[midPoint] SAML2 and Red Hat SSO

tomas.husar at ibask.eu tomas.husar at ibask.eu
Wed May 26 06:53:44 CEST 2021


Hi Frederic.


All 3 users which I am using in tests exist in parallel in RH SSO and 
midPoint, with the same basic attributes. 
I am able to log in to midPoint when I change the sequence to work with 
loginForm;
all 3 users have an assignment to the EndUser role with GUI privileges.
These anonymous users appeared there because 
com.evolveum.midpoint.web.security.MidPointGuiAuthorizationEvaluator.decide 
is calling MidPointPrincipal principal = 
getPrincipalFromAuthentication(authentication, object, configAttributes);

From my point of view it looks like something is missing inside my 
requests and hence MidPointGuiAuthorizationEvaluator.decide does not 
return with PASS but invokes getPrincipalFromAuthentication(
authentication, object, configAttributes);

So the signing is not working correctly? For the time being I decided to do 
basic tests without signing.

From:   "Frédéric Lohier" <frederic at lohier.org>
To:     "midPoint General Discussion" <midpoint at lists.evolveum.com>
Cc:     tomas.husar at ibask.eu
Date:   25. 05. 2021 23:09
Subject:        Re: [midPoint] SAML2 and Red Hat SSO



Hello,

It looks like your "anonymous user" does not have any GUI authorization. 
Did you make sure that your anonymous user already exists in Midpoint and 
has a role with some GUI authorizations?

By the way, if you manage to make the SAML SP signing work, please let me 
know, this is still a blocker for me.

-Frederic

On Tue, May 25, 2021, 20:43 Tomáš via midPoint <
midpoint at lists.evolveum.com> wrote:
Hello, I would like to ask if somebody has struggled with a similar 
problem. 

I am trying to work with midPoint as Service Provider and RH SSO as 
Identity Provider.

I successfully did the following: 
applied the saml2 module and sequence 
json.securityPolicy.authentication.sequence[0].module.name = "rhSamlSso300"; 
json.securityPolicy.authentication.modules.saml2[1].name = "rhSamlSso300";
exchanged metadata between midPoint and RH SSO 
midPoint sent a request to RH SSO 
RH SSO displayed the loginForm, 
RH SSO sent a response to midPoint 
with the expected username (AttributeStatement: * username = thus) 
But midPoint is unable to make an authorisation decision with the following 
stack: 
com.evolveum.midpoint.web.security.MidPointGuiAuthorizationEvaluator.decide





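Added example, not part of the thread or of midPoint's code: a small checker for what a Service Provider actually receives in a SAML Response before it can resolve a principal. It reports the status, the NameID, the attributes carried by the AttributeStatement, and whether the Response or the Assertion even contains a ds:Signature element (presence only; it does not verify the signature). The sample response and its issuer are constructed; the `username = thus` attribute mirrors the one described in the thread, and renaming that attribute shows the case where the SP has nothing to map to a midPoint user.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample (not a capture from RH SSO): a successful, unsigned
# Response with one Assertion carrying the "username" attribute from the thread.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>thus</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>thus</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def inspect_response(xml_text, name_attribute="username"):
    """Summarise what an SP has to work with: status, NameID, attributes, and
    whether a ds:Signature element is present on the Response and/or the
    Assertion. Presence of the element is not verification of the signature."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    assertion = root.find("saml:Assertion", NS)
    attrs, name_id = {}, None
    if assertion is not None:
        nid = assertion.find("saml:Subject/saml:NameID", NS)
        name_id = nid.text if nid is not None else None
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            attrs[a.get("Name")] = [v.text for v in a.findall("saml:AttributeValue", NS)]
    return {
        "status_success": code is not None and code.get("Value") == SUCCESS,
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None and assertion.find("ds:Signature", NS) is not None,
        "name_id": name_id,
        "attributes": attrs,
        # None here is the situation from the thread: the attribute the SP is
        # configured to map to a user is not in the AttributeStatement.
        "principal": (attrs.get(name_attribute) or [None])[0],
    }


if __name__ == "__main__":
    print(inspect_response(SAMPLE_RESPONSE))
    print(inspect_response(SAMPLE_RESPONSE.replace('Name="username"', 'Name="uid"')))
```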