<div dir="ltr"><div dir="ltr">Hi Lukas</div><div dir="ltr">Thanks for your help.<br><div><br></div><div><div>I made the suggested changes.</div><div>I'm getting an error after authenticating with the IdP and returning to Midpoint:</div><div>Midpoint saml module doesn't receive response from Identity Provider server.</div><div>I'm investigating what may be wrong.</div></div><div><br></div><div>Regards</div><div><br></div><div>Gus</div><div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 18 Aug 2020 at 02:28, Lukas Skublik <<a href="mailto:lukas.skublik@evolveum.com">lukas.skublik@evolveum.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  
    
  
  <div>
    <p>Hello Gus, <br>
      midPoint waits for the response on the URL
"'basic_URL'/auth/'urlSuffix_for_sequence'/'name_of_module'/SSO/alias/'entityId_for_SP'",
      so for you it is
<a href="http://midpoint-02.xyz.net/midpoint/auth/default/mySamlSso/SSO/alias/sp_midpoint" target="_blank">"http://midpoint-02.xyz.net/midpoint/auth/default/mySamlSso/SSO/alias/sp_midpoint"</a>.</p>
    <p>Regards,<br>
      Lukas Skublik</p>
    <div>On 17. 8. 2020 16:15, Gus Lou wrote:<br>
    </div>
    <blockquote type="cite">
      
      <div dir="ltr">
        <div dir="ltr">
          <div dir="ltr">
            <div dir="ltr">
              <div dir="ltr">
                <div dir="ltr">
                  <div dir="ltr">
                    <div dir="ltr">Hi Luca</div>
                    <div dir="ltr">Thank you very much for your help. I
                      had not configured this option yet.
                      <div>
                        <div>I did the suggested configuration, and now the
                          link to the IdP in the Midpoint interface is
                          correct.</div>
                        <div>But when I click on the link to the IdP,
                          do the authentication and get the reply back
                          to Midpoint, I get an error:</div>
                        <div><i>Midpoint saml module doesn't receive response from Identity Provider server.</i></div>
                        <div><i>Authentication failed, and as a consequence was restarted authentication flow</i></div>
                        <div>(probably due to the fact that the Midpoint
                          ACS URL in the IdP is not correct.)</div>
                        <div><br>
                        </div>
                        <div>I need to find out what the Midpoint
                          Assertion Consumer Service (ACS) URL is to
                          enter in the IdP.</div>
                      </div>
                      <div><br>
                      </div>
                      <div>Print Screen after IdP Authentication failed</div>
                      <div>
                        <div><img src="cid:1740372287fcb971f161" alt="image.png" width="541" height="226"><br>
                        </div>
                      </div>
                      <div><br>
                      </div>
                      <div>Regards<br>
                      </div>
                      <div><br>
                      </div>
                      <div>Gus</div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr" class="gmail_attr">On Mon, 17 Aug 2020 at
          03:18, Lukas Skublik <<a href="mailto:lukas.skublik@evolveum.com" target="_blank">lukas.skublik@evolveum.com</a>>
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
          <div>
            <p>Hello Gus,<br>
              <br>
              try configuring the attribute
              systemConfiguration/infrastructure/publicHttpUrlPattern to
              '<a href="http://midpoint-02.xyz.net/midpoint" target="_blank">http://midpoint-02.xyz.net/midpoint</a>'.<br>
              <br>
              Regards,<br>
              Lukas Skublik<br>
            </p>
            <div>On 6. 8. 2020 0:00, Gus Lou wrote:<br>
            </div>
            <blockquote type="cite">
              <div dir="ltr">
                <div dir="ltr">
                  <div dir="ltr">
                    <div dir="ltr">
                      <div dir="ltr">
                        <div dir="ltr">
                          <div dir="ltr">
                            <div dir="ltr">
                              <div dir="ltr">
                                <div dir="ltr">Hi Guys
                                  <div>
                                    <div>Has anyone here already integrated
                                      Midpoint with Okta's solution to
                                      provide Midpoint authentication
                                      through the SAML 2.0 protocol?</div>
                                    <div>I created a free developer
                                      account on Okta and I am trying to
                                      make the SAML settings following
                                      the guidelines below:</div>
                                    <div><br>
                                    </div>
                                    <div><b>Midpoint Wiki:</b> </div>
                                    <div><a href="https://wiki.evolveum.com/display/midPoint/Flexible+Authentication+Configuration" target="_blank">https://wiki.evolveum.com/display/midPoint/Flexible+Authentication+Configuration</a></div>
                                    <div><br>
                                    </div>
                                    <div><b>Git Example
                                        Security-policy-flexible-authentication:</b> </div>
                                    <div><a href="https://github.com/Evolveum/midpoint-samples/blob/master/samples/policy/security/security-policy-flexible-authentication.xml" target="_blank">https://github.com/Evolveum/midpoint-samples/blob/master/samples/policy/security/security-policy-flexible-authentication.xml</a></div>
                                    <div><br>
                                    </div>
                                    <div><b>Okta Example - SAML Spring
                                        Security:</b></div>
                                    <div><a href="https://developer.okta.com/code/java/spring_security_saml/" target="_blank">https://developer.okta.com/code/java/spring_security_saml/</a></div>
                                    <div><a href="https://github.com/oktadeveloper/okta-spring-boot-saml-example" target="_blank">https://github.com/oktadeveloper/okta-spring-boot-saml-example</a></div>
                                    <div><br>
                                    </div>
                                    <div>I understand that Okta is the
                                      Identity Provider (IdP) and Midpoint
                                      is the Service Provider (SP).</div>
                                    <div>After trying to make the
                                      settings, I had some doubts:</div>
                                    <div><br>
                                    </div>
                                    <div>What is the Midpoint URI that
                                      receives the IdP response?</div>
                                    <div>What is the Midpoint URL that I
                                      should use to perform the
                                      authentication against the IdP (Okta)?
                                      When I try to enter a user that
                                      exists in the IdP, an error
                                      appears together with a screen with the link
                                      to the IdP (in this part there is
                                      another error that I couldn't
                                      solve: Midpoint displays the
                                      internal address <a href="https://127.0.0.1/" target="_blank">https://127.0.0.1/</a>).</div>
                                  </div>
                                  <div><br>
                                  </div>
                                  <div>Some information from my lab:</div>
                                  <div><br>
                                  </div>
                                  <div><b>Print-01 Midpoint -
                                      Authentication GUI</b> (the user
                                    john.doe does not exist in Midpoint
                                    but exists in the IdP)</div>
                                  <div>
                                    <div><img src="cid:1740372287fcb971f162" alt="image.png" width="541" height="190"><br>
                                    </div>
                                  </div>
                                  <div><br>
                                  </div>
                                  <div><b>Print-02 </b></div>
                                  <div>
                                    <div>After I try to authenticate, I
                                      get the error message:</div>
                                    <div><i><u><font style="background-color:rgb(243,243,243)" color="#ff0000">Couldn't
                                            authenticate user, reason:
                                            couldn't encode password.</font></u></i></div>
                                  </div>
                                  <div>
                                    <div><img src="cid:1740372287fcb971f163" alt="image.png" width="541" height="207"><br>
                                    </div>
                                  </div>
                                  <div><br>
                                  </div>
                                  <div><b>Print-03</b></div>
                                  <div>
                                    <div>The link to the IdP Okta is
                                      displaying Midpoint's internal
                                      address:</div>
                                    <div><b><font color="#ff0000"><a href="http://127.0.0.1:8080/" target="_blank">http://127.0.0.1:8080/</a></font></b>midpoint/auth/default/oktaidp/discovery?idp=http%3A%2F%2Fwww.okta.com%2Fexko4d721K5vASKoJ4x6</div>
                                    <div><br>
                                    </div>
                                    <div>Instead of the hostname
                                      address:</div>
                                    <div><b><font color="#0000ff"><a href="http://midpoint-02.xyz.net" target="_blank">http://midpoint-02.xyz.net</a></font></b>/midpoint/auth/default/oktaidp/discovery?idp=http%3A%2F%2Fwww.okta.com%2Fexko4d721K5vASKoJ4x6</div>
                                    <div><br>
                                    </div>
                                    <div>I believe it is some incorrect
                                      configuration on my reverse proxy
                                      (nginx).</div>
                                  </div>
                                  <div>
                                    <div>
                                      <div><img src="cid:1740372287fcb971f164" alt="image.png" width="541" height="178"><br>
                                      </div>
                                    </div>
                                  </div>
                                  <div><br>
                                  </div>
                                  <div><b>Print-04: Okta IdP SAML
                                      Configuration</b></div>
                                  <div>
                                    <div>Here is my main question,
                                      because in the fields:</div>
                                    <div>
                                      <ol>
                                        <li>Single sign on URL</li>
                                        <li>Audience URI (SP Entity ID)</li>
                                      </ol>
                                    </div>
                                    <div>I need to enter data that exists
                                      in Midpoint, but I'm not sure
                                      where to get this information.</div>
                                  </div>
                                  <div>
                                    <div><img src="cid:1740372287fcb971f165" alt="image.png" width="541" height="357"><br>
                                    </div>
                                  </div>
                                  <div>
                                    <div><br>
                                    </div>
                                  </div>
                                  <div>
                                    <div><br>
                                    </div>
                                  </div>
                                  <div><br>
                                  </div>
                                  <div><b>My Security Policy Config:</b></div>
                                  <div>I made the settings in the IdP,
                                    generated the metadata, encoded it
                                    in base64 and put it in the
                                    Midpoint settings.<br>
                                  </div>
                                  <div><b><br>
                                    </b></div>
                                  <div>
<pre>&lt;authentication&gt;
    &lt;modules&gt;
        &lt;loginForm id="15"&gt;
            &lt;name&gt;internalLoginForm&lt;/name&gt;
            &lt;description&gt;Internal username/password authentication, default user password, login form&lt;/description&gt;
        &lt;/loginForm&gt;
        &lt;saml2 id="16"&gt;
            &lt;name&gt;oktaidp&lt;/name&gt;
            &lt;description&gt;My SAML-based SSO system.&lt;/description&gt;
            &lt;network&gt;
                &lt;readTimeout&gt;10000&lt;/readTimeout&gt;
                &lt;connectTimeout&gt;5000&lt;/connectTimeout&gt;
            &lt;/network&gt;
            &lt;serviceProvider&gt;
                &lt;entityId&gt;sp_midpoint&lt;/entityId&gt;
                &lt;signRequests&gt;true&lt;/signRequests&gt;
                &lt;wantAssertionsSigned&gt;true&lt;/wantAssertionsSigned&gt;
                &lt;singleLogoutEnabled&gt;true&lt;/singleLogoutEnabled&gt;
                &lt;nameId&gt;urn:oasis:names:tc:SAML:2.0:nameid-format:transient&lt;/nameId&gt;
                &lt;keys/&gt;
                &lt;provider id="17"&gt;
                    &lt;entityId&gt;http://www.okta.com/xxxxxxxxxxxx4x6&lt;/entityId&gt;
                    &lt;alias&gt;SSO-Okta&lt;/alias&gt;
                    &lt;metadata&gt;
                        &lt;xml&gt;PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48bWQ6RW50aXR5RGVzY3JpcHRvciBlbnRpdHlJRD0iaHR0cDovL3d3dy5va3RhLmNvbS9leGtvNGQ3MjFLNXZBU0&lt;/xml&gt;
                    &lt;/metadata&gt;
                    &lt;skipSslValidation&gt;true&lt;/skipSslValidation&gt;
                    &lt;linkText&gt;Okta&lt;/linkText&gt;
                    &lt;authenticationRequestBinding&gt;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST&lt;/authenticationRequestBinding&gt;
                    &lt;nameOfUsernameAttribute&gt;uid&lt;/nameOfUsernameAttribute&gt;
                &lt;/provider&gt;
            &lt;/serviceProvider&gt;
        &lt;/saml2&gt;
    &lt;/modules&gt;
    &lt;sequence id="8"&gt;
        &lt;name&gt;admin-gui-default&lt;/name&gt;
        &lt;description&gt;
            Default GUI authentication sequence.
            We want to try company SSO, federation and internal. In that order.
            Just one of them needs to be successful to let the user in.
        &lt;/description&gt;
        &lt;channel&gt;
            &lt;channelId&gt;http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user&lt;/channelId&gt;
            &lt;default&gt;true&lt;/default&gt;
            &lt;urlSuffix&gt;default&lt;/urlSuffix&gt;
        &lt;/channel&gt;
        &lt;module id="12"&gt;
            &lt;name&gt;oktaidp&lt;/name&gt;
            &lt;order&gt;30&lt;/order&gt;
            &lt;necessity&gt;sufficient&lt;/necessity&gt;
        &lt;/module&gt;
        &lt;module id="13"&gt;
            &lt;name&gt;internalLoginForm&lt;/name&gt;
            &lt;order&gt;20&lt;/order&gt;
            &lt;necessity&gt;sufficient&lt;/necessity&gt;
        &lt;/module&gt;
    &lt;/sequence&gt;
    &lt;sequence id="9"&gt;
        &lt;name&gt;admin-gui-emergency&lt;/name&gt;
        &lt;description&gt;
            Special GUI authentication sequence that is using just the internal user password.
            It is used only in emergency. It allows skipping SAML authentication cycles, e.g. in case
            the SAML authentication is redirecting the browser incorrectly.
        &lt;/description&gt;
        &lt;channel&gt;
            &lt;channelId&gt;http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user&lt;/channelId&gt;
            &lt;default&gt;false&lt;/default&gt;
            &lt;urlSuffix&gt;emergency&lt;/urlSuffix&gt;
        &lt;/channel&gt;
        &lt;requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType"&gt;
            &lt;!-- Superuser --&gt;
        &lt;/requireAssignmentTarget&gt;
        &lt;module id="14"&gt;
            &lt;name&gt;internalLoginForm&lt;/name&gt;
            &lt;order&gt;30&lt;/order&gt;
            &lt;necessity&gt;sufficient&lt;/necessity&gt;
        &lt;/module&gt;
    &lt;/sequence&gt;
&lt;/authentication&gt;
</pre>
                                  </div>
                                  <div><br>
                                  </div>
                                  <div><br>
                                  </div>
                                  <div>If anyone has any suggestions for
                                    solving the problem I would
                                    appreciate it.<br>
                                  </div>
                                  <div><br>
                                  </div>
                                  <div>Regards</div>
                                  <div><br>
                                  </div>
                                  <div>Gus</div>
                                  <div><br>
                                  </div>
                                  <div><br>
                                  </div>
                                </div>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
              <br>
              <fieldset></fieldset>
              <pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="https://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">https://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
            </blockquote>
          </div>
        </blockquote>
      </div>
      <br>
    </blockquote>
  </div>

</blockquote></div>
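<p>As an added example (not code from this thread or from midPoint itself), the Python script below applies the ACS URL pattern Lukas quoted, basic_URL/auth/urlSuffix/name_of_module/SSO/alias/entityId_for_SP, to a security policy and prints what goes into Okta's "Single sign on URL" and "Audience URI (SP Entity ID)" fields, which were the open questions in the first message. It also flags the two misconfigurations the thread ran into: an unset publicHttpUrlPattern, which leaves the IdP link pointing at 127.0.0.1, and a provider entityId that does not match the entityID inside the base64 metadata. The policy fragment and the IdP metadata in the script are constructed for this example (namespaces omitted, metadata reduced to an EntityDescriptor with a placeholder Okta id); the element names it reads are the ones in the posted policy, and the assumption that the alias segment is the SP entityId comes from Lukas's reply.</p>

```python
"""Derive IdP registration values for a midPoint SAML service provider.

Added example, not part of the midPoint mailing-list thread or of midPoint.
Assumes the ACS URL pattern quoted in the thread:
    <publicHttpUrlPattern>/auth/<urlSuffix>/<saml2 module name>/SSO/alias/<SP entityId>
The policy XML and IdP metadata below are constructed stand-ins (no namespaces,
placeholder Okta id); a real policy is namespaced and real metadata is larger.
"""
import base64
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlparse

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed stand-in for the metadata an IdP exports, base64-encoded the way
# midPoint's <metadata><xml> element carries it. "exkEXAMPLE" is a placeholder id.
IDP_ENTITY_ID = "http://www.okta.com/exkEXAMPLE"
IDP_METADATA_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    f'<md:EntityDescriptor xmlns:md="{SAML_MD_NS}" entityID="{IDP_ENTITY_ID}"/>'
)
IDP_METADATA_B64 = base64.b64encode(IDP_METADATA_XML.encode()).decode()

# Constructed security policy fragment shaped like the one posted in the thread.
SECURITY_POLICY_XML = f"""<securityPolicy>
  <authentication>
    <modules>
      <saml2>
        <name>oktaidp</name>
        <serviceProvider>
          <entityId>sp_midpoint</entityId>
          <provider>
            <entityId>{IDP_ENTITY_ID}</entityId>
            <alias>SSO-Okta</alias>
            <metadata><xml>{IDP_METADATA_B64}</xml></metadata>
          </provider>
        </serviceProvider>
      </saml2>
    </modules>
    <sequence>
      <name>admin-gui-default</name>
      <channel>
        <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
        <default>true</default>
        <urlSuffix>default</urlSuffix>
      </channel>
      <module><name>oktaidp</name><order>30</order><necessity>sufficient</necessity></module>
    </sequence>
  </authentication>
</securityPolicy>"""


def sp_registration_values(policy_xml: str, public_http_url_pattern: Optional[str]) -> dict:
    """Return the IdP form values for every (sequence, saml2 module) pair plus a problem list."""
    problems = []
    if not public_http_url_pattern:
        # Without publicHttpUrlPattern midPoint builds links from the address it sees itself,
        # which behind a reverse proxy is the loopback address observed in the thread.
        problems.append("systemConfiguration/infrastructure/publicHttpUrlPattern is not set")
        base = "http://127.0.0.1:8080/midpoint"
    else:
        base = public_http_url_pattern.rstrip("/")
        if urlparse(base).hostname in ("127.0.0.1", "localhost"):
            problems.append("publicHttpUrlPattern points at a loopback address the IdP cannot return to")

    auth = ET.fromstring(policy_xml).find("authentication")
    registrations = []
    for saml in auth.findall("modules/saml2"):
        module_name = saml.findtext("name")
        sp = saml.find("serviceProvider")
        sp_entity_id = sp.findtext("entityId")
        # The urlSuffix is part of the ACS URL, so each sequence using the module gets its own.
        for seq in auth.findall("sequence"):
            if not any(m.findtext("name") == module_name for m in seq.findall("module")):
                continue
            suffix = seq.findtext("channel/urlSuffix")
            registrations.append({
                "sequence": seq.findtext("name"),
                "module": module_name,
                "single_sign_on_url": f"{base}/auth/{suffix}/{module_name}/SSO/alias/{sp_entity_id}",
                "audience_uri": sp_entity_id,
            })
        # The provider entityId in the policy must equal the entityID inside the pasted metadata.
        for prov in sp.findall("provider"):
            declared = prov.findtext("entityId")
            encoded = (prov.findtext("metadata/xml") or "").strip()
            try:
                md = ET.fromstring(base64.b64decode(encoded, validate=True))
            except (ValueError, ET.ParseError) as exc:
                problems.append(f"provider {declared}: metadata is not base64-encoded XML ({exc})")
                continue
            if md.tag != f"{{{SAML_MD_NS}}}EntityDescriptor":
                problems.append(f"provider {declared}: metadata root is {md.tag}, not md:EntityDescriptor")
            elif md.get("entityID") != declared:
                problems.append(f"provider entityId {declared} does not match metadata entityID {md.get('entityID')}")
    return {"registration": registrations, "problems": problems}


if __name__ == "__main__":
    report = sp_registration_values(SECURITY_POLICY_XML, "http://midpoint-02.xyz.net/midpoint")
    for entry in report["registration"]:
        print(f"{entry['sequence']}: SSO URL {entry['single_sign_on_url']}  Audience {entry['audience_uri']}")
    for problem in report["problems"]:
        print("PROBLEM:", problem)
```

<p>Run as-is it prints the values for the constructed policy. To use it against a real midPoint security policy, export the policy XML and pass it together with the configured publicHttpUrlPattern; because exported objects are namespaced, the element paths in the script then need the schema namespace prefixed in ElementTree's {namespace}name form.</p>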