[midPoint] Active Directory - Flexible Authentication

Gus Lou gugalou38 at gmail.com
Tue Oct 6 17:15:47 CEST 2020


Hi Lucas

I removed the settings suggested by you and now I can authenticate to the
MP with the Active Directory account and password.
Thank you very much.

My Final *"Default Security Policy"* with Flexible Authentication Active
Directory Implementation:

<securityPolicy
    xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
    xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
    xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
    xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
    xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
    xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
    xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
    oid="00000000-0000-0000-0000-000000000120" version="1">

    <name>Default Security Policy</name>
    <authentication>
        <modules>
            <loginForm id="1">
                <name>internalLoginForm</name>
                <description>Internal username/password authentication, default user password, login form</description>
            </loginForm>
            <ldap id="23">
                <name>ldapAuth</name>
                <host>ldaps://10.0.0.4:636/dc=xyz,dc=net</host>
                <userDn>CN=svc_midpoint,OU=Service,OU=Users,OU=CompanyA,OU=Holding,DC=xyz,DC=net</userDn>
                <userPassword>
                    <t:cipherValue>XXXXX</t:cipherValue>
                </userPassword>
                <search>
                    <pattern>(sAMAccountName={0})</pattern>
                    <namingAttr>sAMAccountName</namingAttr>
                    <subtree>true</subtree>
                </search>
            </ldap>
        </modules>
        <sequence id="1">
            <name>admin-gui-default</name>
            <description>
                Default GUI authentication sequence.
                We want to try company SSO, federation and internal. In that order.
                Just one of then need to be successful to let user in.
            </description>
            <channel>
                <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
                <default>true</default>
                <urlSuffix>default</urlSuffix>
            </channel>
            <module id="5">
                <name>ldapAuth</name>
                <order>20</order>
                <necessity>sufficient</necessity>
            </module>
        </sequence>
        <sequence id="2">
            <name>admin-gui-emergency</name>
            <description>
                Special GUI authentication sequence that is using just the internal user password.
                It is used only in emergency. It allows to skip SAML authentication cycles, e.g. in case
                that the SAML authentication is redirecting the browser incorrectly.
            </description>
            <channel>
                <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
                <default>false</default>
                <urlSuffix>emergency</urlSuffix>
            </channel>
            <requireAssignmentTarget
                oid="00000000-0000-0000-0000-000000000004" relation="org:default"
                type="c:RoleType">
                <!-- Superuser -->
            </requireAssignmentTarget>
            <module id="6">
                <name>internalLoginForm</name>
                <order>30</order>
                <necessity>sufficient</necessity>
            </module>
        </sequence>
        <ignoredLocalPath>/actuator</ignoredLocalPath>
        <ignoredLocalPath>/actuator/health</ignoredLocalPath>
    </authentication>
    <credentials>
        <password>
            <minOccurs>0</minOccurs>
            <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
            <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
            <lockoutDuration>PT15M</lockoutDuration>
            <valuePolicyRef
                xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                oid="00000000-0000-0000-0000-000000000003" relation="org:default"
                type="tns:ValuePolicyType">
                <!-- Default Password Policy -->
            </valuePolicyRef>
        </password>
    </credentials>
</securityPolicy>


Regards

Gus


Em ter., 6 de out. de 2020 às 03:50, Lukas Skublik via midPoint <
midpoint at lists.evolveum.com> escreveu:

> Hello Gus,
> please remove the sequences with id="7" and id="8", or add a module for
> 'internalBasic' to securityPolicy->authentication->modules, because
> a module with the name 'internalBasic' is missing from your configuration.
>
> Best regards,
> Lukas Skublik
>
> On 6. 10. 2020 1:16, Gus Lou via midPoint wrote:
> > Hello Gus,
> > when you want to use only the ldap module, you need to remove the module
> > 'internalLoginForm' from the sequence 'admin-gui-default'. Or when you
> > want to use both, then change the order for one module. The same order is
> > supported only for httpModules and for the channels of rest and actuator.
> >
> > Best regards,
> > Lukas Skublik
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
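Both of Lukas's replies above come down to two structural rules for a midPoint securityPolicy: every module a sequence references must be declared under authentication/modules, and two modules in one sequence must not share the same order. The script below is an added example, not part of the thread or the midPoint project: a small linter that parses a securityPolicy document with the standard library and reports violations of those two rules before the policy is imported. It assumes the element names used in Gus's posted policy (modules, sequence, module, name, order) and the common-3 namespace; the two sample policies are constructed here and are not Gus's configuration. The duplicate-order check is applied to every sequence, so the exception Lukas mentions for http modules and rest/actuator channels is not modelled.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Default namespace of the posted policy; "c" is just our local prefix for queries.
NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}


def lint_security_policy(xml_text):
    """Return a list of (sequence_name, problem) tuples.

    Checks: (1) each module referenced by a sequence is declared under
    authentication/modules, (2) no two modules in a sequence share an order,
    (3) a sequence declares at least one module. An empty list means clean.
    """
    root = ET.fromstring(xml_text)
    auth = root.find("c:authentication", NS)
    if auth is None:
        return [("<policy>", "no <authentication> element")]

    # Names of declared modules, whatever their element type (loginForm, ldap, ...).
    declared = set()
    modules = auth.find("c:modules", NS)
    if modules is not None:
        for mod in modules:
            declared.add(mod.findtext("c:name", default="", namespaces=NS))

    findings = []
    for seq in auth.findall("c:sequence", NS):
        seq_name = seq.findtext("c:name", default="?", namespaces=NS)
        refs = seq.findall("c:module", NS)
        if not refs:
            findings.append((seq_name, "sequence declares no modules"))
        orders = Counter()
        for ref in refs:
            mod_name = ref.findtext("c:name", default="", namespaces=NS)
            order = ref.findtext("c:order", default="", namespaces=NS)
            if mod_name not in declared:
                findings.append((seq_name, f"references undefined module '{mod_name}'"))
            orders[order] += 1
        for order, count in sorted(orders.items()):
            if count > 1:
                findings.append((seq_name, f"{count} modules share order {order}"))
    return findings


# Constructed sample: reproduces the two mistakes discussed in the thread.
BROKEN_POLICY = """\
<securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <authentication>
    <modules>
      <loginForm id="1"><name>internalLoginForm</name></loginForm>
      <ldap id="2"><name>ldapAuth</name></ldap>
    </modules>
    <sequence id="1">
      <name>admin-gui-default</name>
      <module><name>ldapAuth</name><order>20</order></module>
      <module><name>internalLoginForm</name><order>20</order></module>
    </sequence>
    <sequence id="7">
      <name>rest-default</name>
      <module><name>internalBasic</name><order>10</order></module>
    </sequence>
  </authentication>
</securityPolicy>
"""

# Constructed sample: the same policy after applying Lukas's advice.
FIXED_POLICY = """\
<securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <authentication>
    <modules>
      <loginForm id="1"><name>internalLoginForm</name></loginForm>
      <ldap id="2"><name>ldapAuth</name></ldap>
    </modules>
    <sequence id="1">
      <name>admin-gui-default</name>
      <module><name>ldapAuth</name><order>20</order></module>
    </sequence>
  </authentication>
</securityPolicy>
"""

if __name__ == "__main__":
    for label, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        problems = lint_security_policy(policy)
        print(f"{label}: {len(problems)} problem(s)")
        for seq_name, problem in problems:
            print(f"  sequence '{seq_name}': {problem}")
```

Run it against a policy file before importing it into midPoint (`lint_security_policy(open(path).read())`); an empty result means neither of the two misconfigurations from this thread is present.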