[midPoint] [EXTERNAL] Re: Flexible Authentication SAML2 - Azure Active Directory
Gus Lou
gugalou38 at gmail.com
Mon Jul 26 15:58:52 CEST 2021
Hi Santiago
Thanks for your answer.
Yes, I have two users in Midpoint and Okta IdP:
joana.midpoint at xyz.net
denis.midpoint at xyz.net
Both users have Midpoint Role: End Users assigned and Okta IdP Midpoint
Applications Integrations assigned too.
I am using a tool to debug Saml Trace. Saml request and response are done
successfully from midpoint to idp okta. But for some reason I couldn't
understand midpoint doesn't recognize the user in the saml response,
despite being exactly as registered.
I recreated the midpoint policy settings and the integration in IdP Okta
but to no avail.
I don't know what else to check.
I have attached my settings, prints and logs in case anyone else can help.
Em seg., 26 de jul. de 2021 às 04:40, Sanudo Martinez, Santiago <
Santiago.SanudoMartinez at ingrammicro.com> escreveu:
> Hi,
>
> Have you ensure you have any existing User inside midpoint platform with
> the name matching the mail that you are trying to retrieve?
>
>
>
> Regards,
>
>
>
> *Santiago Sañudo Martínez*
>
> Cloud Security Operations
>
> Plaza de Manuel Llano, Santander, Spain, 39011
>
>
>
> Twitter <http://bit.ly/IngramTwitter> | LinkedIn
> <http://bit.ly/IngramLinkedIN> | Facebook <http://bit.ly/IngramFacebook> |
> YouTube <http://bit.ly/IngramYouTube>
>
>
>
> This email may contain material that is confidential, and proprietary to
> Ingram Micro and subsidiaries, for the sole use of the intended recipient.
> Any review, reliance or distribution by others or forwarding without
> express permission is strictly prohibited. If you are not the intended
> recipient, please contact the sender and delete all copies.
>
>
>
> *From:* Gus Lou <gugalou38 at gmail.com>
> *Sent:* Saturday, July 24, 2021 9:44 PM
> *To:* midPoint General Discussion <midpoint at lists.evolveum.com>
> *Cc:* Pálos Gustáv <gustav.palos at gmail.com>; Sanudo Martinez, Santiago <
> Santiago.SanudoMartinez at ingrammicro.com>
> *Subject:* Re: [midPoint] [EXTERNAL] Re: Flexible Authentication SAML2 -
> Azure Active Directory
>
>
>
> Hi Guys
>
>
>
> Sending (metadata SP and IdP) attachments as they were dropped in the
> previous message.
>
>
>
> I'm investigating whether the information is correct:
>
>
>
> <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
>
>
>
> I've already tried other settings for example:
>
>
>
> <nameOfUsernameAttribute>mail</nameOfUsernameAttribute>
>
> <nameOfUsernameAttribute>username</nameOfUsernameAttribute>
>
> <nameOfUsernameAttribute>email</nameOfUsernameAttribute>
>
> <nameOfUsernameAttribute>emailAdress</nameOfUsernameAttribute>
>
>
>
> But after Midpoint's request and IdP's response, it keeps showing error:
> username/password invalid.
>
>
>
> Regards
>
>
>
> Gus
>
>
>
> Em sex., 23 de jul. de 2021 às 15:16, Gus Lou <gugalou38 at gmail.com>
> escreveu:
>
> Hi Santiago
>
>
>
> Did your SAML 2.0 Midpont and AzureAD authentication test work completely?
>
> I'm trying to do Midpoint integration with IdP Okta, but I get an error
> where it says the username or password is incorrect.
>
> I've already made several configurations and checked the Midpoint (SP) and
> Okta (IdP) metadata (attached), in both the emailAddress is configured as
> login.
>
> But I have not been successful so far.
>
>
>
> Regards
>
> Gus
>
>
>
> Em qui., 22 de jul. de 2021 às 13:07, Sanudo Martinez, Santiago via
> midPoint <midpoint at lists.evolveum.com> escreveu:
>
> Hi,
>
>
>
> It works great. Thanks a lot.
>
>
>
> Get Outlook for Android
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__aka.ms_AAb9ysg&d=DwMFaQ&c=--1RjWWBW4Kf6aBAaj53vPItwfT0BR1YjSDV46P5EvE&r=02nQn_XF01OYsg7KWPE9n6CNvfs_QyztKbAlcXkYqvqpvrlKyhGRLNIt3vGj5sdE&m=ClKq7o94Dox3tyHgnpq_A5GkIMyPwCfRTBF8CJTWjPs&s=TTJRhjcHri9rj3yNqvTPC7UkDeTMZhochzHWhLRb0Ys&e=>
> ------------------------------
>
> *From:* Pálos Gustáv <gustav.palos at gmail.com>
> *Sent:* Thursday, July 22, 2021 2:05:22 PM
> *To:* midPoint General Discussion <midpoint at lists.evolveum.com>
> *Cc:* Sanudo Martinez, Santiago <Santiago.SanudoMartinez at ingrammicro.com>
> *Subject:* [EXTERNAL] Re: [midPoint] Flexible Authentication SAML2 -
> Azure Active Directory
>
>
>
> Hi,
>
>
>
> try to set up in systemConfiguration:
>
> <infrastructure>
> <publicHttpUrlPattern>
> https://host:port/midpoint</publicHttpUrlPattern>
> </infrastructure>
>
> best regards
>
>
>
> Gustav
>
>
>
> št 22. 7. 2021 o 14:01 Sanudo Martinez, Santiago via midPoint <
> midpoint at lists.evolveum.com> napísal(a):
>
> Hi,
>
> We are encountering a problem where we aren’t able to establish login
> using SAML authentication via Azure AD. We have a midpoint instance running
> in a VM with a Nginx proxy which currently redirects everything from http
> to https:
>
> # If the user access through the 80 port (default HTTP port), NGINX will
> redirect him to the 443 (HTTPS)
>
> server {
>
> listen 80;
>
> listen [::]:80;
>
> return 301 https://10.19.5.4
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__10.19.5.4&d=DwMFaQ&c=--1RjWWBW4Kf6aBAaj53vPItwfT0BR1YjSDV46P5EvE&r=02nQn_XF01OYsg7KWPE9n6CNvfs_QyztKbAlcXkYqvqpvrlKyhGRLNIt3vGj5sdE&m=wY8uDlYIFyen_JG8t9WJcfGH_-_rV6CB9IQqdaYLKS0&s=dQ4Zm5nfHPLnJWmYMW1UOBS6DTkLMSCqoNa8BTcVMck&e=>
> ;
>
> }
>
>
>
>
>
>
>
> # If the user access through the 443 port, NGINX will redirect him to
> https://localhost:
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__localhost-3A&d=DwMFaQ&c=--1RjWWBW4Kf6aBAaj53vPItwfT0BR1YjSDV46P5EvE&r=02nQn_XF01OYsg7KWPE9n6CNvfs_QyztKbAlcXkYqvqpvrlKyhGRLNIt3vGj5sdE&m=wY8uDlYIFyen_JG8t9WJcfGH_-_rV6CB9IQqdaYLKS0&s=1u3KlJNdYBRcKfKkYEm4UNFmmbyRwCtvjE92_LAjmtc&e=>8080
> where Kibana is running
>
> server {
>
> listen 443 default_server;
>
> listen [::]:443;
>
> ssl on;
>
> ssl_certificate /etc/pki/tls/certs/midpoint.pem;
>
> ssl_certificate_key /etc/pki/tls/private/midpoint.key;
>
> access_log /var/log/nginx/nginx.access.log;
>
> error_log /var/log/nginx/nginx.error.log;
>
> location / {
>
> proxy_pass http://localhost:8080/
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__localhost-3A8080_&d=DwMFaQ&c=--1RjWWBW4Kf6aBAaj53vPItwfT0BR1YjSDV46P5EvE&r=02nQn_XF01OYsg7KWPE9n6CNvfs_QyztKbAlcXkYqvqpvrlKyhGRLNIt3vGj5sdE&m=wY8uDlYIFyen_JG8t9WJcfGH_-_rV6CB9IQqdaYLKS0&s=EZj1wIuc0WtF3lg5gL1JIywEuRd3PNnpmB6Ae-49U6U&e=>
> ;
>
> }
>
> }
>
>
>
> The Midpoint application is deployed at localhost as described in
> application.yml:
>
> spring:
>
> application:
>
> name: MidPoint
>
> main:
>
> # needed to override springSecurityFilterChain from Spring Security
>
> allow-bean-definition-overriding: true
>
> servlet:
>
> multipart:
>
> max-file-size: 100MB
>
> max-request-size: 100MB
>
> file-size-threshold: 256KB
>
> thymeleaf:
>
> cache: false
>
> server:
>
> address: localhost
>
> port: 8080
>
> tomcat:
>
> basedir: ${midpoint.home}
>
> max-http-post-size: 104857600 # in bytes
>
>
> With this, all the communication done to the Midpoint environment is done with port 443(HTTPS). We have created an app Enterpise at Azure Active Directory and we are configuring the SAML in order to login. To do so we have also establish the following securityPolicy:
>
> <securityPolicy xmlns=http://midpoint.evolveum.com/xml/ns/public/common/common-3 <https://urldefense.proofpoint.com/v2/url?u=http-3A__midpoint.evolveum.com_xml_ns_public_common_common-2D3&d=DwMFaQ&c=--1RjWWBW4Kf6aBAaj53vPItwfT0BR1YjSDV46P5EvE&r=02nQn_XF01OYsg7KWPE9n6CNvfs_QyztKbAlcXkYqvqpvrlKyhGRLNIt3vGj5sdE&m=wY8uDlYIFyen_JG8t9WJcfGH_-_rV6CB9IQqdaYLKS0&s=pKCiD3roafM1o6Z24y5lXNst9GrPlGgFExTNk4oJ140&e=> xmlns:c=http://midpoint.evolveum.com/xml/ns/public/common/common-3 <https://urldefense.proofpoint.com/v2/url?u=http-3A__midpoint.evolveum.com_xml_ns_public_common_common-2D3&d=DwMFaQ&c=--1RjWWBW4Kf6aBAaj53vPItwfT0BR1YjSDV46P5EvE&r=02nQn_XF01OYsg7KWPE9n6CNvfs_QyztKbAlcXkYqvqpvrlKyhGRLNIt3vGj5sdE&m=wY8uDlYIFyen_JG8t9WJcfGH_-_rV6CB9IQqdaYLKS0&s=pKCiD3roafM1o6Z24y5lXNst9GrPlGgFExTNk4oJ140&e=> xmlns:icfs=http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3 <https://urldefense.proofpoint.com/v2/url?u=http-3A__midpoint.evolveum.com_xml_ns_public_connector_icf-2D1_resource-2Dschema-2D3&d=DwMFaQ&c=--1RjWWBW4Kf6aBAaj53vPItwfT0BR1YjSDV46P5EvE&r=02nQn_XF01OYsg7KWPE9n6CNvfs_QyztKbAlcXkYqvqpvrlKyhGRLNIt3vGj5sdE&m=wY8uDlYIFyen_JG8t9WJcfGH_-_rV6CB9IQqdaYLKS0&s=9vsQyAOprOQ7x1gXIMNF8yL_rdrhOFsO4pOqtBXsHPo&e=> xmlns:org=http://midpoint.evolveum.com/xml/ns/public/common/org-3 <https://urldefense.proofpoint.com/v2/url?u=http-3A__midpoint.evolveum.com_xml_ns_public_common_org-2D3&d=DwMFaQ&c=--1RjWWBW4Kf6aBAaj53vPItwfT0BR1YjSDV46P5EvE&r=02nQn_XF01OYsg7KWPE9n6CNvfs_QyztKbAlcXkYqvqpvrlKyhGRLNIt3vGj5sdE&m=wY8uDlYIFyen_JG8t9WJcfGH_-_rV6CB9IQqdaYLKS0&s=0azoD7_FWtExRkcsW7xdXOhaXFMQsVD2LVCrZL_69yo&e=> xmlns:q=http://prism.evolveum.com/xml/ns/public/query-3 <https://urldefense.proofpoint.com/v2/url?u=http-3A__prism.evolveum.com_xml_ns_public_query-2D3&d=DwMFaQ&c=--1RjWWBW4Kf6aBAaj53vPItwfT0BR1YjSDV46P5EvE&r=02nQn_XF01OYsg7KWPE9n6CNvfs_QyztKbAlcXkYqvqpvrlKyhGRLNIt3vGj5sdE&m=wY8uDlYIFyen_JG8t9WJcfGH_-_rV6CB9IQqdaYLKS0&s=TtGgGgXn8I-d0wiDPUsOvL61VrhEH_bdM0t_TIjAcSk&e=> xmlns:ri=http://midpoint.evolveum.com/xml/ns/public/resource/instance-3 <https://urldefense.proofpoint.com/v2/url?u=http-3A__midpoint.evolveum.com_xml_ns_public_resource_instance-2D3&d=DwMFaQ&c=--1RjWWBW4Kf6aBAaj53vPItwfT0BR1YjSDV46P5EvE&r=02nQn_XF01OYsg7KWPE9n6CNvfs_QyztKbAlcXkYqvqpvrlKyhGRLNIt3vGj5sdE&m=wY8uDlYIFyen_JG8t9WJcfGH_-_rV6CB9IQqdaYLKS0&s=c-NcpWqKsyaRYhTafumQZOSp43gyYnY_ocr6YasDcas&e=> xmlns:t=http://prism.evolveum.com/xml/ns/public/types-3 <https://urldefense.proofpoint.com/v2/url?u=http-3A__prism.evolveum.com_xml_ns_public_types-2D3&d=DwMFaQ&c=--1RjWWBW4Kf6aBAaj53vPItwfT0BR1YjSDV46P5EvE&r=02nQn_XF01OYsg7KWPE9n6CNvfs_QyztKbAlcXkYqvqpvrlKyhGRLNIt3vGj5sdE&m=wY8uDlYIFyen_JG8t9WJcfGH_-_rV6CB9IQqdaYLKS0&s=Vqet4MGMIEOxjZVQZa2da5hpExcxZZdkK0OReNV1wMw&e=> oid="00000000-0000-0000-0000-000000000120" version="18">
> <name>Default Security Policy</name>
> <metadata>
> <requestTimestamp>2020-12-01T12:00:15.108Z</requestTimestamp>
> <createTimestamp>2020-12-01T12:00:15.137Z</createTimestamp>
> <createChannel>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#init</createChannel <https://urldefense.proofpoint.com/v2/url?u=http-3A__midpoint.evolveum.com_xml_ns_public_common_channels-2D3-23init-253C_createChannel&d=DwMFaQ&c=--1RjWWBW4Kf6aBAaj53vPItwfT0BR1YjSDV46P5EvE&r=02nQn_XF01OYsg7KWPE9n6CNvfs_QyztKbAlcXkYqvqpvrlKyhGRLNIt3vGj5sdE&m=wY8uDlYIFyen_JG8t9WJcfGH_-_rV6CB9IQqdaYLKS0&s=7qKrVHD_DRAdtT327mzxDaDF6DO6RFkIUz-QvryaCZs&e=>>
> </metadata>
> <operationExecution id="1">
> <timestamp>2020-12-01T12:00:15.179Z</timestamp>
> <operation>
> <objectDelta>
> <t:changeType>add</t:changeType>
> <t:objectType>c:SecurityPolicyType</t:objectType>
> </objectDelta>
> <executionResult>
> <operation>com.evolveum.midpoint.model.impl.lens.ChangeExecutor.executeDelta</operation>
> <status>success</status>
> <importance>normal</importance>
> <token>1000000000000000015</token>
> </executionResult>
> <objectName>Default Security Policy</objectName>
> </operation>
> <status>success</status>
> <channel>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#init</channel <https://urldefense.proofpoint.com/v2/url?u=http-3A__midpoint.evolveum.com_xml_ns_public_common_channels-2D3-23init-253C_channel&d=DwMFaQ&c=--1RjWWBW4Kf6aBAaj53vPItwfT0BR1YjSDV46P5EvE&r=02nQn_XF01OYsg7KWPE9n6CNvfs_QyztKbAlcXkYqvqpvrlKyhGRLNIt3vGj5sdE&m=wY8uDlYIFyen_JG8t9WJcfGH_-_rV6CB9IQqdaYLKS0&s=nnVR8BlwATkGJ8kHbXODbKcgV3ycXZiwl92nnNS1xwQ&e=>>
> </operationExecution>
> <iteration>0</iteration>
> <iterationToken/>
> <authentication>
> <modules>
> <loginForm >
> <name>internalLoginForm</name>
> <description>Internal username/password authentication, default user password, login form</description>
> </loginForm>
> <httpBasic >
> <name>internalBasic</name>
> <description>Internal username/password authentication, using HTTP basic auth</description>
> </httpBasic>
>
> <saml2 >
> <name>azureSsoSaml</name>
> <description>My internal enterprise SAML-based SSO system.</description>
> <network>
> <readTimeout>10000</readTimeout>
> <connectTimeout>5000</connectTimeout>
> </network>
>
> <serviceProvider>
> <entityId>sp_midpoint</entityId>
> <aliasForPath>sp_midpoint</aliasForPath>
>
> <provider>
> <entityId>https://sts.windows.net/484fa682-02f6-4ffa-8cea-f72692457936/</entityId <https://urldefense.proofpoint.com/v2/url?u=https-3A__sts.windows.net_484fa682-2D02f6-2D4ffa-2D8cea-2Df72692457936_-253c_entityId&d=DwMFaQ&c=--1RjWWBW4Kf6aBAaj53vPItwfT0BR1YjSDV46P5EvE&r=02nQn_XF01OYsg7KWPE9n6CNvfs_QyztKbAlcXkYqvqpvrlKyhGRLNIt3vGj5sdE&m=wY8uDlYIFyen_JG8t9WJcfGH_-_rV6CB9IQqdaYLKS0&s=-PcY9PmvgaaVT-1PYbR84LBQb_tahv5hX4YNrkvxwvA&e=>>
> <linkText>ssoazure</linkText>
> <alias>ssoazure</alias>
> <metadata>
> <metadataUrl>https://login.microsoftonline.com/484fa682-02f6-4ffa-8cea-f72692457936/federationmetadata/2007-06/federationmetadata.xml?appid=c1bacfd5-5041-4b02-aac3-fa76e0a3560e</metadataUrl <https://urldefense.proofpoint.com/v2/url?u=https-3A__login.microsoftonline.com_484fa682-2D02f6-2D4ffa-2D8cea-2Df72692457936_federationmetadata_2007-2D06_federationmetadata.xml-3Fappid-3Dc1bacfd5-2D5041-2D4b02-2Daac3-2Dfa76e0a3560e-253c_metadataUrl&d=DwMFaQ&c=--1RjWWBW4Kf6aBAaj53vPItwfT0BR1YjSDV46P5EvE&r=02nQn_XF01OYsg7KWPE9n6CNvfs_QyztKbAlcXkYqvqpvrlKyhGRLNIt3vGj5sdE&m=wY8uDlYIFyen_JG8t9WJcfGH_-_rV6CB9IQqdaYLKS0&s=4_TOIfHvsl30m6gL1oODBhLdwPMpNVuE2qSxOeRQH7A&e=>>
> </metadata>
> <skipSslValidation>true</skipSslValidation>
> <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
> <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
> </provider>
> </serviceProvider>
> </saml2>
> </modules>
> <sequence id="8">
> <name>admin-gui-default</name>
> <description>
> Default GUI authentication sequence.
> We want to try company SSO, federation and internal. In that order.
> Just one of then need to be successful to let user in.
> </description>
> <channel>
> <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId <https://urldefense.proofpoint.com/v2/url?u=http-3A__midpoint.evolveum.com_xml_ns_public_common_channels-2D3-23user-253C_channelId&d=DwMFaQ&c=--1RjWWBW4Kf6aBAaj53vPItwfT0BR1YjSDV46P5EvE&r=02nQn_XF01OYsg7KWPE9n6CNvfs_QyztKbAlcXkYqvqpvrlKyhGRLNIt3vGj5sdE&m=wY8uDlYIFyen_JG8t9WJcfGH_-_rV6CB9IQqdaYLKS0&s=wXlujTt8k1qD0npPFbvW5kc8FRG19gIhj3l9PVKgp4I&e=>>
> <default>true</default>
> <urlSuffix>default</urlSuffix>
> </channel>
> <module>
> <name>azureSsoSaml</name>
> <order>30</order>
> <necessity>sufficient</necessity>
> </module>
>
>
> </sequence>
> <sequence id="9">
> <name>admin-gui-emergency</name>
> <description>
> Special GUI authentication sequence that is using just the internal user password.
> It is used only in emergency. It allows to skip SAML authentication cycles, e.g. in case
> that the SAML authentication is redirecting the browser incorrectly.
> </description>
> <channel>
> <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId <https://urldefense.proofpoint.com/v2/url?u=http-3A__midpoint.evolveum.com_xml_ns_public_common_channels-2D3-23user-253C_channelId&d=DwMFaQ&c=--1RjWWBW4Kf6aBAaj53vPItwfT0BR1YjSDV46P5EvE&r=02nQn_XF01OYsg7KWPE9n6CNvfs_QyztKbAlcXkYqvqpvrlKyhGRLNIt3vGj5sdE&m=wY8uDlYIFyen_JG8t9WJcfGH_-_rV6CB9IQqdaYLKS0&s=wXlujTt8k1qD0npPFbvW5kc8FRG19gIhj3l9PVKgp4I&e=>>
> <default>false</default>
> <urlSuffix>emergency</urlSuffix>
> </channel>
> <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType"/>
> <module id="14">
> <name>internalLoginForm</name>
> <order>30</order>
> <necessity>sufficient</necessity>
> </module>
> </sequence>
> <sequence id="16">
> <name>rest</name>
> <description>
> Authentication sequence for REST service.
> </description>
> <channel>
> <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#rest</channelId <https://urldefense.proofpoint.com/v2/url?u=http-3A__midpoint.evolveum.com_xml_ns_public_common_channels-2D3-23rest-253C_channelId&d=DwMFaQ&c=--1RjWWBW4Kf6aBAaj53vPItwfT0BR1YjSDV46P5EvE&r=02nQn_XF01OYsg7KWPE9n6CNvfs_QyztKbAlcXkYqvqpvrlKyhGRLNIt3vGj5sdE&m=wY8uDlYIFyen_JG8t9WJcfGH_-_rV6CB9IQqdaYLKS0&s=KvSgCH-OU7gkTStlJ86pRViHie1Md8XUuQgPfr9tpFM&e=>>
> <default>true</default>
> <urlSuffix>rest-default</urlSuffix>
> </channel>
> <module id="18">
> <name>internalBasic</name>
> <order>10</order>
> <necessity>sufficient</necessity>
> </module>
> </sequence>
> <sequence id="17">
> <name>actuator</name>
> <description>
> Authentication sequence for actuator.
> </description>
> <channel>
> <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#actuator</channelId <https://urldefense.proofpoint.com/v2/url?u=http-3A__midpoint.evolveum.com_xml_ns_public_common_channels-2D3-23actuator-253C_channelId&d=DwMFaQ&c=--1RjWWBW4Kf6aBAaj53vPItwfT0BR1YjSDV46P5EvE&r=02nQn_XF01OYsg7KWPE9n6CNvfs_QyztKbAlcXkYqvqpvrlKyhGRLNIt3vGj5sdE&m=wY8uDlYIFyen_JG8t9WJcfGH_-_rV6CB9IQqdaYLKS0&s=KlXh3Dbt_WQcv5Bm9__qXj5rv_-TdbZfGkgmObsguJo&e=>>
> <default>true</default>
> <urlSuffix>actuator-default</urlSuffix>
> </channel>
> <module id="19">
> <name>internalBasic</name>
> <order>10</order>
> <necessity>sufficient</necessity>
> </module>
> </sequence>
> <ignoredLocalPath>/actuator</ignoredLocalPath>
> <ignoredLocalPath>/actuator/health</ignoredLocalPath>
> </authentication>
> <credentials>
> <password>
> <minOccurs>0</minOccurs>
> <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
> <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
> <lockoutDuration>PT15M</lockoutDuration>
> <valuePolicyRef xmlns:tns=http://midpoint.evolveum.com/xml/ns/public/common/common-3 <https://urldefense.proofpoint.com/v2/url?u=http-3A__midpoint.evolveum.com_xml_ns_public_common_common-2D3&d=DwMFaQ&c=--1RjWWBW4Kf6aBAaj53vPItwfT0BR1YjSDV46P5EvE&r=02nQn_XF01OYsg7KWPE9n6CNvfs_QyztKbAlcXkYqvqpvrlKyhGRLNIt3vGj5sdE&m=wY8uDlYIFyen_JG8t9WJcfGH_-_rV6CB9IQqdaYLKS0&s=pKCiD3roafM1o6Z24y5lXNst9GrPlGgFExTNk4oJ140&e=> oid="00000000-0000-0000-0000-000000000003" relation="org:default" type="tns:ValuePolicyType"/>
> </password>
> </credentials>
> </securityPolicy>
>
>
>
> Regarding the Azure enterprise application saml config:
>
>
> Being the midpoint resource IP: 10.19.5.4.
>
>
> After I start I get the following error display:
>
>
>
> And if I select the identity provider it redirects me to:
>
>
>
> Any ideas?
>
> Regards,
>
>
>
> *Santiago Sañudo Martínez*
>
>
> La información contenida en este mensaje es confidencial. En caso de que
> reciba este mensaje por error le rogamos lo comunique a la mayor brevedad
> al emisor y proceda a su eliminación definitiva, absteniéndose de copiar,
> almacenar o difundir su contenido. De acuerdo con lo establecido en la Ley
> Orgánica 15/1999, de Protección de Datos de Carácter Personal y en el
> Reglamento de Desarrollo 1720/2007, los datos personales que facilite a
> través de la dirección de correo indicada serán incorporados a un fichero
> titularidad de INGRAM MICRO, S.L.U., con domicilio en C/ Antonio Machado,
> 78-80 1ª y 2ª pl. Business Park ( 08840-Viladecans). Mediante el envío de
> sus datos, Ud. otorga su consentimiento expreso a INGRAM MICRO, S.L.U, para
> el tratamiento de sus datos, con la finalidad de atender a su consulta y/o
> mantener la relación profesional, comercial, y/o contractual que en su caso
> establezca con INGRAM MICRO, S.L.U. Puede ejercitar sus derechos de acceso,
> rectificación, cancelación y oposición notificándolo por escrito a la
> dirección del remitente, o a la siguiente dirección de correo
> nuevascuentas at ingrammicro.es. De acuerdo con la Ley 34/2002, de Servicios
> de la Sociedad de la Información y de Comercio Electrónico, Vd. podrá
> oponerse en cualquier momento al tratamiento de sus datos con fines
> promocionales notificándonoslo por escrito a la dirección de correo
> mencionada.
>
> .................................................................................................................................................................................................................................................
> The information contained in this message is confidential. If you receive
> this message by error please notify it as soon as possible to the sender
> and proceed to their final elimination by not copy, store or distribute its
> content. In accordance of what is stated in the Law 15/1999, of Data
> Personal Protection and Regulation Rule 1720/2007, the personal data
> provided through the email address you entered will be included in a file
> owned by INGRAM MICRO, SLU, located at C/ Antonio Machado, 78-80 1ª y 2ª
> pl. Business Park ( 08840-Viladecans). By submitting your data, you
> expressly give your consent to INGRAM MICRO, SLU, to the treatment of your
> data, in order to answer to your questions and / or keep the professional,
> commercial relationship and / or contractual set with INGRAM MICRO, SLU
> You can exercise your rights of access, rectification, cancellation and
> opposition by giving written notification to the sender address or to the
> following email: nuevascuentas at ingrammicro.es. According to Law 34/2002,
> of the Information Society and Electronic Commerce, you may object at any
> time to your data treatment for promotional purposes by notifying us in
> writing to the email address above.
> [Ingram_2818e5de]
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.evolveum.com_mailman_listinfo_midpoint&d=DwMFaQ&c=--1RjWWBW4Kf6aBAaj53vPItwfT0BR1YjSDV46P5EvE&r=02nQn_XF01OYsg7KWPE9n6CNvfs_QyztKbAlcXkYqvqpvrlKyhGRLNIt3vGj5sdE&m=wY8uDlYIFyen_JG8t9WJcfGH_-_rV6CB9IQqdaYLKS0&s=TRHFEc2tHt69L3kWUx8OBHrO6AxZt-o7vygCffCRdPk&e=>
>
>
>
>
> --
>
> s pozdravom
>
>
>
> Gustáv Pálos
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.evolveum.com_mailman_listinfo_midpoint&d=DwMFaQ&c=--1RjWWBW4Kf6aBAaj53vPItwfT0BR1YjSDV46P5EvE&r=02nQn_XF01OYsg7KWPE9n6CNvfs_QyztKbAlcXkYqvqpvrlKyhGRLNIt3vGj5sdE&m=ClKq7o94Dox3tyHgnpq_A5GkIMyPwCfRTBF8CJTWjPs&s=4ZachGRGBwmpy3BkEe4Gi6kPYCFWODa9eg-LZqOWzj8&e=>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20210726/4efd5284/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 2057 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20210726/4efd5284/attachment-0001.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 23721 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20210726/4efd5284/attachment-0006.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 26443 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20210726/4efd5284/attachment-0007.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 7651 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20210726/4efd5284/attachment-0008.png>
-------------- next part --------------
<securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" oid="00000000-0000-0000-0000-000000000120" version="73">
<name>Default Security Policy</name>
<metadata>
<requestTimestamp>2021-07-06T19:01:09.755-03:00</requestTimestamp>
<createTimestamp>2021-07-06T19:01:09.775-03:00</createTimestamp>
<createChannel>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#init</createChannel>
</metadata>
<operationExecution id="1">
<recordType>simple</recordType>
<timestamp>2021-07-06T19:01:09.822-03:00</timestamp>
<operation>
<objectDelta>
<t:changeType>add</t:changeType>
<t:objectType>c:SecurityPolicyType</t:objectType>
</objectDelta>
<executionResult>
<operation>com.evolveum.midpoint.model.impl.lens.ChangeExecutor.executeDelta</operation>
<status>success</status>
<importance>normal</importance>
<token>1000000000000000018</token>
</executionResult>
<objectName>Default Security Policy</objectName>
</operation>
<status>success</status>
<channel>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#init</channel>
</operationExecution>
<iteration>0</iteration>
<iterationToken/>
<authentication>
<modules>
<loginForm id="20">
<name>internalLoginForm</name>
<description>Internal username/password authentication, default user password, login form</description>
</loginForm>
<saml2 id="21">
<name>mysamlsso</name>
<description>My internal enterprise SAML-based SSO system.</description>
<serviceProvider>
<entityId>spmidpoint</entityId>
<aliasForPath>spmidpoint</aliasForPath>
<nameId>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</nameId>
<provider id="22">
<entityId>http://www.okta.com/exk3x80a0aHHzzf4A4x7</entityId>
<alias>okta</alias>
<metadata>
<pathToFile>/opt/midpoint-4.3.1/var/metadata.xml</pathToFile>
</metadata>
<skipSslValidation>true</skipSslValidation>
<linkText>oktapreview</linkText>
<authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
<nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
</provider>
</serviceProvider>
</saml2>
</modules>
<sequence id="23">
<name>admin-gui-default</name>
<description>
Default GUI authentication sequence.
We want to try company SSO, federation and internal. In that order.
Just one of then need to be successful to let user in.
</description>
<channel>
<channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
<default>true</default>
<urlSuffix>default</urlSuffix>
</channel>
<module id="25">
<name>mysamlsso</name>
<order>10</order>
<necessity>sufficient</necessity>
</module>
</sequence>
<sequence id="24">
<name>admin-gui-emergency</name>
<description>
Special GUI authentication sequence that is using just the internal user password.
It is used only in emergency. It allows to skip SAML authentication cycles, e.g. in case
that the SAML authentication is redirecting the browser incorrectly.
</description>
<channel>
<channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
<default>false</default>
<urlSuffix>emergency</urlSuffix>
</channel>
<requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType">
<!-- Superuser -->
</requireAssignmentTarget>
<module id="27">
<name>internalLoginForm</name>
<order>20</order>
<necessity>sufficient</necessity>
</module>
</sequence>
<ignoredLocalPath>/actuator</ignoredLocalPath>
<ignoredLocalPath>/actuator/health</ignoredLocalPath>
</authentication>
<credentials>
<password>
<minOccurs>0</minOccurs>
<lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
<lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
<lockoutDuration>PT15M</lockoutDuration>
<valuePolicyRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" oid="00000000-0000-0000-0000-000000000003" relation="org:default" type="tns:ValuePolicyType">
<!-- Default Password Policy -->
</valuePolicyRef>
</password>
</credentials>
</securityPolicy>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: midpoint_End_User_role_members.PNG
Type: image/png
Size: 35707 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20210726/4efd5284/attachment-0009.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: midpoint_users.PNG
Type: image/png
Size: 43704 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20210726/4efd5284/attachment-0010.png>
-------------- next part --------------
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
ID="SPM13ce33e0-f5a4-4b6c-8896-6548433c62e3"
entityID="spmidpoint">
<md:SPSSODescriptor AuthnRequestsSigned="false"
ID="RDc96cd377-d4a2-45d5-ba8c-b6b1622cdee4"
WantAssertionsSigned="false"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://midpoint-03/midpoint/auth/default/mysamlsso/SSO/alias/spmidpoint"
index="0"
isDefault="true"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://midpoint-03/midpoint/auth/default/mysamlsso/SSO/alias/spmidpoint"
index="1"
isDefault="false"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
-------------- next part --------------
<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor entityID="http://www.okta.com/exk3x80a0aHHzzf4A4x7" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"><md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAXOn7be0MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
MBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi02MDEzMDExHDAaBgkqhkiG9w0BCQEW
DWluZm9Ab2t0YS5jb20wHhcNMjAwODAxMDI0OTQwWhcNMzAwODAxMDI1MDQwWjCBkjELMAkGA1UE
BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV
BAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNjAxMzAxMRwwGgYJ
KoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
p6v8c5nefgueasOC8cobc7Byt5o3rr2BXMDpBQ91mWVSYhV3C2x1L6We+nZl/cKZvQUX3XQce+4o
ikI/xYEctyYdU3NQvUKl0J+QZ/1qu5E49nrLqGVrD4lqh5OrvzeBZ42Q0gqSd0vfeWZGTPFHyOuR
tgSBZelS9VUlC/jfKxBV1yCn8aJHx+oUt8EY/aTnmGSUWWeKNu9A4yWMaq+QakEk7vN6ysusIAoi
pZM9pXoEgy020nf/LTRXqXkmap7A1J3DGJDEf/B//ROfGTM8ppb/QDSJ9nOksVvK3tvDoC7ft+ae
9ew3GWRPu5lfkRUyYR6onP7EPrm56vENx5AzYQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAc/04K
jDm/vERMECaEX7K/Ox9k7rCWaTd1Pm08ysmOn67e1XtdKIPqypu3UJ4fap3Ec+ahRO+/gCSlI6Ju
PZLTv33HOVsftrmifmmDoV8gll5m0WVrzBrNxqkOWatzy7VoaVm194ThwL5oi7UWWGXCmswxTrVu
xclgDDToyqh2QNB96Pblp5lRB7aIZFzKTLdLD4fdGtoLa6huJfcJ/rSLpZLfMVetmnkjqjXQ+XY9
DY2IxhhuxGPHLqFT/YfO/RmJd9keXfM9lIiJl1+9N8eFskiMwUlV0RriPU9GEGt2fJRZxZqw/c7A
9u92XgEJLCIVs0onGbhUfoI5r702fcEM</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://dev-601301.okta.com/app/dev-601301_midpoint_1/exk3x80a0aHHzzf4A4x7/sso/saml"/><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://dev-601301.okta.com/app/dev-601301_midpoint_1/exk3x80a0aHHzzf4A4x7/sso/saml"/></md:IDPSSODescriptor></md:EntityDescriptor>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: okta_users.PNG
Type: image/png
Size: 43350 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20210726/4efd5284/attachment-0011.png>
-------------- next part --------------
2021-07-26 10:52:51,154 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.impl.SignatureUnmarshaller): Starting to unmarshall Apache XML-Security-based SignatureImpl element
2021-07-26 10:52:51,154 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.impl.SignatureUnmarshaller): Constructing Apache XMLSignature object
2021-07-26 10:52:51,154 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.impl.SignatureUnmarshaller): Adding canonicalization and signing algorithms, and HMAC output length to Signature
2021-07-26 10:52:51,154 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.impl.SignatureUnmarshaller): Adding KeyInfo to Signature
2021-07-26 10:52:51,154 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.impl.SignatureUnmarshaller): Starting to unmarshall Apache XML-Security-based SignatureImpl element
2021-07-26 10:52:51,154 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.impl.SignatureUnmarshaller): Constructing Apache XMLSignature object
2021-07-26 10:52:51,154 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.impl.SignatureUnmarshaller): Adding canonicalization and signing algorithms, and HMAC output length to Signature
2021-07-26 10:52:51,154 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.impl.SignatureUnmarshaller): Adding KeyInfo to Signature
2021-07-26 10:52:51,156 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.impl.SignatureUnmarshaller): Starting to unmarshall Apache XML-Security-based SignatureImpl element
2021-07-26 10:52:51,156 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.impl.SignatureUnmarshaller): Constructing Apache XMLSignature object
2021-07-26 10:52:51,156 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.impl.SignatureUnmarshaller): Adding canonicalization and signing algorithms, and HMAC output length to Signature
2021-07-26 10:52:51,156 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.impl.SignatureUnmarshaller): Adding KeyInfo to Signature
2021-07-26 10:52:51,156 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.impl.SignatureUnmarshaller): Starting to unmarshall Apache XML-Security-based SignatureImpl element
2021-07-26 10:52:51,156 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.impl.SignatureUnmarshaller): Constructing Apache XMLSignature object
2021-07-26 10:52:51,156 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.impl.SignatureUnmarshaller): Adding canonicalization and signing algorithms, and HMAC output length to Signature
2021-07-26 10:52:51,156 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.impl.SignatureUnmarshaller): Adding KeyInfo to Signature
2021-07-26 10:52:51,158 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.security.credential.impl.KeyStoreCredentialResolver): Building credential from keystore entry for entityID signing-0, usage type UNSPECIFIED
2021-07-26 10:52:51,158 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.security.credential.impl.KeyStoreCredentialResolver): Processing TrustedCertificateEntry from keystore
2021-07-26 10:52:51,158 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.security.credential.criteria.impl.EvaluableCredentialCriteriaRegistry): Registry located evaluable criteria class org.opensaml.security.credential.criteria.impl.EvaluableEntityIDCredentialCriterion for criteria class org.opensaml.core.criterion.EntityIdCriterion
2021-07-26 10:52:51,158 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.support.SignatureValidationProvider): Using a validation provider of implementation: org.opensaml.xmlsec.signature.support.provider.ApacheSantuarioSignatureValidationProviderImpl
2021-07-26 10:52:51,158 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.support.provider.ApacheSantuarioSignatureValidationProviderImpl): Attempting to validate signature using key from supplied credential
2021-07-26 10:52:51,158 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.support.provider.ApacheSantuarioSignatureValidationProviderImpl): Accessing XMLSignature object
2021-07-26 10:52:51,158 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.support.provider.ApacheSantuarioSignatureValidationProviderImpl): Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
2021-07-26 10:52:51,158 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.support.provider.ApacheSantuarioSignatureValidationProviderImpl): Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
2021-07-26 10:52:51,163 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.support.provider.ApacheSantuarioSignatureValidationProviderImpl): Signature validated with key from supplied credential
2021-07-26 10:52:51,165 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.security.credential.impl.KeyStoreCredentialResolver): Building credential from keystore entry for entityID signing-0, usage type UNSPECIFIED
2021-07-26 10:52:51,165 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.security.credential.impl.KeyStoreCredentialResolver): Processing TrustedCertificateEntry from keystore
2021-07-26 10:52:51,165 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.security.credential.criteria.impl.EvaluableCredentialCriteriaRegistry): Registry located evaluable criteria class org.opensaml.security.credential.criteria.impl.EvaluableEntityIDCredentialCriterion for criteria class org.opensaml.core.criterion.EntityIdCriterion
2021-07-26 10:52:51,165 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.support.SignatureValidationProvider): Using a validation provider of implementation: org.opensaml.xmlsec.signature.support.provider.ApacheSantuarioSignatureValidationProviderImpl
2021-07-26 10:52:51,165 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.support.provider.ApacheSantuarioSignatureValidationProviderImpl): Attempting to validate signature using key from supplied credential
2021-07-26 10:52:51,165 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.support.provider.ApacheSantuarioSignatureValidationProviderImpl): Accessing XMLSignature object
2021-07-26 10:52:51,165 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.support.provider.ApacheSantuarioSignatureValidationProviderImpl): Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
2021-07-26 10:52:51,165 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.support.provider.ApacheSantuarioSignatureValidationProviderImpl): Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
2021-07-26 10:52:51,170 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.support.provider.ApacheSantuarioSignatureValidationProviderImpl): Signature validated with key from supplied credential
2021-07-26 10:52:51,173 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.security.credential.impl.KeyStoreCredentialResolver): Building credential from keystore entry for entityID signing-0, usage type UNSPECIFIED
2021-07-26 10:52:51,173 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.security.credential.impl.KeyStoreCredentialResolver): Processing TrustedCertificateEntry from keystore
2021-07-26 10:52:51,173 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.security.credential.criteria.impl.EvaluableCredentialCriteriaRegistry): Registry located evaluable criteria class org.opensaml.security.credential.criteria.impl.EvaluableEntityIDCredentialCriterion for criteria class org.opensaml.core.criterion.EntityIdCriterion
2021-07-26 10:52:51,173 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.support.SignatureValidationProvider): Using a validation provider of implementation: org.opensaml.xmlsec.signature.support.provider.ApacheSantuarioSignatureValidationProviderImpl
2021-07-26 10:52:51,173 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.support.provider.ApacheSantuarioSignatureValidationProviderImpl): Attempting to validate signature using key from supplied credential
2021-07-26 10:52:51,173 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.support.provider.ApacheSantuarioSignatureValidationProviderImpl): Accessing XMLSignature object
2021-07-26 10:52:51,173 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.support.provider.ApacheSantuarioSignatureValidationProviderImpl): Validating signature with signature algorithm URI: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
2021-07-26 10:52:51,173 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.support.provider.ApacheSantuarioSignatureValidationProviderImpl): Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
2021-07-26 10:52:51,179 [MODEL] [http-nio-127.0.0.1-8080-exec-10] DEBUG (org.opensaml.xmlsec.signature.support.provider.ApacheSantuarioSignatureValidationProviderImpl): Signature validated with key from supplied credential
2021-07-26 10:52:51,184 [MODEL] [http-nio-127.0.0.1-8080-exec-10] INFO (com.evolveum.midpoint.web.security.provider.Saml2Provider): Authentication with saml module failed: web.security.provider.invalid
2021-07-26 10:52:51,184 [MODEL] [http-nio-127.0.0.1-8080-exec-10] ERROR (com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider): Authentication (runtime) error: web.security.provider.invalid
org.springframework.security.core.userdetails.UsernameNotFoundException: web.security.provider.invalid
at com.evolveum.midpoint.model.impl.security.AuthenticationEvaluatorImpl.getAndCheckPrincipal(AuthenticationEvaluatorImpl.java:263)
at com.evolveum.midpoint.model.impl.security.AuthenticationEvaluatorImpl.authenticateUserPreAuthenticated(AuthenticationEvaluatorImpl.java:238)
at com.evolveum.midpoint.web.security.provider.Saml2Provider.internalAuthentication(Saml2Provider.java:93)
at com.evolveum.midpoint.web.security.provider.MidPointAbstractAuthenticationProvider.authenticate(MidPointAbstractAuthenticationProvider.java:92)
at com.evolveum.midpoint.web.security.MidpointProviderManager.authenticate(MidpointProviderManager.java:58)
at jdk.internal.reflect.GeneratedMethodAccessor436.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:344)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:198)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
at org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:137)
at org.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:124)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:215)
at com.sun.proxy.$Proxy177.authenticate(Unknown Source)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:201)
at org.springframework.security.saml.provider.service.authentication.SamlAuthenticationResponseFilter.attemptAuthentication(SamlAuthenticationResponseFilter.java:105)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:222)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
at com.evolveum.midpoint.web.security.filter.MidpointSamlAuthenticationResponseFilter.doFilter(MidpointSamlAuthenticationResponseFilter.java:70)
at com.evolveum.midpoint.web.security.filter.MidpointAuthFilter$VirtualFilterChain.doFilter(MidpointAuthFilter.java:418)
at org.springframework.security.saml.provider.service.SamlAuthenticationRequestFilter.doFilterInternal(SamlAuthenticationRequestFilter.java:89)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at com.evolveum.midpoint.web.security.filter.MidpointAuthFilter$VirtualFilterChain.doFilter(MidpointAuthFilter.java:418)
at org.springframework.security.saml.provider.SamlMetadataFilter.doFilterInternal(SamlMetadataFilter.java:75)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at com.evolveum.midpoint.web.security.filter.MidpointAuthFilter$VirtualFilterChain.doFilter(MidpointAuthFilter.java:418)
at org.springframework.security.saml.provider.config.ThreadLocalSamlConfigurationFilter.doFilterInternal(ThreadLocalSamlConfigurationFilter.java:42)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at com.evolveum.midpoint.web.security.filter.MidpointAuthFilter$VirtualFilterChain.doFilter(MidpointAuthFilter.java:418)
at com.evolveum.midpoint.web.security.filter.RedirectForLoginPagesWithAuthenticationFilter.doFilterInternal(RedirectForLoginPagesWithAuthenticationFilter.java:39)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at com.evolveum.midpoint.web.security.filter.MidpointAuthFilter$VirtualFilterChain.doFilter(MidpointAuthFilter.java:418)
at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at com.evolveum.midpoint.web.security.filter.MidpointAuthFilter$VirtualFilterChain.doFilter(MidpointAuthFilter.java:418)
at com.evolveum.midpoint.web.security.filter.MidpointAuthFilter.doFilterInternal(MidpointAuthFilter.java:226)
at com.evolveum.midpoint.web.security.filter.MidpointAuthFilter.doFilter(MidpointAuthFilter.java:109)
at com.evolveum.midpoint.web.security.filter.MidpointFilterChainProxy$VirtualFilterChain.doFilter(MidpointFilterChainProxy.java:169)
at com.evolveum.midpoint.web.security.filter.TranslateExceptionFilter.doFilterInternal(TranslateExceptionFilter.java:32)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at com.evolveum.midpoint.web.security.filter.MidpointFilterChainProxy$VirtualFilterChain.doFilter(MidpointFilterChainProxy.java:171)
at org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:147)
at org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:125)
at com.evolveum.midpoint.web.security.filter.MidpointFilterChainProxy$VirtualFilterChain.doFilter(MidpointFilterChainProxy.java:171)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:110)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
at com.evolveum.midpoint.web.security.filter.MidpointFilterChainProxy$VirtualFilterChain.doFilter(MidpointFilterChainProxy.java:171)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:55)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at com.evolveum.midpoint.web.security.filter.MidpointFilterChainProxy$VirtualFilterChain.doFilter(MidpointFilterChainProxy.java:171)
at com.evolveum.midpoint.web.security.filter.MidpointFilterChainProxy.doFilterInternal(MidpointFilterChainProxy.java:95)
at com.evolveum.midpoint.web.security.filter.MidpointFilterChainProxy.doFilter(MidpointFilterChainProxy.java:60)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:93)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at com.evolveum.midpoint.web.boot.TrailingSlashRedirectingFilter.doFilterInternal(TrailingSlashRedirectingFilter.java:60)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
at com.evolveum.midpoint.web.boot.NodeIdHeaderValve.invoke(NodeIdHeaderValve.java:46)
at com.evolveum.midpoint.web.boot.TomcatRootValve.invoke(TomcatRootValve.java:62)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:887)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1684)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:829)
-------------- next part --------------
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://midpoint-03/midpoint/auth/default/mysamlsso/SSO/alias/spmidpoint"
Destination="https://dev-601301.okta.com/app/dev-601301_midpoint_1/exk3x80a0aHHzzf4A4x7/sso/saml"
ForceAuthn="false"
ID="ARQ44511cc-c203-4dd4-8540-d7283faf39e3"
IsPassive="false"
IssueInstant="2021-07-26T13:52:49.869Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">spmidpoint</saml2:Issuer>
<saml2p:NameIDPolicy AllowCreate="true"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
/>
</saml2p:AuthnRequest>
-------------- next part --------------
<saml2p:Response Destination="https://midpoint-03/midpoint/auth/default/mysamlsso/SSO/alias/spmidpoint"
ID="id6937532991194374553402775"
InResponseTo="ARQ44511cc-c203-4dd4-8540-d7283faf39e3"
IssueInstant="2021-07-26T13:52:50.817Z"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
>
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>http://www.okta.com/exk3x80a0aHHzzf4A4x7</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#id6937532991194374553402775">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xs"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>RekulMG/HFwep7mRM3WWHK6hOLV8r6YAf5cm/R1QOYQ=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>nQI7ln4vWlwpQVkt1ayFhmXj9wRD0qjbhT31zlkNBnpyuXuad2BngvcWPvBUlGqw7GrgAhZzXG47aVm8HUBDn02HKFNDDSvjZkIJ6vsD0cLf4nRyP/K43wzCTNgGE/1w0l1gUOHJP8HXd+OjJPcoKFwENBTPk4BgDTRQc5zfLBP6c8/MixiZInWcW9VMAip5LU4WMTL3b6ECvrKjhrmCKDZsq6oTrPngSrHq4Ax7qTwaCG5at9trUsS8E1tt6OhC9U+LX4jDRGZx7V8xMD2biKahJSc81d0axSbBrLxTqwkBmY/uTkbT57gMEsiSttTyiP0mXhM8R/ClDZIqL3oPnw==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAXOn7be0MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
MBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi02MDEzMDExHDAaBgkqhkiG9w0BCQEW
DWluZm9Ab2t0YS5jb20wHhcNMjAwODAxMDI0OTQwWhcNMzAwODAxMDI1MDQwWjCBkjELMAkGA1UE
BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV
BAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNjAxMzAxMRwwGgYJ
KoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
p6v8c5nefgueasOC8cobc7Byt5o3rr2BXMDpBQ91mWVSYhV3C2x1L6We+nZl/cKZvQUX3XQce+4o
ikI/xYEctyYdU3NQvUKl0J+QZ/1qu5E49nrLqGVrD4lqh5OrvzeBZ42Q0gqSd0vfeWZGTPFHyOuR
tgSBZelS9VUlC/jfKxBV1yCn8aJHx+oUt8EY/aTnmGSUWWeKNu9A4yWMaq+QakEk7vN6ysusIAoi
pZM9pXoEgy020nf/LTRXqXkmap7A1J3DGJDEf/B//ROfGTM8ppb/QDSJ9nOksVvK3tvDoC7ft+ae
9ew3GWRPu5lfkRUyYR6onP7EPrm56vENx5AzYQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAc/04K
jDm/vERMECaEX7K/Ox9k7rCWaTd1Pm08ysmOn67e1XtdKIPqypu3UJ4fap3Ec+ahRO+/gCSlI6Ju
PZLTv33HOVsftrmifmmDoV8gll5m0WVrzBrNxqkOWatzy7VoaVm194ThwL5oi7UWWGXCmswxTrVu
xclgDDToyqh2QNB96Pblp5lRB7aIZFzKTLdLD4fdGtoLa6huJfcJ/rSLpZLfMVetmnkjqjXQ+XY9
DY2IxhhuxGPHLqFT/YfO/RmJd9keXfM9lIiJl1+9N8eFskiMwUlV0RriPU9GEGt2fJRZxZqw/c7A
9u92XgEJLCIVs0onGbhUfoI5r702fcEM</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion ID="id693753299126415644244679"
IssueInstant="2021-07-26T13:52:50.817Z"
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
>
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>http://www.okta.com/exk3x80a0aHHzzf4A4x7</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#id693753299126415644244679">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xs"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>Mq9nTKRe7BenuRERb+ARwjyP0MY95boJshU4eyv/yG4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>cWUFaX5nvxqZT+CNIg8ki/mQpW5cwfdAzWvav7co7OgjaDWNeKK//QtVGZCkmHxL4e5bS/7G0bPqxTy/RZe0R3zB0nuCtbHwNojYguoKM4gVYIoWUeApXOpo0/uaAa67ulRMsbOvBwEhH9fy+EaSmtvMMaGdKRqSrM3V4WbpT9ymONZQ0+HxFxkwkzNgzS+ysKNHkSS4zJQl97fr1a7qYWQjZQ4LpAJpSKQSyBJpBjYZgvi9AT+6bjUHzDsXBKA5Ef5Ih46d/1M5TXJ/eRcuMDH+KG/+XU1HBnxpPopt4R57GYAbXRyFcQhOhIywZxEljbhroy324IH+l10EmaqY5g==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAXOn7be0MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
MBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi02MDEzMDExHDAaBgkqhkiG9w0BCQEW
DWluZm9Ab2t0YS5jb20wHhcNMjAwODAxMDI0OTQwWhcNMzAwODAxMDI1MDQwWjCBkjELMAkGA1UE
BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV
BAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNjAxMzAxMRwwGgYJ
KoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
p6v8c5nefgueasOC8cobc7Byt5o3rr2BXMDpBQ91mWVSYhV3C2x1L6We+nZl/cKZvQUX3XQce+4o
ikI/xYEctyYdU3NQvUKl0J+QZ/1qu5E49nrLqGVrD4lqh5OrvzeBZ42Q0gqSd0vfeWZGTPFHyOuR
tgSBZelS9VUlC/jfKxBV1yCn8aJHx+oUt8EY/aTnmGSUWWeKNu9A4yWMaq+QakEk7vN6ysusIAoi
pZM9pXoEgy020nf/LTRXqXkmap7A1J3DGJDEf/B//ROfGTM8ppb/QDSJ9nOksVvK3tvDoC7ft+ae
9ew3GWRPu5lfkRUyYR6onP7EPrm56vENx5AzYQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAc/04K
jDm/vERMECaEX7K/Ox9k7rCWaTd1Pm08ysmOn67e1XtdKIPqypu3UJ4fap3Ec+ahRO+/gCSlI6Ju
PZLTv33HOVsftrmifmmDoV8gll5m0WVrzBrNxqkOWatzy7VoaVm194ThwL5oi7UWWGXCmswxTrVu
xclgDDToyqh2QNB96Pblp5lRB7aIZFzKTLdLD4fdGtoLa6huJfcJ/rSLpZLfMVetmnkjqjXQ+XY9
DY2IxhhuxGPHLqFT/YfO/RmJd9keXfM9lIiJl1+9N8eFskiMwUlV0RriPU9GEGt2fJRZxZqw/c7A
9u92XgEJLCIVs0onGbhUfoI5r702fcEM</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">denis.midpoint at xyz.net</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="ARQ44511cc-c203-4dd4-8540-d7283faf39e3"
NotOnOrAfter="2021-07-26T13:57:50.817Z"
Recipient="https://midpoint-03/midpoint/auth/default/mysamlsso/SSO/alias/spmidpoint"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2021-07-26T13:47:50.817Z"
NotOnOrAfter="2021-07-26T13:57:50.817Z"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>
<saml2:AudienceRestriction>
<saml2:Audience>spmidpoint</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2021-07-26T13:52:50.817Z"
SessionIndex="ARQ44511cc-c203-4dd4-8540-d7283faf39e3"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Attribute Name="uid"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>denis.midpoint at xyz.net</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
More information about the midPoint
mailing list