<span style=" font-size:10pt;font-family:sans-serif">Hi Frederic.<br>
<br>
</span>
<ol>
<li value=1><span style=" font-size:10pt;font-family:sans-serif">All 3
users which I am using in parallel tests exist in RH SSO and midPoint,
with the same basic attributes. </span>
<li value=2><span style=" font-size:10pt;font-family:sans-serif">I am able
to log in to midPoint when I change the sequence to work with loginForm.</span>
<li value=3><span style=" font-size:10pt;font-family:sans-serif">All 3
users have an assignment to the EndUser role with GUI privileges.</span>
<li value=4><span style=" font-size:10pt;font-family:sans-serif">This anonymous
user appeared there because <b>com.evolveum.midpoint.web.security.MidPointGuiAuthorizationEvaluator.decide</b>
is calling </span><span style=" font-size:9pt;color:#2f2f2f;font-family:Consolas">MidPointPrincipal
principal </span><span style=" font-size:9pt;font-family:Consolas">=</span><span style=" font-size:9pt;color:#2f2f2f;font-family:Consolas">
getPrincipalFromAuthentication(authentication, object, configAttributes);</span>
</ol><span style=" font-size:12pt">From my point of view it
looks like something is missing inside my requests and hence </span><span style=" font-size:10pt;font-family:sans-serif"><b>MidPointGuiAuthorizationEvaluator.decide
</b>does not return with PASS but invokes </span><span style=" font-size:10pt;font-family:Consolas">getPrincipalFromAuthentication(</span><span style=" font-size:10pt;color:#622152;font-family:Consolas">authentication</span><span style=" font-size:10pt;font-family:Consolas">,
</span><span style=" font-size:10pt;color:#622152;font-family:Consolas">object</span><span style=" font-size:10pt;font-family:Consolas">,
</span><span style=" font-size:10pt;color:#622152;font-family:Consolas">configAttributes</span><span style=" font-size:10pt;font-family:Consolas">);</span>
<br>
<br><span style=" font-size:10pt;font-family:sans-serif">So
the signing is not working correctly? For the time being I decided to do basic
tests without signing.</span>
<br>
<br><img src=cid:_1_0E4165280E415F24001AE4C1C12586E1 style="border:0px solid;">
<br>
<br>
<br>
<br>
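Added example (not part of this thread, and not midPoint's or Keycloak's own code): a small Python script that decodes a captured SAMLResponse POST parameter and reports what the Service Provider actually received (Issuer, NameID, whether the Response and the Assertion carry an XML signature, and the AttributeStatement), then resolves the login name from whichever attribute the SP is configured to map to its user name. If that attribute is missing, no user name can be resolved, which is the kind of gap that ends in an "anonymous" principal. The sample response, the issuer URL and the `email` attribute are constructed for illustration; the `username = thus` attribute mirrors the AttributeStatement quoted further down in the thread.

```python
import base64
from xml.etree import ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample (not a real capture): a minimal, unsigned SAML Response
# carrying the attribute shape seen in the thread (username = thus).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://sso.example.test/auth/realms/demo</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sso.example.test/auth/realms/demo</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">G-1234</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>thus</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="email">
        <saml:AttributeValue>thus@example.test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def sample_b64():
    """Encode the constructed sample the way a browser would POST it."""
    return base64.b64encode(SAMPLE_RESPONSE.encode()).decode()


def summarize_response(saml_response_b64):
    """Decode a SAMLResponse value and report what the SP will see."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # Encrypted assertions (saml:EncryptedAssertion) need the SP key first.
        raise ValueError("no plaintext Assertion found in the Response")

    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    return {
        "issuer": (root.findtext("saml:Issuer", namespaces=NS) or "").strip(),
        "name_id": name_id.text if name_id is not None else None,
        # Presence of ds:Signature only; verifying it needs the IdP certificate.
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,
        "attributes": attributes,
    }


def login_name(summary, name_attribute):
    """Value the SP would look up as its user name, or None when the
    configured attribute is absent from the assertion."""
    values = summary["attributes"].get(name_attribute) or []
    return values[0] if values else None


if __name__ == "__main__":
    summary = summarize_response(sample_b64())
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("login name:", login_name(summary, "username"))
```

Run it against a real capture by replacing the sample with the SAMLResponse form field from the browser's network log; if both `response_signed` and `assertion_signed` are False while the SP is configured to require signatures, the IdP side of the signing setup is the thing to check before the user mapping.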
<br><span style=" font-size:9pt;color:#5f5f5f;font-family:sans-serif">From:
       </span><span style=" font-size:9pt;font-family:sans-serif">"Frédéric
Lohier" <frederic@lohier.org></span>
<br><span style=" font-size:9pt;color:#5f5f5f;font-family:sans-serif">To:
       </span><span style=" font-size:9pt;font-family:sans-serif">"midPoint
General Discussion" <midpoint@lists.evolveum.com></span>
<br><span style=" font-size:9pt;color:#5f5f5f;font-family:sans-serif">Cc:
       </span><span style=" font-size:9pt;font-family:sans-serif">tomas.husar@ibask.eu</span>
<br><span style=" font-size:9pt;color:#5f5f5f;font-family:sans-serif">Date:
       </span><span style=" font-size:9pt;font-family:sans-serif">25.
05. 2021 23:09</span>
<br><span style=" font-size:9pt;color:#5f5f5f;font-family:sans-serif">Subject:
       </span><span style=" font-size:9pt;font-family:sans-serif">Re:
[midPoint] SAML2 and Red Hat SSO</span>
<br>
<hr noshade>
<br>
<br>
<br><span style=" font-size:12pt">Hello,</span>
<br>
<br><span style=" font-size:12pt">It looks like your "anonymous user"
does not have any GUI authorization. Did you make sure that your anonymous
user already exists in midPoint and has a role with some GUI authorizations?</span>
<br>
<br><span style=" font-size:12pt">By the way, if you manage to make the
SAML SP signing work, please let me know, this is still a blocker for me.</span>
<br>
<br><span style=" font-size:12pt">-Frederic</span>
<br>
<br><span style=" font-size:12pt">On Tue, May 25, 2021, 20:43 Tomáš via
midPoint <</span><a href=mailto:midpoint@lists.evolveum.com target=_blank><span style=" font-size:12pt;color:blue"><u>midpoint@lists.evolveum.com</u></span></a><span style=" font-size:12pt">>
wrote:</span>
<br><span style=" font-size:10pt;font-family:sans-serif">Hello, I would
like to know if somebody has struggled with a similar trouble.</span><span style=" font-size:12pt">
<br>
</span><span style=" font-size:10pt;font-family:sans-serif"><br>
I am trying to work with midPoint as Service Provider and RH SSO as Identity
Provider.<br>
<br>
I successfully did the following:</span><span style=" font-size:12pt"> </span>
<ol>
<li value=1><span style=" font-size:10pt;font-family:sans-serif">applied
the saml2 module and sequence </span>
<ol>
<li value=1><span style=" font-size:10pt;font-family:sans-serif">json.securityPolicy.authentication.sequence[0].module.name
= "<b>rhSamlSso300</b>";</span><span style=" font-size:12pt">
</span>
<li value=2><span style=" font-size:10pt;font-family:sans-serif">json.securityPolicy.authentication.modules.saml2[1].name
=<b> "rhSamlSso300";</b></span></ol>
<li value=2><span style=" font-size:10pt;font-family:sans-serif">exchanged
metadata between midPoint and Rh SSO</span><span style=" font-size:12pt">
</span>
<li value=3><span style=" font-size:10pt;font-family:sans-serif">midPoint
sent request to Rh SSO</span><span style=" font-size:12pt"> </span>
<li value=4><span style=" font-size:10pt;font-family:sans-serif">RH SSO
displayed loginForm,</span><span style=" font-size:12pt"> </span>
<li value=5><span style=" font-size:10pt;font-family:sans-serif">RH sent
response to midPoint</span><span style=" font-size:12pt"> </span>
<ol>
<li value=1><span style=" font-size:10pt;font-family:sans-serif">with expected
username <i>(</i></span><span style=" font-size:12pt;color:#4f4f4f;font-family:Consolas"><i>AttributeStatement:
* username = thus</i></span><span style=" font-size:12pt"><i> </i></span><span style=" font-size:10pt;font-family:sans-serif"><i>)</i></span><span style=" font-size:12pt">
</span></ol></ol><span style=" font-size:10pt;font-family:sans-serif">But
midPoint is unable to make an authorisation decision, with the following stack.</span><span style=" font-size:12pt">
</span><span style=" font-size:10pt;font-family:sans-serif"><b><br>
com.evolveum.midpoint.web.security.MidPointGuiAuthorizationEvaluator.decide</b><br>
<br>
</span><span style=" font-size:12pt"><br>
_______________________________________________<br>
midPoint mailing list</span><span style=" font-size:12pt;color:blue"><u><br>
</u></span><a href=mailto:midPoint@lists.evolveum.com target=_blank><span style=" font-size:12pt;color:blue"><u>midPoint@lists.evolveum.com</u></span></a><span style=" font-size:12pt;color:blue"><u><br>
</u></span><a href=https://lists.evolveum.com/mailman/listinfo/midpoint target=_blank><span style=" font-size:12pt;color:blue"><u>https://lists.evolveum.com/mailman/listinfo/midpoint</u></span></a>
<br>
<br>