From: Nikolaos E. <ni...@ad...> - 2018-07-04 11:48:01
Hello Krzysztof,

I don't see any warnings or errors in the logs. In the browser, if I try to log in I get this message: "There is a SAML authentication going on already. Perhaps you used a Back button during authentication or authenticated in two browser windows? Either finish that login process or cancel it locally with the 'Cancel' button before trying again." I tried to switch unity.endpoint.web.autoLogin to false and it works. Maybe I misconfigured something. Here are all the changes I made:

1. Modified conf/unityServer.conf

    unityServer.core.authenticators.marineWeb.authenticatorName=marineWeb
    unityServer.core.authenticators.marineWeb.authenticatorType=saml2 with web-saml2
    unityServer.core.authenticators.marineWeb.verificatorConfigurationFile=${CONF}/authenticators/marineAuth.properties
    unityServer.core.authenticators.marineWeb.retrievalConfigurationFile=${CONF}/authenticators/marineAuth.properties

and

    # Enables MarineID AS functionality
    $include.marineAS=${CONF}/modules/marineAS.module

Both are copies of samlWeb and $include.oauthAS correspondingly.

2. Created authenticators/marineAuth.properties, a copy of remoteSamlAuth.properties

    unity.saml.requester.requesterEntityId=https://unity.eudat-aai.fz-juelich.de:8443/unitygw/saml-sp-metadata
    unity.saml.requester.metadataPath=metadata1
    unity.saml.requester.requesterCredential=MAIN
    unity.saml.requester.acceptedNameFormats.1=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    unity.saml.requester.acceptedNameFormats.2=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    unity.saml.requester.acceptedNameFormats.3=urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    unity.saml.requester.sloPath=slo1
    unity.saml.requester.sloRealm=defaultRealm
    unity.saml.requester.remoteIdp.marine.name=MarineID IdP
    unity.saml.requester.remoteIdp.marine.address=https://idp.marine-id.org/idp/profile/SAML2/Redirect/SSO
    unity.saml.requester.remoteIdp.marine.binding=HTTP_REDIRECT
    unity.saml.requester.remoteIdp.marine.samlId=https://idp.marine-id.org/idp/shibboleth
    unity.saml.requester.remoteIdp.marine.certificate=MARINEID
    unity.saml.requester.remoteIdp.marine.translationProfile=marineID
    unity.saml.requester.remoteIdp.marine.registrationFormForUnknown=marineID Registration Form
    unity.saml.requester.remoteIdp.marine.enableAccountAssociation=false
    unity.saml.requester.remoteIdp.marine.logoURI.en=https://www.marine-id.org/img/logo-noBG.svg

3. Created modules/oauthAS.module, a copy of oauthAS.module

    unityServer.core.script.909.file=${CONF}/scripts/oauthDemoInitializer.groovy
    unityServer.core.script.909.trigger=pre-init
    unityServer.core.endpoints.marineOauth.endpointType=OAuth2Authz
    unityServer.core.endpoints.marineOauth.endpointConfigurationFile=${CONF}/modules/oauth/oauth2-marine.properties
    unityServer.core.endpoints.marineOauth.contextPath=/oauth2-marine
    unityServer.core.endpoints.marineOauth.endpointName=MarineID OAuth2 Authorization Server
    unityServer.core.endpoints.marineOauth.endpointRealm=defaultRealm
    unityServer.core.endpoints.marineOauth.endpointAuthenticators=marineWeb
    unityServer.core.endpoints.marineToken.endpointType=OAuth2Token
    unityServer.core.endpoints.marineToken.endpointConfigurationFile=${CONF}/modules/oauth/oauth2-marine.properties
    unityServer.core.endpoints.marineToken.contextPath=/marine
    unityServer.core.endpoints.marineToken.endpointName=MarineID OAuth2 Token endpoint
    unityServer.core.endpoints.marineToken.endpointRealm=defaultRealm
    unityServer.core.endpoints.marineToken.endpointAuthenticators=pwdRest;certRest

4. Created modules/oauth/oauth2-marine.properties, a copy of modules/oauth/oauth2-as.properties

    unity.oauth2.as.issuerUri=https://unity.eudat-aai.fz-juelich.de:8443/marine
    unity.oauth2.as.signingCredential=MAIN
    unity.oauth2.as.clientsGroup=/oauth-clients
    unity.oauth2.as.usersGroup=/
    unity.oauth2.as.translationProfile=marineIDout
    unity.oauth2.as.accessTokenValidity=600
    unity.oauth2.as.extendAccessTokenValidityUpTo=86400
    unity.oauth2.as.refreshTokenValidity=0

    # Definition of scopes
    unity.oauth2.as.scopes.1.name=openid
    unity.oauth2.as.scopes.1.description=Enables the OpenID Connect support
    unity.oauth2.as.scopes.4.name=email
    unity.oauth2.as.scopes.4.description=OpenID Connect Email Scope
    unity.oauth2.as.scopes.4.attributes.1=email
    unity.oauth2.as.scopes.5.name=profile
    unity.oauth2.as.scopes.5.description=OpenID Connect user profile scope
    unity.oauth2.as.scopes.5.attributes.1=name
    unity.oauth2.as.scopes.2.name=USER_PROFILE
    unity.oauth2.as.scopes.2.description=Provides access to the user's profile information
    unity.oauth2.as.scopes.2.attributes.1=userName
    unity.oauth2.as.scopes.2.attributes.2=email
    unity.oauth2.as.scopes.2.attributes.3=groups
    unity.oauth2.as.scopes.2.attributes.4=unity:persistent
    unity.oauth2.as.scopes.2.attributes.5=urn:oid:2.5.4.49
    unity.oauth2.as.scopes.2.attributes.6=name
    unity.oauth2.as.scopes.2.attributes.7=cn
    unity.oauth2.as.scopes.3.name=GENERATE_USER_CERTIFICATE
    unity.oauth2.as.scopes.3.description=Generate User Certificate
    unity.oauth2.as.scopes.3.attributes.1=userName
    unity.oauth2.as.scopes.3.attributes.2=email
    unity.oauth2.as.scopes.3.attributes.3=name
    unity.oauth2.as.scopes.3.attributes.4=groups

    #UI specific properties
    unity.endpoint.web.enableRegistration=false
    unity.endpoint.web.autoLogin=true
    unity.endpoint.web.authenticationTiles.4.tileContents=oauthMarine
    unity.endpoint.web.authenticationTiles.4.tileMode=table
    unity.endpoint.web.authenticationTiles.4.tileName.en=Login with your MarineID

———————
Best regards,
Nick

> On 4 Jul 2018, at 10:06, Krzysztof Benedyczak <kb...@un...> wrote:
>
> On 03.07.2018 at 16:22, Nikolaos Evangelou wrote:
>> Hello Krzysztof,
>>
>> I'm testing your suggestion to create a separate oauth authorization endpoint, but I got some issues. When I make an authentication request to the new endpoint, I go directly to the login page of my preselected IdP (as expected), but after the login I got stuck at the ${new_endpoint}/oauth2-authz-web-entry portal, and I'm asked to log in again. Do you have any suggestion to deal with this issue?
>
> Can you evaluate the debug logs carefully, together with the web browser logs? What happens there, what is the precise flow of redirections? Visually this effect in the web browser can be due to many reasons - up to a situation where everything works but your client is redirecting to Unity again as it doesn't accept your new endpoint.
>
> Best,
> Krzysztof
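A small consistency checker for properties of the kind posted above, added here as an example (it is not Unity's own code, nor from the thread): it parses the key=value lines, expands ${CONF}, and reports endpoints whose endpointAuthenticators name an authenticator that no authenticatorName entry defines. It assumes ';' separates alternative authenticators; the pwdRest/certRest stub lines and the 'dangling' endpoint are constructed for the demonstration.

```python
import re

# Constructed sample: authenticator/endpoint lines from the post, two stub
# authenticatorName lines standing in for pwdRest/certRest (defined in the
# default unityServer.conf), and one deliberately dangling reference (samlWeb).
SAMPLE = """\
unityServer.core.authenticators.marineWeb.authenticatorName=marineWeb
unityServer.core.authenticators.marineWeb.authenticatorType=saml2 with web-saml2
unityServer.core.authenticators.marineWeb.verificatorConfigurationFile=${CONF}/authenticators/marineAuth.properties
unityServer.core.authenticators.pwdRest.authenticatorName=pwdRest
unityServer.core.authenticators.certRest.authenticatorName=certRest
# Enables MarineID AS functionality
unityServer.core.endpoints.marineOauth.endpointType=OAuth2Authz
unityServer.core.endpoints.marineOauth.endpointAuthenticators=marineWeb
unityServer.core.endpoints.marineToken.endpointType=OAuth2Token
unityServer.core.endpoints.marineToken.endpointAuthenticators=pwdRest;certRest
unityServer.core.endpoints.dangling.endpointAuthenticators=samlWeb
"""

VAR = re.compile(r"\$\{(\w+)\}")
AUTHN_PREFIX = "unityServer.core.authenticators."
ENDPOINT_AUTHN = re.compile(r"unityServer\.core\.endpoints\.(\w+)\.endpointAuthenticators")


def parse_properties(text, env):
    """Parse key=value lines, skipping blanks and '#' comments, expanding ${VAR}
    from env; unknown variables are left as written so they remain visible."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = VAR.sub(lambda m: env.get(m.group(1), m.group(0)), value.strip())
    return props


def check_authenticator_refs(props):
    """Return {endpoint id: [names listed in endpointAuthenticators that no
    unityServer.core.authenticators.*.authenticatorName entry defines]}."""
    defined = {v for k, v in props.items()
               if k.startswith(AUTHN_PREFIX) and k.endswith(".authenticatorName")}
    problems = {}
    for key, value in props.items():
        m = ENDPOINT_AUTHN.fullmatch(key)
        if m:
            # assumption: ';' separates alternative authentication options
            unknown = [a for a in value.split(";") if a and a not in defined]
            if unknown:
                problems[m.group(1)] = unknown
    return problems
```

Run it over a real unityServer.conf plus the included module files concatenated, with CONF set to the install's conf directory, to catch a renamed or missing authenticator before restarting the server.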