[midPoint] Midpoint - SAML 2.0 - Okta IdP - Flex-Auth?
tomas.husar at ibask.eu
tomas.husar at ibask.eu
Thu Aug 20 18:27:26 CEST 2020
Hallo Martina,
can I understand to your post in this way, that this feature (midPoint is
recognising and processing SAML response from external IDM system) is not
actually available on midpoint git-repository and it needs analytic and
development effort which goes beyond support covered in this mailing list?
Tomas
From: "Martina Benckova" <mbenckova at evolveum.com>
To: midpoint at lists.evolveum.com
Date: 20. 08. 2020 13:22
Subject: Re: [midPoint] Midpoint - SAML 2.0 - Okta IdP - Flex-Auth?
Sent by: "midPoint" <midpoint-bounces at lists.evolveum.com>
Hi Gus,
Let me join the communication.
Lukas tried to help you within limited time that he could dedicate to the
community. His main responsibilities are development activities to make
midPoint even better for the whole community. Based on this he mainly
follows Jira tickets of platform subscribers and customers with active
product support.
On the other hand, if you would like to engage our team with the issue,
and provide detailed analysis with possible solution, you might be
interested in our commercial services. In case of activated a services, we
dedicate available techie to help our customer with their issues.
We provide different services for different purposes.
Would you be interested?
Best regards,
Martina Benckova | Sales Manager
mbenckova at evolveum.com | www.evolveum.com
tel: +421 948 940 888
Disclaimer:
The contents of this e-mail and attachment(s) thereto are confidential and
intended for the named recipient(s) only. It shall not attach any
liability on the originator or Evolveum s.r.o. or its affiliates. Any
views or opinions presented in this email are solely those of the author
and may not necessarily reflect the opinions of Evolveum s.r.o. or its
affiliates. Any form of reproduction, dissemination, copying, disclosure,
modification, distribution and / or publication of this message without
the prior written consent of the author of this e-mail is strictly
prohibited. If you have received this email in error please delete it and
notify the sender immediately.
From: "Lukas Skublik" <lukas.skublik at evolveum.com>
To: midpoint at lists.evolveum.com
Sent: Thursday, August 20, 2020 9:37:04 AM
Subject: Re: [midPoint] Midpoint - SAML 2.0 - Okta IdP - Flex-Auth?
Hello Gus,
I analysed log file, but I found nothing relevant.
Regards,
Lukas Skublik.
On 19. 8. 2020 15:10, Gus Lou wrote:
Hi Lukas
I activated the debug level in the midpoint log, but found nothing
relevant.
I attached the log for analysis
Thank you very much
Em qua., 19 de ago. de 2020 às 02:54, Lukas Skublik <
lukas.skublik at evolveum.com> escreveu:
Hello Gus,
can you send me your log file. Maybe you see wrong error message.
Regards
Lukas Skublik
On 18. 8. 2020 23:35, Gus Lou wrote:
Hi Alexandre
Thank you very much
I made the modifications suggested by you and Lukas.
Something is still wrong, after authenticating with the IdP and returning
to the midpoint I get the message:
Midpoint saml module doesn't receive response from Identity Provider
server ..
The strange thing is that through the Saml Tracer tool, I can verify that
there was a request and a response.
Saml Request:
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="
http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta"
Destination="
https://dev-601301.okta.com/app/xyzdev601301_midpoint_1/xxxxxx4x6/sso/saml
" ForceAuthn="false" ID="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b" IsPassive
="false" IssueInstant="2020-08-18T21:14:01.266Z" ProtocolBinding=
"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" > <
saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
sp_midpoint</saml2:Issuer> <saml2p:NameIDPolicy AllowCreate="true" Format=
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" /> </
saml2p:AuthnRequest>
Saml Response:
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="
http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta"
ID="id369598233453735443745710" InResponseTo=
"ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b" IssueInstant=
"2020-08-18T21:14:02.181Z" Version="2.0" > <saml2:Issuer xmlns:saml2=
"urn:oasis:names:tc:SAML:2.0:assertion" Format=
"urn:oasis:names:tc:SAML:2.0:nameid-format:entity" >
http://www.okta.com/xxxxxxxxxxx4x6</saml2:Issuer> <ds:Signature xmlns:ds="
http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <
ds:CanonicalizationMethod Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm=
"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /> <ds:Reference URI=
"#id369598233453735443745710"> <ds:Transforms> <ds:Transform Algorithm="
http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <
ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /> <
ds:DigestValue>eOe03vp5gwQQ/4RERzhnfkVpxbxfb8Ek0OQHbyNXcL4=</
ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>
Opuurv0kgPnDHbxXpe2wzDhDJs6tGoRrHLc+XwIUpxtyLxwh+/4QBPmanZUWepBygLOM223ql7vfpD6e37Zr1iWNAA7Dub9Dc2HIo8igDB1i7wRSvJGWaX+BZLc8mF+CQ9jLT3vinalejcfGicVOS06CygG3ztb7QlBZJmj
</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>
MIIDpDCCAoygAwIBAgIGAXOn7be0MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
9u92XgEJLCIVs0onGbhUfoI5r702fcEM</ds:X509Certificate> </ds:X509Data> </
ds:KeyInfo> </ds:Signature> <saml2p:Status xmlns:saml2p=
"urn:oasis:names:tc:SAML:2.0:protocol"> <saml2p:StatusCode Value=
"urn:oasis:names:tc:SAML:2.0:status:Success" /> </saml2p:Status> <
saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID=
"id3695982334609027802744130" IssueInstant="2020-08-18T21:14:02.181Z"
Version="2.0" > <saml2:Issuer xmlns:saml2=
"urn:oasis:names:tc:SAML:2.0:assertion" Format=
"urn:oasis:names:tc:SAML:2.0:nameid-format:entity" >
http://www.okta.com/xxxxxxxxx4x6</saml2:Issuer> <ds:Signature xmlns:ds="
http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <
ds:CanonicalizationMethod Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm=
"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /> <ds:Reference URI=
"#id3695982334609027802744130"> <ds:Transforms> <ds:Transform Algorithm="
http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <
ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /> <
ds:DigestValue>g8vVhT6anU1xJOXQH9IrsOIpWG1YZN9GVIWFXVd9zFk=</
ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>
nFK/0DyI7SpavUD3FPdr7BU1wSMIJl3NR4efPDKfZeZMhPGOX3lurD5lHSceulzGLcZbsOmPnEn1pLsFCOefihVC/SmkNNBHB/uCbKdrgmcQ4Q+xuBEuoUXopG80Xx3sMWZa0lSRAgAcM0sJb6EynmyifxBJ4n0/P9/ANIH
</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>
MIIDpDCCAoygAwIBAgIGAXOn7be0MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
DY2IxhhuxGPHLqFT/YfO/RmJd9keXfM9lIiJl1+9N8eFskiMwUlV0RriPU9GEGt2fJRZxZqw/c7A
9u92XgEJLCIVs0onGbhUfoI5r702fcEM</ds:X509Certificate> </ds:X509Data> </
ds:KeyInfo> </ds:Signature> <saml2:Subject xmlns:saml2=
"urn:oasis:names:tc:SAML:2.0:assertion"> <saml2:NameID Format=
"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">john.doe at xyz.net</
saml2:NameID> <saml2:SubjectConfirmation Method=
"urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml2:SubjectConfirmationData
InResponseTo="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b" NotOnOrAfter=
"2020-08-18T21:19:02.181Z" Recipient="
http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta"
/> </saml2:SubjectConfirmation> </saml2:Subject> <saml2:Conditions
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" NotBefore=
"2020-08-18T21:09:02.181Z" NotOnOrAfter="2020-08-18T21:19:02.181Z" > <
saml2:AudienceRestriction> <saml2:Audience>okta</saml2:Audience> </
saml2:AudienceRestriction> </saml2:Conditions> <saml2:AuthnStatement
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" AuthnInstant=
"2020-08-18T21:14:02.181Z" SessionIndex=
"ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b" > <saml2:AuthnContext> <
saml2:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</
saml2:AuthnContextClassRef> </saml2:AuthnContext> </saml2:AuthnStatement>
</saml2:Assertion> </saml2p:Response>
---------------------------------------------------------------------------------------------
Regards
Gus
Em ter., 18 de ago. de 2020 às 02:28, Alexandre Zia <
alexandre.zia at ifood.com.br> escreveu:
I've just changed a few things, based on your config,
<saml2>
<name>oktaidp</name>
<description>Enterprise SAML-based SSO system</description>
<network>
<readTimeout>10000</readTimeout>
<connectTimeout>5000</connectTimeout>
</network>
<serviceProvider>
<entityId>sp_midpoint</entityId>
<aliasForPath>okta</aliasForPath>
<signRequests>false</signRequests>
<wantAssertionsSigned>true</wantAssertionsSigned>
<singleLogoutEnabled>true</singleLogoutEnabled>
<nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</nameId>
<provider>
<entityId>http://www.okta.com/xxxxxxxxxxxx4x6</entityId>
<alias>SSO-Okta</alias>
<metadata>
<xml>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</xml>
</metadata>
<skipSslValidation>false</skipSslValidation>
<linkText>Okta</linkText>
<authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
<nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
</provider>
</serviceProvider>
</saml2>
And your ACS url will be something like this:
http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta
On Mon, Aug 17, 2020 at 2:24 PM Gus Lou <gugalou38 at gmail.com> wrote:
Hi Luca
Thank you very much for your help. I had not configured this option yet.
I did the suggested configuration, now the link to the IdP in the midpoint
interface is correct.
But when I click on the link to the IdP and do the authentication and get
the reply back to the midpoint I get an error:
Midpoint saml module doesn't receive response from Identity Provider
server.
Authentication failed, and as a consequence was restarted authentication
flow
(probably due to the fact that the midpoint ACS url in the IdP is not
correct.)
I need to find out what the Midpoint Assertion Consumer Service (ACS) URL
is to report on the IdP.
Print Screen after IdP Authentication failed
Regards
Gus
Em seg., 17 de ago. de 2020 às 03:18, Lukas Skublik <
lukas.skublik at evolveum.com> escreveu:
Hello Gus,
you try configure attribute
systemConfiguration/infrastructure/publicHttpUrlPattern to '
http://midpoint-02.xyz.net/midpoint'.
Regards,
Lukas Skublik
On 6. 8. 2020 0:00, Gus Lou wrote:
Hi Guys
Anyone here already integrated Midpoint with Okta's solution to provide
Midpoint authentication through the SAML 2.0 protocol?
I created a free developer account on Okta and I am trying to make the
SAML settings following the guidelines below:
Midpoint Wiki:
https://wiki.evolveum.com/display/midPoint/Flexible+Authentication+Configuration
Git Example Security-policy-flexible-authentication:
https://github.com/Evolveum/midpoint-samples/blob/master/samples/policy/security/security-policy-flexible-authentication.xml
Okta Example - SAML Spring Security:
https://developer.okta.com/code/java/spring_security_saml/
https://github.com/oktadeveloper/okta-spring-boot-saml-example
I understand that Okta is the Identity Provider IdP and Midpoint is the
Service Provider SP.
After trying to make the settings I had some doubts:
What is the Midpoint uri that receives the IdP response?
What is the Midpoint url that I should use to perform the authentication
of the IdP (Okta). Because when I try to inform an existing user in the
IdP an error appears and a screen with the link of the IdP (in this part
there is another error that I couldn't solve the midpoint displays the
internal address https://127.0.0.1/
Some Informations from my Lab:
Print-01 Midpoint - Authentatication GUI (the user john.doe, does not
exist at midpoint but exists at IdP)
Print-02
After I try to authenticate, I get the error message:
Couldn't authenticate user, reason: couldn't encode password.
Print-03
The link to the idp Okta is displaying the midpoint's internal address:
http://127.0.0.1:8080/
midpoint/auth/default/oktaidp/discovery?idp=http%3A%2F%2Fwww.okta.com
%2Fexko4d721K5vASKoJ4x6
Instead of the hostname address:
http://midpoint-02.xyz.net
/midpoint/auth/default/oktaidp/discovery?idp=http%3A%2F%2Fwww.okta.com
%2Fexko4d721K5vASKoJ4x6
I believe it is some incorrect configuration on my reverse proxy - nginx
Print-04: Okta IdP SAML Configuration
Here is my main question, because in the fields:
Single sign on URL
Audience URI (SP Entity ID)
I need to report existing data in Midpoint, but I'm not sure where to get
this information.
My Security Policy Config:
I made the settings in the IdP, generated the metadata, encoded it in base
64 and put it in the Midpoint settings.
<authentication>
<modules>
<loginForm id="15">
<name>internalLoginForm</name>
<description>Internal username/password authentication,
default user password, login form</description>
</loginForm>
<saml2 id="16">
<name>oktaidp</name>
<description>My SAML-based SSO system.</description>
<network>
�� <readTimeout>10000</readTimeout>
<connectTimeout>5000</connectTimeout>
</network>
<serviceProvider>
<entityId>sp_midpoint</entityId>
<signRequests>true</signRequests>
<wantAssertionsSigned>true</wantAssertionsSigned>
<singleLogoutEnabled>true</singleLogoutEnabled>
<nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</nameId>
<keys/>
<provider id="17">
<entityId>http://www.okta.com/xxxxxxxxxxxx4x6
</entityId>
<alias>SSO-Okta</alias>
<metadata>
<xml>PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48bWQ6RW50aXR5RGVzY3JpcHRvciBlbnRpdHlJRD0iaHR0cDovL3d3dy5va3RhLmNvbS9leGtvNGQ3MjFLNXZBU0</xml>
</metadata>
<skipSslValidation>true</skipSslValidation>
<linkText>Okta</linkText>
<authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
<nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
</provider>
</serviceProvider>
</saml2>
</modules>
<sequence id="8">
<name>admin-gui-default</name>
<description>
Default GUI authentication sequence.
We want to try company SSO, federation and internal. In
that order.
Just one of then need to be successful to let user in.
</description>
<channel>
<channelId>
http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user
</channelId>
<default>true</default>
<urlSuffix>default</urlSuffix>
</channel>
<module id="12">
<name>oktaidp</name>
<order>30</order>
<necessity>sufficient</necessity>
</module>
<module id="13">
<name>internalLoginForm</name>
<order>20</order>
<necessity>sufficient</necessity>
</module>
</sequence>
<sequence id="9">
<name>admin-gui-emergency</name>
<description>
Special GUI authentication sequence that is using just the
internal user password.
It is used only in emergency. It allows to skip SAML
authentication cycles, e.g. in case
that the SAML authentication is redirecting the browser
incorrectly.
</description>
<channel>
<channelId>
http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user
</channelId>
<default>false</default>
<urlSuffix>emergency</urlSuffix>
</channel>
<requireAssignmentTarget
oid="00000000-0000-0000-0000-000000000004" relation="org:default"
type="c:RoleType">
<!-- Superuser -->
</requireAssignmentTarget>
<module id="14">
<name>internalLoginForm</name>
<order>30</order>
<necessity>sufficient</necessity>
</module>
</sequence>
</authentication>
If anyone has any suggestions for solving the problem I would appreciate
it.
Regards
Gus
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint
--
Alexandre R Zia
Security
www.ifood.com.br
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint
[attachment "evolveum logo.png" deleted by Tomas Husar/Ibacz/cz]
[attachment "Facebook.png" deleted by Tomas Husar/Ibacz/cz] [attachment
"LinkedIn.png" deleted by Tomas Husar/Ibacz/cz] [attachment "Twitter.png"
deleted by Tomas Husar/Ibacz/cz]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200820/3a3d91c6/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 15927 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200820/3a3d91c6/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 5939 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200820/3a3d91c6/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 6733 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200820/3a3d91c6/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 9973 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200820/3a3d91c6/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 44374 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200820/3a3d91c6/attachment-0004.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 40189 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200820/3a3d91c6/attachment-0005.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 36057 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200820/3a3d91c6/attachment-0006.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 44752 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200820/3a3d91c6/attachment-0007.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 88974 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200820/3a3d91c6/attachment-0008.png>
More information about the midPoint
mailing list