[midPoint] Midpoint SSO SAML2 failing after migrating to 4.4 version

Frédéric Lohier frederic at lohier.org
Mon Jan 17 14:28:49 CET 2022


Correction, you should try with tomorrow's snapshot; the fixes were
committed this morning.

On Mon, Jan 17, 2022, 14:10 Frédéric Lohier <frederic at lohier.org> wrote:

> Hello,
>
> SAML integration is broken in Midpoint 4.4.
> I opened 3 issues:
>
> https://jira.evolveum.com/browse/MID-7538
> https://jira.evolveum.com/browse/MID-7537
> https://jira.evolveum.com/browse/MID-7536
>
> You should try to update Midpoint to 4.4.1-Snapshot (doing it myself too
> to confirm the fix).
>
> -Frederic
>
>
> On Mon, Jan 17, 2022, 13:54 Sanudo Martinez, Santiago via midPoint <
> midpoint at lists.evolveum.com> wrote:
>
>> Any ideas regarding what may be causing the error?
>>
>> Regards,
>>
>> Santiago Sañudo Martínez
>> Cloud Security Operations
>> Plaza de Manuel Llano, Santander, Spain, 39011
>>
>>
>>
>> This email may contain material that is confidential, and proprietary to
>> Ingram Micro and subsidiaries, for the sole use of the intended recipient.
>> Any review, reliance or distribution by others or forwarding without
>> express permission is strictly prohibited. If you are not the intended
>> recipient, please contact the sender and delete all copies.
>>
>> -----Original Message-----
>> From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of
>> midpoint-request at lists.evolveum.com
>> Sent: Friday, January 14, 2022 10:04 AM
>> To: midpoint at lists.evolveum.com
>> Subject: [EXTERNAL]midPoint Digest, Vol 117, Issue 12
>>
>>
>> Today's Topics:
>>
>>    1. Native Repository Webinar and December Webinar Recording
>>       (Evolveum Marketing)
>>    2. Midpoint SSO SAML2 failing after migrating to 4.4 version
>>       (Sanudo Martinez, Santiago)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Thu, 13 Jan 2022 16:48:14 +0100
>> From: Evolveum Marketing <vera at evolveum.com>
>> To: midPoint General Discussion <midpoint at lists.evolveum.com>
>> Subject: [midPoint] Native Repository Webinar and December Webinar
>>         Recording
>> Message-ID: <d5891f00-c09c-0981-7852-09126d7b1e4c at evolveum.com>
>> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>>
>> Dear midPoint community,
>>
>> We hope you had nice holidays. Start the new year with our series of
>> online webinars that follow Katarina Bolemant’s presentation of what’s new
>> in midPoint 4.4, midScale results and other interesting topics (the
>> recording is available here: https://youtu.be/KpgurGKTyzg).
>>
>> The closest webinar is dedicated to Native PostgreSQL repository and is
>> led by Richard Richter, our Java Developer. The webinar will cover what
>> midPoint repository is and why we decided to reimplement it once more.
>> Richard will talk about major changes inside as well as outside of the
>> repository, how to switch to it and how to use it. The SQL audit will not
>> be forgotten either including its new table partitioning.
>>
>> *Please reserve the date:*
>>
>> January 20 (Thursday), 4PM CET (10AM EST)
>>
>> *Zoom link:* https://us02web.zoom.us/j/85268854299?pwd=OEdZVmMrdzVDZzk5WlAzNjMzMExWUT09
>>
>> *Meeting ID: *852 6885 4299*
>> Password: *302604
>>
>> See you there!
>>
>> --
>>
>> Veronika Kolpascikova
>> Marketing Specialist
>> evolveum.com
>>
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Fri, 14 Jan 2022 09:02:10 +0000
>> From: "Sanudo Martinez, Santiago"
>>         <Santiago.SanudoMartinez at ingrammicro.com>
>> To: midPoint General Discussion <midpoint at lists.evolveum.com>
>> Subject: [midPoint] Midpoint SSO SAML2 failing after migrating to 4.4
>>         version
>> Message-ID:
>>         <
>> PH0PR10MB56829CA0DC065D9F8670A140E7549 at PH0PR10MB5682.namprd10.prod.outlook.com
>> >
>>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> Hi,
>>
>> I've migrated from version 4.2 to 4.4. When I was running 4.2 I had SSO
>> with SAML properly configured as follows:
>>
>> <securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>     xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>>     xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>>     xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>>     xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>>     xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>>     oid="00000000-0000-0000-0000-000000000120" version="18">
>>     <name>Default Security Policy</name>
>>     <authentication>
>>         <modules>
>>             <loginForm >
>>                 <name>internalLoginForm</name>
>>                 <description>Internal username/password authentication,
>> default user password, login form</description>
>>             </loginForm>
>>             <httpBasic >
>>                 <name>internalBasic</name>
>>                 <description>Internal username/password authentication,
>> using HTTP basic auth</description>
>>             </httpBasic>
>>
>>             <saml2 >
>>                 <name>azureSsoSaml</name>
>>                 <description>My internal enterprise SAML-based SSO
>> system.</description>
>>                 <network>
>>                     <readTimeout>10000</readTimeout>
>>                     <connectTimeout>5000</connectTimeout>
>>                 </network>
>>
>>                 <serviceProvider>
>>                     <entityId>sp_midpoint</entityId>
>>                     <signRequests>true</signRequests>
>>                     <wantAssertionsSigned>true</wantAssertionsSigned>
>>                     <singleLogoutEnabled>true</singleLogoutEnabled>
>>                     <nameId>TRANSIENT</nameId>
>>                     <provider>
>>                         <entityId>https://sts.windows.net/484fa682-02f6-4ffa-8cea-f72692457936/</entityId>
>>                         <linkText>ssoazure</linkText>
>>                         <alias>ssoazure</alias>
>>                         <metadata>
>>                             <metadataUrl>https://login.microsoftonline.com/484fa682-02f6-4ffa-8cea-f72692457936/federationmetadata/2007-06/federationmetadata.xml?appid=c1bacfd5-5041-4b02-aac3-fa76e0a3560e</metadataUrl>
>>                         </metadata>
>>                         <skipSslValidation>true</skipSslValidation>
>>                         <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
>>                         <nameOfUsernameAttribute>employeeid</nameOfUsernameAttribute>
>>                     </provider>
>>                 </serviceProvider>
>>             </saml2>
>>         </modules>
>>         <sequence id="8">
>>             <name>admin-gui-default</name>
>>             <description>
>>                 Default GUI authentication sequence.
>>                 We want to try company SSO, federation and internal. In
>> that order.
>>                 Just one of then need to be successful to let user in.
>>             </description>
>>             <channel>
>>                 <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
>>                 <default>true</default>
>>                 <urlSuffix>default</urlSuffix>
>>             </channel>
>>             <module>
>>                 <name>azureSsoSaml</name>
>>                 <order>30</order>
>>                 <necessity>sufficient</necessity>
>>             </module>
>>
>>
>>         </sequence>
>>         <sequence id="9">
>>             <name>admin-gui-emergency</name>
>>             <description>
>>                 Special GUI authentication sequence that is using just
>> the internal user password.
>>                 It is used only in emergency. It allows to skip SAML
>> authentication cycles, e.g. in case
>>                 that the SAML authentication is redirecting the browser
>> incorrectly.
>>             </description>
>>             <channel>
>>                 <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
>>                 <default>false</default>
>>                 <urlSuffix>emergency</urlSuffix>
>>             </channel>
>>             <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType"/>
>>             <module id="14">
>>                 <name>internalLoginForm</name>
>>                 <order>30</order>
>>                 <necessity>sufficient</necessity>
>>             </module>
>>         </sequence>
>>         <sequence id="16">
>>             <name>rest</name>
>>             <description>
>>                 Authentication sequence for REST service.
>>             </description>
>>             <channel>
>>                 <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#rest</channelId>
>>                 <default>true</default>
>>                 <urlSuffix>rest-default</urlSuffix>
>>             </channel>
>>             <module id="18">
>>                 <name>internalBasic</name>
>>                 <order>10</order>
>>                 <necessity>sufficient</necessity>
>>             </module>
>>         </sequence>
>>         <sequence id="17">
>>             <name>actuator</name>
>>             <description>
>>                 Authentication sequence for actuator.
>>             </description>
>>             <channel>
>>                 <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#actuator</channelId>
>>                 <default>true</default>
>>                 <urlSuffix>actuator-default</urlSuffix>
>>             </channel>
>>             <module id="19">
>>                 <name>internalBasic</name>
>>                 <order>10</order>
>>                 <necessity>sufficient</necessity>
>>             </module>
>>         </sequence>
>>         <ignoredLocalPath>/actuator</ignoredLocalPath>
>>         <ignoredLocalPath>/actuator/health</ignoredLocalPath>
>>     </authentication>
>>     <credentials>
>>         <password>
>>             <minOccurs>0</minOccurs>
>>             <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
>>             <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
>>             <lockoutDuration>PT15M</lockoutDuration>
>>             <valuePolicyRef xmlns:tns="
>> http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> oid="00000000-0000-0000-0000-000000000003" relation="org:default"
>> type="tns:ValuePolicyType"/>
>>         </password>
>>     </credentials>
>> </securityPolicy>
>>
>>
>> The main issue is that after upgrading to 4.4 it started to fail. I've
>> seen that it keeps failing even with the proper changes mentioned in the
>> documentation of the 4.4 version
>> (https://docs.evolveum.com/midpoint/reference/security/authentication/flexible-authentication/configuration/#complete-configuration-examples)
>> and the previous ones
>> (https://docs.evolveum.com/midpoint/reference/security/authentication/flexible-authentication/configuration-before-4-4/),
>> which end up making the following configuration:
>>
>> <securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>     xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>>     xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>>     xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>>     xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>>     xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>>     oid="00000000-0000-0000-0000-000000000120" version="18">
>>     <name>Default Security Policy</name>
>>     <metadata>
>>         <requestTimestamp>2020-12-01T12:00:15.108Z</requestTimestamp>
>>         <createTimestamp>2020-12-01T12:00:15.137Z</createTimestamp>
>>         <createChannel>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#init</createChannel>
>>     </metadata>
>>     <operationExecution id="1">
>>         <timestamp>2020-12-01T12:00:15.179Z</timestamp>
>>         <operation>
>>             <objectDelta>
>>                 <t:changeType>add</t:changeType>
>>                 <t:objectType>c:SecurityPolicyType</t:objectType>
>>             </objectDelta>
>>             <executionResult>
>>                 <operation>com.evolveum.midpoint.model.impl.lens.ChangeExecutor.executeDelta</operation>
>>                 <status>success</status>
>>                 <importance>normal</importance>
>>                 <token>1000000000000000015</token>
>>             </executionResult>
>>             <objectName>Default Security Policy</objectName>
>>         </operation>
>>         <status>success</status>
>>         <channel>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#init</channel>
>>     </operationExecution>
>>     <iteration>0</iteration>
>>     <iterationToken/>
>>     <authentication>
>>         <modules>
>>             <loginForm >
>>                 <name>internalLoginForm</name>
>>                 <description>Internal username/password authentication,
>> default user password, login form</description>
>>             </loginForm>
>>             <httpBasic >
>>                 <name>internalBasic</name>
>>                 <description>Internal username/password authentication,
>> using HTTP basic auth</description>
>>             </httpBasic>
>>
>>             <saml2>
>>                 <name>azureSsoSaml</name>
>>                 <description>My internal enterprise SAML-based SSO
>> system.</description>
>>                 <network>
>>                     <readTimeout>10000</readTimeout>
>>                     <connectTimeout>5000</connectTimeout>
>>                 </network>
>>
>>                 <serviceProvider>
>>                     <entityId>sp_midpoint</entityId>
>>                     <signRequests>false</signRequests>
>>                     <identityProvider>
>>                         <entityId>https://sts.windows.net/b44641f9-e36e-4d7f-a3c4-eb3b991b6120/</entityId>
>>                         <linkText>ssoazure</linkText>
>>                         <metadata>
>>                             <metadataUrl>https://login.microsoftonline.com/b44641f9-e36e-4d7f-a3c4-eb3b991b6120/federationmetadata/2007-06/federationmetadata.xml?appid=e684382b-6768-430b-842a-76ba91d49c74</metadataUrl>
>>                         </metadata>
>>                         <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
>>                         <nameOfUsernameAttribute>employeeid</nameOfUsernameAttribute>
>>                     </identityProvider>
>>                 </serviceProvider>
>>             </saml2>
>>         </modules>
>>         <sequence id="8">
>>             <name>admin-gui-default</name>
>>             <description>
>>                 Default GUI authentication sequence.
>>                 We want to try company SSO, federation and internal. In
>> that order.
>>                 Just one of then need to be successful to let user in.
>>             </description>
>>             <channel>
>>                 <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
>>                 <default>true</default>
>>                 <urlSuffix>default</urlSuffix>
>>             </channel>
>>             <module>
>>                 <name>azureSsoSaml</name>
>>                 <order>30</order>
>>                 <necessity>sufficient</necessity>
>>             </module>
>>
>>
>>         </sequence>
>>         <sequence id="9">
>>             <name>admin-gui-emergency</name>
>>             <description>
>>                 Special GUI authentication sequence that is using just
>> the internal user password.
>>                 It is used only in emergency. It allows to skip SAML
>> authentication cycles, e.g. in case
>>                 that the SAML authentication is redirecting the browser
>> incorrectly.
>>             </description>
>>             <channel>
>>                 <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
>>                 <default>false</default>
>>                 <urlSuffix>emergency</urlSuffix>
>>             </channel>
>>             <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType"/>
>>             <module id="14">
>>                 <name>internalLoginForm</name>
>>                 <order>30</order>
>>                 <necessity>sufficient</necessity>
>>             </module>
>>         </sequence>
>>         <sequence id="16">
>>             <name>rest</name>
>>             <description>
>>                 Authentication sequence for REST service.
>>             </description>
>>             <channel>
>>                 <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#rest</channelId>
>>                 <default>true</default>
>>                 <urlSuffix>rest-default</urlSuffix>
>>             </channel>
>>             <module id="18">
>>                 <name>internalBasic</name>
>>                 <order>10</order>
>>                 <necessity>sufficient</necessity>
>>             </module>
>>         </sequence>
>>         <sequence id="17">
>>             <name>actuator</name>
>>             <description>
>>                 Authentication sequence for actuator.
>>             </description>
>>             <channel>
>>                 <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#actuator</channelId>
>>                 <default>true</default>
>>                 <urlSuffix>actuator-default</urlSuffix>
>>             </channel>
>>             <module id="19">
>>                 <name>internalBasic</name>
>>                 <order>10</order>
>>                 <necessity>sufficient</necessity>
>>             </module>
>>         </sequence>
>>         <ignoredLocalPath>/actuator</ignoredLocalPath>
>>         <ignoredLocalPath>/actuator/health</ignoredLocalPath>
>>     </authentication>
>>     <credentials>
>>         <password>
>>             <minOccurs>0</minOccurs>
>>             <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
>>             <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
>>             <lockoutDuration>PT15M</lockoutDuration>
>>             <valuePolicyRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>                 oid="00000000-0000-0000-0000-000000000003" relation="org:default"
>>                 type="tns:ValuePolicyType"/>
>>         </password>
>>     </credentials>
>> </securityPolicy>
>>
>> Pretty much, only the saml2 module has changed, and the <provider> tag is
>> also changed to the new one in the 4.4 version, <identityProvider>. The problem
>> is that it doesn't even redirect me to the Azure SSO login webpage and
>> crashes:
>>
>> [screenshot attached: image002.png]
>>
>> Attaching as well the midpoint.log where you can see that it fails to load
>> the module filters. [screenshot attached: image003.png]
>>
>> Regards,
>>
>> Santiago Sañudo Martínez
>> Cloud Security Operations
>> Plaza de Manuel Llano, Santander, Spain, 39011
>>
>>
>>
>> The information contained in this message is confidential. If you receive
>> this message by error please notify it as soon as possible to the sender
>> and proceed to their final elimination by not copy, store or distribute its
>> content. In accordance of what is stated in the Law 15/1999, of Data
>> Personal Protection and Regulation Rule 1720/2007, the personal data
>> provided through the email address you entered will be included in a file
>> owned by INGRAM MICRO, SLU, located at C/ Antonio Machado, 78-80 1ª y 2ª
>> pl. Business Park ( 08840-Viladecans). By submitting your data, you
>> expressly give your consent to INGRAM MICRO, SLU, to the treatment of your
>> data, in order to answer to your questions and / or keep the professional,
>> commercial relationship  and / or contractual set with INGRAM MICRO, SLU
>> You can exercise your rights of access, rectification, cancellation and
>> opposition by giving written notification to the sender address or to  the
>> following email:  nuevascuentas at ingrammicro.es. According to Law
>> 34/2002, of the Information Society and Electronic Commerce, you may object
>> at any time to your data treatment for promotional purposes by notifying us
>> in writing to the email address above.
>> -------------- next part --------------
>> A non-text attachment was scrubbed...
>> Name: image001.jpg
>> Type: image/jpeg
>> Size: 2057 bytes
>> Desc: image001.jpg
>> URL: <
>> https://lists.evolveum.com/pipermail/midpoint/attachments/20220114/21c9c4ab/attachment.jpg
>> >
>> -------------- next part --------------
>> A non-text attachment was scrubbed...
>> Name: image002.png
>> Type: image/png
>> Size: 31753 bytes
>> Desc: image002.png
>> URL: <
>> https://lists.evolveum.com/pipermail/midpoint/attachments/20220114/21c9c4ab/attachment.png
>> >
>> -------------- next part --------------
>> A non-text attachment was scrubbed...
>> Name: image003.png
>> Type: image/png
>> Size: 164887 bytes
>> Desc: image003.png
>> URL: <
>> https://lists.evolveum.com/pipermail/midpoint/attachments/20220114/21c9c4ab/attachment-0001.png
>> >
>> -------------- next part --------------
>> A non-text attachment was scrubbed...
>> Name: midpoint.log
>> Type: application/octet-stream
>> Size: 46319 bytes
>> Desc: midpoint.log
>> URL: <
>> https://lists.evolveum.com/pipermail/midpoint/attachments/20220114/21c9c4ab/attachment.obj
>> >
>>
>> ------------------------------
>>
>> Subject: Digest Footer
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>>
>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> ------------------------------
>>
>> End of midPoint Digest, Vol 117, Issue 12
>> *****************************************
>
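The two policies quoted above differ only in the saml2 module, and the thread never says which of the elements dropped in the 4.4 version (alias, wantAssertionsSigned, singleLogoutEnabled, nameId, skipSslValidation) 4.4 still accepts. Independently of the 4.4 bug, a few things in these policies are worth checking mechanically before an upgrade: the pre-4.4 version loads the IdP metadata with skipSslValidation=true (whoever can intercept that fetch can hand midPoint their own signing certificate and then mint assertions for any employeeid), the 4.4 version sends unsigned AuthnRequests, and the emergency sequence is the only way in when the SAML module fails to start, so every sequence must reference a module that actually exists. The script below is an added example written for this page; it is not part of midPoint and not either poster's configuration. It assumes only the element names visible in the policies above, treats <provider> as the pre-4.4 spelling of <identityProvider>, and does not know midPoint's default for wantAssertionsSigned, so it flags any saml2 module that does not set it to true explicitly. The embedded policy is a constructed sample modelled on the thread, not the poster's file.

```python
"""Lint a midPoint securityPolicy for the SAML2 / flexible-authentication
pitfalls discussed in the thread. Added example, not midPoint code."""
import xml.etree.ElementTree as ET

NS = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
CH = "http://midpoint.evolveum.com/xml/ns/public/common/channels-3"

# Constructed sample modelled on the posted policies (not the poster's file):
# unsigned requests, no assertion-signature requirement, TLS validation off
# for the IdP metadata fetch, and a misspelt module reference in the
# emergency sequence (hypothetical tenant id, not a real one).
SAMPLE_POLICY = f"""<securityPolicy xmlns="{NS}">
  <name>Default Security Policy</name>
  <authentication>
    <modules>
      <loginForm><name>internalLoginForm</name></loginForm>
      <httpBasic><name>internalBasic</name></httpBasic>
      <saml2>
        <name>azureSsoSaml</name>
        <serviceProvider>
          <entityId>sp_midpoint</entityId>
          <signRequests>false</signRequests>
          <identityProvider>
            <entityId>https://sts.windows.net/tenant-id/</entityId>
            <metadata><metadataUrl>https://login.microsoftonline.com/tenant-id/federationmetadata/2007-06/federationmetadata.xml</metadataUrl></metadata>
            <skipSslValidation>true</skipSslValidation>
          </identityProvider>
        </serviceProvider>
      </saml2>
    </modules>
    <sequence><name>admin-gui-default</name>
      <channel><channelId>{CH}#user</channelId><default>true</default><urlSuffix>default</urlSuffix></channel>
      <module><name>azureSsoSaml</name><order>30</order><necessity>sufficient</necessity></module>
    </sequence>
    <sequence><name>admin-gui-emergency</name>
      <channel><channelId>{CH}#user</channelId><default>false</default><urlSuffix>emergency</urlSuffix></channel>
      <module><name>internalLoginFrom</name><order>30</order><necessity>sufficient</necessity></module>
    </sequence>
    <sequence><name>rest</name>
      <channel><channelId>{CH}#rest</channelId><default>true</default><urlSuffix>rest-default</urlSuffix></channel>
      <module><name>internalBasic</name><order>10</order><necessity>sufficient</necessity></module>
    </sequence>
  </authentication>
</securityPolicy>"""

# The same sample with every finding corrected, for comparison.
FIXED_POLICY = (SAMPLE_POLICY
    .replace("<signRequests>false</signRequests>",
             "<signRequests>true</signRequests><wantAssertionsSigned>true</wantAssertionsSigned>")
    .replace("<skipSslValidation>true</skipSslValidation>",
             "<skipSslValidation>false</skipSslValidation>")
    .replace("internalLoginFrom", "internalLoginForm"))


def _q(tag):
    return "{%s}%s" % (NS, tag)


def _text(el, path):
    """Text of the namespaced child at 'a/b' under el, or None when absent."""
    if el is None:
        return None
    found = el.find("/".join(_q(p) for p in path.split("/")))
    return (found.text or "").strip() if found is not None else None


def lint_security_policy(xml_text):
    """Return a list of human-readable findings; an empty list means clean."""
    auth = ET.fromstring(xml_text).find(_q("authentication"))
    findings = []
    kinds = {}  # module name -> element kind (loginForm, httpBasic, saml2, ...)
    for mod in auth.find(_q("modules")):
        kinds[_text(mod, "name")] = mod.tag.split("}")[1]

    for saml in auth.find(_q("modules")).findall(_q("saml2")):
        name = _text(saml, "name")
        sp = saml.find(_q("serviceProvider"))
        if _text(sp, "signRequests") != "true":
            findings.append(f"{name}: signRequests is not true; AuthnRequests leave unsigned")
        if _text(sp, "wantAssertionsSigned") != "true":
            findings.append(f"{name}: wantAssertionsSigned is not explicitly true")
        idp = sp.find(_q("identityProvider"))  # 4.4 name; <provider> before 4.4
        if idp is None and sp.find(_q("provider")) is not None:
            idp = sp.find(_q("provider"))
            findings.append(f"{name}: uses pre-4.4 <provider>; 4.4 expects <identityProvider>")
        if idp is not None:
            url = _text(idp, "metadata/metadataUrl") or ""
            if _text(idp, "skipSslValidation") == "true":
                findings.append(f"{name}: skipSslValidation=true while loading IdP metadata from "
                                f"{url}; a spoofed endpoint could supply its own signing certificate")
            if url.startswith("http://"):
                findings.append(f"{name}: IdP metadata fetched over plain HTTP")

    defaults = {}           # channelId -> sequence claiming <default>true
    fallback = {}           # channelId -> True if some sequence has a non-SAML module
    saml_only_default = {}  # channelId -> default sequence made only of saml2 modules
    for seq in auth.findall(_q("sequence")):
        sname = _text(seq, "name")
        cid = _text(seq, "channel/channelId")
        refs = [_text(m, "name") for m in seq.findall(_q("module"))]
        for ref in refs:
            if ref not in kinds:
                findings.append(f"sequence {sname}: references undefined module '{ref}'")
        known = [kinds[r] for r in refs if r in kinds]
        if any(k != "saml2" for k in known):
            fallback[cid] = True
        if _text(seq, "channel/default") == "true":
            if cid in defaults:
                findings.append(f"channel {cid}: '{defaults[cid]}' and '{sname}' both claim default")
            defaults[cid] = sname
            if known and all(k == "saml2" for k in known):
                saml_only_default[cid] = sname
    for cid, sname in saml_only_default.items():
        if not fallback.get(cid):
            findings.append(f"channel {cid}: default sequence '{sname}' is SAML-only and no "
                            "other sequence offers a non-SAML (emergency) login")
    return findings


if __name__ == "__main__":
    for finding in lint_security_policy(SAMPLE_POLICY):
        print("-", finding)
```

Run as-is it prints five findings for the constructed sample and none for FIXED_POLICY; to lint a real deployment, pass the XML of the exported securityPolicy object to lint_security_policy. The check is deliberately schema-agnostic, so a policy that 4.4 rejects for other reasons (as in the thread) can still come back clean here; it catches configuration that is unsafe or self-inconsistent, not parser-level errors.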

