
>>>>             <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
>>>>             <default>true</default>
>>>>             <urlSuffix>default</urlSuffix>
>>>>         </channel>
>>>>         <module id="12">
>>>>             <name>oktaidp</name>
>>>>             <order>30</order>
>>>>             <necessity>sufficient</necessity>
>>>>         </module>
>>>>         <module id="13">
>>>>             <name>internalLoginForm</name>
>>>>             <order>20</order>
>>>>             <necessity>sufficient</necessity>
>>>>         </module>
>>>>     </sequence>
>>>>     <sequence id="9">
>>>>         <name>admin-gui-emergency</name>
>>>>         <description>
>>>>             Special GUI authentication sequence that is using just the internal user password.
>>>>             It is used only in emergency. It allows to skip SAML authentication cycles,
>>>>             e.g. in case that the SAML authentication is redirecting the browser incorrectly.
>>>>         </description>
>>>>         <channel>
>>>>             <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
>>>>             <default>false</default>
>>>>             <urlSuffix>emergency</urlSuffix>
>>>>         </channel>
>>>>         <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004"
>>>>                 relation="org:default" type="c:RoleType">
>>>>             <!-- Superuser -->
>>>>         </requireAssignmentTarget>
>>>>         <module id="14">
>>>>             <name>internalLoginForm</name>
>>>>             <order>30</order>
>>>>             <necessity>sufficient</necessity>
>>>>         </module>
>>>>     </sequence>
>>>> </authentication>
>>>>
>>>>
>>>> If anyone has any suggestions for solving the problem I would
>>>> appreciate it.
>>>>
>>>> Regards
>>>>
>>>> Gus
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> --
>> Alexandre R Zia
>>
>> *Security*
>> www.ifood.com.br
>
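Added example, not code from the thread or from midPoint: the structural checks a SAML service provider applies to a Response like the one quoted above, written in plain Python with only the standard library. The sample response is constructed from values in the thread (the ACS URL, the AuthnRequest ID, the validity window and `<Audience>okta</Audience>`); since the quoted SP `entityId` is `sp_midpoint`, the audience check is the one that fails. XML signature verification is assumed to be done separately and is not implemented here.

```python
# Added example (not midPoint code): the checks an SP applies to a SAML Response
# before trusting it. XML signature verification is assumed to happen first.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET
NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS = "http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta"
REQ_ID = "ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed sample modelled on the thread's response (signatures omitted): same
# ACS URL, request ID and validity window, and the same <Audience>okta</Audience>.
SAMPLE_RESPONSE = f"""<saml2p:Response xmlns:saml2p="{NS['p']}" xmlns:saml2="{NS['a']}"
  Destination="{ACS}" ID="id369598233453735443745710" InResponseTo="{REQ_ID}"
  IssueInstant="2020-08-18T21:14:02.181Z" Version="2.0">
  <saml2p:Status><saml2p:StatusCode Value="{SUCCESS}"/></saml2p:Status>
  <saml2:Assertion ID="id3695982334609027802744130" IssueInstant="2020-08-18T21:14:02.181Z" Version="2.0">
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">john.doe@xyz.net</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="{REQ_ID}" Recipient="{ACS}" NotOnOrAfter="2020-08-18T21:19:02.181Z"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2020-08-18T21:09:02.181Z" NotOnOrAfter="2020-08-18T21:19:02.181Z">
      <saml2:AudienceRestriction><saml2:Audience>okta</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, sp_entity_id, acs_url, request_id, now):
    """Return the failed checks; an empty list means the response is acceptable."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination is not our ACS URL")
    if root.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match an outstanding AuthnRequest")
    code = root.find("p:Status/p:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return problems + ["no assertion in response"]
    scd = assertion.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or scd.get("InResponseTo") != request_id:
        problems.append("bearer SubjectConfirmationData Recipient/InResponseTo mismatch")
    cond = assertion.find("a:Conditions", NS)
    if cond is None or not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        problems.append("assertion outside its NotBefore/NotOnOrAfter window")
    audiences = [a.text for a in assertion.findall("a:Conditions/a:AudienceRestriction/a:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("Audience %s does not include SP entityId %r" % (audiences, sp_entity_id))
    return problems
```

Called as `check_response(SAMPLE_RESPONSE, "sp_midpoint", ACS, REQ_ID, parse_ts("2020-08-18T21:14:30.000Z"))` it reports only the audience mismatch; with `"okta"` as the SP entity ID it returns an empty list.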
-------------- next part --------------
A non-text attachment was scrubbed...
Name: midpoint.log
Type: application/octet-stream
Size: 727119 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200819/389426fc/attachment.obj>