[midPoint] How To Enable SAML Single Logout in Midpoint
Gus Lou
gugalou38 at gmail.com
Thu Aug 5 21:58:28 CEST 2021
Hi Guys
I was able to successfully integrate midPoint authentication via SAML with
the IdP Okta.
Now I'm trying to configure midPoint with SAML single logout.
I enabled the single logout option in midPoint and imported the X.509
certificate from midPoint into the IdP Okta.
But when I try to log out from midPoint the request is sent successfully to
the IdP, I get the response from the IdP Okta, but midPoint does not log
out and starts the authentication again.
The midPoint log did not show any errors or warnings.
In contact with Okta support I was instructed to configure in midPoint the
logout URL generated by the IdP Okta. I analyzed the midPoint documentation
(Flexible Authentication) and did not find information on where and whether it
is possible/necessary to provide the logout URL generated by the IdP.
I have attached my security policy configuration.
Regards
Gus
<authentication>
    <modules>
        <loginForm id="20">
            <name>internalLoginForm</name>
            <description>Internal username/password authentication, default user password, login form</description>
        </loginForm>
        <saml2 id="21">
            <name>mysamlsso</name>
            <description>My internal enterprise SAML-based SSO system.</description>
            <serviceProvider>
                <entityId>spmidpoint</entityId>
                <aliasForPath>spmidpoint</aliasForPath>
                <signRequests>true</signRequests>
                <wantAssertionsSigned>true</wantAssertionsSigned>
                <singleLogoutEnabled>true</singleLogoutEnabled>
                <nameId>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</nameId>
                <keys>
                    <!-- Key used to sign AuthnRequest/LogoutRequest messages sent to the IdP -->
                    <activeKeyStoreKey>
                        <keyStorePath>/opt/midpoint-4.3.1/var/sign-midpoint.jks</keyStorePath>
                        <keyStorePassword>
                            <t:encryptedData>
                                <t:encryptionMethod>
                                    <t:algorithm>http://www.w3.org/2001/04/xmlenc#aes256-cbc</t:algorithm>
                                </t:encryptionMethod>
                                <t:keyInfo>
                                    <t:keyName>nonononononononononononon</t:keyName>
                                </t:keyInfo>
                                <t:cipherData>
                                    <t:cipherValue>nonononononononononononon</t:cipherValue>
                                </t:cipherData>
                            </t:encryptedData>
                        </keyStorePassword>
                        <keyAlias>midpoint-03</keyAlias>
                        <keyPassword>
                            <t:encryptedData>
                                <t:encryptionMethod>
                                    <t:algorithm>http://www.w3.org/2001/04/xmlenc#aes256-cbc</t:algorithm>
                                </t:encryptionMethod>
                                <t:keyInfo>
                                    <t:keyName>nonononononononononononon</t:keyName>
                                </t:keyInfo>
                                <t:cipherData>
                                    <t:cipherValue>nonononononononononononon</t:cipherValue>
                                </t:cipherData>
                            </t:encryptedData>
                        </keyPassword>
                    </activeKeyStoreKey>
                    <standByKeyStoreKey id="29">
                        <type>signing</type>
                        <keyStorePath>/opt/midpoint-4.3.1/var/sign-midpoint.jks</keyStorePath>
                        <keyStorePassword>
                            <t:encryptedData>
                                <t:encryptionMethod>
                                    <t:algorithm>http://www.w3.org/2001/04/xmlenc#aes256-cbc</t:algorithm>
                                </t:encryptionMethod>
                                <t:keyInfo>
                                    <t:keyName>nonononononononononononon</t:keyName>
                                </t:keyInfo>
                                <t:cipherData>
                                    <t:cipherValue>nonononononononononononon</t:cipherValue>
                                </t:cipherData>
                            </t:encryptedData>
                        </keyStorePassword>
                        <keyAlias>midpoint-03</keyAlias>
                        <keyPassword>
                            <t:encryptedData>
                                <t:encryptionMethod>
                                    <t:algorithm>http://www.w3.org/2001/04/xmlenc#aes256-cbc</t:algorithm>
                                </t:encryptionMethod>
                                <t:keyInfo>
                                    <t:keyName>nonononononononononononon</t:keyName>
                                </t:keyInfo>
                                <t:cipherData>
                                    <t:cipherValue>nonononononononononononon</t:cipherValue>
                                </t:cipherData>
                            </t:encryptedData>
                        </keyPassword>
                    </standByKeyStoreKey>
                </keys>
                <provider id="22">
                    <entityId>http://www.okta.com/exk3x80a0aHHzzf4A4x7</entityId>
                    <alias>okta</alias>
                    <!-- IdP metadata (SSO/SLO endpoints and signing certificate) is read from this file -->
                    <metadata>
                        <pathToFile>/opt/midpoint-4.3.1/var/metadata.xml</pathToFile>
                    </metadata>
                    <!-- Disables TLS certificate validation towards the IdP; keep false outside of a preview tenant -->
                    <skipSslValidation>true</skipSslValidation>
                    <linkText>oktapreview</linkText>
                    <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
                    <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
                </provider>
            </serviceProvider>
        </saml2>
    </modules>
    <sequence id="23">
        <name>admin-gui-default</name>
        <description>
            Default GUI authentication sequence.
            We want to try company SSO, federation and internal. In that order.
            Just one of them needs to be successful to let the user in.
        </description>
        <channel>
            <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
            <default>true</default>
            <urlSuffix>default</urlSuffix>
        </channel>
        <module id="25">
            <name>mysamlsso</name>
            <order>10</order>
            <necessity>sufficient</necessity>
        </module>
    </sequence>
    <sequence id="24">
        <name>admin-gui-emergency</name>
        <description>
            Special GUI authentication sequence that uses just the internal user password.
            It is used only in an emergency. It allows skipping SAML authentication cycles, e.g. in case
            the SAML authentication is redirecting the browser incorrectly.
        </description>
        <channel>
            <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
            <default>false</default>
            <urlSuffix>emergency</urlSuffix>
        </channel>
        <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType">
            <!-- Superuser -->
        </requireAssignmentTarget>
        <module id="27">
            <name>internalLoginForm</name>
            <order>20</order>
            <necessity>sufficient</necessity>
        </module>
    </sequence>
    <ignoredLocalPath>/actuator</ignoredLocalPath>
    <ignoredLocalPath>/actuator/health</ignoredLocalPath>
</authentication>
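The `<provider>` above takes the IdP's details from `metadata.xml`; in SAML 2.0 metadata the IdP's logout endpoint is the `SingleLogoutService` element of the `IDPSSODescriptor`, so an SP that builds its endpoints from metadata gets the logout URL from there, and a metadata file without that element gives the SP nowhere to send its LogoutRequest (that midPoint 4.3 resolves it this way is an assumption here, not something the post confirms). The following check is an added example, not code from the post or from midPoint: it parses a constructed IdP metadata sample (placeholder entityID, hostname and certificate) and reports what a Single Logout round trip would be missing.

```python
"""Check IdP SAML metadata for what a Single Logout round trip needs."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample IdP metadata; entityID, host and certificate are placeholders.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/EXAMPLE-ENTITY-ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/app/example/slo/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/app/example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def idp_slo_endpoints(metadata_xml: str) -> dict:
    """Return {binding: location} for each SingleLogoutService the IdP advertises."""
    idp = ET.fromstring(metadata_xml).find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {}
    return {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)}


def idp_has_signing_cert(metadata_xml: str) -> bool:
    """True if a KeyDescriptor usable for signing carries an X.509 certificate.

    A KeyDescriptor without a 'use' attribute covers both signing and encryption."""
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing" and kd.find(".//ds:X509Certificate", NS) is not None:
            return True
    return False


def slo_findings(metadata_xml: str) -> list:
    """List the gaps that would stop an SP from completing SAML Single Logout."""
    findings = []
    endpoints = idp_slo_endpoints(metadata_xml)
    if not endpoints:
        findings.append("no SingleLogoutService in IdP metadata: SP has no logout URL to send LogoutRequest to")
    for binding, location in endpoints.items():
        if not location.startswith("https://"):
            findings.append(f"SLO endpoint {location} ({binding}) is not served over HTTPS")
    if not idp_has_signing_cert(metadata_xml):
        findings.append("no signing certificate in IdP metadata: SP cannot verify the LogoutResponse signature")
    return findings
```

Running `slo_findings` over the metadata file the SP actually loads shows whether the IdP side of the logout exchange is even reachable from the SP's point of view before looking at session handling.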