Integrating Mendix with Okta (IdP) via SAML2.0 module

0
Hi all, Our customer wants all applications to be accessed via a single non-Mendix App, called Okta. Okta will handle two functionalities, namely: Single Sign On, and; User provisioning The Mendix App I am building functions as the Service Provider (SP) and Okta functions as the Identity provider (IdP). For these applications to communicate via the SAML2.0 standard, I implemented the SAML2.0 module from the AppStore. I configured on both the SP as well as the IdP side and have got everything working until the part where the validation of the response from Okta in Mendix comes into place. The SAML2.0 module gives me the following feedback: "The response from the identity provider isn't valid". When I look at the response XML from Okta (which is accessible in Mendix via the SAML-module screens), I don't see any strange things. Is there anybody who already has experience with valid XML responses from an IdP in in the context of working with the Mendix SAML2.0-module? For instance a working example XML would already help a lot! Regards, Ivo
asked
2 answers
1

The SAML module does not support a SAML response without an "AttributeStatement". Currently it is mandatory to select an "Attribute" part of the "AttributeStatement" to act as the "PrincipalKey". This "PrincipalKey" is used when the user gets created (in the Mendix System.User table) to fill the "Name" attribute.

Looking at some Google results it appears Okta doesn't provide an AttributeStatement in its response. And the official SAML 2.0 documentation states that if no statements (AttributeStatement is one of the statements) are supplied a Subject is mandatory. The Subject is included in the Okta SAML response so it does follow the SAML 2.0 specifications.

To support Okta it should be made possible to select the Subject identifying attribute as well (as the PrincipalKey), this is one of NameID, BaseID and EncryptedID. Where the latter should obviously be decrypted before becoming useful.

For the short term you're best bet would be to add this functionality to the SAML module yourself (if you go that route, please share it with us so we can include it in the next app store version). If that's not an option and you are in a hurry, I would advise you to contact your Mendix representative to discuss possible alternative approaches.

References:
SAML 2.0 documentation
Example Okta SAML response

answered
0

Here is a request and a response. The XML has been sanitized so no client data is visible:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://somemendixwebsite.mendix.nl/SSO/" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://adfs.clientname.nl/adfs/ls/" ForceAuthn="false" ID="_4122bcca-6c47-4cf3-83de-b71d723659d6" IsPassive="false" IssueInstant="2014-08-05T12:55:11.334Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
    <samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">https://somemendixwebsite.mendix.nl/</samlp:Issuer>
    <saml2p:RequestedAuthnContext xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:authentication:windows</saml:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>
</samlp:AuthnRequest>

Response:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://somemendixwebsite.mendix.nl/SSO/" ID="_4b861382-601e-4f77-915b-8f89f9231857" InResponseTo="_4456bcca-6c47-4cf3-83de-b71d723234d6" IssueInstant="2014-08-05T12:55:11.342Z" Version="2.0">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.clientname.nl/adfs/services/trust</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_40123627-2a23-4f23-aa0e-391b16f131df" IssueInstant="2014-08-05T12:55:11.342Z" Version="2.0">
        <Issuer>http://adfs.clientname.nl/adfs/services/trust</Issuer>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <Reference URI="#_40612327-2a23-4f35-aa0e-391b16f131df">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <DigestValue>SomeDigestValueHHGsadfNj4BAHqCeaJQTa+i=</DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>SOMJSIGNATUREVALUEsdl;ajflkaSJKHDSKHKKJLsdflPjACzQ6JSgiv5U4CuyNqsnYAAB79mWYrZlSo44DXBVm/DzfwFlNQCuXZjJraDBqVCUzek8PzpMHA74kChlYYeCnRgIPUaRnCLnpiqARANP5ltLVlwpdDB8zNt3OSC8QnHxTWP1qvIDb8aEVQGPHc3WmmWfXITNYEU5slJliVPK2kktxdjM5mpeXJtwZ6bFfGWg0pppNiYHif8qORoz1l60zl5GFB1AZ1bqGYgsBUy2AXJptkjYJfS0Kv59yEl8lCoX8Jrg==
            </SignatureValue>
            <KeyInfo>
            <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Certificate>BOGUSKEYMIIC4DCCAcigAwIBsdfasdefsadlfjasdl;jAgIQG4uOrvS6TapCufXS82xBIDANBgkqhkiG9w0BAQsFADAsMSowKAYDVQQDEyFBREZTIFNpZ25pbmcgLSBhZGZzLnByb3BlcnNvbmEubmwwHhcNMTMwOTE2MDg0NzQ3WhcNMTQwOTE2MDg0NzQ3WjAsMSowKAYDVQQDEyFBREZTIFNpZ25pbmcgLSBhZGZzLnByb3BlcnNvbmEubmwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDT3PP03AWsRJJdsQ9dYKJHKLJHKHkjjhklkjh9879879790IYUIUYIOUYIUY97697987YUOOIUYOIUYIOYOIUY</ds:X509Certificate></ds:X509Data>
            </KeyInfo>
        </Signature>
        <Subject>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData InResponseTo="_4122bcca-6c47-4cf3-83de-b71d123659d6" NotOnOrAfter="2014-08-05T13:00:11.342Z" Recipient="https://somemendixwebsite.mendix.nl/SSO/"/>
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2014-08-05T12:55:11.342Z" NotOnOrAfter="2014-08-05T13:55:11.342Z">
            <AudienceRestriction>
                <Audience>https://somemendixwebsite.mendix.nl/</Audience>
            </AudienceRestriction>
        </Conditions>
        <AttributeStatement><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"><AttributeValue>Nobody</AttributeValue></Attribute></AttributeStatement>
        <AuthnStatement AuthnInstant="2014-08-05T12:50:06.967Z">
            <AuthnContext>
                <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>

Regards,

Ronald

answered