[midPoint] Flexible Authentication - List of Identity Providers is empty
Gus Lou
gugalou38 at gmail.com
Fri Jul 16 05:00:41 CEST 2021
Hi Frédéric
Thank you again.
I added the items in the midpoint default security policy:
<saml2 id="21">
    <name>mysamlsso</name>
    <description>My internal enterprise SAML-based SSO system.</description>
    <serviceProvider>
        <entityId>sp_midpoint</entityId>
        <signRequests>false</signRequests>
        <wantAssertionsSigned>false</wantAssertionsSigned>
        <nameId>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</nameId> <!-- highlighted in the original message -->
        <provider id="22">
            <entityId>https://www.okta.com/d721K5vASKoJ4x6exko4</entityId>
            <alias>okta</alias>
            <metadata>
                <pathToFile>/opt/midpoint-4.3.1/var/metadata.xml</pathToFile>
            </metadata>
            <skipSslValidation>true</skipSslValidation>
            <linkText>oktapreview</linkText>
            <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
            <nameOfUsernameAttribute>UserName</nameOfUsernameAttribute> <!-- highlighted in the original message -->
        </provider>
    </serviceProvider>
</saml2>
And I gave the midPoint End user role to the user
joana.midpoint at xyz.net
But the error remains. *Invalid username and/or password.*
*My SAML IdP Summary Response:*
Issuer = http://www.okta.com/d721K5vASKoJ4x6exko4
Subject = joana.midpoint at xyz.net
NameID = joana.midpoint at xyz.net
AttributeStatement:
* UserName = joana.midpoint at xyz.net
Do you have any more ideas?
Best Regards
Gus
On Thu, Jul 15, 2021 at 14:35, Frédéric Lohier <frederic at lohier.org>
wrote:
> Yes, you are right, your IDP needs to provide the <name> attribute of your
> users in an SAML attribute (in the midpoint SAML conf, you can specify the
> SAML attribute containing the <name> with <nameOfUsernameAttribute>).
> Also, you need to make sure your user has the appropriate authorization
> (roles) to access the midpoint user interface.
>
> -Frédéric
>
> On Thu, Jul 15, 2021, 19:12 Gus Lou <gugalou38 at gmail.com> wrote:
>
>> One more piece of information
>>
>> I believe it might be the login format informed by the IdP versus the
>> login expected by midpoint.
>>
>> *Debug Log:*
>> 2021-07-15 14:05:59,112 [MODEL] [http-nio-127.0.0.1-8080-exec-5] DEBUG (org.opensaml.xmlsec.signature.support.provider.ApacheSantuarioSignatureValidationProviderImpl): Signature validated with key from supplied credential
>> 2021-07-15 14:05:59,125 [MODEL] [http-nio-127.0.0.1-8080-exec-5] INFO (com.evolveum.midpoint.web.security.provider.Saml2Provider): Authentication with saml module failed: web.security.provider.invalid
>> 2021-07-15 14:05:59,126 [MODEL] [http-nio-127.0.0.1-8080-exec-5] ERROR (com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider): Authentication (runtime) error: web.security.provider.invalid
>> org.springframework.security.core.userdetails.UsernameNotFoundException: web.security.provider.invalid
>>         at com.evolveum.midpoint.model.impl.security.AuthenticationEvaluatorImpl.getAndCheckPrincipal(AuthenticationEvaluatorImpl.java:263)
>>         at com.evolveum.midpoint.model.impl.security.AuthenticationEvaluatorImpl.authenticateUserPreAuthenticated(AuthenticationEvaluatorImpl.java:238)
>>         at com.evolveum.midpoint.web.security.provider.Saml2Provider.internalAuthentication(Saml2Provider.java:93)
>>         at com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider.authenticate(MidPointAbstractAuthenticationProvider.java:92)
>>         at com.evolveum.midpoint.web.security.MidpointProviderManager.authenticate(MidpointProviderManager.java:58)
>>         at jdk.internal.reflect.GeneratedMethodAccessor440.invoke(Unknown Source)
>>
>>
>> On Thu, Jul 15, 2021 at 12:34, Gus Lou <gugalou38 at gmail.com>
>> wrote:
>>
>>> Hi Guys
>>>
>>> I identified an error in my settings, my metadata before looked like
>>> this:
>>> https://192.168.0.46/midpoint/auth/default/mysamlsso/SSO/okta/sp_midpoint
>>>
>>> After the correction, it looked like this:
>>>
>>> https://192.168.0.46/midpoint/auth/default/mysamlsso/SSO/alias/sp_midpoint
>>>
>>> Tip: use Midpoint's metadata generator:
>>>
>>> https://docs.evolveum.com/midpoint/reference/security/authentication/flexible-authentication/configuration/
>>>
>>> Midpoint can generate metadata of SP. You can get it via the link:
>>> http://<midpointHost>/midpoint/auth/<authenticationSequenceUrlSuffix>/<saml2ModuleName>/metadata
>>>
>>> Now I get another error:
>>> * Invalid username and/or password*.
>>>
>>> I keep investigating, I've validated the username and password directly
>>> in my identity provider and the credentials are correct.
>>>
>>> Best Regards
>>>
>>> On Wed, Jul 14, 2021 at 20:14, Gus Lou <gugalou38 at gmail.com>
>>> wrote:
>>>
>>>> Hi Frédéric
>>>> Thank you for your help.
>>>> I followed your recommendation and changed metadata to <pathtofile>.
>>>> Now, Midpoint presented a new message:
>>>> *Validation Errors: 1. Destination
>>>> mismatch: https://192.168.0.46/midpoint/auth/default/mysamlsso/SSO/okta/sp_midpoint*
>>>>
>>>> I'm validating the settings to understand what might be wrong.
>>>>
>>>> Best regards
>>>>
>>>> On Tue, Jul 13, 2021 at 03:30, Frédéric Lohier <
>>>> frederic at lohier.org> wrote:
>>>>
>>>>> Hello Gus,
>>>>>
>>>>> I had the same issue and this was because midpoint did/could not
>>>>> download the IDP metadata specified in <metadataUrl> even though I could
>>>>> download it via a curl command from the server.
>>>>>
>>>>> I ended up using the <pathToFile> with the IDP metadata stored locally
>>>>> on the server.
>>>>>
>>>>> Strangely, I wasn't able to reproduce the bug when I wanted to file an
>>>>> issue, but I did not spend too much time on it either.
>>>>>
>>>>> -Frédéric
>>>>>
>>>>> On Mon, Jul 12, 2021, 22:08 Gus Lou via midPoint <
>>>>> midpoint at lists.evolveum.com> wrote:
>>>>>
>>>>>> Hi Guys
>>>>>>
>>>>>> I configured Midpoint to use Flex Authentication.
>>>>>> In my configuration, I used the SAML2 module, when I try to
>>>>>> authenticate to Midpoint I get the information
>>>>>> *"List of Identity Providers is empty"*
>>>>>> *"Select an Identity Provider"*
>>>>>> I enabled debug to try to understand what might be wrong but I
>>>>>> couldn't identify relevant information.
>>>>>>
>>>>>> *Midpoint Version:* 4.3.1
>>>>>>
>>>>>> *My Default Security Policy:*
>>>>>>
>>>>>> <securityPolicy
>>>>>>     xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>>>>     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>>>>     xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>>>>>>     xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>>>>>>     xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>>>>>>     xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>>>>>>     xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>>>>>>     oid="00000000-0000-0000-0000-000000000120" version="36">
>>>>>>   <name>Default Security Policy</name>
>>>>>>   <authentication>
>>>>>>     <modules>
>>>>>>       <loginForm id="20">
>>>>>>         <name>internalLoginForm</name>
>>>>>>         <description>Internal username/password authentication, default user password, login form</description>
>>>>>>       </loginForm>
>>>>>>       <saml2 id="21">
>>>>>>         <name>mysamlsso</name>
>>>>>>         <description>My internal enterprise SAML-based SSO system.</description>
>>>>>>         <serviceProvider>
>>>>>>           <entityId>sp_midpoint</entityId>
>>>>>>           <signRequests>false</signRequests>
>>>>>>           <wantAssertionsSigned>false</wantAssertionsSigned>
>>>>>>           <singleLogoutEnabled>true</singleLogoutEnabled>
>>>>>>           <provider id="22">
>>>>>>             <entityId>https://www.okta.com/d721K5vASKoJ4x6exko4</entityId>
>>>>>>             <alias>okta</alias>
>>>>>>             <metadata>
>>>>>>               <metadataUrl>https://dev-99301.okta.com/app/d721K5vASKoJ4x6exko4/sso/saml/metadata</metadataUrl>
>>>>>>             </metadata>
>>>>>>             <skipSslValidation>false</skipSslValidation>
>>>>>>             <linkText>oktapreview</linkText>
>>>>>>             <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
>>>>>>             <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
>>>>>>           </provider>
>>>>>>         </serviceProvider>
>>>>>>       </saml2>
>>>>>>     </modules>
>>>>>>     <sequence id="23">
>>>>>>       <name>admin-gui-default</name>
>>>>>>       <description>
>>>>>>         Default GUI authentication sequence.
>>>>>>         We want to try company SSO, federation and internal.
>>>>>>         In that order.
>>>>>>         Just one of them needs to be successful to let the user in.
>>>>>>       </description>
>>>>>>       <channel>
>>>>>>         <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
>>>>>>         <default>true</default>
>>>>>>         <urlSuffix>default</urlSuffix>
>>>>>>       </channel>
>>>>>>       <module id="25">
>>>>>>         <name>mysamlsso</name>
>>>>>>         <order>30</order>
>>>>>>         <necessity>sufficient</necessity>
>>>>>>       </module>
>>>>>>     </sequence>
>>>>>>     <sequence id="24">
>>>>>>       <name>admin-gui-emergency</name>
>>>>>>       <description>
>>>>>>         Special GUI authentication sequence that is using just the internal user password.
>>>>>>         It is used only in emergency. It allows to skip SAML authentication cycles, e.g. in case
>>>>>>         that the SAML authentication is redirecting the browser incorrectly.
>>>>>>       </description>
>>>>>>       <channel>
>>>>>>         <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
>>>>>>         <default>false</default>
>>>>>>         <urlSuffix>emergency</urlSuffix>
>>>>>>       </channel>
>>>>>>       <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType">
>>>>>>         <!-- Superuser -->
>>>>>>       </requireAssignmentTarget>
>>>>>>       <module id="27">
>>>>>>         <name>internalLoginForm</name>
>>>>>>         <order>10</order>
>>>>>>         <necessity>sufficient</necessity>
>>>>>>       </module>
>>>>>>     </sequence>
>>>>>>     <ignoredLocalPath>/actuator</ignoredLocalPath>
>>>>>>     <ignoredLocalPath>/actuator/health</ignoredLocalPath>
>>>>>>   </authentication>
>>>>>>   <credentials>
>>>>>>     <password>
>>>>>>       <minOccurs>0</minOccurs>
>>>>>>       <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
>>>>>>       <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
>>>>>>       <lockoutDuration>PT15M</lockoutDuration>
>>>>>>       <valuePolicyRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" oid="00000000-0000-0000-0000-000000000003" relation="org:default" type="tns:ValuePolicyType">
>>>>>>         <!-- Default Password Policy -->
>>>>>>       </valuePolicyRef>
>>>>>>     </password>
>>>>>>   </credentials>
>>>>>> </securityPolicy>
>>>>>>
>>>>>>
>>>>>> *Midpoint.log:*
>>>>>>
>>>>>> 2021-07-11 23:01:27,323 [] [http-nio-8080-exec-10] INFO (org.opensaml.core.config.InitializationService): Initializing OpenSAML using the Java Services API
>>>>>> 2021-07-11 23:01:27,323 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.soap.config.XMLObjectProviderInitializer
>>>>>> 2021-07-11 23:01:27,340 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.JavaCryptoValidationInitializer
>>>>>> 2021-07-11 23:01:27,340 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.XMLObjectProviderInitializer
>>>>>> 2021-07-11 23:01:27,349 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.ApacheXMLSecurityInitializer
>>>>>> 2021-07-11 23:01:27,349 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.GlobalSecurityConfigurationInitializer
>>>>>> 2021-07-11 23:01:27,349 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.security.config.ClientTLSValidationConfiguratonInitializer
>>>>>> 2021-07-11 23:01:27,350 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xacml.profile.saml.config.XMLObjectProviderInitializer
>>>>>> 2021-07-11 23:01:27,360 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.core.xml.config.XMLObjectProviderInitializer
>>>>>> 2021-07-11 23:01:27,365 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.core.xml.config.GlobalParserPoolInitializer
>>>>>> 2021-07-11 23:01:27,367 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.core.metrics.impl.MetricRegistryInitializer
>>>>>> 2021-07-11 23:01:27,367 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xacml.config.XMLObjectProviderInitializer
>>>>>> 2021-07-11 23:01:27,380 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.saml.config.XMLObjectProviderInitializer
>>>>>> 2021-07-11 23:01:27,416 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.saml.config.SAMLConfigurationInitializer
>>>>>> 2021-07-11 23:01:27,416 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.GlobalAlgorithmRegistryInitializer
>>>>>> 2021-07-11 23:01:27,427 [] [http-nio-8080-exec-10] INFO (org.opensaml.core.config.InitializationService): Initializing OpenSAML using the Java Services API
>>>>>> 2021-07-11 23:01:27,427 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.soap.config.XMLObjectProviderInitializer
>>>>>> 2021-07-11 23:01:27,442 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.JavaCryptoValidationInitializer
>>>>>> 2021-07-11 23:01:27,442 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.XMLObjectProviderInitializer
>>>>>> 2021-07-11 23:01:27,452 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.ApacheXMLSecurityInitializer
>>>>>> 2021-07-11 23:01:27,452 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.GlobalSecurityConfigurationInitializer
>>>>>> 2021-07-11 23:01:27,452 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.security.config.ClientTLSValidationConfiguratonInitializer
>>>>>> 2021-07-11 23:01:27,452 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xacml.profile.saml.config.XMLObjectProviderInitializer
>>>>>> 2021-07-11 23:01:27,462 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.core.xml.config.XMLObjectProviderInitializer
>>>>>> 2021-07-11 23:01:27,468 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.core.xml.config.GlobalParserPoolInitializer
>>>>>> 2021-07-11 23:01:27,469 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.core.metrics.impl.MetricRegistryInitializer
>>>>>> 2021-07-11 23:01:27,469 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xacml.config.XMLObjectProviderInitializer
>>>>>> 2021-07-11 23:01:27,480 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.saml.config.XMLObjectProviderInitializer
>>>>>> 2021-07-11 23:01:27,513 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.saml.config.SAMLConfigurationInitializer
>>>>>> 2021-07-11 23:01:27,513 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.GlobalAlgorithmRegistryInitializer
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Gus
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> midPoint mailing list
>>>>>> midPoint at lists.evolveum.com
>>>>>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>>
>>>>>
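The checks this thread walks through, as an added example that is neither midPoint code nor anything the participants posted: a small SP-side checker in Python that, against a constructed SP metadata document, a constructed midPoint user table and constructed Okta-style Responses, reproduces the Destination mismatch (the ACS URL with `/SSO/okta/` versus the generated one with `/SSO/alias/`), the missing username attribute (`nameOfUsernameAttribute` set to `uid` while the assertion carries `UserName`), and the failed lookup that surfaces as `UsernameNotFoundException: web.security.provider.invalid` when no midPoint user's `name` equals the attribute value. It also compares the Response Issuer with the configured provider `entityId` as an exact string: the configuration in this thread has it as `https://www.okta.com/...` while the IdP summary prints `http://www.okta.com/...`; whether midPoint compares these exactly is an assumption of this example, not something the thread establishes. Signature validation is out of scope (the posted log shows that step passing). The function names, the user table and all XML below are constructed for the example.

```python
# Added example (not midPoint code): an offline SP-side checker that replays
# the failures discussed in this thread. All inputs below are constructed.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Values taken from the thread's configuration and error messages.
IDP_ENTITY_ID = "https://www.okta.com/d721K5vASKoJ4x6exko4"
GOOD_ACS = "https://192.168.0.46/midpoint/auth/default/mysamlsso/SSO/alias/sp_midpoint"
WRONG_ACS = "https://192.168.0.46/midpoint/auth/default/mysamlsso/SSO/okta/sp_midpoint"

# Constructed SP metadata in the shape midPoint serves at
# .../auth/<urlSuffix>/<saml2ModuleName>/metadata (only the ACS matters here).
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="sp_midpoint">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="{GOOD_ACS}" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed midPoint user table: user `name` -> assigned roles (assumption:
# the user was created with a short name, not the e-mail address).
MIDPOINT_USERS = {"joana.midpoint": ["End user"]}

_ATTR_ESC = {'"': "&quot;"}


def acs_location(sp_metadata_xml: str) -> str:
    """The Destination the IdP must put on its Response: the SP's ACS URL."""
    root = ET.fromstring(sp_metadata_xml)
    return root.find(".//md:AssertionConsumerService", NS).get("Location")


def build_response(destination, issuer, name_id, attributes):
    """Constructed, unsigned Response with one Assertion and the given
    AttributeStatement (the IdP side of the exchange, for testing only)."""
    attrs = "".join(
        f'<saml:Attribute Name="{escape(k, _ATTR_ESC)}"><saml:AttributeValue>'
        f"{escape(v)}</saml:AttributeValue></saml:Attribute>"
        for k, v in attributes.items()
    )
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'Destination="{escape(destination, _ATTR_ESC)}">'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        f"<saml:Assertion><saml:Subject><saml:NameID>{escape(name_id)}</saml:NameID>"
        f"</saml:Subject><saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
        f"</saml:Assertion></samlp:Response>"
    )


def check_response(response_xml, expected_destination, expected_issuer,
                   username_attribute, users):
    """Return (status, detail). The order mirrors the thread: Destination
    first, then Issuer (exact-match assumption), then the attribute named by
    nameOfUsernameAttribute, then the lookup of a midPoint user by `name`."""
    root = ET.fromstring(response_xml)
    dest = root.get("Destination")
    if dest != expected_destination:
        return "destination-mismatch", dest
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        return "issuer-mismatch", issuer
    values = [
        v.text for a in root.iterfind(".//saml:Attribute", NS)
        if a.get("Name") == username_attribute
        for v in a.iterfind("saml:AttributeValue", NS)
    ]
    if not values:
        return "username-attribute-missing", username_attribute
    username = values[0]
    if username not in users:
        # midPoint reports this as UsernameNotFoundException / "Invalid username and/or password."
        return "user-not-found", username
    return "ok", username


if __name__ == "__main__":
    acs = acs_location(SP_METADATA)
    okta_attrs = {"UserName": "joana.midpoint@xyz.net"}
    for label, resp, attr in [
        ("old ACS in IdP config", build_response(WRONG_ACS, IDP_ENTITY_ID, "joana.midpoint@xyz.net", okta_attrs), "UserName"),
        ("nameOfUsernameAttribute=uid", build_response(GOOD_ACS, IDP_ENTITY_ID, "joana.midpoint@xyz.net", okta_attrs), "uid"),
        ("nameOfUsernameAttribute=UserName", build_response(GOOD_ACS, IDP_ENTITY_ID, "joana.midpoint@xyz.net", okta_attrs), "UserName"),
        ("IdP sends the midPoint name", build_response(GOOD_ACS, IDP_ENTITY_ID, "joana.midpoint@xyz.net", {"UserName": "joana.midpoint"}), "UserName"),
    ]:
        print(label, "->", check_response(resp, acs, IDP_ENTITY_ID, attr, MIDPOINT_USERS))
```

The last two cases are the ones that matter once the Destination is right: with the attribute name fixed, the value the IdP sends must be exactly the midPoint user's `name`, so either the user is created under the e-mail address or the IdP is configured to send the short name.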