<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Hi Guys<div><div>Has anyone here already integrated Midpoint with Okta's solution to provide Midpoint authentication through the SAML 2.0 protocol?</div><div>I created a free developer account on Okta and I am trying to configure the SAML settings following the guidelines below:</div><div><br></div><div><b>Midpoint Wiki:</b> </div><div><a href="https://wiki.evolveum.com/display/midPoint/Flexible+Authentication+Configuration">https://wiki.evolveum.com/display/midPoint/Flexible+Authentication+Configuration</a></div><div><br></div><div><b>Git Example Security-policy-flexible-authentication:</b> </div><div><a href="https://github.com/Evolveum/midpoint-samples/blob/master/samples/policy/security/security-policy-flexible-authentication.xml">https://github.com/Evolveum/midpoint-samples/blob/master/samples/policy/security/security-policy-flexible-authentication.xml</a></div><div><br></div><div><b>Okta Example - SAML Spring Security:</b></div><div><a href="https://developer.okta.com/code/java/spring_security_saml/">https://developer.okta.com/code/java/spring_security_saml/</a></div><div><a href="https://github.com/oktadeveloper/okta-spring-boot-saml-example">https://github.com/oktadeveloper/okta-spring-boot-saml-example</a></div><div><br></div><div>I understand that Okta is the Identity Provider (IdP) and Midpoint is the Service Provider (SP).</div><div>After trying to make the settings, I had some doubts:</div><div><br></div><div>What is the Midpoint URI that receives the IdP response?</div><div>What is the Midpoint URL that I should use to perform the authentication of the IdP (Okta)?
Because when I try to enter a user that exists in the IdP, an error appears together with a screen showing the link to the IdP (in this part there is another error that I couldn't solve: midpoint displays the internal address <a href="https://127.0.0.1/">https://127.0.0.1/</a>).</div></div><div><br></div><div>Some information from my lab:</div><div><br></div><div><b>Print-01 Midpoint - Authentication GUI</b> (the user john.doe does not exist in midpoint but exists in the IdP)</div><div><div><img src="cid:ii_kdhuoqla0" alt="image.png" width="541" height="190"><br></div></div><div><br></div><div><b>Print-02</b></div><div><div>After I try to authenticate, I get the error message:</div><div><i><u><font color="#ff0000" style="background-color:rgb(243,243,243)">Couldn't authenticate user, reason: couldn't encode password.</font></u></i></div></div><div><div><img src="cid:ii_kdhusgan1" alt="image.png" width="541" height="207"><br></div></div><div><br></div><div><b>Print-03</b></div><div><div>The link to the IdP Okta is displaying midpoint's internal address:</div><div><b><font color="#ff0000"><a href="http://127.0.0.1:8080/">http://127.0.0.1:8080/</a></font></b>midpoint/auth/default/oktaidp/discovery?idp=http%3A%2F%2Fwww.okta.com%2Fexko4d721K5vASKoJ4x6</div><div><br></div><div>Instead of the hostname address:</div><div><b><font color="#0000ff"><a href="http://midpoint-02.xyz.net">http://midpoint-02.xyz.net</a></font></b>/midpoint/auth/default/oktaidp/discovery?idp=http%3A%2F%2Fwww.okta.com%2Fexko4d721K5vASKoJ4x6</div><div><br></div><div>I believe it is some incorrect configuration on my reverse proxy (nginx).</div></div><div><div><div><img src="cid:ii_kdhwh7273" alt="image.png" width="541" height="178"><br></div></div></div><div><br></div><div><b>Print-04: Okta IdP SAML Configuration</b></div><div><div>Here is my main question, because in the fields:</div><div><ol><li>Single sign on URL</li><li>Audience URI (SP 
Entity ID)</li></ol></div><div>I need to enter data that already exists in Midpoint, but I'm not sure where to get this information.</div></div><div><div><img src="cid:ii_kdhwu6b56" alt="image.png" width="541" height="357"><br></div></div><div><div><br></div></div><div><div><br></div></div><div><br></div><div><b>My Security Policy Config:</b></div><div>I made the settings in the IdP, generated the metadata, encoded it in base64 and put it in the Midpoint settings.<br></div><div><b><br></b></div><div><div><authentication></div><div>        <modules></div><div>            <loginForm id="15"></div><div>                <name>internalLoginForm</name></div><div>                <description>Internal username/password authentication, default user password, login form</description></div><div>            </loginForm></div><div>            <saml2 id="16"></div><div>                <name>oktaidp</name></div><div>                <description>My SAML-based SSO system.</description></div><div>                <network></div><div>                    <readTimeout>10000</readTimeout></div><div>                    <connectTimeout>5000</connectTimeout></div><div>                </network></div><div>                <serviceProvider></div><div>                    <entityId>sp_midpoint</entityId></div><div>                    <signRequests>true</signRequests></div><div>                    <wantAssertionsSigned>true</wantAssertionsSigned></div><div>                    <singleLogoutEnabled>true</singleLogoutEnabled></div><div>                    <nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</nameId></div><div>                    <keys/></div><div>                    <provider id="17"></div><div>                        <entityId>http://www.okta.com/xxxxxxxxxxxx4x6</entityId></div><div>                        <alias>SSO-Okta</alias></div><div>                        <metadata></div><div>                            
<xml>PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48bWQ6RW50aXR5RGVzY3JpcHRvciBlbnRpdHlJRD0iaHR0cDovL3d3dy5va3RhLmNvbS9leGtvNGQ3MjFLNXZBU0</xml></div><div>                        </metadata></div><div>                        <skipSslValidation>true</skipSslValidation></div><div>                        <linkText>Okta</linkText></div><div>                        <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding></div><div>                        <nameOfUsernameAttribute>uid</nameOfUsernameAttribute></div><div>                    </provider></div><div>                </serviceProvider></div><div>            </saml2></div><div>        </modules></div><div>        <sequence id="8"></div><div>            <name>admin-gui-default</name></div><div>            <description></div><div>                Default GUI authentication sequence.</div><div>                We want to try company SSO, federation and internal, in that order.</div><div>                Just one of them needs to be successful to let the user in.</div><div>            </description></div><div>            <channel></div><div>                <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId></div><div>                <default>true</default></div><div>                <urlSuffix>default</urlSuffix></div><div>            </channel></div><div>            <module id="12"></div><div>                <name>oktaidp</name></div><div>                <order>30</order></div><div>                <necessity>sufficient</necessity></div><div>            </module></div><div>            <module id="13"></div><div>                <name>internalLoginForm</name></div><div>                <order>20</order></div><div>                <necessity>sufficient</necessity></div><div>            </module></div><div>        </sequence></div><div>        <sequence 
id="9"></div><div>            <name>admin-gui-emergency</name></div><div>            <description></div><div>                Special GUI authentication sequence that uses just the internal user password.</div><div>                It is used only in an emergency. It allows skipping SAML authentication cycles, e.g. in case</div><div>                the SAML authentication is redirecting the browser incorrectly.</div><div>            </description></div><div>            <channel></div><div>                <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId></div><div>                <default>false</default></div><div>                <urlSuffix>emergency</urlSuffix></div><div>            </channel></div><div>            <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType"></div><div>                <!-- Superuser --></div><div>            </requireAssignmentTarget></div><div>            <module id="14"></div><div>                <name>internalLoginForm</name></div><div>                <order>30</order></div><div>                <necessity>sufficient</necessity></div><div>            </module></div><div>        </sequence></div><div>    </authentication></div></div><div><br></div><div><br></div><div>If anyone has any suggestions for solving the problem, I would appreciate it.<br></div><div><br></div><div>Regards</div><div><br></div><div>Gus</div><div><br></div><div><br></div></div></div></div></div></div></div></div></div></div></div>
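<p>An added example, not part of Gus's post or of midPoint itself: a small offline Python check for the step the post describes, where the IdP metadata is base64-encoded and pasted into the provider's metadata/xml element. It decodes the blob and compares it against the provider entityId and authenticationRequestBinding configured beside it, so a copy-paste mismatch or a truncated blob is caught before the login page is tried. The sample metadata, its entityID, certificate and URL are constructed placeholders, not values from a real Okta tenant.</p>

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the metadata Okta exports; entityID, certificate and
# URL are placeholders, not values from a real tenant.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/EXAMPLE-IDP-ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-CONSTRUCTED-PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
# Same encoding step as in the post: this string is what goes into the metadata/xml element.
SAMPLE_B64 = base64.b64encode(SAMPLE_METADATA.encode()).decode()


def parse_idp_metadata(b64_xml: str) -> dict:
    """Decode the blob and pull out what the SP side must agree with; a truncated blob fails here."""
    root = ET.fromstring(base64.b64decode(b64_xml))  # binascii.Error / ParseError on bad input
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    certs = [c for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use", "signing") == "signing"
             for c in k.findall(".//ds:X509Certificate", NS)]
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": len(certs)}


def check_provider(b64_xml: str, configured_entity_id: str, binding: str) -> list:
    """Mismatches between the metadata and the provider's entityId / authenticationRequestBinding."""
    meta = parse_idp_metadata(b64_xml)
    problems = []
    if meta["entity_id"] != configured_entity_id:
        problems.append(f"provider entityId {configured_entity_id!r} != metadata entityID {meta['entity_id']!r}")
    if binding not in meta["sso"]:
        problems.append(f"IdP publishes no SingleSignOnService for binding {binding}")
    if meta["signing_certs"] == 0:
        problems.append("no signing certificate: wantAssertionsSigned cannot be verified")
    return problems
```

Run it against the real blob by replacing SAMPLE_B64 with the string from the provider's metadata/xml element and the entityId from the same provider; an empty list means the two agree.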