From: Krzysztof B. <kb...@un...> - 2025-06-05 19:30:26
Hi Sander,

On 16.05.2025 at 07:44, Sander Apweiler wrote:
> Good morning Krzysztof,
>
> 1. I attached a screenshot of the auto process settings. The
> Finalization tab has no configuration. Let me know if you need some
> others as well.
> 2. It happens when you follow the link from the invitation. Clicking on
> it in the email or copy it and enter in browser.
> 3. I attached the log file, but it has only two get requests. One for
> the document and one for the favicon.
> 4. As far as we understood, the invitation was sent via upman to the
> user and the user received it without problems. Just like a normal
> email address.

So we are pretty sure that the problem is related to the '/' in UpMan project name. Changes in servlet API added quite strict restrictions on encoding '/' in URL paths. We have "legacy-compatible" mode already enabled, however it is failing (there are numerous 3rd party libs which are handling URLs in navigation and the problem is somewhere there).

1. Is it feasible to just restrict use of the '/' character in project names?
2. Can you please retest your scenario on a project w/o '/' in name? My guess is that it should work, including emails with '+'.

> About the second error. The steps to reproduce:
> 1. Start filling registration form
> 2. Wait lets say 5-10 Minutes
> 3. Submit the request by clicking on the button

Huh, no luck on our side with reproducing that. Sounds like a mystery. Can you please try to isolate this problem (maybe some test project aside)? Would be great to have full TRACE level logs of when this happens...

Best,
Krzysztof
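The two encoding effects discussed in the reply above ('/' inside a path segment, '+' inside an e-mail address), as an added example that is not part of the original messages or of Unity's code. The base URL, the link layout and all function names are assumptions made for illustration; the strict check only models a server that refuses encoded path separators.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Hypothetical base URL and link layout; the thread does not show Unity's real one.
BASE = "https://idm.example.org/upman"


def validate_project_name(name: str) -> str:
    """Reject names that cannot be carried safely in a single URL path segment."""
    if not name or "/" in name or "\\" in name:
        raise ValueError(f"project name {name!r} must not contain a path separator")
    return name


def build_invitation_link(project: str, email: str) -> str:
    """Place the project in the path and the e-mail address in the query string."""
    segment = quote(project, safe="")    # '/' becomes %2F inside the segment
    query = urlencode({"email": email})  # '+' becomes %2B, so it survives decoding
    return f"{BASE}/{segment}?{query}"


def strict_path_accepts(url: str) -> bool:
    """Model of a strict server: refuse raw paths that carry an encoded separator."""
    raw_path = urlsplit(url).path.lower()  # urlsplit leaves percent-escapes untouched
    return "%2f" not in raw_path and "%5c" not in raw_path


def email_from_link(url: str) -> str:
    """Decode the e-mail address the way a form-decoding server would."""
    return parse_qs(urlsplit(url).query)["email"][0]


def demo() -> dict:
    """Run the constructed cases: a name with '/', a plain name, and a raw '+'."""
    email = "user+test@example.org"  # constructed sample address
    with_slash = build_invitation_link("hpc/alpha", email)
    plain = build_invitation_link(validate_project_name("hpc-alpha"), email)
    # A link assembled by string concatenation, without encoding the '+':
    naive = f"{BASE}/hpc-alpha?email={email}"
    return {
        "with_slash": with_slash,
        "with_slash_accepted": strict_path_accepts(with_slash),
        "plain_accepted": strict_path_accepts(plain),
        "encoded_plus_roundtrip": email_from_link(plain),
        "raw_plus_roundtrip": email_from_link(naive),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Restricting '/' at project creation time (`validate_project_name`) keeps every generated link inside what a strict path parser accepts, independent of how the '+' in the address is handled.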
From: Krzysztof B. <kb...@un...> - 2025-05-21 13:01:23
Dear Sander,

On 21.05.2025 at 14:39, Sander Apweiler wrote:
> Dear Krzysztof,
> dear Roman,
>
> We encountered a bug in the handling of "hide-from-discovery"
> statements in federation metadata for SPs. We have one SP, who set the
> "hide-from-discovery" in the federation metadata. If this client wants
> to authenticate users, unity shows an SAML error, which says the issuer
> is not among trusted, although it is listed SAML web authentication
> settings among the clients from federation. It is the same error
> message you get if a wrong return URL is configured.
>
> Beside that the error message is wrong, it does not make sense to apply
> the "hide-from-discovery" for SPs because you do not have a discovery
> for clients. You have only a discovery for IdPs.
>
> Please let me know if you need some more details.

Makes sense, likely some too generic code on our side. We will address that.

Thanks,
Krzysztof
From: Sander A. <sa....@fz...> - 2025-05-21 12:39:28
Dear Krzysztof,
dear Roman,

We encountered a bug in the handling of "hide-from-discovery" statements in federation metadata for SPs. We have one SP, who set the "hide-from-discovery" in the federation metadata. If this client wants to authenticate users, unity shows an SAML error, which says the issuer is not among trusted, although it is listed SAML web authentication settings among the clients from federation. It is the same error message you get if a wrong return URL is configured.

Beside that the error message is wrong, it does not make sense to apply the "hide-from-discovery" for SPs because you do not have a discovery for clients. You have only a discovery for IdPs.

Please let me know if you need some more details.

Best regards,
Sander

--
Large-Scale Data Science
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
Forschungszentrum Jülich GmbH
52425 Jülich
Registered office: Jülich
Registered in the commercial register of the Düren Local Court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Stefan Müller
Board of Directors: Prof. Dr. Astrid Lambrecht (Chair),
Dr. Stephanie Bauer (Vice-Chair),
Prof. Dr. Ir. Pieter Jansens, Prof. Dr. Laurens Kuipers
-----------------------------------------------------------------------
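The distinction raised in this thread (the hide-from-discovery category affects which IdPs are listed for discovery, not which SPs are trusted), as an added example that is not part of the original messages or of Unity's code. The entity IDs and the trimmed metadata are constructed; the category URI and the entity-category attribute name are the REFEDS ones, and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
HIDE_FROM_DISCOVERY = "http://refeds.org/category/hide-from-discovery"

# Constructed, heavily trimmed federation metadata (no keys, endpoints or signature).
# Real metadata must be signature-verified and parsed with a hardened XML parser.
METADATA = """
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://idp-visible.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-hidden.example.org/idp">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://refeds.org/category/hide-from-discovery</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-hidden.example.org/sp">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://refeds.org/category/hide-from-discovery</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-plain.example.org/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def entity_categories(entity):
    """Collect the entity-category values declared in the entity's Extensions."""
    values = set()
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in entity.findall(path, NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            for value in attr.findall("saml:AttributeValue", NS):
                values.add((value.text or "").strip())
    return values


def load_entities(xml_text):
    """Return one record per EntityDescriptor: id, roles and the hidden flag."""
    root = ET.fromstring(xml_text.strip())
    records = []
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        records.append({
            "entity_id": entity.get("entityID"),
            "is_idp": entity.find("md:IDPSSODescriptor", NS) is not None,
            "is_sp": entity.find("md:SPSSODescriptor", NS) is not None,
            "hidden": HIDE_FROM_DISCOVERY in entity_categories(entity),
        })
    return records


def discovery_idps(entities):
    """IdPs offered on the discovery screen: the only place the category applies."""
    return [e["entity_id"] for e in entities if e["is_idp"] and not e["hidden"]]


def trusted_idps(entities):
    """Every federation IdP stays trusted, whether or not it is listed."""
    return {e["entity_id"] for e in entities if e["is_idp"]}


def is_trusted_issuer(issuer, entities):
    """An SP request issuer is trusted by role alone; 'hidden' is ignored for SPs."""
    return any(e["is_sp"] and e["entity_id"] == issuer for e in entities)


if __name__ == "__main__":
    loaded = load_entities(METADATA)
    print("discovery list:", discovery_idps(loaded))
    print("hidden SP trusted:", is_trusted_issuer("https://sp-hidden.example.org/sp", loaded))
```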
From: Sander A. <sa....@fz...> - 2025-05-19 12:18:24
Hi Krzysztof,

please find attached the input translation profile and the registration form. I'll have a look if we still have the logs from creation and let you know.

Best regards,
Sander

On Mon, 2025-05-19 at 11:37 +0200, Krzysztof Benedyczak wrote:
> On 19.05.2025 at 11:22, Krzysztof Benedyczak wrote:
> > Hi Sander,
> >
> > On 15.05.2025 at 09:14, Sander Apweiler wrote:
> > > Hi Krzysztof,
> > > hi Roman,
> > >
> > > there might be another bug in user registration, found in unity 4.0.6.
> > > We had a user where mandatory attributes are missing. In the
> > > registration form the "Optional parameter" tick-box for the attributes
> > > givenname, surname and email address is not set. Action for the name
> > > attributes is "From remote IdP else user input" and for email address
> > > "From remote Idp and shown RO". The input translation profile does work
> > > for IdPs where those information are transferred. Nevertheless the user
> > > successfully created the account without those mandatory information,
> > > but can not use any service.
> >
> > This one is also not easily reproducible. We would need:
> >
> > 1. complete form configuration. JSON from DB JSON dump (of course
> > only this form part) would be helpful. (note: you can selectively
> > control what is exported, then trimming the JSON will be easier).
> >
> > 2. what was received from the upstream IdP. Log would be perfect.
>
> and one thing more:
>
> 3. input profile of the authenticator used in this case for remote
> login.
>
> Thanks,
> Krzysztof
From: Krzysztof B. <kb...@un...> - 2025-05-19 09:37:21
On 19.05.2025 at 11:22, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 15.05.2025 at 09:14, Sander Apweiler wrote:
>> Hi Krzysztof,
>> hi Roman,
>>
>> there might be another bug in user registration, found in unity 4.0.6.
>> We had a user where mandatory attributes are missing. In the
>> registration form the "Optional parameter" tick-box for the attributes
>> givenname, surname and email address is not set. Action for the name
>> attributes is "From remote IdP else user input" and for email address
>> "From remote Idp and shown RO". The input translation profile does work
>> for IdPs where those information are transferred. Nevertheless the user
>> successfully created the account without those mandatory information,
>> but can not use any service.
>
> This one is also not easily reproducible. We would need:
>
> 1. complete form configuration. JSON from DB JSON dump (of course only
> this form part) would be helpful. (note: you can selectively control
> what is exported, then trimming the JSON will be easier).
>
> 2. what was received from the upstream IdP. Log would be perfect.

and one thing more:

3. input profile of the authenticator used in this case for remote login.

Thanks,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2025-05-19 09:22:38
Hi Sander,

On 15.05.2025 at 09:14, Sander Apweiler wrote:
> Hi Krzysztof,
> hi Roman,
>
> there might be another bug in user registration, found in unity 4.0.6.
> We had a user where mandatory attributes are missing. In the
> registration form the "Optional parameter" tick-box for the attributes
> givenname, surname and email address is not set. Action for the name
> attributes is "From remote IdP else user input" and for email address
> "From remote Idp and shown RO". The input translation profile does work
> for IdPs where those information are transferred. Nevertheless the user
> successfully created the account without those mandatory information,
> but can not use any service.

This one is also not easily reproducible. We would need:

1. complete form configuration. JSON from DB JSON dump (of course only this form part) would be helpful. (note: you can selectively control what is exported, then trimming the JSON will be easier).

2. what was received from the upstream IdP. Log would be perfect.

Thank you,
Krzysztof
From: Sander A. <sa....@fz...> - 2025-05-16 05:44:55
Good morning Krzysztof,

1. I attached a screenshot of the auto process settings. The Finalization tab has no configuration. Let me know if you need some others as well.
2. It happens when you follow the link from the invitation. Clicking on it in the email or copy it and enter in browser.
3. I attached the log file, but it has only two get requests. One for the document and one for the favicon.
4. As far as we understood, the invitation was sent via upman to the user and the user received it without problems. Just like a normal email address.

About the second error. The steps to reproduce:
1. Start filling registration form
2. Wait lets say 5-10 Minutes
3. Submit the request by clicking on the button

Best regards,
Sander

On Thu, 2025-05-15 at 18:17 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 14.05.2025 at 17:13, Sander Apweiler wrote:
> > Hi Krzysztof,
> > hi Roman,
> >
> > we found two bugs in unity 4.1.0. The first is in the invitation
> > handling and the second in account registration.
> >
> > Starting with the invitation handling. If an invitation is sent to an
> > email address containing a +, the invitation itself is sent to the user
> > without any problems, but if the user follows the link from the
> > invitation unity shows an URN encoding error and the corresponding
> > stack trace. I attached this to the email.
>
> Well, I'm not entirely sure the problem is like described. I was able
> to register with email address with + sign w/o any problem end to
> end. Also the stack trace is suggesting another problem: the URL has
> '/' encoded.
>
> It is possible the problem is really with "+" but then I'd suspect
> some extra configuration that comes into play.
>
> So can you please provide more detailed information?
>
> 1. form configuration. Especially if there are any post-registration
> actions configured.
>
> 2. in what moment precisely this happens? When user is opening the
> URL from email? When confirming something? When getting the
> finalization page?
>
> 3. network log from the browser, what is on UI
>
> 4. how the user is invited (precise flow, additional settings).
>
> > The second error occurred in the registration of a local account. We
> > are not sure if this only happens in the registration of OAuth clients
> > (the only local accounts we allow), but I assume it happens to all
> > local accounts. If the registration form is opened all mandatory
> > information entered and policies accepted, but some minutes waited
> > before the registration is submitted, unity shows only registration
> > failed to the users but internally it processes the registration,
> > sending emails to the system administrators and lists this registration
> > in the requests tab. This request is completely empty or broken (see
> > attached screenshot) and trying to delete the request on the button of
> > the pages is changing the button text only to error. We can delete this
> > request by going back to the request list and triggering the deletion
> > from the hamburger menu.
>
> Hmm, let me ensure I do understand this: registration form is opened,
> filled, but not submitted. After some time of inactivity the form is
> auto submitted?
>
> Thanks,
> Krzysztof
From: Sander A. <sa....@fz...> - 2025-05-16 05:19:22
Good morning Krzysztof,

yes a setting in output translation profile would be great. I agree a global change to wrap all single-valued attribute into arrays would be a good idea. Some attributes are defined as single-value and software systems might expect them as single-value and not as array.

Best regards,
Sander

On Thu, 2025-05-15 at 18:21 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 15.05.2025 at 14:07, Sander Apweiler wrote:
> > Hi Krzysztof,
> > hi Roman,
> >
> > sorry for bothering you again.
> >
> > We have some attributes, e.g. entitlements, which mostly contains
> > multiple values but can also contain just a single value. At the moment
> > unity does not release the single values as array/list. This is fine,
> > according the protocol standards. But we have some services connected,
> > which did not cover the case that the attribute might not be available
> > as array/list but as single value. Is there a way in unity to release
> > an attribute always as array/list, even when it has only a single
> > value?
>
> No, unfortunately not. This would need to be a configurable setting,
> per attribute (in output profile I guess?). I don't think a global
> change to wrap all single-valued attribute values into arrays would
> be appreciated :-)
>
> Best,
> Krzysztof
From: Krzysztof B. <kb...@un...> - 2025-05-15 16:21:24
Hi Sander,

On 15.05.2025 at 14:07, Sander Apweiler wrote:
> Hi Krzysztof,
> hi Roman,
>
> sorry for bothering you again.
>
> We have some attributes, e.g. entitlements, which mostly contains
> multiple values but can also contain just a single value. At the moment
> unity does not release the single values as array/list. This is fine,
> according the protocol standards. But we have some services connected,
> which did not cover the case that the attribute might not be available
> as array/list but as single value. Is there a way in unity to release
> an attribute always as array/list, even when it has only a single
> value?

No, unfortunately not. This would need to be a configurable setting, per attribute (in output profile I guess?). I don't think a global change to wrap all single-valued attribute values into arrays would be appreciated :-)

Best,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2025-05-15 16:18:01
Hi Sander,

On 14.05.2025 at 17:13, Sander Apweiler wrote:
> Hi Krzysztof,
> hi Roman,
>
> we found two bugs in unity 4.1.0. The first is in the invitation
> handling and the second in account registration.
>
> Starting with the invitation handling. If an invitation is sent to an
> email address containing a +, the invitation itself is sent to the user
> without any problems, but if the user follows the link from the
> invitation unity shows an URN encoding error and the corresponding
> stack trace. I attached this to the email.

Well, I'm not entirely sure the problem is like described. I was able to register with email address with + sign w/o any problem end to end. Also the stack trace is suggesting another problem: the URL has '/' encoded.

It is possible the problem is really with "+" but then I'd suspect some extra configuration that comes into play.

So can you please provide more detailed information?

1. form configuration. Especially if there are any post-registration actions configured.

2. in what moment precisely this happens? When user is opening the URL from email? When confirming something? When getting the finalization page?

3. network log from the browser, what is on UI

4. how the user is invited (precise flow, additional settings).

> The second error occurred in the registration of a local account. We
> are not sure if this only happens in the registration of OAuth clients
> (the only local accounts we allow), but I assume it happens to all
> local accounts. If the registration form is opened all mandatory
> information entered and policies accepted, but some minutes waited
> before the registration is submitted, unity shows only registration
> failed to the users but internally it processes the registration,
> sending emails to the system administrators and lists this registration
> in the requests tab. This request is completely empty or broken (see
> attached screenshot) and trying to delete the request on the button of
> the pages is changing the button text only to error. We can delete this
> request by going back to the request list and triggering the deletion
> from the hamburger menu.

Hmm, let me ensure I do understand this: registration form is opened, filled, but not submitted. After some time of inactivity the form is auto submitted?

Thanks,
Krzysztof
From: Sander A. <sa....@fz...> - 2025-05-15 12:07:37
Hi Krzysztof,
hi Roman,

sorry for bothering you again.

We have some attributes, e.g. entitlements, which mostly contains multiple values but can also contain just a single value. At the moment unity does not release the single values as array/list. This is fine, according the protocol standards. But we have some services connected, which did not cover the case that the attribute might not be available as array/list but as single value. Is there a way in unity to release an attribute always as array/list, even when it has only a single value?

Best regards,
Sander
From: Sander A. <sa....@fz...> - 2025-05-15 07:14:56
Hi Krzysztof,
hi Roman,

there might be another bug in user registration, found in unity 4.0.6. We had a user where mandatory attributes are missing. In the registration form the "Optional parameter" tick-box for the attributes givenname, surname and email address is not set. Action for the name attributes is "From remote IdP else user input" and for email address "From remote Idp and shown RO". The input translation profile does work for IdPs where those information are transferred. Nevertheless the user successfully created the account without those mandatory information, but can not use any service.

Best regards,
Sander
From: Sander A. <sa....@fz...> - 2025-05-14 15:14:00
Hi Krzysztof,
hi Roman,

we found two bugs in unity 4.1.0. The first is in the invitation handling and the second in account registration.

Starting with the invitation handling. If an invitation is sent to an email address containing a +, the invitation itself is sent to the user without any problems, but if the user follows the link from the invitation unity shows an URN encoding error and the corresponding stack trace. I attached this to the email.

The second error occurred in the registration of a local account. We are not sure if this only happens in the registration of OAuth clients (the only local accounts we allow), but I assume it happens to all local accounts. If the registration form is opened all mandatory information entered and policies accepted, but some minutes waited before the registration is submitted, unity shows only registration failed to the users but internally it processes the registration, sending emails to the system administrators and lists this registration in the requests tab. This request is completely empty or broken (see attached screenshot) and trying to delete the request on the button of the pages is changing the button text only to error. We can delete this request by going back to the request list and triggering the deletion from the hamburger menu.

Best regards,
Sander
From: Sander A. <sa....@fz...> - 2025-05-05 10:46:09
Hi Roman,

yes this solved the issue. Maybe mention this change also in the 4.2.3. From 3.LATEST to 4.0 section. We did not recognize this change because it was not listed here. But I'm not sure how many instances customized the messages.

Best regards,
Sander

On Tue, 2025-04-29 at 09:06 +0200, Roman Krysiński wrote:
> Hi Sander,
>
> Good question, as far as I can see in the code, in Unity-IdM 4, authN
> screen can be tweaked in web endpoint configuration file.
> The equivalent you are looking for seems to
> be unity.endpoint.web.authnScreenTitle. For more information please
> have a look
> https://www.unity-idm.eu/documentation/unity-4.1.1/manual.html#endpoints-authn
>
> Note that if the aforementioned is not configured
> the AuthenticationUI.login message is taken as default.
>
> Please let me know if that answers your question.
>
> Kind regards,
> Roman
>
> On Thu, 24 Apr 2025 at 13:03, Sander Apweiler <sa....@fz...> wrote:
> > Hi Krzysztof,
> > hi Roman,
> >
> > in unity 3, we were able to change the text on the "login screens" on
> > the different endpoints by updating the AuthenticationUI.login
> > parameter in message properties file. It seems this has changed in
> > unity version 4. Is there any possibility to update the default
> > messages?
> >
> > Best regards,
> > Sander
From: Roman K. <ro...@un...> - 2025-04-29 07:07:14
Hi Sander,

Good question, as far as I can see in the code, in Unity-IdM 4, authN screen can be tweaked in web endpoint configuration file. The equivalent you are looking for seems to be unity.endpoint.web.authnScreenTitle. For more information please have a look https://www.unity-idm.eu/documentation/unity-4.1.1/manual.html#endpoints-authn

Note that if the aforementioned is not configured the AuthenticationUI.login message is taken as default.

Please let me know if that answers your question.

Kind regards,
Roman

On Thu, 24 Apr 2025 at 13:03, Sander Apweiler <sa....@fz...> wrote:
> Hi Krzysztof,
> hi Roman,
>
> in unity 3, we were able to change the text on the "login screens" on
> the different endpoints by updating the AuthenticationUI.login
> parameter in message properties file. It seems this has changed in
> unity version 4. Is there any possibility to update the default
> messages?
>
> Best regards,
> Sander
From: Krzysztof B. <kb...@un...> - 2025-04-25 12:24:31
Dear Subscribers,

A small patch release with one fix was published today:

* Fixed error related to authentication with Unity, when value-less query parameters were used

Details are available here: https://unity-idm.eu/releases/release-4-1-1/

Best regards,
Krzysztof
From: Sander A. <sa....@fz...> - 2025-04-24 11:03:15
Hi Krzysztof,
hi Roman,

in unity 3, we were able to change the text on the "login screens" on the different endpoints by updating the AuthenticationUI.login parameter in message properties file. It seems this has changed in unity version 4. Is there any possibility to update the default messages?

Best regards,
Sander
From: Krzysztof B. <kb...@un...> - 2025-04-17 19:40:23
Hi Sander,

On 14.04.2025 at 16:06, Sander Apweiler wrote:
> Hi Krzysztof, hi Roman,
> is there a possibility to set the NameFormat of attributes, released by
> unity? By default it uses
> urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified but we have a
> client which would require
> urn:oasis:names:tc:SAML:2.0:attrname-format:uri.

Unfortunately no, we don't set NameFormat.

Best,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2025-04-17 19:15:51
Hi Sander,

On 17.04.2025 at 11:24, Sander Apweiler wrote:
> Hello Krzysztof, hello Roman,
> do you have any update? We got a lot of tickets from users and also the
> service provider is already asking when this would be solved.

We have the fix for this issue, not released yet. Will it be suitable, if it goes out in 4.*1*.1 release?

Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2025-04-17 09:25:20
Hello Krzysztof, hello Roman,

do you have any update? We got a lot of tickets from users and also the service provider is already asking when this would be solved.

Best regards,
Sander

On Mon, 2025-04-14 at 08:44 +0200, Sander Apweiler wrote:
> Hi Krzysztof, hi Roman,
> it looks like there is still an issue in the login process.
>
> For some service, so far only for public client with PKCE reproduced,
> we got a NullPointer Exception after being redirected from Home IdP:
>
> HTTP ERROR 500 java.lang.NullPointerException: Cannot invoke "String.replace(java.lang.CharSequence, java.lang.CharSequence)" because "arg" is null
> URI: /unitygw/spSAMLResponseConsumer
> STATUS: 500
> MESSAGE: java.lang.NullPointerException: Cannot invoke "String.replace(java.lang.CharSequence, java.lang.CharSequence)" because "arg" is null
> SERVLET: pl.edu.icm.unity.saml.sp.SAMLResponseConsumerServlet-6666410a
> CAUSED BY: java.lang.NullPointerException: Cannot invoke "String.replace(java.lang.CharSequence, java.lang.CharSequence)" because "arg" is null
> Caused by:
>
> java.lang.NullPointerException: Cannot invoke "String.replace(java.lang.CharSequence, java.lang.CharSequence)" because "arg" is null
>     at pl.edu.icm.unity.engine.api.utils.URIBuilderFixer.decodePlusIntoSpace(URIBuilderFixer.java:40)
>     at pl.edu.icm.unity.engine.api.utils.URIBuilderFixer.lambda$newInstance$0(URIBuilderFixer.java:31)
>     at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
>     at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1708)
>     at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
>     at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
>     at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:921)
>     at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>     at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682)
>     at pl.edu.icm.unity.engine.api.utils.URIBuilderFixer.newInstance(URIBuilderFixer.java:32)
>     at pl.edu.icm.unity.engine.api.utils.URIBuilderFixer.newInstance(URIBuilderFixer.java:24)
>     at pl.edu.icm.unity.saml.sp.SAMLResponseConsumerServlet.getRedirectWithContextIdParam(SAMLResponseConsumerServlet.java:83)
>     at pl.edu.icm.unity.saml.sp.SAMLResponseConsumerServlet.postProcessResponse(SAMLResponseConsumerServlet.java:76)
>     at pl.edu.icm.unity.saml.SamlHttpResponseServlet.process(SamlHttpResponseServlet.java:67)
>     at pl.edu.icm.unity.saml.SamlHttpResponseServlet.doPost(SamlHttpResponseServlet.java:42)
>     at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:547)
>     at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:614)
>     at org.eclipse.jetty.ee10.servlet.ServletHolder.handle(ServletHolder.java:736)
>     at org.eclipse.jetty.ee10.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1614)
>     at org.eclipse.jetty.ee10.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:317)
>     at org.eclipse.jetty.ee10.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:270)
>     at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
>     at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1586)
>     at io.imunity.vaadin.endpoint.common.InvocationContextSetupFilter.doFilter(InvocationContextSetupFilter.java:67)
>     at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
>     at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1586)
>     at io.imunity.vaadin.endpoint.common.RemoteRedirectedAuthnResponseProcessingFilter.doFilter(RemoteRedirectedAuthnResponseProcessingFilter.java:48)
>     at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
>     at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1586)
>     at org.eclipse.jetty.ee10.servlet.ServletHandler$MappedServlet.handle(ServletHandler.java:1547)
>     at org.eclipse.jetty.ee10.servlet.ServletChannel.dispatch(ServletChannel.java:814)
>     at org.eclipse.jetty.ee10.servlet.ServletChannel.handle(ServletChannel.java:431)
>     at org.eclipse.jetty.ee10.servlet.ServletHandler.handle(ServletHandler.java:464)
>     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:571)
>     at org.eclipse.jetty.ee10.servlet.SessionHandler.handle(SessionHandler.java:703)
>     at org.eclipse.jetty.server.handler.ContextHandler.handle(ContextHandler.java:765)
>     at pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:67)
>     at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:181)
>     at org.eclipse.jetty.rewrite.handler.RewriteHandler$LastRuleHandler.handle(RewriteHandler.java:159)
>     at org.eclipse.jetty.rewrite.handler.Rule$Handler.handle(Rule.java:108)
>     at org.eclipse.jetty.rewrite.handler.HeaderPatternRule$1.handle(HeaderPatternRule.java:89)
>     at org.eclipse.jetty.rewrite.handler.Rule$Handler.handle(Rule.java:108)
>     at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:143)
>     at org.eclipse.jetty.rewrite.handler.RewriteHandler$LastRuleHandler.handle(RewriteHandler.java:159)
>     at org.eclipse.jetty.rewrite.handler.Rule$Handler.handle(Rule.java:108)
>     at org.eclipse.jetty.rewrite.handler.HeaderPatternRule$1.handle(HeaderPatternRule.java:89)
>     at org.eclipse.jetty.rewrite.handler.Rule$Handler.handle(Rule.java:108)
>     at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:143)
>     at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.
> java:597) > at > org.eclipse.jetty.server.Handler$Wrapper.handle(Handler.java:716) > at > pl.edu.icm.unity.engine.server.TraceBlockingHandler.handle(TraceBlock > ingHandler.java:34) > at org.eclipse.jetty.server.Server.handle(Server.java:179) > at > org.eclipse.jetty.server.internal.HttpChannelState$HandlerInvoker.run > (HttpChannelState.java:619) > at > org.eclipse.jetty.server.internal.HttpConnection.onFillable(HttpConne > ction.java:411) > at > org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(Abstra > ctConnection.java:322) > at > org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:99) > at > org.eclipse.jetty.io.ssl.SslConnection$SslEndPoint.onFillable(SslConn > ection.java:574) > at > org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java: > 390) > at > org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java > :150) > at > org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:99) > at > org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChanne > lEndPoint.java:53) > at > org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runT > ask(AdaptiveExecutionStrategy.java:478) > at > org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.cons > umeTask(AdaptiveExecutionStrategy.java:441) > at > org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryP > roduce(AdaptiveExecutionStrategy.java:293) > at > org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.run( > AdaptiveExecutionStrategy.java:201) > at > org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.r > un(ReservedThreadExecutor.java:410) > at > org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPoo > l.java:971) > at > org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(Queued > ThreadPool.java:1201) > at > org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThrea > dPool.java:1156) > at java.base/java.lang.Thread.run(Thread.java:1583) > > > 
The exception is shown in the browser to the users and we see it in > the > logs. We can reproduce this with the service > https://sensors.gfz-potsdam.de/ > > Best regards, > Sander > -- Large-Scale Data Science Juelich Supercomputing Centre phone: +49 2461 61 8847 fax: +49 2461 61 6656 email: sa....@fz... ----------------------------------------------------------------------- ----------------------------------------------------------------------- Forschungszentrum Jülich GmbH 52425 Jülich Sitz der Gesellschaft: Jülich Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Stefan Müller Geschäftsführung: Prof. Dr. Astrid Lambrecht (Vorsitzende), Dr. Stephanie Bauer (stellvertretende Vorsitzende), Prof. Dr. Ir. Pieter Jansens, Prof. Dr. Laurens Kuipers ----------------------------------------------------------------------- ----------------------------------------------------------------------- |
From: Sander A. <sa....@fz...> - 2025-04-14 14:06:37
|
Hi Krzysztof, hi Roman,

is there a possibility to set the NameFormat of attributes, released by
unity? By default it uses
urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified but we have a
client which would require
urn:oasis:names:tc:SAML:2.0:attrname-format:uri.

Best regards,
Sander
|
From: Sander A. <sa....@fz...> - 2025-04-14 06:44:53
|
Hi Krzysztof, hi Roman,
it looks like there is still an issue in the login process.

For some service, so far only for public client with PKCE reproduced,
we got a NullPointer Exception after being redirected from Home IdP:

HTTP ERROR 500 java.lang.NullPointerException: Cannot invoke "String.replace(java.lang.CharSequence, java.lang.CharSequence)" because "arg" is null
URI: /unitygw/spSAMLResponseConsumer
STATUS: 500
MESSAGE: java.lang.NullPointerException: Cannot invoke "String.replace(java.lang.CharSequence, java.lang.CharSequence)" because "arg" is null
SERVLET: pl.edu.icm.unity.saml.sp.SAMLResponseConsumerServlet-6666410a
CAUSED BY: java.lang.NullPointerException: Cannot invoke "String.replace(java.lang.CharSequence, java.lang.CharSequence)" because "arg" is null
Caused by:

java.lang.NullPointerException: Cannot invoke "String.replace(java.lang.CharSequence, java.lang.CharSequence)" because "arg" is null
    at pl.edu.icm.unity.engine.api.utils.URIBuilderFixer.decodePlusIntoSpace(URIBuilderFixer.java:40)
    at pl.edu.icm.unity.engine.api.utils.URIBuilderFixer.lambda$newInstance$0(URIBuilderFixer.java:31)
    at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
    at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1708)
    at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
    at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
    at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:921)
    at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
    at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682)
    at pl.edu.icm.unity.engine.api.utils.URIBuilderFixer.newInstance(URIBuilderFixer.java:32)
    at pl.edu.icm.unity.engine.api.utils.URIBuilderFixer.newInstance(URIBuilderFixer.java:24)
    at pl.edu.icm.unity.saml.sp.SAMLResponseConsumerServlet.getRedirectWithContextIdParam(SAMLResponseConsumerServlet.java:83)
    at pl.edu.icm.unity.saml.sp.SAMLResponseConsumerServlet.postProcessResponse(SAMLResponseConsumerServlet.java:76)
    at pl.edu.icm.unity.saml.SamlHttpResponseServlet.process(SamlHttpResponseServlet.java:67)
    at pl.edu.icm.unity.saml.SamlHttpResponseServlet.doPost(SamlHttpResponseServlet.java:42)
    at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:547)
    at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:614)
    at org.eclipse.jetty.ee10.servlet.ServletHolder.handle(ServletHolder.java:736)
    at org.eclipse.jetty.ee10.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1614)
    at org.eclipse.jetty.ee10.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:317)
    at org.eclipse.jetty.ee10.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:270)
    at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
    at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1586)
    at io.imunity.vaadin.endpoint.common.InvocationContextSetupFilter.doFilter(InvocationContextSetupFilter.java:67)
    at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
    at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1586)
    at io.imunity.vaadin.endpoint.common.RemoteRedirectedAuthnResponseProcessingFilter.doFilter(RemoteRedirectedAuthnResponseProcessingFilter.java:48)
    at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
    at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1586)
    at org.eclipse.jetty.ee10.servlet.ServletHandler$MappedServlet.handle(ServletHandler.java:1547)
    at org.eclipse.jetty.ee10.servlet.ServletChannel.dispatch(ServletChannel.java:814)
    at org.eclipse.jetty.ee10.servlet.ServletChannel.handle(ServletChannel.java:431)
    at org.eclipse.jetty.ee10.servlet.ServletHandler.handle(ServletHandler.java:464)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:571)
    at org.eclipse.jetty.ee10.servlet.SessionHandler.handle(SessionHandler.java:703)
    at org.eclipse.jetty.server.handler.ContextHandler.handle(ContextHandler.java:765)
    at pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:67)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:181)
    at org.eclipse.jetty.rewrite.handler.RewriteHandler$LastRuleHandler.handle(RewriteHandler.java:159)
    at org.eclipse.jetty.rewrite.handler.Rule$Handler.handle(Rule.java:108)
    at org.eclipse.jetty.rewrite.handler.HeaderPatternRule$1.handle(HeaderPatternRule.java:89)
    at org.eclipse.jetty.rewrite.handler.Rule$Handler.handle(Rule.java:108)
    at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:143)
    at org.eclipse.jetty.rewrite.handler.RewriteHandler$LastRuleHandler.handle(RewriteHandler.java:159)
    at org.eclipse.jetty.rewrite.handler.Rule$Handler.handle(Rule.java:108)
    at org.eclipse.jetty.rewrite.handler.HeaderPatternRule$1.handle(HeaderPatternRule.java:89)
    at org.eclipse.jetty.rewrite.handler.Rule$Handler.handle(Rule.java:108)
    at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:143)
    at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:597)
    at org.eclipse.jetty.server.Handler$Wrapper.handle(Handler.java:716)
    at pl.edu.icm.unity.engine.server.TraceBlockingHandler.handle(TraceBlockingHandler.java:34)
    at org.eclipse.jetty.server.Server.handle(Server.java:179)
    at org.eclipse.jetty.server.internal.HttpChannelState$HandlerInvoker.run(HttpChannelState.java:619)
    at org.eclipse.jetty.server.internal.HttpConnection.onFillable(HttpConnection.java:411)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:322)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:99)
    at org.eclipse.jetty.io.ssl.SslConnection$SslEndPoint.onFillable(SslConnection.java:574)
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:390)
    at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:150)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:99)
    at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
    at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:478)
    at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:441)
    at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:293)
    at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.run(AdaptiveExecutionStrategy.java:201)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:410)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:971)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1201)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1156)
    at java.base/java.lang.Thread.run(Thread.java:1583)

The exception is shown in the browser to the users and we see it in the
logs. We can reproduce this with the service
https://sensors.gfz-potsdam.de/

Best regards,
Sander
|
From: Roman K. <ro...@un...> - 2025-04-10 10:09:44
|
Hi Sander,

This should be fixed in 4.0.6 release.

Best regards,
Roman

On Thu, 10 Apr 2025 at 11:26, Sander Apweiler <sa....@fz...> wrote:
> Hello Roman,
> we have some further information from another users. Not sure if this
> is still relevant or already fixed with 4.0.6 release. It seems that
> unity adds a second ? in the URL when trying to redirect to the IdP:
>
> https://login.helmholtz.de/oauth2-as/authentication?x-client-ver=8.0.0.0&x-client-SKU=ID_NET472?redirectToIdP=81c6ea9e-fe8b-4f71-8906-56b2cd76607d
>
> Best regards,
> Sander
>
> On Thu, 2025-03-27 at 14:57 +0100, Roman Krysiński wrote:
> > Hello Sander,
> >
> > Thank you for reproduction steps, those are essential to find the
> > root cause.
> >
> > We are working on it.
> >
> > Best regards,
> > Roman
> >
> > On Thu, 27 Mar 2025 at 14:03, Sander Apweiler <sa....@fz...> wrote:
> > > Hello Krzysztof, hello Roman,
> > >
> > > yesterday we moved to unity 4.0.5 after testing the release in a
> > > broader audience but still not that close to our production
> > > environment. Sadly we now get again an increasing number of tickets
> > > about login fails and errors where the browsers are not allowed to
> > > show the unity page.
> > >
> > > The redirect loop happens on the WAYF/discovery page if the service
> > > is a public client. E.g. https://sensors.gfz-potsdam.de/
> > >
> > > If the users have a broken login, for example due to the first
> > > problem, and start using another service, even confidential
> > > services, the browser shows the error about not being allowed to
> > > show the page.
> > > 1. Go To another service, e.g. https://codebase.helmholtz.cloud/
> > > 2. Select Login with Helmholtz ID
> > > 3. Select an IdP from the WAYF/discovery page
> > >
> > > Please let us know if we can provide you any further information.
> > >
> > > Best regards,
> > > Sander
|
From: Krzysztof B. <kb...@un...> - 2025-04-10 09:40:22
|
Dear Subscribers,

A new feature release was published today. The 4.1.0 release focuses on
improving authentication, with a particular emphasis on better MFA handling.

* *Authentication Method Reference (AMR)* support: Administrators can now
  utilize information on active AMRs in the configuration of dynamic
  attributes and claims returned by any IdP endpoint.
* OAuth IdP recognizes *requested ACRs* (Authentication Context References).
* OAuth and SAML *authenticators can request ACRs*: Requests can be fixed
  (set in configuration) or dynamic, forwarding the requested ACR from the
  downstream client (useful for proxy IdP scenarios).
* Unity now returns the *auth_time* claim.

Additionally, Unity introduces a proprietary feature allowing OAuth clients
to specify a whitelist of claims, effectively filtering the returned claims
to only those values deemed relevant.

All relevant resources are linked from the release page:
https://unity-idm.eu/releases/release-4-1-0/

Thank you,
Krzysztof
|
From: Sander A. <sa....@fz...> - 2025-04-10 09:26:23
|
Hello Roman,
we have some further information from another users. Not sure if this
is still relevant or already fixed with 4.0.6 release. It seems that
unity adds a second ? in the URL when trying to redirect to the IdP:

https://login.helmholtz.de/oauth2-as/authentication?x-client-ver=8.0.0.0&x-client-SKU=ID_NET472?redirectToIdP=81c6ea9e-fe8b-4f71-8906-56b2cd76607d

Best regards,
Sander

On Thu, 2025-03-27 at 14:57 +0100, Roman Krysiński wrote:
> Hello Sander,
>
> Thank you for reproduction steps, those are essential to find the
> root cause.
>
> We are working on it.
>
> Best regards,
> Roman
>
> On Thu, 27 Mar 2025 at 14:03, Sander Apweiler <sa....@fz...> wrote:
> > Hello Krzysztof, hello Roman,
> >
> > yesterday we moved to unity 4.0.5 after testing the release in a
> > broader audience but still not that close to our production
> > environment. Sadly we now get again an increasing number of tickets
> > about login fails and errors where the browsers are not allowed to
> > show the unity page.
> >
> > The redirect loop happens on the WAYF/discovery page if the service
> > is a public client. E.g. https://sensors.gfz-potsdam.de/
> >
> > If the users have a broken login, for example due to the first
> > problem, and start using another service, even confidential services,
> > the browser shows the error about not being allowed to show the page.
> > 1. Go To another service, e.g. https://codebase.helmholtz.cloud/
> > 2. Select Login with Helmholtz ID
> > 3. Select an IdP from the WAYF/discovery page
> >
> > Please let us know if we can provide you any further information.
> >
> > Best regards,
> > Sander
|
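The two URL-handling failures reported in this thread, the NullPointerException in decodePlusIntoSpace and the second ? in the redirect URL, are illustrated by the following added example, which is not code from the thread or from Unity. It assumes, without confirmation from the thread, that the null came from a query parameter with no value; the class RedirectParamAppender and its methods are hypothetical and use only JDK classes.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;

// Hypothetical helper written for this example; it is not Unity's URIBuilderFixer.
public class RedirectParamAppender {

    // One query parameter. value is null for a bare name such as "?flag".
    record Param(String name, String value) {}

    // Form-style decoding ('+' becomes space, %XX is unescaped) that passes a
    // missing value through instead of dereferencing it.
    static String decode(String raw) {
        return raw == null ? null : URLDecoder.decode(raw, StandardCharsets.UTF_8);
    }

    static String encode(String text) {
        return URLEncoder.encode(text, StandardCharsets.UTF_8);
    }

    // Splits a raw query string into decoded parameters, keeping bare names.
    static List<Param> parseQuery(String rawQuery) {
        List<Param> params = new ArrayList<>();
        if (rawQuery == null || rawQuery.isEmpty()) {
            return params;
        }
        for (String pair : rawQuery.split("&")) {
            if (pair.isEmpty()) continue; // tolerate "a=1&&b=2"
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? null : pair.substring(eq + 1);
            params.add(new Param(decode(name), decode(value)));
        }
        return params;
    }

    // Returns base with name=value added. The query is rebuilt from the parsed
    // parameters, so exactly one '?' is emitted whether or not base had a query.
    static URI appendParam(URI base, String name, String value) {
        if (!base.isAbsolute() || base.getRawAuthority() == null) {
            throw new IllegalArgumentException("absolute hierarchical URI required: " + base);
        }
        List<Param> params = parseQuery(base.getRawQuery());
        params.add(new Param(name, value));
        String query = params.stream()
                .map(p -> p.value() == null
                        ? encode(p.name())
                        : encode(p.name()) + "=" + encode(p.value()))
                .collect(Collectors.joining("&"));
        String fragment = base.getRawFragment();
        return URI.create(base.getScheme() + "://" + base.getRawAuthority()
                + base.getRawPath() + "?" + query
                + (fragment == null ? "" : "#" + fragment));
    }

    public static void main(String[] args) {
        String idpKey = "81c6ea9e-fe8b-4f71-8906-56b2cd76607d"; // value from the thread
        // URL from the thread, as it looks before redirectToIdP is added.
        URI reported = URI.create("https://login.helmholtz.de/oauth2-as/authentication"
                + "?x-client-ver=8.0.0.0&x-client-SKU=ID_NET472");
        System.out.println(appendParam(reported, "redirectToIdP", idpKey));
        // Constructed inputs: no query at all, and a bare parameter next to '+' data.
        URI noQuery = URI.create("https://idp.example.org/authn");
        URI bareParam = URI.create("https://idp.example.org/authn?flag&q=a+b");
        System.out.println(appendParam(noQuery, "redirectToIdP", idpKey));
        System.out.println(appendParam(bareParam, "redirectToIdP", idpKey));
    }
}
```

Rebuilding the query re-encodes every parameter, so a space written as %20 in the input comes out as +; the decoded values are unchanged.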