IdP Initiated Authentication not working

1
We are using the latest SAML20 module in our app (in Studio Pro 8.8.1) for SSO via Okta. The "IdP Initiated Authentication" option is enabled in the SSO configuration. When SSO is initiated from the application by going to https://hostname:port/SSO/, it works fine; in that case the SAML response contains the InResponseTo element. When Okta (the IdP) initiates the request, so that the SAML response doesn’t contain the InResponseTo element, it fails with the on-screen message "Unable to validate the SAML message", and the application log shows the errors "ERROR - SAML_SSO: java.lang.NullPointerException: null" and "ERROR - SAML_SSO: Unable to validate Response, see SAMLRequest overview for detailed response. Error: null". We wonder if we missed any configuration that would make IdP Initiated Authentication work. Thanks!
asked
3 answers
1

Hi Kevin, 

I’ve had the same issue and was able to fix it by changing the Java code in the SAML module.

I’ve already sent a ticket to Mendix to fix it in the SAML module.

But if you don’t want to wait for the fix from Mendix, you can change the SAMLUtil.java file yourself.

OLD, starting at line number 417:

public static SAMLRequest retrieveCorrespondingRequest(IContext context, String inResponseTo) {
	// Looks up the stored AuthnRequest unconditionally, even when inResponseTo is null
	// (which is the case for an IdP-initiated response)
	List<IMendixObject> samlrequestList = MendixUtils.retrieveFromDatabase(context, "//%s[%s = $requestId][%s = $no]",
			new HashMap<>() {{
				put("requestId", inResponseTo);
				put("no", YesNo.No.toString());
			}},
			SAMLRequest.entityName,
			SAMLRequest.MemberNames.RequestID.toString(),
			SAMLRequest.MemberNames.hasResponse.toString()
	);

	if (samlrequestList.size() == 1)
		return SAMLRequest.initialize(context, samlrequestList.get(0));
	else
		return null;
}

NEW:

public static SAMLRequest retrieveCorrespondingRequest(IContext context, String inResponseTo) {
	// An IdP-initiated response carries no InResponseTo, so there is no request
	// to correlate with; only run the lookup when the ID is actually present
	if (inResponseTo != null) {
		List<IMendixObject> samlrequestList = MendixUtils.retrieveFromDatabase(context, "//%s[%s = $requestId][%s = $no]",
				new HashMap<>() {{
					put("requestId", inResponseTo);
					put("no", YesNo.No.toString());
				}},
				SAMLRequest.entityName,
				SAMLRequest.MemberNames.RequestID.toString(),
				SAMLRequest.MemberNames.hasResponse.toString()
		);

		// Exactly one unanswered request must match the ID; anything else is treated as no match
		if (samlrequestList.size() == 1) {
			return SAMLRequest.initialize(context, samlrequestList.get(0));
		}
	}

	// No InResponseTo (IdP-initiated) or no matching request found
	return null;
}

Cheers,

Jeffrey 

answered
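The null check above makes the lookup tolerate a missing InResponseTo, but an unsolicited (IdP-initiated) response then has nothing to correlate with, so the service provider has to rely on the remaining checks. The following added example, written in Python rather than the module's Java and not part of the SAML module or of Jeffrey's post, models a response validator that handles both flows: it consumes a pending request ID when InResponseTo is present, accepts an unsolicited response only when IdP-initiated authentication is enabled, and rejects expired or replayed assertions in either case. The data classes, field names and the `seen_assertions` replay cache are assumptions for illustration; signature and issuer verification are assumed to happen before this step.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Set, Tuple


@dataclass
class SamlResponse:
    assertion_id: str                 # Assertion/@ID, unique per issued assertion
    in_response_to: Optional[str]     # Response/@InResponseTo; None in the IdP-initiated flow
    audience: str                     # AudienceRestriction/Audience
    not_on_or_after: datetime         # SubjectConfirmationData/@NotOnOrAfter


@dataclass
class SpState:
    entity_id: str
    idp_initiated_enabled: bool       # mirrors the "IdP Initiated Authentication" option
    pending_requests: Set[str] = field(default_factory=set)  # IDs of AuthnRequests we sent, unanswered
    seen_assertions: Set[str] = field(default_factory=set)   # assumed replay cache of accepted assertion IDs


def validate(resp: SamlResponse, sp: SpState, now: datetime) -> Tuple[bool, str]:
    """Return (accepted, reason). Signature and issuer checks are assumed done earlier."""
    if resp.audience != sp.entity_id:
        return False, "audience mismatch"
    if now >= resp.not_on_or_after:
        return False, "assertion expired"
    if resp.assertion_id in sp.seen_assertions:
        return False, "replayed assertion"
    if resp.in_response_to is None:
        # Unsolicited response: nothing to correlate, so only the config flag decides
        if not sp.idp_initiated_enabled:
            return False, "unsolicited response rejected"
    else:
        # SP-initiated: must match an outstanding request, which is consumed once
        if resp.in_response_to not in sp.pending_requests:
            return False, "unknown or already-consumed InResponseTo"
        sp.pending_requests.discard(resp.in_response_to)
    sp.seen_assertions.add(resp.assertion_id)
    return True, "ok"


def make_response(assertion_id: str, in_response_to: Optional[str], now: datetime) -> SamlResponse:
    # Constructed sample response valid for five minutes from `now`
    return SamlResponse(assertion_id, in_response_to, "https://sp.example/metadata", now + timedelta(minutes=5))
```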
0

Hi Kevin! Can you share the rest of the settings you have for the SAML module in your app? I went through the Okta IdP config with the SAML module, albeit in a Mendix 7 app, but I’d imagine there aren’t too many differences in the module itself. We spent a couple of days with Okta and Mendix to get it working, and it was really a matter of a checkbox left unchecked in the local config that saved us. In any case, I’d like to inspect your configuration to maybe provide some additional assistance, if there aren’t any insights given by others with the info you’ve already shared.


answered
0

Hi Kevin, this integration of Okta with SAML 2.0, was it done for a Mendix web app or a Mendix native application?

answered