From: Nikolaos E. <ni...@ad...> - 2018-09-19 06:47:45

Hello Krzysztof,

After a long time I tried to enable auto login again and I managed to resolve my issue and I'm posting the solution.

The use case is:

Site —> OAuth authorization request —> Unity AS with autoLogin & authenticator with one IdP —> SAML login —> SAML IdP on Unity

As I posted earlier, I copied the current ${CONF}/modules/oauth/oauth2-as.properties for the new endpoint ${CONF}/modules/oauth/oauth2-sdc.properties.

The oauth2-as.properties has the following properties:

unity.endpoint.web.authenticationTiles.1.tileContents=pwd cert
unity.endpoint.web.authenticationTiles.2.tileContents=oauth
unity.endpoint.web.authenticationTiles.3.tileContents=saml

And oauth2-sdc.properties has:

unity.endpoint.web.authenticationTiles.1.tileContents=saml

With these properties the flow wasn't working and when the user returned to Unity, he/she was stuck in a loop where he/she was asked to login again.

Then I changed the oauth2-sdc.properties authenticationTiles number from 1 to 11:

unity.endpoint.web.authenticationTiles.11.tileContents=saml

And then everything worked smoothly. I guess it was a conflict on the authenticationTiles number id because both belong to the same endpoint type (OAuth2Authz/OAuth2Token).

Regards,
Nick

> On 9 Jul 2018, at 22:19, Krzysztof Benedyczak <kb...@un...> wrote:
>
> Hi Nikolaos,
>
> I'm answering here for both recent emails. With this information I can understand what you want to perform now.
> Should work - at least the similar setup worked fine for me without a problem a moment ago:
>
> Site ---OAuth login-->Unity AS with autoLogin --SAML login-->SAML IdP on Unity
>
> More or less configured as below but there are still tons of places where problems may happen.
>
> First of all read the logs. Looking for warns/errors is not always helpful. You should enable debug (or for this purpose even TRACE) logging of SAML, OAuth and web subsystems. You will have information (search for "Proxy") on the auto login fact (or that it is skipped).
> 2nd thing to do is to compare this with the browser log (Developer tools -> Network tab, important: turn off persistent logs, otherwise each redirect will clean the log).
>
> With this information you should be able to precisely identify in which moment your flow is not behaving as expected and perhaps what is the reason.
>
> HTH,
> Krzysztof
>
> On 04.07.2018 at 13:47, Nikolaos Evangelou wrote:
>> Hello Krzysztof,
>>
>> I don't see any warns or errors in logs. In the browser if I try to login I will get this message: "There is a SAML authentication going on already. Perhaps you used a Back button during authentication or authenticate in two browser windows? Either finish that login process or cancel it locally with the ''Cancel'' button before trying again."
>> I tried to switch unity.endpoint.web.autoLogin to false and it works. Maybe I misconfigured something.
>>
>> Here are all the changes I made:
>>
>> 1. Modified conf/unityServer.conf
>>
>> unityServer.core.authenticators.marineWeb.authenticatorName=marineWeb
>> unityServer.core.authenticators.marineWeb.authenticatorType=saml2 with web-saml2
>> unityServer.core.authenticators.marineWeb.verificatorConfigurationFile=${CONF}/authenticators/marineAuth.properties
>> unityServer.core.authenticators.marineWeb.retrievalConfigurationFile=${CONF}/authenticators/marineAuth.properties
>>
>> And
>>
>> # Enables MarineID AS functionality
>> $include.marineAS=${CONF}/modules/marineAS.module
>>
>> Both are copies of samlWeb and $include.oauthAS correspondingly.
>>
>> 2. Created authenticators/marineAuth.properties, a copy of remoteSamlAuth.properties
>>
>> unity.saml.requester.requesterEntityId=https://unity.eudat-aai.fz-juelich.de:8443/unitygw/saml-sp-metadata
>> unity.saml.requester.metadataPath=metadata1
>> unity.saml.requester.requesterCredential=MAIN
>> unity.saml.requester.acceptedNameFormats.1=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
>> unity.saml.requester.acceptedNameFormats.2=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
>> unity.saml.requester.acceptedNameFormats.3=urn:oasis:names:tc:SAML:2.0:nameid-format:transient
>>
>> unity.saml.requester.sloPath=slo1
>> unity.saml.requester.sloRealm=defaultRealm
>>
>> unity.saml.requester.remoteIdp.marine.name=MarineID IdP
>> unity.saml.requester.remoteIdp.marine.address=https://idp.marine-id.org/idp/profile/SAML2/Redirect/SSO
>> unity.saml.requester.remoteIdp.marine.binding=HTTP_REDIRECT
>> unity.saml.requester.remoteIdp.marine.samlId=https://idp.marine-id.org/idp/shibboleth
>> unity.saml.requester.remoteIdp.marine.certificate=MARINEID
>> unity.saml.requester.remoteIdp.marine.translationProfile=marineID
>> unity.saml.requester.remoteIdp.marine.registrationFormForUnknown=marineID Registration Form
>> unity.saml.requester.remoteIdp.marine.enableAccountAssociation=false
>> unity.saml.requester.remoteIdp.marine.logoURI.en=https://www.marine-id.org/img/logo-noBG.svg
>>
>> 3. Created modules/oauthAS.module, a copy of oauthAS.module
>>
>> unityServer.core.script.909.file=${CONF}/scripts/oauthDemoInitializer.groovy
>> unityServer.core.script.909.trigger=pre-init
>>
>> unityServer.core.endpoints.marineOauth.endpointType=OAuth2Authz
>> unityServer.core.endpoints.marineOauth.endpointConfigurationFile=${CONF}/modules/oauth/oauth2-marine.properties
>> unityServer.core.endpoints.marineOauth.contextPath=/oauth2-marine
>> unityServer.core.endpoints.marineOauth.endpointName=MarineID OAuth2 Authorization Server
>> unityServer.core.endpoints.marineOauth.endpointRealm=defaultRealm
>> unityServer.core.endpoints.marineOauth.endpointAuthenticators=marineWeb
>>
>> unityServer.core.endpoints.marineToken.endpointType=OAuth2Token
>> unityServer.core.endpoints.marineToken.endpointConfigurationFile=${CONF}/modules/oauth/oauth2-marine.properties
>> unityServer.core.endpoints.marineToken.contextPath=/marine
>> unityServer.core.endpoints.marineToken.endpointName=MarineID OAuth2 Token endpoint
>> unityServer.core.endpoints.marineToken.endpointRealm=defaultRealm
>> unityServer.core.endpoints.marineToken.endpointAuthenticators=pwdRest;certRest
>>
>> 4. Created modules/oauth/oauth2-marine.properties, a copy of modules/oauth/oauth2-as.properties
>>
>> unity.oauth2.as.issuerUri=https://unity.eudat-aai.fz-juelich.de:8443/marine
>>
>> unity.oauth2.as.signingCredential=MAIN
>>
>> unity.oauth2.as.clientsGroup=/oauth-clients
>> unity.oauth2.as.usersGroup=/
>>
>> unity.oauth2.as.translationProfile=marineIDout
>> unity.oauth2.as.accessTokenValidity=600
>> unity.oauth2.as.extendAccessTokenValidityUpTo=86400
>> unity.oauth2.as.refreshTokenValidity=0
>>
>> # Definition of scopes
>>
>> unity.oauth2.as.scopes.1.name=openid
>> unity.oauth2.as.scopes.1.description=Enables the OpenID Connect support
>>
>> unity.oauth2.as.scopes.4.name=email
>> unity.oauth2.as.scopes.4.description=OpenID Connect Email Scope
>> unity.oauth2.as.scopes.4.attributes.1=email
>>
>> unity.oauth2.as.scopes.5.name=profile
>> unity.oauth2.as.scopes.5.description=OpenID Connect user profile scope
>> unity.oauth2.as.scopes.5.attributes.1=name
>>
>> unity.oauth2.as.scopes.2.name=USER_PROFILE
>> unity.oauth2.as.scopes.2.description=Provides access to the user's profile information
>> unity.oauth2.as.scopes.2.attributes.1=userName
>> unity.oauth2.as.scopes.2.attributes.2=email
>> unity.oauth2.as.scopes.2.attributes.3=groups
>> unity.oauth2.as.scopes.2.attributes.4=unity:persistent
>> unity.oauth2.as.scopes.2.attributes.5=urn:oid:2.5.4.49
>> unity.oauth2.as.scopes.2.attributes.6=name
>> unity.oauth2.as.scopes.2.attributes.7=cn
>>
>> unity.oauth2.as.scopes.3.name=GENERATE_USER_CERTIFICATE
>> unity.oauth2.as.scopes.3.description=Generate User Certificate
>> unity.oauth2.as.scopes.3.attributes.1=userName
>> unity.oauth2.as.scopes.3.attributes.2=email
>> unity.oauth2.as.scopes.3.attributes.3=name
>> unity.oauth2.as.scopes.3.attributes.4=groups
>>
>> #UI specific properties
>> unity.endpoint.web.enableRegistration=false
>> unity.endpoint.web.autoLogin=true
>>
>> unity.endpoint.web.authenticationTiles.4.tileContents=oauthMarine
>> unity.endpoint.web.authenticationTiles.4.tileMode=table
>> unity.endpoint.web.authenticationTiles.4.tileName.en=Login with your MarineID
>>
>> ———————
>> Best regards,
>> Nick
>>
>>> On 4 Jul 2018, at 10:06, Krzysztof Benedyczak <kb...@un...> wrote:
>>>
>>> On 03.07.2018 at 16:22, Nikolaos Evangelou wrote:
>>>> Hello Krzysztof,
>>>>
>>>> I'm testing your suggestion to create a separate oauth authorization endpoint, but I got some issues. When I make an authentication request to the new endpoint, I go directly to the login page of my preselected IdP (as expected) but after the login I got stuck at the ${new_endpoint}/oauth2-authz-web-entry portal, and I'm asked to login again. Do you have any suggestion to deal with this issue?
>>> Can you evaluate debug logs carefully, together with web browser logs? What happens there, what is the precise flow of redirections? Visually this effect in the web browser can be due to many reasons - up to the situation where everything works but your client is redirecting to Unity again as it doesn't accept your new endpoint.
>>>
>>> Best,
>>> Krzysztof
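The fix Nick reports is renumbering the tile in the copied endpoint file so that no `unity.endpoint.web.authenticationTiles.<N>` index is shared between the two OAuth2 endpoint configurations; whether the shared index was really the cause is, as he says, his guess. The script below is an added example written for this thread, not Unity's own code: it parses several endpoint `.properties` files the way Unity's Java-style properties are laid out (`#` comments, `key=value`, values with spaces such as `pwd cert`) and reports every tile index that appears in more than one file, so the overlap can be caught in a configuration review before a login loop shows up in production. The two file bodies are constructed from the values quoted in the thread; the file names and the assumption that the checked files belong to endpoints of the same type are the reviewer's inputs, not something the script verifies.

```python
"""Lint Unity endpoint property files for reused authenticationTiles indices.

Added example for this thread, not part of Unity itself. It parses the
`unity.endpoint.web.authenticationTiles.<N>.*` keys of several endpoint
configuration files and reports any tile index that appears in more than
one file. The poster's guess was that such a shared index caused the
login loop; this script only surfaces the overlap for review.
"""
import re
from collections import defaultdict

# Attribute part allows dotted names such as "tileName.en".
TILE_KEY = re.compile(r"^unity\.endpoint\.web\.authenticationTiles\.(\d+)\.([\w.]+)$")


def parse_properties(text):
    """Parse a Java-style .properties body into a {key: value} dict.

    Handles '#' and '!' comment lines, blank lines and both '=' and ':'
    separators; values keep their inner spaces ("pwd cert" stays intact).
    Line continuations and escapes are not needed for the files in the thread.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def tile_indices(props):
    """Return {index: {attribute: value}} for the authenticationTiles keys."""
    tiles = defaultdict(dict)
    for key, value in props.items():
        m = TILE_KEY.match(key)
        if m:
            tiles[int(m.group(1))][m.group(2)] = value
    return dict(tiles)


def find_tile_conflicts(files):
    """files: {file name: properties text} for endpoints assumed to share a type.

    Returns {index: [file names]} for every tile index used in more than one file.
    """
    users = defaultdict(list)
    for name, text in files.items():
        for idx in tile_indices(parse_properties(text)):
            users[idx].append(name)
    return {idx: sorted(names) for idx, names in users.items() if len(names) > 1}


# Constructed samples mirroring the values quoted in the thread.
OAUTH2_AS = """\
# UI specific properties
unity.endpoint.web.autoLogin=true
unity.endpoint.web.authenticationTiles.1.tileContents=pwd cert
unity.endpoint.web.authenticationTiles.2.tileContents=oauth
unity.endpoint.web.authenticationTiles.3.tileContents=saml
"""

# The copied file as it was when the login loop occurred.
OAUTH2_SDC_BEFORE = """\
unity.endpoint.web.autoLogin=true
unity.endpoint.web.authenticationTiles.1.tileContents=saml
"""

# The copied file after renumbering the tile from 1 to 11.
OAUTH2_SDC_AFTER = """\
unity.endpoint.web.autoLogin=true
unity.endpoint.web.authenticationTiles.11.tileContents=saml
"""


def check_before():
    return find_tile_conflicts({"oauth2-as.properties": OAUTH2_AS,
                                "oauth2-sdc.properties": OAUTH2_SDC_BEFORE})


def check_after():
    return find_tile_conflicts({"oauth2-as.properties": OAUTH2_AS,
                                "oauth2-sdc.properties": OAUTH2_SDC_AFTER})


if __name__ == "__main__":
    for label, result in (("before", check_before()), ("after", check_after())):
        print(label, result or "no shared tile indices")
```

Run against the two constructed files, the "before" pair reports index 1 as shared by both files and the "after" pair reports nothing; on a real deployment, point it at every `endpointConfigurationFile` listed in `unityServer.conf` for endpoints of the same type.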