From: Sander A. <sa....@fz...> - 2023-01-03 14:15:18

Hi Krzysztof,

On Tue, 2023-01-03 at 14:54 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 3.01.2023 at 07:39, Sander Apweiler wrote:
> > Dear Krzysztof,
> > first of all happy new year and all the best for 2023.
> >
> > After enabling two factor authentication on our services, we want to
> > signal the usage of it to the services. In SAML we want to use
> > https://refeds.org/profile/mfa in AuthnContextClassRef. In OIDC we want
> > to use the acr claim. Is this possible within Unity? I didn't find
> > anything in the manual about setting AuthnContextClassRef or acr.
>
> Unfortunately neither acr nor amr is implemented in Unity as of now.
> Same for SAML.
>
> > The second thing we are thinking about is proxying the information from
> > the upstream IdPs if there was 2FA used. I read that we can read the
> > AuthnContextClassRef in the SAML input translation profile.
>
> Yes, it is exposed as an attribute in the context.
>
> > Is there also an action which removes the old value, if this is not
> > covered in the next login anymore?
>
> Hm, I don't understand the question. In general I don't think it is
> possible to set AuthnContextClassRef in a SAML response manually. It
> should be possible to set acr manually in the output profile for the
> OAuth AS, although with some extra work (i.e. one would need to put that
> in the output profile + add it to some scope, like profile).

Let me try to explain it. When I store the value of the AuthnContextClassRef from the remote IdP in an attribute and it signals that 2FA was used, but on the next login the AuthnContextClassRef is not released by the IdP anymore, I cannot use the old value anymore and must assume that no 2FA was performed. Of course I can create some complex MVEL expression, but maybe there is an easier way to drop the old information if the AuthnContextClassRef is not sent by the remote IdP anymore.

Best regards,
Sander

> Best,
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren local court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Volker Rieke
Management Board: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior
-----------------------------------------------------------------------
From: Krzysztof B. <kb...@un...> - 2023-01-03 13:54:48

On 3.01.2023 at 14:51, Sander Apweiler wrote:
> Dear Krzysztof,
> thanks for the feedback. Yes, the reason is that the group managers want
> to invite only members to the group, to have some more control over the
> members, because group membership includes quotas and permissions on
> connected services. Would storing multiple email addresses of the user,
> if they are provided by the IdP, also help here?

Yes, I think so.
From: Krzysztof B. <kb...@un...> - 2023-01-03 13:54:22

Hi Sander,

On 3.01.2023 at 07:39, Sander Apweiler wrote:
> Dear Krzysztof,
> first of all happy new year and all the best for 2023.
>
> After enabling two factor authentication on our services, we want to
> signal the usage of it to the services. In SAML we want to use
> https://refeds.org/profile/mfa in AuthnContextClassRef. In OIDC we want
> to use the acr claim. Is this possible within Unity? I didn't find
> anything in the manual about setting AuthnContextClassRef or acr.

Unfortunately neither acr nor amr is implemented in Unity as of now. Same for SAML.

> The second thing we are thinking about is proxying the information from
> the upstream IdPs if there was 2FA used. I read that we can read the
> AuthnContextClassRef in the SAML input translation profile.

Yes, it is exposed as an attribute in the context.

> Is there also an action which removes the old value, if this is not
> covered in the next login anymore?

Hm, I don't understand the question. In general I don't think it is possible to set AuthnContextClassRef in a SAML response manually. It should be possible to set acr manually in the output profile for the OAuth AS, although with some extra work (i.e. one would need to put that in the output profile + add it to some scope, like profile).

Best,
Krzysztof
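The stale-value problem Sander raises in this thread (an MFA signal stored from one login and still present on the next, password-only login), together with Krzysztof's note that the upstream AuthnContextClassRef is available in the input-profile context, as an added Python example. This is not Unity code and not something from the list: it pulls the AuthnContextClassRef values out of a constructed, unsigned SAML assertion, recomputes the account's MFA attribute from scratch on every login, and exposes the result as the value an acr claim or an outgoing AuthnContextClassRef would carry. The function names, the attribute key mfa-context and the sample assertions are assumptions; Unity's MVEL variables are not modelled, and signature and validity checking of the assertion is assumed to have happened before this step.

```python
"""Re-derive an MFA signal on every login instead of carrying it over.

Added example, not Unity code. Assumed names: authn_context_refs,
derive_acr, apply_login, LocalAccount, the attribute key "mfa-context" and
the constructed assertions returned by sample_assertion(). Signature and
validity checks on the assertion are assumed to be done by the SAML stack
before this code runs.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

REFEDS_MFA = "https://refeds.org/profile/mfa"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MFA_ATTR = "mfa-context"   # assumed local attribute name


def authn_context_refs(assertion_xml: str) -> list[str]:
    """All AuthnContextClassRef values in the assertion (empty if none)."""
    root = ET.fromstring(assertion_xml)
    return [
        el.text.strip()
        for el in root.iterfind(".//saml:AuthnContextClassRef", SAML_NS)
        if el.text and el.text.strip()
    ]


def derive_acr(assertion_xml: str, local_second_factor: bool = False) -> Optional[str]:
    """What *this* login proves: REFEDS MFA if the upstream IdP asserted it
    or a local second factor was completed here; None otherwise."""
    if REFEDS_MFA in authn_context_refs(assertion_xml) or local_second_factor:
        return REFEDS_MFA
    return None


@dataclass
class LocalAccount:
    attributes: dict[str, list[str]] = field(default_factory=dict)

    def acr_claim(self) -> Optional[str]:
        """Value released downstream (OIDC acr / SAML AuthnContextClassRef)."""
        vals = self.attributes.get(MFA_ATTR)
        return vals[0] if vals else None


def apply_login(account: LocalAccount, assertion_xml: str,
                local_second_factor: bool = False) -> Optional[str]:
    """Replace, never merge: the previous login's MFA attribute is dropped
    before the current assertion is evaluated, so an IdP that stops sending
    the class reference leaves the account at 'no MFA' rather than at the
    value from last time."""
    account.attributes.pop(MFA_ATTR, None)
    acr = derive_acr(assertion_xml, local_second_factor)
    if acr is not None:
        account.attributes[MFA_ATTR] = [acr]
    return acr


def sample_assertion(class_ref: Optional[str]) -> str:
    """Constructed minimal SAML 2.0 assertion for the example (unsigned)."""
    authn = "" if class_ref is None else (
        '<saml:AuthnStatement AuthnInstant="2023-01-03T13:00:00Z">'
        "<saml:AuthnContext><saml:AuthnContextClassRef>"
        f"{class_ref}</saml:AuthnContextClassRef></saml:AuthnContext>"
        "</saml:AuthnStatement>"
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_example" Version="2.0" IssueInstant="2023-01-03T13:00:00Z">'
        "<saml:Issuer>https://idp.example.org/idp</saml:Issuer>"
        "<saml:Subject><saml:NameID>user@example.org</saml:NameID></saml:Subject>"
        f"{authn}</saml:Assertion>"
    )


if __name__ == "__main__":
    acct = LocalAccount()
    print(apply_login(acct, sample_assertion(REFEDS_MFA)), acct.acr_claim())
    print(apply_login(acct, sample_assertion(PPT)), acct.acr_claim())
```

The design choice is the unconditional pop before evaluation: the attribute is a statement about the current session, so it is recomputed from the current assertion and nothing else, which removes the need for the "complex MVEL expression" to detect a missing value.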
From: Sander A. <sa....@fz...> - 2023-01-03 13:52:12

Dear Krzysztof,

thanks for the feedback. Yes, the reason is that the group managers want to invite only members to the group, to have some more control over the members, because group membership includes quotas and permissions on connected services. Would storing multiple email addresses of the user, if they are provided by the IdP, also help here?

Best regards,
Sander

On Tue, 2023-01-03 at 14:06 +0100, Krzysztof Benedyczak wrote:
> Dear Sander,
>
> On 21.12.2022 at 11:06, Sander Apweiler wrote:
> > Dear Krzysztof,
> >
> > On Wed, 2022-12-21 at 10:54 +0100, Krzysztof Benedyczak wrote:
> > > Dear Sander,
> > >
> > > On 20.12.2022 at 15:22, Sander Apweiler wrote:
> > > > Dear Krzysztof,
> > > > we have a ticket from a user about a problem joining a group. He got
> > > > an invitation, but when he follows the link and selects that he
> > > > already has an account, an error is shown that the enquiry is not
> > > > applicable.
> > > >
> > > > The log just shows:
> > > > 2022-12-20T15:02:39,400 [qtp573262513-45704] DEBUG
> > > > unity.server.web.EnquiryWellKnownURLViewProvider: Enquiry form
> > > > DataHub-GFZ_TestmanagementJoinEnquiry is not applicable
> > > >
> > > > I saw that the user was in the group in the past. We checked if the
> > > > user is already in the group, but he is not. There is no open enquiry
> > > > of this user. Do you have some further hints for us why the user
> > > > can't follow this enquiry?
> > > Yes, however there is a bunch of points to be verified.
> > >
> > > 1. Please note down the condition of the enquiry form in question (if
> > > not empty) and other general settings (is it sticky? is it by
> > > invitation only?) - basically everything that is on the first screen
> > > of the enquiry configuration in the console.
> > It's sticky and by invitation only. Targeted group is / and only if the
> > upman managed group is not in the groups attribute. Automation has auto
> > accept if "validCode == true" and the addToGroup statement.
> >
> > > 2. For that user, in the console in the root group, please check what
> > > is the value (if any) of the FilledEnquiries attribute. Note that this
> > > is a system attribute, by default hidden; in the attributes viewer you
> > > have to enable showing such in the menu. (<- I think this is the most
> > > likely to be the reason)
> > The user only has the sys:policy-agreement-state attribute but not the
> > FilledEnquiries attribute.
>
> It took a while, but I was finally able to reproduce and understand what
> happens.
>
> So in this case the user U is invited with some email E1, but has an
> account in Unity with email E2. In such a case, Unity will show the
> registration form after following the registration link, but the user
> has an option to switch to an enquiry if he wants (i.e. can decide that
> instead of creating a new account he will bind another, the existing one
> with E2). And this fails as after switching to the enquiry, Unity stops
> treating the user as invited (as the invitation was sent to E2).
>
> I'll open a ticket to fix that.
>
> For the workaround: an invitation with the registered email (i.e. E1)
> should work perfectly. It will also work if the join enquiry is not set
> as "by invitation only". But AFAIR it was done for some (other) purpose,
> right?
>
> Best regards,
> Krzysztof
From: Krzysztof B. <kb...@un...> - 2023-01-03 13:07:17

Dear Sander,

On 21.12.2022 at 11:06, Sander Apweiler wrote:
> Dear Krzysztof,
>
> On Wed, 2022-12-21 at 10:54 +0100, Krzysztof Benedyczak wrote:
>> Dear Sander,
>>
>> On 20.12.2022 at 15:22, Sander Apweiler wrote:
>>> Dear Krzysztof,
>>> we have a ticket from a user about a problem joining a group. He got an
>>> invitation, but when he follows the link and selects that he already
>>> has an account, an error is shown that the enquiry is not applicable.
>>>
>>> The log just shows:
>>> 2022-12-20T15:02:39,400 [qtp573262513-45704] DEBUG
>>> unity.server.web.EnquiryWellKnownURLViewProvider: Enquiry form
>>> DataHub-GFZ_TestmanagementJoinEnquiry is not applicable
>>>
>>> I saw that the user was in the group in the past. We checked if the
>>> user is already in the group, but he is not. There is no open enquiry
>>> of this user. Do you have some further hints for us why the user can't
>>> follow this enquiry?
>> Yes, however there is a bunch of points to be verified.
>>
>> 1. Please note down the condition of the enquiry form in question (if
>> not empty) and other general settings (is it sticky? is it by invitation
>> only?) - basically everything that is on the first screen of the enquiry
>> configuration in the console.
> It's sticky and by invitation only. Targeted group is / and only if the
> upman managed group is not in the groups attribute. Automation has auto
> accept if "validCode == true" and the addToGroup statement.
>
>> 2. For that user, in the console in the root group, please check what is
>> the value (if any) of the FilledEnquiries attribute. Note that this is a
>> system attribute, by default hidden; in the attributes viewer you have
>> to enable showing such in the menu. (<- I think this is the most likely
>> to be the reason)
> The user only has the sys:policy-agreement-state attribute but not the
> FilledEnquiries attribute.

It took a while, but I was finally able to reproduce and understand what happens.

So in this case the user U is invited with some email E1, but has an account in Unity with email E2. In such a case, Unity will show the registration form after following the registration link, but the user has an option to switch to an enquiry if he wants (i.e. can decide that instead of creating a new account he will bind another, the existing one with E2). And this fails as after switching to the enquiry, Unity stops treating the user as invited (as the invitation was sent to E2).

I'll open a ticket to fix that.

For the workaround: an invitation with the registered email (i.e. E1) should work perfectly. It will also work if the join enquiry is not set as "by invitation only". But AFAIR it was done for some (other) purpose, right?

Best regards,
Krzysztof
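The check that the workaround in this message and Sander's follow-up question about storing multiple email addresses point at, as an added Python example (not Unity's enquiry code): an invitation sent to address E1 is accepted for an existing account whose primary address is E2 as long as E1 is one of the account's verified addresses, and the account is otherwise eligible. The names Invitation, Account, issue_invitation, enquiry_applicable and demo, and the sample addresses and group path, are assumptions; Unity's actual behaviour in this case is the bug described above.

```python
"""Match an invited join request against an existing account.

Added example, not Unity code. Assumed names: Invitation, Account,
issue_invitation, enquiry_applicable, demo; the addresses and the group
path in demo() are constructed sample data.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Invitation:
    code: str
    email: str              # address the invitation was sent to (E1 in the thread)
    group: str
    expires: datetime


@dataclass
class Account:
    emails: dict[str, bool] = field(default_factory=dict)   # address -> verified?
    groups: set[str] = field(default_factory=set)


def normalize(address: str) -> str:
    """Compare addresses case-insensitively and without surrounding whitespace
    (assumption: the IdP and the inviting manager may differ in case)."""
    return address.strip().lower()


def issue_invitation(email: str, group: str, now: datetime,
                     ttl: timedelta = timedelta(days=7)) -> Invitation:
    """Unguessable one-time code bound to an address, a group and a deadline."""
    return Invitation(secrets.token_urlsafe(32), email, group, now + ttl)


def enquiry_applicable(inv: Invitation, presented_code: str,
                       account: Account, now: datetime) -> tuple[bool, str]:
    """Decide whether the presented invitation may be bound to this account.

    The code is checked first, in constant time, so nothing about the account
    is revealed to someone holding a guessed or expired link."""
    if not hmac.compare_digest(inv.code.encode(), presented_code.encode()):
        return False, "invalid invitation code"
    if now >= inv.expires:
        return False, "invitation expired"
    if inv.group in account.groups:
        return False, "already a member of the target group"
    verified = {normalize(a) for a, ok in account.emails.items() if ok}
    if normalize(inv.email) not in verified:
        # An unverified alias is not enough: anyone could have typed it in.
        return False, "invitation not addressed to a verified address of this account"
    return True, "ok"


def demo() -> dict[str, tuple[bool, str]]:
    """Constructed scenario: invitation to E1, account registered with E2."""
    now = datetime(2023, 1, 3, 14, 0, tzinfo=timezone.utc)
    inv = issue_invitation("sander.e1@example.org", "/projects/datahub", now)
    with_alias = Account(emails={"sander.e2@example.org": True,
                                 "Sander.E1@example.org": True})
    alias_unverified = Account(emails={"sander.e2@example.org": True,
                                       "sander.e1@example.org": False})
    no_alias = Account(emails={"sander.e2@example.org": True})
    member = Account(emails={"sander.e1@example.org": True}, groups={inv.group})
    return {
        "verified alias": enquiry_applicable(inv, inv.code, with_alias, now),
        "unverified alias": enquiry_applicable(inv, inv.code, alias_unverified, now),
        "no alias": enquiry_applicable(inv, inv.code, no_alias, now),
        "already member": enquiry_applicable(inv, inv.code, member, now),
        "wrong code": enquiry_applicable(inv, "not-the-code", with_alias, now),
        "expired": enquiry_applicable(inv, inv.code, with_alias,
                                      now + timedelta(days=8)),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:17s} -> {outcome}")
```

The "no alias" case is exactly the E1/E2 mismatch from the thread, and the "unverified alias" case is why storing additional IdP-provided addresses only helps if their verification status is recorded with them.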
From: Sander A. <sa....@fz...> - 2023-01-03 06:40:18

Dear Krzysztof,

first of all happy new year and all the best for 2023.

After enabling two factor authentication on our services, we want to signal the usage of it to the services. In SAML we want to use https://refeds.org/profile/mfa in AuthnContextClassRef. In OIDC we want to use the acr claim. Is this possible within Unity? I didn't find anything in the manual about setting AuthnContextClassRef or acr.

The second thing we are thinking about is proxying the information from the upstream IdPs if there was 2FA used. I read that we can read the AuthnContextClassRef in the SAML input translation profile. Is there also an action which removes the old value, if this is not covered in the next login anymore?

Best regards,
Sander
From: Krzysztof B. <kb...@un...> - 2022-12-21 11:38:10

On 21.12.2022 at 10:05, Sander Apweiler wrote:
> Dear Krzysztof,
> by investigating a "No SAML context" error I had a look in the Unity
> manual. The link to the SAML howto [1] in section 13.3 does not exist
> any more.

Thanks for the heads up, will be fixed.

Krzysztof
From: Sander A. <sa....@fz...> - 2022-12-21 10:06:15

Dear Krzysztof,

On Wed, 2022-12-21 at 10:54 +0100, Krzysztof Benedyczak wrote:
> Dear Sander,
>
> On 20.12.2022 at 15:22, Sander Apweiler wrote:
> > Dear Krzysztof,
> > we have a ticket from a user about a problem joining a group. He got an
> > invitation, but when he follows the link and selects that he already
> > has an account, an error is shown that the enquiry is not applicable.
> >
> > The log just shows:
> > 2022-12-20T15:02:39,400 [qtp573262513-45704] DEBUG
> > unity.server.web.EnquiryWellKnownURLViewProvider: Enquiry form
> > DataHub-GFZ_TestmanagementJoinEnquiry is not applicable
> >
> > I saw that the user was in the group in the past. We checked if the
> > user is already in the group, but he is not. There is no open enquiry
> > of this user. Do you have some further hints for us why the user can't
> > follow this enquiry?
>
> Yes, however there is a bunch of points to be verified.
>
> 1. Please note down the condition of the enquiry form in question (if
> not empty) and other general settings (is it sticky? is it by invitation
> only?) - basically everything that is on the first screen of the enquiry
> configuration in the console.

It's sticky and by invitation only. Targeted group is / and only if the upman managed group is not in the groups attribute. Automation has auto accept if "validCode == true" and the addToGroup statement.

> 2. For that user, in the console in the root group, please check what is
> the value (if any) of the FilledEnquiries attribute. Note that this is a
> system attribute, by default hidden; in the attributes viewer you have
> to enable showing such in the menu. (<- I think this is the most likely
> to be the reason)

The user only has the sys:policy-agreement-state attribute but not the FilledEnquiries attribute.

Best regards,
Sander

> After having that info either we will know what is going on or I'll
> have to ask further, more precise questions.
>
> Best,
> Krzysztof
From: Krzysztof B. <kb...@un...> - 2022-12-21 09:54:25

Dear Sander,

On 20.12.2022 at 15:22, Sander Apweiler wrote:
> Dear Krzysztof,
> we have a ticket from a user about a problem joining a group. He got an
> invitation, but when he follows the link and selects that he already has
> an account, an error is shown that the enquiry is not applicable.
>
> The log just shows:
> 2022-12-20T15:02:39,400 [qtp573262513-45704] DEBUG
> unity.server.web.EnquiryWellKnownURLViewProvider: Enquiry form
> DataHub-GFZ_TestmanagementJoinEnquiry is not applicable
>
> I saw that the user was in the group in the past. We checked if the user
> is already in the group, but he is not. There is no open enquiry of this
> user. Do you have some further hints for us why the user can't follow
> this enquiry?

Yes, however there is a bunch of points to be verified.

1. Please note down the condition of the enquiry form in question (if not empty) and other general settings (is it sticky? is it by invitation only?) - basically everything that is on the first screen of the enquiry configuration in the console.

2. For that user, in the console in the root group, please check what is the value (if any) of the FilledEnquiries attribute. Note that this is a system attribute, by default hidden; in the attributes viewer you have to enable showing such in the menu. (<- I think this is the most likely to be the reason)

After having that info either we will know what is going on or I'll have to ask further, more precise questions.

Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2022-12-21 09:05:21

Dear Krzysztof,

by investigating a "No SAML context" error I had a look in the Unity manual. The link to the SAML howto [1] in section 13.3 does not exist any more.

Best regards,
Sander

[1]: https://www.unity-idm.eu/documentation/unity-3.11.2/manual.html#saml-howto.txt#
From: Sander A. <sa....@fz...> - 2022-12-20 14:22:56

Dear Krzysztof,

we have a ticket from a user about a problem joining a group. He got an invitation, but when he follows the link and selects that he already has an account, an error is shown that the enquiry is not applicable.

The log just shows:
2022-12-20T15:02:39,400 [qtp573262513-45704] DEBUG unity.server.web.EnquiryWellKnownURLViewProvider: Enquiry form DataHub-GFZ_TestmanagementJoinEnquiry is not applicable

I saw that the user was in the group in the past. We checked if the user is already in the group, but he is not. There is no open enquiry of this user. Do you have some further hints for us why the user can't follow this enquiry?

Best regards,
Sander Apweiler
From: Krzysztof B. <kb...@un...> - 2022-12-15 18:44:26

On 15.12.2022 at 15:26, Sander Apweiler wrote:
> Hi Krzysztof,
> eattr did not work because the information is in the same group where
> I need the new one. So I made it like you described in the last mail.
> Now I have all in one attribute and can release them in SCIM.

Wow, great :-)

Krzysztof
From: Sander A. <sa....@fz...> - 2022-12-15 14:26:46

Hi Krzysztof,

eattr did not work because the information is in the same group where I need the new one. So I made it like you described in the last mail. Now I have all in one attribute and can release them in SCIM.

Best regards,
Sander

On Thu, 2022-12-15 at 13:27 +0100, Sander Apweiler wrote:
> Hi Krzysztof,
> that's what I'm trying to do. But I did not use the external
> attributes. I'll try to do this ASAP.
>
> Thanks for your answers.
> Sander
>
> On Thu, 2022-12-15 at 13:25 +0100, Krzysztof Benedyczak wrote:
> > On 14.12.2022 at 16:18, Sander Apweiler wrote:
> > > Sorry I forgot to mention: eduPersonEntitlement-external is mapped
> > > in the input translation profile and eduPersonEntitlement-internal
> > > is created via two attribute statements with conflict resolution
> > > merge.
> >
> > OK. So wouldn't that work:
> >
> > create a 3rd dynamic attribute eduPersonEntitlement-all, which would
> > be set by 3 attribute statements: the 2 are the same as the ones used
> > for the -internal, plus a 3rd which will add -external (should work as
> > this is a regular attribute), of course all with conflict resolution
> > 'merge'.
> >
> > ?
> >
> > Cheers,
> > Krzysztof
>
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
From: Sander A. <sa....@fz...> - 2022-12-15 12:27:53

Hi Krzysztof,

that's what I'm trying to do. But I did not use the external attributes. I'll try to do this ASAP.

Thanks for your answers.
Sander

On Thu, 2022-12-15 at 13:25 +0100, Krzysztof Benedyczak wrote:
> On 14.12.2022 at 16:18, Sander Apweiler wrote:
> > Sorry I forgot to mention: eduPersonEntitlement-external is mapped in
> > the input translation profile and eduPersonEntitlement-internal is
> > created via two attribute statements with conflict resolution merge.
>
> OK. So wouldn't that work:
>
> create a 3rd dynamic attribute eduPersonEntitlement-all, which would be
> set by 3 attribute statements: the 2 are the same as the ones used for
> the -internal, plus a 3rd which will add -external (should work as this
> is a regular attribute), of course all with conflict resolution 'merge'.
>
> ?
>
> Cheers,
> Krzysztof
From: Krzysztof B. <kb...@un...> - 2022-12-15 12:25:41

On 14.12.2022 at 16:18, Sander Apweiler wrote:
> Sorry I forgot to mention: eduPersonEntitlement-external is mapped in
> the input translation profile and eduPersonEntitlement-internal is
> created via two attribute statements with conflict resolution merge.

OK. So wouldn't that work:

create a 3rd dynamic attribute eduPersonEntitlement-all, which would be set by 3 attribute statements: the 2 are the same as the ones used for the -internal, plus a 3rd which will add -external (should work as this is a regular attribute), of course all with conflict resolution 'merge'.

?

Cheers,
Krzysztof
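Krzysztof's proposal here (a third dynamic attribute fed by the same two statements that build -internal plus one that adds the regular -external attribute, all with conflict resolution 'merge'), together with Sander's earlier confirmation that reading the dynamic -internal attribute from within the same group did not work, as an added Python model. This is not Unity code: Unity evaluates MVEL statements in its own context, and the model reproduces only the rules stated in this thread (a statement sees the group's stored attributes as attr, and other groups' attributes, dynamic ones included, as eattr; 'merge' unions the values). The group paths, the membership and entitlement values, the AARC-style URN shape with the assumed authority suffix, and every helper name are assumptions.

```python
"""Attribute statements with 'merge' conflict resolution, simplified model.

Added example, not Unity code. It models only what the thread states: a
statement reads the group's *stored* attributes as `attr` and other groups'
attributes (dynamic ones included) as `eattr`; 'merge' unions values.
Group paths, attribute values, AUTHORITY and all helper names are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

Attrs = dict[str, list[str]]
Eattr = dict[str, Attrs]                       # other group path -> its attributes
Producer = Callable[[Attrs, Eattr], list[str]]


@dataclass
class Statement:
    target: str
    produce: Producer
    resolution: str = "merge"                  # merge | overwrite | skip


def evaluate_group(stored: Attrs, statements: list[Statement], eattr: Eattr) -> Attrs:
    """Stored attributes plus the dynamic ones the statements generate.

    `attr` handed to a producer is the stored set only: dynamic attributes
    produced earlier in the same group are not visible, which is why a
    statement that reads -internal from its own group comes back empty."""
    result: Attrs = {k: list(v) for k, v in stored.items()}
    for st in statements:
        values = list(dict.fromkeys(st.produce(stored, eattr)))   # de-dup, keep order
        if not values:
            continue
        current = result.get(st.target)
        if current is None or st.resolution == "overwrite":
            result[st.target] = values
        elif st.resolution == "merge":
            result[st.target] = current + [v for v in values if v not in current]
        elif st.resolution != "skip":
            raise ValueError(f"unknown conflict resolution: {st.resolution}")
    return result


AUTHORITY = "aai.example.org"                  # assumed entitlement authority


def group_entitlement(group_path: str) -> str:
    """AARC-style group entitlement: urn:geant:<ns>:group:<name>#<authority>."""
    return f"urn:geant:example.org:group:{group_path.rsplit('/', 1)[-1]}#{AUTHORITY}"


# Constructed stored attributes of the root group for one user.
ROOT_STORED: Attrs = {
    "memberOf": ["/projects/projectA", "/projects/projectB"],
    "eduPersonEntitlement-external": [
        "urn:mace:dir:entitlement:common-lib-terms",
        group_entitlement("/projects/projectA"),   # also derived internally: merged once
    ],
}


# Producers stand in for the bodies of the attribute statements.
def from_memberships(attr: Attrs, eattr: Eattr) -> list[str]:
    return [group_entitlement(g) for g in attr.get("memberOf", [])]

def from_admin_role(attr: Attrs, eattr: Eattr) -> list[str]:
    is_admin = "/projects/projectA" in attr.get("memberOf", [])
    return [f"urn:geant:example.org:role:admin#{AUTHORITY}"] if is_admin else []

def from_external(attr: Attrs, eattr: Eattr) -> list[str]:
    return attr.get("eduPersonEntitlement-external", [])

def from_internal_same_group(attr: Attrs, eattr: Eattr) -> list[str]:
    return attr.get("eduPersonEntitlement-internal", [])      # always empty here

def from_root_internal_via_eattr(attr: Attrs, eattr: Eattr) -> list[str]:
    return eattr.get("/", {}).get("eduPersonEntitlement-internal", [])


ROOT_STATEMENTS = [
    Statement("eduPersonEntitlement-internal", from_memberships),
    Statement("eduPersonEntitlement-internal", from_admin_role),
    Statement("eduPersonEntitlement-broken", from_internal_same_group),
    # The proposal from the thread: repeat the -internal statements, add -external.
    Statement("eduPersonEntitlement-all", from_memberships),
    Statement("eduPersonEntitlement-all", from_admin_role),
    Statement("eduPersonEntitlement-all", from_external),
]


def root_attributes() -> Attrs:
    return evaluate_group(ROOT_STORED, ROOT_STATEMENTS, eattr={})


def scim_entitlements() -> list[str]:
    """The single attribute a SCIM mapping can release."""
    return root_attributes()["eduPersonEntitlement-all"]


def subgroup_view() -> list[str]:
    """From another group, the root's dynamic -internal is reachable via eattr."""
    sub = evaluate_group({}, [Statement("eduPersonEntitlement-copy", from_root_internal_via_eattr)],
                         eattr={"/": root_attributes()})
    return sub["eduPersonEntitlement-copy"]


if __name__ == "__main__":
    print(scim_entitlements())
```

Running it shows the two behaviours the thread relies on: eduPersonEntitlement-broken never appears in the root group because its only source is a same-group dynamic attribute, while eduPersonEntitlement-all ends up with the union of both internal statements and the external attribute, with the projectA entitlement present once even though two sources contribute it.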
From: Sander A. <sa....@fz...> - 2022-12-14 15:18:23

Sorry I forgot to mention: eduPersonEntitlement-external is mapped in the input translation profile and eduPersonEntitlement-internal is created via two attribute statements with conflict resolution merge.

Best regards,
Sander

On Wed, 2022-12-14 at 16:16 +0100, Sander Apweiler wrote:
> Dear Krzysztof,
> being more precise. We have some entitlements coming from the upstream
> IdPs as eduPersonEntitlement and stored as eduPersonEntitlement-external.
> Then we have some other information like group membership information,
> expressed according to the AARC guideline, stored in
> eduPersonEntitlement-internal. In the output translation profiles for
> SAML and OAuth we are merging those two values. And we would need to do
> the same for SCIM to release the entitlements there as well. During my
> tests I was not able to combine the two attributes here.
>
> Best regards,
> Sander
>
> On Wed, 2022-12-14 at 15:49 +0100, Krzysztof Benedyczak wrote:
> > On 14.12.2022 at 15:47, Krzysztof Benedyczak wrote:
> > > Dear Sander,
> > >
> > > On 13.12.2022 at 09:35, Sander Apweiler wrote:
> > > > Dear Krzysztof,
> > > > we are using attribute statements to create some attributes. One
> > > > of them is the internal entitlements, where we express group
> > > > membership information in a specific format. When we started to
> > > > configure the SCIM API, we encountered that we can release here
> > > > only single attributes but cannot merge two attributes like we did
> > > > in the SAML/OAuth output translation profiles. For this reason we
> > > > created another attribute statement, which merges external and
> > > > internal entitlements. Sadly this only works for the external
> > > > entitlements, but not for the internal ones (created by attribute
> > > > statements). So my question is, can I use attributes which were
> > > > created by an attribute statement within another attribute
> > > > statement?
> > >
> > > To answer the specific question: yes, an attribute statement
> > > generating a dynamic attribute can use a dynamic attribute generated
> > > by another attribute statement, however only in another group (i.e.
> > > such other dynamic attribute can only be accessed using the eattr
> > > variable).
> > >
> > > Regarding your specific problem, let me ensure I understand it
> > > completely.
> > >
> > > So you have an internalEntitlements dynamic attribute and a regular
> > > attribute with externalEntitlements. Now you want to output over the
> > > SCIM API an attribute which will have a union of the values of
> > > internalEntitlements and externalEntitlements?
> >
> > Maybe an additional explanation: I'm asking as I think that the above
> > case is supported in the SCIM configuration, and so I guess your
> > scenario is more complex.
From: Sander A. <sa....@fz...> - 2022-12-14 15:16:44

Dear Krzysztof,

being more precise. We have some entitlements coming from the upstream IdPs as eduPersonEntitlement and stored as eduPersonEntitlement-external. Then we have some other information like group membership information, expressed according to the AARC guideline, stored in eduPersonEntitlement-internal. In the output translation profiles for SAML and OAuth we are merging those two values. And we would need to do the same for SCIM to release the entitlements there as well. During my tests I was not able to combine the two attributes here.

Best regards,
Sander

On Wed, 2022-12-14 at 15:49 +0100, Krzysztof Benedyczak wrote:
> On 14.12.2022 at 15:47, Krzysztof Benedyczak wrote:
> > Dear Sander,
> >
> > On 13.12.2022 at 09:35, Sander Apweiler wrote:
> > > Dear Krzysztof,
> > > we are using attribute statements to create some attributes. One of
> > > them is the internal entitlements, where we express group membership
> > > information in a specific format. When we started to configure the
> > > SCIM API, we encountered that we can release here only single
> > > attributes but cannot merge two attributes like we did in the
> > > SAML/OAuth output translation profiles. For this reason we created
> > > another attribute statement, which merges external and internal
> > > entitlements. Sadly this only works for the external entitlements,
> > > but not for the internal ones (created by attribute statements). So
> > > my question is, can I use attributes which were created by an
> > > attribute statement within another attribute statement?
> >
> > To answer the specific question: yes, an attribute statement
> > generating a dynamic attribute can use a dynamic attribute generated
> > by another attribute statement, however only in another group (i.e.
> > such other dynamic attribute can only be accessed using the eattr
> > variable).
> >
> > Regarding your specific problem, let me ensure I understand it
> > completely.
> >
> > So you have an internalEntitlements dynamic attribute and a regular
> > attribute with externalEntitlements. Now you want to output over the
> > SCIM API an attribute which will have a union of the values of
> > internalEntitlements and externalEntitlements?
>
> Maybe an additional explanation: I'm asking as I think that the above
> case is supported in the SCIM configuration, and so I guess your
> scenario is more complex.
From: Krzysztof B. <kb...@un...> - 2022-12-14 14:49:49
On 14.12.2022 at 15:47, Krzysztof Benedyczak wrote:
> Dear Sander,
>
> On 13.12.2022 at 09:35, Sander Apweiler wrote:
>> Dear Krzysztof,
>> we are using attribute statements to create some attributes. One of
>> them is the internal entitlements, where we express group
>> membership information in a specific format. When we started to
>> configure the SCIM API, we encountered that we can release here only
>> single attributes but cannot merge two attributes like we did in
>> SAML/OAuth output translation profiles. For this reason we created
>> another attribute statement, which merges external and internal
>> entitlements. Sadly this only works for the external entitlements, but
>> not for the internal ones (created by attribute statements). So my
>> question is, can I use attributes which were created by an attribute
>> statement within another attribute statement?
>
> To answer the specific question: yes, an attribute statement
> generating a dynamic attribute can use a dynamic attribute generated by another
> attribute statement, however only in another group (i.e. such other
> dynamic attribute can only be accessed using the eattr variable).
>
> Regarding your specific problem, let me make sure I understand it
> completely.
>
> So you have an internalEntitlements dynamic attribute and a regular
> attribute with externalEntitlements. Now you want to output over the SCIM
> API an attribute which will have a union of the values of
> internalEntitlements and externalEntitlements?

Maybe an additional explanation: I'm asking, as I think that the above case is supported in the SCIM configuration, and so I guess your scenario is more complex.
From: Krzysztof B. <kb...@un...> - 2022-12-14 14:47:37
Dear Sander,

On 13.12.2022 at 09:35, Sander Apweiler wrote:
> Dear Krzysztof,
> we are using attribute statements to create some attributes. One of
> them is the internal entitlements, where we express group
> membership information in a specific format. When we started to
> configure the SCIM API, we encountered that we can release here only
> single attributes but cannot merge two attributes like we did in
> SAML/OAuth output translation profiles. For this reason we created
> another attribute statement, which merges external and internal
> entitlements. Sadly this only works for the external entitlements, but
> not for the internal ones (created by attribute statements). So my
> question is, can I use attributes which were created by an attribute
> statement within another attribute statement?

To answer the specific question: yes, an attribute statement generating a dynamic attribute can use a dynamic attribute generated by another attribute statement, however only in another group (i.e. such other dynamic attribute can only be accessed using the eattr variable).

Regarding your specific problem, let me make sure I understand it completely.

So you have an internalEntitlements dynamic attribute and a regular attribute with externalEntitlements. Now you want to output over the SCIM API an attribute which will have a union of the values of internalEntitlements and externalEntitlements?

Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2022-12-13 08:35:27
Dear Krzysztof,

we are using attribute statements to create some attributes. One of them is the internal entitlements, where we express group membership information in a specific format. When we started to configure the SCIM API, we encountered that we can release here only single attributes but cannot merge two attributes like we did in SAML/OAuth output translation profiles. For this reason we created another attribute statement, which merges external and internal entitlements. Sadly this only works for the external entitlements, but not for the internal ones (created by attribute statements). So my question is, can I use attributes which were created by an attribute statement within another attribute statement?

Best regards,
Sander
From: Krzysztof B. <kb...@un...> - 2022-12-12 14:18:35
Hi Sander,

On 12.12.2022 at 07:04, Sander Apweiler wrote:
> Good Morning Krzysztof,
> we tried "Invitation to ${formName}" in the invitation with code. We
> tried with and without the ". It worked when we set it in the UI, but
> loading from the config files, unity had an error because variable
> formName was unknown.

Yes, this is because there are config-file variables which are resolved by the file configuration processor. To work around clashes (where the ${} variable is tried to be expanded by the configuration file processor) you can use the alternative form of template variable marking, which is {{YOUR_VAR_NAME}}

HTH,
Krzysztof
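The clash Krzysztof describes is a two-phase expansion problem: one syntax is consumed by the config-file loader at startup, the other by the message-template engine at send time, and a template variable written in the loader's syntax is rejected before any message exists. The following is an added example written for this thread, not Unity's code; the loader, renderer, the `${name}` / `{{name}}` regexes and the sample variable names are all assumptions that only mirror the behaviour described above.

```python
import re
from typing import Dict, Tuple

# Assumed syntaxes: ${name} is expanded by the config-file loader at startup,
# {{name}} by the message-template engine at send time. Both expanders below
# are written for this example and are not taken from Unity.
CONFIG_VAR = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")
TEMPLATE_VAR = re.compile(r"\{\{([A-Za-z_][A-Za-z0-9_]*)\}\}")


class ConfigError(ValueError):
    """Raised at startup when a ${...} reference has no config-file definition."""


def load_config_value(raw: str, config_vars: Dict[str, str]) -> str:
    """Phase 1: expand ${name} from variables defined in the config file.
    An unknown name is fatal here, i.e. the server does not start."""
    def expand(m: re.Match) -> str:
        name = m.group(1)
        if name not in config_vars:
            raise ConfigError(f"unknown config variable: {name}")
        return config_vars[name]
    return CONFIG_VAR.sub(expand, raw)


def render_template(subject: str, template_vars: Dict[str, str]) -> str:
    """Phase 2: expand {{name}} with values that exist only when a message is sent."""
    missing = [n for n in TEMPLATE_VAR.findall(subject) if n not in template_vars]
    if missing:
        raise KeyError(f"template variables not provided: {missing}")
    return TEMPLATE_VAR.sub(lambda m: template_vars[m.group(1)], subject)


def startup_then_send(raw_subject: str, config_vars: Dict[str, str],
                      template_vars: Dict[str, str]) -> Tuple[str, str]:
    """Run both phases in order and report which one failed, if any."""
    try:
        loaded = load_config_value(raw_subject, config_vars)
    except ConfigError as e:
        return ("startup-error", str(e))
    try:
        return ("ok", render_template(loaded, template_vars))
    except KeyError as e:
        return ("send-error", str(e))


if __name__ == "__main__":
    # Constructed sample values: SERVICE_NAME is a config-file variable,
    # formName is a template variable known only when the invitation is sent.
    config_vars = {"SERVICE_NAME": "Example IdM"}
    template_vars = {"formName": "Registration"}
    for subject in ("Invitation to ${formName}",
                    "Invitation to {{formName}}",
                    "${SERVICE_NAME}: invitation to {{formName}}"):
        print(subject, "->", startup_then_send(subject, config_vars, template_vars))
```

The first subject fails at startup because `formName` is not a config-file variable; the second passes the loader untouched and is filled in at send time; the third shows that both syntaxes can coexist in one subject as long as each name is in the phase that owns it.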
From: Sander A. <sa....@fz...> - 2022-12-12 06:04:49
Good Morning Krzysztof,

we tried "Invitation to ${formName}" in the invitation with code. We tried with and without the ". It worked when we set it in the UI, but loading from the config files, unity had an error because variable formName was unknown.

Best regards,
Sander

On Fri, 2022-12-09 at 14:59 +0100, Krzysztof Benedyczak wrote:
> Hi,
>
> On 9.12.2022 at 12:24, Sander Apweiler wrote:
> > Hi Krzysztof,
> > during the rework of our message templates we realised that the
> > predefined variables are not working in message subjects. Unity is
> > not starting because the variables are not defined. Is there a way to
> > hide the variable during unity start-up but use it in the subject?
>
> Can you please add an example? I.e. a not working subject with a
> variable that you used?
>
> Thanks,
> Krzysztof
>
From: Krzysztof B. <kb...@un...> - 2022-12-09 13:59:37
Hi,

On 9.12.2022 at 12:24, Sander Apweiler wrote:
> Hi Krzysztof,
> during the rework of our message templates we realised that the
> predefined variables are not working in message subjects. Unity is not
> starting because the variables are not defined. Is there a way to hide
> the variable during unity start-up but use it in the subject?

Can you please add an example? I.e. a not working subject with a variable that you used?

Thanks,
Krzysztof
From: Sander A. <sa....@fz...> - 2022-12-09 11:24:42
Hi Krzysztof,

during the rework of our message templates we realised that the predefined variables are not working in message subjects. Unity is not starting because the variables are not defined. Is there a way to hide the variable during unity start-up but use it in the subject?

Best regards,
Sander
From: Krzysztof B. <kb...@un...> - 2022-12-05 10:22:49
Dear Sander,

On 2.12.2022 at 12:43, Sander Apweiler wrote:
> Dear Krzysztof,
> is there a limitation in the supported authnContextClasses? We have a
> client which requires a context class in their configuration. They
> tried different ones which seem to fit, but they receive just the message
> "This implementation doesn't support requests with
> RequestedAuthnContext set." Or does this message mean that service
> providers must not set this?

Yes, Unity does not support *requesting* authN context. Requesting authN context is a gigantic framework which governs which authN options the user should get. This is very orthogonal to the approach where the Unity admin controls how to authenticate the user. Supporting that (even in a very limited form, as this part of SAML is almost endless) would be a bigger work, I'm afraid.

What I think we can implement with a fairly low effort would be to support requesting the "unspecified" SAML authn context. I'd need to verify it though (i.e. whether it is allowed).

Best,
Krzysztof
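Since the IdP described above rejects requests that carry a RequestedAuthnContext, a service provider cannot have its context requirement enforced on the request side and has to check the AuthnContextClassRef that actually comes back in the assertion, failing closed when none is present. Below is an added example of that response-side check, written for this thread and not code from Unity or from the client in question; the assertion is a constructed, unsigned sample, and `SP_REQUIRED_CONTEXT` is a placeholder for whatever class the SP's own policy names.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Set

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Standard SAML 2.0 authentication context class URIs.
AC_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
AC_PASSWORD_PT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# Placeholder (assumption) for the class an SP's policy might actually require.
SP_REQUIRED_CONTEXT = "urn:example:sp-required-authn-context"


def authn_context_classes(assertion_xml: str) -> List[str]:
    """Collect every AuthnContextClassRef carried by the assertion's AuthnStatements."""
    root = ET.fromstring(assertion_xml)
    path = (f".//{{{SAML_NS}}}AuthnStatement/{{{SAML_NS}}}AuthnContext/"
            f"{{{SAML_NS}}}AuthnContextClassRef")
    return [(e.text or "").strip() for e in root.findall(path)]


def authn_context_acceptable(assertion_xml: str, accepted: Set[str]) -> bool:
    """SP-side policy decision: every reported class must be one the SP accepts,
    and an assertion without any class fails closed. This is the check that
    replaces trusting a RequestedAuthnContext the IdP never evaluated."""
    classes = authn_context_classes(assertion_xml)
    if not classes:
        return False
    return all(c in accepted for c in classes)


def constructed_assertion(class_ref: Optional[str] = None) -> str:
    """Constructed, unsigned sample assertion for this example only. A real SP
    verifies the signature, Conditions and SubjectConfirmation before reading
    anything; this block deliberately covers only the AuthnContext decision.
    Passing None models a response that carries no class reference."""
    context = (f"<saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}"
               f"</saml:AuthnContextClassRef></saml:AuthnContext>"
               if class_ref else "<saml:AuthnContext/>")
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-1" Version="2.0" '
            f'IssueInstant="2022-12-05T10:00:00Z">'
            f'<saml:Issuer>https://idp.example.org/saml</saml:Issuer>'
            f'<saml:AuthnStatement AuthnInstant="2022-12-05T10:00:00Z">{context}'
            f'</saml:AuthnStatement></saml:Assertion>')


if __name__ == "__main__":
    sample = constructed_assertion(AC_PASSWORD_PT)
    print("reported classes:", authn_context_classes(sample))
    print("accepts password over TLS:",
          authn_context_acceptable(sample, {AC_PASSWORD_PT, AC_UNSPECIFIED}))
    print("meets stricter SP policy:",
          authn_context_acceptable(sample, {SP_REQUIRED_CONTEXT}))
    print("no class reported:",
          authn_context_acceptable(constructed_assertion(None), {AC_PASSWORD_PT}))
```

The accepted set is the SP's policy; keeping it explicit (rather than accepting anything the IdP reports) is what makes the lack of request-side enforcement safe, because an assertion authenticated with a weaker method than the SP tolerates is rejected at the SP instead of silently accepted.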