From: Krzysztof B. <kb...@un...> - 2023-05-25 20:46:54

Dear Subscribers,

I'm happy to announce availability of a new Unity release. As always all relevant links are available at https://unity-idm.eu/releases/release-3-13-0/

The 3.13.0 release brings implementation of several OSS community requests. The main development effort was on technical debt reduction, and at the same time preparation for the changes planned in Unity 4. Effects of that work are not visible today, but will add value upon the next major release.

Registration form information for remote signup

Registration forms can have a separate 2nd stage form information. This information is shown, together with a separately configured title, after returning from remote IdP, during signup with remote identity.

Support for Unity certificate rollover for SAML IdP and SP

Unity SAML IdP allows for configuring an additional credential. This credential is advertised in generated metadata as another certificate. It is useful for IdP certificate roll-over, when, for a short time, service providers in federation should learn a new certificate, and prepare to accept it.

A similar, but more complex, feature was added to SAML authenticator (an SP in SAML nomenclature). It is possible to configure an additional credential which can be used to decrypt incoming messages (typically authentication or attribute assertions), as an alternative to the main credential. What is more, it is possible to control whether this alternative credential is included in generated SAML metadata or not.

Configuration in the case of SP is more complex as the certificate rollover process is also more involved. Typically an admin wants to first advertise a new certificate in metadata, and be ready to accept messages encrypted with it (step 1). Next the credentials are swapped and the old credential is removed from metadata, however decryption with it is still possible (step 2).

User attributes as claims in OAuth JWT tokens

OAuth clients may request putting user claims in OAuth access token (if it is issued as JWT) and/or in OIDC id token.

Other improvements

* Update of realm is automatically picked by endpoints using it. Before the endpoints had to be manually reloaded.
* For certain 2nd factor credentials like OTP, an invalid attempt to provide it does not result in a reset of the whole authentication and return to the first factor. Instead it is possible to provide the 2nd factor credential again.
* UpMan invitations grid won’t crash when some invitations have not been sent yet

Best regards,
Krzysztof

From: Sander A. <sa....@fz...> - 2023-05-03 06:11:38

Hello Roman,
thank you very much for jumping in. Thanks also for the explanation. A workaround is not needed anymore. The service provider did an update of the underlying libraries and now it is working. I got the confirmation over the weekend and had no time to forward it.

Best regards,
Sander

On Tue, 2023-05-02 at 11:53 +0200, Roman Krysiński wrote:
> Hello Sander,
>
> Krzysztof is out of the office for some time, so let me address your
> question.
>
> The "Accept" header is used by the client to indicate the MIME types
> of content that the client is able to understand and process. The
> purpose of the "Accept" header is to allow the client to negotiate
> with the server and receive content in a format that it can handle.
> The implementation of JWK produces data in "application/jwk-set+json"
> MIME type, thus the problem. This type was explicitly set by
> Krzysztof, likely based on RFC (likely, because he is not here to
> confirm).
>
> I'm not aware of any workaround that could be applied at Unity site
> to overcome this issue.
>
> Best regards,
> Roman
>
> On Wed, 26 Apr 2023 at 11:55, Sander Apweiler <sa....@fz...> wrote:
> > Hi Krzysztof,
> > we have got a OIDC client which has some trouble in the integration.
> > The used software eduMEET adds an "Accept: application/json" header
> > to communication with jwk endpoint. Testing it with curl commands it
> > seems that unity does not support this:
> >
> > with Accept-Header:
> > % curl -i -H "Accept: application/json" 'https://login-dev.helmholtz.de/oauth2/jwk'
> > HTTP/1.1 400 Bad Request
> > Date: Tue, 25 Apr 2023 19:02:21 GMT
> > Strict-Transport-Security: max-age=31536000; includeSubDomains
> > X-Frame-Options: DENY
> > Content-Type: application/json
> > Content-Length: 91
> >
> > {"error_description":"Unexpected server error; Server engine error","error":"server_error"}
> >
> > without Accept-Header:
> >
> > % curl -i 'https://login-dev.helmholtz.de/oauth2/jwk'
> > HTTP/1.1 200 OK
> > Date: Tue, 25 Apr 2023 19:02:43 GMT
> > Strict-Transport-Security: max-age=31536000; includeSubDomains
> > X-Frame-Options: DENY
> > Content-Type: application/jwk-set+json;charset=UTF-8
> > Vary: Accept-Encoding
> > Content-Length: 396
> >
> > {"keys":[{"kty":"RSA","e":"AQAB","use":"sig","n":"ni4t9tzJ8rjkw_FvIGdDI_iiZC-w2JthaNHcvN1B8tzGm2wdhp2f5ujlvI68Q2NMrzfF2aeS02nhs9PJ8FoBT53bRUJ9h5vFzQ4X0cRT8s1A4Ya_Ejs2xbJbBitvs4GwtNId8PnJGqI_BpAZQ26IMXXWpaL46N4vnnCb2p8ybuL-HOhAjNQS2gOnQ5djxow4yjkYPgF3YaoQ8AI8CrE3KuOJInTdGl_E4pauV5Zc_My9ZiKPhmCu4xTNuHrIJAuUWZl8xnHLoANJAV5iMVVrm9xEVC5P6JOjuRxrLG37iV2YitCnUDwBY84bNInZSKuQhVjc2qyfbguJ-HCD5U17fQ"}]}
> >
> > Is this intended by you and do you have any idea of a workaround to
> > integrate the software?
> >
> > I didn't find something in the unity manual about this issue and it
> > seems that the OIDC standard did not cover this in the token
> > validation.
> >
> > Best regards,
> > Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the District Court of Dueren, No. HR B 3498
Chairman of the Supervisory Board: MinDir Stefan Müller
Board of Directors: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman),
Karsten Beneke (Deputy Chairman), Dr. Ir. Pieter Jansens,
Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior
-----------------------------------------------------------------------
-----------------------------------------------------------------------

From: Roman K. <ro...@un...> - 2023-05-02 09:53:37

Hello Sander,

Krzysztof is out of the office for some time, so let me address your question.

The "Accept" header is used by the client to indicate the MIME types of content that the client is able to understand and process. The purpose of the "Accept" header is to allow the client to negotiate with the server and receive content in a format that it can handle. The implementation of JWK produces data in "application/jwk-set+json" MIME type, thus the problem. This type was explicitly set by Krzysztof, likely based on RFC <https://www.rfc-editor.org/rfc/rfc7517> (likely, because he is not here to confirm).

I'm not aware of any workaround that could be applied at Unity site to overcome this issue.

Best regards,
Roman

On Wed, 26 Apr 2023 at 11:55, Sander Apweiler <sa....@fz...> wrote:
> Hi Krzysztof,
> we have got a OIDC client which has some trouble in the integration. The
> used software eduMEET adds an "Accept: application/json" header to
> communication with jwk endpoint. Testing it with curl commands it seems
> that unity does not support this:
>
> with Accept-Header:
> % curl -i -H "Accept: application/json" 'https://login-dev.helmholtz.de/oauth2/jwk'
> HTTP/1.1 400 Bad Request
> Date: Tue, 25 Apr 2023 19:02:21 GMT
> Strict-Transport-Security: max-age=31536000; includeSubDomains
> X-Frame-Options: DENY
> Content-Type: application/json
> Content-Length: 91
>
> {"error_description":"Unexpected server error; Server engine error","error":"server_error"}
>
> without Accept-Header:
>
> % curl -i 'https://login-dev.helmholtz.de/oauth2/jwk'
> HTTP/1.1 200 OK
> Date: Tue, 25 Apr 2023 19:02:43 GMT
> Strict-Transport-Security: max-age=31536000; includeSubDomains
> X-Frame-Options: DENY
> Content-Type: application/jwk-set+json;charset=UTF-8
> Vary: Accept-Encoding
> Content-Length: 396
>
> {"keys":[{"kty":"RSA","e":"AQAB","use":"sig","n":"ni4t9tzJ8rjkw_FvIGdDI_iiZC-w2JthaNHcvN1B8tzGm2wdhp2f5ujlvI68Q2NMrzfF2aeS02nhs9PJ8FoBT53bRUJ9h5vFzQ4X0cRT8s1A4Ya_Ejs2xbJbBitvs4GwtNId8PnJGqI_BpAZQ26IMXXWpaL46N4vnnCb2p8ybuL-HOhAjNQS2gOnQ5djxow4yjkYPgF3YaoQ8AI8CrE3KuOJInTdGl_E4pauV5Zc_My9ZiKPhmCu4xTNuHrIJAuUWZl8xnHLoANJAV5iMVVrm9xEVC5P6JOjuRxrLG37iV2YitCnUDwBY84bNInZSKuQhVjc2qyfbguJ-HCD5U17fQ"}]}
>
> Is this intended by you and do you have any idea of a workaround to
> integrate the software?
>
> I didn't find something in the unity manual about this issue and it
> seems that the OIDC standard did not cover this in the token
> validation.
>
> Best regards,
> Sander
>
> --
> Federated Systems and Data
> Juelich Supercomputing Centre
>
> phone: +49 2461 61 8847
> fax: +49 2461 61 6656
> email: sa....@fz...
>
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss

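The negotiation mismatch discussed in this thread, as an added example (not Unity or eduMEET code): a small Accept matcher following RFC 7231 precedence shows why `Accept: application/json` does not cover `application/jwk-set+json`, next to a client-side Accept value and response check that work with either type. All function names and the `suffixFallback` policy are assumptions made for illustration, and the sample key set is constructed.

```javascript
'use strict';
// Added illustration; not Unity or eduMEET code. All names are hypothetical.

const JWKS_TYPE = 'application/jwk-set+json'; // media type defined by RFC 7517

// Parse an Accept header into media ranges with their q-values.
// A missing or empty header means "anything is acceptable".
function parseAccept(header) {
  if (!header || !header.trim()) return [{ type: '*', subtype: '*', q: 1 }];
  return header.split(',').map((part) => {
    const [range, ...params] = part.split(';').map((s) => s.trim());
    const [type, subtype = '*'] = range.toLowerCase().split('/');
    let q = 1;
    for (const p of params) {
      const [k, v] = p.split('=').map((s) => s.trim());
      if (k.toLowerCase() === 'q') q = Number(v);
    }
    if (!Number.isFinite(q)) q = 0; // malformed q: treat as not acceptable
    return { type, subtype, q: Math.min(Math.max(q, 0), 1) };
  }).filter((r) => r.type !== '');
}

// Quality the client assigns to mediaType. The most specific matching range
// wins, so "application/jwk-set+json;q=0" overrides "*/*".
// suffixFallback is an optional server policy (an assumption of this example,
// not required by any RFC): let "application/json" also match "+json" types.
function qualityFor(acceptHeader, mediaType, { suffixFallback = false } = {}) {
  const [type, subtype] = mediaType.toLowerCase().split('/');
  let best = null;
  for (const r of parseAccept(acceptHeader)) {
    let specificity = -1;
    if (r.type === type && r.subtype === subtype) specificity = 3;
    else if (suffixFallback && r.type === type &&
             subtype.endsWith('+' + r.subtype)) specificity = 2;
    else if (r.type === type && r.subtype === '*') specificity = 1;
    else if (r.type === '*' && r.subtype === '*') specificity = 0;
    if (specificity >= 0 && (!best || specificity > best.specificity)) {
      best = { specificity, q: r.q };
    }
  }
  return best ? best.q : 0;
}

// Server side: an endpoint that can only produce JWKS_TYPE.
// RFC 7231 lets a server answer 406 or ignore Accept and send its type anyway;
// the server in the thread answered 400 with "server_error" instead.
function respondToJwksRequest(acceptHeader, options = {}) {
  if (qualityFor(acceptHeader, JWKS_TYPE, options) > 0) {
    return { status: 200, contentType: JWKS_TYPE };
  }
  return { status: 406, contentType: null };
}

// Client side: ask for the registered type first, plain JSON as fallback.
const JWKS_ACCEPT = 'application/jwk-set+json, application/json;q=0.9';

// Client side: accept either media type (ignoring parameters such as charset),
// then check the document shape before any key is used for verification.
function parseJwksResponse(contentType, body) {
  const essence = String(contentType || '').split(';')[0].trim().toLowerCase();
  if (essence !== JWKS_TYPE && essence !== 'application/json') {
    throw new Error('unexpected JWKS content type: ' + essence);
  }
  const doc = JSON.parse(body);
  if (!doc || !Array.isArray(doc.keys)) {
    throw new Error('JWKS document has no "keys" array');
  }
  return doc.keys.filter((k) => k && typeof k.kty === 'string');
}

// Constructed sample body; the modulus is a placeholder, not a real key.
const SAMPLE_JWKS = JSON.stringify({
  keys: [{ kty: 'RSA', e: 'AQAB', use: 'sig', n: 'CONSTRUCTED-PLACEHOLDER' }],
});
```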
From: Sander A. <sa....@fz...> - 2023-04-26 09:55:19

Hi Krzysztof,
we have got a OIDC client which has some trouble in the integration. The used software eduMEET adds an "Accept: application/json" header to communication with jwk endpoint. Testing it with curl commands it seems that unity does not support this:

with Accept-Header:
% curl -i -H "Accept: application/json" 'https://login-dev.helmholtz.de/oauth2/jwk'
HTTP/1.1 400 Bad Request
Date: Tue, 25 Apr 2023 19:02:21 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
Content-Type: application/json
Content-Length: 91

{"error_description":"Unexpected server error; Server engine error","error":"server_error"}

without Accept-Header:

% curl -i 'https://login-dev.helmholtz.de/oauth2/jwk'
HTTP/1.1 200 OK
Date: Tue, 25 Apr 2023 19:02:43 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
Content-Type: application/jwk-set+json;charset=UTF-8
Vary: Accept-Encoding
Content-Length: 396

{"keys":[{"kty":"RSA","e":"AQAB","use":"sig","n":"ni4t9tzJ8rjkw_FvIGdDI_iiZC-w2JthaNHcvN1B8tzGm2wdhp2f5ujlvI68Q2NMrzfF2aeS02nhs9PJ8FoBT53bRUJ9h5vFzQ4X0cRT8s1A4Ya_Ejs2xbJbBitvs4GwtNId8PnJGqI_BpAZQ26IMXXWpaL46N4vnnCb2p8ybuL-HOhAjNQS2gOnQ5djxow4yjkYPgF3YaoQ8AI8CrE3KuOJInTdGl_E4pauV5Zc_My9ZiKPhmCu4xTNuHrIJAuUWZl8xnHLoANJAV5iMVVrm9xEVC5P6JOjuRxrLG37iV2YitCnUDwBY84bNInZSKuQhVjc2qyfbguJ-HCD5U17fQ"}]}

Is this intended by you and do you have any idea of a workaround to integrate the software?

I didn't find something in the unity manual about this issue and it seems that the OIDC standard did not cover this in the token validation.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

From: Krzysztof B. <kb...@un...> - 2023-04-24 11:02:42

On 21.04.2023 at 07:17, Sander Apweiler wrote:
> Good morning Krzysztof,
> ok I understood your update workflow. Because this is not the common
> way how services update the email addresses of the users it would be
> great if you can make a section in the manual about this.

Sure, no problem

From: Sander A. <sa....@fz...> - 2023-04-21 07:13:31

Hi Krzysztof,
I tried it at the same time and got the user response a minute ago. Since all invitations had send and expiration date, I deleted all invitations and the user responded that upman is working again.

Best regards,
Sander

On Fri, 2023-04-21 at 09:09 +0200, Krzysztof Benedyczak wrote:
> Hi,
>
> On 21.04.2023 at 07:13, Sander Apweiler wrote:
> > Good morning Krzysztof,
> > good to hear that you identified the problem, even if you could not
> > reproduce it. Do you know a way how I could solve the problem, that
> > the user could further manage the project? E.g. deleting the
> > invitations from this project.
>
> So if the problem persists... it is better, as this is what I can
> explain :-)
>
> You can try to open invitations list from admin's console, and look
> for invitations which has no send time set (so were not sent, even
> once) and are inviting to the group of the upman project. Removing
> such invitation(s) will help.
>
> Best,
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

From: Krzysztof B. <kb...@un...> - 2023-04-21 07:10:11

Hi,

On 21.04.2023 at 07:13, Sander Apweiler wrote:
> Good morning Krzysztof,
> good to hear that you identified the problem, even if you could not
> reproduce it. Do you know a way how I could solve the problem, that the
> user could further manage the project? E.g. deleting the invitations
> from this project.

So if the problem persists... it is better, as this is what I can explain :-)

You can try to open invitations list from admin's console, and look for invitations which has no send time set (so were not sent, even once) and are inviting to the group of the upman project. Removing such invitation(s) will help.

Best,
Krzysztof

From: Sander A. <sa....@fz...> - 2023-04-21 05:17:22

Good morning Krzysztof,
ok I understood your update workflow. Because this is not the common way how services update the email addresses of the users it would be great if you can make a section in the manual about this.

We will update our configuration and extend the documentation to our users.

Best regards,
Sander

On Thu, 2023-04-20 at 11:22 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 18.04.2023 at 11:45, Sander Apweiler wrote:
> > Hi Krzysztof,
> > we got the feedback that users were not able to update their email
> > addresses because they are not validated. We are running unity
> > 3.11.2. The attribute is verifiableEmail type and self modifiable.
> > The users are able to enter new email address but when they save
> > them the attached error is shown. I would assume that a new
> > verification email send.
>
> We don't support such flow, it is pretty risky. Suggested flow is as
> follows:
>
> 1. user adds *another* email, next to the existing one. Confirmation
>    is sent.
> 2. user confirms the new email address
> 3. then user can delete the old one
>
> This flow ensures that user won't lock herself out, i.e. land in a
> situation w/o any valid email (what may be a problem in many cases:
> notifications, system consistency, credential reset). Surely if the
> flow described above shall be supported, attribute type needs to
> accept at least 2 values.
>
> We can make this more flexible (e.g. have this validation
> configurable, or more sophisticated, taking into account also email
> identities of the user), but that would need development.
>
> Best,
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

From: Sander A. <sa....@fz...> - 2023-04-21 05:14:03

Good morning Krzysztof,
good to hear that you identified the problem, even if you could not reproduce it. Do you know a way how I could solve the problem, that the user could further manage the project? E.g. deleting the invitations from this project.

Best regards,
Sander

On Thu, 2023-04-20 at 11:10 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 19.04.2023 at 07:51, Sander Apweiler wrote:
> > Dear Krzysztof,
> >
> > we have in one upman managed group the problem that a NullPointer
> > exception is raised if the user switched to invitations and tries
> > to create a new one. I added the stack trace. Sadly I didn't see
> > anything else in the log before, since we reduced the loglevel to
> > see if the system has an issue with IO, which we can eliminate as
> > cause for slow unity.
>
> Hm, on one hand I can't reproduce it on our side, but also the bug is
> clear: the grid with invitations will crash if at least one
> invitation has no "last sent time" set. That's a bug and we will fix
> it. I though don't know how this could happen in the flow you are
> describing: when user invites from upman, the invitation is sent
> automatically, and only after the grid is refreshed. I can think of
> some very unlikely situations only (two users are adding an
> invitation, one who is first hits create, the grid is refreshed and
> the invitation of the other user is created but not yet sent. Very
> unlikely, so perhaps there is some other situation in which this can
> happen...
>
> Anyway the bug is clear, as even an admin can create an invitation by
> hand, w/o sending it. Will be fixed in the next release.
>
> Best,
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

From: Krzysztof B. <kb...@un...> - 2023-04-20 16:06:41

Hi Sander,

On 19.04.2023 at 07:51, Sander Apweiler wrote:
> Dear Krzysztof,
>
> we have in one upman managed group the problem that a NullPointer
> exception is raised if the user switched to invitations and tries to
> create a new one. I added the stack trace. Sadly I didn't see anything
> else in the log before, since we reduced the loglevel to see if the
> system has an issue with IO, which we can eliminate as cause for slow
> unity.

Hm, on one hand I can't reproduce it on our side, but also the bug is clear: the grid with invitations will crash if at least one invitation has no "last sent time" set. That's a bug and we will fix it. I though don't know how this could happen in the flow you are describing: when user invites from upman, the invitation is sent automatically, and only after the grid is refreshed. I can think of some very unlikely situations only (two users are adding an invitation, one who is first hits create, the grid is refreshed and the invitation of the other user is created but not yet sent. Very unlikely, so perhaps there is some other situation in which this can happen...

Anyway the bug is clear, as even an admin can create an invitation by hand, w/o sending it. Will be fixed in the next release.

Best,
Krzysztof

From: Krzysztof B. <kb...@un...> - 2023-04-20 09:22:37

Hi Sander,

On 18.04.2023 at 11:45, Sander Apweiler wrote:
> Hi Krzysztof,
> we got the feedback that users were not able to update their email
> addresses because they are not validated. We are running unity 3.11.2.
> The attribute is verifiableEmail type and self modifiable. The users
> are able to enter new email address but when they save them the
> attached error is shown. I would assume that a new verification email
> send.

We don't support such flow, it is pretty risky. Suggested flow is as follows:

1. user adds *another* email, next to the existing one. Confirmation is sent.
2. user confirms the new email address
3. then user can delete the old one

This flow ensures that user won't lock herself out, i.e. land in a situation w/o any valid email (what may be a problem in many cases: notifications, system consistency, credential reset). Surely if the flow described above shall be supported, attribute type needs to accept at least 2 values.

We can make this more flexible (e.g. have this validation configurable, or more sophisticated, taking into account also email identities of the user), but that would need development.

Best,
Krzysztof

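The add, confirm, then delete flow from the message above, modelled as an added example (not Unity's implementation): the attribute refuses any removal that would leave the user without a confirmed address, and shows why the attribute type has to accept at least two values. The class, its method names and the token handling are assumptions made for illustration; the addresses are constructed.

```javascript
'use strict';
// Added illustration; not Unity code. Class and method names are hypothetical.
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

class VerifiableEmailAttribute {
  // maxValues models the attribute type's value limit.
  constructor(confirmedAddress, maxValues) {
    this.maxValues = maxValues;
    this.values = [{ address: confirmedAddress, confirmed: true, tokenHash: null }];
  }

  confirmedAddresses() {
    return this.values.filter((v) => v.confirmed).map((v) => v.address);
  }

  // Step 1: add another address next to the existing one. It starts out
  // unconfirmed; the returned token stands for the confirmation e-mail.
  add(address) {
    if (this.values.some((v) => v.address === address)) {
      throw new Error('address already present');
    }
    if (this.values.length >= this.maxValues) {
      throw new Error('attribute type accepts no further value');
    }
    const token = crypto.randomBytes(32).toString('hex');
    // Only a hash of the token is kept, so a leaked attribute store does not
    // allow confirming an address on the owner's behalf.
    this.values.push({ address, confirmed: false, tokenHash: sha256(token) });
    return token;
  }

  // Step 2: the owner of the new mailbox proves control by presenting the token.
  confirm(token) {
    const hash = sha256(String(token));
    const entry = this.values.find((v) => !v.confirmed && v.tokenHash === hash);
    if (!entry) return false;
    entry.confirmed = true;
    entry.tokenHash = null; // single use
    return true;
  }

  // Step 3: delete an address, but never the last confirmed one. This is the
  // lock-out guard: notifications and credential reset need a valid address.
  remove(address) {
    const remaining = this.values.filter((v) => v.address !== address);
    if (remaining.length === this.values.length) throw new Error('no such address');
    if (!remaining.some((v) => v.confirmed)) {
      throw new Error('refused: no confirmed address would remain');
    }
    this.values = remaining;
  }
}

// Runs the three steps on constructed addresses and returns the final state.
function runSuggestedFlow() {
  const attr = new VerifiableEmailAttribute('old@example.org', 2);
  const token = attr.add('new@example.org'); // step 1
  attr.confirm(token);                       // step 2
  attr.remove('old@example.org');            // step 3
  return attr.confirmedAddresses();
}
```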
From: Sander A. <sa....@fz...> - 2023-04-19 05:51:42

Dear Krzysztof,

we have in one upman managed group the problem that a NullPointer exception is raised if the user switched to invitations and tries to create a new one. I added the stack trace. Sadly I didn't see anything else in the log before, since we reduced the loglevel to see if the system has an issue with IO, which we can eliminate as cause for slow unity.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

From: Sander A. <sa....@fz...> - 2023-04-18 10:05:11

Hi Krzysztof,
we got the feedback that users were not able to update their email addresses because they are not validated. We are running unity 3.11.2. The attribute is verifiableEmail type and self modifiable. The users are able to enter new email address but when they save them the attached error is shown. I would assume that a new verification email send.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

From: Krzysztof B. <kb...@un...> - 2023-02-10 17:37:34

On 6.02.2023 at 10:59, Sander Apweiler wrote:
> Hi Krzysztof,
> I just pasted the part of the google registration form. Please let me
> know if you want to have the full export. I saw that the full export is
> not valid json. There is missing the closing ].

thx

[CUT]

> And it seems that the custom form layout is not applied, too.

It is, although you have triggered one edge case where we can improve. The logic deciding whether a configured caption should be shown or not is not simple, as other elements of the layout can disappear at runtime (e.g. attribute may be provided by google, and not configured to be overwritten - then no component on form). So we are skipping some captions. And it seems we skip them in a bit too many cases, including your case when caption is the first element. We will improve this as a bugfix.

>>>> while reworking on our registration forms, we recognized that the
>>>> Form information, which we use to inform the users about the email
>>>> validation, is not shown anymore in the form itself. We just see
>>>> the boxes with identities and the policies. Is this a bug or
>>>> intended behaviour?

Seems as the case from our UY-1000 ticket - we don't support form information for the 2nd stage form, i.e. form shown after return from remote IdP in the case of remote registration. This ticket had wrong tags, and so was slightly forgotten. I've already fixed the tags and so is in the OSS requests queue.

Best,
Krzysztof

From: Krzysztof B. <kb...@un...> - 2023-02-07 11:28:59

Hi Sander,

On 7.02.2023 at 09:26, Sander Apweiler wrote:
> Dear Krzysztof,
> we have problems with slow web UI and crashes of the endpoints. We got
> a lot of feedback from users that the web UI is quite slow. Especially
> if they want to invite multiple people or just accept an invitation
> (more than two minutes the spinning wheel).
> When we delete five registrations, the progress bar goes to ~95%,
> blinks and it takes two to three minutes to finish the deletion. If we
> want to delete ten registrations, the risk is high that the console
> endpoints crashes and we need to restart unity.
> Switching the conflict resolution of an attribute statement from skip
> to merge took two minutes this morning.
>
> I'm pretty sure that our large number of users (14k+) is one of the
> reasons for this. It seems that the server itself is not on load. It
> has 0,3 having 4 cores. Unity is allowed to use 8GB RAM but the whole
> server uses at the moment just 5,4GB.
>
> We increased already the number of workers to 32. Do you have some
> hints how we can get a better performance?

It is hard to say and most likely profiling will be needed to identify root cause. Before that can you be more specific about what you mean by "endpoint crashes"? Are there any exceptions in logs? This might be very helpful.

Generally there are many aspects influencing app performance. It is not only memory and CPU/threads. Also it might be related to I/O (e.g. excessive logging on DEBUG/TRACE level or RDBMS access - e.g. too few connections). There might be spikes in memory load which you won't observe with OS tools, rather you need APM for that. What I'd anyway suggest for any bigger production instance. Then you will be able to check the detailed memory usage stats over time (if JVM runs close to its memory limits, GC kicks in and app starts to be very slow), threads utilization (there are few thread pools).

In general my take on performance is that I first try to find reproducible case which is slow, then run it in some isolation (simulate on separate server or even on prod in off peak hours) with some extra logging turned on, find which operations are slow (gap in logs or long reported operation) and proceed from that point.

HTH,
Krzysztof

From: Sander A. <sa....@fz...> - 2023-02-07 08:27:01

Dear Krzysztof,
we have problems with slow web UI and crashes of the endpoints. We got a lot of feedback from users that the web UI is quite slow. Especially if they want to invite multiple people or just accept an invitation (more than two minutes the spinning wheel).
When we delete five registrations, the progress bar goes to ~95%, blinks and it takes two to three minutes to finish the deletion. If we want to delete ten registrations, the risk is high that the console endpoints crashes and we need to restart unity.
Switching the conflict resolution of an attribute statement from skip to merge took two minutes this morning.

I'm pretty sure that our large number of users (14k+) is one of the reasons for this. It seems that the server itself is not on load. It has 0,3 having 4 cores. Unity is allowed to use 8GB RAM but the whole server uses at the moment just 5,4GB.

We increased already the number of workers to 32. Do you have some hints how we can get a better performance?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

From: Sander A. <sa....@fz...> - 2023-02-06 10:00:07
|
Hi Krzysztof,

I just pasted the part of the google registration form. Please let me know if you want to have the full export. I saw that the full export is not valid json. The closing ] is missing.

Best regards,
Sander

On Mon, 2023-02-06 at 10:43 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 3.02.2023 at 07:03, Sander Apweiler wrote:
> > And it seems that the custom form layout is not applied, too.
> >
> > Best regards,
> > Sander
> >
> > On Fri, 2023-02-03 at 06:56 +0100, Sander Apweiler wrote:
> > > Good morning Krzysztof,
> > > while reworking on our registration forms, we recognized that the Form information, which we use to inform the users about the email validation, is not shown anymore in the form itself. We just see the boxes with identities and the policies. Is this a bug or intended behaviour?
>
> Of course not intended.
>
> Can you share a bit more of your config (perfectly: JSON export, which you can generate with REST API)? In general it works at our end pretty well, so would be great to be able to reproduce your issue - likely form config specific.
>
> Thanks,
> Krzysztof
>
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
|
From: Krzysztof B. <kb...@un...> - 2023-02-06 09:44:14
|
Hi Sander,

On 3.02.2023 at 07:03, Sander Apweiler wrote:
> And it seems that the custom form layout is not applied, too.
>
> Best regards,
> Sander
>
> On Fri, 2023-02-03 at 06:56 +0100, Sander Apweiler wrote:
>> Good morning Krzysztof,
>> while reworking on our registration forms, we recognized that the Form information, which we use to inform the users about the email validation, is not shown anymore in the form itself. We just see the boxes with identities and the policies. Is this a bug or intended behaviour?

Of course not intended.

Can you share a bit more of your config (perfectly: JSON export, which you can generate with REST API)? In general it works at our end pretty well, so would be great to be able to reproduce your issue - likely form config specific.

Thanks,
Krzysztof
|
From: Sander A. <sa....@fz...> - 2023-02-03 06:03:38
|
And it seems that the custom form layout is not applied, too.

Best regards,
Sander

On Fri, 2023-02-03 at 06:56 +0100, Sander Apweiler wrote:
> Good morning Krzysztof,
> while reworking on our registration forms, we recognized that the Form information, which we use to inform the users about the email validation, is not shown anymore in the form itself. We just see the boxes with identities and the policies. Is this a bug or intended behaviour?
>
> Best regards,
> Sander
|
From: Sander A. <sa....@fz...> - 2023-02-03 05:57:14
|
Good morning Krzysztof,

while reworking on our registration forms, we recognized that the Form information, which we use to inform the users about the email validation, is not shown anymore in the form itself. We just see the boxes with identities and the policies. Is this a bug or intended behaviour?

Best regards,
Sander
|
From: Sander A. <sa....@fz...> - 2023-02-02 10:49:45
|
Hi Krzysztof,

sorry for the late answer. Last days were very busy.

On Mon, 2023-01-30 at 09:35 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> First of all thank you for that email. We will internally talk about it more after the next release is out, but please find below some quick comments.
>
> On 25.01.2023 at 08:56, Sander Apweiler wrote:
> > for the usage of MFA we want to provide some feedback. Some of these things you already know.
> >
> > - If OTP is wrong I have to redo the whole authentication. This feels a little bit annoying. On other platforms you just have to reenter the OTP, but not username & password.
>
> Makes sense, though is more complex: this behavior makes sense for OTP and maybe SMS as second factor, but completely not if say hardware token (fido2) is used as second factor. But worth considering as credential dependent behavior. Shouldn't be big deal to be implemented.

Ok. I didn't have any time to test FIDO2. But I want to do.

> > - Signalling MFA usage to SPs in common ways. There are already some common ways to signal the usage of MFA to services. These are the AuthnContextClassRef in SAML and the acr claim in OIDC. It would be great if this is supported by unity, too.
> > - Proxying the MFA information from upstream IdP. If the upstream IdP already enables MFA and sends the usage to services, MFA at unity does not increase the security anymore. Especially if the second factor is the same OTP generator. So it would be great if there is a way to transfer the information to the SPs of unity. I know we can build a workaround but as you already mentioned storing information in unity to session bound attributes is not the best way.
> > - If the user enables MFA in unity but the upstream IdP already performed MFA, it would be great if there is a way for admins to configure if unity performs MFA or not and just proxies the information. As mentioned before there is no benefit if the second factor is the same.
>
> All 3 points above are mostly clear and true - a missing functionality in Unity.
>
> > - Have an additional authentication flow policy "step_up" which does not fall back to never, if the user has no MFA configured, but just prohibits the operation/login.
>
> Here I'm not sure if I understand. Do you mean that user needs to provide two factors and if has only one set up then the authN fails? Isn't that possible today?

We see "step_up" as something between required and never. This will be only triggered if the user wants to perform a "sensitive" operation at a connected service or within unity. To perform this operation the user is sent back to authentication and must perform a more secured authentication using MFA. But this does not work if the policy switches back to never, if the user has no MFA configured. In this case, the user can not perform the step_up authentication and the authorization fails. Hopefully it is more clear now.

> > - Have different session lifetime for user who performed MFA. Since the MFA gives a better trust about the user account is not compromised, it would be nice if we can increase the session time for those user who authenticated with MFA. This would be a benefit for those, who are doing the additional step.
>
> Here I don't think this is a correct approach. What is the linking between LoA and session lifetime? If any I'd say it is opposite: if you are strongly authenticated, then you may potentially gain access to more resources, and so your session should be shorter. But essentially I'd say there should be no dependency here.

In general I agree to you. Security is hard to combine with laziness or "comfort" to users. This was one requirement by the management. If you do not see this as a valid request, I'm fine.

Best regards,
Sander

> Thank you a lot,
> Krzysztof
|
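The "step_up" policy and the proxying of upstream MFA discussed in this message, modelled as an added example: it is not Unity code or configuration and was not written by either poster. The policy names, the constructed ACR values and the `trust_upstream_mfa` and `fall_back_when_unenrolled` switches are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Constructed ACR values (assumption); a deployment agrees its own with its SPs.
ACR_MFA = "urn:example:acr:mfa"
ACR_SINGLE = "urn:example:acr:single-factor"


class Policy(Enum):
    NEVER = "never"        # second factor is never requested
    REQUIRED = "required"  # second factor on every login
    STEP_UP = "step_up"    # second factor only when the SP asks for it


class Outcome(Enum):
    ALLOW = "allow"
    PROMPT_SECOND_FACTOR = "prompt_second_factor"
    DENY = "deny"


@dataclass(frozen=True)
class AuthnContext:
    policy: Policy
    user_enrolled: bool                     # user has a second factor at the proxy
    upstream_acr: Optional[str] = None      # acr / AuthnContextClassRef from upstream IdP
    trust_upstream_mfa: bool = False        # admin switch, set per upstream IdP
    sp_requests_mfa: bool = False           # SP asked for MFA (sensitive operation)
    fall_back_when_unenrolled: bool = False  # the fallback behaviour described above


@dataclass(frozen=True)
class Decision:
    outcome: Outcome
    acr_out: Optional[str]  # value to signal to the SP once authentication completes


def decide(ctx: AuthnContext) -> Decision:
    mfa_needed = ctx.policy is Policy.REQUIRED or (
        ctx.policy is Policy.STEP_UP and ctx.sp_requests_mfa
    )
    # Honour an upstream MFA claim only from IdPs the admin explicitly trusts;
    # otherwise any upstream could assert its way past the second factor.
    if ctx.trust_upstream_mfa and ctx.upstream_acr == ACR_MFA:
        return Decision(Outcome.ALLOW, ACR_MFA)
    if not mfa_needed:
        return Decision(Outcome.ALLOW, ACR_SINGLE)
    if ctx.user_enrolled:
        return Decision(Outcome.PROMPT_SECOND_FACTOR, ACR_MFA)
    if ctx.fall_back_when_unenrolled:
        # Login succeeds with one factor; the SP sees the weaker acr and has
        # to refuse the sensitive operation itself.
        return Decision(Outcome.ALLOW, ACR_SINGLE)
    # Requested "step_up" behaviour: refuse instead of silently downgrading.
    return Decision(Outcome.DENY, None)


if __name__ == "__main__":
    unenrolled = AuthnContext(Policy.STEP_UP, user_enrolled=False, sp_requests_mfa=True)
    print(decide(unenrolled))
```

The value in `acr_out` is what the SP should compare against its own requirement, so a fallback to single factor is visible to the service rather than hidden inside the proxy.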
From: Krzysztof B. <kb...@un...> - 2023-02-01 12:30:04
|
Dear Subscribers,

I'm happy to announce availability of a new Unity release. As always all relevant links are available at https://unity-idm.eu/releases/release-3-12-0/

The 3.12.0 release brings a new library for easier REST integration with Unity from Java, a new REST endpoint to manage projects and much more.

REST Types API

The biggest change in this release is introduction of a new Java module /unity-rest-api/. This module can be used by apps written in Java, which integrate with Unity REST API. This module offers a clean, simple to use set of immutable classes following builder pattern, allowing for easy preparation of REST requests as well as parsing of responses. All Unity REST Admin paths are covered.

At the same time the other module /unity-types-api/ gets deprecated. It will be dropped in the release 4.0.0. Users of this module should consider migrating to the /unity-rest-api/ module.

Note that REST API has not been changed – the new module offers only a new Java API making the REST integration easier on Java platform.

SAML metadata handling of IdPs

We have finally concluded our big effort to update SAML metadata handling. The previous releases covered more impacting part of authenticators. In this release we have aligned the IdP part. A user visible effect of this change is slightly reduced memory consumption in case of IdP endpoints configured from SAML metadata, as well as faster (re)loading of metadata.

RPM packaging dropped

Since we haven't observed almost any download activity related to RPM packaging, we have decided to drop it. tar.gz bundle is now the only distribution format.

Proxied OAuth token introspection

Unity allows now for acting as a proxy to other OAuth servers when it comes to handling OAuth token introspection requests. To enable this feature the upstream OAuth Authorization Servers need to be set up in Unity OAuth endpoint's configuration.

UpMan REST API

A new type of endpoint was added: UpMan REST API. This API complements UpMan web interface, but is not its REST replacement functionality-wise. Instead the REST API allows for quick and easy management of projects themselves. Creation, removal and fundamental configuration of an UpMan project (like setting the initial manager) can be done effortlessly with the new REST interface.

Policy documents REST API

Unity Admin REST API was enhanced with support of Unity policy documents management. Also a new authorization role was added: policyDocumentsManager. Holder of this role has generally limited permissions as a regular user, but additionally can manage policy documents over the REST API.

Other improvements

* After typing a wrong password the Enter key binding is not lost anymore
* Invitations are not losing the >by invitation< status even after switching to enquiry mode
* Invitation to upman with default settings does not allow for choosing arbitrary initial groups anymore
* Null entries in trusted apps tab on home UI should not happen anymore
* Missing logo does not cause upman loading to crash anymore

Best regards,
Krzysztof
|
From: Roman K. <ro...@un...> - 2023-01-30 10:45:36
|
Good morning Sander,

This is a bug on our side, we are working on this. Fix will be in the next release, which happens to be early this week. Sorry for inconvenience.

Best regards,
Roman

Fri, 27 Jan 2023 at 08:02 Sander Apweiler <sa....@fz...> wrote:
> Good morning Roman,
> yes workaround fixed the problem, I'm afraid that I might have much more groups, where it fails because normally we do not set the logo. Also on this group we didn't set it. So yes it was empty or null. We were not aware that the logo is mandatory. It would be great if you can mark this somehow, if you want to have it mandatory. And if this is not a bug please list this as on changes in the versions updates, since it was working in older versions without the logo.
>
> Best regards,
> Sander
>
> On Thu, 2023-01-26 at 18:23 +0100, Roman Krysiński wrote:
> > Hi Sander,
> >
> > It seems the Logo URL in some group w/ configured delegation has incorrect value - set to null.
> > As the workaround I think it would be sufficient to find the problematic group and from the console update the Logo URL to something meaningful.
> > It would be helpful to understand how this project has been created, do you happen to know?
> >
> > In the meantime we will investigate the problem.
> >
> > Please let me know if the workaround worked for you.
> >
> > Best,
> > Roman
> >
> > Thu, 26 Jan 2023 at 13:36 Sander Apweiler <sa....@fz...> wrote:
> > > Hi Krzysztof,
> > > we have an issue with only one group in upman. The user just got the word "error" shown when they logged into upman. I just got the attached stacktrace but no further info in the log. From the stacktrace I assume that some config/parameter is missing but I don't know what. Do you know where this exception is raised?
> > >
> > > Best regards,
> > > Sander
|
From: Krzysztof B. <kb...@un...> - 2023-01-30 08:35:57
|
Hi Sander,

First of all thank you for that email. We will internally talk about it more after the next release is out, but please find below some quick comments.

On 25.01.2023 at 08:56, Sander Apweiler wrote:
> for the usage of MFA we want to provide some feedback. Some of these things you already know.
>
> - If OTP is wrong I have to redo the whole authentication. This feels a little bit annoying. On other platforms you just have to reenter the OTP, but not username & password.

Makes sense, though is more complex: this behavior makes sense for OTP and maybe SMS as second factor, but completely not if say hardware token (fido2) is used as second factor. But worth considering as credential dependent behavior. Shouldn't be big deal to be implemented.

> - Signalling MFA usage to SPs in common ways. There are already some common ways to signal the usage of MFA to services. These are the AuthnContextClassRef in SAML and the acr claim in OIDC. It would be great if this is supported by unity, too.
> - Proxying the MFA information from upstream IdP. If the upstream IdP already enables MFA and sends the usage to services, MFA at unity does not increase the security anymore. Especially if the second factor is the same OTP generator. So it would be great if there is a way to transfer the information to the SPs of unity. I know we can build a workaround but as you already mentioned storing information in unity to session bound attributes is not the best way.
> - If the user enables MFA in unity but the upstream IdP already performed MFA, it would be great if there is a way for admins to configure if unity performs MFA or not and just proxies the information. As mentioned before there is no benefit if the second factor is the same.

All 3 points above are mostly clear and true - a missing functionality in Unity.

> - Have an additional authentication flow policy "step_up" which does not fall back to never, if the user has no MFA configured, but just prohibits the operation/login.

Here I'm not sure if I understand. Do you mean that user needs to provide two factors and if has only one set up then the authN fails? Isn't that possible today?

> - Have different session lifetime for user who performed MFA. Since the MFA gives a better trust about the user account is not compromised, it would be nice if we can increase the session time for those user who authenticated with MFA. This would be a benefit for those, who are doing the additional step.

Here I don't think this is a correct approach. What is the linking between LoA and session lifetime? If any I'd say it is opposite: if you are strongly authenticated, then you may potentially gain access to more resources, and so your session should be shorter. But essentially I'd say there should be no dependency here.

Thank you a lot,
Krzysztof
|
From: Sander A. <sa....@fz...> - 2023-01-27 07:03:00
|
Good morning Roman,

yes workaround fixed the problem, I'm afraid that I might have much more groups, where it fails because normally we do not set the logo. Also on this group we didn't set it. So yes it was empty or null. We were not aware that the logo is mandatory. It would be great if you can mark this somehow, if you want to have it mandatory. And if this is not a bug please list this as on changes in the versions updates, since it was working in older versions without the logo.

Best regards,
Sander

On Thu, 2023-01-26 at 18:23 +0100, Roman Krysiński wrote:
> Hi Sander,
>
> It seems the Logo URL in some group w/ configured delegation has incorrect value - set to null.
> As the workaround I think it would be sufficient to find the problematic group and from the console update the Logo URL to something meaningful.
> It would be helpful to understand how this project has been created, do you happen to know?
>
> In the meantime we will investigate the problem.
>
> Please let me know if the workaround worked for you.
>
> Best,
> Roman
>
> Thu, 26 Jan 2023 at 13:36 Sander Apweiler <sa....@fz...> wrote:
> > Hi Krzysztof,
> > we have an issue with only one group in upman. The user just got the word "error" shown when they logged into upman. I just got the attached stacktrace but no further info in the log. From the stacktrace I assume that some config/parameter is missing but I don't know what. Do you know where this exception is raised?
> >
> > Best regards,
> > Sander
|