From: Sander A. <sa....@fz...> - 2025-09-22 06:24:34
Hi Andre,

thank you very much for the information/link.

Best regards,
Sander

On Thu, 2025-09-18 at 14:09 +0200, André Moreira via Unity-idm-discuss wrote:
> Hi Sander,
>
> We do that by concatenating: "_entryFromMetadata_" +
> DigestUtils.md5Hex(samlEntityId)
> Follow the code from here:
> https://github.com/unity-idm/unity/blob/master/saml/src/main/java/pl/edu/icm/unity/saml/sp/config/TrustedIdPKey.java#L26
>
> The ID can also be found by selecting the IdP on Unity login screen and
> then looking at the generated cookie for Unity URL.
>
> Regards,
> André Moreira
>
> On 18/09/2025 12:08, Sander Apweiler wrote:
> > Hi Krzysztof,
> > hi Roman,
> >
> > is there any update on the easier identification of SAML IdPs in
> > preselected authentication? According to this ticket [1], I don't see
> > any progress. Can you also remember me how to find this ID of the IdP.
> >
> > Best regards,
> > Sander
> >
> > [1]: https://unity-idm.atlassian.net/browse/UY-1007
>
> --
> André Moreira
> CLARIN ERIC
> https://www.clarin.eu

--
Large-Scale Data Science
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
Forschungszentrum Jülich GmbH
52425 Jülich
Registered office: Jülich
Registered in the commercial register of the Düren Local Court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Stefan Müller
Management Board: Prof. Dr. Astrid Lambrecht (Chair),
Dr. Stephanie Bauer (Deputy Chair),
Prof. Dr. Ir. Pieter Jansens, Prof. Dr. Laurens Kuipers
-----------------------------------------------------------------------

From: André M. <an...@cl...> - 2025-09-18 12:26:19
Hi Sander,

We do that by concatenating: "_entryFromMetadata_" + DigestUtils.md5Hex(samlEntityId)
Follow the code from here:
https://github.com/unity-idm/unity/blob/master/saml/src/main/java/pl/edu/icm/unity/saml/sp/config/TrustedIdPKey.java#L26

The ID can also be found by selecting the IdP on Unity login screen and then looking at the generated cookie for Unity URL.

Regards,
André Moreira

On 18/09/2025 12:08, Sander Apweiler wrote:
> Hi Krzysztof,
> hi Roman,
>
> is there any update on the easier identification of SAML IdPs in
> preselected authentication? According to this ticket [1], I don't see
> any progress. Can you also remember me how to find this ID of the IdP.
>
> Best regards,
> Sander
>
> [1]: https://unity-idm.atlassian.net/browse/UY-1007

--
André Moreira
CLARIN ERIC
https://www.clarin.eu

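
Added example, not part of the message above and not Unity's own code: a Python sketch that applies the formula quoted in the message to every IdP in a federation metadata document, and maps a key (for instance one read from the cookie) back to its entityID. The sample metadata and entity IDs are constructed, the function names are hypothetical, and the linked TrustedIdPKey.java remains the authoritative definition of the key format.

```python
"""Map SAML IdP entity IDs to the key format quoted above, and back."""
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, Optional

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
KEY_PREFIX = "_entryFromMetadata_"  # prefix quoted in the message above

# Constructed sample metadata: two IdPs and one SP, hypothetical entity IDs.
SAMPLE_METADATA = """\
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.example.org/saml">
    <md:IDPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://login.example.edu/idp">
    <md:IDPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/saml">
    <md:SPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def trusted_idp_key(saml_entity_id: str) -> str:
    """Return "_entryFromMetadata_" + md5Hex(entityID).

    commons-codec's DigestUtils.md5Hex(String) hashes the UTF-8 bytes of the
    string and returns lowercase hex, which hexdigest() reproduces. MD5 only
    names the entry here; it is not a security control.
    """
    data = saml_entity_id.encode("utf-8")
    return KEY_PREFIX + hashlib.md5(data, usedforsecurity=False).hexdigest()


def idp_keys_from_metadata(xml_text: str) -> Dict[str, str]:
    """Return {entityID: key} for every entity that has an IDPSSODescriptor.

    Accepts either an EntitiesDescriptor aggregate or a single
    EntityDescriptor as the root element. Only feed it metadata whose
    signature has already been verified by the usual federation tooling.
    """
    root = ET.fromstring(xml_text)
    keys: Dict[str, str] = {}
    # iter() also yields the root itself when it is an EntityDescriptor.
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        entity_id = entity.get("entityID")
        if not entity_id:
            continue  # malformed entry, nothing to hash
        if entity.find(f"{{{MD_NS}}}IDPSSODescriptor") is None:
            continue  # SP-only entity, not selectable as an IdP
        keys[entity_id] = trusted_idp_key(entity_id)
    return keys


def entity_for_key(key: str, xml_text: str) -> Optional[str]:
    """Resolve a key back to its entityID by matching against the metadata.

    The hash cannot be inverted, so the only way back is to recompute the
    key for each known IdP and compare.
    """
    for entity_id, candidate in idp_keys_from_metadata(xml_text).items():
        if candidate == key:
            return entity_id
    return None


if __name__ == "__main__":
    for entity_id, key in sorted(idp_keys_from_metadata(SAMPLE_METADATA).items()):
        print(f"{key}  {entity_id}")
```
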
From: Sander A. <sa....@fz...> - 2025-09-18 10:08:53
Hi Krzysztof,
hi Roman,

is there any update on the easier identification of SAML IdPs in preselected authentication? According to this ticket [1], I don't see any progress. Can you also remember me how to find this ID of the IdP.

Best regards,
Sander

[1]: https://unity-idm.atlassian.net/browse/UY-1007

From: Krzysztof B. <kb...@un...> - 2025-09-17 11:20:18
Hi Laura,

On 17.09.2025 at 11:09, Laura Hofer wrote:
> Hi Krzysztof, Hi Roman,
>
> we are currently planning to switch our Unity setup to an HA setup
> with one master and two workers.
> This raised the question of how best to proceed with Unity updates: Do
> all Unity instances have to be stopped and updated at the same time,
> or can the instances be updated gradually (e.g. within a few hours)?
> Could the second option cause problems with the database if, for
> example, the master is already running a newer version of Unity, but
> the workers are still running an older version?

Newer Unity can not work on older DB - actually at the startup it will try to update DB schema.

That said, if you want to have close-to-zero downtime deployment blue-green sounds as the proper approach.

0. Blue is running old version (and can have HA, e.g. 3 instance)
1. install the new version on Green
2. (critical; see notes below) stop Blue, clone DB from Blue to Green
3. start the stack on Green
4. switch routing to Green
5. deprovision Blue

In this scheme #2 is critical, this is when your downtime starts (ends at #4). Typically such short downtime is OK: that should take few minutes, and in case of troubles with new installation rollback is immediate - you just start Blue again.

But we can do better here: instead of fully stopping Unity, we can have a feature to put it into RO mode. This would require some development and precise definition (note: in Unity even a simple new sign-in is a write operation from DB standpoint), but could help a lot: e.g. existing sessions/tokens could be serviced w/o interruptions. But that would require a new feature.

HTH,
Krzysztof

From: Laura H. <l....@fz...> - 2025-09-17 09:09:52
Hi Krzysztof, Hi Roman,

we are currently planning to switch our Unity setup to an HA setup with one master and two workers.
This raised the question of how best to proceed with Unity updates: Do all Unity instances have to be stopped and updated at the same time, or can the instances be updated gradually (e.g. within a few hours)? Could the second option cause problems with the database if, for example, the master is already running a newer version of Unity, but the workers are still running an older version?

Kind regards,
Laura

--
"Forschungszentrum Jülich is currently switching to a new certificate provider for digitally signing e-mails. During this changeover, the DFN Community PKI certificate with which this e-mail was signed may be shown as invalid."

Large-Scale Data Science
Juelich Supercomputing Centre

phone: +49 2461 61 6576
fax: +49 2461 61 6656
email: l....@fz...

-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren Local Court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Stefan Müller
Management Board: Prof. Dr. Astrid Lambrecht (Chair),
Karsten Beneke (Deputy Chair), Dr. Ir. Pieter Jansens
-----------------------------------------------------------------------

From: Sander A. <sa....@fz...> - 2025-09-03 05:25:14
Dear Roman,

please find the log attached.

Best regards,
Sander

On Wed, 2025-09-03 at 07:09 +0200, Roman Krysiński wrote:
> Dear Sander,
>
> I'm assuming the problem is manifesting as an error log record.
> Would it be possible to provide an exception from unity log?
>
> Thank you,
> Roman
>
> Mon, 1 Sep 2025 at 08:42 Sander Apweiler <sa....@fz...> wrote:
> > Dear Roman,
> > delivered as part of a regular update would be fine for us.
> >
> > Thank you very much.
> > Sander
> >
> > On Fri, 2025-08-29 at 12:30 +0200, Roman Krysiński wrote:
> > > Dear Sander,
> > >
> > > We've analyzed the issue of AttributeConsumingServiceIndex in the
> > > context of SAML and the specification.
> > >
> > > Our initial thoughts are that ignoring this parameter by default
> > > might be incorrect, as there are conditions under which it should
> > > not be omitted.
> > >
> > > We are leaning towards introducing a configuration option that
> > > would allow administrators to decide how to handle this index.
> > > Implementing full AttributeConsumingService selection is a much
> > > larger scope of work, which is not currently on our roadmap.
> > >
> > > I would like to ask how urgent this matter is for you? Would a
> > > solution delivered as part of a regular update be acceptable to
> > > you?
> > >
> > > Best regards,
> > > Roman
> > >
> > > Wed, 27 Aug 2025 at 11:57 Sander Apweiler <sa....@fz...> wrote:
> > > > Dear Krzysztof,
> > > > dear Roman,
> > > >
> > > > one of our colleagues wants to connect Open edX via SAML. Open
> > > > edX sends the AttributeConsumingServiceIndex in the AuthN
> > > > request, which is not supported by unity. At the moment it
> > > > returns this to as message to the SP. Since the
> > > > AttributeConsumingServiceIndex may be just ignored by the IdPs,
> > > > is there any possibility to make unity ignoring this instead of
> > > > returning the error message? I can understand that there are
> > > > reasons to return the error message instead of just ignoring it.
> > > > If not would it be an option to make this configurable by
> > > > administrators?
> > > >
> > > > Best regards,
> > > > Sander

From: Roman K. <ro...@un...> - 2025-09-03 05:09:59
Dear Sander,

I'm assuming the problem is manifesting as an error log record.
Would it be possible to provide an exception from unity log?

Thank you,
Roman

Mon, 1 Sep 2025 at 08:42 Sander Apweiler <sa....@fz...> wrote:
> Dear Roman,
> delivered as part of a regular update would be fine for us.
>
> Thank you very much.
> Sander
>
> On Fri, 2025-08-29 at 12:30 +0200, Roman Krysiński wrote:
> > Dear Sander,
> >
> > We've analyzed the issue of AttributeConsumingServiceIndex in the
> > context of SAML and the specification.
> >
> > Our initial thoughts are that ignoring this parameter by default
> > might be incorrect, as there are conditions under which it should not
> > be omitted.
> >
> > We are leaning towards introducing a configuration option that would
> > allow administrators to decide how to handle this index. Implementing
> > full AttributeConsumingService selection is a much larger scope of
> > work, which is not currently on our roadmap.
> >
> > I would like to ask how urgent this matter is for you? Would a
> > solution delivered as part of a regular update be acceptable to you?
> >
> > Best regards,
> > Roman
> >
> > Wed, 27 Aug 2025 at 11:57 Sander Apweiler <sa....@fz...> wrote:
> > > Dear Krzysztof,
> > > dear Roman,
> > >
> > > one of our colleagues wants to connect Open edX via SAML. Open edX
> > > sends the AttributeConsumingServiceIndex in the AuthN request,
> > > which is not supported by unity. At the moment it returns this to
> > > as message to the SP. Since the AttributeConsumingServiceIndex may
> > > be just ignored by the IdPs, is there any possibility to make unity
> > > ignoring this instead of returning the error message? I can
> > > understand that there are reasons to return the error message
> > > instead of just ignoring it. If not would it be an option to make
> > > this configurable by administrators?
> > >
> > > Best regards,
> > > Sander

From: Sander A. <sa....@fz...> - 2025-09-01 06:42:48
Dear Roman,

delivered as part of a regular update would be fine for us.

Thank you very much.
Sander

On Fri, 2025-08-29 at 12:30 +0200, Roman Krysiński wrote:
> Dear Sander,
>
> We've analyzed the issue of AttributeConsumingServiceIndex in the
> context of SAML and the specification.
>
> Our initial thoughts are that ignoring this parameter by default
> might be incorrect, as there are conditions under which it should not
> be omitted.
>
> We are leaning towards introducing a configuration option that would
> allow administrators to decide how to handle this index. Implementing
> full AttributeConsumingService selection is a much larger scope of
> work, which is not currently on our roadmap.
>
> I would like to ask how urgent this matter is for you? Would a
> solution delivered as part of a regular update be acceptable to you?
>
> Best regards,
> Roman
>
> Wed, 27 Aug 2025 at 11:57 Sander Apweiler <sa....@fz...> wrote:
> > Dear Krzysztof,
> > dear Roman,
> >
> > one of our colleagues wants to connect Open edX via SAML. Open edX
> > sends the AttributeConsumingServiceIndex in the AuthN request, which
> > is not supported by unity. At the moment it returns this to as
> > message to the SP. Since the AttributeConsumingServiceIndex may be
> > just ignored by the IdPs, is there any possibility to make unity
> > ignoring this instead of returning the error message? I can
> > understand that there are reasons to return the error message
> > instead of just ignoring it. If not would it be an option to make
> > this configurable by administrators?
> >
> > Best regards,
> > Sander

From: Roman K. <ro...@un...> - 2025-08-29 11:01:46
Dear Sander,

We've analyzed the issue of AttributeConsumingServiceIndex in the context of SAML and the specification.

Our initial thoughts are that ignoring this parameter by default might be incorrect, as there are conditions under which it should not be omitted.

We are leaning towards introducing a configuration option that would allow administrators to decide how to handle this index. Implementing full AttributeConsumingService selection is a much larger scope of work, which is not currently on our roadmap.

I would like to ask how urgent this matter is for you? Would a solution delivered as part of a regular update be acceptable to you?

Best regards,
Roman

Wed, 27 Aug 2025 at 11:57 Sander Apweiler <sa....@fz...> wrote:
> Dear Krzysztof,
> dear Roman,
>
> one of our colleagues wants to connect Open edX via SAML. Open edX sends
> the AttributeConsumingServiceIndex in the AuthN request, which is not
> supported by unity. At the moment it returns this to as message to the
> SP. Since the AttributeConsumingServiceIndex may be just ignored by the
> IdPs, is there any possibility to make unity ignoring this instead of
> returning the error message? I can understand that there are reasons to
> return the error message instead of just ignoring it. If not would it
> be an option to make this configurable by administrators?
>
> Best regards,
> Sander

From: Sander A. <sa....@fz...> - 2025-08-27 09:57:38
Dear Krzysztof,
dear Roman,

one of our colleagues wants to connect Open edX via SAML. Open edX sends the AttributeConsumingServiceIndex in the AuthN request, which is not supported by unity. At the moment it returns this to as message to the SP. Since the AttributeConsumingServiceIndex may be just ignored by the IdPs, is there any possibility to make unity ignoring this instead of returning the error message? I can understand that there are reasons to return the error message instead of just ignoring it. If not would it be an option to make this configurable by administrators?

Best regards,
Sander

From: Krzysztof B. <kb...@un...> - 2025-07-02 10:09:55
Hi Sander,

On 2.07.2025 at 07:56, Sander Apweiler wrote:
> Hi Krzysztof,
> hi Roman,
>
> I have a short question about the refresh token for public clients
> using PKCE. Shall they get a refresh token, if they send the offline
> access scope but no openid scope? In manual I found the refresh token
> rotation for public clients, but no further information.
>
> We configured unity to create refresh tokens only on offline access
> request.

Well, this is not a legitimate request: offline_access scope is defined in OIDC, so a non-OIDC client using it may fail and we are not supporting such setup.

That said, I think it should work: such client should get a one-time-use refresh token.

HTH,
Krzysztof

From: Sander A. <sa....@fz...> - 2025-07-02 06:15:03
Hi Krzysztof,
hi Roman,

I have a short question about the refresh token for public clients using PKCE. Shall they get a refresh token, if they send the offline access scope but no openid scope? In manual I found the refresh token rotation for public clients, but no further information.

We configured unity to create refresh tokens only on offline access request.

Best regards,
Sander

From: Krzysztof B. <kb...@un...> - 2025-06-05 19:30:26
Hi Sander,

On 16.05.2025 at 07:44, Sander Apweiler wrote:
> Good morning Krzysztof,
>
> 1. I attached a screenshot of the auto process settings. The
> Finalization tab has not configuration. Let me know if you need some
> others as well.
> 2. It happens when you follow the link from the invitation. Clicking on
> it in the email or copy it and enter in browser.
> 3. I attached the log file, but it has only two get requests. One for
> the document and one for the favicon.
> 4. As far as we understood, the invitation was sent via upman to the
> user and the user received it without problems. Just like a normal
> email address.

So we are pretty sure that the problem is related to the '/' in UpMan project name. Changes in servlet API added quite strict restrictions on encoding '/' in URL paths. We have "legacy-compatible" mode already enabled, however it is failing (there are numerous 3rd party libs which are handling URLs in navigation and the problem is somewhere there).

1. Is it feasible to just restrict use of the '/' character in project names?
2. Can you please retest your scenario on a project w/o '/' in name? My guess is that it should work, including emails with '+'.

> About the second error. The steps to reproduce:
> 1. Start filling registration form
> 2. Wait lets say 5-10 Minutes
> 3. Submit the request by clicking on the button

Huh, no luck on our side with reproducing that. Sounds like a mystery. Can you please try to isolate this problem (maybe some test project aside)? Would be great to have full TRACE level logs of when this happens...

Best,
Krzysztof

From: Krzysztof B. <kb...@un...> - 2025-05-21 13:01:23
Dear Sander,

On 21.05.2025 at 14:39, Sander Apweiler wrote:
> Dear Krzysztof,
> dear Roman,
>
> We encountered a bug in the handling of "hide-from-discovery"
> statements in federation metadata for SPs. We have one SP, who set the
> "hide-from-discovery" in the federation metadata. If this client wants
> to authenticate users, unity shows an SAML error, which says the issuer
> is not among trusted, although it is listed SAML web authentication
> settings among the clients from federation. It is the same error
> message you get if a wrong return URL is configured.
>
> Beside that the error message is wrong, it does not make sense to apply
> the "hide-from-discovery" for SPs because you do not have a discovery
> for clients. You have only a discovery for IdPs.
>
> Please let me know if you need some more details.

Makes sense, likely some too generic code on our side. We will address that.

Thanks,
Krzysztof

From: Sander A. <sa....@fz...> - 2025-05-21 12:39:28
Dear Krzysztof,
dear Roman,

We encountered a bug in the handling of "hide-from-discovery" statements in federation metadata for SPs. We have one SP, who set the "hide-from-discovery" in the federation metadata. If this client wants to authenticate users, unity shows an SAML error, which says the issuer is not among trusted, although it is listed SAML web authentication settings among the clients from federation. It is the same error message you get if a wrong return URL is configured.

Beside that the error message is wrong, it does not make sense to apply the "hide-from-discovery" for SPs because you do not have a discovery for clients. You have only a discovery for IdPs.

Please let me know if you need some more details.

Best regards,
Sander

From: Sander A. <sa....@fz...> - 2025-05-19 12:18:24
Hi Krzysztof,

please find attached the input translation profile and the registration form. I'll have a look if we still have the logs from creation and let you know.

Best regards,
Sander

On Mon, 2025-05-19 at 11:37 +0200, Krzysztof Benedyczak wrote:
> On 19.05.2025 at 11:22, Krzysztof Benedyczak wrote:
> > Hi Sander,
> >
> > On 15.05.2025 at 09:14, Sander Apweiler wrote:
> > > Hi Krzysztof,
> > > hi Roman,
> > >
> > > there might be another bug in user registration, found in unity
> > > 4.0.6. We had a user were mandatory attributes are missing. In the
> > > registration form the "Optional parameter" tick-box for the
> > > attributes givenname, surname and email address is not set. Action
> > > for the name attributes is "From remote IdP else user input" and
> > > for email address "From remote Idp and shown RO". The input
> > > translation profile does work for IdPs where those information are
> > > transferred. Nevertheless the user successfully created the account
> > > without those mandatory information, but can not use any service.
> >
> > This one is also not easily reproducible. We would need:
> >
> > 1. complete form configuration. JSON from DB JSON dump (of course
> > only this form part) would be helpful. (note: you can selectively
> > control what is exported, then trimming the JSON will be easier).
> >
> > 2. what was received from the upstream IdP. Log would be perfect.
>
> and one thing more:
>
> 3. input profile of the authenticator used in this case for remote
> login.
>
> Thanks,
> Krzysztof

From: Krzysztof B. <kb...@un...> - 2025-05-19 09:37:21
On 19.05.2025 at 11:22, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 15.05.2025 at 09:14, Sander Apweiler wrote:
>> Hi Krzysztof,
>> hi Roman,
>>
>> there might be another bug in user registration, found in unity 4.0.6.
>> We had a user were mandatory attributes are missing. In the
>> registration form the "Optional parameter" tick-box for the attributes
>> givenname, surname and email address is not set. Action for the name
>> attributes is "From remote IdP else user input" and for email address
>> "From remote Idp and shown RO". The input translation profile does work
>> for IdPs where those information are transferred. Nevertheless the user
>> successfully created the account without those mandatory information,
>> but can not use any service.
>
> This one is also not easily reproducible. We would need:
>
> 1. complete form configuration. JSON from DB JSON dump (of course only
> this form part) would be helpful. (note: you can selectively control
> what is exported, then trimming the JSON will be easier).
>
> 2. what was received from the upstream IdP. Log would be perfect.

and one thing more:

3. input profile of the authenticator used in this case for remote login.

Thanks,
Krzysztof

From: Krzysztof B. <kb...@un...> - 2025-05-19 09:22:38
Hi Sander,

On 15.05.2025 at 09:14, Sander Apweiler wrote:
> Hi Krzysztof,
> hi Roman,
>
> there might be another bug in user registration, found in unity 4.0.6.
> We had a user were mandatory attributes are missing. In the
> registration form the "Optional parameter" tick-box for the attributes
> givenname, surname and email address is not set. Action for the name
> attributes is "From remote IdP else user input" and for email address
> "From remote Idp and shown RO". The input translation profile does work
> for IdPs where those information are transferred. Nevertheless the user
> successfully created the account without those mandatory information,
> but can not use any service.

This one is also not easily reproducible. We would need:

1. complete form configuration. JSON from DB JSON dump (of course only this form part) would be helpful. (note: you can selectively control what is exported, then trimming the JSON will be easier).

2. what was received from the upstream IdP. Log would be perfect.

Thank you,
Krzysztof

From: Sander A. <sa....@fz...> - 2025-05-16 05:44:55
|
Good morning Krzysztof,

1. I attached a screenshot of the auto process settings. The Finalization tab has no configuration. Let me know if you need some others as well.
2. It happens when you follow the link from the invitation. Clicking on it in the email or copy it and enter in browser.
3. I attached the log file, but it has only two get requests. One for the document and one for the favicon.
4. As far as we understood, the invitation was sent via upman to the user and the user received it without problems. Just like a normal email address.

About the second error. The steps to reproduce:

1. Start filling registration form
2. Wait let's say 5-10 minutes
3. Submit the request by clicking on the button

Best regards,
Sander

On Thu, 2025-05-15 at 18:17 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 14.05.2025 at 17:13, Sander Apweiler wrote:
> > Hi Krzysztof,
> > hi Roman,
> >
> > we found two bugs in unity 4.1.0. The first is in the invitation
> > handling and the second in account registration.
> >
> > Starting with the invitation handling. If an invitation is sent to
> > an email address containing a +, the invitation itself is sent to
> > the user without any problems, but if the user follows the link
> > from the invitation unity shows an URN encoding error and the
> > corresponding stack trace. I attached this to the email.
>
> Well, I'm not entirely sure the problem is like described. I was able
> to register with email address with + sign w/o any problem end to
> end. Also the stack trace is suggesting another problem: the URL has
> '/' encoded.
>
> It is possible the problem is really with "+" but then I'd suspect
> some extra configuration that comes into play.
>
> So can you please provide more detailed information?
>
> 1. form configuration. Especially if there are any post-registration
> actions configured.
>
> 2. in what moment precisely this happens? When user is opening the
> URL from email? When confirming something? When getting the
> finalization page?
>
> 3. network log from the browser, what is on UI
>
> 4. how the user is invited (precise flow, additional settings).
>
> > The second error occurred in the registration of a local account.
> > We are not sure if this only happens in the registration of OAuth
> > clients (the only local accounts we allow), but I assume it happens
> > to all local accounts. If the registration form is opened all
> > mandatory information entered and policies accepted, but some
> > minutes waited before the registration is submitted, unity shows
> > only registration failed to the users but internally it processes
> > the registration, sending emails to the system administrators and
> > lists this registration in the requests tab. This request is
> > completely empty or broken (see attached screenshot) and trying to
> > delete the request on the button of the pages is changing the
> > button text only to error. We can delete this request by going back
> > to the request list and triggering the deletion from the hamburger
> > menu.
>
> Hmm, let me ensure I do understand this: registration form is opened,
> filled, but not submitted. After some time of inactivity the form is
> auto submitted?
>
> Thanks,
> Krzysztof

--
Large-Scale Data Science
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
|
From: Sander A. <sa....@fz...> - 2025-05-16 05:19:22
|
Good morning Krzysztof,

yes a setting in output translation profile would be great. I agree a global change to wrap all single-valued attribute into arrays would be a good idea. Some attributes are defined as single-value and software systems might expect them as single-value and not as array.

Best regards,
Sander

On Thu, 2025-05-15 at 18:21 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 15.05.2025 at 14:07, Sander Apweiler wrote:
> > Hi Krzysztof,
> > hi Roman,
> >
> > sorry for bothering you again.
> >
> > We have some attributes, e.g. entitlements, which mostly contain
> > multiple values but can also contain just a single value. At the
> > moment unity does not release the single values as array/list. This
> > is fine, according to the protocol standards. But we have some
> > services connected, which did not cover the case that the attribute
> > might not be available as array/list but as single value. Is there
> > a way in unity to release an attribute always as array/list, even
> > when it has only a single value?
>
> No, unfortunately not. This would need to be a configurable setting,
> per attribute (in output profile I guess?). I don't think a global
> change to wrap all single-valued attribute values into arrays would
> be appreciated :-)
>
> Best,
> Krzysztof

--
Large-Scale Data Science
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
|
From: Krzysztof B. <kb...@un...> - 2025-05-15 16:21:24
|
Hi Sander,

On 15.05.2025 at 14:07, Sander Apweiler wrote:
> Hi Krzysztof,
> hi Roman,
>
> sorry for bothering you again.
>
> We have some attributes, e.g. entitlements, which mostly contain
> multiple values but can also contain just a single value. At the moment
> unity does not release the single values as array/list. This is fine,
> according to the protocol standards. But we have some services connected,
> which did not cover the case that the attribute might not be available
> as array/list but as single value. Is there a way in unity to release
> an attribute always as array/list, even when it has only a single
> value?

No, unfortunately not. This would need to be a configurable setting, per attribute (in output profile I guess?). I don't think a global change to wrap all single-valued attribute values into arrays would be appreciated :-)

Best,
Krzysztof
|
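A consuming service can accept both shapes on its own side. The following is an added example, not part of the thread and not Unity code: the claim names, the `urn:example:` values and both payloads are constructed, and it shows normalizing a claim that arrives either as a bare string or as an array before any authorization check.

```python
import json

# Claims this service treats as multi-valued (assumed names, not taken from Unity).
MULTI_VALUED = {"entitlements", "groups"}


class ClaimError(ValueError):
    """Raised when a claim has a shape the service must not accept."""


def as_list(name, value):
    """Return a claim value as a list of strings, whatever shape was released."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]  # single value released as a bare string
    if isinstance(value, list):
        bad = [v for v in value if not isinstance(v, str)]
        if bad:
            raise ClaimError(f"{name}: non-string member {bad[0]!r}")
        return list(value)
    # Objects, numbers and booleans are rejected rather than coerced, so an
    # unexpected shape cannot turn into an entitlement by accident.
    raise ClaimError(f"{name}: unsupported type {type(value).__name__}")


def normalize_claims(raw_json):
    """Parse a userinfo/ID-token payload and normalize the multi-valued claims."""
    claims = json.loads(raw_json)
    if not isinstance(claims, dict):
        raise ClaimError("payload is not a JSON object")
    for name in MULTI_VALUED:
        claims[name] = as_list(name, claims.get(name))
    return claims


def has_entitlement(claims, wanted):
    """Exact-match test. On an un-normalized bare string, `in` would be a
    substring match and would accept prefixes of a real entitlement."""
    return wanted in claims["entitlements"]


# Constructed sample payloads: one value as a bare string, several as an array.
SINGLE = '{"sub": "u1", "entitlements": "urn:example:res:admin"}'
MANY = '{"sub": "u2", "entitlements": ["urn:example:res:user", "urn:example:res:admin"]}'
```
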
From: Krzysztof B. <kb...@un...> - 2025-05-15 16:18:01
|
Hi Sander,

On 14.05.2025 at 17:13, Sander Apweiler wrote:
> Hi Krzysztof,
> hi Roman,
>
> we found two bugs in unity 4.1.0. The first is in the invitation
> handling and the second in account registration.
>
> Starting with the invitation handling. If an invitation is sent to an
> email address containing a +, the invitation itself is sent to the user
> without any problems, but if the user follows the link from the
> invitation unity shows an URN encoding error and the corresponding
> stack trace. I attached this to the email.

Well, I'm not entirely sure the problem is like described. I was able to register with email address with + sign w/o any problem end to end. Also the stack trace is suggesting another problem: the URL has '/' encoded.

It is possible the problem is really with "+" but then I'd suspect some extra configuration that comes into play.

So can you please provide more detailed information?

1. form configuration. Especially if there are any post-registration actions configured.

2. in what moment precisely this happens? When user is opening the URL from email? When confirming something? When getting the finalization page?

3. network log from the browser, what is on UI

4. how the user is invited (precise flow, additional settings).

> The second error occurred in the registration of a local account. We
> are not sure if this only happens in the registration of OAuth clients
> (the only local accounts we allow), but I assume it happens to all
> local accounts. If the registration form is opened all mandatory
> information entered and policies accepted, but some minutes waited
> before the registration is submitted, unity shows only registration
> failed to the users but internally it processes the registration,
> sending emails to the system administrators and lists this registration
> in the requests tab. This request is completely empty or broken (see
> attached screenshot) and trying to delete the request on the button of
> the pages is changing the button text only to error. We can delete this
> request by going back to the request list and triggering the deletion
> from the hamburger menu.

Hmm, let me ensure I do understand this: registration form is opened, filled, but not submitted. After some time of inactivity the form is auto submitted?

Thanks,
Krzysztof
|
From: Sander A. <sa....@fz...> - 2025-05-15 12:07:37
|
Hi Krzysztof,
hi Roman,

sorry for bothering you again.

We have some attributes, e.g. entitlements, which mostly contain multiple values but can also contain just a single value. At the moment unity does not release the single values as array/list. This is fine, according to the protocol standards. But we have some services connected, which did not cover the case that the attribute might not be available as array/list but as single value. Is there a way in unity to release an attribute always as array/list, even when it has only a single value?

Best regards,
Sander

--
Large-Scale Data Science
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
|
From: Sander A. <sa....@fz...> - 2025-05-15 07:14:56
|
Hi Krzysztof,
hi Roman,

there might be another bug in user registration, found in unity 4.0.6. We had a user where mandatory attributes are missing. In the registration form the "Optional parameter" tick-box for the attributes givenname, surname and email address is not set. Action for the name attributes is "From remote IdP else user input" and for email address "From remote Idp and shown RO". The input translation profile does work for IdPs where those information are transferred. Nevertheless the user successfully created the account without those mandatory information, but can not use any service.

Best regards,
Sander

--
Large-Scale Data Science
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
|
From: Sander A. <sa....@fz...> - 2025-05-14 15:14:00
|
Hi Krzysztof,
hi Roman,

we found two bugs in unity 4.1.0. The first is in the invitation handling and the second in account registration.

Starting with the invitation handling. If an invitation is sent to an email address containing a +, the invitation itself is sent to the user without any problems, but if the user follows the link from the invitation unity shows an URN encoding error and the corresponding stack trace. I attached this to the email.

The second error occurred in the registration of a local account. We are not sure if this only happens in the registration of OAuth clients (the only local accounts we allow), but I assume it happens to all local accounts. If the registration form is opened all mandatory information entered and policies accepted, but some minutes waited before the registration is submitted, unity shows only registration failed to the users but internally it processes the registration, sending emails to the system administrators and lists this registration in the requests tab. This request is completely empty or broken (see attached screenshot) and trying to delete the request on the button of the pages is changing the button text only to error. We can delete this request by going back to the request list and triggering the deletion from the hamburger menu.

Best regards,
Sander

--
Large-Scale Data Science
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
|