[midPoint] Flexible Authentication - SAML Error
Yakov Revyakin
yrevyakin at gmail.com
Fri Mar 10 10:41:36 CET 2023
What I can see is that you renamed the default sequence and probably, in this
way, removed the default sequence for the GUI.
On Fri, 10 Mar 2023 at 11:38, Yakov Revyakin <yrevyakin at gmail.com> wrote:
> Hi Ujjwal,
> The best way to solve all problems of SAML configuration is the Java debugger.
> I spent last week trying to set up SAML and, believe me, the debugger was the
> only way to solve problems.
>
> On Thu, 9 Mar 2023 at 10:15, JOSHI Ujjwal via midPoint <
> midpoint at lists.evolveum.com> wrote:
>
>> Hi Team,
>>
>> I’m trying to update the default Security Policy to enable Single Sign-On.
>> Below is the updated Security Policy.
>>
>> <securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>     xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>>     xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>>     xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>>     xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>>     xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>     oid="00000000-0000-0000-0000-000000000120" version="1">
>>   <name>Default Security Policy</name>
>>   <metadata>
>>     <requestTimestamp>2023-02-15T12:51:37.349+05:30</requestTimestamp>
>>     <createTimestamp>2023-02-15T12:51:37.359+05:30</createTimestamp>
>>     <createChannel>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#init</createChannel>
>>   </metadata>
>>   <operationExecution id="1">
>>     <recordType>simple</recordType>
>>     <timestamp>2023-02-15T12:51:37.382+05:30</timestamp>
>>     <operation>
>>       <objectDelta>
>>         <t:changeType>add</t:changeType>
>>         <t:objectType>c:SecurityPolicyType</t:objectType>
>>       </objectDelta>
>>       <executionResult>
>>         <operation>com.evolveum.midpoint.model.impl.lens.ChangeExecutor.executeDelta</operation>
>>         <status>success</status>
>>         <importance>normal</importance>
>>         <token>1000000000000000015</token>
>>       </executionResult>
>>       <objectName>Default Security Policy</objectName>
>>     </operation>
>>     <status>success</status>
>>     <channel>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#init</channel>
>>   </operationExecution>
>>   <iteration>0</iteration>
>>   <iterationToken/>
>>   <authentication>
>>     <!-- Definition of AUTHENTICATION methods that midPoint supports.
>>          Credentials in this section are considered to be read-only. -->
>>     <modules>
>>       <!-- Definition and configuration of all authentication modules that can be used in the system -->
>>       <saml2>
>>         <name>mySamlSso</name>
>>         <description>My internal enterprise SAML-based SSO system.</description>
>>         <serviceProvider>
>>           <entityId>midpoint</entityId>
>>           <signRequests>false</signRequests>
>>           <identityProvider>
>>             <entityId>https://spedemo-sasidp.stademo.com/auth/realms/M4RSUTEDKN-STA</entityId>
>>             <metadata>
>>               <metadataUrl>https://spedemo-sasidp.stademo.com/auth/realms/M4RSUTEDKN-STA/protocol/saml/descriptor</metadataUrl>
>>             </metadata>
>>             <linkText>STA</linkText>
>>             <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
>>             <nameOfUsernameAttribute>email</nameOfUsernameAttribute>
>>           </identityProvider>
>>         </serviceProvider>
>>         <!-- ... other SAML configuration that the module needs -->
>>       </saml2>
>>     </modules>
>>     <sequence>
>>       <name>admin-gui-default-test1111</name>
>>       <description>
>>         Default GUI authentication sequence.
>>         We want to try company SSO, federation and internal. In that order.
>>         Just one of them needs to be successful to let the user in.
>>       </description>
>>       <channel>
>>         <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
>>         <default>true</default>
>>         <urlSuffix>default</urlSuffix>
>>       </channel>
>>       <nodeGroup oid="05b6933a-b7fc-4543-b8fa-fd8b278ff9ee" relation="org:default" type="c:ArchetypeType"/>
>>       <module>
>>         <name>mySamlSso</name>
>>         <order>30</order>
>>         <necessity>sufficient</necessity>
>>       </module>
>>     </sequence>
>>   </authentication>
>>   <credentials>
>>     <password>
>>       <minOccurs>0</minOccurs>
>>       <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
>>       <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
>>       <lockoutDuration>PT15M</lockoutDuration>
>>       <valuePolicyRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>           oid="00000000-0000-0000-0000-000000000003" relation="org:default" type="tns:ValuePolicyType">
>>         <!-- Default Password Policy -->
>>       </valuePolicyRef>
>>     </password>
>>   </credentials>
>> </securityPolicy>
>>
>>
>> But I’m getting the error below in *midpoint.log*:
>>
>> *Error: Couldn't find filters for sequence admin-gui-default*
>>
>> Can you please suggest what the possible reason for this error could be?
>>
>> Thanks!
>>
>> Best Regards,
>> Ujjwal
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>
>
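To illustrate the renaming point raised in the reply above, here is an added example of what the `<authentication>` section could look like if the GUI sequence keeps its original name and also retains a local login form as a fallback. This is an editorial example written for this page, not configuration from the thread or from the midPoint project; the module name `internalLoginForm`, the `urlSuffix` value `gui-default` and the module ordering are assumptions, while the `mySamlSso` module and its settings are copied from the posted policy.

```xml
<!-- Added example (not from the original post). Assumes midPoint's flexible
     authentication schema as used in the thread: modules are declared once
     under <modules> and referenced by name from a <sequence>. -->
<authentication>
  <modules>
    <!-- Assumed local username/password module; the name is hypothetical. -->
    <loginForm>
      <name>internalLoginForm</name>
      <description>Local password login; keeps admins in if the IdP is down.</description>
    </loginForm>
    <!-- SAML module exactly as posted in the thread. -->
    <saml2>
      <name>mySamlSso</name>
      <description>My internal enterprise SAML-based SSO system.</description>
      <serviceProvider>
        <entityId>midpoint</entityId>
        <!-- Unsigned AuthnRequests as in the post; only acceptable if the IdP
             does not require request signatures. -->
        <signRequests>false</signRequests>
        <identityProvider>
          <entityId>https://spedemo-sasidp.stademo.com/auth/realms/M4RSUTEDKN-STA</entityId>
          <metadata>
            <!-- IdP metadata is fetched over HTTPS; the IdP signing certificate
                 and endpoints come from this document, so its TLS trust matters. -->
            <metadataUrl>https://spedemo-sasidp.stademo.com/auth/realms/M4RSUTEDKN-STA/protocol/saml/descriptor</metadataUrl>
          </metadata>
          <linkText>STA</linkText>
          <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
          <nameOfUsernameAttribute>email</nameOfUsernameAttribute>
        </identityProvider>
      </serviceProvider>
    </saml2>
  </modules>

  <!-- The sequence name stays "admin-gui-default", the name the log message
       in the thread was looking for, rather than a renamed copy. -->
  <sequence>
    <name>admin-gui-default</name>
    <description>Default GUI sequence: local form or SAML SSO, either one is enough.</description>
    <channel>
      <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
      <default>true</default>
      <urlSuffix>gui-default</urlSuffix>   <!-- assumed value -->
    </channel>
    <!-- Both modules are "sufficient": success in either one lets the user in. -->
    <module>
      <name>internalLoginForm</name>
      <order>1</order>
      <necessity>sufficient</necessity>
    </module>
    <module>
      <name>mySamlSso</name>
      <order>2</order>
      <necessity>sufficient</necessity>
    </module>
  </sequence>
</authentication>
```

Two checks before applying something like this: confirm against your midPoint version's documentation what the initial security policy actually calls its GUI sequence and URL suffix, since a mismatch there is exactly the kind of problem the reply above suspects; and keep a non-SAML path in the default GUI sequence until SSO is proven, because a sequence whose only module depends on an external IdP (and on fetching its metadata over the network) can lock every administrator out if that IdP or its metadata URL becomes unreachable.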