<div dir="ltr"><div>I've just changed a few things, based on your config, <br></div><div><br></div><saml2><br> <name>oktaidp</name><br> <description>Enterprise SAML-based SSO system</description><br> <network><br> <readTimeout>10000</readTimeout><br> <connectTimeout>5000</connectTimeout><br> </network><br> <serviceProvider><br> <entityId>sp_midpoint</entityId><br> <aliasForPath>okta</aliasForPath><br> <signRequests>false</signRequests><br> <wantAssertionsSigned>true</wantAssertionsSigned><br> <singleLogoutEnabled>true</singleLogoutEnabled><br> <nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</nameId><br> <provider><br> <entityId><a href="http://www.okta.com/xxxxxxxxxxxx4x6">http://www.okta.com/xxxxxxxxxxxx4x6</a></entityId><br> <alias>SSO-Okta</alias><br> <metadata><br> <xml>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</xml><br> </metadata><br> <skipSslValidation>false</skipSslValidation><br> <linkText>Okta</linkText><br> <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding><br> <nameOfUsernameAttribute>uid</nameOfUsernameAttribute><br> </provider><br> </serviceProvider><br></saml2><br><br><br>And your ACS url will be something like this: <a href="http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta">http://midpoint-02.xyz.net/midpoint/auth/default/oktaidp/SSO/alias/okta</a><br><div><br></div><br><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Aug 17, 2020 at 2:24 PM Gus Lou <<a href="mailto:gugalou38@gmail.com">gugalou38@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Hi Luca</div><div dir="ltr">Thank you very much for your help. I had not configured this option yet.<div><div>I did the suggested configuration, now the link to the IdP in the midpoint interface is correct.</div><div>But when I click on the link to the IdP and do the authentication and get the reply back to the midpoint I get an error:</div><div><span style="background-color:rgb(255,255,255)"><font color="#000000"><span style="box-sizing:border-box;display:inline-block;font-size:14px;margin:0px;line-height:1;font-family:"Source Sans Pro","Helvetica Neue",Helvetica,Arial,sans-serif"><i>Midpoint saml module doesn't receive response from Identity Provider server.</i></span><br></font></span></div><div><span style="background-color:rgb(255,255,255)"><font color="#000000"><span style="box-sizing:border-box;display:inline-block;margin:0px;line-height:1"><i><font face="Source Sans Pro, Helvetica Neue, Helvetica, Arial, sans-serif"><span style="font-size:14px">Authentication failed, and as a consequence was restarted authentication flow</span></font></i></span></font></span></div><div>(probably due to the fact that the midpoint ACS url in the IdP is not correct.)</div><div><br></div><div>I need to find out what the Midpoint Assertion Consumer Service (ACS) URL is to report on the IdP.</div></div><div><br></div><div>Print Screen after IdP Authentication failed</div><div><div><img src="cid:ii_kdyl6p2k4" alt="image.png" width="541" height="226"><br></div></div><div><br></div><div>Regards<br></div><div><br></div><div>Gus</div></div></div></div></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Em seg., 17 de ago. de 2020 às 03:18, Lukas Skublik <<a href="mailto:lukas.skublik@evolveum.com" target="_blank">lukas.skublik@evolveum.com</a>> escreveu:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Hello Gus,<br>
<br>
you try configure attribute
systemConfiguration/infrastructure/publicHttpUrlPattern to
'<a href="http://midpoint-02.xyz.net/midpoint" target="_blank">http://midpoint-02.xyz.net/midpoint</a>'.<br>
<br>
Regards,<br>
Lukas Skublik<br>
</p>
<div>On 6. 8. 2020 0:00, Gus Lou wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">Hi Guys
<div>
<div>Anyone here already integrated Midpoint
with Okta's solution to provide Midpoint
authentication through the SAML 2.0
protocol?</div>
<div>I created a free developer account on
Okta and I am trying to make the SAML
settings following the guidelines below:</div>
<div><br>
</div>
<div><b>Midpoint Wiki:</b> </div>
<div><a href="https://wiki.evolveum.com/display/midPoint/Flexible+Authentication+Configuration" target="_blank">https://wiki.evolveum.com/display/midPoint/Flexible+Authentication+Configuration</a></div>
<div><br>
</div>
<div><b>Git Example
Security-policy-flexible-authentication:</b> </div>
<div><a href="https://github.com/Evolveum/midpoint-samples/blob/master/samples/policy/security/security-policy-flexible-authentication.xml" target="_blank">https://github.com/Evolveum/midpoint-samples/blob/master/samples/policy/security/security-policy-flexible-authentication.xml</a></div>
<div><br>
</div>
<div><b>Okta Example - SAML Spring Security:</b></div>
<div><a href="https://developer.okta.com/code/java/spring_security_saml/" target="_blank">https://developer.okta.com/code/java/spring_security_saml/</a></div>
<div><a href="https://github.com/oktadeveloper/okta-spring-boot-saml-example" target="_blank">https://github.com/oktadeveloper/okta-spring-boot-saml-example</a></div>
<div><br>
</div>
<div>I understand that Okta is the Identity
Provider IdP and Midpoint is the Service
Provider SP.</div>
<div>After trying to make the settings I had
some doubts:</div>
<div><br>
</div>
<div>What is the Midpoint uri that receives
the IdP response?</div>
<div>What is the Midpoint url that I should
use to perform the authentication of the
IdP (Okta). Because when I try to inform
an existing user in the IdP an error
appears and a screen with the link of the
IdP (in this part there is another error
that I couldn't solve the midpoint
displays the internal address <a href="https://127.0.0.1/" target="_blank">https://127.0.0.1/</a></div>
</div>
<div><br>
</div>
<div>Some Informations from my Lab:</div>
<div><br>
</div>
<div><b>Print-01 Midpoint - Authentatication
GUI</b> (the user john.doe, does not exist
at midpoint but exists at IdP)</div>
<div>
<div><img src="cid:173fca052abcb971f161" alt="image.png" width="541" height="190"><br>
</div>
</div>
<div><br>
</div>
<div><b>Print-02 </b></div>
<div>
<div>After I try to authenticate, I get the
error message:</div>
<div><i><u><font style="background-color:rgb(243,243,243)" color="#ff0000">Couldn't
authenticate user, reason: couldn't
encode password.</font></u></i></div>
</div>
<div>
<div><img src="cid:173fca052accb971f162" alt="image.png" width="541" height="207"><br>
</div>
</div>
<div><br>
</div>
<div><b>Print-03</b></div>
<div>
<div>The link to the idp Okta is displaying
the midpoint's internal address:</div>
<div><b><font color="#ff0000"><a href="http://127.0.0.1:8080/" target="_blank">http://127.0.0.1:8080/</a></font></b>midpoint/auth/default/oktaidp/discovery?idp=http%3A%2F%<a href="http://2Fwww.okta.com" target="_blank">2Fwww.okta.com</a>%2Fexko4d721K5vASKoJ4x6</div>
<div><br>
</div>
<div>Instead of the hostname address:</div>
<div><b><font color="#0000ff"><a href="http://midpoint-02.xyz.net" target="_blank">http://midpoint-02.xyz.net</a></font></b>/midpoint/auth/default/oktaidp/discovery?idp=http%3A%2F%<a href="http://2Fwww.okta.com" target="_blank">2Fwww.okta.com</a>%2Fexko4d721K5vASKoJ4x6</div>
<div><br>
</div>
<div>I believe it is some incorrect
configuration on my reverse proxy - nginx</div>
</div>
<div>
<div>
<div><img src="cid:173fca052accb971f163" alt="image.png" width="541" height="178"><br>
</div>
</div>
</div>
<div><br>
</div>
<div><b>Print-04: Okta IdP SAML Configuration</b></div>
<div>
<div>Here is my main question, because in
the fields:</div>
<div>
<ol>
<li>Single sign on URL</li>
<li>Audience URI (SP Entity ID)</li>
</ol>
</div>
<div>I need to report existing data in
Midpoint, but I'm not sure where to get
this information.</div>
</div>
<div>
<div><img src="cid:173fca052accb971f164" alt="image.png" width="541" height="357"><br>
</div>
</div>
<div>
<div><br>
</div>
</div>
<div>
<div><br>
</div>
</div>
<div><br>
</div>
<div><b>My Security Policy Config:</b></div>
<div>I made the settings in the IdP, generated
the metadata, encoded it in base 64 and put
it in the Midpoint settings.<br>
</div>
<div><b><br>
</b></div>
<div>
<div><authentication></div>
<div> <modules></div>
<div> <loginForm id="15"></div>
<div>
<name>internalLoginForm</name></div>
<div>
<description>Internal
username/password authentication, default
user password, login
form</description></div>
<div> </loginForm></div>
<div> <saml2 id="16"></div>
<div>
<name>oktaidp</name></div>
<div> <description>My
SAML-based SSO system.</description></div>
<div> <network></div>
<div>
<readTimeout>10000</readTimeout></div>
<div>
<connectTimeout>5000</connectTimeout></div>
<div> </network></div>
<div> <serviceProvider></div>
<div>
<entityId>sp_midpoint</entityId></div>
<div>
<signRequests>true</signRequests></div>
<div>
<wantAssertionsSigned>true</wantAssertionsSigned></div>
<div>
<singleLogoutEnabled>true</singleLogoutEnabled></div>
<div>
<nameId>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</nameId></div>
<div> <keys/></div>
<div> <provider
id="17"></div>
<div>
<entityId><a href="http://www.okta.com/xxxxxxxxxxxx4x6" target="_blank">http://www.okta.com/xxxxxxxxxxxx4x6</a></entityId></div>
<div>
<alias>SSO-Okta</alias></div>
<div>
<metadata></div>
<div>
<xml>PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48bWQ6RW50aXR5RGVzY3JpcHRvciBlbnRpdHlJRD0iaHR0cDovL3d3dy5va3RhLmNvbS9leGtvNGQ3MjFLNXZBU0</xml></div>
<div>
</metadata></div>
<div>
<skipSslValidation>true</skipSslValidation></div>
<div>
<linkText>Okta</linkText></div>
<div>
<authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding></div>
<div>
<nameOfUsernameAttribute>uid</nameOfUsernameAttribute></div>
<div> </provider></div>
<div>
</serviceProvider></div>
<div> </saml2></div>
<div> </modules></div>
<div> <sequence id="8"></div>
<div>
<name>admin-gui-default</name></div>
<div> <description></div>
<div> Default GUI
authentication sequence.</div>
<div> We want to try company
SSO, federation and internal. In that
order.</div>
<div> Just one of then need
to be successful to let user in.</div>
<div> </description></div>
<div> <channel></div>
<div> <channelId><a href="http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user" target="_blank">http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</a></channelId></div>
<div>
<default>true</default></div>
<div>
<urlSuffix>default</urlSuffix></div>
<div> </channel></div>
<div> <module id="12"></div>
<div>
<name>oktaidp</name></div>
<div>
<order>30</order></div>
<div>
<necessity>sufficient</necessity></div>
<div> </module></div>
<div> <module id="13"></div>
<div>
<name>internalLoginForm</name></div>
<div>
<order>20</order></div>
<div>
<necessity>sufficient</necessity></div>
<div> </module></div>
<div> </sequence></div>
<div> <sequence id="9"></div>
<div>
<name>admin-gui-emergency</name></div>
<div> <description></div>
<div> Special GUI
authentication sequence that is using just
the internal user password.</div>
<div> It is used only in
emergency. It allows to skip SAML
authentication cycles, e.g. in case</div>
<div> that the SAML
authentication is redirecting the browser
incorrectly.</div>
<div> </description></div>
<div> <channel></div>
<div> <channelId><a href="http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user" target="_blank">http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</a></channelId></div>
<div>
<default>false</default></div>
<div>
<urlSuffix>emergency</urlSuffix></div>
<div> </channel></div>
<div> <requireAssignmentTarget
oid="00000000-0000-0000-0000-000000000004"
relation="org:default"
type="c:RoleType"></div>
<div> <!-- Superuser
--></div>
<div>
</requireAssignmentTarget></div>
<div> <module id="14"></div>
<div>
<name>internalLoginForm</name></div>
<div>
<order>30</order></div>
<div>
<necessity>sufficient</necessity></div>
<div> </module></div>
<div> </sequence></div>
<div> </authentication></div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>If anyone has any suggestions for solving
the problem I would appreciate it.<br>
</div>
<div><br>
</div>
<div>Regards</div>
<div><br>
</div>
<div>Gus</div>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="https://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">https://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
</div>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="https://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">https://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
</blockquote></div>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="https://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">https://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><table style="font-family:arial,sans-serif;font-style:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);color:rgb(0,0,0);font-size:medium" width="450" cellspacing="0" cellpadding="0" border="0"><tbody><tr><td rowspan="6" style="font-family:arial,sans-serif;margin:0px" width="105" valign="top" height="120" align="right"><a href="https://www.ifood.com.br/" style="color:rgb(17,85,204)" target="_blank"><img src="https://www.ifood.com.br/nws/assinatura/iFood_assinatura3.gif" alt="" width="105" height="110"></a></td><td style="font-family:arial,sans-serif;margin:0px" width="18"><br></td><td style="font-family:arial,sans-serif;margin:0px" height="22"><div style="line-height:18px;font-family:Montserrat,"Trebuchet MS","Lucida Grande","Lucida Sans Unicode","Lucida Sans",Tahoma,sans-serif;color:rgb(85,85,85)"><p style="margin:0px;line-height:18px"><span style="font-size:14px">Alexandre R Zia<br></span></p></div></td></tr><tr><td style="font-family:arial,sans-serif;margin:0px" width="18"><br></td><td style="font-family:arial,sans-serif;margin:0px"><div style="font-size:12px;line-height:14px;font-family:Montserrat,"Trebuchet MS","Lucida Grande","Lucida Sans Unicode","Lucida Sans",Tahoma,sans-serif;color:rgb(228,0,43)"><p style="margin:0px;line-height:15px"><span style="line-height:15px"><b>Security</b></span></p></div></td></tr><tr><td style="font-family:arial,sans-serif;margin:0px" width="18" height="10"><br></td><td style="font-family:arial,sans-serif;margin:0px" height="10"><br></td></tr><tr><td style="font-family:arial,sans-serif;margin:0px" width="18"><br></td><td style="font-family:arial,sans-serif;margin:0px"><br></td></tr><tr><td style="font-family:arial,sans-serif;margin:0px" width="18"><br></td><td style="font-family:arial,sans-serif;margin:0px"><div style="font-size:11px;line-height:16px;font-family:Montserrat,"Trebuchet MS","Lucida Grande","Lucida Sans Unicode","Lucida Sans",Tahoma,sans-serif"><a href="https://www.ifood.com.br/" style="color:rgb(119,119,119);line-height:16px" target="_blank">www.ifood.com.br</a></div></td></tr><tr><td colspan="2" style="font-family:arial,sans-serif;margin:0px" height="35"><table width="190" cellspacing="0" cellpadding="0" border="0"><tbody><tr><td style="font-family:arial,sans-serif;margin:0px" width="12"> </td><td style="font-family:arial,sans-serif;margin:0px"><a href="https://www.facebook.com/iFood?fref=ts" style="color:rgb(17,85,204)" target="_blank"><img src="https://www.ifood.com.br/nws/assinatura/facebook_2x.png" alt="" width="32" height="32"></a></td><td style="font-family:arial,sans-serif;margin:0px"><a href="https://twitter.com/iFood" style="color:rgb(17,85,204)" target="_blank"><img src="https://www.ifood.com.br/nws/assinatura/twitter_2x.png" alt="" width="32" height="32"></a></td><td style="font-family:arial,sans-serif;margin:0px"><a href="https://www.instagram.com/iFoodBrasil/" style="color:rgb(17,85,204)" target="_blank"><img src="https://www.ifood.com.br/nws/assinatura/instagram_2x.png" alt="" width="32" height="32"></a></td><td style="font-family:arial,sans-serif;margin:0px"><a href="https://www.youtube.com/ifood" style="color:rgb(17,85,204)" target="_blank"><img src="https://www.ifood.com.br/nws/assinatura/youtube_2x.png" alt="" width="32" height="32"></a></td></tr></tbody></table></td></tr></tbody></table><table style="color:rgb(34,34,34);font-style:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);font-size:13px;line-height:normal;font-family:tahoma,geneva,sans-serif" width="630" cellspacing="0" cellpadding="0" border="0"><tbody><tr><td style="font-family:arial,sans-serif;margin:0px"><table width="100%" cellspacing="0" cellpadding="0" border="0"></table></td></tr></tbody></table></div></div></div></div>