[midPoint] Midpoint - SAML 2.0 - Okta IdP - Flex-Auth?

tomas.husar at ibask.eu tomas.husar at ibask.eu
Thu Aug 20 18:27:26 CEST 2020


Hallo Martina,

can I understand to your post in this way, that this feature (midPoint is 
recognising and processing SAML response from external IDM system)  is not 
actually available on midpoint git-repository and  it needs analytic and 
development effort which goes beyond support covered in this mailing list?

Tomas



From:   "Martina Benckova" <mbenckova at evolveum.com>
To:     midpoint at lists.evolveum.com
Date:   20. 08. 2020 13:22
Subject:        Re: [midPoint] Midpoint - SAML 2.0 - Okta IdP - Flex-Auth?
Sent by:        "midPoint" <midpoint-bounces at lists.evolveum.com>



Hi Gus,

Let me join the communication.

Lukas tried to help you within limited time that he could dedicate to the 
community. His main responsibilities are development activities to make 
midPoint even better for the whole community. Based on this he mainly 
follows Jira tickets of platform subscribers and customers with active 
product support.

On the other hand, if you would like to engage our team with the issue, 
and provide detailed analysis with possible solution, you might be 
interested in our commercial services. In case of activated a services, we 
dedicate available techie to help our customer with their issues.
We provide different services for different purposes.
Would you be interested?

Best regards,
Martina Benckova | Sales Manager

mbenckova at evolveum.com | www.evolveum.com 
tel: +421 948 940 888
  
Disclaimer:
The contents of this e-mail and attachment(s) thereto are confidential and 
intended for the named recipient(s) only. It shall not attach any 
liability on the originator or Evolveum s.r.o. or its affiliates. Any 
views or opinions presented in this email are solely those of the author 
and may not necessarily reflect the opinions of Evolveum s.r.o. or its 
affiliates. Any form of reproduction, dissemination, copying, disclosure, 
modification, distribution and / or publication of this message without 
the prior written consent of the author of this e-mail is strictly 
prohibited. If you have received this email in error please delete it and 
notify the sender immediately.


From: "Lukas Skublik" <lukas.skublik at evolveum.com>
To: midpoint at lists.evolveum.com
Sent: Thursday, August 20, 2020 9:37:04 AM
Subject: Re: [midPoint] Midpoint - SAML 2.0 - Okta IdP - Flex-Auth?

Hello Gus,
I analysed log file, but I found nothing relevant. 

Regards,
Lukas Skublik.
On 19. 8. 2020 15:10, Gus Lou wrote:
Hi Lukas

I activated the debug level in the midpoint log, but found nothing 
relevant.
I attached the log for analysis
Thank you very much

Em qua., 19 de ago. de 2020 às 02:54, Lukas Skublik <
lukas.skublik at evolveum.com> escreveu:
Hello Gus,
can you send me your log file. Maybe you see wrong error message.
Regards
Lukas Skublik
On 18. 8. 2020 23:35, Gus Lou wrote:
Hi Alexandre

Thank you very much 

I made the modifications suggested by you and Lukas.
Something is still wrong, after authenticating with the IdP and returning 
to the midpoint I get the message:
Midpoint saml module doesn't receive response from Identity Provider 
server ..
The strange thing is that through the Saml Tracer tool, I can verify that 
there was a request and a response.



Saml Request:

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" 
AssertionConsumerServiceURL="
http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta" 
Destination="
https://dev-601301.okta.com/app/xyzdev601301_midpoint_1/xxxxxx4x6/sso/saml
" ForceAuthn="false" ID="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b" IsPassive
="false" IssueInstant="2020-08-18T21:14:01.266Z" ProtocolBinding=
"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" > <
saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
sp_midpoint</saml2:Issuer> <saml2p:NameIDPolicy AllowCreate="true" Format=
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" /> </
saml2p:AuthnRequest>

Saml Response:

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" 
Destination="
http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta" 
ID="id369598233453735443745710" InResponseTo=
"ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b" IssueInstant=
"2020-08-18T21:14:02.181Z" Version="2.0" > <saml2:Issuer xmlns:saml2=
"urn:oasis:names:tc:SAML:2.0:assertion" Format=
"urn:oasis:names:tc:SAML:2.0:nameid-format:entity" >
http://www.okta.com/xxxxxxxxxxx4x6</saml2:Issuer> <ds:Signature xmlns:ds="
http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <
ds:CanonicalizationMethod Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm=
"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /> <ds:Reference URI=
"#id369598233453735443745710"> <ds:Transforms> <ds:Transform Algorithm="
http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <ds:Transform 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <
ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /> <
ds:DigestValue>eOe03vp5gwQQ/4RERzhnfkVpxbxfb8Ek0OQHbyNXcL4=</
ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>
Opuurv0kgPnDHbxXpe2wzDhDJs6tGoRrHLc+XwIUpxtyLxwh+/4QBPmanZUWepBygLOM223ql7vfpD6e37Zr1iWNAA7Dub9Dc2HIo8igDB1i7wRSvJGWaX+BZLc8mF+CQ9jLT3vinalejcfGicVOS06CygG3ztb7QlBZJmj
</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>
MIIDpDCCAoygAwIBAgIGAXOn7be0MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG 
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU 
9u92XgEJLCIVs0onGbhUfoI5r702fcEM</ds:X509Certificate> </ds:X509Data> </
ds:KeyInfo> </ds:Signature> <saml2p:Status xmlns:saml2p=
"urn:oasis:names:tc:SAML:2.0:protocol"> <saml2p:StatusCode Value=
"urn:oasis:names:tc:SAML:2.0:status:Success" /> </saml2p:Status> <
saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID=
"id3695982334609027802744130" IssueInstant="2020-08-18T21:14:02.181Z" 
Version="2.0" > <saml2:Issuer xmlns:saml2=
"urn:oasis:names:tc:SAML:2.0:assertion" Format=
"urn:oasis:names:tc:SAML:2.0:nameid-format:entity" >
http://www.okta.com/xxxxxxxxx4x6</saml2:Issuer> <ds:Signature xmlns:ds="
http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <
ds:CanonicalizationMethod Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm=
"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /> <ds:Reference URI=
"#id3695982334609027802744130"> <ds:Transforms> <ds:Transform Algorithm="
http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <ds:Transform 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <
ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /> <
ds:DigestValue>g8vVhT6anU1xJOXQH9IrsOIpWG1YZN9GVIWFXVd9zFk=</
ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>
nFK/0DyI7SpavUD3FPdr7BU1wSMIJl3NR4efPDKfZeZMhPGOX3lurD5lHSceulzGLcZbsOmPnEn1pLsFCOefihVC/SmkNNBHB/uCbKdrgmcQ4Q+xuBEuoUXopG80Xx3sMWZa0lSRAgAcM0sJb6EynmyifxBJ4n0/P9/ANIH
</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>
MIIDpDCCAoygAwIBAgIGAXOn7be0MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG 
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU 
DY2IxhhuxGPHLqFT/YfO/RmJd9keXfM9lIiJl1+9N8eFskiMwUlV0RriPU9GEGt2fJRZxZqw/c7A 
9u92XgEJLCIVs0onGbhUfoI5r702fcEM</ds:X509Certificate> </ds:X509Data> </
ds:KeyInfo> </ds:Signature> <saml2:Subject xmlns:saml2=
"urn:oasis:names:tc:SAML:2.0:assertion"> <saml2:NameID Format=
"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">john.doe at xyz.net</
saml2:NameID> <saml2:SubjectConfirmation Method=
"urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml2:SubjectConfirmationData 
InResponseTo="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b" NotOnOrAfter=
"2020-08-18T21:19:02.181Z" Recipient="
http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta" 
/> </saml2:SubjectConfirmation> </saml2:Subject> <saml2:Conditions 
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" NotBefore=
"2020-08-18T21:09:02.181Z" NotOnOrAfter="2020-08-18T21:19:02.181Z" > <
saml2:AudienceRestriction> <saml2:Audience>okta</saml2:Audience> </
saml2:AudienceRestriction> </saml2:Conditions> <saml2:AuthnStatement 
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" AuthnInstant=
"2020-08-18T21:14:02.181Z" SessionIndex=
"ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b" > <saml2:AuthnContext> <
saml2:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</
saml2:AuthnContextClassRef> </saml2:AuthnContext> </saml2:AuthnStatement> 
</saml2:Assertion> </saml2p:Response>

---------------------------------------------------------------------------------------------


Regards

Gus

Em ter., 18 de ago. de 2020 às 02:28, Alexandre Zia <
alexandre.zia at ifood.com.br> escreveu:
I've just changed a few things, based on your config, 

<saml2>
    <name>oktaidp</name>
    <description>Enterprise SAML-based SSO system</description>
    <network>
        <readTimeout>10000</readTimeout>
        <connectTimeout>5000</connectTimeout>
    </network>
    <serviceProvider>
        <entityId>sp_midpoint</entityId>
        <aliasForPath>okta</aliasForPath>
        <signRequests>false</signRequests>
        <wantAssertionsSigned>true</wantAssertionsSigned>
        <singleLogoutEnabled>true</singleLogoutEnabled>
 <nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</nameId>
        <provider>
             <entityId>http://www.okta.com/xxxxxxxxxxxx4x6</entityId>
            <alias>SSO-Okta</alias>
            <metadata>
                <xml>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</xml>
            </metadata>
            <skipSslValidation>false</skipSslValidation>
            <linkText>Okta</linkText>
 
<authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
            <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
        </provider>
    </serviceProvider>
</saml2>


And your ACS url will be something like this:  
http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta





On Mon, Aug 17, 2020 at 2:24 PM Gus Lou <gugalou38 at gmail.com> wrote:
Hi Luca
Thank you very much for your help. I had not configured this option yet. 
I did the suggested configuration, now the link to the IdP in the midpoint 
interface is correct.
But when I click on the link to the IdP and do the authentication and get 
the reply back to the midpoint I get an error:
Midpoint saml module doesn't receive response from Identity Provider 
server.
Authentication failed, and as a consequence was restarted authentication 
flow
(probably due to the fact that the midpoint ACS url in the IdP is not 
correct.)

I need to find out what the Midpoint Assertion Consumer Service (ACS) URL 
is to report on the IdP.

Print Screen after IdP Authentication failed


Regards

Gus

Em seg., 17 de ago. de 2020 às 03:18, Lukas Skublik <
lukas.skublik at evolveum.com> escreveu:
Hello Gus,

you try configure attribute 
systemConfiguration/infrastructure/publicHttpUrlPattern to '
http://midpoint-02.xyz.net/midpoint'.

Regards,
Lukas Skublik
On 6. 8. 2020 0:00, Gus Lou wrote:
Hi Guys 
Anyone here already integrated Midpoint with Okta's solution to provide 
Midpoint authentication through the SAML 2.0 protocol?
I created a free developer account on Okta and I am trying to make the 
SAML settings following the guidelines below:

Midpoint Wiki: 
https://wiki.evolveum.com/display/midPoint/Flexible+Authentication+Configuration

Git Example Security-policy-flexible-authentication: 
https://github.com/Evolveum/midpoint-samples/blob/master/samples/policy/security/security-policy-flexible-authentication.xml

Okta Example - SAML Spring Security:
https://developer.okta.com/code/java/spring_security_saml/
https://github.com/oktadeveloper/okta-spring-boot-saml-example

I understand that Okta is the Identity Provider IdP and Midpoint is the 
Service Provider SP.
After trying to make the settings I had some doubts:

What is the Midpoint uri that receives the IdP response?
What is the Midpoint url that I should use to perform the authentication 
of the IdP (Okta). Because when I try to inform an existing user in the 
IdP an error appears and a screen with the link of the IdP (in this part 
there is another error that I couldn't solve the midpoint displays the 
internal address https://127.0.0.1/

Some Informations from my Lab:

Print-01 Midpoint - Authentatication GUI (the user john.doe, does not 
exist at midpoint but exists at IdP)


Print-02 
After I try to authenticate, I get the error message:
Couldn't authenticate user, reason: couldn't encode password.


Print-03
The link to the idp Okta is displaying the midpoint's internal address:
http://127.0.0.1:8080/
midpoint/auth/default/oktaidp/discovery?idp=http%3A%2F%2Fwww.okta.com
%2Fexko4d721K5vASKoJ4x6

Instead of the hostname address:
http://midpoint-02.xyz.net
/midpoint/auth/default/oktaidp/discovery?idp=http%3A%2F%2Fwww.okta.com
%2Fexko4d721K5vASKoJ4x6

I believe it is some incorrect configuration on my reverse proxy - nginx


Print-04: Okta IdP SAML Configuration
Here is my main question, because in the fields:
Single sign on URL
Audience URI (SP Entity ID)
I need to report existing data in Midpoint, but I'm not sure where to get 
this information.




My Security Policy Config:
I made the settings in the IdP, generated the metadata, encoded it in base 
64 and put it in the Midpoint settings.

<authentication>
        <modules>
            <loginForm id="15">
                <name>internalLoginForm</name>
                <description>Internal username/password authentication, 
default user password, login form</description>
            </loginForm>
            <saml2 id="16">
                <name>oktaidp</name>
                <description>My SAML-based SSO system.</description>
                <network>
��                   <readTimeout>10000</readTimeout>
                    <connectTimeout>5000</connectTimeout>
                </network>
                <serviceProvider>
                    <entityId>sp_midpoint</entityId>
                    <signRequests>true</signRequests>
                    <wantAssertionsSigned>true</wantAssertionsSigned>
                    <singleLogoutEnabled>true</singleLogoutEnabled>
 <nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</nameId>
                    <keys/>
                    <provider id="17">
                        <entityId>http://www.okta.com/xxxxxxxxxxxx4x6
</entityId>
                        <alias>SSO-Okta</alias>
                        <metadata>
 
<xml>PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48bWQ6RW50aXR5RGVzY3JpcHRvciBlbnRpdHlJRD0iaHR0cDovL3d3dy5va3RhLmNvbS9leGtvNGQ3MjFLNXZBU0</xml>
                        </metadata>
                        <skipSslValidation>true</skipSslValidation>
                        <linkText>Okta</linkText>
 
<authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
 <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
                    </provider>
                </serviceProvider>
            </saml2>
        </modules>
        <sequence id="8">
            <name>admin-gui-default</name>
            <description>
                Default GUI authentication sequence.
                We want to try company SSO, federation and internal. In 
that order.
                Just one of then need to be successful to let user in.
            </description>
            <channel>
                <channelId>
http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user
</channelId>
                <default>true</default>
                <urlSuffix>default</urlSuffix>
            </channel>
            <module id="12">
                <name>oktaidp</name>
                <order>30</order>
                <necessity>sufficient</necessity>
            </module>
            <module id="13">
                <name>internalLoginForm</name>
                <order>20</order>
                <necessity>sufficient</necessity>
            </module>
        </sequence>
        <sequence id="9">
            <name>admin-gui-emergency</name>
            <description>
                Special GUI authentication sequence that is using just the 
internal user password.
                It is used only in emergency. It allows to skip SAML 
authentication cycles, e.g. in case
                that the SAML authentication is redirecting the browser 
incorrectly.
            </description>
            <channel>
                <channelId>
http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user
</channelId>
                <default>false</default>
                <urlSuffix>emergency</urlSuffix>
            </channel>
            <requireAssignmentTarget 
oid="00000000-0000-0000-0000-000000000004" relation="org:default" 
type="c:RoleType">
                <!-- Superuser -->
            </requireAssignmentTarget>
            <module id="14">
                <name>internalLoginForm</name>
                <order>30</order>
                <necessity>sufficient</necessity>
            </module>
        </sequence>
    </authentication>


If anyone has any suggestions for solving the problem I would appreciate 
it.

Regards

Gus



_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint

_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint


-- 


Alexandre R Zia

Security





www.ifood.com.br

 





_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint

_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint

_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint

_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint


_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint

[attachment "evolveum logo.png" deleted by Tomas Husar/Ibacz/cz] 
[attachment "Facebook.png" deleted by Tomas Husar/Ibacz/cz] [attachment 
"LinkedIn.png" deleted by Tomas Husar/Ibacz/cz] [attachment "Twitter.png" 
deleted by Tomas Husar/Ibacz/cz] 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200820/3a3d91c6/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 15927 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200820/3a3d91c6/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 5939 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200820/3a3d91c6/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 6733 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200820/3a3d91c6/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 9973 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200820/3a3d91c6/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 44374 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200820/3a3d91c6/attachment-0004.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 40189 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200820/3a3d91c6/attachment-0005.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 36057 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200820/3a3d91c6/attachment-0006.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 44752 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200820/3a3d91c6/attachment-0007.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 88974 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200820/3a3d91c6/attachment-0008.png>


More information about the midPoint mailing list