From: Sander A. <sa....@fz...> - 2023-08-18 10:42:28
|
Hi Krzysztof, hi Roman,

within another project we have a quite difficult use-case for integrating LDAP for authentication in unity. The LDAP has one tree containing the usernames, passwords and an identifier (not equal to the username). Within another tree we have this identifier, email and name of the user. As far as I understood the manual, unity would be able to perform the ldapsearch for the attributes on another tree than the bind call for authentication, but it would require the username in both trees. So this would not fit here.

We had two ideas what could work but would need your knowledge to clarify this.

The first idea was the mechanism to call an attribute authority after user authentication, like we had in the lifescience use-case in past. Could we use this feature to perform the second LDAP call after authentication to fetch the user information from the second tree using the identifier?

The second idea was fetching the user information from a proprietary API, which already exists. For this we would need to trigger a script, which fetches the information and stores them into unity. Would there be a trigger for a groovy script in the authentication/registration process where we could integrate the script?

Or do you have any other idea for this difficult use-case?

Best regards,
Sander

--
Large-Scale Data Science
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
-----------------------------------------------------------------------
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Amtsgericht Dueren, No. HR B 3498
Chairman of the Supervisory Board: MinDir Stefan Müller
Board of Directors: Prof. Dr. Astrid Lambrecht (Chair),
Karsten Beneke (Deputy Chair), Dr. Ir. Pieter Jansens
-----------------------------------------------------------------------
-----------------------------------------------------------------------
|
From: Sander A. <sa....@fz...> - 2023-08-18 05:38:07
|
Hello again,

ORCID indicated that the error could be caused by this API change: https://groups.google.com/g/orcid-api-users/c/nl-ZCnsLB_U

Can we somehow update the URL by the configuration to test it?

Best regards,
Sander

On Tue, 2023-08-15 at 13:13 +0200, Sander Apweiler wrote:
> Hi Krzysztof, hi Roman,
> since a few weeks we have problems using ORCID as upstream login,
> without changes in our config. We get the following message if a user
> tries to login via ORCID:
>
> unity.server.oauth.OAuth2Verificator: Error received. Contents:
> {"error":"unauthorized","error_description":"An Authentication object
> was not found in the SecurityContext"}
>
> Following the error description I found exchanges where setting data
> type to "x-www-form-urlencoded" solved the issue. I tried to look in
> unity code if this is already done, but I didn't find it in source.
>
> Do you know this problem already? We can reproduce this on different
> unity instance, all running 3.11.2.
>
> Best regards,
> Sander
|
From: Krzysztof B. <kb...@un...> - 2023-08-15 11:26:06
|
Dear Subscribers,

While we are mostly focused on the major Unity 4 release, a small bugfix update was published. It includes two fixes, the most notable one is related to FIDO regression introduced in 3.13.0 (plus general FIDO improvements are here).

https://unity-idm.eu/releases/release-3-13-1/

Best regards,
Krzysztof
|
From: Sander A. <sa....@fz...> - 2023-08-15 11:13:55
|
Hi Krzysztof, hi Roman,
since a few weeks we have problems using ORCID as upstream login,
without changes in our config. We get the following message if a user
tries to login via ORCID:
unity.server.oauth.OAuth2Verificator: Error received. Contents:
{"error":"unauthorized","error_description":"An Authentication object
was not found in the SecurityContext"}
Following the error description I found exchanges where setting data
type to "x-www-form-urlencoded" solved the issue. I tried to look in
unity code if this is already done, but I didn't find it in source.
Do you know this problem already? We can reproduce this on different
unity instance, all running 3.11.2.
Best regards,
Sander
|
|
From: Sander A. <sa....@fz...> - 2023-08-10 13:24:58
|
Hi Piotr,

we tested today on 3.13 and there we were not able to reproduce the problem. So it seems that it was solved in some update after 3.11.2.

Best regards,
Sander

On Thu, 2023-08-10 at 14:27 +0200, Piotr Piernik wrote:
> Hi Sander,
> I tried to reproduce this problem but unfortunately without success.
> Can you please add an example of this registration form? (Or error
> from log)
>
> The only thing I was able to reproduce is the error shown below:
>
> Best regards,
> Piotr
>
> On 09.08.2023 at 15:37, Sander Apweiler wrote:
> > Hi Krzysztof, hi Roman,
> > we found, from our point of view, a bug in unity 3.11.2. If the remote
> > IdP provides all attributes and the user needs to confirm policies
> > only, the registration form is not shown. The registration fails
> > because the policies were not accepted. When we are using form opt-ins
> > instead of the policy, the registration form is shown and the user can
> > accept them. From our point of view the policy agreement should be
> > handled in the same way like the form opt-ins and registration form
> > should be shown to the users even if only policy agreement is needed.
> >
> > Best regards,
> > Sander
> >
> > _______________________________________________
> > Unity-idm-discuss mailing list
> > Uni...@li...
> > https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
|
From: Piotr P. <pio...@gm...> - 2023-08-10 12:27:17
|
Hi Sander,

I tried to reproduce this problem but unfortunately without success. Can you please add an example of this registration form? (Or error from log)

The only thing I was able to reproduce is the error shown below:

Best regards,
Piotr

On 09.08.2023 at 15:37, Sander Apweiler wrote:
> Hi Krzysztof, hi Roman,
> we found, from our point of view, a bug in unity 3.11.2. If the remote
> IdP provides all attributes and the user needs to confirm policies
> only, the registration form is not shown. The registration fails
> because the policies were not accepted. When we are using form opt-ins
> instead of the policy, the registration form is shown and the user can
> accept them. From our point of view the policy agreement should be
> handled in the same way like the form opt-ins and registration form
> should be shown to the users even if only policy agreement is needed.
>
> Best regards,
> Sander
|
From: Krzysztof B. <kb...@un...> - 2023-08-10 07:57:30
|
Hi Sander,

On 9.08.2023 at 15:37, Sander Apweiler wrote:
> Hi Krzysztof, hi Roman,
> we found, from our point of view, a bug in unity 3.11.2. If the remote
> IdP provides all attributes and the user needs to confirm policies
> only, the registration form is not shown. The registration fails
> because the policies were not accepted. When we are using form opt-ins
> instead of the policy, the registration form is shown and the user can
> accept them. From our point of view the policy agreement should be
> handled in the same way like the form opt-ins and registration form
> should be shown to the users even if only policy agreement is needed.

This indeed sounds like a bug. Ticket opened, we will investigate.

Thank you,
Krzysztof
|
From: Sander A. <sa....@fz...> - 2023-08-09 13:38:02
|
Hi Krzysztof, hi Roman,

we found, from our point of view, a bug in unity 3.11.2. If the remote IdP provides all attributes and the user needs to confirm policies only, the registration form is not shown. The registration fails because the policies were not accepted. When we are using form opt-ins instead of the policy, the registration form is shown and the user can accept them. From our point of view the policy agreement should be handled in the same way like the form opt-ins and registration form should be shown to the users even if only policy agreement is needed.

Best regards,
Sander
|
From: Sander A. <sa....@fz...> - 2023-08-09 04:32:18
|
Good morning Roman,
thanks for your answer. We will try in the next days and come back if
we have problems.
Best regards,
Sander
On Tue, 2023-08-08 at 16:50 +0200, Roman Krysiński wrote:
> Hi Sander,
>
> Sorry to be long in my reply, the answer to your question is YES, it
> is possible.
> The easiest way to see the desired configuration file content, is to
> create a database dump with the "System configuration" part (Console
> -> Maintenance -> Backup & Restore) and search for the configuration
> of the endpoint from the screenshot. I've made similar configuration
> for console and here is the relevant json part for this endpoint:
>
> {
> "_updateTS" : 1691505258138,
> "obj" : {
> "name" : "Console",
> "typeId" : "WebConsoleUI",
> "contextAddress" : "/console",
> "configuration" : {
> "displayedName" : {
> "Map" : {
> "pl" : "Interfejs administracyjny Unity"
> },
> "DefaultValue" : "UNITY console administration interface"
> },
> "description" : "",
> "authenticationOptions" : [ "pwdSys", "pwdComposite",
> "certFlow1", "smsAndPass", "cert", "ldap", "ldapDN", "saml", "oauth",
> "fido" ],
> "configuration" : "#\n#Tue Aug 08 16:34:18 CEST
> 2023\nunity.endpoint.web.authnScreenShowSearch=false\nunity.endpoint.
> web.authnScreenColumn.1.columnContents=saml._entryFromMetadata_2bd764
> 8301d749818fa038b51bf7f235+1. pwdSys _SEPARATOR fido _SEPARATOR cert
> _SEPARATOR pwdComposite _SEPARATOR _SEPARATOR ldap _SEPARATOR
> _REGISTER\nunity.endpoint.web.authnScreenTitle=title of
> page\nunity.endpoint.web.authnScreenColumn.1.columnTitle.en=Local
> authentication\nunity.endpoint.web.externalRegistrationURL=https\\://
> www.wp.pl\nunity.endpoint.web.productionMode=false\nunity.endpoint.we
> b.authnScreenColumn.2.columnTitle.pl=Zdalne
> logowanie\nunity.endpoint.web.authnScreenTitle.en=title of
> page\nunity.endpoint.web.authnScreenOptionsLabel.1.text.en=separator\
> nunity.endpoint.web.showRegistrationFormsInHeader=false\nunity.endpoi
> nt.web.authnScreenShowAllOptions=false\nunity.endpoint.web.authnLastO
> ptionOnlyLayout=_LAST_USED _SEPARATOR_1
> _EXPAND\nunity.endpoint.web.authnShowLastOptionOnly=false\nunity.endp
> oint.web.authnGrid.1.gridContents=saml\nunity.endpoint.web.authnScree
> nLogo=https\\://m.media-amazon.com/images/I/91-
> Db4L6xjL.png\nunity.endpoint.web.authnScreenOptionsLabel.1.text=separ
> ator\nunity.endpoint.web.authnScreenColumn.1.columnTitle.pl=Lokalne
> metody\nunity.endpoint.web.authnGrid.1.gridRows=50\nunity.endpoint.we
> b.compactCredentialReset=true\nunity.endpoint.web.authnScreenColumn.2
> .columnWidth=21\nunity.endpoint.web.authnScreenColumn.1.columnWidth=2
> 1\nunity.endpoint.web.enableRegistration=false\nunity.endpoint.web.au
> thnTheme=unityThemeValo\nunity.endpoint.web.authnScreenColumn.2.colum
> nContents=_GRID_1
> oauth\nunity.endpoint.web.authnScreenColumn.2.columnTitle=\\
> \nunity.endpoint.web.authnScreenColumn.1.columnTitle=Local
> authentication\nunity.endpoint.web.mainTheme=unityThemeValo\nunity.en
> dpoint.web.authnScreenShowCancel=false\nunity.endpoint.web.template=d
> efault.ftl\nunity.endpoint.web.autoLogin=false\n",
> "realm" : "admin",
> "tag" : "yFWk6n2n7mcMeks+eH/YkqEg/WaqCg25HaLHE6/Xs84="
> },
> "revision" : 20,
> "status" : "DEPLOYED"
> }
> }
>
> When you refactor the "configuration.configuration" json part,
> meaning replace "\n" to a new line we will get the information about
> columnContents to put into your file:
>
> unity.endpoint.web.authnScreenColumn.1.columnContents=saml._entryFrom
> Metadata_2bd7648301d749818fa038b51bf7f235+1. pwdSys _SEPARATOR fido
> _SEPARATOR cert _SEPARATOR pwdComposite _SEPARATOR _SEPARATOR ldap
> _SEPARATOR _REGISTER
>
> Please let me know if that answers your question.
>
> Cheers,
> Roman
>
> On Mon, 31 Jul 2023 at 14:35 Sander Apweiler <sa....@fz...> wrote:
> > Hi Krzysztof, hi Roman,
> > using the UI, I can configure the Authentication for the endpoints
> > having singleAuthN with IdPs from federation metadata. I attached a
> > screenshot with a test. Can I somehow do this via configuration
> > files as well?
> >
> > Best regards,
> > Sander
> >
|
|
From: Roman K. <ro...@un...> - 2023-08-08 14:51:05
|
Hi Sander,
Sorry to be long in my reply, the answer to your question is YES, it is
possible.
The easiest way to see the desired configuration file content, is to create
a database dump with the "System configuration" part (Console ->
Maintenance -> Backup & Restore) and search for the configuration of the
endpoint from the screenshot. I've made similar configuration for console
and here is the relevant json part for this endpoint:
{
"_updateTS" : 1691505258138,
"obj" : {
"name" : "Console",
"typeId" : "WebConsoleUI",
"contextAddress" : "/console",
"configuration" : {
"displayedName" : {
"Map" : {
"pl" : "Interfejs administracyjny Unity"
},
"DefaultValue" : "UNITY console administration interface"
},
"description" : "",
"authenticationOptions" : [ "pwdSys", "pwdComposite", "certFlow1",
"smsAndPass", "cert", "ldap", "ldapDN", "saml", "oauth", "fido" ],
"configuration" : "#\n#Tue Aug 08 16:34:18 CEST 2023\n
unity.endpoint.web.authnScreenShowSearch=false\nunity.endpoint.web.authnScreenColumn.1.columnContents=saml._entryFromMetadata_2bd7648301d749818fa038b51bf7f235+1.
pwdSys _SEPARATOR fido _SEPARATOR cert _SEPARATOR pwdComposite _SEPARATOR
_SEPARATOR ldap _SEPARATOR _REGISTER\nunity.endpoint.web.authnScreenTitle=title
of page\nunity.endpoint.web.authnScreenColumn.1.columnTitle.en=Local
authentication\nunity.endpoint.web.externalRegistrationURL=https\\://
www.wp.pl\nunity.endpoint.web.productionMode=false\n
unity.endpoint.web.authnScreenColumn.2.columnTitle.pl=Zdalne
logowanie\nunity.endpoint.web.authnScreenTitle.en=title
of page\nunity.endpoint.web.authnScreenOptionsLabel.1.text.en=separator\n
unity.endpoint.web.showRegistrationFormsInHeader=false\n
unity.endpoint.web.authnScreenShowAllOptions=false\nunity.endpoint.web.authnLastOptionOnlyLayout=_LAST_USED
_SEPARATOR_1 _EXPAND\nunity.endpoint.web.authnShowLastOptionOnly=false\n
unity.endpoint.web.authnGrid.1.gridContents=saml\n
unity.endpoint.web.authnScreenLogo=https\\://
m.media-amazon.com/images/I/91-Db4L6xjL.png\n
unity.endpoint.web.authnScreenOptionsLabel.1.text=separator\n
unity.endpoint.web.authnScreenColumn.1.columnTitle.pl=Lokalne metody\n
unity.endpoint.web.authnGrid.1.gridRows=50\n
unity.endpoint.web.compactCredentialReset=true\n
unity.endpoint.web.authnScreenColumn.2.columnWidth=21\n
unity.endpoint.web.authnScreenColumn.1.columnWidth=21\n
unity.endpoint.web.enableRegistration=false\n
unity.endpoint.web.authnTheme=unityThemeValo\nunity.endpoint.web.authnScreenColumn.2.columnContents=_GRID_1
oauth\nunity.endpoint.web.authnScreenColumn.2.columnTitle=\\
\nunity.endpoint.web.authnScreenColumn.1.columnTitle=Local
authentication\nunity.endpoint.web.mainTheme=unityThemeValo\n
unity.endpoint.web.authnScreenShowCancel=false\n
unity.endpoint.web.template=default.ftl\nunity.endpoint.web.autoLogin=false
\n",
"realm" : "admin",
"tag" : "yFWk6n2n7mcMeks+eH/YkqEg/WaqCg25HaLHE6/Xs84="
},
"revision" : 20,
"status" : "DEPLOYED"
}
}
When you refactor the "configuration.configuration" json part, meaning
replace "\n" to a new line we will get the information about columnContents
to put into your file:
unity.endpoint.web.authnScreenColumn.1.columnContents=saml._entryFromMetadata_2bd7648301d749818fa038b51bf7f235+1.
pwdSys _SEPARATOR fido _SEPARATOR cert _SEPARATOR pwdComposite _SEPARATOR
_SEPARATOR ldap _SEPARATOR _REGISTER
Please let me know if that answers your question.
Cheers,
Roman
On Mon, 31 Jul 2023 at 14:35 Sander Apweiler <sa....@fz...> wrote:
> Hi Krzysztof, hi Roman,
> using the UI, I can configure the Authentication for the endpoints
> having singleAuthN with IdPs from federation metadata. I attached a
> screenshot with a test. Can I somehow do this via configuration
> files as well?
>
> Best regards,
> Sander
>
> --
> Federated Systems and Data
> Juelich Supercomputing Centre
>
> phone: +49 2461 61 8847
> fax: +49 2461 61 6656
> email: sa....@fz...
>
> -----------------------------------------------------------------------
> -----------------------------------------------------------------------
> Forschungszentrum Juelich GmbH
> 52425 Juelich
> Registered office: Juelich
> Registered in the commercial register of the Amtsgericht Dueren, No. HR B 3498
> Chairman of the Supervisory Board: MinDir Stefan Müller
> Board of Directors: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman),
> Karsten Beneke (Deputy Chairman), Dr. Ir. Pieter Jansens,
> Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior
> -----------------------------------------------------------------------
> -----------------------------------------------------------------------
|
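The extraction Roman describes in the message above (take the endpoint object from the dump, turn the "\n" escapes of "configuration.configuration" into real line breaks, read off the columnContents lines), as an added Python example that is not part of the original thread and is not Unity tooling. The dump fragment is a constructed, shortened copy of the object in the post; treating tokens that begin with "_" as layout elements is an assumption drawn from the values shown there.

```python
import json

# Constructed sample: a shortened copy of the endpoint object from the post
# (same field names, fewer properties), as it appears in a database dump.
SAMPLE_DUMP_FRAGMENT = r'''
{
  "_updateTS" : 1691505258138,
  "obj" : {
    "name" : "Console",
    "typeId" : "WebConsoleUI",
    "contextAddress" : "/console",
    "configuration" : {
      "authenticationOptions" : [ "pwdSys", "cert", "ldap", "saml", "oauth", "fido" ],
      "configuration" : "#\n#Tue Aug 08 16:34:18 CEST 2023\nunity.endpoint.web.authnScreenShowSearch=false\nunity.endpoint.web.authnScreenColumn.1.columnContents=saml._entryFromMetadata_2bd7648301d749818fa038b51bf7f235+1. pwdSys _SEPARATOR fido _SEPARATOR cert _SEPARATOR ldap _SEPARATOR _REGISTER\nunity.endpoint.web.externalRegistrationURL=https\\://www.wp.pl\nunity.endpoint.web.authnScreenColumn.2.columnContents=_GRID_1 oauth\nunity.endpoint.web.authnGrid.1.gridContents=saml\n",
      "realm" : "admin"
    },
    "revision" : 20,
    "status" : "DEPLOYED"
  }
}
'''

def embedded_config_text(dump_fragment):
    # json.loads decodes the JSON escapes, so the result already has real
    # line breaks and is the text of a Java-style properties file.
    obj = json.loads(dump_fragment)["obj"]
    return obj["name"], obj["configuration"]["configuration"]

def lines_for_config_file(text, needle="columnContents"):
    """Raw property lines to copy into the endpoint's configuration file."""
    return [ln for ln in text.splitlines() if needle in ln and not ln.startswith("#")]

def _split_key_value(line):
    # The key ends at the first unescaped '=', ':' or whitespace.
    i = 0
    while i < len(line):
        if line[i] == "\\":
            i += 2                      # skip the escaped character
            continue
        if line[i] in "=: \t":
            break
        i += 1
    rest = line[i:].lstrip(" \t")
    if rest[:1] in ("=", ":"):
        rest = rest[1:].lstrip(" \t")
    return line[:i], rest

def _unescape(s):
    simple = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            if nxt == "u" and i + 6 <= len(s):
                out.append(chr(int(s[i + 2:i + 6], 16)))
                i += 6
                continue
            out.append(simple.get(nxt, nxt))   # e.g. "\:" becomes ":"
            i += 2
            continue
        out.append(s[i])
        i += 1
    return "".join(out)

def parse_properties(text):
    """Minimal properties reader: comments, escapes, line continuation."""
    props, pending = {}, ""
    for raw in text.split("\n"):
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:           # odd count: the value continues
            pending = line[:-1]
            continue
        key, value = _split_key_value(line)
        props[_unescape(key)] = _unescape(value)
    return props

def column_contents(props):
    """Map column number to the token list of its columnContents entry."""
    prefix, suffix = "unity.endpoint.web.authnScreenColumn.", ".columnContents"
    return {int(k[len(prefix):-len(suffix)]): v.split()
            for k, v in props.items()
            if k.startswith(prefix) and k.endswith(suffix)}

def authenticators_shown(tokens):
    # Assumption: tokens starting with "_" (_SEPARATOR, _REGISTER, _GRID_1)
    # are layout elements; everything else names a login option.
    return [t for t in tokens if not t.startswith("_")]

if __name__ == "__main__":
    name, text = embedded_config_text(SAMPLE_DUMP_FRAGMENT)
    print(f"# endpoint {name}: lines to copy into the configuration file")
    for line in lines_for_config_file(text):
        print(line)
    for col, tokens in sorted(column_contents(parse_properties(text)).items()):
        print("column", col, "shows", authenticators_shown(tokens))
```

Reading the decoded value through a properties parser also undoes the second layer of escaping (for example `https\://` in the dump is `https://` as a property value), which a plain search-and-replace of "\n" leaves in place.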
|
From: Sander A. <sa....@fz...> - 2023-07-31 12:35:31
|
Hi Krzysztof, hi Roman,

using the UI, I can configure the Authentication for the endpoints having singleAuthN with IdPs from federation metadata. I attached a screenshot with a test. Can I somehow do this via configuration files as well?

Best regards,
Sander
|
From: Laura H. <l....@fz...> - 2023-07-26 17:07:55
|
Hi Krzysztof,

yes, we are now in the process of testing 3.13.

Best regards,
Laura

On 26.07.23 at 16:31, Krzysztof Benedyczak wrote:
> Hi Laura,
>
> On 26.07.2023 at 13:17, Laura Hofer wrote:
>> Hi Krzysztof,
>>
>> we wanted to recreate the error, but it seems to be working now. The
>> application error does not appear anymore.
>
> Does it mean that you can now successfully run 3.13 (or at least are
> progressing with testing it)?
>
> Best,
> Krzysztof

--
Juelich Supercomputing Centre
Institute for Advanced Simulation
Forschungszentrum Juelich GmbH
52425 Juelich, Germany
E-Mail: l....@fz...
Phone: +49 2461 61-6576
Fax: +49 2461 61-6656
-----------------------------------------------------------------------
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Amtsgericht Dueren, No. HR B 3498
Chairman of the Supervisory Board: MinDir Stefan Müller
Board of Directors: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman),
Karsten Beneke (Deputy Chairman), Dr. Ir. Pieter Jansens,
Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior
-----------------------------------------------------------------------
-----------------------------------------------------------------------
|
From: Krzysztof B. <kb...@un...> - 2023-07-26 14:31:37
|
Hi Laura,

On 26.07.2023 at 13:17, Laura Hofer wrote:
> Hi Krzysztof,
>
> we wanted to recreate the error, but it seems to be working now. The
> application error does not appear anymore.

Does it mean that you can now successfully run 3.13 (or at least are progressing with testing it)?

Best,
Krzysztof
|
From: Laura H. <l....@fz...> - 2023-07-26 11:18:01
|
Hi Krzysztof,

we wanted to recreate the error, but it seems to be working now. The application error does not appear anymore.

Best regards,
Laura

On 26.07.23 at 13:15, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> Are there any updates on the below topic?
>
> We have some nice performance improvements prepared, that should help
> with your perf-problems, but I'd prefer
> to release them only after investigating this issue, which sounds
> critical.
>
> Best,
> Krzysztof
>
> On 19.06.2023 at 11:46, Sander Apweiler wrote:
>> Dear Roman,
>> not yet since we are quite busy with preparing a summerschool. Maybe
>> later next week.
>>
>> Best regards,
>> Sander
>>
>> On Mon, 2023-06-19 at 11:40 +0200, Roman Krysiński wrote:
>>> Dear Sander,
>>>
>>> Are there any news with regards to additional information?
>>>
>>> Thank you,
>>> Roman
>>>
>>> On Mon, 12 Jun 2023 at 10:35 Sander Apweiler <sa....@fz...> wrote:
>>>> Dear Krzysztof,
>>>> we will bring the information as soon as possible.
>>>>
>>>> Best regards,
>>>> Sander
>>>>
>>>> On Thu, 2023-06-08 at 10:16 +0200, Krzysztof Benedyczak wrote:
>>>>> Dear Laura, Sander,
>>>>>
>>>>> On 6.06.2023 at 13:19, Laura Hofer wrote:
>>>>>> Dear Krzysztof, Dear Roman,
>>>>>>
>>>>>> we were just about to install unity 3.13.0 and then start testing. To
>>>>>> do this, we first switched from unity 3.11.2 to unity 3.12.0, then to
>>>>>> 3.13.0. After that, we received an application error message when
>>>>>> logging in (see attached screenshot). Unfortunately we could not find
>>>>>> any error message in the stack trace, so we switched back to 3.12.0.
>>>>>> There we got the same error message at login, but then we could also
>>>>>> find an error message in the stack trace. This is also attached as a
>>>>>> txt file.
>>>>> So we have found the problem in 3.12 causing your error. We can fix it,
>>>>> no problem, however I don't think it makes a lot of sense: it is a minor
>>>>> bug, which will only occur on a database which was run on 3.13, and then
>>>>> used in 3.12. This problem on 3.12 is also for sure 100% not related to
>>>>> the (serious) sign-in problem you observed on 3.13.
>>>>>
>>>>> That said, to investigate the real issue we need to get back to 3.13,
>>>>> and diagnose the problem in there. In case of error like in your
>>>>> screenshot, you should rather get a stacktrace or at least ERROR message
>>>>> in log. It is possible we have some omission in logging, but unlikely.
>>>>>
>>>>> Can you please first enable debug logging, then repeat your failing
>>>>> sign-in on 3.13 and inspect log files one more time (or share it with
>>>>> us)? We need to find some clues on what is failing. Without access to
>>>>> your database it will be the only way forward.
>>>>>
>>>>> Best,
>>>>> Krzysztof
|
From: Krzysztof B. <kb...@un...> - 2023-07-26 11:16:07
|
Hi Sander,

Are there any updates on the below topic?

We have some nice performance improvements prepared, that should help with your perf-problems, but I'd prefer to release them only after investigating this issue, which sounds critical.

Best,
Krzysztof

On 19.06.2023 at 11:46, Sander Apweiler wrote:
> Dear Roman,
> not yet since we are quite busy with preparing a summerschool. Maybe
> later next week.
>
> Best regards,
> Sander
>
> On Mon, 2023-06-19 at 11:40 +0200, Roman Krysiński wrote:
>> Dear Sander,
>>
>> Are there any news with regards to additional information?
>>
>> Thank you,
>> Roman
>>
>> On Mon, 12 Jun 2023 at 10:35 Sander Apweiler <sa....@fz...> wrote:
>>> Dear Krzysztof,
>>> we will bring the information as soon as possible.
>>>
>>> Best regards,
>>> Sander
>>>
>>> On Thu, 2023-06-08 at 10:16 +0200, Krzysztof Benedyczak wrote:
>>>> Dear Laura, Sander,
>>>>
>>>> On 6.06.2023 at 13:19, Laura Hofer wrote:
>>>>> Dear Krzysztof, Dear Roman,
>>>>>
>>>>> we were just about to install unity 3.13.0 and then start testing. To
>>>>> do this, we first switched from unity 3.11.2 to unity 3.12.0, then to
>>>>> 3.13.0. After that, we received an application error message when
>>>>> logging in (see attached screenshot). Unfortunately we could not find
>>>>> any error message in the stack trace, so we switched back to 3.12.0.
>>>>> There we got the same error message at login, but then we could also
>>>>> find an error message in the stack trace. This is also attached as a
>>>>> txt file.
>>>> So we have found the problem in 3.12 causing your error. We can fix it,
>>>> no problem, however I don't think it makes a lot of sense: it is a minor
>>>> bug, which will only occur on a database which was run on 3.13, and then
>>>> used in 3.12. This problem on 3.12 is also for sure 100% not related to
>>>> the (serious) sign-in problem you observed on 3.13.
>>>>
>>>> That said, to investigate the real issue we need to get back to 3.13,
>>>> and diagnose the problem in there. In case of error like in your
>>>> screenshot, you should rather get a stacktrace or at least ERROR message
>>>> in log. It is possible we have some omission in logging, but unlikely.
>>>>
>>>> Can you please first enable debug logging, then repeat your failing
>>>> sign-in on 3.13 and inspect log files one more time (or share it with
>>>> us)? We need to find some clues on what is failing. Without access to
>>>> your database it will be the only way forward.
>>>>
>>>> Best,
>>>> Krzysztof
|
From: Sander A. <sa....@fz...> - 2023-07-17 09:09:36
|
Ok, just read in the manual, that separator is skipped when using other text elements.

On Mon, 2023-07-17 at 11:06 +0200, Sander Apweiler wrote:
> Hi Krzysztof,
> hi Roman,
>
> we are setting up a new service and while creating the endpoint layout
> we recognized that separators are not shown. Additionally the text from
> _HEADER_H1 and _SEPARATOR_OR are somehow linked. Changing one of them
> changes the other one as well. Since we are not using them on other
> instance, we do not know if this problem starts with 3.13 or earlier.
>
> Best regards,
> Sander
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the local court of Dueren, No. HR B 3498
Chairman of the Supervisory Board: MinDir Stefan Müller
Board of Directors: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Dr. Ir. Pieter Jansens, Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior
-----------------------------------------------------------------------
|
From: Sander A. <sa....@fz...> - 2023-07-17 09:06:36
|
Hi Krzysztof,
hi Roman,

we are setting up a new service and while creating the endpoint layout we recognized that separators are not shown. Additionally the text from _HEADER_H1 and _SEPARATOR_OR are somehow linked. Changing one of them changes the other one as well. Since we are not using them on other instance, we do not know if this problem starts with 3.13 or earlier.

Best regards,
Sander
|
From: Krzysztof B. <kb...@un...> - 2023-07-12 10:39:18
|
Hi Sander,

On 6.07.2023 at 12:18, Sander Apweiler wrote:
> Hi Krzysztof,
> we have home IdPs + ORCID/Google/Github as upstream IdPs. Unity
> interacts as proxy. User can sign in with all of them, but using home
> IdP can give already access to resources. We can not use the account
> linking because the user must lose access to the resources, when they
> leave the home organisation.
>
> We have some services which already want to have the ORCID ID of the
> user. Of course we can create an attribute and user needs to enter it
> manually during sign up or later in userhome endpoint. But manual steps
> offer the option for mistakes. So our question would be if there is a
> way to get the ID from ORCID directly, like the sign up using ORCID,
> but without account linking.

Hmm, I was close to writing this is not doable, but I realized I don't understand the scenario.

So on one hand you want to keep the feature to sign in using ORCID as an alternative to sign-in using your home org IdP. Right? This means that you need those two sign-in methods supported and also both should be linked to the same entity in Unity. At the same time if ORCID id is only stored as a plain attribute, users won't be able to login with ORCID. What do I miss?

Isn't it just a deprovisioning concern, that after user leaves home-org, some aspects of the Unity account should be removed so authZ is lost to relevant items?

Best,
Krzysztof
|
From: Sander A. <sa....@fz...> - 2023-07-06 10:19:16
|
Hi Krzysztof,
we have home IdPs + ORCID/Google/Github as upstream IdPs. Unity interacts as proxy. User can sign in with all of them, but using home IdP can give already access to resources. We can not use the account linking because the user must lose access to the resources, when they leave the home organisation.

We have some services which already want to have the ORCID ID of the user. Of course we can create an attribute and user needs to enter it manually during sign up or later in userhome endpoint. But manual steps offer the option for mistakes. So our question would be if there is a way to get the ID from ORCID directly, like the sign up using ORCID, but without account linking.

Best regards,
Sander

On Thu, 2023-07-06 at 12:00 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 6.07.2023 at 10:42, Sander Apweiler wrote:
> > Hi Krzysztof, hi Roman,
> > we see a growing number of requests to the ORCID ID of researchers
> > and services who want this information from the IdM system. The
> > primary identity of the users is bound to the home organisation.
> > Since there are resources bound to these identities, we do not want
> > to perform account linking, unless we can remove all privileges,
> > based on the organisation login, of the users, if the user left the
> > organisation. ORCID login is an alternative for researchers where
> > the home organisation does not release all mandatory attributes.
> >
> > Is it possible to get the ID directly from ORCID and storing this
> > as attribute, without account/identity linking?
>
> I'm not sure if I understand the scenario. Can you describe the flow
> precisely? I wonder how and when Unity instance shall authorize to
> ORCID to get this identity info?
>
> I understand that you have a user that has some home IdP + ORCID id.
> This user can login via Unity acting as a proxy to home IdP. And now
> how ORCID fits here?
>
> Best,
> Krzysztof
|
From: Sander A. <sa....@fz...> - 2023-07-06 10:06:29
|
Hi Krzysztof,
I already assumed, that it is not possible. Thanks for the information.

Best regards,
Sander

On Thu, 2023-07-06 at 11:57 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 5.07.2023 at 13:15, Sander Apweiler wrote:
> > Hi Krzysztof, hi Roman,
> > we have a group in our instance who asked if it is possible to
> > enforce MFA for all their members. I know unity can enforce MFA on
> > a specific endpoint/realm, but I don't know a possibility to
> > enforce it to users from a specific group. Can you confirm this or
> > explain how it would work?
>
> Unfortunately it is not supported. Of course you can enable "MFA user
> opt in" for all group users, but that can't be automated (and so will
> require additional action when a new user is added).
>
> An improved solution would be to make management of the MFA opt in
> also possible using a regular attribute. Then one would be able to
> set up an attribute statement on the root group to set this MFA opt in
> to true for all members of a given group (or based on any other
> condition). But this will require additional MFA policies too, and we
> need a chain of decisions what happens in case of conflicts (e.g. user
> of that group has no 2F credential or unset her MFA opt-in). Most
> likely more sophisticated policies in authN flows would be needed as
> well.
>
> Best,
> Krzysztof
|
From: Krzysztof B. <kb...@un...> - 2023-07-06 10:00:54
|
Hi Sander,

On 6.07.2023 at 10:42, Sander Apweiler wrote:
> Hi Krzysztof, hi Roman,
> we see a growing number of requests to the ORCID ID of researchers and
> services who want this information from the IdM system. The primary
> identity of the users is bound to the home organisation. Since there
> are resources bound to these identities, we do not want to perform
> account linking, unless we can remove all privileges, based on the
> organisation login, of the users, if the user left the organisation.
> ORCID login is an alternative for researchers where the home
> organisation does not release all mandatory attributes.
>
> Is it possible to get the ID directly from ORCID and storing this as
> attribute, without account/identity linking?

I'm not sure if I understand the scenario. Can you describe the flow precisely? I wonder how and when Unity instance shall authorize to ORCID to get this identity info?

I understand that you have a user that has some home IdP + ORCID id. This user can login via Unity acting as a proxy to home IdP. And now how ORCID fits here?

Best,
Krzysztof
|
From: Krzysztof B. <kb...@un...> - 2023-07-06 09:58:13
|
Hi Sander,

On 5.07.2023 at 13:15, Sander Apweiler wrote:
> Hi Krzysztof, hi Roman,
> we have a group in our instance who asked if it is possible to enforce
> MFA for all their members. I know unity can enforce MFA on a specific
> endpoint/realm, but I don't know a possibility to enforce it to users
> from a specific group. Can you confirm this or explain how it would
> work?

Unfortunately it is not supported. Of course you can enable "MFA user opt in" for all group users, but that can't be automated (and so will require additional action when a new user is added).

An improved solution would be to make management of the MFA opt in also possible using a regular attribute. Then one would be able to set up an attribute statement on the root group to set this MFA opt in to true for all members of a given group (or based on any other condition). But this will require additional MFA policies too, and we need a chain of decisions what happens in case of conflicts (e.g. user of that group has no 2F credential or unset her MFA opt-in). Most likely more sophisticated policies in authN flows would be needed as well.

Best,
Krzysztof
|
From: Sander A. <sa....@fz...> - 2023-07-06 08:42:13
|
Hi Krzysztof, hi Roman,
we see a growing number of requests to the ORCID ID of researchers and services who want this information from the IdM system. The primary identity of the users is bound to the home organisation. Since there are resources bound to these identities, we do not want to perform account linking, unless we can remove all privileges, based on the organisation login, of the users, if the user left the organisation. ORCID login is an alternative for researchers where the home organisation does not release all mandatory attributes.

Is it possible to get the ID directly from ORCID and storing this as attribute, without account/identity linking?

Best regards,
Sander
|
From: Sander A. <sa....@fz...> - 2023-07-05 11:16:14
|
Hi Krzysztof, hi Roman,
we have a group in our instance who asked if it is possible to enforce MFA for all their members. I know unity can enforce MFA on a specific endpoint/realm, but I don't know a possibility to enforce it to users from a specific group. Can you confirm this or explain how it would work?

Best regards,
Sander
|
From: Sander A. <sa....@fz...> - 2023-06-19 09:46:56
|
Dear Roman,
not yet since we are quite busy with preparing a summer school. Maybe later next week.

Best regards,
Sander

On Mon, 2023-06-19 at 11:40 +0200, Roman Krysiński wrote:
> Dear Sander,
>
> Is there any news with regards to additional information?
>
> Thank you,
> Roman
>
>
> Mon, 12 Jun 2023 at 10:35 Sander Apweiler <sa....@fz...> wrote:
> > Dear Krzysztof,
> > we will bring the information as soon as possible.
> >
> > Best regards,
> > Sander
> >
> > On Thu, 2023-06-08 at 10:16 +0200, Krzysztof Benedyczak wrote:
> > > Dear Laura, Sander,
> > >
> > > On 6.06.2023 at 13:19, Laura Hofer wrote:
> > > > Dear Krzysztof, Dear Roman,
> > > >
> > > > we were just about to install unity 3.13.0 and then start
> > > > testing. To do this, we first switched from unity 3.11.2 to
> > > > unity 3.12.0, then to 3.13.0. After that, we received an
> > > > application error message when logging in (see attached
> > > > screenshot). Unfortunately we could not find any error message
> > > > in the stack trace, so we switched back to 3.12.0. There we got
> > > > the same error message at login, but then we could also find an
> > > > error message in the stack trace. This is also attached as a
> > > > txt file.
> > >
> > > So we have found the problem in 3.12 causing your error. We can
> > > fix it, no problem, however I don't think it makes a lot of
> > > sense: it is a minor bug, which will only occur on a database
> > > which was run on 3.13, and then used in 3.12. This problem on
> > > 3.12 is also for sure 100% not related to the (serious) sign-in
> > > problem you observed on 3.13.
> > >
> > > That said, to investigate the real issue we need to get back to
> > > 3.13, and diagnose the problem in there. In case of error like in
> > > your screenshot, you should rather get a stacktrace or at least
> > > ERROR message in log. It is possible we have some omission in
> > > logging, but unlikely.
> > >
> > > Can you please first enable debug logging, then repeat your
> > > failing sign-in on 3.13 and inspect log files one more time (or
> > > share it with us)? We need to find some clues on what is failing.
> > > Without access to your database it will be the only way forward.
> > >
> > > Best,
> > > Krzysztof