[midPoint] Flexible Authentication - List of Identity Providers is empty
Gus Lou
gugalou38 at gmail.com
Thu Jul 15 17:34:26 CEST 2021
Hi Guys
I identified an error in my settings; my metadata before looked like this:
https://192.168.0.46/midpoint/auth/default/mysamlsso/SSO/okta/sp_midpoint
After the correction, it looked like this:
https://192.168.0.46/midpoint/auth/default/mysamlsso/SSO/alias/sp_midpoint
Tip: use Midpoint's metadata generator:
https://docs.evolveum.com/midpoint/reference/security/authentication/flexible-authentication/configuration/
Midpoint can generate metadata of SP. You can get it via the link:
http://<midpointHost>/midpoint/auth/<authenticationSequenceUrlSuffix>/<saml2ModuleName>/metadata.
Now I get another error:
*Invalid username and/or password*.
I keep investigating, I've validated the username and password directly in
my identity provider and the credentials are correct.
Best Regards
On Wed, Jul 14, 2021 at 20:14, Gus Lou <gugalou38 at gmail.com>
wrote:
> Hi Frédéric
> Thank you for your help.
> I followed your recommendation and changed metadata to <pathtofile>.
> Now, Midpoint presented a new message:
> *Validation Errors: 1. Destination mismatch:
> https://192.168.0.46/midpoint/auth/default/mysamlsso/SSO/okta/sp_midpoint*
>
> I'm validating the settings to understand what might be wrong.
>
> Best regards
>
> On Tue, Jul 13, 2021 at 03:30, Frédéric Lohier <frederic at lohier.org>
> wrote:
>
>> Hello Gus,
>>
>> I had the same issue and this was because midpoint did/could not download
>> the IDP metadata specified in <metadataUrl> even though I could download it
>> via a curl command from the server.
>>
>> I ended up using the <pathToFile> with the IDP metadata stored locally on
>> the server.
>>
>> Strangely, I wasn't able to reproduce the bug when I wanted to file an
>> issue, but I did not spend too much time on it either.
>>
>> -Frédéric
>>
>> On Mon, Jul 12, 2021, 22:08 Gus Lou via midPoint <
>> midpoint at lists.evolveum.com> wrote:
>>
>>> Hi Guys
>>>
>>> I configured Midpoint to use Flex Authentication.
>>> In my configuration, I used the SAML2 module; when I try to authenticate
>>> to Midpoint I get the information
>>> *"List of Identity Providers is empty"*
>>> *"Select an Identity Provider"*
>>> I enabled debug to try to understand what might be wrong but I couldn't
>>> identify relevant information.
>>>
>>> *Midpoint Version:* 4.3.1
>>>
>>> *My Default Security Policy:*
>>>
>>> <securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>     xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>>>     xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>>>     xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>>>     xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>>>     xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>>>     oid="00000000-0000-0000-0000-000000000120" version="36">
>>>   <name>Default Security Policy</name>
>>>   <authentication>
>>>     <modules>
>>>       <loginForm id="20">
>>>         <name>internalLoginForm</name>
>>>         <description>Internal username/password authentication, default user password, login form</description>
>>>       </loginForm>
>>>       <saml2 id="21">
>>>         <name>mysamlsso</name>
>>>         <description>My internal enterprise SAML-based SSO system.</description>
>>>         <serviceProvider>
>>>           <entityId>sp_midpoint</entityId>
>>>           <signRequests>false</signRequests>
>>>           <wantAssertionsSigned>false</wantAssertionsSigned>
>>>           <singleLogoutEnabled>true</singleLogoutEnabled>
>>>           <provider id="22">
>>>             <entityId>https://www.okta.com/d721K5vASKoJ4x6exko4</entityId>
>>>             <alias>okta</alias>
>>>             <metadata>
>>>               <metadataUrl>https://dev-99301.okta.com/app/d721K5vASKoJ4x6exko4/sso/saml/metadata</metadataUrl>
>>>             </metadata>
>>>             <skipSslValidation>false</skipSslValidation>
>>>             <linkText>oktapreview</linkText>
>>>             <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
>>>             <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
>>>           </provider>
>>>         </serviceProvider>
>>>       </saml2>
>>>     </modules>
>>>     <sequence id="23">
>>>       <name>admin-gui-default</name>
>>>       <description>
>>>         Default GUI authentication sequence.
>>>         We want to try company SSO, federation and internal. In that order.
>>>         Just one of them needs to be successful to let the user in.
>>>       </description>
>>>       <channel>
>>>         <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
>>>         <default>true</default>
>>>         <urlSuffix>default</urlSuffix>
>>>       </channel>
>>>       <module id="25">
>>>         <name>mysamlsso</name>
>>>         <order>30</order>
>>>         <necessity>sufficient</necessity>
>>>       </module>
>>>     </sequence>
>>>     <sequence id="24">
>>>       <name>admin-gui-emergency</name>
>>>       <description>
>>>         Special GUI authentication sequence that is using just the internal user password.
>>>         It is used only in emergency. It allows to skip SAML authentication cycles, e.g. in case
>>>         that the SAML authentication is redirecting the browser incorrectly.
>>>       </description>
>>>       <channel>
>>>         <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
>>>         <default>false</default>
>>>         <urlSuffix>emergency</urlSuffix>
>>>       </channel>
>>>       <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType">
>>>         <!-- Superuser -->
>>>       </requireAssignmentTarget>
>>>       <module id="27">
>>>         <name>internalLoginForm</name>
>>>         <order>10</order>
>>>         <necessity>sufficient</necessity>
>>>       </module>
>>>     </sequence>
>>>     <ignoredLocalPath>/actuator</ignoredLocalPath>
>>>     <ignoredLocalPath>/actuator/health</ignoredLocalPath>
>>>   </authentication>
>>>   <credentials>
>>>     <password>
>>>       <minOccurs>0</minOccurs>
>>>       <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
>>>       <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
>>>       <lockoutDuration>PT15M</lockoutDuration>
>>>       <valuePolicyRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>           oid="00000000-0000-0000-0000-000000000003" relation="org:default" type="tns:ValuePolicyType">
>>>         <!-- Default Password Policy -->
>>>       </valuePolicyRef>
>>>     </password>
>>>   </credentials>
>>> </securityPolicy>
>>>
>>>
>>> *Midpoint.log:*
>>>
>>> 2021-07-11 23:01:27,323 [] [http-nio-8080-exec-10] INFO
>>> (org.opensaml.core.config.InitializationService): Initializing OpenSAML
>>> using the Java Services API
>>> 2021-07-11 23:01:27,323 [] [http-nio-8080-exec-10] DEBUG
>>> (org.opensaml.core.config.InitializationService): Initializing module
>>> initializer implementation:
>>> org.opensaml.soap.config.XMLObjectProviderInitializer
>>> 2021-07-11 23:01:27,340 [] [http-nio-8080-exec-10] DEBUG
>>> (org.opensaml.core.config.InitializationService): Initializing module
>>> initializer implementation:
>>> org.opensaml.xmlsec.config.JavaCryptoValidationInitializer
>>> 2021-07-11 23:01:27,340 [] [http-nio-8080-exec-10] DEBUG
>>> (org.opensaml.core.config.InitializationService): Initializing module
>>> initializer implementation:
>>> org.opensaml.xmlsec.config.XMLObjectProviderInitializer
>>> 2021-07-11 23:01:27,349 [] [http-nio-8080-exec-10] DEBUG
>>> (org.opensaml.core.config.InitializationService): Initializing module
>>> initializer implementation:
>>> org.opensaml.xmlsec.config.ApacheXMLSecurityInitializer
>>> 2021-07-11 23:01:27,349 [] [http-nio-8080-exec-10] DEBUG
>>> (org.opensaml.core.config.InitializationService): Initializing module
>>> initializer implementation:
>>> org.opensaml.xmlsec.config.GlobalSecurityConfigurationInitializer
>>> 2021-07-11 23:01:27,349 [] [http-nio-8080-exec-10] DEBUG
>>> (org.opensaml.core.config.InitializationService): Initializing module
>>> initializer implementation:
>>> org.opensaml.security.config.ClientTLSValidationConfiguratonInitializer
>>> 2021-07-11 23:01:27,350 [] [http-nio-8080-exec-10] DEBUG
>>> (org.opensaml.core.config.InitializationService): Initializing module
>>> initializer implementation:
>>> org.opensaml.xacml.profile.saml.config.XMLObjectProviderInitializer
>>> 2021-07-11 23:01:27,360 [] [http-nio-8080-exec-10] DEBUG
>>> (org.opensaml.core.config.InitializationService): Initializing module
>>> initializer implementation:
>>> org.opensaml.core.xml.config.XMLObjectProviderInitializer
>>> 2021-07-11 23:01:27,365 [] [http-nio-8080-exec-10] DEBUG
>>> (org.opensaml.core.config.InitializationService): Initializing module
>>> initializer implementation:
>>> org.opensaml.core.xml.config.GlobalParserPoolInitializer
>>> 2021-07-11 23:01:27,367 [] [http-nio-8080-exec-10] DEBUG
>>> (org.opensaml.core.config.InitializationService): Initializing module
>>> initializer implementation:
>>> org.opensaml.core.metrics.impl.MetricRegistryInitializer
>>> 2021-07-11 23:01:27,367 [] [http-nio-8080-exec-10] DEBUG
>>> (org.opensaml.core.config.InitializationService): Initializing module
>>> initializer implementation:
>>> org.opensaml.xacml.config.XMLObjectProviderInitializer
>>> 2021-07-11 23:01:27,380 [] [http-nio-8080-exec-10] DEBUG
>>> (org.opensaml.core.config.InitializationService): Initializing module
>>> initializer implementation:
>>> org.opensaml.saml.config.XMLObjectProviderInitializer
>>> 2021-07-11 23:01:27,416 [] [http-nio-8080-exec-10] DEBUG
>>> (org.opensaml.core.config.InitializationService): Initializing module
>>> initializer implementation:
>>> org.opensaml.saml.config.SAMLConfigurationInitializer
>>> 2021-07-11 23:01:27,416 [] [http-nio-8080-exec-10] DEBUG
>>> (org.opensaml.core.config.InitializationService): Initializing module
>>> initializer implementation:
>>> org.opensaml.xmlsec.config.GlobalAlgorithmRegistryInitializer
>>> 2021-07-11 23:01:27,427 [] [http-nio-8080-exec-10] INFO
>>> (org.opensaml.core.config.InitializationService): Initializing OpenSAML
>>> using the Java Services API
>>> 2021-07-11 23:01:27,427 [] [http-nio-8080-exec-10] DEBUG
>>> (org.opensaml.core.config.InitializationService): Initializing module
>>> initializer implementation:
>>> org.opensaml.soap.config.XMLObjectProviderInitializer
>>> 2021-07-11 23:01:27,442 [] [http-nio-8080-exec-10] DEBUG
>>> (org.opensaml.core.config.InitializationService): Initializing module
>>> initializer implementation:
>>> org.opensaml.xmlsec.config.JavaCryptoValidationInitializer
>>> 2021-07-11 23:01:27,442 [] [http-nio-8080-exec-10] DEBUG
>>> (org.opensaml.core.config.InitializationService): Initializing module
>>> initializer implementation:
>>> org.opensaml.xmlsec.config.XMLObjectProviderInitializer
>>> 2021-07-11 23:01:27,452 [] [http-nio-8080-exec-10] DEBUG
>>> (org.opensaml.core.config.InitializationService): Initializing module
>>> initializer implementation:
>>> org.opensaml.xmlsec.config.ApacheXMLSecurityInitializer
>>> 2021-07-11 23:01:27,452 [] [http-nio-8080-exec-10] DEBUG
>>> (org.opensaml.core.config.InitializationService): Initializing module
>>> initializer implementation:
>>> org.opensaml.xmlsec.config.GlobalSecurityConfigurationInitializer
>>> 2021-07-11 23:01:27,452 [] [http-nio-8080-exec-10] DEBUG
>>> (org.opensaml.core.config.InitializationService): Initializing module
>>> initializer implementation:
>>> org.opensaml.security.config.ClientTLSValidationConfiguratonInitializer
>>> 2021-07-11 23:01:27,452 [] [http-nio-8080-exec-10] DEBUG
>>> (org.opensaml.core.config.InitializationService): Initializing module
>>> initializer implementation:
>>> org.opensaml.xacml.profile.saml.config.XMLObjectProviderInitializer
>>> 2021-07-11 23:01:27,462 [] [http-nio-8080-exec-10] DEBUG
>>> (org.opensaml.core.config.InitializationService): Initializing module
>>> initializer implementation:
>>> org.opensaml.core.xml.config.XMLObjectProviderInitializer
>>> 2021-07-11 23:01:27,468 [] [http-nio-8080-exec-10] DEBUG
>>> (org.opensaml.core.config.InitializationService): Initializing module
>>> initializer implementation:
>>> org.opensaml.core.xml.config.GlobalParserPoolInitializer
>>> 2021-07-11 23:01:27,469 [] [http-nio-8080-exec-10] DEBUG
>>> (org.opensaml.core.config.InitializationService): Initializing module
>>> initializer implementation:
>>> org.opensaml.core.metrics.impl.MetricRegistryInitializer
>>> 2021-07-11 23:01:27,469 [] [http-nio-8080-exec-10] DEBUG
>>> (org.opensaml.core.config.InitializationService): Initializing module
>>> initializer implementation:
>>> org.opensaml.xacml.config.XMLObjectProviderInitializer
>>> 2021-07-11 23:01:27,480 [] [http-nio-8080-exec-10] DEBUG
>>> (org.opensaml.core.config.InitializationService): Initializing module
>>> initializer implementation:
>>> org.opensaml.saml.config.XMLObjectProviderInitializer
>>> 2021-07-11 23:01:27,513 [] [http-nio-8080-exec-10] DEBUG
>>> (org.opensaml.core.config.InitializationService): Initializing module
>>> initializer implementation:
>>> org.opensaml.saml.config.SAMLConfigurationInitializer
>>> 2021-07-11 23:01:27,513 [] [http-nio-8080-exec-10] DEBUG
>>> (org.opensaml.core.config.InitializationService): Initializing module
>>> initializer implementation:
>>> org.opensaml.xmlsec.config.GlobalAlgorithmRegistryInitializer
>>>
>>> Regards
>>>
>>> Gus
>>>
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>
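Added example, not code from the thread or from midPoint: a small offline check that reads the saml2 provider section of a security policy together with a locally stored IdP metadata file (the pathToFile approach Frédéric described) and reports the inconsistencies behind the errors seen in this thread: provider entityId differing from the metadata entityID, the requested binding missing from the IdP, metadata without a signing certificate or past its validUntil, skipSslValidation switched on, and a plain-http metadataUrl. It then builds the SP metadata and ACS URLs in the form quoted above and compares a SAML Response's Destination attribute against the ACS URL, which is the comparison behind the "Destination mismatch" validation error. The sample policy, IdP metadata, certificate, SSO locations and the pathToFile value are constructed; the ACS URL pattern is the one Gus reported working after his correction, and treating its last segment as the SP entityId is an assumption, not something the thread establishes.

```python
"""Offline sanity checks for a midPoint saml2 module configuration.

Added example (not midPoint's code and not from the thread). Standard library only.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: the thread's provider settings cut down to what the checks read;
# the pathToFile value is a placeholder.
POLICY_XML = """<securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
 <authentication><modules><saml2><name>mysamlsso</name><serviceProvider>
  <entityId>sp_midpoint</entityId>
  <provider>
   <entityId>https://www.okta.com/d721K5vASKoJ4x6exko4</entityId>
   <alias>okta</alias>
   <metadata><pathToFile>/path/to/okta-idp-metadata.xml</pathToFile></metadata>
   <skipSslValidation>false</skipSslValidation>
   <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
  </provider>
 </serviceProvider></saml2></modules></authentication></securityPolicy>"""

# Constructed sample IdP metadata; certificate and SSO locations are placeholders.
IDP_METADATA_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" validUntil="2031-01-01T00:00:00Z"
  entityID="https://www.okta.com/d721K5vASKoJ4x6exko4">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://idp.example.invalid/sso/saml"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.invalid/sso/saml"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

# Constructed SAML Response header carrying the Destination the thread reported as mismatching.
SAML_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c1"
 Version="2.0" IssueInstant="2021-07-15T15:00:00Z"
 Destination="https://192.168.0.46/midpoint/auth/default/mysamlsso/SSO/okta/sp_midpoint"/>"""


def parse_idp_metadata(xml_text):
    """Extract entityID, SSO endpoint per binding, number of usable signing certificates
    and the validUntil stamp (None when absent) from a single EntityDescriptor."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("expected a single EntityDescriptor with an IDPSSODescriptor")
    certs = [kd for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")  # no 'use' means signing and encryption
             and kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None]
    return {
        "entity_id": root.get("entityID"),
        "valid_until": root.get("validUntil"),
        "sso": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)},
        "signing_certs": len(certs),
    }


def expected_urls(host, url_suffix, module_name, sp_entity_id):
    """SP URLs in the form the thread settled on: the metadata URL from the docs quote and the
    ACS URL Gus reported working. Assumption: the last ACS segment is the SP entityId."""
    base = f"https://{host}/midpoint/auth/{url_suffix}/{module_name}"
    return {"metadata": f"{base}/metadata", "acs": f"{base}/SSO/alias/{sp_entity_id}"}


def check_provider(policy_xml, metadata_xml, now=None):
    """Return a list of findings (empty means consistent) for the first saml2 provider."""
    prov = ET.fromstring(policy_xml).find(
        "c:authentication/c:modules/c:saml2/c:serviceProvider/c:provider", NS)
    if prov is None:
        return ["security policy has no saml2 provider"]
    idp = parse_idp_metadata(metadata_xml)

    def text(path):  # element text with surrounding whitespace removed, "" when missing
        return (prov.findtext(path, default="", namespaces=NS) or "").strip()

    findings = []
    if text("c:entityId") != idp["entity_id"]:
        findings.append(f"provider entityId {text('c:entityId')!r} != metadata entityID {idp['entity_id']!r}")
    binding = text("c:authenticationRequestBinding") or HTTP_POST
    if binding not in idp["sso"]:
        findings.append(f"IdP metadata offers no SingleSignOnService for {binding}")
    if idp["signing_certs"] == 0:
        findings.append("IdP metadata has no signing certificate; responses cannot be verified")
    if text("c:skipSslValidation") == "true":
        findings.append("skipSslValidation=true disables TLS verification towards the IdP")
    if text("c:metadata/c:metadataUrl").startswith("http://"):
        findings.append("metadataUrl is plain http; metadata could be altered in transit")
    if idp["valid_until"]:
        expiry = datetime.fromisoformat(idp["valid_until"].replace("Z", "+00:00"))
        if expiry <= (now or datetime.now(timezone.utc)):
            findings.append(f"IdP metadata expired at {idp['valid_until']}")
    return findings


def check_destination(response_xml, expected_acs):
    """True when the Response's Destination equals the ACS URL the SP answers on."""
    return ET.fromstring(response_xml).get("Destination") == expected_acs


if __name__ == "__main__":
    for finding in check_provider(POLICY_XML, IDP_METADATA_XML) or ["no findings"]:
        print("-", finding)
    urls = expected_urls("192.168.0.46", "default", "mysamlsso", "sp_midpoint")
    print("SP metadata URL:", urls["metadata"])
    print("Destination matches ACS:", check_destination(SAML_RESPONSE_XML, urls["acs"]))
```

Run against the constructed samples it reports no provider findings and prints `False` for the Destination check, because the sample Response still carries the pre-correction `/SSO/okta/` URL while the SP expects `/SSO/alias/`. Point `POLICY_XML` and `IDP_METADATA_XML` at real files to use it as a pre-flight check before restarting midPoint.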