[midPoint] Midpoint - SAML 2.0 - Okta IdP - Flex-Auth?
tomas.husar at ibask.eu
Thu Aug 20 13:13:28 CEST 2020
Hello colleagues,
I am pretty sure I have almost the same trouble in the following case:
MidPoint is the SP and
Apereo CAS acts as the IdP.
And my idea of where the trouble is is the following:
midpoint, at the very beginning of the communication, prepares a web page with the list
of existing providers: (PageSamlSelect)
here the list of existing IdPs is read from the Security Context:
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
then midpoint prepares the request for the IdP
the IdP
gets the request, processes it and fires a response to Midpoint
inside the response is the IdP entityID (http://www.okta.com/xxxxxxxxx4x6 in your
case)
midpoint parses the entityID (http://www.okta.com/xxxxxxxxx4x6 in your case)
midpoint runs the code inside MidpointAuthFilter and
MidpointSamlAuthenticationResponseFilter and seeks the IdP with
http://www.okta.com/xxxxxxxxx4x6, but unsuccessfully
midpoint writes to the log:
2020-08-20 08:54:51,777 [] [http-nio-8080-exec-1] DEBUG (com.evolveum.midpoint.web.security.filter.MidpointAuthFilter): /auth/emergency/mySamlSso2/SSO/alias/cas_simplesam20 at position 6 of 14 in additional filter chain; firing Filter: 'MidpointSamlAuthenticationRequestFilter'
2020-08-20 08:54:51,779 [] [http-nio-8080-exec-1] DEBUG (com.evolveum.midpoint.web.security.filter.MidpointAuthFilter): /auth/emergency/mySamlSso2/SSO/alias/cas_simplesam20 at position 7 of 14 in additional filter chain; firing Filter: 'MidpointSamlAuthenticationResponseFilter'
2020-08-20 08:54:51,784 [] [http-nio-8080-exec-1] DEBUG (com.evolveum.midpoint.web.security.filter.MidpointSamlAuthenticationResponseFilter): Request is to process authentication
2020-08-20 08:54:55,049 [] [http-nio-8080-exec-1] ERROR (com.evolveum.midpoint.web.security.filter.TranslateExeptionFilter): Provider for key 'remote provider entityId' with value 'casEntityID' not found.
org.springframework.security.saml.SamlProviderNotFoundException: Provider for key 'remote provider entityId' with value 'casEntityID' not found.
    at org.springframework.security.saml.provider.AbstractHostedProviderService.throwIfNull(AbstractHostedProviderService.java:115)
    at org.springframework.security.saml.provider.AbstractHostedProviderService.getRemoteProvider(AbstractHostedProviderService.java:207)
    at org.springframework.security.saml.provider.service.HostedServiceProviderService.getRemoteProvider(HostedServiceProviderService.java:131)
    at org.springframework.security.saml.provider.service.HostedServiceProviderService.getRemoteProvider(HostedServiceProviderService.java:105)
From: "Lukas Skublik" <lukas.skublik at evolveum.com>
To: midpoint at lists.evolveum.com
Date: 20. 08. 2020 09:38
Subject: Re: [midPoint] Midpoint - SAML 2.0 - Okta IdP - Flex-Auth?
Sent by: "midPoint" <midpoint-bounces at lists.evolveum.com>
Hello Gus,
I analysed log file, but I found nothing relevant.
Regards,
Lukas Skublik.
On 19. 8. 2020 15:10, Gus Lou wrote:
Hi Lukas
I activated the debug level in the midpoint log, but found nothing
relevant.
I attached the log for analysis
Thank you very much
On Wed, 19 Aug 2020 at 02:54, Lukas Skublik <lukas.skublik at evolveum.com> wrote:
Hello Gus,
can you send me your log file? Maybe you are seeing the wrong error message.
Regards
Lukas Skublik
On 18. 8. 2020 23:35, Gus Lou wrote:
Hi Alexandre
Thank you very much
I made the modifications suggested by you and Lukas.
Something is still wrong: after authenticating with the IdP and returning
to midpoint I get the message:
Midpoint saml module doesn't receive response from Identity Provider
server.
The strange thing is that with the SAML Tracer tool I can verify that
there was a request and a response.
SAML Request:
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta"
    Destination="https://dev-601301.okta.com/app/xyzdev601301_midpoint_1/xxxxxx4x6/sso/saml"
    ForceAuthn="false" ID="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b" IsPassive="false"
    IssueInstant="2020-08-18T21:14:01.266Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">sp_midpoint</saml2:Issuer>
  <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</saml2p:AuthnRequest>
SAML Response:
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta"
    ID="id369598233453735443745710" InResponseTo="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b"
    IssueInstant="2020-08-18T21:14:02.181Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/xxxxxxxxxxx4x6</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#id369598233453735443745710">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>eOe03vp5gwQQ/4RERzhnfkVpxbxfb8Ek0OQHbyNXcL4=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
Opuurv0kgPnDHbxXpe2wzDhDJs6tGoRrHLc+XwIUpxtyLxwh+/4QBPmanZUWepBygLOM223ql7vfpD6e37Zr1iWNAA7Dub9Dc2HIo8igDB1i7wRSvJGWaX+BZLc8mF+CQ9jLT3vinalejcfGicVOS06CygG3ztb7QlBZJmj
    </ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
MIIDpDCCAoygAwIBAgIGAXOn7be0MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
9u92XgEJLCIVs0onGbhUfoI5r702fcEM</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="id3695982334609027802744130" IssueInstant="2020-08-18T21:14:02.181Z" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/xxxxxxxxx4x6</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#id3695982334609027802744130">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>g8vVhT6anU1xJOXQH9IrsOIpWG1YZN9GVIWFXVd9zFk=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
nFK/0DyI7SpavUD3FPdr7BU1wSMIJl3NR4efPDKfZeZMhPGOX3lurD5lHSceulzGLcZbsOmPnEn1pLsFCOefihVC/SmkNNBHB/uCbKdrgmcQ4Q+xuBEuoUXopG80Xx3sMWZa0lSRAgAcM0sJb6EynmyifxBJ4n0/P9/ANIH
      </ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
MIIDpDCCAoygAwIBAgIGAXOn7be0MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
DY2IxhhuxGPHLqFT/YfO/RmJd9keXfM9lIiJl1+9N8eFskiMwUlV0RriPU9GEGt2fJRZxZqw/c7A
9u92XgEJLCIVs0onGbhUfoI5r702fcEM</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">john.doe at xyz.net</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b"
            NotOnOrAfter="2020-08-18T21:19:02.181Z"
            Recipient="http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
        NotBefore="2020-08-18T21:09:02.181Z" NotOnOrAfter="2020-08-18T21:19:02.181Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>okta</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
        AuthnInstant="2020-08-18T21:14:02.181Z" SessionIndex="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>
---------------------------------------------------------------------------------------------
Regards
Gus
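Both failure modes discussed in this thread (Tomas's "Provider for key 'remote provider entityId' with value 'casEntityID' not found" and the response Gus captured with SAML Tracer) come down to the SP comparing values in the Response with its own saml2 module configuration. The script below is an added example, not midPoint or spring-security-saml code: it runs the comparisons an SP does first (Issuer against the configured provider entityIds, Destination and Recipient against the ACS URL, InResponseTo against the request ID, Audience against the SP entityId, the validity window) over a constructed, unsigned response modeled on the one quoted above. The SP-side values (`sp_midpoint`, the ACS URL, the Okta entityId) are the ones from this thread; the clock value and the sample response are assumptions. Note that in the captured response the Audience is `okta` while the SP entityId is `sp_midpoint`; the check flags that mismatch, though the page does not establish that it is the cause of the error Gus sees. XML signature verification is deliberately out of scope here.

```python
"""Offline sanity check of a SAML 2.0 Response against midPoint's saml2 module settings.

Added example, not midPoint or spring-security-saml code. It reproduces the first
things the SP looks at when a response arrives: the remote provider is looked up by
the exact <saml2:Issuer> value, then Destination/Recipient, InResponseTo, Audience
and the validity window are compared with the SP side. XML signature verification
is out of scope here (midPoint's SAML library does that with the IdP metadata).
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# SP-side values taken from the saml2 module config and ACS URL quoted in this thread.
SP_CONFIG = {
    "entityId": "sp_midpoint",
    "acsUrl": "http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta",
    "providers": ["http://www.okta.com/xxxxxxxxxxx4x6"],   # every <provider><entityId>
}
REQUEST_ID = "ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b"      # ID of the AuthnRequest we sent
RESPONSE_TIME = datetime(2020, 8, 18, 21, 14, 3, tzinfo=timezone.utc)  # assumed SP clock


def parse_ts(s):
    """SAML xs:dateTime with milliseconds and Z suffix -> aware datetime (None if absent)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc) if s else None


def check_response(xml_text, sp=SP_CONFIG, request_id=REQUEST_ID, now=RESPONSE_TIME):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['saml2p']}}}Response":
        return [f"not a saml2p:Response but {root.tag}"]

    issuer = (root.findtext("saml2:Issuer", default="", namespaces=NS) or "").strip()
    # This is the lookup behind "Provider for key 'remote provider entityId' ... not found":
    # the Issuer must equal one configured provider entityId byte for byte.
    if issuer not in sp["providers"]:
        findings.append(f"issuer {issuer!r} is not a configured provider entityId {sp['providers']}")
    if root.get("Destination") != sp["acsUrl"]:
        findings.append(f"Destination {root.get('Destination')!r} != SP ACS URL {sp['acsUrl']!r}")
    if root.get("InResponseTo") != request_id:
        findings.append(f"InResponseTo {root.get('InResponseTo')!r} != our request {request_id!r}")
    status = root.find("saml2p:Status/saml2p:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        findings.append("StatusCode is not Success")

    for a in root.findall("saml2:Assertion", NS):
        a_issuer = (a.findtext("saml2:Issuer", default="", namespaces=NS) or "").strip()
        if a_issuer != issuer:
            findings.append(f"assertion issuer {a_issuer!r} != response issuer {issuer!r}")
        scd = a.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
        if scd is None or scd.get("Recipient") != sp["acsUrl"]:
            findings.append("SubjectConfirmationData Recipient is not the SP ACS URL")
        elif scd.get("InResponseTo") != request_id:
            findings.append("SubjectConfirmationData InResponseTo does not match our request")
        cond = a.find("saml2:Conditions", NS)
        if cond is not None:
            nb, noa = parse_ts(cond.get("NotBefore")), parse_ts(cond.get("NotOnOrAfter"))
            if (nb and now < nb) or (noa and now >= noa):
                findings.append(f"assertion not valid at {now.isoformat()}")
            audiences = [x.text.strip() for x in
                         cond.findall("saml2:AudienceRestriction/saml2:Audience", NS) if x.text]
            if audiences and sp["entityId"] not in audiences:
                findings.append(f"Audience {audiences} does not contain SP entityId {sp['entityId']!r}")
    return findings


def sample_response(issuer, audience, request_id=REQUEST_ID):
    """Constructed test input modeled on the Okta response quoted in this thread, signatures omitted."""
    acs = SP_CONFIG["acsUrl"]
    return f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}"
    Destination="{acs}" ID="id369598233453735443745710" InResponseTo="{request_id}"
    IssueInstant="2020-08-18T21:14:02.181Z" Version="2.0">
  <saml2:Issuer>{issuer}</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion ID="id3695982334609027802744130" IssueInstant="2020-08-18T21:14:02.181Z" Version="2.0">
    <saml2:Issuer>{issuer}</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">john.doe@xyz.net</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="{request_id}"
            NotOnOrAfter="2020-08-18T21:19:02.181Z" Recipient="{acs}"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2020-08-18T21:09:02.181Z" NotOnOrAfter="2020-08-18T21:19:02.181Z">
      <saml2:AudienceRestriction><saml2:Audience>{audience}</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""


if __name__ == "__main__":
    # Gus's case: issuer matches the configured provider, but the Audience is "okta", not "sp_midpoint".
    print("okta :", check_response(sample_response("http://www.okta.com/xxxxxxxxxxx4x6", "okta")))
    # Tomas's case: the issuer is not among the configured providers at all.
    print("cas  :", check_response(sample_response("casEntityID", "sp_midpoint")))
```

The issuer lookup is an exact string comparison, so a trailing newline or whitespace inside `<provider><entityId>` (the original config has the closing tag on its own line) is worth ruling out before anything else; the Audience check is the one that needs the Okta "Audience URI (SP Entity ID)" field to hold exactly the SP entityId.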
On Tue, 18 Aug 2020 at 02:28, Alexandre Zia <alexandre.zia at ifood.com.br> wrote:
I've just changed a few things, based on your config,
<saml2>
  <name>oktaidp</name>
  <description>Enterprise SAML-based SSO system</description>
  <network>
    <readTimeout>10000</readTimeout>
    <connectTimeout>5000</connectTimeout>
  </network>
  <serviceProvider>
    <entityId>sp_midpoint</entityId>
    <aliasForPath>okta</aliasForPath>
    <signRequests>false</signRequests>
    <wantAssertionsSigned>true</wantAssertionsSigned>
    <singleLogoutEnabled>true</singleLogoutEnabled>
    <nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</nameId>
    <provider>
      <entityId>http://www.okta.com/xxxxxxxxxxxx4x6</entityId>
      <alias>SSO-Okta</alias>
      <metadata>
        <xml>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</xml>
      </metadata>
      <skipSslValidation>false</skipSslValidation>
      <linkText>Okta</linkText>
      <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
      <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
    </provider>
  </serviceProvider>
</saml2>
And your ACS url will be something like this:
http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta
On Mon, Aug 17, 2020 at 2:24 PM Gus Lou <gugalou38 at gmail.com> wrote:
Hi Lukas
Thank you very much for your help. I had not configured this option yet.
I did the suggested configuration, now the link to the IdP in the midpoint
interface is correct.
But when I click on the link to the IdP and do the authentication and get
the reply back to the midpoint I get an error:
Midpoint saml module doesn't receive response from Identity Provider
server.
Authentication failed, and as a consequence was restarted authentication
flow
(probably due to the fact that the midpoint ACS url in the IdP is not
correct.)
I need to find out what the Midpoint Assertion Consumer Service (ACS) URL
is to report on the IdP.
Print Screen after IdP Authentication failed
Regards
Gus
On Mon, 17 Aug 2020 at 03:18, Lukas Skublik <lukas.skublik at evolveum.com> wrote:
Hello Gus,
try configuring the attribute
systemConfiguration/infrastructure/publicHttpUrlPattern to
'http://midpoint-02.xyz.net/midpoint'.
Regards,
Lukas Skublik
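Gus's questions in his first message below (which midPoint URL receives the IdP response, what to put in Okta's "Single sign on URL" and "Audience URI (SP Entity ID)" fields, and why the IdP link showed 127.0.0.1:8080) and Lukas's publicHttpUrlPattern answer above all concern the same thing: the SP-side values derived from the security policy. The script below is an added example, not midPoint code. The URL shapes it uses are inferred from the URLs quoted in this thread (`.../auth/default/oktaidp/SSO/alias/okta`, `.../auth/emergency/mySamlSso2/SSO/alias/cas_simplesam20`, `.../auth/default/oktaidp/discovery?idp=...`) and are an assumption, not documented midPoint behaviour; the policy fragment is constructed from the one posted in the thread with namespaces and ids dropped.

```python
"""Derive the midPoint SP-side URLs that an IdP has to be told about from the security policy.

Added example, not midPoint code. The URL shapes are inferred from the URLs quoted in this
thread and are an assumption, not documented midPoint behaviour:
  ACS:      {publicHttpUrlPattern}/auth/{urlSuffix}/{saml2 module name}/SSO/alias/{aliasForPath}
  IdP link: {publicHttpUrlPattern}/auth/{urlSuffix}/{saml2 module name}/discovery?idp={url-encoded IdP entityId}
"""
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Constructed fragment modeled on the security policy in this thread (midPoint namespaces and
# ids dropped so the sample stays short). skipSslValidation=true is kept to show the warning.
SECURITY_POLICY = """<authentication>
  <modules>
    <loginForm><name>internalLoginForm</name></loginForm>
    <saml2>
      <name>oktaidp</name>
      <serviceProvider>
        <entityId>sp_midpoint</entityId>
        <aliasForPath>okta</aliasForPath>
        <provider>
          <entityId>http://www.okta.com/exko4d721K5vASKoJ4x6</entityId>
          <alias>SSO-Okta</alias>
          <skipSslValidation>true</skipSslValidation>
          <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
        </provider>
      </serviceProvider>
    </saml2>
  </modules>
  <sequence>
    <name>admin-gui-default</name>
    <channel><default>true</default><urlSuffix>default</urlSuffix></channel>
    <module><name>oktaidp</name><order>30</order><necessity>sufficient</necessity></module>
    <module><name>internalLoginForm</name><order>20</order><necessity>sufficient</necessity></module>
  </sequence>
  <sequence>
    <name>admin-gui-emergency</name>
    <channel><default>false</default><urlSuffix>emergency</urlSuffix></channel>
    <module><name>internalLoginForm</name><order>30</order><necessity>sufficient</necessity></module>
  </sequence>
</authentication>"""


def sp_endpoints(policy_xml, public_url):
    """Map (sequence, saml2 module, IdP entityId) -> SP values to enter at that IdP, plus warnings."""
    root = ET.fromstring(policy_xml)
    saml_modules = {m.findtext("name"): m.find("serviceProvider") for m in root.findall("modules/saml2")}
    endpoints, warnings = {}, []
    if not public_url:
        warnings.append("publicHttpUrlPattern is empty: links are built from the local servlet address "
                        "(the 127.0.0.1:8080 link seen behind a reverse proxy)")
        return endpoints, warnings
    base = public_url.rstrip("/")
    if base.startswith("http://"):
        warnings.append("public URL is plain http: the bearer assertion is POSTed to the ACS in clear")
    for seq in root.findall("sequence"):
        seq_name, suffix = seq.findtext("name"), seq.findtext("channel/urlSuffix")
        for mod in seq.findall("module"):
            mod_name = mod.findtext("name")
            sp = saml_modules.get(mod_name)
            if sp is None:          # loginForm and other non-SAML modules have no ACS
                continue
            alias = sp.findtext("aliasForPath")
            if not alias:
                warnings.append(f"{mod_name}: aliasForPath is not set, ACS path cannot be derived")
            prefix = f"{base}/auth/{suffix}/{mod_name}"
            for p in sp.findall("provider"):
                idp = (p.findtext("entityId") or "").strip()
                endpoints[(seq_name, mod_name, idp)] = {
                    "spEntityId": sp.findtext("entityId"),                    # Okta: Audience URI (SP Entity ID)
                    "acs": f"{prefix}/SSO/alias/{alias}" if alias else None,  # Okta: Single sign on URL
                    "discovery": f"{prefix}/discovery?idp={quote(idp, safe='')}",
                    "binding": p.findtext("authenticationRequestBinding"),
                }
                if p.findtext("skipSslValidation") == "true":
                    warnings.append(f"{mod_name}/{p.findtext('alias')}: skipSslValidation=true disables "
                                    "TLS certificate checks towards the IdP")
    return endpoints, warnings


if __name__ == "__main__":
    eps, warns = sp_endpoints(SECURITY_POLICY, "http://midpoint-02.xyz.net/midpoint")
    for key, e in eps.items():
        print(key, e)
    for w in warns:
        print("WARNING:", w)
```

Only sequences that actually list the saml2 module get an ACS URL, which is why the emergency sequence (internal login form only) produces none here; a module that is reachable on an emergency URL, as in Tomas's log, would need its own entry at the IdP.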
On 6. 8. 2020 0:00, Gus Lou wrote:
Hi Guys
Anyone here already integrated Midpoint with Okta's solution to provide
Midpoint authentication through the SAML 2.0 protocol?
I created a free developer account on Okta and I am trying to make the
SAML settings following the guidelines below:
Midpoint Wiki:
https://wiki.evolveum.com/display/midPoint/Flexible+Authentication+Configuration
Git Example Security-policy-flexible-authentication:
https://github.com/Evolveum/midpoint-samples/blob/master/samples/policy/security/security-policy-flexible-authentication.xml
Okta Example - SAML Spring Security:
https://developer.okta.com/code/java/spring_security_saml/
https://github.com/oktadeveloper/okta-spring-boot-saml-example
I understand that Okta is the Identity Provider IdP and Midpoint is the
Service Provider SP.
After trying to make the settings I had some doubts:
What is the Midpoint URI that receives the IdP response?
What is the Midpoint URL that I should use to perform the authentication
at the IdP (Okta)? Because when I try to enter a user that exists in the
IdP an error appears and a screen with the link to the IdP (in this part
there is another error that I couldn't solve: the midpoint displays the
internal address https://127.0.0.1/).
Some information from my lab:
Print-01 Midpoint - Authentication GUI (the user john.doe, does not
exist at midpoint but exists at IdP)
Print-02
After I try to authenticate, I get the error message:
Couldn't authenticate user, reason: couldn't encode password.
Print-03
The link to the IdP Okta is displaying the midpoint's internal address:
http://127.0.0.1:8080/midpoint/auth/default/oktaidp/discovery?idp=http%3A%2F%2Fwww.okta.com%2Fexko4d721K5vASKoJ4x6
Instead of the hostname address:
http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/discovery?idp=http%3A%2F%2Fwww.okta.com%2Fexko4d721K5vASKoJ4x6
I believe it is some incorrect configuration on my reverse proxy - nginx
Print-04: Okta IdP SAML Configuration
Here is my main question, because in the fields:
Single sign on URL
Audience URI (SP Entity ID)
I need to report existing data in Midpoint, but I'm not sure where to get
this information.
My Security Policy Config:
I made the settings in the IdP, generated the metadata, encoded it in
base64 and put it in the Midpoint settings.
<authentication>
  <modules>
    <loginForm id="15">
      <name>internalLoginForm</name>
      <description>Internal username/password authentication, default user password, login form</description>
    </loginForm>
    <saml2 id="16">
      <name>oktaidp</name>
      <description>My SAML-based SSO system.</description>
      <network>
        <readTimeout>10000</readTimeout>
        <connectTimeout>5000</connectTimeout>
      </network>
      <serviceProvider>
        <entityId>sp_midpoint</entityId>
        <signRequests>true</signRequests>
        <wantAssertionsSigned>true</wantAssertionsSigned>
        <singleLogoutEnabled>true</singleLogoutEnabled>
        <nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</nameId>
        <keys/>
        <provider id="17">
          <entityId>http://www.okta.com/xxxxxxxxxxxx4x6</entityId>
          <alias>SSO-Okta</alias>
          <metadata>
            <xml>PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48bWQ6RW50aXR5RGVzY3JpcHRvciBlbnRpdHlJRD0iaHR0cDovL3d3dy5va3RhLmNvbS9leGtvNGQ3MjFLNXZBU0</xml>
          </metadata>
          <skipSslValidation>true</skipSslValidation>
          <linkText>Okta</linkText>
          <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
          <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
        </provider>
      </serviceProvider>
    </saml2>
  </modules>
  <sequence id="8">
    <name>admin-gui-default</name>
    <description>
      Default GUI authentication sequence.
      We want to try company SSO, federation and internal. In that order.
      Just one of them needs to be successful to let the user in.
    </description>
    <channel>
      <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
      <default>true</default>
      <urlSuffix>default</urlSuffix>
    </channel>
    <module id="12">
      <name>oktaidp</name>
      <order>30</order>
      <necessity>sufficient</necessity>
    </module>
    <module id="13">
      <name>internalLoginForm</name>
      <order>20</order>
      <necessity>sufficient</necessity>
    </module>
  </sequence>
  <sequence id="9">
    <name>admin-gui-emergency</name>
    <description>
      Special GUI authentication sequence that is using just the internal user password.
      It is used only in emergency. It allows to skip SAML authentication cycles, e.g. in case
      that the SAML authentication is redirecting the browser incorrectly.
    </description>
    <channel>
      <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
      <default>false</default>
      <urlSuffix>emergency</urlSuffix>
    </channel>
    <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType">
      <!-- Superuser -->
    </requireAssignmentTarget>
    <module id="14">
      <name>internalLoginForm</name>
      <order>30</order>
      <necessity>sufficient</necessity>
    </module>
  </sequence>
</authentication>
If anyone has any suggestions for solving the problem I would appreciate
it.
Regards
Gus
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint
--
Alexandre R Zia
Security
www.ifood.com.br