[midPoint] SAML2 Module Configuration

Graham Ballantyne grahamb at sfu.ca
Fri Jan 12 21:34:37 CET 2024


I just went through getting SAML working, after much trial and error. Here's my config: https://gist.github.com/grahamb/3b28efad1a2ca9dd8502d8061ada2f1e

I use midPoint Studio, and I'm storing the keystore credentials as encrypted secrets.

The config defines SAML as the default for the GUI, but also has an emergency "back door" login using internal accounts.

The best resource I found for this was in an Internet2 demo project; my config was mostly cribbed from there. https://github.internet2.edu/docker/midPoint_container/tree/master/demo/shibboleth/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy


–
Graham Ballantyne (he/him)
Identity & Access Management Architect — IT Services
Simon Fraser University — Strand Hall 1001
8888 University Dr., Burnaby, B.C. V5A 1S6
grahamb at sfu.ca
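As an added illustration (not Graham's linked gist and not a midPoint project file), the sequence layout his description implies: a SAML sequence marked as the default for the GUI user channel, plus a second sequence on its own URL suffix that uses the internal login form. The module identifiers, the "emergency" suffix and the omitted SAML service-provider/identity-provider settings are assumptions; the element names follow the midPoint flexible-authentication schema.

```xml
<!-- Illustrative fragment of a midPoint securityPolicy (assumed identifiers, not a real deployment) -->
<securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <authentication>
    <modules>
      <!-- Internal username/password module, used only by the emergency sequence -->
      <loginForm>
        <identifier>internalLoginForm</identifier>
      </loginForm>
      <!-- SAML2 module; service provider and identity provider settings omitted here,
           see the flexible-authentication documentation linked in the thread -->
      <saml2>
        <identifier>samlSso</identifier>
      </saml2>
    </modules>

    <!-- Default GUI sequence: browser users are sent to the IdP -->
    <sequence>
      <identifier>gui-saml</identifier>
      <channel>
        <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
        <default>true</default>
        <urlSuffix>saml</urlSuffix>
      </channel>
      <module>
        <identifier>samlSso</identifier>
        <order>1</order>
        <necessity>sufficient</necessity>
      </module>
    </sequence>

    <!-- Emergency sequence: reachable only via its own suffix, authenticates against internal accounts.
         Keep the administrators who can use it to a minimum and audit its use. -->
    <sequence>
      <identifier>gui-emergency</identifier>
      <channel>
        <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
        <default>false</default>
        <urlSuffix>emergency</urlSuffix>
      </channel>
      <module>
        <identifier>internalLoginForm</identifier>
        <order>1</order>
        <necessity>sufficient</necessity>
      </module>
    </sequence>
  </authentication>
</securityPolicy>
```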




On Jan 12, 2024, at 12:02, Nadim El-Khoury via midPoint <midpoint at lists.evolveum.com> wrote:

Hi Martin, Everyone

Thank you for the information. It is very helpful.
I have the following questions.
Is there a document that shows all of the XML entries that can be part of the security policy? I looked on the Evolveum site and could not find it.
The other question: can I put the security policy XML file in /opt/midpoint/post-initial-objects/securityPolicy or is it best to modify the security policy directly using the GUI?
Is there a working security SAML example that we can look at?


Best,

Nadim El-Khoury
Director of Networks, Systems, Infrastructure, and CISO
Springfield College
263 Alden Street
Springfield, MA 01109

On Fri, Jan 12, 2024 at 4:33 AM Martin Lízner via midPoint <midpoint at lists.evolveum.com> wrote:
Hi, it depends on your security policy. UrlSuffix could be e.g. "saml"

________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Nadim El-Khoury via midPoint <midpoint at lists.evolveum.com>
Sent: Tuesday, 9 January 2024 4:17
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Cc: Nadim El-Khoury <nel-khoury at springfield.edu>
Subject: [midPoint] SAML2 Module Configuration

Hi Everyone,

We are working on configuring the SAML2 module in Midpoint.
What is the <authenticationSequenceUrlSuffix> that is mentioned in section 2.1.10.7 (Generation of service provider metadata) of the flexible authentication configuration (https://docs.evolveum.com/midpoint/reference/support-4.8/security/authentication/flexible-authentication/configuration/#module-saml2)?

I really appreciate your help.

Best,

Nadim El-Khoury
Director of Networks, Systems, Infrastructure, and CISO
Springfield College
263 Alden Street
Springfield, MA 01109

--
"I’ve learned that people will forget what you said, people will forget what you did, but people will never forget how you made them feel." Maya Angelou
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint

