How to create a Signature Certificate, and what do I need to mention in SP Issuer for Okta single logout - SAML

How to configure an Okta developer application for single logout:
Single Logout URL
SP Issuer
Signature Certificate
Can anyone please help me configure this? How do I generate the Signature Certificate and the SP Issuer?

Using the "SIGN ON" tab (in the Okta application) you will get these details.
Using the "View Setup Instructions" button you can fetch these details. This link provides the following attributes:
Identity Provider Single Sign-On URL:
Identity Provider Issuer:
metadata to your SP provider:
X.509 Certificate:
If you are using Rails you can use the omniauth-saml gem.
For the issuer field you can refer to this
References:
https://github.com/onelogin/ruby-saml-example
http://developer.okta.com/docs/guides/setting_up_a_saml_application_in_okta.html

Related

Google custom SAML app integration with Keycloak

I'm trying to configure IdP-initiated SSO with Google acting as the IdP, in order to be able to authenticate to our web app (which supports SSO authentication via Keycloak) by clicking on the custom SAML app in the Google Workspace popup (basically it's just a link to https://accounts.google.com/o/saml2/initsso?idpid=[IDP ID]&spid=[SP ID]&forceauthn=false), but the problem I have is that the request to Keycloak (ACS URL) fails with the following error:
If I set the Start URL field in the Google SSO configuration, with for example my webapp's SSO login page, then it fails with another error:
Failing HTTP request:
URL: https://[KEYCLOAK DOMAIN]/realms/[REALM]/broker/[IDENTITY BROKER]/endpoint
Method: POST
Status Code: 400
Form Data: SAMLResponse=[LONG BASE64]&RelayState=[EMPTY OR Start URL VALUE]
This is the configuration I use for Google custom SAML app:
ACS URL: https://[KEYCLOAK DOMAIN]/realms/[REALM]/broker/[IDENTITY BROKER]/endpoint
Entity ID: https://[KEYCLOAK DOMAIN]/realms/[REALM]
Signed response: ON
Name ID format: EMAIL
Name ID: Basic Information > Primary email
Keycloak Identity Provider SAML Config:
Service Provider Entity ID: https://[KEYCLOAK DOMAIN]/realms/[REALM]
Single Sign-On Service URL: https://accounts.google.com/o/saml2/idp?idpid=[IDP ID]
Single Logout Service URL: https://accounts.google.com/o/saml2/idp?idpid=[IDP ID]
NameID Policy Format: Email
Principal Type: Subject NameID
HTTP-POST Binding Response: ON
HTTP-POST Binding for AuthnRequest: ON
Validate Signature: ON
Validating X509 Certificates: [...]
Keycloak Version: 17.0.0
So my question is what could be wrong with this setup, and whether it is necessary to put some URL into the Start URL field?
Also, do I need to configure a separate Keycloak client, as I couldn't find any relation between the Google SAML / Keycloak IdP and Keycloak client configurations?
UPDATE:
Network recording in HAR format
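Added example (not part of the question, and not Keycloak's or Google's code): a stdlib Python script that decodes the SAMLResponse form field the way a SAML tracer does and compares the Response's Destination, the assertion's Recipient and Audience against the SP's ACS URL and entity ID, and flags an IdP-initiated response by its missing InResponseTo. The hostnames, IDs, idpid and the XML itself are constructed. It does not verify the signature (that needs an XML-DSig library), so it only tells you whether the response is even addressed to the SP you configured, which is the first thing to rule out on a 400 from an ACS endpoint.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
STATUS_PREFIX = "urn:oasis:names:tc:SAML:2.0:status:"

# Constructed sample: the shape of an IdP-initiated Response POSTed to a Keycloak
# broker endpoint. Hostnames, IDs and idpid are made up, and ds:Signature is an
# empty placeholder (a real one carries SignedInfo, SignatureValue and KeyInfo).
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://keycloak.example.com/realms/demo/broker/google/endpoint">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=C00example</saml:Issuer>
  <ds:Signature/>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assn1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://accounts.google.com/o/saml2?idpid=C00example</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://keycloak.example.com/realms/demo/broker/google/endpoint"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://keycloak.example.com/realms/demo</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def inspect_saml_response(saml_response_b64):
    """Decode the SAMLResponse form field (HTTP-POST binding) and pull out the
    fields an SP compares against its own configuration. No signature check here."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    assertion = root.find("saml:Assertion", NS)
    fields = {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "destination": root.get("Destination"),
        "in_response_to": root.get("InResponseTo"),  # absent in IdP-initiated flows
        "status": status.get("Value", "").replace(STATUS_PREFIX, "") if status is not None else None,
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_present": assertion is not None,
        "assertion_signed": False, "audience": None,
        "nameid": None, "nameid_format": None, "recipient": None,
    }
    if assertion is not None:
        nameid = assertion.find("saml:Subject/saml:NameID", NS)
        scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        fields.update({
            "assertion_signed": assertion.find("ds:Signature", NS) is not None,
            "audience": assertion.findtext(
                "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
            "nameid": nameid.text if nameid is not None else None,
            "nameid_format": nameid.get("Format") if nameid is not None else None,
            "recipient": scd.get("Recipient") if scd is not None else None,
        })
    return fields


def check_against_sp(fields, acs_url, sp_entity_id):
    """List the reasons an SP configured with acs_url / sp_entity_id would reject this response."""
    problems = []
    if fields["status"] != "Success":
        problems.append("status is %s, not Success" % fields["status"])
    if fields["destination"] and fields["destination"] != acs_url:
        problems.append("Destination %s != ACS URL %s" % (fields["destination"], acs_url))
    if not fields["assertion_present"]:
        problems.append("no plaintext Assertion (encrypted, or the IdP sent none)")
    else:
        if fields["recipient"] and fields["recipient"] != acs_url:
            problems.append("Recipient %s != ACS URL %s" % (fields["recipient"], acs_url))
        if fields["audience"] != sp_entity_id:
            problems.append("Audience %s != SP entity ID %s" % (fields["audience"], sp_entity_id))
    if fields["in_response_to"] is None:
        # An SP that only accepts responses to its own AuthnRequests rejects this.
        problems.append("unsolicited (IdP-initiated) response: no InResponseTo")
    if not (fields["response_signed"] or fields["assertion_signed"]):
        problems.append("neither Response nor Assertion carries a Signature")
    return problems


if __name__ == "__main__":
    fields = inspect_saml_response(SAMPLE_RESPONSE_B64)
    for key, value in fields.items():
        print("%-17s %s" % (key, value))
    print(check_against_sp(fields, "https://keycloak.example.com/realms/demo/broker/google/endpoint",
                           "https://keycloak.example.com/realms/demo"))
```

Paste the SAMLResponse value from the HAR (URL-decoded) in place of the constructed sample to run it against a real capture; the problems list is what to compare with the SP's configured ACS URL and entity ID.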

We're sorry... invalidFederatedIdentityActionMessage from Keycloak after successful login from ADFS over SAML

I am getting Success and Responder status information too from ADFS. I checked both cases by turning the Validate Signature switch on and off, setting PROXY_ADDRESS_FORWARDING=true and also proto HTTP and HTTPS forwarding.
None of the solutions given above worked for me.
You can try the settings in Keycloak to be configured as below, for it to act as a service provider to the ADFS IdP, so that you will be able to get the SAML requests to process correctly:
IdP URL: ${IDP_URL}/adfs/ls/
NameID Policy Format: persistent
WantAuthnRequestsSigned: true
WantAssertionsSigned: true
SignatureAlgorithm: RSA_SHA256
SAMLSignatureKeyName: CERT_SUBJECT
Thus, when you configure the above settings in Keycloak, also ensure that you update the NameID policy in Keycloak as SP, and similarly the custom settings on the IdP side, to ensure the NameID is sent back in 'persistent' format.
Had the same error message with a misconfigured identity provider on Keycloak 15.
Try this:
Go to https://[ADFS server hostname]/federationmetadata/2007-06/federationmetadata.xml to download the ADFS server metadata
Find the X509Certificate fields marked 'signing' in the metadata
Go to your Keycloak Identity Provider definition -> settings -> 'Validating X509 Certificates' and insert the values from the metadata. Alternatively you can import the metadata file using Keycloak's import button when you create a new identity provider. Note: if the metadata contains multiple certificate values you can comma-delimit them when you enter them in your Keycloak identity provider definition.

SAML Okta redirect to IdP fails

I have created a SAML 2.0 App on Okta and have finished all the configurations. I then attempt to do an authorization from my application, by doing a redirect to the Okta IdP ->
http://www.okta.com/(okta created token)?SAMLRequest=(encoded saml xml)
The redirect returns a 404. When I go to my Okta admin console I don't see any logs for the failed attempt, which I guess makes sense since it is returning a 404, but I don't know how to figure out what is causing the 404.
Is there a way to figure out what is causing the issue?
Install the SAML tracer browser extension and try it again to confirm the SAML Response is being decoded correctly.
To address your question "Is there a way to figure out what is causing the issue?", I have repeated your SAML 2.0 authentication steps suggested by your post.
The following responses and answer will help you to "figure out what is causing the issue".
(1) Quote your post "I have created a SAML 2.0 App on okta and have finished all the configurations. I then attempt to do an authorization from my application, by doing a redirect to the okta idp ->
http://www.okta.com/(okta created token)?SAMLRequest=(encoded saml xml)"
Response:
(I) I have created a SAML 2.0 SP App on okta and have finished all the configurations as you did.
(II) I then attempt to do an authorization from my SAML SP application, by doing a redirect to the okta idp as you did.
(III) Submit the username/password of a local Okta user account (e.g., john.doe@example.com) to proceed with SAML authentication.
(2) Quote your post "The redirect returns a 404. When I go to my admin okta console I don't see any logs for the failed attempt, which i guess makes sense since it is returning a 404, but i don't know how to figure out what is causing the 404."
Response:
(I) In my experiment, the redirect returns the following error message instead of a 404 error.
Sorry, you can't access SAML 2.0 SP demo because you are not assigned this app in Okta.
If you're wondering why this is happening, please contact your administrator.
If it's any consolation, we can take you to your Okta home page.
(II) Then "I go to my admin okta console" as suggested by your post, navigate to Reports > System Log, and I saw the log below:
Event: User attempted unauthorized access to app
Info: FAILURE
Targets: SAML 2.0 SP demo (AppInstance)
(3) Quote your question "Is there a way to figure out what is causing the issue?"
Answer:
I summarize the four (4) potential root causes of your SAML authentication failure. The top #1 potential root cause is that you uploaded the wrong okta IdP metadata file into your SAML 2.0 SP app server (see the detailed description below).
(I) Potential Issue #1:
The root cause of my issue is that my local okta user account was NOT assigned to access this SAML 2.0 App.
Resolution:
(a) Navigate to Applications > SAML 2.0 App, then click Assign > Assign to People.
(b) In the pop-up dialog box, select the local Okta user accounts (e.g., John Doe (john.doe@example.com)), click Assign, click Save and Go Back, then click Done.
(c) Repeating the above SAML 2.0 authentication steps, I was redirected back and logged in to the SAML 2.0 App successfully.
(II) Potential Issue #2:
Three (3) potential root causes of this issue are that
(a) you did NOT fill in all the correct SAML SP information for your SAML 2.0 SP app on Okta,
(b) or you did NOT upload the Okta IdP metadata file into your SAML 2.0 SP app server,
(c) or you uploaded the wrong Okta IdP metadata file into your SAML 2.0 SP app server (this is the highest probability for causing your 404 failure, because unlike most SAML IdPs, which create only one IdP metadata file for all SAML SP apps, Okta creates different IdP metadata files for different SAML SP apps).
Resolution:
Regarding root cause (II.a): you need to ensure that the following SAML SP information is exactly the same as the SAML SP metadata of your SAML 2.0 SP app when you create the new SAML 2.0 app.
Single sign on URL should come from your SAML SP metadata, e.g.,
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://your-saml-sp-app-URL/SAML2/POST" index="1"/>
Audience URI (SP Entity ID) should also come from your SAML SP metadata, e.g.,
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_random-string" entityID="https://your-saml-sp-app-URL/SAML2/Metadata">
The sample SAML Settings of SAML 2.0 SP app on okta
Navigate to Applications > your SAML 2.0 App > general > SAML Settings
Single Sign On URL https://your-saml-sp-app-URL/SAML2/POST (i.e., your SAML SP AssertionConsumerService)
Recipient URL https://your-saml-sp-app-URL/SAML2/POST (i.e., your SAML SP AssertionConsumerService)
Destination URL https://your-saml-sp-app-URL/SAML2/POST (i.e., your SAML SP AssertionConsumerService)
Audience Restriction https://your-saml-sp-app-URL/SAML2/Metadata (i.e., your SAML SP entity ID)
Default Relay State
Name ID Format Unspecified
Response Signed
Assertion Signature Signed
Signature Algorithm RSA_SHA256
Digest Algorithm SHA256
Assertion Encryption Unencrypted
SAML Single Logout Disabled
authnContextClassRef PasswordProtectedTransport
Honor Force Authentication Yes
SAML Issuer ID http://www.okta.com/${org.externalKey}
Regarding root causes (II.b) and (II.c): you need to upload the correct Okta IdP metadata into your SAML 2.0 SP app server.
Note that Okta creates different Okta IdP metadata files for your different SAML 2.0 SP apps.
Navigate to Applications > your SAML 2.0 App > Sign On
Identity Provider metadata is available if this application supports dynamic configuration.
Click Identity Provider metadata to download the okta IdP metadata for your SAML 2.0 SP app.
Log in to your SAML 2.0 SP app, upload the okta IdP metadata into your SAML 2.0 SP app, and then complete the configuration to store the okta IdP information on your SAML 2.0 SP app server.
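The two metadata steps described on this page, pulling the 'signing' X509Certificate values out of federation metadata for Keycloak's 'Validating X509 Certificates' field (the ADFS answer above) and taking the IdP endpoint and Issuer from the per-app Okta IdP metadata (this answer), as one added stdlib Python example; it is not code from either answer, nor from Okta, ADFS or Keycloak. It parses a constructed sample metadata document in Okta's shape (org hostname, app ID and certificate body are invented), strips the line breaks from each certificate and comma-joins them as Keycloak expects, then builds an HTTP-Redirect AuthnRequest whose Destination is the SingleSignOnService Location; the entityID (http://www.okta.com/...) is the Issuer identifier, not an endpoint to redirect a browser to. A small decoder reverses the binding so you can read back what the IdP will receive, the same view a SAML tracer gives.

```python
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IdP metadata in the shape Okta publishes per app. The org
# hostname, app IDs and the certificate body are made up; the certificate is
# deliberately split across indented lines, as it is in real metadata.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk0example">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
          MIIDexampleCERTIFICATEbody
          notArealCertificate==
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://dev-000000.okta.com/app/demo/exk0example/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://dev-000000.okta.com/app/demo/exk0example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Pull the entityID, the signing certificates and the SSO endpoints keyed by binding."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute serves both signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join(cert.text.split()))  # drop line breaks and indentation
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso": sso}


def keycloak_validating_certificates(certs):
    """Value for Keycloak's 'Validating X509 Certificates' field: base64 bodies, comma separated."""
    return ",".join(certs)


def build_redirect_url(idp, sp_entity_id, acs_url):
    """HTTP-Redirect AuthnRequest: Destination is the IdP's SingleSignOnService Location
    (not its entityID), Issuer is the SP entity ID, ACS URL is where the Response goes."""
    sso_url = idp["sso"].get(REDIRECT)
    if sso_url is None:
        raise ValueError("IdP metadata publishes no HTTP-Redirect SingleSignOnService")
    request_id = "_" + secrets.token_hex(16)
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    authn_request = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{id}" Version="2.0" '
        'IssueInstant="{ts}" Destination="{dest}" ProtocolBinding="{post}" '
        'AssertionConsumerServiceURL="{acs}"><saml:Issuer>{issuer}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    ).format(id=request_id, ts=issue_instant, dest=sso_url, post=POST, acs=acs_url, issuer=sp_entity_id)
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64, then URL-encode.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return request_id, sso_url + ("&" if "?" in sso_url else "?") + query


def decode_redirect_saml_request(url):
    """Reverse the binding (what a SAML tracer does) to read the AuthnRequest back."""
    raw = base64.b64decode(parse_qs(urlsplit(url).query)["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()


if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("IdP entityID (Issuer):", idp["entity_id"])
    print("Keycloak field:", keycloak_validating_certificates(idp["signing_certs"]))
    rid, url = build_redirect_url(idp, "https://your-saml-sp-app-URL/SAML2/Metadata",
                                  "https://your-saml-sp-app-URL/SAML2/POST")
    print(url)
    print(decode_redirect_saml_request(url))
```

Feed it the metadata downloaded from the app's Sign On tab (or the ADFS federationmetadata.xml) instead of the sample; if the URL you are redirecting to does not match the HTTP-Redirect Location the metadata publishes, the IdP never sees a SAML request, which is consistent with an empty System Log. Signing the AuthnRequest (needed when the IdP sets WantAuthnRequestsSigned="true") is out of scope here.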

Generate Access Token for Simple_Oauth authentication in Drupal 8

My motive is to generate an access token for the client (through the simple_oauth module of Drupal) with the help of which the client can access the content of the Drupal 8 site via REST API. But the Generate token tab is not available on the screen; I have also tried generating the token through Postman using OAuth 2.0 authentication, but failed to understand what to write in the Authorization URL and Token URL fields.
Any suggestion will be appreciated. Thanks in advance.
Quick demo (Password Grant)
Install the module using Composer: composer config repositories.drupal composer https://packages.drupal.org/8 && composer require drupal/simple_oauth:^3. You can use any other installation method, as long as you install the OAuth2 Server composer package.
Generate a pair of keys to encrypt the tokens, and store them outside of your document root for security reasons.
openssl genrsa -out private.key 2048
openssl rsa -in private.key -pubout > public.key
Save the path to your keys in: /admin/config/people/simple_oauth.
Go to REST UI and enable the oauth2 authentication in your resource.
Create a Client Application by going to: /admin/config/services/consumer/add.
Create a token with your credentials by making a POST request to /oauth/token. See the documentation about what fields your request should contain.
(Not shown) Permissions are set to only allow to view nodes via REST with the authenticated user.
Request a node via REST without authentication and watch it fail.
Request a node via REST with the header Authorization: Bearer {YOUR_TOKEN} and watch it succeed.

How to use SSOCircle as an IDP for SSO service in bluemix?

SSOCircle provides a ready-to-use Identity Provider according to their website. I wanted to simulate SAML SSO and integrate it in a sample Liberty for Java application in Bluemix.
What I did so far:
Downloaded the SSOCircle Public IDP Metadata from "Manage Metadata". Uploaded it into the Bluemix SSO service via the upload file button and entered https://idp.ssocircle.com/sso in the textbox under "Step 1" in the SAML Enterprise setup.
Downloaded the SAML metadata under "Step 2" in the SAML Enterprise setup and imported it in SSOCircle. The FQDN that I used is: https://ssocruzgstest-8iotczj2sk-cabc.iam.ibmcloud.com.
Edit: Changed the URL to https://idp.ssocircle.com/sso/idpssoinit?metaAlias=/ssocircle&spEntityID=https://ssocruzgstest-8iotczj2sk-cabc.iam.ibmcloud.com/idaas/mtfim/sps/idaas/saml20 as recommended by Martin.
After integrating, I pointed my browser to https://cruzgsjava1.mybluemix.net and then clicked "Sign in with SAML Enterprise".
I got redirected to https://idp.ssocircle.com/sso/UI/Login?module=peopleMembership&goto=https%3A%2F%2Fidp.ssocircle.com%2Fsso%2Fidpssoinit%3FmetaAlias%3D%2Fssocircle%26spEntityID%3Dhttps%3A%2F%2Fssocruzgstest-8iotczj2sk-cabc.iam.ibmcloud.com%2Fidaas%2Fmtfim%2Fsps%2Fidaas%2Fsaml20. I logged in and encountered an error
Your URL is wrong. I have not seen clear documentation on ssocircle.com, but I found some samples from which I could deduce the (hopefully) right URL pattern. This is what I use for testing:
https://idp.ssocircle.com/sso/idpssoinit?metaAlias=/ssocircle&spEntityID=<your SP entity ID>
You can find out your SP entity ID by downloading the service provider metadata in step 2 and inspect the attribute "entityID" of the root element "md:EntityDescriptor".
The SSOCircle URL is correct. The error happens at the Bluemix site. According to the IBM Knowledge Center, FBTSML236E says that the trace log will indicate the failed operation.
Most probably the validation of the assertion signature is failing. The SSOCircle signing certificate itself is not self-signed but is signed by SSOCircle's own CA.
It could be the case that Bluemix is validating the whole certificate chain and for that reason needs the CA certificate. You can get it from the SSOCircle web site after logging in; under 'My certificate status' you'll find a link to the CA certificate.
If that does not solve the problem, check with IBM how the SAML response is validated. The SSOCircle public IDP by default signs the SAML assertion. It could potentially be that Bluemix has different requirements (e.g. signing the SAML response).