[midPoint] Midpoint SSO SAML2 failing after migrating to 4.4 version

Frédéric Lohier frederic at lohier.org
Mon Jan 17 14:10:10 CET 2022


Hello,

SAML integration is broken in Midpoint 4.4.
I opened 3 issues:

https://jira.evolveum.com/browse/MID-7538
https://jira.evolveum.com/browse/MID-7537
https://jira.evolveum.com/browse/MID-7536

You should try to update Midpoint to 4.4.1-Snapshot (doing it myself too to
confirm the fix).

-Frederic


On Mon, Jan 17, 2022, 13:54 Sanudo Martinez, Santiago via midPoint <midpoint at lists.evolveum.com> wrote:

> Any ideas regarding what may be causing the error?
>
> Regards,
>
> Santiago Sañudo Martínez
> Cloud Security Operations
> Plaza de Manuel Llano, Santander, Spain, 39011
>
> -----Original Message-----
> From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of
> midpoint-request at lists.evolveum.com
> Sent: Friday, January 14, 2022 10:04 AM
> To: midpoint at lists.evolveum.com
> Subject: [EXTERNAL]midPoint Digest, Vol 117, Issue 12
>
> Message: 2
> Date: Fri, 14 Jan 2022 09:02:10 +0000
> From: "Sanudo Martinez, Santiago" <Santiago.SanudoMartinez at ingrammicro.com>
> To: midPoint General Discussion <midpoint at lists.evolveum.com>
> Subject: [midPoint] Midpoint SSO SAML2 failing after migrating to 4.4 version
> Message-ID: <PH0PR10MB56829CA0DC065D9F8670A140E7549 at PH0PR10MB5682.namprd10.prod.outlook.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi,
>
> I've migrated from version 4.2 to 4.4. When I was running 4.2 I had SSO
> with SAML properly configured as follows:
>
> <securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>     xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>     xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>     xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>     xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>     oid="00000000-0000-0000-0000-000000000120" version="18">
>     <name>Default Security Policy</name>
>     <authentication>
>         <modules>
>             <loginForm>
>                 <name>internalLoginForm</name>
>                 <description>Internal username/password authentication, default user password, login form</description>
>             </loginForm>
>             <httpBasic>
>                 <name>internalBasic</name>
>                 <description>Internal username/password authentication, using HTTP basic auth</description>
>             </httpBasic>
>
>             <saml2>
>                 <name>azureSsoSaml</name>
>                 <description>My internal enterprise SAML-based SSO system.</description>
>                 <network>
>                     <readTimeout>10000</readTimeout>
>                     <connectTimeout>5000</connectTimeout>
>                 </network>
>
>                 <serviceProvider>
>                     <entityId>sp_midpoint</entityId>
>                     <signRequests>true</signRequests>
>                     <wantAssertionsSigned>true</wantAssertionsSigned>
>                     <singleLogoutEnabled>true</singleLogoutEnabled>
>                     <nameId>TRANSIENT</nameId>
>                     <provider>
>                         <entityId>https://sts.windows.net/484fa682-02f6-4ffa-8cea-f72692457936/</entityId>
>                         <linkText>ssoazure</linkText>
>                         <alias>ssoazure</alias>
>                         <metadata>
>                             <metadataUrl>https://login.microsoftonline.com/484fa682-02f6-4ffa-8cea-f72692457936/federationmetadata/2007-06/federationmetadata.xml?appid=c1bacfd5-5041-4b02-aac3-fa76e0a3560e</metadataUrl>
>                         </metadata>
>                         <skipSslValidation>true</skipSslValidation>
>                         <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
>                         <nameOfUsernameAttribute>employeeid</nameOfUsernameAttribute>
>                     </provider>
>                 </serviceProvider>
>             </saml2>
>         </modules>
>         <sequence id="8">
>             <name>admin-gui-default</name>
>             <description>
>                 Default GUI authentication sequence.
>                 We want to try company SSO, federation and internal. In that order.
>                 Just one of then need to be successful to let user in.
>             </description>
>             <channel>
>                 <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
>                 <default>true</default>
>                 <urlSuffix>default</urlSuffix>
>             </channel>
>             <module>
>                 <name>azureSsoSaml</name>
>                 <order>30</order>
>                 <necessity>sufficient</necessity>
>             </module>
>
>
>         </sequence>
>         <sequence id="9">
>             <name>admin-gui-emergency</name>
>             <description>
>                 Special GUI authentication sequence that is using just the internal user password.
>                 It is used only in emergency. It allows to skip SAML authentication cycles, e.g. in case
>                 that the SAML authentication is redirecting the browser incorrectly.
>             </description>
>             <channel>
>                 <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
>                 <default>false</default>
>                 <urlSuffix>emergency</urlSuffix>
>             </channel>
>             <requireAssignmentTarget
> oid="00000000-0000-0000-0000-000000000004" relation="org:default"
> type="c:RoleType"/>
>             <module id="14">
>                 <name>internalLoginForm</name>
>                 <order>30</order>
>                 <necessity>sufficient</necessity>
>             </module>
>         </sequence>
>         <sequence id="16">
>             <name>rest</name>
>             <description>
>                 Authentication sequence for REST service.
>             </description>
>             <channel>
>                 <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#rest</channelId>
>                 <default>true</default>
>                 <urlSuffix>rest-default</urlSuffix>
>             </channel>
>             <module id="18">
>                 <name>internalBasic</name>
>                 <order>10</order>
>                 <necessity>sufficient</necessity>
>             </module>
>         </sequence>
>         <sequence id="17">
>             <name>actuator</name>
>             <description>
>                 Authentication sequence for actuator.
>             </description>
>             <channel>
>                 <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#actuator</channelId>
>                 <default>true</default>
>                 <urlSuffix>actuator-default</urlSuffix>
>             </channel>
>             <module id="19">
>                 <name>internalBasic</name>
>                 <order>10</order>
>                 <necessity>sufficient</necessity>
>             </module>
>         </sequence>
>         <ignoredLocalPath>/actuator</ignoredLocalPath>
>         <ignoredLocalPath>/actuator/health</ignoredLocalPath>
>     </authentication>
>     <credentials>
>         <password>
>             <minOccurs>0</minOccurs>
>             <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
>             <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
>             <lockoutDuration>PT15M</lockoutDuration>
>             <valuePolicyRef xmlns:tns="
> http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> oid="00000000-0000-0000-0000-000000000003" relation="org:default"
> type="tns:ValuePolicyType"/>
>         </password>
>     </credentials>
> </securityPolicy>
>
>
> The main issue is that after upgrading to 4.4 it started to fail. I've
> seen that it keeps failing even with the proper changes mentioned at the
> documentation of the 4.4 version
> (https://docs.evolveum.com/midpoint/reference/security/authentication/flexible-authentication/configuration/#complete-configuration-examples)
> and the previous ones
> (https://docs.evolveum.com/midpoint/reference/security/authentication/flexible-authentication/configuration-before-4-4/),
> which end up making the following configuration:
>
> <securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>     xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>     xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>     xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>     xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>     xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>     oid="00000000-0000-0000-0000-000000000120" version="18">
>     <name>Default Security Policy</name>
>     <metadata>
>         <requestTimestamp>2020-12-01T12:00:15.108Z</requestTimestamp>
>         <createTimestamp>2020-12-01T12:00:15.137Z</createTimestamp>
>         <createChannel>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#init</createChannel>
>     </metadata>
>     <operationExecution id="1">
>         <timestamp>2020-12-01T12:00:15.179Z</timestamp>
>         <operation>
>             <objectDelta>
>                 <t:changeType>add</t:changeType>
>                 <t:objectType>c:SecurityPolicyType</t:objectType>
>             </objectDelta>
>             <executionResult>
>                 <operation>com.evolveum.midpoint.model.impl.lens.ChangeExecutor.executeDelta</operation>
>                 <status>success</status>
>                 <importance>normal</importance>
>                 <token>1000000000000000015</token>
>             </executionResult>
>             <objectName>Default Security Policy</objectName>
>         </operation>
>         <status>success</status>
>         <channel>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#init</channel>
>     </operationExecution>
>     <iteration>0</iteration>
>     <iterationToken/>
>     <authentication>
>         <modules>
>             <loginForm>
>                 <name>internalLoginForm</name>
>                 <description>Internal username/password authentication, default user password, login form</description>
>             </loginForm>
>             <httpBasic>
>                 <name>internalBasic</name>
>                 <description>Internal username/password authentication, using HTTP basic auth</description>
>             </httpBasic>
>
>             <saml2>
>                 <name>azureSsoSaml</name>
>                 <description>My internal enterprise SAML-based SSO system.</description>
>                 <network>
>                     <readTimeout>10000</readTimeout>
>                     <connectTimeout>5000</connectTimeout>
>                 </network>
>
>                 <serviceProvider>
>                     <entityId>sp_midpoint</entityId>
>                     <signRequests>false</signRequests>
>                     <identityProvider>
>                         <entityId>https://sts.windows.net/b44641f9-e36e-4d7f-a3c4-eb3b991b6120/</entityId>
>                         <linkText>ssoazure</linkText>
>                         <metadata>
>                             <metadataUrl>https://login.microsoftonline.com/b44641f9-e36e-4d7f-a3c4-eb3b991b6120/federationmetadata/2007-06/federationmetadata.xml?appid=e684382b-6768-430b-842a-76ba91d49c74</metadataUrl>
>                         </metadata>
>                         <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
>                         <nameOfUsernameAttribute>employeeid</nameOfUsernameAttribute>
>                     </identityProvider>
>                 </serviceProvider>
>             </saml2>
>         </modules>
>         <sequence id="8">
>             <name>admin-gui-default</name>
>             <description>
>                 Default GUI authentication sequence.
>                 We want to try company SSO, federation and internal. In that order.
>                 Just one of then need to be successful to let user in.
>             </description>
>             <channel>
>                 <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
>                 <default>true</default>
>                 <urlSuffix>default</urlSuffix>
>             </channel>
>             <module>
>                 <name>azureSsoSaml</name>
>                 <order>30</order>
>                 <necessity>sufficient</necessity>
>             </module>
>
>
>         </sequence>
>         <sequence id="9">
>             <name>admin-gui-emergency</name>
>             <description>
>                 Special GUI authentication sequence that is using just the internal user password.
>                 It is used only in emergency. It allows to skip SAML authentication cycles, e.g. in case
>                 that the SAML authentication is redirecting the browser incorrectly.
>             </description>
>             <channel>
>                 <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
>                 <default>false</default>
>                 <urlSuffix>emergency</urlSuffix>
>             </channel>
>             <requireAssignmentTarget
> oid="00000000-0000-0000-0000-000000000004" relation="org:default"
> type="c:RoleType"/>
>             <module id="14">
>                 <name>internalLoginForm</name>
>                 <order>30</order>
>                 <necessity>sufficient</necessity>
>             </module>
>         </sequence>
>         <sequence id="16">
>             <name>rest</name>
>             <description>
>                 Authentication sequence for REST service.
>             </description>
>             <channel>
>                 <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#rest</channelId>
>                 <default>true</default>
>                 <urlSuffix>rest-default</urlSuffix>
>             </channel>
>             <module id="18">
>                 <name>internalBasic</name>
>                 <order>10</order>
>                 <necessity>sufficient</necessity>
>             </module>
>         </sequence>
>         <sequence id="17">
>             <name>actuator</name>
>             <description>
>                 Authentication sequence for actuator.
>             </description>
>             <channel>
>                 <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#actuator</channelId>
>                 <default>true</default>
>                 <urlSuffix>actuator-default</urlSuffix>
>             </channel>
>             <module id="19">
>                 <name>internalBasic</name>
>                 <order>10</order>
>                 <necessity>sufficient</necessity>
>             </module>
>         </sequence>
>         <ignoredLocalPath>/actuator</ignoredLocalPath>
>         <ignoredLocalPath>/actuator/health</ignoredLocalPath>
>     </authentication>
>     <credentials>
>         <password>
>             <minOccurs>0</minOccurs>
>             <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
>             <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
>             <lockoutDuration>PT15M</lockoutDuration>
>             <valuePolicyRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>                 oid="00000000-0000-0000-0000-000000000003" relation="org:default"
>                 type="tns:ValuePolicyType"/>
>         </password>
>     </credentials>
> </securityPolicy>
>
> Pretty much, only the saml2 module has changed and the <provider> tag is
> also changed to the new one at 4.4 version, <identityProvider>. The problem
> is that it doesn't even redirect me to the Azure SSO login webpage and
> crashes:
>
>
> Attaching as well the midpoint.log where you can see that it fails to load
> the module filters.
>
> Regards,
>
> Santiago Sañudo Martínez
> Cloud Security Operations
> Plaza de Manuel Llano, Santander, Spain, 39011
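As an added example (not code from the thread or from the midPoint project), the script below parses a securityPolicy and reports the pre-4.4 <provider> layout, the saml2 elements that differ between the two configurations quoted above, and the settings a reviewer would question (skipSslValidation, unsigned requests or assertions, non-https metadata). It assumes only that the "review" list is the difference between the two quoted configs, not midPoint's official schema change list; the sample policies and IdP URLs are constructed.

```python
"""Added example, not code from the thread or the midPoint project: lint the
saml2 module of a midPoint securityPolicy for the pre-4.4 element layout and
for weak signature/transport settings. Standard library only."""
import xml.etree.ElementTree as ET

COMMON_NS = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
NS = {"c": COMMON_NS}

# Children present in the 4.2 config quoted in the thread but absent from the
# poster's 4.4 config. Assumption: a diff of the two quoted configs, not an
# authoritative schema change list, so they are reported as "review" items.
PRE_44_SP_CHILDREN = ("wantAssertionsSigned", "singleLogoutEnabled", "nameId")
PRE_44_IDP_CHILDREN = ("alias", "skipSslValidation")


def _text(el, path):
    """Stripped text of the first descendant at a slash-separated path, or None."""
    child = el.find("/".join(f"c:{p}" for p in path.split("/")), NS)
    if child is None or child.text is None:
        return None
    return child.text.strip()


def lint_saml2_module(policy_xml):
    """Return (code, message) findings for every saml2 module in the policy.
    Codes: layout (pre-4.4 element name), review (element differing between
    the two quoted configs), weak (security setting), missing (absent/empty)."""
    findings = []
    root = ET.fromstring(policy_xml)
    for saml2 in root.findall(".//c:authentication/c:modules/c:saml2", NS):
        name = _text(saml2, "name") or "<unnamed>"
        sp = saml2.find("c:serviceProvider", NS)
        if sp is None:
            findings.append(("missing", f"{name}: no <serviceProvider>"))
            continue
        old_idp = sp.find("c:provider", NS)
        new_idp = sp.find("c:identityProvider", NS)
        if old_idp is not None and new_idp is None:
            findings.append(("layout", f"{name}: <provider> is the pre-4.4 "
                             "name; 4.4 uses <identityProvider>"))
        elif old_idp is None and new_idp is None:
            findings.append(("missing", f"{name}: no identity provider configured"))
        idp = new_idp if new_idp is not None else old_idp

        for tag in PRE_44_SP_CHILDREN:
            if sp.find(f"c:{tag}", NS) is not None:
                findings.append(("review", f"{name}: <{tag}> is in the 4.2 "
                                 "layout only; confirm its 4.4 equivalent"))
        if idp is not None:
            for tag in PRE_44_IDP_CHILDREN:
                if idp.find(f"c:{tag}", NS) is not None:
                    findings.append(("review", f"{name}: <{tag}> is in the 4.2 "
                                     "layout only; confirm its 4.4 equivalent"))

        # Settings that weaken the SAML exchange: unsigned AuthnRequests,
        # unsigned assertions accepted, TLS validation off for the metadata
        # fetch, metadata fetched over plain http.
        if _text(sp, "signRequests") != "true":
            findings.append(("weak", f"{name}: signRequests is not explicitly "
                             "true; verify AuthnRequests are signed"))
        if _text(sp, "wantAssertionsSigned") == "false":
            findings.append(("weak", f"{name}: wantAssertionsSigned=false "
                             "accepts unsigned assertions"))
        if idp is not None:
            if _text(idp, "skipSslValidation") == "true":
                findings.append(("weak", f"{name}: skipSslValidation=true "
                                 "disables TLS validation of the IdP metadata fetch"))
            url = _text(idp, "metadata/metadataUrl")
            if url is not None and not url.startswith("https://"):
                findings.append(("weak", f"{name}: metadataUrl is not https"))
            if not _text(idp, "entityId"):
                findings.append(("missing", f"{name}: identity provider <entityId> is empty"))
    return findings


def _policy(module_xml):
    """Constructed minimal securityPolicy skeleton around one module."""
    return (f'<securityPolicy xmlns="{COMMON_NS}"><name>Test</name>'
            f"<authentication><modules>{module_xml}</modules></authentication>"
            "</securityPolicy>")


# Constructed samples shaped like the two configs in the thread (IdP URLs are
# placeholders, not the poster's tenant).
SAMPLE_42 = _policy("""<saml2><name>azureSsoSaml</name><serviceProvider>
  <entityId>sp_midpoint</entityId><signRequests>true</signRequests>
  <wantAssertionsSigned>true</wantAssertionsSigned><nameId>TRANSIENT</nameId>
  <provider><entityId>https://idp.example.test/</entityId><alias>ssoazure</alias>
    <metadata><metadataUrl>https://idp.example.test/metadata.xml</metadataUrl></metadata>
    <skipSslValidation>true</skipSslValidation></provider>
  </serviceProvider></saml2>""")

SAMPLE_44 = _policy("""<saml2><name>azureSsoSaml</name><serviceProvider>
  <entityId>sp_midpoint</entityId><signRequests>false</signRequests>
  <identityProvider><entityId>https://idp.example.test/</entityId>
    <metadata><metadataUrl>https://idp.example.test/metadata.xml</metadataUrl></metadata>
  </identityProvider></serviceProvider></saml2>""")
```

Running `lint_saml2_module(SAMPLE_42)` reports the <provider> layout, four elements to review and the disabled TLS validation; `SAMPLE_44` reports only the unsigned AuthnRequests.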