[midPoint] Flexible Authentication - List of Identity Providers is empty
Gus Lou
gugalou38 at gmail.com
Thu Jul 15 01:14:23 CEST 2021
Hi Frédéric
Thank you for your help.
I followed your recommendation and changed metadata to <pathtofile>.
Now, Midpoint presented a new message:
*Validation Errors: 1. Destination mismatch: https://192.168.0.46/midpoint/auth/default/mysamlsso/SSO/okta/sp_midpoint*
I'm validating the settings to understand what might be wrong.
Best regards
On Tue, 13 Jul 2021 at 03:30, Frédéric Lohier <frederic at lohier.org>
wrote:
> Hello Gus,
>
> I had the same issue and this was because midpoint did/could not download
> the IDP metadata specified in <metadataUrl> even though I could download it
> via a curl command from the server.
>
> I ended up using the <pathToFile> with the IDP metadata stored locally on
> the server.
>
> Strangely, I wasn't able to reproduce the bug when I wanted to file an
> issue, but I did not spend too much time on it either.
>
> -Frédéric
>
> On Mon, Jul 12, 2021, 22:08 Gus Lou via midPoint <
> midpoint at lists.evolveum.com> wrote:
>
>> Hi Guys
>>
>> I configured Midpoint to use Flex Authentication.
>> In my configuration I used the SAML2 module; when I try to authenticate
>> to Midpoint I get the messages
>> *"List of Identity Providers is empty"*
>> *"Select an Identity Provider"*
>> I enabled debug to try to understand what might be wrong but I couldn't
>> identify relevant information.
>>
>> *Midpoint Version:* 4.3.1
>>
>> *My Default Security Policy:*
>>
>> <securityPolicy
>>     xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>     xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>>     xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>>     xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>>     xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>>     xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>>     oid="00000000-0000-0000-0000-000000000120" version="36">
>>   <name>Default Security Policy</name>
>>   <authentication>
>>     <modules>
>>       <loginForm id="20">
>>         <name>internalLoginForm</name>
>>         <description>Internal username/password authentication, default user password, login form</description>
>>       </loginForm>
>>       <saml2 id="21">
>>         <name>mysamlsso</name>
>>         <description>My internal enterprise SAML-based SSO system.</description>
>>         <serviceProvider>
>>           <entityId>sp_midpoint</entityId>
>>           <signRequests>false</signRequests>
>>           <wantAssertionsSigned>false</wantAssertionsSigned>
>>           <singleLogoutEnabled>true</singleLogoutEnabled>
>>           <provider id="22">
>>             <entityId>https://www.okta.com/d721K5vASKoJ4x6exko4</entityId>
>>             <alias>okta</alias>
>>             <metadata>
>>               <metadataUrl>https://dev-99301.okta.com/app/d721K5vASKoJ4x6exko4/sso/saml/metadata</metadataUrl>
>>             </metadata>
>>             <skipSslValidation>false</skipSslValidation>
>>             <linkText>oktapreview</linkText>
>>             <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
>>             <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
>>           </provider>
>>         </serviceProvider>
>>       </saml2>
>>     </modules>
>>     <sequence id="23">
>>       <name>admin-gui-default</name>
>>       <description>
>>         Default GUI authentication sequence.
>>         We want to try company SSO, federation and internal. In that order.
>>         Just one of them needs to be successful to let the user in.
>>       </description>
>>       <channel>
>>         <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
>>         <default>true</default>
>>         <urlSuffix>default</urlSuffix>
>>       </channel>
>>       <module id="25">
>>         <name>mysamlsso</name>
>>         <order>30</order>
>>         <necessity>sufficient</necessity>
>>       </module>
>>     </sequence>
>>     <sequence id="24">
>>       <name>admin-gui-emergency</name>
>>       <description>
>>         Special GUI authentication sequence that is using just the internal user password.
>>         It is used only in emergency. It allows to skip SAML authentication cycles, e.g. in case
>>         that the SAML authentication is redirecting the browser incorrectly.
>>       </description>
>>       <channel>
>>         <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
>>         <default>false</default>
>>         <urlSuffix>emergency</urlSuffix>
>>       </channel>
>>       <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType">
>>         <!-- Superuser -->
>>       </requireAssignmentTarget>
>>       <module id="27">
>>         <name>internalLoginForm</name>
>>         <order>10</order>
>>         <necessity>sufficient</necessity>
>>       </module>
>>     </sequence>
>>     <ignoredLocalPath>/actuator</ignoredLocalPath>
>>     <ignoredLocalPath>/actuator/health</ignoredLocalPath>
>>   </authentication>
>>   <credentials>
>>     <password>
>>       <minOccurs>0</minOccurs>
>>       <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
>>       <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
>>       <lockoutDuration>PT15M</lockoutDuration>
>>       <valuePolicyRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" oid="00000000-0000-0000-0000-000000000003" relation="org:default" type="tns:ValuePolicyType">
>>         <!-- Default Password Policy -->
>>       </valuePolicyRef>
>>     </password>
>>   </credentials>
>> </securityPolicy>
>>
>>
>> *Midpoint.log:*
>>
>> 2021-07-11 23:01:27,323 [] [http-nio-8080-exec-10] INFO (org.opensaml.core.config.InitializationService): Initializing OpenSAML using the Java Services API
>> 2021-07-11 23:01:27,323 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.soap.config.XMLObjectProviderInitializer
>> 2021-07-11 23:01:27,340 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.JavaCryptoValidationInitializer
>> 2021-07-11 23:01:27,340 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.XMLObjectProviderInitializer
>> 2021-07-11 23:01:27,349 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.ApacheXMLSecurityInitializer
>> 2021-07-11 23:01:27,349 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.GlobalSecurityConfigurationInitializer
>> 2021-07-11 23:01:27,349 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.security.config.ClientTLSValidationConfiguratonInitializer
>> 2021-07-11 23:01:27,350 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xacml.profile.saml.config.XMLObjectProviderInitializer
>> 2021-07-11 23:01:27,360 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.core.xml.config.XMLObjectProviderInitializer
>> 2021-07-11 23:01:27,365 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.core.xml.config.GlobalParserPoolInitializer
>> 2021-07-11 23:01:27,367 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.core.metrics.impl.MetricRegistryInitializer
>> 2021-07-11 23:01:27,367 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xacml.config.XMLObjectProviderInitializer
>> 2021-07-11 23:01:27,380 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.saml.config.XMLObjectProviderInitializer
>> 2021-07-11 23:01:27,416 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.saml.config.SAMLConfigurationInitializer
>> 2021-07-11 23:01:27,416 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.GlobalAlgorithmRegistryInitializer
>> 2021-07-11 23:01:27,427 [] [http-nio-8080-exec-10] INFO (org.opensaml.core.config.InitializationService): Initializing OpenSAML using the Java Services API
>> 2021-07-11 23:01:27,427 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.soap.config.XMLObjectProviderInitializer
>> 2021-07-11 23:01:27,442 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.JavaCryptoValidationInitializer
>> 2021-07-11 23:01:27,442 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.XMLObjectProviderInitializer
>> 2021-07-11 23:01:27,452 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.ApacheXMLSecurityInitializer
>> 2021-07-11 23:01:27,452 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.GlobalSecurityConfigurationInitializer
>> 2021-07-11 23:01:27,452 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.security.config.ClientTLSValidationConfiguratonInitializer
>> 2021-07-11 23:01:27,452 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xacml.profile.saml.config.XMLObjectProviderInitializer
>> 2021-07-11 23:01:27,462 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.core.xml.config.XMLObjectProviderInitializer
>> 2021-07-11 23:01:27,468 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.core.xml.config.GlobalParserPoolInitializer
>> 2021-07-11 23:01:27,469 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.core.metrics.impl.MetricRegistryInitializer
>> 2021-07-11 23:01:27,469 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xacml.config.XMLObjectProviderInitializer
>> 2021-07-11 23:01:27,480 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.saml.config.XMLObjectProviderInitializer
>> 2021-07-11 23:01:27,513 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.saml.config.SAMLConfigurationInitializer
>> 2021-07-11 23:01:27,513 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.GlobalAlgorithmRegistryInitializer
>>
>> Regards
>>
>> Gus
>>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>
>
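The two symptoms in this thread, the empty identity-provider list after the IdP metadata could not be loaded and the later "Destination mismatch" validation error, both come down to what the service provider reads from the IdP metadata and how it compares the Response's Destination with its own assertion-consumer URL. The Python below is an added example, not code from midPoint, from its SAML library or from anyone in the thread: it parses a constructed Okta-style metadata document, checks a configured provider entityId against it, and performs the Destination comparison on a constructed samlp:Response. The ACS URL pattern (.../midpoint/auth/<urlSuffix>/<moduleName>/SSO/<alias>/<spEntityId>) is inferred from the URL in the error message and is an assumption, as is whether midPoint prints the received or the expected URL in that message; every hostname, Okta id and endpoint is a placeholder.

```python
"""Offline checks for the two SAML setup problems discussed in the thread.

Added example, not midPoint's own code. Assumptions (not stated on the page):
  * the SP assertion-consumer (ACS) URL follows the pattern of the URL in the
    error message: <base>/midpoint/auth/<urlSuffix>/<module>/SSO/<alias>/<spEntityId>
  * the IdP writes that ACS URL into the Destination attribute of samlp:Response,
    as the SAML 2.0 Web Browser SSO profile requires for the HTTP-POST binding.
All hostnames, Okta ids and endpoints below are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from xml.sax.saxutils import quoteattr

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata in the shape Okta serves under .../sso/saml/metadata.
IDP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://www.okta.com/exampleIdpId">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://dev-example.okta.com/app/exampleIdpId/sso/saml"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://dev-example.okta.com/app/exampleIdpId/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def expected_acs_url(base_url, url_suffix, module_name, alias, sp_entity_id):
    """ACS URL under the assumed midPoint pattern (see module docstring)."""
    base = base_url.rstrip("/")
    return f"{base}/midpoint/auth/{url_suffix}/{module_name}/SSO/{alias}/{sp_entity_id}"


def parse_idp_metadata(xml_text):
    """Return (entityID, {binding: location}) or raise ValueError.

    An SP that cannot obtain or parse this document has no IdP to offer,
    which is the 'List of Identity Providers is empty' situation.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("metadata root is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")
    sso = {}
    for svc in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        sso[svc.get("Binding")] = svc.get("Location")
    if HTTP_POST not in sso:
        raise ValueError("IdP publishes no HTTP-POST SingleSignOnService")
    return entity_id, sso


def idp_entity_id_matches(configured_entity_id, metadata_xml):
    """The <provider><entityId> in the policy must equal the metadata entityID."""
    entity_id, _ = parse_idp_metadata(metadata_xml)
    return entity_id == configured_entity_id


def _normalise(url):
    # Scheme and host are case-insensitive; path and query are compared exactly.
    p = urlparse(url)
    return (p.scheme.lower(), p.netloc.lower(), p.path, p.query)


def check_destination(response_xml, acs_url):
    """Return (ok, detail) for the Destination attribute of a samlp:Response."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("document is not samlp:Response")
    destination = root.get("Destination")
    if destination is None:
        # Optional in the schema, but required by the HTTP-POST binding.
        return False, "Response carries no Destination attribute"
    if _normalise(destination) != _normalise(acs_url):
        return False, f"Destination mismatch: {destination}"
    return True, "ok"


def make_response(destination):
    """Constructed minimal samlp:Response (no assertion) for exercising the check."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'ID="_constructed" Version="2.0" IssueInstant="2021-07-14T00:00:00Z" '
        f"Destination={quoteattr(destination)}/>"
    )


if __name__ == "__main__":
    acs = expected_acs_url("https://192.168.0.46", "default", "mysamlsso", "okta", "sp_midpoint")
    print("IdP entityId matches:", idp_entity_id_matches("https://www.okta.com/exampleIdpId", IDP_METADATA))
    print(check_destination(make_response(acs), acs))
    print(check_destination(make_response(acs.rsplit("/", 1)[0]), acs))
```

The Destination comparison binds a Response to the endpoint it was issued for, so a Response minted for a different SP, or for this SP reached under a different scheme, host or port, is rejected before any attribute such as `uid` is mapped to a user. In practice the first thing to compare, character by character, is the Single Sign-On URL configured on the Okta application against the URL the SP reconstructs for itself; when midPoint sits behind a reverse proxy the two can differ in scheme, host or port while still looking similar.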
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20210714/7a490174/attachment-0001.htm>