[midPoint] Flexible Authentication - List of Identity Providers is empty
Frédéric Lohier
frederic at lohier.org
Tue Jul 13 08:29:49 CEST 2021
Hello Gus,
I had the same issue and this was because midpoint did/could not download
the IDP metadata specified in <metadataUrl> even though I could download it
via a curl command from the server.
I ended up using the <pathToFile> with the IDP metadata stored locally on
the server.
Strangely, I wasn't able to reproduce the bug when I wanted to file an
issue, but I did not spend too much time on it either.
-Frédéric
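Before switching from `<metadataUrl>` to `<pathToFile>`, it helps to confirm that the metadata midPoint would receive is actually IdP metadata that matches the `<provider>` configuration (entityId, requested binding, a signing certificate present). The following Python script is an added example for this thread, not midPoint code and not something either poster wrote; the metadata document embedded in it is constructed, and the function names, the `idp.example.test` host and the `main` behaviour are assumptions. It parses a downloaded or locally stored metadata file and reports the mismatches that typically leave the identity-provider list empty.

```python
"""Offline sanity check of SAML IdP metadata against a midPoint <provider> entry.

Added example for this thread (not midPoint's own code). All names, hosts and
the sample metadata below are constructed for illustration.
"""
import ssl
import sys
import urllib.request
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of what an IdP publishes at its metadata URL.
SAMPLE_IDP_METADATA = b"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample of SP metadata, which must be rejected as an IdP source.
SAMPLE_SP_METADATA = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>
"""


def fetch_metadata(url: str, timeout: int = 10) -> bytes:
    """Download metadata with TLS verification on (hypothetical helper, not run offline).

    midPoint fetches <metadataUrl> through the JVM's own trust store and proxy
    settings, so a download that works with curl but fails here or in midPoint
    usually points at a trust-store or proxy difference on the server.
    """
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()


def parse_idp_metadata(xml_bytes: bytes) -> dict:
    """Extract entityID, SSO endpoints per binding and signing certs from IdP metadata."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor found: this is not IdP metadata")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall(f"{{{MD_NS}}}SingleSignOnService")}
    certs = []
    for kd in idp.findall(f"{{{MD_NS}}}KeyDescriptor"):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for c in kd.findall(f"{{{DS_NS}}}KeyInfo/{{{DS_NS}}}X509Data/{{{DS_NS}}}X509Certificate"):
                if c.text and c.text.strip():
                    certs.append(c.text.strip())
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def check_against_midpoint(meta: dict, configured_entity_id: str, request_binding: str) -> list:
    """Compare parsed metadata with the midPoint <provider> values; return a list of problems."""
    problems = []
    if meta["entity_id"] != configured_entity_id:
        problems.append(f"entityID mismatch: metadata says {meta['entity_id']!r}, "
                        f"midPoint <entityId> is {configured_entity_id!r}")
    if request_binding not in meta["sso"]:
        problems.append(f"IdP offers no SingleSignOnService for {request_binding}; "
                        f"available bindings: {sorted(meta['sso'])}")
    if not meta["signing_certs"]:
        problems.append("no signing certificate in metadata; assertion signatures cannot be verified")
    return problems


def main(argv: list) -> int:
    """Usage: script.py <metadata-file-or-URL> <configured entityId> [binding]"""
    source, entity_id = argv[1], argv[2]
    binding = argv[3] if len(argv) > 3 else POST_BINDING
    data = fetch_metadata(source) if source.startswith("https://") else open(source, "rb").read()
    problems = check_against_midpoint(parse_idp_metadata(data), entity_id, binding)
    for p in problems:
        print("PROBLEM:", p)
    print("metadata looks consistent with the midPoint provider" if not problems else f"{len(problems)} problem(s)")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the file you intend to reference in `<pathToFile>` (or the HTTPS URL from `<metadataUrl>`) and the `<entityId>` from your `<provider>` element; an entityID mismatch or a missing endpoint for the configured `<authenticationRequestBinding>` is reported before midPoint silently ends up with an empty provider list.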
On Mon, Jul 12, 2021, 22:08 Gus Lou via midPoint <
midpoint at lists.evolveum.com> wrote:
> Hi Guys
>
> I configured Midpoint to use Flex Authentication.
> In my configuration, I used the SAML2 module, when I try to authenticate
> to Midpoint I get the information
> *"List of Identity Providers is empty"*
> *"Select an Identity Provider"*
> I enabled debug to try to understand what might be wrong but I couldn't
> identify relevant information.
>
> *Midpoint Version:* 4.3.1
>
> *My Default Security Policy:*
>
> <securityPolicy
>     xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>     xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>     xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>     xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>     xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>     oid="00000000-0000-0000-0000-000000000120" version="36">
>   <name>Default Security Policy</name>
>   <authentication>
>     <modules>
>       <loginForm id="20">
>         <name>internalLoginForm</name>
>         <description>Internal username/password authentication, default user password, login form</description>
>       </loginForm>
>       <saml2 id="21">
>         <name>mysamlsso</name>
>         <description>My internal enterprise SAML-based SSO system.</description>
>         <serviceProvider>
>           <entityId>sp_midpoint</entityId>
>           <signRequests>false</signRequests>
>           <wantAssertionsSigned>false</wantAssertionsSigned>
>           <singleLogoutEnabled>true</singleLogoutEnabled>
>           <provider id="22">
>             <entityId>https://www.okta.com/d721K5vASKoJ4x6exko4</entityId>
>             <alias>okta</alias>
>             <metadata>
>               <metadataUrl>https://dev-99301.okta.com/app/d721K5vASKoJ4x6exko4/sso/saml/metadata</metadataUrl>
>             </metadata>
>             <skipSslValidation>false</skipSslValidation>
>             <linkText>oktapreview</linkText>
>             <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
>             <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
>           </provider>
>         </serviceProvider>
>       </saml2>
>     </modules>
>     <sequence id="23">
>       <name>admin-gui-default</name>
>       <description>
>         Default GUI authentication sequence.
>         We want to try company SSO, federation and internal. In that order.
>         Just one of them needs to be successful to let the user in.
>       </description>
>       <channel>
>         <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
>         <default>true</default>
>         <urlSuffix>default</urlSuffix>
>       </channel>
>       <module id="25">
>         <name>mysamlsso</name>
>         <order>30</order>
>         <necessity>sufficient</necessity>
>       </module>
>     </sequence>
>     <sequence id="24">
>       <name>admin-gui-emergency</name>
>       <description>
>         Special GUI authentication sequence that is using just the internal user password.
>         It is used only in emergency. It allows to skip SAML authentication cycles, e.g. in case
>         that the SAML authentication is redirecting the browser incorrectly.
>       </description>
>       <channel>
>         <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
>         <default>false</default>
>         <urlSuffix>emergency</urlSuffix>
>       </channel>
>       <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType">
>         <!-- Superuser -->
>       </requireAssignmentTarget>
>       <module id="27">
>         <name>internalLoginForm</name>
>         <order>10</order>
>         <necessity>sufficient</necessity>
>       </module>
>     </sequence>
>     <ignoredLocalPath>/actuator</ignoredLocalPath>
>     <ignoredLocalPath>/actuator/health</ignoredLocalPath>
>   </authentication>
>   <credentials>
>     <password>
>       <minOccurs>0</minOccurs>
>       <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
>       <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
>       <lockoutDuration>PT15M</lockoutDuration>
>       <valuePolicyRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>           oid="00000000-0000-0000-0000-000000000003" relation="org:default" type="tns:ValuePolicyType">
>         <!-- Default Password Policy -->
>       </valuePolicyRef>
>     </password>
>   </credentials>
> </securityPolicy>
>
>
> *Midpoint.log:*
>
> 2021-07-11 23:01:27,323 [] [http-nio-8080-exec-10] INFO (org.opensaml.core.config.InitializationService): Initializing OpenSAML using the Java Services API
> 2021-07-11 23:01:27,323 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.soap.config.XMLObjectProviderInitializer
> 2021-07-11 23:01:27,340 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.JavaCryptoValidationInitializer
> 2021-07-11 23:01:27,340 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.XMLObjectProviderInitializer
> 2021-07-11 23:01:27,349 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.ApacheXMLSecurityInitializer
> 2021-07-11 23:01:27,349 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.GlobalSecurityConfigurationInitializer
> 2021-07-11 23:01:27,349 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.security.config.ClientTLSValidationConfiguratonInitializer
> 2021-07-11 23:01:27,350 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xacml.profile.saml.config.XMLObjectProviderInitializer
> 2021-07-11 23:01:27,360 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.core.xml.config.XMLObjectProviderInitializer
> 2021-07-11 23:01:27,365 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.core.xml.config.GlobalParserPoolInitializer
> 2021-07-11 23:01:27,367 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.core.metrics.impl.MetricRegistryInitializer
> 2021-07-11 23:01:27,367 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xacml.config.XMLObjectProviderInitializer
> 2021-07-11 23:01:27,380 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.saml.config.XMLObjectProviderInitializer
> 2021-07-11 23:01:27,416 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.saml.config.SAMLConfigurationInitializer
> 2021-07-11 23:01:27,416 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.GlobalAlgorithmRegistryInitializer
> 2021-07-11 23:01:27,427 [] [http-nio-8080-exec-10] INFO (org.opensaml.core.config.InitializationService): Initializing OpenSAML using the Java Services API
> 2021-07-11 23:01:27,427 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.soap.config.XMLObjectProviderInitializer
> 2021-07-11 23:01:27,442 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.JavaCryptoValidationInitializer
> 2021-07-11 23:01:27,442 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.XMLObjectProviderInitializer
> 2021-07-11 23:01:27,452 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.ApacheXMLSecurityInitializer
> 2021-07-11 23:01:27,452 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.GlobalSecurityConfigurationInitializer
> 2021-07-11 23:01:27,452 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.security.config.ClientTLSValidationConfiguratonInitializer
> 2021-07-11 23:01:27,452 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xacml.profile.saml.config.XMLObjectProviderInitializer
> 2021-07-11 23:01:27,462 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.core.xml.config.XMLObjectProviderInitializer
> 2021-07-11 23:01:27,468 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.core.xml.config.GlobalParserPoolInitializer
> 2021-07-11 23:01:27,469 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.core.metrics.impl.MetricRegistryInitializer
> 2021-07-11 23:01:27,469 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xacml.config.XMLObjectProviderInitializer
> 2021-07-11 23:01:27,480 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.saml.config.XMLObjectProviderInitializer
> 2021-07-11 23:01:27,513 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.saml.config.SAMLConfigurationInitializer
> 2021-07-11 23:01:27,513 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.GlobalAlgorithmRegistryInitializer
>
> Regards
>
> Gus