[midPoint] Flexible Authentication - List of Identity Providers is empty

Frédéric Lohier frederic at lohier.org
Thu Jul 15 19:35:36 CEST 2021


Yes, you are right, your IDP needs to provide the <name> attribute of your
users in a SAML attribute (in the midpoint SAML conf, you can specify the
SAML attribute containing the <name> with <nameOfUsernameAttribute>). Also,
you need to make sure your user has the appropriate authorization (roles) to
access the midpoint user interface.

-Frédéric

On Thu, Jul 15, 2021, 19:12 Gus Lou <gugalou38 at gmail.com> wrote:

> One more piece of information
>
> I believe it might be the login format informed by the IdP versus the
> login expected by midpoint.
>
> *Debug Log:*
> 2021-07-15 14:05:59,112 [MODEL] [http-nio-127.0.0.1-8080-exec-5] DEBUG
> (org.opensaml.xmlsec.signature.support.provider.ApacheSantuarioSignatureValidationProviderImpl):
> Signature validated with key from supplied credential
> 2021-07-15 14:05:59,125 [MODEL] [http-nio-127.0.0.1-8080-exec-5] INFO
> (com.evolveum.midpoint.web.security.provider.Saml2Provider): Authentication
> with saml module failed: web.security.provider.invalid
> 2021-07-15 14:05:59,126 [MODEL] [http-nio-127.0.0.1-8080-exec-5] ERROR
> (com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider):
> Authentication (runtime) error: web.security.provider.invalid
> org.springframework.security.core.userdetails.UsernameNotFoundException:
> web.security.provider.invalid
>         at
> com.evolveum.midpoint.model.impl.security.AuthenticationEvaluatorImpl.getAndCheckPrincipal(AuthenticationEvaluatorImpl.java:263)
>         at
> com.evolveum.midpoint.model.impl.security.AuthenticationEvaluatorImpl.authenticateUserPreAuthenticated(AuthenticationEvaluatorImpl.java:238)
>         at
> com.evolveum.midpoint.web.security.provider.Saml2Provider.internalAuthentication(Saml2Provider.java:93)
>         at
> com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider.authenticate(MidPointAbstractAuthenticationProvider.java:92)
>         at
> com.evolveum.midpoint.web.security.MidpointProviderManager.authenticate(MidpointProviderManager.java:58)
>         at jdk.internal.reflect.GeneratedMethodAccessor440.invoke(Unknown
> Source)
>
>
> On Thu, Jul 15, 2021 at 12:34, Gus Lou <gugalou38 at gmail.com>
> wrote:
>
>> Hi Guys
>>
>> I identified an error in my settings, my metadata before looked like this:
>> https://192.168.0.46/midpoint/auth/default/mysamlsso/SSO/okta/sp_midpoint
>>
>> After the correction, it looked like this:
>> https://192.168.0.46/midpoint/auth/default/mysamlsso/SSO/alias/sp_midpoint
>>
>> Tip: use Midpoint's metadata generator:
>>
>> https://docs.evolveum.com/midpoint/reference/security/authentication/flexible-authentication/configuration/
>>
>> Midpoint can generate metadata of SP. You can get it via the link:
>> http://<midpointHost>/midpoint/auth/<authenticationSequenceUrlSuffix>/<saml2ModuleName>/metadata.
>>
>> Now I get another error:
>>  * Invalid username and/or password*.
>>
>> I keep investigating, I've validated the username and password directly
>> in my identity provider and the credentials are correct.
>>
>> Best Regards
>>
>> On Wed, Jul 14, 2021 at 20:14, Gus Lou <gugalou38 at gmail.com>
>> wrote:
>>
>>> Hi Frédéric
>>> Thank you for your help.
>>> I followed your recommendation and changed metadata to <pathtofile>.
>>> Now, Midpoint presented a new message:
>>> *Validation Errors: 1. Destination
>>> mismatch: https://192.168.0.46/midpoint/auth/default/mysamlsso/SSO/okta/sp_midpoint*
>>>
>>> I'm validating the settings to understand what might be wrong.
>>>
>>> Best regards
>>>
>>> On Tue, Jul 13, 2021 at 03:30, Frédéric Lohier <
>>> frederic at lohier.org> wrote:
>>>
>>>> Hello Gus,
>>>>
>>>> I had the same issue and this was because midpoint did/could not
>>>> download the IDP metadata specified in <metadataUrl> even though I could
>>>> download it via a curl command from the server.
>>>>
>>>> I ended up using the <pathToFile> with the IDP metadata stored locally
>>>> on the server.
>>>>
>>>> Strangely, I wasn't able to reproduce the bug when I wanted to file an
>>>> issue, but I did not spend too much time on it either.
>>>>
>>>> -Frédéric
>>>>
>>>> On Mon, Jul 12, 2021, 22:08 Gus Lou via midPoint <
>>>> midpoint at lists.evolveum.com> wrote:
>>>>
>>>>> Hi Guys
>>>>>
>>>>> I configured Midpoint to use Flex Authentication.
>>>>> In my configuration, I used the SAML2 module, when I try to
>>>>> authenticate to Midpoint I get the information
>>>>> *"List of Identity Providers is empty"*
>>>>> *"Select an Identity Provider"*
>>>>> I enabled debug to try to understand what might be wrong but I
>>>>> couldn't identify relevant information.
>>>>>
>>>>> *Midpoint Version:* 4.3.1
>>>>>
>>>>> *My Default Security Policy:*
>>>>>
>>>>> <securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>>>     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>>>     xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>>>>>     xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>>>>>     xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>>>>>     xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>>>>>     xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>>>>>     oid="00000000-0000-0000-0000-000000000120" version="36">
>>>>>     <name>Default Security Policy</name>
>>>>>     <authentication>
>>>>>         <modules>
>>>>>             <loginForm id="20">
>>>>>                 <name>internalLoginForm</name>
>>>>>                 <description>Internal username/password authentication, default user password, login form</description>
>>>>>             </loginForm>
>>>>>             <saml2 id="21">
>>>>>                 <name>mysamlsso</name>
>>>>>                 <description>My internal enterprise SAML-based SSO system.</description>
>>>>>                 <serviceProvider>
>>>>>                     <entityId>sp_midpoint</entityId>
>>>>>                     <signRequests>false</signRequests>
>>>>>                     <wantAssertionsSigned>false</wantAssertionsSigned>
>>>>>                     <singleLogoutEnabled>true</singleLogoutEnabled>
>>>>>                     <provider id="22">
>>>>>                         <entityId>https://www.okta.com/d721K5vASKoJ4x6exko4</entityId>
>>>>>                         <alias>okta</alias>
>>>>>                         <metadata>
>>>>>                             <metadataUrl>https://dev-99301.okta.com/app/d721K5vASKoJ4x6exko4/sso/saml/metadata</metadataUrl>
>>>>>                         </metadata>
>>>>>                         <skipSslValidation>false</skipSslValidation>
>>>>>                         <linkText>oktapreview</linkText>
>>>>>                         <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
>>>>>                         <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
>>>>>                     </provider>
>>>>>                 </serviceProvider>
>>>>>             </saml2>
>>>>>         </modules>
>>>>>         <sequence id="23">
>>>>>             <name>admin-gui-default</name>
>>>>>             <description>
>>>>>                 Default GUI authentication sequence.
>>>>>                 We want to try company SSO, federation and internal. In that order.
>>>>>                 Just one of them needs to be successful to let the user in.
>>>>>             </description>
>>>>>             <channel>
>>>>>                 <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
>>>>>                 <default>true</default>
>>>>>                 <urlSuffix>default</urlSuffix>
>>>>>             </channel>
>>>>>             <module id="25">
>>>>>                 <name>mysamlsso</name>
>>>>>                 <order>30</order>
>>>>>                 <necessity>sufficient</necessity>
>>>>>             </module>
>>>>>         </sequence>
>>>>>         <sequence id="24">
>>>>>             <name>admin-gui-emergency</name>
>>>>>             <description>
>>>>>                 Special GUI authentication sequence that is using just the internal user password.
>>>>>                 It is used only in emergency. It allows to skip SAML authentication cycles, e.g. in case
>>>>>                 that the SAML authentication is redirecting the browser incorrectly.
>>>>>             </description>
>>>>>             <channel>
>>>>>                 <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
>>>>>                 <default>false</default>
>>>>>                 <urlSuffix>emergency</urlSuffix>
>>>>>             </channel>
>>>>>             <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType">
>>>>>                 <!-- Superuser -->
>>>>>             </requireAssignmentTarget>
>>>>>             <module id="27">
>>>>>                 <name>internalLoginForm</name>
>>>>>                 <order>10</order>
>>>>>                 <necessity>sufficient</necessity>
>>>>>             </module>
>>>>>         </sequence>
>>>>>         <ignoredLocalPath>/actuator</ignoredLocalPath>
>>>>>         <ignoredLocalPath>/actuator/health</ignoredLocalPath>
>>>>>     </authentication>
>>>>>     <credentials>
>>>>>         <password>
>>>>>             <minOccurs>0</minOccurs>
>>>>>             <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
>>>>>             <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
>>>>>             <lockoutDuration>PT15M</lockoutDuration>
>>>>>             <valuePolicyRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" oid="00000000-0000-0000-0000-000000000003" relation="org:default" type="tns:ValuePolicyType">
>>>>>                 <!-- Default Password Policy -->
>>>>>             </valuePolicyRef>
>>>>>         </password>
>>>>>     </credentials>
>>>>> </securityPolicy>
>>>>>
>>>>>
>>>>> *Midpoint.log:*
>>>>>
>>>>> 2021-07-11 23:01:27,323 [] [http-nio-8080-exec-10] INFO
>>>>> (org.opensaml.core.config.InitializationService): Initializing OpenSAML
>>>>> using the Java Services API
>>>>> 2021-07-11 23:01:27,323 [] [http-nio-8080-exec-10] DEBUG
>>>>> (org.opensaml.core.config.InitializationService): Initializing module
>>>>> initializer implementation:
>>>>> org.opensaml.soap.config.XMLObjectProviderInitializer
>>>>> 2021-07-11 23:01:27,340 [] [http-nio-8080-exec-10] DEBUG
>>>>> (org.opensaml.core.config.InitializationService): Initializing module
>>>>> initializer implementation:
>>>>> org.opensaml.xmlsec.config.JavaCryptoValidationInitializer
>>>>> 2021-07-11 23:01:27,340 [] [http-nio-8080-exec-10] DEBUG
>>>>> (org.opensaml.core.config.InitializationService): Initializing module
>>>>> initializer implementation:
>>>>> org.opensaml.xmlsec.config.XMLObjectProviderInitializer
>>>>> 2021-07-11 23:01:27,349 [] [http-nio-8080-exec-10] DEBUG
>>>>> (org.opensaml.core.config.InitializationService): Initializing module
>>>>> initializer implementation:
>>>>> org.opensaml.xmlsec.config.ApacheXMLSecurityInitializer
>>>>> 2021-07-11 23:01:27,349 [] [http-nio-8080-exec-10] DEBUG
>>>>> (org.opensaml.core.config.InitializationService): Initializing module
>>>>> initializer implementation:
>>>>> org.opensaml.xmlsec.config.GlobalSecurityConfigurationInitializer
>>>>> 2021-07-11 23:01:27,349 [] [http-nio-8080-exec-10] DEBUG
>>>>> (org.opensaml.core.config.InitializationService): Initializing module
>>>>> initializer implementation:
>>>>> org.opensaml.security.config.ClientTLSValidationConfiguratonInitializer
>>>>> 2021-07-11 23:01:27,350 [] [http-nio-8080-exec-10] DEBUG
>>>>> (org.opensaml.core.config.InitializationService): Initializing module
>>>>> initializer implementation:
>>>>> org.opensaml.xacml.profile.saml.config.XMLObjectProviderInitializer
>>>>> 2021-07-11 23:01:27,360 [] [http-nio-8080-exec-10] DEBUG
>>>>> (org.opensaml.core.config.InitializationService): Initializing module
>>>>> initializer implementation:
>>>>> org.opensaml.core.xml.config.XMLObjectProviderInitializer
>>>>> 2021-07-11 23:01:27,365 [] [http-nio-8080-exec-10] DEBUG
>>>>> (org.opensaml.core.config.InitializationService): Initializing module
>>>>> initializer implementation:
>>>>> org.opensaml.core.xml.config.GlobalParserPoolInitializer
>>>>> 2021-07-11 23:01:27,367 [] [http-nio-8080-exec-10] DEBUG
>>>>> (org.opensaml.core.config.InitializationService): Initializing module
>>>>> initializer implementation:
>>>>> org.opensaml.core.metrics.impl.MetricRegistryInitializer
>>>>> 2021-07-11 23:01:27,367 [] [http-nio-8080-exec-10] DEBUG
>>>>> (org.opensaml.core.config.InitializationService): Initializing module
>>>>> initializer implementation:
>>>>> org.opensaml.xacml.config.XMLObjectProviderInitializer
>>>>> 2021-07-11 23:01:27,380 [] [http-nio-8080-exec-10] DEBUG
>>>>> (org.opensaml.core.config.InitializationService): Initializing module
>>>>> initializer implementation:
>>>>> org.opensaml.saml.config.XMLObjectProviderInitializer
>>>>> 2021-07-11 23:01:27,416 [] [http-nio-8080-exec-10] DEBUG
>>>>> (org.opensaml.core.config.InitializationService): Initializing module
>>>>> initializer implementation:
>>>>> org.opensaml.saml.config.SAMLConfigurationInitializer
>>>>> 2021-07-11 23:01:27,416 [] [http-nio-8080-exec-10] DEBUG
>>>>> (org.opensaml.core.config.InitializationService): Initializing module
>>>>> initializer implementation:
>>>>> org.opensaml.xmlsec.config.GlobalAlgorithmRegistryInitializer
>>>>> 2021-07-11 23:01:27,427 [] [http-nio-8080-exec-10] INFO
>>>>> (org.opensaml.core.config.InitializationService): Initializing OpenSAML
>>>>> using the Java Services API
>>>>> 2021-07-11 23:01:27,427 [] [http-nio-8080-exec-10] DEBUG
>>>>> (org.opensaml.core.config.InitializationService): Initializing module
>>>>> initializer implementation:
>>>>> org.opensaml.soap.config.XMLObjectProviderInitializer
>>>>> 2021-07-11 23:01:27,442 [] [http-nio-8080-exec-10] DEBUG
>>>>> (org.opensaml.core.config.InitializationService): Initializing module
>>>>> initializer implementation:
>>>>> org.opensaml.xmlsec.config.JavaCryptoValidationInitializer
>>>>> 2021-07-11 23:01:27,442 [] [http-nio-8080-exec-10] DEBUG
>>>>> (org.opensaml.core.config.InitializationService): Initializing module
>>>>> initializer implementation:
>>>>> org.opensaml.xmlsec.config.XMLObjectProviderInitializer
>>>>> 2021-07-11 23:01:27,452 [] [http-nio-8080-exec-10] DEBUG
>>>>> (org.opensaml.core.config.InitializationService): Initializing module
>>>>> initializer implementation:
>>>>> org.opensaml.xmlsec.config.ApacheXMLSecurityInitializer
>>>>> 2021-07-11 23:01:27,452 [] [http-nio-8080-exec-10] DEBUG
>>>>> (org.opensaml.core.config.InitializationService): Initializing module
>>>>> initializer implementation:
>>>>> org.opensaml.xmlsec.config.GlobalSecurityConfigurationInitializer
>>>>> 2021-07-11 23:01:27,452 [] [http-nio-8080-exec-10] DEBUG
>>>>> (org.opensaml.core.config.InitializationService): Initializing module
>>>>> initializer implementation:
>>>>> org.opensaml.security.config.ClientTLSValidationConfiguratonInitializer
>>>>> 2021-07-11 23:01:27,452 [] [http-nio-8080-exec-10] DEBUG
>>>>> (org.opensaml.core.config.InitializationService): Initializing module
>>>>> initializer implementation:
>>>>> org.opensaml.xacml.profile.saml.config.XMLObjectProviderInitializer
>>>>> 2021-07-11 23:01:27,462 [] [http-nio-8080-exec-10] DEBUG
>>>>> (org.opensaml.core.config.InitializationService): Initializing module
>>>>> initializer implementation:
>>>>> org.opensaml.core.xml.config.XMLObjectProviderInitializer
>>>>> 2021-07-11 23:01:27,468 [] [http-nio-8080-exec-10] DEBUG
>>>>> (org.opensaml.core.config.InitializationService): Initializing module
>>>>> initializer implementation:
>>>>> org.opensaml.core.xml.config.GlobalParserPoolInitializer
>>>>> 2021-07-11 23:01:27,469 [] [http-nio-8080-exec-10] DEBUG
>>>>> (org.opensaml.core.config.InitializationService): Initializing module
>>>>> initializer implementation:
>>>>> org.opensaml.core.metrics.impl.MetricRegistryInitializer
>>>>> 2021-07-11 23:01:27,469 [] [http-nio-8080-exec-10] DEBUG
>>>>> (org.opensaml.core.config.InitializationService): Initializing module
>>>>> initializer implementation:
>>>>> org.opensaml.xacml.config.XMLObjectProviderInitializer
>>>>> 2021-07-11 23:01:27,480 [] [http-nio-8080-exec-10] DEBUG
>>>>> (org.opensaml.core.config.InitializationService): Initializing module
>>>>> initializer implementation:
>>>>> org.opensaml.saml.config.XMLObjectProviderInitializer
>>>>> 2021-07-11 23:01:27,513 [] [http-nio-8080-exec-10] DEBUG
>>>>> (org.opensaml.core.config.InitializationService): Initializing module
>>>>> initializer implementation:
>>>>> org.opensaml.saml.config.SAMLConfigurationInitializer
>>>>> 2021-07-11 23:01:27,513 [] [http-nio-8080-exec-10] DEBUG
>>>>> (org.opensaml.core.config.InitializationService): Initializing module
>>>>> initializer implementation:
>>>>> org.opensaml.xmlsec.config.GlobalAlgorithmRegistryInitializer
>>>>>
>>>>> Regards
>>>>>
>>>>> Gus
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>
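The thread runs into three distinct failure modes in sequence: the Destination mismatch (the IdP was configured with the `/SSO/okta/` assertion consumer path instead of the `/SSO/alias/` path midPoint generates), then "Invalid username and/or password" backed by `UsernameNotFoundException: web.security.provider.invalid`, which Frédéric attributes to the SAML attribute named in `<nameOfUsernameAttribute>` either missing from the assertion or carrying a value that matches no midPoint user. The following Python script is an added example written for this editorial pass; it is not code from the thread, from midPoint or from Evolveum. It reads `<nameOfUsernameAttribute>` out of a trimmed-down copy of the posted security policy, derives the expected assertion consumer URL from the corrected metadata shape Gus reported, and classifies a constructed (unsigned) SAML Response into one of those three outcomes. The URL shape, the trimmed policy, the set of known users and the sample responses are all assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespaces for the response, and the midPoint common-3
# namespace used by the securityPolicy posted in the thread.
SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
MP_NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}

# Constructed for this example: a trimmed-down securityPolicy modelled on the
# one in the thread, keeping only what the username lookup depends on.
POLICY_XML = f"""
<securityPolicy xmlns="{MP_NS['c']}">
  <authentication>
    <modules>
      <saml2>
        <name>mysamlsso</name>
        <serviceProvider>
          <entityId>sp_midpoint</entityId>
          <provider>
            <alias>okta</alias>
            <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
          </provider>
        </serviceProvider>
      </saml2>
    </modules>
  </authentication>
</securityPolicy>
"""

# Constructed stand-in for the midPoint repository; a real check would query it.
KNOWN_USERS = {"administrator", "gus"}


def expected_acs_url(base_url, url_suffix, module_name, sp_entity_id):
    """Assertion consumer URL in the shape of the corrected SP metadata from the
    thread (assumption: <base>/midpoint/auth/<urlSuffix>/<module>/SSO/alias/<spEntityId>)."""
    return f"{base_url}/midpoint/auth/{url_suffix}/{module_name}/SSO/alias/{sp_entity_id}"


def username_attribute(policy_xml, module_name):
    """Return <nameOfUsernameAttribute> of the saml2 module with the given name, or None."""
    root = ET.fromstring(policy_xml.strip())
    for mod in root.findall("c:authentication/c:modules/c:saml2", MP_NS):
        if mod.findtext("c:name", namespaces=MP_NS) == module_name:
            return mod.findtext("c:serviceProvider/c:provider/c:nameOfUsernameAttribute",
                                namespaces=MP_NS)
    return None


def build_response(destination, attributes):
    """Construct a minimal, unsigned SAML Response for the example (not real IdP output)."""
    attrs = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}</saml:AttributeValue>'
        f"</saml:Attribute>"
        for name, value in attributes.items()
    )
    return (
        f'<samlp:Response xmlns:samlp="{SAML_NS["samlp"]}" xmlns:saml="{SAML_NS["saml"]}" '
        f'Destination="{destination}"><saml:Assertion><saml:AttributeStatement>{attrs}'
        f"</saml:AttributeStatement></saml:Assertion></samlp:Response>"
    )


def diagnose(response_xml, expected_acs, attr_name, known_users):
    """Classify a response into the three failure modes seen in the thread, in the
    order they were hit: destination check, username attribute, user lookup."""
    root = ET.fromstring(response_xml)
    destination = root.get("Destination")
    if destination != expected_acs:
        return f"destination mismatch: got {destination}, expected {expected_acs}"
    values = [
        v.text
        for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS)
        if attr.get("Name") == attr_name
        for v in attr.findall("saml:AttributeValue", SAML_NS)
    ]
    if not values:
        return f"missing username attribute '{attr_name}' in assertion"
    if values[0] not in known_users:
        return f"user '{values[0]}' not found in midPoint (web.security.provider.invalid)"
    return f"ok: user '{values[0]}'"


if __name__ == "__main__":
    acs = expected_acs_url("https://192.168.0.46", "default", "mysamlsso", "sp_midpoint")
    attr = username_attribute(POLICY_XML, "mysamlsso")
    cases = {
        "IdP configured with /SSO/okta/ path": build_response(acs.replace("/alias/", "/okta/"), {"uid": "gus"}),
        "IdP sends email instead of uid": build_response(acs, {"email": "gus@example.test"}),
        "uid unknown to midPoint": build_response(acs, {"uid": "gugalou38"}),
        "happy path": build_response(acs, {"uid": "gus"}),
    }
    for label, resp in cases.items():
        print(f"{label}: {diagnose(resp, acs, attr, KNOWN_USERS)}")
```

The script deliberately does no signature validation: in Gus's debug log the signature is validated with the IdP key before `Saml2Provider` fails on the username, so by the time `web.security.provider.invalid` appears the problem is the attribute mapping or the user record, not the trust setup. When the last case reports a user as unknown, compare the exact attribute value the IdP sends (case and any domain suffix included) with the midPoint `name`, and, as Frédéric notes, confirm the matched user also holds a role that authorizes GUI access.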