[midPoint] Midpoint - SAML 2.0 - Okta IdP - Flex-Auth?
Lukas Skublik
lukas.skublik at evolveum.com
Thu Aug 20 09:37:04 CEST 2020
Hello Gus,
I analysed the log file, but I found nothing relevant.
Regards,
Lukas Skublik.
On 19. 8. 2020 15:10, Gus Lou wrote:
> Hi Lukas
>
> I activated the debug level in the midpoint log, but found nothing
> relevant.
> I attached the log for analysis
> Thank you very much
>
> On Wed, 19 Aug 2020 at 02:54, Lukas Skublik
> <lukas.skublik at evolveum.com> wrote:
>
> Hello Gus,
> can you send me your log file? Maybe you are seeing the wrong error message.
>
> Regards
> Lukas Skublik
>
> On 18. 8. 2020 23:35, Gus Lou wrote:
>> Hi Alexandre
>>
>> Thank you very much
>>
>> I made the modifications suggested by you and Lukas.
>> Something is still wrong, after authenticating with the IdP and
>> returning to the midpoint I get the message:
>> Midpoint saml module doesn't receive response from Identity
>> Provider server ..
>> The strange thing is that through the Saml Tracer tool, I can
>> verify that there was a request and a response.
>>
>>
>>
>> Saml Request:
>>
>> <saml2p:AuthnRequest
>> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>> AssertionConsumerServiceURL="http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta"
>> Destination="https://dev-601301.okta.com/app/xyzdev601301_midpoint_1/xxxxxx4x6/sso/saml"
>> ForceAuthn="false" ID="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b"
>> IsPassive="false" IssueInstant="2020-08-18T21:14:01.266Z"
>> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>> Version="2.0" ><saml2:Issuer
>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">sp_midpoint</saml2:Issuer><saml2p:NameIDPolicy
>> AllowCreate="true"
>> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
>> /></saml2p:AuthnRequest>
>>
>> Saml Response:
>>
>> <saml2p:Response
>> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>> Destination="http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta"
>> ID="id369598233453735443745710"
>> InResponseTo="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b"
>> IssueInstant="2020-08-18T21:14:02.181Z" Version="2.0"
>> ><saml2:Issuer
>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>> >http://www.okta.com/xxxxxxxxxxx4x6</saml2:Issuer><ds:Signature
>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
>> /><ds:SignatureMethod
>> Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
>> /><ds:Reference
>> URI="#id369598233453735443745710"><ds:Transforms><ds:Transform
>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
>> /><ds:Transform
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
>> /></ds:Transforms><ds:DigestMethod
>> Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"
>> /><ds:DigestValue>eOe03vp5gwQQ/4RERzhnfkVpxbxfb8Ek0OQHbyNXcL4=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Opuurv0kgPnDHbxXpe2wzDhDJs6tGoRrHLc+XwIUpxtyLxwh+/4QBPmanZUWepBygLOM223ql7vfpD6e37Zr1iWNAA7Dub9Dc2HIo8igDB1i7wRSvJGWaX+BZLc8mF+CQ9jLT3vinalejcfGicVOS06CygG3ztb7QlBZJmj</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAXOn7be0MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
>> A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
>> 9u92XgEJLCIVs0onGbhUfoI5r702fcEM</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2p:Status
>> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2p:StatusCode
>> Value="urn:oasis:names:tc:SAML:2.0:status:Success"
>> /></saml2p:Status><saml2:Assertion
>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>> ID="id3695982334609027802744130"
>> IssueInstant="2020-08-18T21:14:02.181Z" Version="2.0"
>> ><saml2:Issuer
>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>> >http://www.okta.com/xxxxxxxxx4x6</saml2:Issuer><ds:Signature
>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
>> /><ds:SignatureMethod
>> Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
>> /><ds:Reference
>> URI="#id3695982334609027802744130"><ds:Transforms><ds:Transform
>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
>> /><ds:Transform
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
>> /></ds:Transforms><ds:DigestMethod
>> Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"
>> /><ds:DigestValue>g8vVhT6anU1xJOXQH9IrsOIpWG1YZN9GVIWFXVd9zFk=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>nFK/0DyI7SpavUD3FPdr7BU1wSMIJl3NR4efPDKfZeZMhPGOX3lurD5lHSceulzGLcZbsOmPnEn1pLsFCOefihVC/SmkNNBHB/uCbKdrgmcQ4Q+xuBEuoUXopG80Xx3sMWZa0lSRAgAcM0sJb6EynmyifxBJ4n0/P9/ANIH</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAXOn7be0MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
>> A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
>> DY2IxhhuxGPHLqFT/YfO/RmJd9keXfM9lIiJl1+9N8eFskiMwUlV0RriPU9GEGt2fJRZxZqw/c7A
>> 9u92XgEJLCIVs0onGbhUfoI5r702fcEM</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject
>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:NameID
>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">john.doe at xyz.net</saml2:NameID><saml2:SubjectConfirmation
>> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData
>> InResponseTo="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b"
>> NotOnOrAfter="2020-08-18T21:19:02.181Z"
>> Recipient="http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta"
>> /></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions
>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>> NotBefore="2020-08-18T21:09:02.181Z"
>> NotOnOrAfter="2020-08-18T21:19:02.181Z"
>> ><saml2:AudienceRestriction><saml2:Audience>okta</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement
>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>> AuthnInstant="2020-08-18T21:14:02.181Z"
>> SessionIndex="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b"
>> ><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion></saml2p:Response>
>>
>> ---------------------------------------------------------------------------------------------
>>
>>
>> Regards
>>
>> Gus
>>
>> On Tue, 18 Aug 2020 at 02:28, Alexandre Zia
>> <alexandre.zia at ifood.com.br> wrote:
>>
>> I've just changed a few things, based on your config,
>>
>> <saml2>
>> <name>oktaidp</name>
>> <description>Enterprise SAML-based SSO system</description>
>> <network>
>> <readTimeout>10000</readTimeout>
>> <connectTimeout>5000</connectTimeout>
>> </network>
>> <serviceProvider>
>> <entityId>sp_midpoint</entityId>
>> <aliasForPath>okta</aliasForPath>
>> <signRequests>false</signRequests>
>> <wantAssertionsSigned>true</wantAssertionsSigned>
>> <singleLogoutEnabled>true</singleLogoutEnabled>
>> <nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</nameId>
>> <provider>
>>
>> <entityId>http://www.okta.com/xxxxxxxxxxxx4x6</entityId>
>> <alias>SSO-Okta</alias>
>> <metadata>
>> <xml>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</xml>
>> </metadata>
>> <skipSslValidation>false</skipSslValidation>
>> <linkText>Okta</linkText>
>> <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
>> <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
>> </provider>
>> </serviceProvider>
>> </saml2>
>>
>>
>> And your ACS url will be something like this:
>> http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta
>>
>>
>>
>>
>>
>> On Mon, Aug 17, 2020 at 2:24 PM Gus Lou <gugalou38 at gmail.com> wrote:
>>
>> Hi Luca
>> Thank you very much for your help. I had not configured
>> this option yet.
>> I did the suggested configuration, now the link to the
>> IdP in the midpoint interface is correct.
>> But when I click on the link to the IdP and do the
>> authentication and get the reply back to the midpoint I
>> get an error:
>> Midpoint saml module doesn't receive response from
>> Identity Provider server.
>> Authentication failed, and as a consequence was
>> restarted authentication flow
>> (probably due to the fact that the midpoint ACS url in
>> the IdP is not correct.)
>>
>> I need to find out what the Midpoint Assertion Consumer
>> Service (ACS) URL is to report on the IdP.
>>
>> Print Screen after IdP Authentication failed
>> image.png
>>
>> Regards
>>
>> Gus
>>
>> On Mon, 17 Aug 2020 at 03:18, Lukas Skublik
>> <lukas.skublik at evolveum.com> wrote:
>>
>> Hello Gus,
>>
>> try configuring the attribute
>> systemConfiguration/infrastructure/publicHttpUrlPattern
>> to 'http://midpoint-02.xyz.net/midpoint'.
>>
>> Regards,
>> Lukas Skublik
>>
>> On 6. 8. 2020 0:00, Gus Lou wrote:
>>> Hi Guys
>>> Anyone here already integrated Midpoint with Okta's
>>> solution to provide Midpoint authentication through
>>> the SAML 2.0 protocol?
>>> I created a free developer account on Okta and I am
>>> trying to make the SAML settings following the
>>> guidelines below:
>>>
>>> *Midpoint Wiki:*
>>> https://wiki.evolveum.com/display/midPoint/Flexible+Authentication+Configuration
>>>
>>> *Git Example Security-policy-flexible-authentication:*
>>> https://github.com/Evolveum/midpoint-samples/blob/master/samples/policy/security/security-policy-flexible-authentication.xml
>>>
>>> *Okta Example - SAML Spring Security:*
>>> https://developer.okta.com/code/java/spring_security_saml/
>>> https://github.com/oktadeveloper/okta-spring-boot-saml-example
>>>
>>> I understand that Okta is the Identity Provider IdP
>>> and Midpoint is the Service Provider SP.
>>> After trying to make the settings I had some doubts:
>>>
>>> What is the Midpoint uri that receives the IdP response?
>>> What is the Midpoint url that I should use to
>>> perform the authentication of the IdP (Okta).
>>> Because when I try to log in with a user that exists in the
>>> IdP, an error appears, together with a screen with the link to
>>> the IdP (in this part there is another error that I
>>> couldn't solve: midpoint displays the internal
>>> address https://127.0.0.1/).
>>>
>>> Some Informations from my Lab:
>>>
>>> *Print-01 Midpoint - Authentication GUI* (the user
>>> john.doe does not exist in midpoint but exists at the IdP)
>>> image.png
>>>
>>> *Print-02 *
>>> After I try to authenticate, I get the error message:
>>> Couldn't authenticate user, reason: couldn't
>>> encode password.
>>> image.png
>>>
>>> *Print-03*
>>> The link to the idp Okta is displaying the
>>> midpoint's internal address:
>>> http://127.0.0.1:8080/midpoint/auth/default/oktaidp/discovery?idp=http%3A%2F%2Fwww.okta.com%2Fexko4d721K5vASKoJ4x6
>>>
>>> Instead of the hostname address:
>>> http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/discovery?idp=http%3A%2F%2Fwww.okta.com%2Fexko4d721K5vASKoJ4x6
>>>
>>> I believe it is some incorrect configuration on my
>>> reverse proxy - nginx
>>> image.png
>>>
>>> *Print-04: Okta IdP SAML Configuration*
>>> Here is my main question, because in the fields:
>>>
>>> 1. Single sign on URL
>>> 2. Audience URI (SP Entity ID)
>>>
>>> I need to report existing data in Midpoint, but I'm
>>> not sure where to get this information.
>>> image.png
>>>
>>>
>>>
>>> *My Security Policy Config:*
>>> I made the settings in the IdP, generated the
>>> metadata, encoded it in base64 and put it in the
>>> Midpoint settings.
>>> <authentication>
>>> <modules>
>>> <loginForm id="15">
>>> <name>internalLoginForm</name>
>>> <description>Internal username/password
>>> authentication, default user password, login
>>> form</description>
>>> </loginForm>
>>> <saml2 id="16">
>>> <name>oktaidp</name>
>>> <description>My SAML-based SSO system.</description>
>>> <network>
>>> <readTimeout>10000</readTimeout>
>>> <connectTimeout>5000</connectTimeout>
>>> </network>
>>> <serviceProvider>
>>> <entityId>sp_midpoint</entityId>
>>> <signRequests>true</signRequests>
>>> <wantAssertionsSigned>true</wantAssertionsSigned>
>>> <singleLogoutEnabled>true</singleLogoutEnabled>
>>> <nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</nameId>
>>> <keys/>
>>> <provider id="17">
>>> <entityId>http://www.okta.com/xxxxxxxxxxxx4x6</entityId>
>>> <alias>SSO-Okta</alias>
>>> <metadata>
>>> <xml>PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48bWQ6RW50aXR5RGVzY3JpcHRvciBlbnRpdHlJRD0iaHR0cDovL3d3dy5va3RhLmNvbS9leGtvNGQ3MjFLNXZBU0</xml>
>>> </metadata>
>>> <skipSslValidation>true</skipSslValidation>
>>> <linkText>Okta</linkText>
>>> <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
>>> <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
>>> </provider>
>>> </serviceProvider>
>>> </saml2>
>>> </modules>
>>> <sequence id="8">
>>> <name>admin-gui-default</name>
>>> <description>
>>> Default GUI authentication sequence.
>>> We want to try company SSO, federation and internal.
>>> In that order.
>>> Just one of them needs to be successful to let the user in.
>>> </description>
>>> <channel>
>>> <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
>>> <default>true</default>
>>> <urlSuffix>default</urlSuffix>
>>> </channel>
>>> <module id="12">
>>> <name>oktaidp</name>
>>> <order>30</order>
>>> <necessity>sufficient</necessity>
>>> </module>
>>> <module id="13">
>>> <name>internalLoginForm</name>
>>> <order>20</order>
>>> <necessity>sufficient</necessity>
>>> </module>
>>> </sequence>
>>> <sequence id="9">
>>> <name>admin-gui-emergency</name>
>>> <description>
>>> Special GUI authentication sequence that is using
>>> just the internal user password.
>>> It is used only in emergency. It allows to skip SAML
>>> authentication cycles, e.g. in case
>>> that the SAML authentication is redirecting the
>>> browser incorrectly.
>>> </description>
>>> <channel>
>>> <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
>>> <default>false</default>
>>> <urlSuffix>emergency</urlSuffix>
>>> </channel>
>>> <requireAssignmentTarget
>>> oid="00000000-0000-0000-0000-000000000004"
>>> relation="org:default" type="c:RoleType">
>>> <!-- Superuser -->
>>> </requireAssignmentTarget>
>>> <module id="14">
>>> <name>internalLoginForm</name>
>>> <order>30</order>
>>> <necessity>sufficient</necessity>
>>> </module>
>>> </sequence>
>>> </authentication>
>>>
>>>
>>> If anyone has any suggestions for solving the
>>> problem I would appreciate it.
>>>
>>> Regards
>>>
>>> Gus
>>>
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>> --
>> Alexandre R Zia
>> Security
>> www.ifood.com.br
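The response Gus quoted above looks complete in a browser SAML tracer, yet an SP may still reject it, because the fields it checks before accepting an assertion (InResponseTo, Destination and Recipient, issuer, validity window, AudienceRestriction) are not something a tracer evaluates. The Python below is an added example written for this thread, not midPoint code and not posted by anyone in it. It re-runs those checks over a constructed response modelled on Gus's, with the signature blocks removed and the Okta tenant id replaced by a placeholder; the SP entityId `sp_midpoint` and the ACS URL are taken from Alexandre's configuration. It deliberately does not verify the XML signature, which a real SP must do before trusting any of the fields. With these inputs the only finding is that the assertion's `<saml2:Audience>` is `okta` (the `aliasForPath`) while the SP entityId is `sp_midpoint`; the thread does not establish that this is what midPoint tripped over, but an audience that does not match the SP entityId is a mismatch an SP is required to reject and that a tracer will not point out.

```python
"""Field-level checks of a SAML 2.0 Response, as a service provider performs them.

Added example for the midPoint/Okta thread; not midPoint code. It does NOT verify
the XML signature (a real SP must, before trusting anything below); it checks the
plain fields that commonly make an SP reject a response a tracer shows as fine.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def parse_ts(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z (fraction optional)."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_response(xml_text, *, request_id, acs_url, sp_entity_id, idp_entity_id, now):
    """Return a list of findings (strings); an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['saml2p']}}}Response":
        return ["root element is not saml2p:Response"]
    findings = []

    def expect(label, actual, wanted):
        if actual != wanted:
            findings.append(f"{label}: got {actual!r}, expected {wanted!r}")

    # Envelope: must answer our AuthnRequest, be addressed to our ACS URL, be Success
    expect("Response.InResponseTo", root.get("InResponseTo"), request_id)
    expect("Response.Destination", root.get("Destination"), acs_url)
    status = root.find("saml2p:Status/saml2p:StatusCode", NS)
    expect("StatusCode", None if status is None else status.get("Value"), SUCCESS)

    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        findings.append("no plain saml2:Assertion (encrypted assertions not handled here)")
        return findings
    expect("Assertion.Issuer", assertion.findtext("saml2:Issuer", namespaces=NS), idp_entity_id)

    # Bearer confirmation: same request, same recipient, not yet expired
    scd = assertion.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if scd is None:
        findings.append("no SubjectConfirmationData")
    else:
        expect("SubjectConfirmationData.InResponseTo", scd.get("InResponseTo"), request_id)
        expect("SubjectConfirmationData.Recipient", scd.get("Recipient"), acs_url)
        if scd.get("NotOnOrAfter") and now >= parse_ts(scd.get("NotOnOrAfter")):
            findings.append(f"SubjectConfirmationData expired (NotOnOrAfter {scd.get('NotOnOrAfter')})")

    # Conditions: validity window and the audience the assertion was issued for
    cond = assertion.find("saml2:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < parse_ts(cond.get("NotBefore")):
            findings.append(f"Conditions not yet valid (NotBefore {cond.get('NotBefore')})")
        if cond.get("NotOnOrAfter") and now >= parse_ts(cond.get("NotOnOrAfter")):
            findings.append(f"Conditions expired (NotOnOrAfter {cond.get('NotOnOrAfter')})")
        audiences = [a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
        if sp_entity_id not in audiences:
            findings.append(f"Audience: got {audiences!r}, expected SP entityId {sp_entity_id!r}")
    return findings


# Constructed sample modelled on the response in the thread: signatures removed,
# Okta tenant id replaced by a placeholder, timestamps and request id kept.
ACS_URL = "http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta"
REQUEST_ID = "ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b"
IDP_ENTITY_ID = "http://www.okta.com/IDP-ID-PLACEHOLDER"
ISSUE_INSTANT = datetime(2020, 8, 18, 21, 14, 2, 181000, tzinfo=timezone.utc)
SAMPLE_RESPONSE = f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}"
  Destination="{ACS_URL}" ID="id1" InResponseTo="{REQUEST_ID}"
  IssueInstant="2020-08-18T21:14:02.181Z" Version="2.0">
  <saml2:Issuer>{IDP_ENTITY_ID}</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="{SUCCESS}"/></saml2p:Status>
  <saml2:Assertion ID="id2" IssueInstant="2020-08-18T21:14:02.181Z" Version="2.0">
    <saml2:Issuer>{IDP_ENTITY_ID}</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">john.doe@xyz.net</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="{REQUEST_ID}"
          NotOnOrAfter="2020-08-18T21:19:02.181Z" Recipient="{ACS_URL}"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2020-08-18T21:09:02.181Z" NotOnOrAfter="2020-08-18T21:19:02.181Z">
      <saml2:AudienceRestriction><saml2:Audience>okta</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""


def demo(sp_entity_id="sp_midpoint", seconds_after_issue=3):
    """Check the sample as the SP from the thread would, at IssueInstant + N seconds."""
    now = ISSUE_INSTANT + timedelta(seconds=seconds_after_issue)
    return check_response(SAMPLE_RESPONSE, request_id=REQUEST_ID, acs_url=ACS_URL,
                          sp_entity_id=sp_entity_id, idp_entity_id=IDP_ENTITY_ID, now=now)


if __name__ == "__main__":
    for line in demo() or ["all checks passed"]:
        print(line)
```

Running the script prints the single audience finding. Calling `demo(sp_entity_id="okta")` returns no findings, which shows that the Audience value is the only thing separating this sample from a clean pass; calling `demo(seconds_after_issue=300)` adds the two expiry findings, the other reason a replayed or delayed response is refused. A real SP additionally validates the enveloped signatures against the IdP metadata certificate and, for bearer assertions, keeps a cache of seen assertion IDs.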