<div dir="ltr"><div dir="ltr"><div dir="ltr">Hi Guys<div><br></div><div><div>I identified an error in my settings; my metadata looked like this before:</div><div><a href="https://192.168.0.46/midpoint/auth/default/mysamlsso/SSO/okta/sp_midpoint">https://192.168.0.46/midpoint/auth/default/mysamlsso/SSO/okta/sp_midpoint</a></div><div><br></div><div>After the correction, it looked like this:</div><div><a href="https://192.168.0.46/midpoint/auth/default/mysamlsso/SSO/alias/sp_midpoint">https://192.168.0.46/midpoint/auth/default/mysamlsso/SSO/alias/sp_midpoint</a></div><div><br></div><div>Tip: use Midpoint's metadata generator:</div><div><a href="https://docs.evolveum.com/midpoint/reference/security/authentication/flexible-authentication/configuration/">https://docs.evolveum.com/midpoint/reference/security/authentication/flexible-authentication/configuration/</a></div><div><br></div><div>Midpoint can generate the SP metadata. You can get it via the link:</div><div>http://<midpointHost>/midpoint/auth/<authenticationSequenceUrlSuffix>/<saml2ModuleName>/metadata.</div><div><br></div><div>Now I get another error:</div><div> <b> Invalid username and/or password</b>. </div></div><div><br></div><div>I keep investigating; I've validated the username and password directly in my identity provider and the credentials are correct. <br></div><div><br></div><div>Best Regards</div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jul 14, 2021, 20:14 Gus Lou <<a href="mailto:gugalou38@gmail.com">gugalou38@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">Hi Frédéric<div>Thank you for your help.</div><div><div>I followed your recommendation and changed metadata to <pathtofile>.</div><div>Now, Midpoint presented a new message:</div></div><div><b>Validation Errors: 1. 
Destination mismatch: <a href="https://192.168.0.46/midpoint/auth/default/mysamlsso/SSO/okta/sp_midpoint" target="_blank">https://192.168.0.46/midpoint/auth/default/mysamlsso/SSO/okta/sp_midpoint</a></b><br></div><div><b><br></b></div><div>I'm validating the settings to understand what might be wrong.<br></div><div><br></div><div>Best regards</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jul 13, 2021, 03:30 Frédéric Lohier <<a href="mailto:frederic@lohier.org" target="_blank">frederic@lohier.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">Hello Gus,<div dir="auto"><br></div><div dir="auto">I had the same issue and this was because midpoint did/could not download the IDP metadata specified in <metadataUrl> even though I could download it via a curl command from the server.</div><div dir="auto"><br></div><div dir="auto">I ended up using the <pathToFile> with the IDP metadata stored locally on the server.</div><div dir="auto"><br></div><div dir="auto">Strangely, I wasn't able to reproduce the bug when I wanted to file an issue, but I did not spend too much time on it either.</div><div dir="auto"><br></div><div dir="auto">-Frédéric</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jul 12, 2021, 22:08 Gus Lou via midPoint <<a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Hi Guys<br><div><br></div><div><div>I configured Midpoint to use Flex Authentication.</div><div>In my configuration, I used the SAML2 module; when I try to authenticate to Midpoint I get the information</div><div><b>"List of Identity Providers is 
empty"</b></div><div><b>"Select an Identity Provider"</b></div><div>I enabled debug to try to understand what might be wrong but I couldn't identify relevant information. </div></div><div><br></div><div><b>Midpoint Version:</b> 4.3.1<br></div><div><br></div><div><b>My Default Security Policy:</b></div><div><div><br></div><div><securityPolicy</div><div>xmlns="<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" rel="noreferrer" target="_blank">http://midpoint.evolveum.com/xml/ns/public/common/common-3</a>"</div><div>xmlns:c="<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" rel="noreferrer" target="_blank">http://midpoint.evolveum.com/xml/ns/public/common/common-3</a>"</div><div>xmlns:icfs="<a href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" rel="noreferrer" target="_blank">http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3</a>"</div><div>xmlns:org="<a href="http://midpoint.evolveum.com/xml/ns/public/common/org-3" rel="noreferrer" target="_blank">http://midpoint.evolveum.com/xml/ns/public/common/org-3</a>"</div><div>xmlns:q="<a href="http://prism.evolveum.com/xml/ns/public/query-3" rel="noreferrer" target="_blank">http://prism.evolveum.com/xml/ns/public/query-3</a>"</div><div>xmlns:ri="<a href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" rel="noreferrer" target="_blank">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3</a>"</div><div>xmlns:t="<a href="http://prism.evolveum.com/xml/ns/public/types-3" rel="noreferrer" target="_blank">http://prism.evolveum.com/xml/ns/public/types-3</a>" oid="00000000-0000-0000-0000-000000000120" version="36"></div><div>    <name>Default Security Policy</name></div><div>    <authentication></div><div>        <modules></div><div>            <loginForm id="20"></div><div>                <name>internalLoginForm</name></div><div>                <description>Internal username/password authentication, default user 
password, login form</description></div><div>            </loginForm></div><div>            <saml2 id="21"></div><div>                <name>mysamlsso</name></div><div>                <description>My internal enterprise SAML-based SSO system.</description></div><div>                <serviceProvider></div><div>                    <entityId>sp_midpoint</entityId></div><div>                    <signRequests>false</signRequests></div><div>                    <wantAssertionsSigned>false</wantAssertionsSigned></div><div>                    <singleLogoutEnabled>true</singleLogoutEnabled></div><div>                    <provider id="22"></div><div>                        <entityId><a href="https://www.okta.com/d721K5vASKoJ4x6exko4" rel="noreferrer" target="_blank">https://www.okta.com/d721K5vASKoJ4x6exko4</a></entityId></div><div>                        <alias>okta</alias></div><div>                        <metadata></div><div>                            <metadataUrl><a href="https://dev-99301.okta.com/app/d721K5vASKoJ4x6exko4/sso/saml/metadata" rel="noreferrer" target="_blank">https://dev-99301.okta.com/app/d721K5vASKoJ4x6exko4/sso/saml/metadata</a></metadataUrl></div><div>                        </metadata></div><div>                        <skipSslValidation>false</skipSslValidation></div><div>                        <linkText>oktapreview</linkText></div><div>                        <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding></div><div>                        <nameOfUsernameAttribute>uid</nameOfUsernameAttribute></div><div>                    </provider></div><div>                </serviceProvider></div><div>            </saml2></div><div>        </modules></div><div>        <sequence id="23"></div><div>            <name>admin-gui-default</name></div><div>            <description></div><div>                Default GUI authentication sequence.</div><div>                We want to try company SSO, federation 
and internal. In that order.</div><div>                Just one of them needs to be successful to let the user in.</div><div>            </description></div><div>            <channel></div><div>                <channelId><a href="http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user" rel="noreferrer" target="_blank">http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</a></channelId></div><div>                <default>true</default></div><div>                <urlSuffix>default</urlSuffix></div><div>            </channel></div><div>            <module id="25"></div><div>                <name>mysamlsso</name></div><div>                <order>30</order></div><div>                <necessity>sufficient</necessity></div><div>            </module></div><div>        </sequence></div><div>        <sequence id="24"></div><div>            <name>admin-gui-emergency</name></div><div>            <description></div><div>                Special GUI authentication sequence that is using just the internal user password.</div><div>                It is used only in emergency. It allows skipping SAML authentication cycles, e.g. 
in case</div><div>                that the SAML authentication is redirecting the browser incorrectly.</div><div>            </description></div><div>            <channel></div><div>                <channelId><a href="http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user" rel="noreferrer" target="_blank">http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</a></channelId></div><div>                <default>false</default></div><div>                <urlSuffix>emergency</urlSuffix></div><div>            </channel></div><div>            <requireAssignmentTarget oid="00000000-0000-0000-0000-000000000004" relation="org:default" type="c:RoleType"></div><div>                <!-- Superuser --></div><div>            </requireAssignmentTarget></div><div>            <module id="27"></div><div>                <name>internalLoginForm</name></div><div>                <order>10</order></div><div>                <necessity>sufficient</necessity></div><div>            </module></div><div>        </sequence></div><div>        <ignoredLocalPath>/actuator</ignoredLocalPath></div><div>        <ignoredLocalPath>/actuator/health</ignoredLocalPath></div><div>    </authentication></div><div>    <credentials></div><div>        <password></div><div>            <minOccurs>0</minOccurs></div><div>            <lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts></div><div>            <lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration></div><div>            <lockoutDuration>PT15M</lockoutDuration></div><div>            <valuePolicyRef xmlns:tns="<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" rel="noreferrer" target="_blank">http://midpoint.evolveum.com/xml/ns/public/common/common-3</a>" oid="00000000-0000-0000-0000-000000000003" relation="org:default" type="tns:ValuePolicyType"></div><div>                <!-- Default Password Policy --></div><div>            </valuePolicyRef></div><div>        </password></div><div>    
</credentials></div><div></securityPolicy></div></div><div><br></div><div><br></div><div><b>Midpoint.log:</b></div><div><br></div><div><div>2021-07-11 23:01:27,323 [] [http-nio-8080-exec-10] INFO (org.opensaml.core.config.InitializationService): Initializing OpenSAML using the Java Services API</div><div>2021-07-11 23:01:27,323 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.soap.config.XMLObjectProviderInitializer</div><div>2021-07-11 23:01:27,340 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.JavaCryptoValidationInitializer</div><div>2021-07-11 23:01:27,340 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.XMLObjectProviderInitializer</div><div>2021-07-11 23:01:27,349 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.ApacheXMLSecurityInitializer</div><div>2021-07-11 23:01:27,349 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.GlobalSecurityConfigurationInitializer</div><div>2021-07-11 23:01:27,349 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.security.config.ClientTLSValidationConfiguratonInitializer</div><div>2021-07-11 23:01:27,350 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xacml.profile.saml.config.XMLObjectProviderInitializer</div><div>2021-07-11 23:01:27,360 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): 
Initializing module initializer implementation: org.opensaml.core.xml.config.XMLObjectProviderInitializer</div><div>2021-07-11 23:01:27,365 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.core.xml.config.GlobalParserPoolInitializer</div><div>2021-07-11 23:01:27,367 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.core.metrics.impl.MetricRegistryInitializer</div><div>2021-07-11 23:01:27,367 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xacml.config.XMLObjectProviderInitializer</div><div>2021-07-11 23:01:27,380 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.saml.config.XMLObjectProviderInitializer</div><div>2021-07-11 23:01:27,416 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.saml.config.SAMLConfigurationInitializer</div><div>2021-07-11 23:01:27,416 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.GlobalAlgorithmRegistryInitializer</div><div>2021-07-11 23:01:27,427 [] [http-nio-8080-exec-10] INFO (org.opensaml.core.config.InitializationService): Initializing OpenSAML using the Java Services API</div><div>2021-07-11 23:01:27,427 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.soap.config.XMLObjectProviderInitializer</div><div>2021-07-11 23:01:27,442 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: 
org.opensaml.xmlsec.config.JavaCryptoValidationInitializer</div><div>2021-07-11 23:01:27,442 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.XMLObjectProviderInitializer</div><div>2021-07-11 23:01:27,452 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.ApacheXMLSecurityInitializer</div><div>2021-07-11 23:01:27,452 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.GlobalSecurityConfigurationInitializer</div><div>2021-07-11 23:01:27,452 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.security.config.ClientTLSValidationConfiguratonInitializer</div><div>2021-07-11 23:01:27,452 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xacml.profile.saml.config.XMLObjectProviderInitializer</div><div>2021-07-11 23:01:27,462 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.core.xml.config.XMLObjectProviderInitializer</div><div>2021-07-11 23:01:27,468 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.core.xml.config.GlobalParserPoolInitializer</div><div>2021-07-11 23:01:27,469 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.core.metrics.impl.MetricRegistryInitializer</div><div>2021-07-11 23:01:27,469 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing 
module initializer implementation: org.opensaml.xacml.config.XMLObjectProviderInitializer</div><div>2021-07-11 23:01:27,480 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.saml.config.XMLObjectProviderInitializer</div><div>2021-07-11 23:01:27,513 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.saml.config.SAMLConfigurationInitializer</div><div>2021-07-11 23:01:27,513 [] [http-nio-8080-exec-10] DEBUG (org.opensaml.core.config.InitializationService): Initializing module initializer implementation: org.opensaml.xmlsec.config.GlobalAlgorithmRegistryInitializer</div></div><div><br></div><div>Regards</div><div><br></div><div>Gus</div><div><br></div><div><br></div><div><br></div></div></div></div></div></div>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" rel="noreferrer" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="https://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer noreferrer" target="_blank">https://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
</blockquote></div>
</blockquote></div>
</blockquote></div>
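The thread turns on two SP-side checks: whether the IdP metadata was actually loaded (an unloaded metadata file is what leaves the "List of Identity Providers" empty), and whether the SAML Response's Destination equals the SP's own assertion consumer URL (the "Destination mismatch" error, caused here by the ACS path containing the provider alias "okta" instead of the literal "alias" segment). The script below is an added example, not midPoint's code and not from the thread; it reproduces both checks offline so a configuration can be sanity-checked before pointing an IdP at it. It assumes the ACS URL pattern shown in the corrected URL above (`/midpoint/auth/<urlSuffix>/<moduleName>/SSO/alias/<spEntityId>`), and the IdP metadata, provider configuration and Response header are constructed sample data with placeholder identifiers.

```python
"""Offline sanity checks for a midPoint SAML2 provider configuration.

Added example; this is not midPoint's code and not from the mailing-list thread.
Assumptions: the ACS URL pattern is the corrected one from the thread,
  https://<host>/midpoint/auth/<urlSuffix>/<moduleName>/SSO/alias/<spEntityId>,
and all XML below is constructed sample data, not real IdP or SP metadata.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed IdP metadata, standing in for what <metadataUrl> or <pathToFile> yields.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/EXAMPLE-IDP-ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Values a <provider> element in the security policy would carry. The entityId is a
# placeholder; alias and binding mirror the thread's configuration.
PROVIDER_CONFIG = {
    "entityId": "https://idp.example.test/EXAMPLE-IDP-ID",
    "alias": "okta",
    "authenticationRequestBinding": HTTP_POST,
}


def expected_acs_url(base_url, url_suffix, module_name, sp_entity_id):
    """ACS endpoint the SP expects, following the thread's corrected URL (assumed pattern)."""
    return f"{base_url}/midpoint/auth/{url_suffix}/{module_name}/SSO/alias/{sp_entity_id}"


def parse_idp_metadata(xml_text):
    """Extract entityID and SSO endpoints per binding from IdP metadata.

    Returns None when the document cannot be parsed or is not an EntityDescriptor;
    that is the state behind an empty provider list.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return None
    endpoints = {}
    for sso in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        endpoints[sso.get("Binding")] = sso.get("Location")
    return {"entityID": root.get("entityID"), "sso": endpoints}


def check_provider(config, idp):
    """Checks whose failure leaves the provider unusable or not listed at all."""
    errors = []
    if idp is None:
        errors.append("IdP metadata not loaded: provider list will be empty")
        return errors
    if config["entityId"] != idp["entityID"]:
        errors.append(f"entityId mismatch: config {config['entityId']!r} vs metadata {idp['entityID']!r}")
    binding = config["authenticationRequestBinding"]
    if binding not in idp["sso"]:
        errors.append(f"IdP offers no SingleSignOnService for binding {binding}")
    return errors


def check_destination(response_xml, acs_url):
    """SP-side comparison of the Response's Destination with the SP's own ACS URL.

    An SP must reject a Response addressed to another endpoint; this is the check
    behind a 'Destination mismatch' validation error.
    """
    root = ET.fromstring(response_xml)
    destination = root.get("Destination")
    if destination is None:
        return ["Destination attribute missing"]
    if destination != acs_url:
        return [f"Destination mismatch: {destination} (expected {acs_url})"]
    return []


def sample_response(destination):
    """Constructed Response header carrying only the attribute under test."""
    return (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            f'ID="_r1" Version="2.0" Destination="{destination}"/>')


if __name__ == "__main__":
    acs = expected_acs_url("https://192.168.0.46", "default", "mysamlsso", "sp_midpoint")
    wrong = "https://192.168.0.46/midpoint/auth/default/mysamlsso/SSO/okta/sp_midpoint"
    print(check_provider(PROVIDER_CONFIG, parse_idp_metadata(IDP_METADATA)))
    print(check_provider(PROVIDER_CONFIG, parse_idp_metadata("<broken")))
    print(check_destination(sample_response(wrong), acs))
    print(check_destination(sample_response(acs), acs))
```

Run it as-is to see the two failure modes from the thread side by side: the unparseable metadata yields the empty-provider-list diagnostic, and the `/SSO/okta/` URL yields the same mismatch message midPoint reported, while the corrected `/SSO/alias/` URL passes. To check a real deployment, feed the file behind `<pathToFile>` into `parse_idp_metadata` and the ACS Location from the generated SP metadata into `check_destination`.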