<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Hello Gus,<br>
      <br>
      try configuring the attribute
      systemConfiguration/infrastructure/publicHttpUrlPattern to
      '<a class="moz-txt-link-freetext" href="http://midpoint-02.xyz.net/midpoint">http://midpoint-02.xyz.net/midpoint</a>'.<br>
      <br>
      Regards,<br>
      Lukas Skublik<br>
    </p>
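    <p>As an added illustration (not part of Lukas's reply, nor midPoint's own documentation), here is the systemConfiguration fragment that setting corresponds to. The element placement follows midPoint's SystemConfigurationType schema as I know it, the hostname is the one from Gus's lab, and the OID is midPoint's well-known system configuration OID as I recall it.</p>

```xml
&lt;!-- Added example, not from the thread. Hostname taken from Gus's lab;
     element placement per the SystemConfigurationType schema as I know it. --&gt;
&lt;systemConfiguration xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                     oid="00000000-0000-0000-0000-000000000001"&gt;
  &lt;name&gt;SystemConfiguration&lt;/name&gt;
  &lt;infrastructure&gt;
    &lt;!-- Absolute external base URL that midPoint uses when it builds links
         for the browser. Print-03 shows that without it the generated IdP
         discovery link carried the upstream address 127.0.0.1:8080 that the
         nginx reverse proxy forwards to, which the browser cannot reach. --&gt;
    &lt;publicHttpUrlPattern&gt;http://midpoint-02.xyz.net/midpoint&lt;/publicHttpUrlPattern&gt;
  &lt;/infrastructure&gt;
&lt;/systemConfiguration&gt;
```

<p>There is nothing to execute in an XML fragment; after importing it, the discovery link from Print-03 should start with the public hostname instead of 127.0.0.1:8080.</p>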
    <div class="moz-cite-prefix">On 6. 8. 2020 0:00, Gus Lou wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CA+XZjGT_j1iMMTG2V2R_Ja1zgOyok8AJ_Dn5Zj31qY3ooH_JdQ@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">
        <div dir="ltr">
          <div dir="ltr">
            <div dir="ltr">
              <div dir="ltr">
                <div dir="ltr">
                  <div dir="ltr">
                    <div dir="ltr">
                      <div dir="ltr">
                        <div dir="ltr">Hi Guys
                          <div>
                            <div>Has anyone here already integrated Midpoint
                              with Okta's solution to provide Midpoint
                              authentication through the SAML 2.0
                              protocol?</div>
                            <div>I created a free developer account on
                              Okta and I am trying to make the SAML
                              settings following the guidelines below:</div>
                            <div><br>
                            </div>
                            <div><b>Midpoint Wiki:</b> </div>
                            <div><a
href="https://wiki.evolveum.com/display/midPoint/Flexible+Authentication+Configuration"
                                moz-do-not-send="true">https://wiki.evolveum.com/display/midPoint/Flexible+Authentication+Configuration</a></div>
                            <div><br>
                            </div>
                            <div><b>Git Example
                                Security-policy-flexible-authentication:</b> </div>
                            <div><a
href="https://github.com/Evolveum/midpoint-samples/blob/master/samples/policy/security/security-policy-flexible-authentication.xml"
                                moz-do-not-send="true">https://github.com/Evolveum/midpoint-samples/blob/master/samples/policy/security/security-policy-flexible-authentication.xml</a></div>
                            <div><br>
                            </div>
                            <div><b>Okta Example - SAML Spring Security:</b></div>
                            <div><a
                                href="https://developer.okta.com/code/java/spring_security_saml/"
                                moz-do-not-send="true">https://developer.okta.com/code/java/spring_security_saml/</a></div>
                            <div><a
                                href="https://github.com/oktadeveloper/okta-spring-boot-saml-example"
                                moz-do-not-send="true">https://github.com/oktadeveloper/okta-spring-boot-saml-example</a></div>
                            <div><br>
                            </div>
                            <div>I understand that Okta is the Identity
                              Provider IdP and Midpoint is the Service
                              Provider SP.</div>
                            <div>After trying to make the settings I had
                              some doubts:</div>
                            <div><br>
                            </div>
                            <div>What is the Midpoint URI that receives
                              the IdP response?</div>
                            <div>What is the Midpoint URL that I should
                              use to perform the authentication with the
                              IdP (Okta)? When I try to enter an existing
                              user of the IdP, an error appears, together
                              with a screen showing the link to the IdP
                              (in this part there is another error that I
                              couldn't solve: midpoint displays the
                              internal address <a
                                href="https://127.0.0.1/"
                                moz-do-not-send="true">https://127.0.0.1/</a>)</div>
                          </div>
                          <div><br>
                          </div>
                          <div>Some information from my lab:</div>
                          <div><br>
                          </div>
                          <div><b>Print-01 Midpoint - Authentication
                              GUI</b> (the user john.doe does not exist
                            in midpoint but exists in the IdP)</div>
                          <div><br>
                          </div>
                          <div><b>Print-02 </b></div>
                          <div>
                            <div>After I try to authenticate, I get the
                              error message:</div>
                            <div><i><u><font
                                    style="background-color:rgb(243,243,243)"
                                    color="#ff0000">Couldn't
                                    authenticate user, reason: couldn't
                                    encode password.</font></u></i></div>
                          </div>
                          <div><br>
                          </div>
                          <div><b>Print-03</b></div>
                          <div>
                            <div>The link to the IdP Okta is displaying
                              midpoint's internal address:</div>
                            <div><b><font color="#ff0000"><a
                                    href="http://127.0.0.1:8080/"
                                    moz-do-not-send="true">http://127.0.0.1:8080/</a></font></b>midpoint/auth/default/oktaidp/discovery?idp=http%3A%2F%<a
                                href="http://2Fwww.okta.com"
                                moz-do-not-send="true">2Fwww.okta.com</a>%2Fexko4d721K5vASKoJ4x6</div>
                            <div><br>
                            </div>
                            <div>Instead of the hostname address:</div>
                            <div><b><font color="#0000ff"><a
                                    href="http://midpoint-02.xyz.net"
                                    moz-do-not-send="true">http://midpoint-02.xyz.net</a></font></b>/midpoint/auth/default/oktaidp/discovery?idp=http%3A%2F%<a
                                href="http://2Fwww.okta.com"
                                moz-do-not-send="true">2Fwww.okta.com</a>%2Fexko4d721K5vASKoJ4x6</div>
                            <div><br>
                            </div>
                            <div>I believe it is some incorrect
                              configuration on my reverse proxy (nginx).</div>
                          </div>
                          <div><br>
                          </div>
                          <div><b>Print-04: Okta IdP SAML Configuration</b></div>
                          <div>
                            <div>Here is my main question, because in
                              the fields:</div>
                            <div>
                              <ol>
                                <li>Single sign on URL</li>
                                <li>Audience URI (SP Entity ID)</li>
                              </ol>
                            </div>
                            <div>I need to enter existing data from
                              Midpoint, but I'm not sure where to get
                              this information.</div>
                          </div>
                          <div><br>
                          </div>
                          <div><b>My Security Policy Config:</b></div>
                          <div>I made the settings in the IdP, generated
                            the metadata, encoded it in base64 and put
                            it in the Midpoint settings.<br>
                          </div>
                          <div><b><br>
                            </b></div>
                          <div>
                            <div><authentication></div>
                            <div>        <modules></div>
                            <div>            <loginForm id="15"></div>
                            <div>               
                              <name>internalLoginForm</name></div>
                            <div>               
                              <description>Internal
                              username/password authentication, default
                              user password, login
                              form</description></div>
                            <div>            </loginForm></div>
                            <div>            <saml2 id="16"></div>
                            <div>               
                              <name>oktaidp</name></div>
                            <div>                <description>My
                              SAML-based SSO system.</description></div>
                            <div>                <network></div>
                            <div>                   
                              <readTimeout>10000</readTimeout></div>
                            <div>                   
                              <connectTimeout>5000</connectTimeout></div>
                            <div>                </network></div>
                            <div>                <serviceProvider></div>
                            <div>                   
                              <entityId>sp_midpoint</entityId></div>
                            <div>                   
                              <signRequests>true</signRequests></div>
                            <div>                   
                              <wantAssertionsSigned>true</wantAssertionsSigned></div>
                            <div>                   
                              <singleLogoutEnabled>true</singleLogoutEnabled></div>
                            <div>                   
<nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</nameId></div>
                            <div>                    <keys/></div>
                            <div>                    <provider
                              id="17"></div>
                            <div>                       
                              <entityId><a
                                href="http://www.okta.com/xxxxxxxxxxxx4x6"
                                moz-do-not-send="true">http://www.okta.com/xxxxxxxxxxxx4x6</a></entityId></div>
                            <div>                       
                              <alias>SSO-Okta</alias></div>
                            <div>                       
                              <metadata></div>
                            <div>                           
<xml>PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48bWQ6RW50aXR5RGVzY3JpcHRvciBlbnRpdHlJRD0iaHR0cDovL3d3dy5va3RhLmNvbS9leGtvNGQ3MjFLNXZBU0</xml></div>
                            <div>                       
                              </metadata></div>
                            <div>                       
                              <skipSslValidation>true</skipSslValidation></div>
                            <div>                       
                              <linkText>Okta</linkText></div>
                            <div>                       
<authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding></div>
                            <div>                       
                              <nameOfUsernameAttribute>uid</nameOfUsernameAttribute></div>
                            <div>                    </provider></div>
                            <div>               
                              </serviceProvider></div>
                            <div>            </saml2></div>
                            <div>        </modules></div>
                            <div>        <sequence id="8"></div>
                            <div>           
                              <name>admin-gui-default</name></div>
                            <div>            <description></div>
                            <div>                Default GUI
                              authentication sequence.</div>
                            <div>                We want to try company
                              SSO, federation and internal. In that
                              order.</div>
                            <div>                Just one of them needs
                              to be successful to let the user in.</div>
                            <div>            </description></div>
                            <div>            <channel></div>
                            <div>                <channelId><a
                                href="http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user"
                                moz-do-not-send="true">http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</a></channelId></div>
                            <div>               
                              <default>true</default></div>
                            <div>               
                              <urlSuffix>default</urlSuffix></div>
                            <div>            </channel></div>
                            <div>            <module id="12"></div>
                            <div>               
                              <name>oktaidp</name></div>
                            <div>               
                              <order>30</order></div>
                            <div>               
                              <necessity>sufficient</necessity></div>
                            <div>            </module></div>
                            <div>            <module id="13"></div>
                            <div>               
                              <name>internalLoginForm</name></div>
                            <div>               
                              <order>20</order></div>
                            <div>               
                              <necessity>sufficient</necessity></div>
                            <div>            </module></div>
                            <div>        </sequence></div>
                            <div>        <sequence id="9"></div>
                            <div>           
                              <name>admin-gui-emergency</name></div>
                            <div>            <description></div>
                            <div>                Special GUI
                              authentication sequence that is using just
                              the internal user password.</div>
                            <div>                It is used only in an
                              emergency. It allows skipping SAML
                              authentication cycles, e.g. in case</div>
                            <div>                the SAML
                              authentication is redirecting the browser
                              incorrectly.</div>
                            <div>            </description></div>
                            <div>            <channel></div>
                            <div>                <channelId><a
                                href="http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user"
                                moz-do-not-send="true">http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</a></channelId></div>
                            <div>               
                              <default>false</default></div>
                            <div>               
                              <urlSuffix>emergency</urlSuffix></div>
                            <div>            </channel></div>
                            <div>            <requireAssignmentTarget
                              oid="00000000-0000-0000-0000-000000000004"
                              relation="org:default"
                              type="c:RoleType"></div>
                            <div>                <!-- Superuser
                              --></div>
                            <div>           
                              </requireAssignmentTarget></div>
                            <div>            <module id="14"></div>
                            <div>               
                              <name>internalLoginForm</name></div>
                            <div>               
                              <order>30</order></div>
                            <div>               
                              <necessity>sufficient</necessity></div>
                            <div>            </module></div>
                            <div>        </sequence></div>
                            <div>    </authentication></div>
                          </div>
                          <div><br>
                          </div>
                          <div><br>
                          </div>
                          <div>If anyone has any suggestions for solving
                            the problem I would appreciate it.<br>
                          </div>
                          <div><br>
                          </div>
                          <div>Regards</div>
                          <div><br>
                          </div>
                          <div>Gus</div>
                          <div><br>
                          </div>
                          <div><br>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
      <pre class="moz-quote-pre" wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="https://lists.evolveum.com/mailman/listinfo/midpoint">https://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
    </blockquote>
  </body>
</html>