[midPoint] Flexible Authentication - List of Identity Providers is empty
Gus Lou
gugalou38 at gmail.com
Thu Jul 15 19:12:48 CEST 2021
One more piece of information:
I believe it might be the login format provided by the IdP versus the login
expected by midPoint.
*Debug Log:*
2021-07-15 14:05:59,112 [MODEL] [http-nio-127.0.0.1-8080-exec-5] DEBUG (org.opensaml.xmlsec.signature.support.provider.ApacheSantuarioSignatureValidationProviderImpl): Signature validated with key from supplied credential
2021-07-15 14:05:59,125 [MODEL] [http-nio-127.0.0.1-8080-exec-5] INFO (com.evolveum.midpoint.web.security.provider.Saml2Provider): Authentication with saml module failed: web.security.provider.invalid
2021-07-15 14:05:59,126 [MODEL] [http-nio-127.0.0.1-8080-exec-5] ERROR (com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider): Authentication (runtime) error: web.security.provider.invalid
org.springframework.security.core.userdetails.UsernameNotFoundException: web.security.provider.invalid
    at com.evolveum.midpoint.model.impl.security.AuthenticationEvaluatorImpl.getAndCheckPrincipal(AuthenticationEvaluatorImpl.java:263)
    at com.evolveum.midpoint.model.impl.security.AuthenticationEvaluatorImpl.authenticateUserPreAuthenticated(AuthenticationEvaluatorImpl.java:238)
    at com.evolveum.midpoint.web.security.provider.Saml2Provider.internalAuthentication(Saml2Provider.java:93)
    at com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider.authenticate(MidPointAbstractAuthenticationProvider.java:92)
    at com.evolveum.midpoint.web.security.MidpointProviderManager.authenticate(MidpointProviderManager.java:58)
    at jdk.internal.reflect.GeneratedMethodAccessor440.invoke(Unknown Source)
On Thu, Jul 15, 2021 at 12:34, Gus Lou <gugalou38 at gmail.com> wrote:
> Hi Guys
>
> I identified an error in my settings, my metadata before looked like this:
> https://192.168.0.46/midpoint/auth/default/mysamlsso/SSO/okta/sp_midpoint
>
> After the correction, it looked like this:
> https://192.168.0.46/midpoint/auth/default/mysamlsso/SSO/alias/sp_midpoint
>
> Tip: use Midpoint's metadata generator:
>
> https://docs.evolveum.com/midpoint/reference/security/authentication/flexible-authentication/configuration/
>
> Midpoint can generate metadata of SP. You can get it via the link:
> http://<midpointHost>/midpoint/auth/<authenticationSequenceUrlSuffix>/<saml2ModuleName>/metadata.
>
> Now I get another error:
> * Invalid username and/or password*.
>
> I'm still investigating; I've validated the username and password directly in
> my identity provider and the credentials are correct.
>
> Best Regards
>
> On Wed, Jul 14, 2021 at 20:14, Gus Lou <gugalou38 at gmail.com> wrote:
>
>> Hi Frédéric
>> Thank you for your help.
>> I followed your recommendation and changed metadata to <pathtofile>.
>> Now, Midpoint presented a new message:
>> *Validation Errors: 1. Destination mismatch: https://192.168.0.46/midpoint/auth/default/mysamlsso/SSO/okta/sp_midpoint*
>>
>> I'm validating the settings to understand what might be wrong.
>>
>> Best regards
>>
>> On Tue, Jul 13, 2021 at 03:30, Frédéric Lohier <frederic at lohier.org> wrote:
>>
>>> Hello Gus,
>>>
>>> I had the same issue and this was because midpoint did/could not
>>> download the IDP metadata specified in <metadataUrl> even though I could
>>> download it via a curl command from the server.
>>>
>>> I ended up using the <pathToFile> with the IDP metadata stored locally
>>> on the server.
>>>
>>> Strangely, I wasn't able to reproduce the bug when I wanted to file an
>>> issue, but I did not spend too much time on it either.
>>>
>>> -Frédéric
>>>
>>> On Mon, Jul 12, 2021, 22:08 Gus Lou via midPoint <
>>> midpoint at lists.evolveum.com> wrote:
>>>
>>>> Hi Guys
>>>>
>>>> I configured Midpoint to use Flex Authentication.
>>>> In my configuration, I used the SAML2 module; when I try to
>>>> authenticate to Midpoint I get the messages
>>>> *"List of Identity Providers is empty"*
>>>> *"Select an Identity Provider"*
>>>> I enabled debug to try to understand what might be wrong but I couldn't
>>>> identify relevant information.
>>>>
>>>> *Midpoint Version:* 4.3.1
>>>>
>>>> *My Default Security Policy:*
>>>>
>>>> <securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>>                 xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>>                 xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>>>>                 xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>>>>                 xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>>>>                 xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>>>>                 xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>>>>                 oid="00000000-0000-0000-0000-000000000120" version="36">
>>>>   <name>Default Security Policy</name>
>>>>   <authentication>
>>>>     <modules>
>>>>       <loginForm id="20">
>>>>         <name>internalLoginForm</name>
>>>>         <description>Internal username/password authentication, default user password, login form</description>
>>>>       </loginForm>
>>>>       <saml2 id="21">
>>>>         <name>mysamlsso</name>
>>>>         <description>My internal enterprise SAML-based SSO system.</description>
>>>>         <serviceProvider>
>>>>           <entityId>sp_midpoint</entityId>
>>>>           <signRequests>false</signRequests>
>>>>           <wantAssertionsSigned>false</wantAssertionsSigned>
>>>>           <singleLogoutEnabled>true</singleLogoutEnabled>
>>>>           <provider id="22">
>>>>             <entityId>https://www.okta.com/d721K5vASKoJ4x6exko4</entityId>
>>>>             <alias>okta</alias>
>>>>             <metadata>
>>>>               <metadataUrl>https://dev-99301.okta.com/app/d721K5vASKoJ4x6exko4/sso/saml/metadata</metadataUrl>
>>>>             </metadata>
>>>>             <skipSslValidation>false</skipSslValidation>
>>>>             <linkText>oktapreview</linkText>
>>>>             <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
>>>>             <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
>>>>           </provider>
>>>>         </serviceProvider>
>>>>       </saml2>
>>>>     </modules>
>>>>     <sequence id="23">
>>>>       <name>admin-gui-default</name>
>>>>       <description>
>>>>         Default GUI authentication sequence.
>>>>         We want to try company SSO, federation and internal. In that order.
>>>>         Just one of then need to be successful to let user in.
>>>>       </description>
>>>>       <channel>
>>>>         <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
>>>>         <default>true</default>
>>>>         <urlSuffix>default</urlSuffix>
>>>>       </channel>
>>>>       <module id="25">
>>>>         <name>mysamlsso</name>
>>>>         <order>30</order>
>>>>         <necessity>sufficient</necessity>
>>>>       </module>
>>>>     </sequence>
>>>>     <sequence id="24">
>>>>       <name>admin-gui-emergency</name>
>>>>       <description>
>>>>         Special GUI authentication sequence that is using just the internal user password.
>>>>         It is used only in emergency. It allows to skip SAML authentication cycles, e.g. in case
>>>>         that the SAML authentication is redirecting the browser incorrectly.
>>>>       </description>
>>>>       <channel>
>>>>         <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
>>>>         <default>false</default>
>>>>         <urlSuffix>emergency</urlSuffix>
>>>>       </channel>
>>>>       <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType">
>>>>         <!-- Superuser -->
>>>>       </requireAssignmentTarget>
>>>>       <module id="27">
>>>>         <name>internalLoginForm</name>
>>>>         <order>10</order>
>>>>         <necessity>sufficient</necessity>
>>>>       </module>
>>>>     </sequence>
>>>>     <ignoredLocalPath>/actuator</ignoredLocalPath>
>>>>     <ignoredLocalPath>/actuator/health</ignoredLocalPath>
>>>>   </authentication>
>>>>   <credentials>
>>>>     <password>
>>>>       <minOccurs>0</minOccurs>
>>>>       <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
>>>>       <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
>>>>       <lockoutDuration>PT15M</lockoutDuration>
>>>>       <valuePolicyRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>>                      oid="00000000-0000-0000-0000-000000000003" relation="org:default" type="tns:ValuePolicyType">
>>>>         <!-- Default Password Policy -->
>>>>       </valuePolicyRef>
>>>>     </password>
>>>>   </credentials>
>>>> </securityPolicy>
>>>>
>>>>
>>>> *Midpoint.log:*
>>>>
>>>> 2021-07-11 23:01:27,323 [] [http-nio-8080-exec-10] INFO (org.opensaml.core.config.InitializationService): Initializing OpenSAML using the Java Services API
>>>> 2021-07-11 23:01:27,323 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.soap.config.XMLObjectProviderInitializer
>>>> 2021-07-11 23:01:27,340 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.JavaCryptoValidationInitializer
>>>> 2021-07-11 23:01:27,340 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.XMLObjectProviderInitializer
>>>> 2021-07-11 23:01:27,349 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.ApacheXMLSecurityInitializer
>>>> 2021-07-11 23:01:27,349 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.GlobalSecurityConfigurationInitializer
>>>> 2021-07-11 23:01:27,349 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.security.config.ClientTLSValidationConfiguratonInitializer
>>>> 2021-07-11 23:01:27,350 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xacml.profile.saml.config.XMLObjectProviderInitializer
>>>> 2021-07-11 23:01:27,360 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.core.xml.config.XMLObjectProviderInitializer
>>>> 2021-07-11 23:01:27,365 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.core.xml.config.GlobalParserPoolInitializer
>>>> 2021-07-11 23:01:27,367 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.core.metrics.impl.MetricRegistryInitializer
>>>> 2021-07-11 23:01:27,367 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xacml.config.XMLObjectProviderInitializer
>>>> 2021-07-11 23:01:27,380 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.saml.config.XMLObjectProviderInitializer
>>>> 2021-07-11 23:01:27,416 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.saml.config.SAMLConfigurationInitializer
>>>> 2021-07-11 23:01:27,416 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.GlobalAlgorithmRegistryInitializer
>>>> 2021-07-11 23:01:27,427 [] [http-nio-8080-exec-10] INFO (org.opensaml.core.config.InitializationService): Initializing OpenSAML using the Java Services API
>>>> 2021-07-11 23:01:27,427 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.soap.config.XMLObjectProviderInitializer
>>>> 2021-07-11 23:01:27,442 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.JavaCryptoValidationInitializer
>>>> 2021-07-11 23:01:27,442 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.XMLObjectProviderInitializer
>>>> 2021-07-11 23:01:27,452 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.ApacheXMLSecurityInitializer
>>>> 2021-07-11 23:01:27,452 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.GlobalSecurityConfigurationInitializer
>>>> 2021-07-11 23:01:27,452 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.security.config.ClientTLSValidationConfiguratonInitializer
>>>> 2021-07-11 23:01:27,452 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xacml.profile.saml.config.XMLObjectProviderInitializer
>>>> 2021-07-11 23:01:27,462 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.core.xml.config.XMLObjectProviderInitializer
>>>> 2021-07-11 23:01:27,468 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.core.xml.config.GlobalParserPoolInitializer
>>>> 2021-07-11 23:01:27,469 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.core.metrics.impl.MetricRegistryInitializer
>>>> 2021-07-11 23:01:27,469 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xacml.config.XMLObjectProviderInitializer
>>>> 2021-07-11 23:01:27,480 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.saml.config.XMLObjectProviderInitializer
>>>> 2021-07-11 23:01:27,513 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.saml.config.SAMLConfigurationInitializer
>>>> 2021-07-11 23:01:27,513 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.GlobalAlgorithmRegistryInitializer
>>>>
>>>> Regards
>>>>
>>>> Gus
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>
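The two failures reported in this thread (the "Destination mismatch" validation error, and the UsernameNotFoundException that Gus suspects is a username-format mismatch against <nameOfUsernameAttribute>) can both be checked offline against a captured SAML Response. The script below is an added example, not code from the thread or from midPoint; the ACS URL pattern is taken from the corrected metadata above, and the SAML Response it parses is constructed, not captured from Okta.

```python
"""Diagnostic for the two failures seen in this thread: a SAML Response whose
Destination does not match midPoint's assertion consumer URL, and an assertion
that lacks the attribute named in <nameOfUsernameAttribute>. Added example;
the response below is constructed, not captured from Okta or midPoint."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def expected_acs_url(host, url_suffix, module_name, sp_entity_id):
    """SSO endpoint pattern from the corrected metadata in the thread:
    /midpoint/auth/<urlSuffix>/<saml2ModuleName>/SSO/alias/<spEntityId>."""
    return f"https://{host}/midpoint/auth/{url_suffix}/{module_name}/SSO/alias/{sp_entity_id}"

def check_response(xml_text, acs_url, username_attr):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    root = ET.fromstring(xml_text)
    dest = root.get("Destination")  # must equal the SP's SSO endpoint
    if dest != acs_url:
        findings.append(f"Destination mismatch: got {dest!r}, expected {acs_url!r}")
    names = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    if username_attr not in names:
        findings.append(f"username attribute {username_attr!r} not in assertion; IdP sent {sorted(names)}")
    return findings

# constructed sample: old /SSO/okta/ Destination and no 'uid' attribute
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://192.168.0.46/midpoint/auth/default/mysamlsso/SSO/okta/sp_midpoint">
  <saml:Assertion>
    <saml:Subject><saml:NameID>gus@example.invalid</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>gus@example.invalid</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    acs = expected_acs_url("192.168.0.46", "default", "mysamlsso", "sp_midpoint")
    for finding in check_response(SAMPLE_RESPONSE, acs, "uid"):
        print("FAIL:", finding)
```

A real Response can be pulled from the browser's SAML POST (base64-decoded form field) and fed to check_response in place of the constructed sample.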