[midPoint] Midpoint - SAML 2.0 - Okta IdP - Flex-Auth?

Frédéric Lohier frederic at lohier.org
Mon May 3 14:28:02 CEST 2021


Hello,

I am also experiencing some unnecessary friction configuring SAML
authentication.
The flexible authentication is a very complete and very well documented
feature, but it is missing the process to generate the SAML SP metadata. I
opened the Jira issue MID-7026 (https://jira.evolveum.com/browse/MID-7026)
before I found the fix by myself with some guessing.

You can generate the SP metadata using the following URL:
https://<midpoint-host>/midpoint/auth/<authentication sequence urlSuffix>/<SAML2 module name>/metadata

-Frederic

On Fri, Aug 21, 2020 at 11:46 AM <tomas.husar at ibask.eu> wrote:

> Thank you Radovan for response,
>
> I appreciated that midPoint is opensource and this SAML client
> functionality is there.
>
> You are absolutely right that SAML is rather complex. In the first days when I
> started to study it, I just drew ArchiMate pictures because I tried to
> understand which entityID belongs to the IdP and which to the SP, who is the Issuer and
> who the consumer.
> The next thing was that our SAML authority uses mixed property names, and
> sometimes I had to use the old property convention, and sometimes the new one:
>
>
> tomas at 4a9c4a32f364 : /etc/cas/saml$ cas.prop.exist idp.entity
> cas.authn.saml-idp.entity-id=casEntityID
> cas.authn.saml-idp.entityId=192.168.56.101/cassId2
> #cas.authn.samlIdp.entityId=http://192.168.56.101/midpoint
> cas.authn.samlIdp.entityId=192.168.56.101/cassId3
>
> tomas at 4a9c4a32f364 : /etc/cas/saml$ cas.prop.exist issuer
> cas.saml-core.issuer=casEntityID
> cas.samlCore.issuer=192.168.56.101/cassI3
> cas.samlResponse.issuer=192.168.56.101/cassI4
> cas.saml.response.issuer=casEntityID
>
>
> Finally the communication was established, and now I have to manage the
> process of receiving the response on the side of midPoint. What is
> curious to me is that the IdP EntityId, which was well known to midPoint while
> generating "PageSamlSelect", is unknown in the process of filtering the
> response.
>
> Now I am reading your open sources; I am hoping I will find why it happened.
> Your code is very well structured and I am able to understand it much
> better than the code of Apereo CAS. You know I am not a coder, I just
> read the code, and in this case I appreciate that you developers use all best
> practices in structuring and naming classes.
>
> I hope I will find a fine solution for the combo of midPoint with Apereo CAS as
> IdP.
>
> Tomas
>
>
>
> From:        "Radovan Semancik" <radovan.semancik at evolveum.com>
> To:        midpoint at lists.evolveum.com
> Date:        20. 08. 2020 18:50
> Subject:        Re: [midPoint] Midpoint - SAML 2.0 - Okta IdP - Flex-Auth?
> Sent by:        "midPoint" <midpoint-bounces at lists.evolveum.com>
> ------------------------------
>
>
>
> Hello Tomas,
> SAML client functionality *is* available as part of midPoint and, as with every
> feature, it *is* part of the midPoint source code.
> However, as you certainly know, SAML is a complex protocol. There are
> variations and dialects, and there are a lot of configuration options. Not every
> client works with every identity provider. That may also be the case here.
> Maybe there is a need for special configuration. Maybe there is a bug in
> midPoint code. Maybe there is a bug or misconfiguration on the identity
> provider side. Maybe it is something entirely different. There are just too
> many options to consider in a short mail. Lukas has already shown good will
> and tried to help. As he indicated, the problem is not obvious and more
> time and effort is needed to analyze the issue. As Martina explained, Lukas
> does not have that time available for you, as that time is reserved for
> midPoint subscribers.
> MidPoint is open and free software. You can go ahead and do pretty much
> anything that you want with midPoint. MidPoint is free, but our services
> are not. If you want to dedicate the time of one of our engineers to focus on
> your specific problem, then you have to pay for that time.
> --
> Radovan Semancik
> Software Architect
> evolveum.com
>
>
> On 20. 8. 2020 18:27, *tomas.husar at ibask.eu* <tomas.husar at ibask.eu> wrote:
> Hello Martina,
>
> Can I understand your post in this way: that this feature (midPoint
> recognising and processing the SAML response from an external IdM system) is
> not actually available in the midPoint git repository, and it needs analytical
> and development effort which goes beyond the support covered in this mailing
> list?
>
> Tomas
>
>
>
> From:        "Martina Benckova" <mbenckova at evolveum.com>
> To:        midpoint at lists.evolveum.com
> Date:        20. 08. 2020 13:22
> Subject:        Re: [midPoint] Midpoint - SAML 2.0 - Okta IdP - Flex-Auth?
> Sent by:        "midPoint" <midpoint-bounces at lists.evolveum.com>
> ------------------------------
>
>
>
> Hi Gus,
>
> Let me join the communication.
>
> Lukas tried to help you within limited time that he could dedicate to the
> community. His main responsibilities are development activities to make
> midPoint even better for the whole community. Based on this he mainly
> follows Jira tickets of platform subscribers and customers with active
> product support.
>
> On the other hand, if you would like to engage our team with the issue
> and get a detailed analysis with a possible solution, you might be
> interested in our commercial services. In case of activated services, we
> dedicate an available techie to help our customers with their issues.
> We provide different services for different purposes.
> Would you be interested?
>
> Best regards,
> Martina Benckova | Sales Manager
> mbenckova at evolveum.com | www.evolveum.com
> tel: +421 948 940 888
>
>
>
>
> ------------------------------
>
> From: "Lukas Skublik" <lukas.skublik at evolveum.com>
> To: midpoint at lists.evolveum.com
> Sent: Thursday, August 20, 2020 9:37:04 AM
> Subject: Re: [midPoint] Midpoint - SAML 2.0 - Okta IdP - Flex-Auth?
>
> Hello Gus,
> I analysed log file, but I found nothing relevant.
>
> Regards,
> Lukas Skublik.
> On 19. 8. 2020 15:10, Gus Lou wrote:
> Hi Lukas
>
> I activated the debug level in the midpoint log, but found nothing
> relevant.
> I attached the log for analysis
> Thank you very much
>
> On Wed, Aug 19, 2020 at 02:54, Lukas Skublik <lukas.skublik at evolveum.com> wrote:
> Hello Gus,
> Can you send me your log file? Maybe you are seeing the wrong error message.
> Regards
> Lukas Skublik
> On 18. 8. 2020 23:35, Gus Lou wrote:
> Hi Alexandre
>
> Thank you very much
>
> I made the modifications suggested by you and Lukas.
> Something is still wrong: after authenticating with the IdP and returning
> to midPoint I get the message:
> Midpoint saml module doesn't receive response from Identity Provider
> server.
> The strange thing is that through the Saml Tracer tool, I can verify that
> there was a request and a response.
>
>
>
> SAML Request:
>
> <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>     AssertionConsumerServiceURL="http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta"
>     Destination="https://dev-601301.okta.com/app/xyzdev601301_midpoint_1/xxxxxx4x6/sso/saml"
>     ForceAuthn="false" ID="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b" IsPassive="false"
>     IssueInstant="2020-08-18T21:14:01.266Z"
>     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
>   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">sp_midpoint</saml2:Issuer>
>   <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
> </saml2p:AuthnRequest>
>
> SAML Response:
>
> <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>     Destination="http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta"
>     ID="id369598233453735443745710" InResponseTo="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b"
>     IssueInstant="2020-08-18T21:14:02.181Z" Version="2.0">
>   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>       Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/xxxxxxxxxxx4x6</saml2:Issuer>
>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>     <ds:SignedInfo>
>       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>       <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>       <ds:Reference URI="#id369598233453735443745710">
>         <ds:Transforms>
>           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>         </ds:Transforms>
>         <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>         <ds:DigestValue>eOe03vp5gwQQ/4RERzhnfkVpxbxfb8Ek0OQHbyNXcL4=</ds:DigestValue>
>       </ds:Reference>
>     </ds:SignedInfo>
>     <ds:SignatureValue>Opuurv0kgPnDHbxXpe2wzDhDJs6tGoRrHLc+XwIUpxtyLxwh+/4QBPmanZUWepBygLOM223ql7vfpD6e37Zr1iWNAA7Dub9Dc2HIo8igDB1i7wRSvJGWaX+BZLc8mF+CQ9jLT3vinalejcfGicVOS06CygG3ztb7QlBZJmj</ds:SignatureValue>
>     <ds:KeyInfo>
>       <ds:X509Data>
>         <ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAXOn7be0MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
> A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
> 9u92XgEJLCIVs0onGbhUfoI5r702fcEM</ds:X509Certificate>
>       </ds:X509Data>
>     </ds:KeyInfo>
>   </ds:Signature>
>   <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
>     <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
>   </saml2p:Status>
>   <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>       ID="id3695982334609027802744130" IssueInstant="2020-08-18T21:14:02.181Z" Version="2.0">
>     <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>         Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/xxxxxxxxx4x6</saml2:Issuer>
>     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>       <ds:SignedInfo>
>         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>         <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>         <ds:Reference URI="#id3695982334609027802744130">
>           <ds:Transforms>
>             <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>             <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>           </ds:Transforms>
>           <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>           <ds:DigestValue>g8vVhT6anU1xJOXQH9IrsOIpWG1YZN9GVIWFXVd9zFk=</ds:DigestValue>
>         </ds:Reference>
>       </ds:SignedInfo>
>       <ds:SignatureValue>nFK/0DyI7SpavUD3FPdr7BU1wSMIJl3NR4efPDKfZeZMhPGOX3lurD5lHSceulzGLcZbsOmPnEn1pLsFCOefihVC/SmkNNBHB/uCbKdrgmcQ4Q+xuBEuoUXopG80Xx3sMWZa0lSRAgAcM0sJb6EynmyifxBJ4n0/P9/ANIH</ds:SignatureValue>
>       <ds:KeyInfo>
>         <ds:X509Data>
>           <ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAXOn7be0MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
> A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
> DY2IxhhuxGPHLqFT/YfO/RmJd9keXfM9lIiJl1+9N8eFskiMwUlV0RriPU9GEGt2fJRZxZqw/c7A
> 9u92XgEJLCIVs0onGbhUfoI5r702fcEM</ds:X509Certificate>
>         </ds:X509Data>
>       </ds:KeyInfo>
>     </ds:Signature>
>     <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
>       <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">john.doe at xyz.net</saml2:NameID>
>       <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>         <saml2:SubjectConfirmationData InResponseTo="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b"
>             NotOnOrAfter="2020-08-18T21:19:02.181Z"
>             Recipient="http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta"/>
>       </saml2:SubjectConfirmation>
>     </saml2:Subject>
>     <saml2:Conditions xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>         NotBefore="2020-08-18T21:09:02.181Z" NotOnOrAfter="2020-08-18T21:19:02.181Z">
>       <saml2:AudienceRestriction>
>         <saml2:Audience>okta</saml2:Audience>
>       </saml2:AudienceRestriction>
>     </saml2:Conditions>
>     <saml2:AuthnStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>         AuthnInstant="2020-08-18T21:14:02.181Z" SessionIndex="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b">
>       <saml2:AuthnContext>
>         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
>       </saml2:AuthnContext>
>     </saml2:AuthnStatement>
>   </saml2:Assertion>
> </saml2p:Response>
>
>
> ---------------------------------------------------------------------------------------------
>
>
> Regards
>
> Gus
>
> On Tue, Aug 18, 2020 at 02:28, Alexandre Zia <alexandre.zia at ifood.com.br> wrote:
> I've just changed a few things, based on your config:
>
> <saml2>
>    <name>oktaidp</name>
>    <description>Enterprise SAML-based SSO system</description>
>    <network>
>        <readTimeout>10000</readTimeout>
>        <connectTimeout>5000</connectTimeout>
>    </network>
>    <serviceProvider>
>        <entityId>sp_midpoint</entityId>
>        <aliasForPath>okta</aliasForPath>
>        <signRequests>false</signRequests>
>        <wantAssertionsSigned>true</wantAssertionsSigned>
>        <singleLogoutEnabled>true</singleLogoutEnabled>
>        <nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</nameId>
>        <provider>
>            <entityId>http://www.okta.com/xxxxxxxxxxxx4x6</entityId>
>            <alias>SSO-Okta</alias>
>            <metadata>
>                <xml>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</xml>
>            </metadata>
>            <skipSslValidation>false</skipSslValidation>
>            <linkText>Okta</linkText>
>            <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
>            <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
>        </provider>
>    </serviceProvider>
> </saml2>
>
>
> And your ACS URL will be something like this:
> http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta
>
>
>
>
>
> On Mon, Aug 17, 2020 at 2:24 PM Gus Lou <gugalou38 at gmail.com> wrote:
> Hi Lukas
> Thank you very much for your help. I had not configured this option yet.
> I did the suggested configuration, and now the link to the IdP in the midPoint
> interface is correct.
> But when I click on the link to the IdP, do the authentication and get
> the reply back to midPoint, I get an error:
> Midpoint saml module doesn't receive response from Identity Provider
> server.
> Authentication failed, and as a consequence was restarted authentication
> flow
> (probably due to the fact that the midPoint ACS URL in the IdP is not
> correct.)
>
> I need to find out what the midPoint Assertion Consumer Service (ACS) URL
> is, to report it in the IdP.
>
> Print screen after IdP authentication failed
>
> Regards
>
> Gus
>
> On Mon, Aug 17, 2020 at 03:18, Lukas Skublik <lukas.skublik at evolveum.com> wrote:
> Hello Gus,
>
> Try configuring the attribute
> systemConfiguration/infrastructure/publicHttpUrlPattern to
> 'http://midpoint-02.xyz.net/midpoint'.
>
> Regards,
> Lukas Skublik
> On 6. 8. 2020 0:00, Gus Lou wrote:
> Hi Guys
> Anyone here already integrated Midpoint with Okta's solution to provide
> Midpoint authentication through the SAML 2.0 protocol?
> I created a free developer account on Okta and I am trying to make the
> SAML settings following the guidelines below:
>
> Midpoint Wiki:
> https://wiki.evolveum.com/display/midPoint/Flexible+Authentication+Configuration
>
> Git example security-policy-flexible-authentication:
> https://github.com/Evolveum/midpoint-samples/blob/master/samples/policy/security/security-policy-flexible-authentication.xml
>
> Okta example - SAML Spring Security:
> https://developer.okta.com/code/java/spring_security_saml/
> https://github.com/oktadeveloper/okta-spring-boot-saml-example
>
> I understand that Okta is the Identity Provider IdP and Midpoint is the
> Service Provider SP.
> After trying to make the settings I had some doubts:
>
> What is the midPoint URI that receives the IdP response?
> What is the midPoint URL that I should use to perform the authentication
> at the IdP (Okta)? Because when I try to enter an existing user in the IdP,
> an error appears, and then a screen with the link of the IdP (in this part there
> is another error that I couldn't solve: midPoint displays the internal
> address https://127.0.0.1/).
>
> Some information from my lab:
>
> Print-01 Midpoint - Authentication GUI (the user john.doe does not
> exist in midPoint but exists at the IdP)
>
> Print-02
> After I try to authenticate, I get the error message:
> Couldn't authenticate user, reason: couldn't encode password.
>
> Print-03
> The link to the IdP Okta is displaying midPoint's internal address:
> http://127.0.0.1:8080/midpoint/auth/default/oktaidp/discovery?idp=http%3A%2F%2Fwww.okta.com%2Fexko4d721K5vASKoJ4x6
>
> Instead of the hostname address:
> http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/discovery?idp=http%3A%2F%2Fwww.okta.com%2Fexko4d721K5vASKoJ4x6
>
> I believe it is some incorrect configuration on my reverse proxy (nginx).
>
> Print-04: Okta IdP SAML Configuration
> Here is my main question, because in the fields:
>
>    1. Single sign on URL
>    2. Audience URI (SP Entity ID)
>
> I need to enter existing data from midPoint, but I'm not sure where to get
> this information.
>
>
>
> My Security Policy Config:
> I made the settings in the IdP, generated the metadata, encoded it in base
> 64 and put it in the midPoint settings.
>
> <authentication>
>         <modules>
>             <loginForm id="15">
>                 <name>internalLoginForm</name>
>                 <description>Internal username/password authentication,
> default user password, login form</description>
>             </loginForm>
>             <saml2 id="16">
>                 <name>oktaidp</name>
>                 <description>My SAML-based SSO system.</description>
>                 <network>
>                     <readTimeout>10000</readTimeout>
>                     <connectTimeout>5000</connectTimeout>
>                 </network>
>                 <serviceProvider>
>                     <entityId>sp_midpoint</entityId>
>                     <signRequests>true</signRequests>
>                     <wantAssertionsSigned>true</wantAssertionsSigned>
>                     <singleLogoutEnabled>true</singleLogoutEnabled>
>                     <nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</nameId>
>                     <keys/>
>                     <provider id="17">
>                         <entityId>http://www.okta.com/xxxxxxxxxxxx4x6</entityId>
>                         <alias>SSO-Okta</alias>
>                         <metadata>
>                             <xml>PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48bWQ6RW50aXR5RGVzY3JpcHRvciBlbnRpdHlJRD0iaHR0cDovL3d3dy5va3RhLmNvbS9leGtvNGQ3MjFLNXZBU0</xml>
>                         </metadata>
>                         <skipSslValidation>true</skipSslValidation>
>                         <linkText>Okta</linkText>
>                         <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
>                         <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
>                     </provider>
>                 </serviceProvider>
>             </saml2>
>         </modules>
>         <sequence id="8">
>             <name>admin-gui-default</name>
>             <description>
>                 Default GUI authentication sequence.
>                 We want to try company SSO, federation and internal. In
> that order.
>                 Just one of them needs to be successful to let the user in.
>             </description>
>             <channel>
>                 <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
>                 <default>true</default>
>                 <urlSuffix>default</urlSuffix>
>             </channel>
>             <module id="12">
>                 <name>oktaidp</name>
>                 <order>30</order>
>                 <necessity>sufficient</necessity>
>             </module>
>             <module id="13">
>                 <name>internalLoginForm</name>
>                 <order>20</order>
>                 <necessity>sufficient</necessity>
>             </module>
>         </sequence>
>         <sequence id="9">
>             <name>admin-gui-emergency</name>
>             <description>
>                 Special GUI authentication sequence that is using just the
> internal user password.
>                 It is used only in emergency. It allows to skip SAML
> authentication cycles, e.g. in case
>                 that the SAML authentication is redirecting the browser
> incorrectly.
>             </description>
>             <channel>
>                 <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
>                 <default>false</default>
>                 <urlSuffix>emergency</urlSuffix>
>             </channel>
>             <requireAssignmentTarget
> oid="00000000-0000-0000-0000-000000000004" relation="org:default"
> type="c:RoleType">
>                 <!-- Superuser -->
>             </requireAssignmentTarget>
>             <module id="14">
>                 <name>internalLoginForm</name>
>                 <order>30</order>
>                 <necessity>sufficient</necessity>
>             </module>
>         </sequence>
>     </authentication>
>
>
> If anyone has any suggestions for solving the problem I would appreciate
> it.
>
> Regards
>
> Gus
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
> --
> Alexandre R Zia
> Security
> www.ifood.com.br
>
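As an added example (not midPoint code, and not from anyone in the thread), the Python below derives the ACS and SP-metadata URLs from a `<saml2>` module definition, using the URL shapes the thread shows (the ACS URL from Alexandre's mail, the metadata URL from Frédéric's), and then runs the checks a service provider has to apply to a Response before trusting it: Destination and Recipient against the ACS, InResponseTo against the AuthnRequest ID, the Issuer against the configured provider entityId, the NotBefore/NotOnOrAfter window, and the Audience against the SP entityId. The module fragment and the Response are constructed to mirror the ones posted above, with the Okta entity ID replaced by a placeholder; XML signature verification is out of scope here and precedes all of these checks in a real SP.

```python
# Added example, not midPoint code: derive the SP-side URLs a midPoint
# flexible-authentication <saml2> module implies (URL shapes taken from this
# thread, not from midPoint docs) and check a SAML Response against them.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed module fragment modelled on Alexandre's; IdP entityId is a placeholder.
MODULE_XML = """<saml2>
  <name>oktaidp</name>
  <serviceProvider>
    <entityId>sp_midpoint</entityId>
    <aliasForPath>okta</aliasForPath>
    <provider><entityId>http://www.okta.com/EXAMPLE-IDP-ID</entityId></provider>
  </serviceProvider>
</saml2>"""

# Constructed Response reduced to the fields checked below (no signature, so this
# is not a complete SAML validation); values mirror the trace Gus posted.
RESPONSE_XML = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-constructed-1" Version="2.0"
  Destination="http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta"
  InResponseTo="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b" IssueInstant="2020-08-18T21:14:02.181Z">
  <saml2:Issuer>http://www.okta.com/EXAMPLE-IDP-ID</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion ID="id-constructed-2" IssueInstant="2020-08-18T21:14:02.181Z" Version="2.0">
    <saml2:Issuer>http://www.okta.com/EXAMPLE-IDP-ID</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">john.doe@xyz.net</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b"
          NotOnOrAfter="2020-08-18T21:19:02.181Z"
          Recipient="http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2020-08-18T21:09:02.181Z" NotOnOrAfter="2020-08-18T21:19:02.181Z">
      <saml2:AudienceRestriction><saml2:Audience>okta</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""


def sp_urls(module_xml, public_url, url_suffix):
    """ACS and SP-metadata URLs for a <saml2> module under a given sequence urlSuffix."""
    m = ET.fromstring(module_xml)
    sp = m.find("serviceProvider")
    base = f"{public_url.rstrip('/')}/auth/{url_suffix}/{m.findtext('name')}"
    return {"entity_id": sp.findtext("entityId"),
            "idp_entity_id": sp.findtext("provider/entityId"),
            "acs": f"{base}/SSO/alias/{sp.findtext('aliasForPath')}",
            "metadata": f"{base}/metadata"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def check_response(response_xml, sp, request_id, now):
    """Return every mismatch between the Response and what the SP expects."""
    findings = []
    r = ET.fromstring(response_xml)
    a = r.find("saml2:Assertion", NS)
    if r.get("Destination") != sp["acs"]:
        findings.append(f"Destination {r.get('Destination')} != ACS {sp['acs']}")
    if r.get("InResponseTo") != request_id:
        findings.append("Response InResponseTo != AuthnRequest ID")
    for iss in (r.findtext("saml2:Issuer", namespaces=NS), a.findtext("saml2:Issuer", namespaces=NS)):
        if iss != sp["idp_entity_id"]:
            findings.append(f"Issuer {iss} != configured provider entityId")
    scd = a.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if scd.get("Recipient") != sp["acs"]:
        findings.append("SubjectConfirmationData Recipient != ACS")
    if scd.get("InResponseTo") != request_id:
        findings.append("SubjectConfirmationData InResponseTo != AuthnRequest ID")
    cond = a.find("saml2:Conditions", NS)
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        findings.append("assertion is outside its NotBefore/NotOnOrAfter window")
    audiences = [e.text for e in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
    if sp["entity_id"] not in audiences:
        findings.append(f"Audience {audiences} does not contain SP entityId {sp['entity_id']}")
    return findings


if __name__ == "__main__":
    sp = sp_urls(MODULE_XML, "http://midpoint-02.xyz.net/midpoint", "default")
    print("SP metadata URL:", sp["metadata"], "\nACS URL:", sp["acs"])
    for f in check_response(RESPONSE_XML, sp, "ARQ271eea6-dbee-4ff2-9bc7-d119aa71b00b", _ts("2020-08-18T21:14:03.000Z")):
        print("MISMATCH:", f)
```

On the values in the thread the only check that fails is the audience one: the assertion carries `<saml2:Audience>okta</saml2:Audience>` while the SP entityId sent as the AuthnRequest Issuer is `sp_midpoint`; whether that is what midPoint actually rejected is not visible in the thread.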