[midPoint] SAML authentication return URL
Eetu Salpaharju
Eetu.Salpaharju at tietokeskus.fi
Fri Jul 14 15:36:16 CEST 2023
Thank you for the reply!
I already had the Default hostname setting in place. That doesn't seem to have any effect on the return URL. Host and protocol seem to come from Tomcat, as you say. No luck so far, though, getting it to work.
So far I've tried the following settings.
My nginx configuration, which as far as I can see should have all the needed set_header parameters:
server {
    listen 443 ssl;
    server_name midpoint.example.com;
    ssl_certificate /etc/ssl/certs/midpoint.crt;
    ssl_certificate_key /etc/pki/private/midpoint.key;

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
I've tried using the $scheme variable instead of https in X-Forwarded-Proto, but no difference.
Then I read about the Tomcat settings here: https://docs.evolveum.com/midpoint/devel/guides/environment/embedded-tomcat/
And in case Tomcat didn't read the headers, I created an application.yml file with these settings:
server:
  tomcat:
    accesslog:
      directory: accesslogs
      enabled: true
      pattern: common
      prefix: access_log
      suffix: .log
    # Note: Spring Boot 2.2 and later document the remote-ip properties under
    # server.tomcat.remoteip.* (e.g. server.tomcat.remoteip.protocol-header);
    # the top-level forms below are the deprecated names.
    port-header: X-Forwarded-Port
    remote-ip-header: X-Forwarded-For
    protocol-header: X-Forwarded-Proto
    protocol-header-https-value: https
    redirect-context-root: true
This configuration file is in use; I can tell because there is now an accesslog directory in the Midpoint home. But still no difference. Tomcat/Midpoint reads the hostname from the headers as it should, but the protocol is still always http in the return URL.
- Eetu
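To make the behaviour being debugged concrete, here is an added example (not from the thread, and not midPoint's or Tomcat's own code): a small Python model of the decision a RemoteIpValve-style filter makes when it builds an absolute URL behind a reverse proxy such as the nginx configuration above. The header names match what the nginx config sends; the trusted-proxy ranges are an assumption modelled on the address classes Tomcat trusts by default; `ACS_PATH` is the return URL path quoted in the original question; all request samples are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple

# Ranges from which X-Forwarded-* headers are honoured. Assumption: these
# mirror the loopback and RFC 1918 classes a default RemoteIpValve trusts.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]

# Default ports, used when the proxy forwards the scheme but not the port.
DEFAULT_PORT = {"http": 80, "https": 443}

# AssertionConsumerService path as it appears in the thread's return URL.
ACS_PATH = "/midpoint/auth/default/azure_auth/SSO/alias/aad"


@dataclass(frozen=True)
class Origin:
    scheme: str
    host: str
    port: int

    def base_url(self) -> str:
        # Omit the port when it is the scheme's default, as URL builders do.
        if self.port == DEFAULT_PORT[self.scheme]:
            return f"{self.scheme}://{self.host}"
        return f"{self.scheme}://{self.host}:{self.port}"


def is_trusted_proxy(remote_addr: str) -> bool:
    ip = ipaddress.ip_address(remote_addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def split_host(host_header: str) -> Tuple[str, Optional[int]]:
    """Split 'host[:port]'; bracketed IPv6 literals are returned unchanged."""
    if host_header.startswith("[") or ":" not in host_header:
        return host_header, None
    host, _, port = host_header.rpartition(":")
    return host, int(port)


def resolve_origin(headers: Mapping[str, str], remote_addr: str,
                   connector_scheme: str = "http") -> Origin:
    """Model of a RemoteIpValve-style decision (simplified, not Tomcat's code).

    X-Forwarded-Proto / X-Forwarded-Port are applied only when the TCP peer
    is a trusted proxy. If they are absent, or the peer is untrusted, the
    connector's own scheme is used, which is exactly what produces an http://
    return URL when the headers never reach (or are not read by) Tomcat.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    host, host_port = split_host(h.get("host", "localhost"))
    proto = h.get("x-forwarded-proto")
    if proto is None or not is_trusted_proxy(remote_addr):
        return Origin(connector_scheme, host, host_port or DEFAULT_PORT[connector_scheme])
    scheme = "https" if proto.strip().lower() == "https" else "http"
    port = int(h["x-forwarded-port"]) if "x-forwarded-port" in h else DEFAULT_PORT[scheme]
    return Origin(scheme, host, port)


def saml_return_url(headers: Mapping[str, str], remote_addr: str) -> str:
    """Absolute ACS URL the service provider would advertise for this request."""
    return resolve_origin(headers, remote_addr).base_url() + ACS_PATH


if __name__ == "__main__":
    # Constructed samples: the headers nginx sets in the configuration above.
    via_proxy = {"Host": "midpoint.example.com", "X-Forwarded-Proto": "https",
                 "X-Forwarded-Port": "443", "X-Forwarded-For": "198.51.100.7"}
    print(saml_return_url(via_proxy, "127.0.0.1"))                        # https://... (headers honoured)
    print(saml_return_url({"Host": "midpoint.example.com"}, "127.0.0.1"))  # http://...  (headers missing)
    print(saml_return_url(via_proxy, "203.0.113.5"))                      # http://...  (untrusted peer)
```

The three printed cases are the three states worth distinguishing when debugging this: headers forwarded and read (https), headers not reaching or not read by the filter (http, the symptom in the thread), and headers arriving from a peer that is not a trusted proxy (ignored). The last case is the security-relevant one: if Tomcat honoured forwarded headers from any peer, a client that could reach port 8080 directly could choose the scheme and host that end up in SAML URLs, so the backend port should stay bound to localhost as in the setup above.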
________________________________________
From: Fabian Noll-Dukiewicz <fabian.noll-dukiewicz at veryfy.gmbh>
Sent: 14 July 2023 14:07
To: midPoint General Discussion
Cc: Eetu Salpaharju
Subject: AW: SAML authentication return URL
Hi Eetu,
I think it could be a misconfiguration of your nginx. Please check this: https://community.sonarsource.com/t/saml-error-with-nginx-reverse-proxy/46324 (It is not midPoint, but it covers the same problem).
On the midPoint side you can check whether you have set the "Default hostname" in System configuration → Infrastructure to your reverse proxy address (https://midpoint.example.com).
Good Luck!
Kind regards,
Fabian
--
Fabian Noll-Dukiewicz
Identity & Access Management Specialist | Managing Director
Tel.: +49 152 244 63 211
Email: fabian.noll-dukiewicz at veryfy.gmbh
Web: https://veryfy.gmbh
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Eetu Salpaharju via midPoint <midpoint at lists.evolveum.com>
Date: Friday, 14 July 2023 at 12:53
To: midpoint at lists.evolveum.com <midpoint at lists.evolveum.com>
Cc: Eetu Salpaharju <Eetu.Salpaharju at tietokeskus.fi>
Subject: [midPoint] SAML authentication return URL
Hello,
I'm deploying SAML2 authentication against Microsoft Azure AD.
My network configuration uses an nginx server as a reverse proxy, like this. Both Midpoint and nginx are running on the same server.
user ---https://midpoint.example.com---> nginx ---http://localhost:8080---> Midpoint
Now Midpoint sends the following return URL to Azure: http://midpoint.example.com/midpoint/auth/default/azure_auth/SSO/alias/aad . The problem is that the return URL is using http instead of https. The return URL should be https://midpoint.example.com/midpoint/auth/default/azure_auth/SSO/alias/aad .
Where could I define a base URL or similar attribute so the return URL would use the https protocol? For reference, my authenticator configuration is below.
<authentication>
    ...
    <modules>
        ...
        <saml2 id="10">
            <identifier>azure_auth</identifier>
            <description>Authentication against AzureAD tenant.</description>
            <focusType>UserType</focusType>
            <serviceProvider id="11">
                <entityId>**ApplicationID from Azure**</entityId>
                <aliasForPath>aad</aliasForPath>
                <identityProvider>
                    <entityId>**ApplicationID from Azure**</entityId>
                    <metadata>
                        <pathToFile>/var/midpoint/auth/azure_metadata.xml</pathToFile>
                    </metadata>
                    <linkText>Microsoft Azure</linkText>
                    <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
                    <nameOfUsernameAttribute>emailAddress</nameOfUsernameAttribute>
                </identityProvider>
            </serviceProvider>
        </saml2>
    </modules>
    ...
</authentication>
Thank you in advance for helping with this one.
- Eetu
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint
More information about the midPoint mailing list