From: Sander A. <sa....@fz...> - 2022-12-14 15:18:23
Sorry I forgot to mention: eduPersonEntitlement-external is mapped in the input translation profile and eduPersonEntitlement-internal is created via two attribute statements with conflict resolution "merge".

Best regards,
Sander

On Wed, 2022-12-14 at 16:16 +0100, Sander Apweiler wrote:
> Dear Krzysztof,
> being more precise. We have some entitlements coming from the upstream IdPs as eduPersonEntitlement and stored as eduPersonEntitlement-external. Then we have some other information like group membership information, expressed according to the AARC guideline, stored in eduPersonEntitlement-internal. In output translation profiles for SAML and OAuth we are merging those two values. And we would need to do the same for SCIM to release there the entitlements as well. During my tests I was not able to combine here the two attributes.
>
> Best regards,
> Sander
>
> On Wed, 2022-12-14 at 15:49 +0100, Krzysztof Benedyczak wrote:
> > On 14.12.2022 at 15:47, Krzysztof Benedyczak wrote:
> > > Dear Sander,
> > >
> > > On 13.12.2022 at 09:35, Sander Apweiler wrote:
> > > > Dear Krzysztof,
> > > > we are using attribute statements to create some attributes. One of them is the internal entitlements, where we express group membership information in a specific format. When we started to configure the SCIM API, we encountered that we can release here only single attributes but cannot merge two attributes like we did in SAML/OAuth output translation profiles. For this reason we created another attribute statement, which merges external and internal entitlements. Sadly this only works for the external entitlements, but not for the internals (created by attribute statements). So my question is, can I use attributes, which were created by an attribute statement, within another attribute statement?
> > >
> > > To answer the specific question: yes, an attribute statement generating a dynamic attribute can use a dynamic attribute generated by another attribute statement, however only in another group (i.e. such other dynamic attribute can only be accessed using the eattr variable).
> > >
> > > Regarding your specific problem, let me ensure I understand it completely.
> > >
> > > So you have an internalEntitlements dynamic attribute and a regular attribute with externalEntitlements. Now you want to output over the SCIM API an attribute which will have a union of the values of internalEntitlements and externalEntitlements?
> >
> > Maybe an additional explanation: I'm asking, as I think that the above case is supported in SCIM configuration, and so I guess your scenario is more complex.

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren district court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Volker Rieke
Management: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior
-----------------------------------------------------------------------

From: Sander A. <sa....@fz...> - 2022-12-14 15:16:44
Dear Krzysztof,
being more precise. We have some entitlements coming from the upstream IdPs as eduPersonEntitlement and stored as eduPersonEntitlement-external. Then we have some other information like group membership information, expressed according to the AARC guideline, stored in eduPersonEntitlement-internal. In output translation profiles for SAML and OAuth we are merging those two values. And we would need to do the same for SCIM to release there the entitlements as well. During my tests I was not able to combine here the two attributes.

Best regards,
Sander

On Wed, 2022-12-14 at 15:49 +0100, Krzysztof Benedyczak wrote:
> On 14.12.2022 at 15:47, Krzysztof Benedyczak wrote:
> > Dear Sander,
> >
> > On 13.12.2022 at 09:35, Sander Apweiler wrote:
> > > Dear Krzysztof,
> > > we are using attribute statements to create some attributes. One of them is the internal entitlements, where we express group membership information in a specific format. When we started to configure the SCIM API, we encountered that we can release here only single attributes but cannot merge two attributes like we did in SAML/OAuth output translation profiles. For this reason we created another attribute statement, which merges external and internal entitlements. Sadly this only works for the external entitlements, but not for the internals (created by attribute statements). So my question is, can I use attributes, which were created by an attribute statement, within another attribute statement?
> >
> > To answer the specific question: yes, an attribute statement generating a dynamic attribute can use a dynamic attribute generated by another attribute statement, however only in another group (i.e. such other dynamic attribute can only be accessed using the eattr variable).
> >
> > Regarding your specific problem, let me ensure I understand it completely.
> >
> > So you have an internalEntitlements dynamic attribute and a regular attribute with externalEntitlements. Now you want to output over the SCIM API an attribute which will have a union of the values of internalEntitlements and externalEntitlements?
>
> Maybe an additional explanation: I'm asking, as I think that the above case is supported in SCIM configuration, and so I guess your scenario is more complex.

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

From: Krzysztof B. <kb...@un...> - 2022-12-14 14:49:49
On 14.12.2022 at 15:47, Krzysztof Benedyczak wrote:
> Dear Sander,
>
> On 13.12.2022 at 09:35, Sander Apweiler wrote:
>> Dear Krzysztof,
>> we are using attribute statements to create some attributes. One of them is the internal entitlements, where we express group membership information in a specific format. When we started to configure the SCIM API, we encountered that we can release here only single attributes but cannot merge two attributes like we did in SAML/OAuth output translation profiles. For this reason we created another attribute statement, which merges external and internal entitlements. Sadly this only works for the external entitlements, but not for the internals (created by attribute statements). So my question is, can I use attributes, which were created by an attribute statement, within another attribute statement?
>
> To answer the specific question: yes, an attribute statement generating a dynamic attribute can use a dynamic attribute generated by another attribute statement, however only in another group (i.e. such other dynamic attribute can only be accessed using the eattr variable).
>
> Regarding your specific problem, let me ensure I understand it completely.
>
> So you have an internalEntitlements dynamic attribute and a regular attribute with externalEntitlements. Now you want to output over the SCIM API an attribute which will have a union of the values of internalEntitlements and externalEntitlements?

Maybe an additional explanation: I'm asking, as I think that the above case is supported in SCIM configuration, and so I guess your scenario is more complex.

From: Krzysztof B. <kb...@un...> - 2022-12-14 14:47:37
Dear Sander,

On 13.12.2022 at 09:35, Sander Apweiler wrote:
> Dear Krzysztof,
> we are using attribute statements to create some attributes. One of them is the internal entitlements, where we express group membership information in a specific format. When we started to configure the SCIM API, we encountered that we can release here only single attributes but cannot merge two attributes like we did in SAML/OAuth output translation profiles. For this reason we created another attribute statement, which merges external and internal entitlements. Sadly this only works for the external entitlements, but not for the internals (created by attribute statements). So my question is, can I use attributes, which were created by an attribute statement, within another attribute statement?

To answer the specific question: yes, an attribute statement generating a dynamic attribute can use a dynamic attribute generated by another attribute statement, however only in another group (i.e. such other dynamic attribute can only be accessed using the eattr variable).

Regarding your specific problem, let me ensure I understand it completely.

So you have an internalEntitlements dynamic attribute and a regular attribute with externalEntitlements. Now you want to output over the SCIM API an attribute which will have a union of the values of internalEntitlements and externalEntitlements?

Best,
Krzysztof

From: Sander A. <sa....@fz...> - 2022-12-13 08:35:27
Dear Krzysztof,
we are using attribute statements to create some attributes. One of them is the internal entitlements, where we express group membership information in a specific format. When we started to configure the SCIM API, we encountered that we can release here only single attributes but cannot merge two attributes like we did in SAML/OAuth output translation profiles. For this reason we created another attribute statement, which merges external and internal entitlements. Sadly this only works for the external entitlements, but not for the internals (created by attribute statements). So my question is, can I use attributes, which were created by an attribute statement, within another attribute statement?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

From: Krzysztof B. <kb...@un...> - 2022-12-12 14:18:35
Hi Sander,

On 12.12.2022 at 07:04, Sander Apweiler wrote:
> Good Morning Krzysztof,
> we tried "Invitation to ${formName}" in the invitation with code. We tried with and without the ". It worked when we set it in the UI, but loading from the config files, unity had an error because variable formName was unknown.

Yes, this is because there are config-file variables which are resolved by the file configuration processor. To work around clashes (so that the ${} variable is not tried to be expanded by the configuration file processor) you can use the alternative form of template variable marking, which is {{YOUR_VAR_NAME}}

HTH,
Krzysztof

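The two-stage expansion Krzysztof describes, as an added illustration that is not Unity's own code: a constructed config-file loader that expands ${NAME} at startup and fails hard on unknown names, and a separate template renderer that fills {{NAME}} only at send time. The config variable names (CONF, BASE_URL), the loader and renderer behaviour, and the function names are all assumptions made for this example.

```python
import re

# Constructed config-file variables, standing in for whatever the real
# configuration processor knows at startup (assumption for this example).
CONFIG_VARS = {"CONF": "/etc/unity", "BASE_URL": "https://idm.example.org"}

CONFIG_PATTERN = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_.]*)\}")     # ${NAME}
TEMPLATE_PATTERN = re.compile(r"\{\{([A-Za-z_][A-Za-z0-9_.]*)\}\}")  # {{NAME}}


class UnknownConfigVariable(Exception):
    """Raised at load time when ${...} names a variable the loader does not know."""


def expand_config(value: str, variables: dict = CONFIG_VARS) -> str:
    """Stage 1: the config-file loader. Every ${NAME} must be resolvable at
    startup; an unknown name is a startup error, which is the failure mode
    reported in the thread when a template placeholder used the same syntax."""
    def repl(m):
        name = m.group(1)
        if name not in variables:
            raise UnknownConfigVariable(name)
        return variables[name]
    return CONFIG_PATTERN.sub(repl, value)


def render_template(value: str, context: dict) -> str:
    """Stage 2: the message-template engine, run only when a message is sent.
    {{NAME}} is filled from the per-message context; names missing from the
    context are left untouched (assumed behaviour of this toy engine)."""
    return TEMPLATE_PATTERN.sub(lambda m: str(context.get(m.group(1), m.group(0))), value)


def load_subject(raw_subject: str) -> str:
    """Simulates reading one message-template subject from a config file:
    only stage 1 runs here, so ${...} is resolved (or rejected) immediately."""
    return expand_config(raw_subject)


def send_subject(loaded_subject: str, form_name: str) -> str:
    """Simulates sending: stage 2 fills the template placeholder."""
    return render_template(loaded_subject, {"formName": form_name})


def demo():
    # Clashing form: the loader tries to expand ${formName} itself and fails.
    try:
        load_subject("Invitation to ${formName}")
        clash = "loaded"
    except UnknownConfigVariable as e:
        clash = f"startup error: unknown variable {e}"
    # Alternative marking: survives stage 1 untouched, filled by stage 2.
    loaded = load_subject("Invitation to {{formName}}")
    sent = send_subject(loaded, "Project registration")
    # A genuine config variable in the same subject is still expanded at load.
    with_config = load_subject("Invitation from ${BASE_URL} to {{formName}}")
    return clash, loaded, sent, with_config


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of keeping the two syntaxes distinct is that the loader can stay strict (an unknown ${} at startup is a misconfiguration worth failing on) while per-message values, which do not exist until send time, use a marker the loader never touches.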
From: Sander A. <sa....@fz...> - 2022-12-12 06:04:49
Good Morning Krzysztof,
we tried "Invitation to ${formName}" in the invitation with code. We tried with and without the ". It worked when we set it in the UI, but loading from the config files, unity had an error because variable formName was unknown.

Best regards,
Sander

On Fri, 2022-12-09 at 14:59 +0100, Krzysztof Benedyczak wrote:
> Hi,
>
> On 9.12.2022 at 12:24, Sander Apweiler wrote:
> > Hi Krzysztof,
> > during the rework of our message templates we realised that the predefined variables are not working in message subjects. Unity is not starting because the variables are not defined. Is there a way to hide the variable during unity start up but use it in the subject?
>
> Can you please add an example? I.e. a not working subject with a variable that you used?
>
> Thanks,
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

From: Krzysztof B. <kb...@un...> - 2022-12-09 13:59:37
Hi,

On 9.12.2022 at 12:24, Sander Apweiler wrote:
> Hi Krzysztof,
> during the rework of our message templates we realised that the predefined variables are not working in message subjects. Unity is not starting because the variables are not defined. Is there a way to hide the variable during unity start up but use it in the subject?

Can you please add an example? I.e. a not working subject with a variable that you used?

Thanks,
Krzysztof

From: Sander A. <sa....@fz...> - 2022-12-09 11:24:42
Hi Krzysztof,
during the rework of our message templates we realised that the predefined variables are not working in message subjects. Unity is not starting because the variables are not defined. Is there a way to hide the variable during unity start up but use it in the subject?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

From: Krzysztof B. <kb...@un...> - 2022-12-05 10:22:49
Dear Sander,

On 2.12.2022 at 12:43, Sander Apweiler wrote:
> Dear Krzysztof,
> is there a limitation in the supported authnContextClasses? We have a client which requires a context class in their configuration. They tried different ones which seem to fit but they receive just the message "This implementation doesn't support requests with RequestedAuthnContext set." Or does this message mean that service providers must not set this?

Yes, Unity does not support *requesting* authN context. Requesting authN context is a gigantic framework which governs which authN options the user should get. This is very orthogonal to the approach where the Unity admin controls how to authenticate the user. Supporting that (even in very limited form, as this part of SAML is almost endless) would be a bigger work I'm afraid.

What I think we can implement with a fairly low effort would be to support requesting the "unspecified" SAML authn context. I'd need to verify it though (i.e. whether it is allowed).

Best,
Krzysztof

From: Krzysztof B. <kb...@un...> - 2022-12-02 15:24:40
Hi Sander,

(This reply likely won't be correctly threaded under your original email, sorry about that -> result of recent problems with the email provider we experienced)

> Hi Krzysztof,
> we have one user where we get IllegalStateException with the message "Comitted" at one service, stacktrace is attached.
>
> The user only receives it for this service and the service works for other users. Do you have a hint what could raise this exception?
>
> Best regards,
> Sander

That's a Jetty error, i.e. related to the HTTP protocol or even something at a lower level such as TCP. AFAICS it is when sending a final OAuth reply after authn. To be able to say more I'd need to know details of the configuration, the user's browser and especially what happens on the user's side.

Best,
Krzysztof

From: Sander A. <sa....@fz...> - 2022-12-02 11:44:02
Dear Krzysztof,
is there a limitation in the supported authnContextClasses? We have a client which requires a context class in their configuration. They tried different ones which seem to fit but they receive just the message "This implementation doesn't support requests with RequestedAuthnContext set." Or does this message mean that service providers must not set this?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

From: Sander A. <sa....@fz...> - 2022-11-15 14:03:03
Hi Krzysztof,
we have one user where we get IllegalStateException with the message "Comitted" at one service, stacktrace is attached.

The user only receives it for this service and the service works for other users. Do you have a hint what could raise this exception?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

From: Krzysztof B. <kb...@un...> - 2022-10-28 07:48:27
Dear All,

A bigger Unity patch release was published. It contains fixes to quite a few problems, both reported recently and some long lasting.

Please pay attention to a change in configuration: the thread pool configuration of Unity was split into two pools:

* One pool controls periodically scheduled tasks and requires a rather small number of threads (the default is 4, which can be slightly increased for big deployments). Its size is controlled with the so far only configuration option unityServer.core.threadPoolSize.
* The new option, unityServer.core.concurrentThreadPoolSize, with a default of 16, is used for concurrent asynchronous executions of immediate tasks. It is used in a bulk way (e.g. during logo download) by many tasks.

Addressed problems

* Several enhancements to SAML logo prefetching:
  o logo download process will never overlap with the previous iteration, even on a short SAML metadata refresh interval
  o logos are available as soon as they are downloaded (previously only after prefetching of all)
  o TCP connection and read timeouts have better defaults and can be fine tuned by the administrator
  o other minor improvements were applied
* Bugfix: after redeploying an endpoint, one of the handlers was executed twice, causing duplicated log messages
* Default SAML metadata generated by the Unity IdP endpoint was missing the Organization element
* Added possibility to load SCIM schema from external files
* Fixed loading of SCIM configuration if the REST admins group was not set
* Fixed loading of the trusted applications module in HomeUI in case of broken client URLs
* Upgraded some of the dependencies

Best regards,
Krzysztof

From: Krzysztof B. <kb...@un...> - 2022-10-24 10:46:22
Hi Sander,

On 20.10.2022 at 11:33, Sander Apweiler wrote:
> Hi Krzysztof,
> while testing the SCIM API we got another error. When we open the configuration in the console endpoint (Services -> SCIM REST API), a pop-up appears with "Please check the form for invalid and missing mandatory values". The log indicates a null pointer, but I do not get which mandatory value is missing. Following the manual unity.endpoint.scim.rootGroup is the only mandatory config. This is set in our config:
>
> cat modules/core/scim.properties
> unity.endpoint.scim.rootGroup=/
> unity.endpoint.scim.membershipGroups.1=groups
> unity.endpoint.scim.membershipAttributes.1=/

That's a small bug on our side. We have added one extra config option which was not marked as mandatory in configuration, while in code we assumed its presence. It will be fixed in the next patch (expected this week), in that way that this extra option will be really optional.

As a workaround you can add unity.endpoint.scim.restAdminGroup=/some/group setting it to a group. Use an empty group if you don't want to give anyone capabilities to use the SCIM admin REST API (which would be equivalent to not setting the property in 3.11.2).

HTH,
Krzysztof

From: Krzysztof B. <kb...@un...> - 2022-10-21 16:24:22
Hi Sander,

On 20.10.2022 at 13:20, Sander Apweiler wrote:
> Hi Krzysztof,
> sadly we found another problem in the trusted application tab. If a user tries to log into userhome, unity throws a URIAccessException. Are there some changes in the checks compared to unity 3.9 or is this completely new stuff?

That's a small bug: the logo cannot be downloaded as the server serving it has an expired certificate. We will add a patch ignoring logos which cannot be fetched. Will be in 3.11.2

Best,
Krzysztof

From: Sander A. <sa....@fz...> - 2022-10-20 11:20:54
Hi Krzysztof,
sadly we found another problem in the trusted application tab. If a user tries to log into userhome, unity throws a URIAccessException. Are there some changes in the checks compared to unity 3.9 or is this completely new stuff?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

From: Sander A. <sa....@fz...> - 2022-10-20 09:33:59
Hi Krzysztof,
while testing the SCIM API we got another error. When we open the configuration in the console endpoint (Services -> SCIM REST API), a pop-up appears with "Please check the form for invalid and missing mandatory values". The log indicates a null pointer, but I do not get which mandatory value is missing. Following the manual unity.endpoint.scim.rootGroup is the only mandatory config. This is set in our config:

cat modules/core/scim.properties
unity.endpoint.scim.rootGroup=/
unity.endpoint.scim.membershipGroups.1=groups
unity.endpoint.scim.membershipAttributes.1=/

cat modules/core.module
unityServer.core.endpoints.scim.endpointType=SCIM
unityServer.core.endpoints.scim.endpointConfigurationFile=${CONF}/modules/core/scim.properties
unityServer.core.endpoints.scim.contextPath=/scim
unityServer.core.endpoints.scim.endpointRealm=defaultRealm
unityServer.core.endpoints.scim.endpointName=SCIM REST API
unityServer.core.endpoints.scim.endpointAuthenticators=pwd;

This config worked on 3.9. Are there some changes to 3.11.1?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

From: Krzysztof B. <kb...@un...> - 2022-10-19 08:41:41
Hi Sander,

On 18.10.2022 at 13:39, Sander Apweiler wrote:
> Hi Krzysztof,
> sadly this didn't solve the stack traces. They are still occurring. But I guess decreasing the loglevel after our test might also remove them from the logs.
>
> 2022-10-18T11:09:11,807 [pool-2-thread-8] TRACE unity.server.core.URIAccessServiceImpl: Can not read uri:

If you enable TRACE level anywhere it is going to print you sometimes even enormous amounts of data. Just decrease it.

Krzysztof

From: Sander A. <sa....@fz...> - 2022-10-18 11:40:03
Hi Krzysztof,
sadly this didn't solve the stack traces. They are still occurring. But I guess decreasing the loglevel after our test might also remove them from the logs.

2022-10-18T11:09:11,807 [pool-2-thread-8] TRACE unity.server.core.URIAccessServiceImpl: Can not read uri: https://idp.iitbhilai.ac.in/images/logo.png
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:349) ~[?:?]
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:292) ~[?:?]
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:287) ~[?:?]
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654) ~[?:?]
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473) ~[?:?]
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369) ~[?:?]
    at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[?:?]
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) ~[?:?]
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421) ~[?:?]
    at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182) ~[?:?]
    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]
    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1426) ~[?:?]
    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1336) ~[?:?]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:450) ~[?:?]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:421) ~[?:?]
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108) ~[httpclient-4.5.13.jar:4.5.13]
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56) ~[httpclient-4.5.13.jar:4.5.13]
    at pl.edu.icm.unity.engine.files.RemoteFileNetworkClient.download(RemoteFileNetworkClient.java:89) ~[unity-server-engine-3.11.1.jar:?]
    at pl.edu.icm.unity.engine.files.RemoteFileNetworkClient.download(RemoteFileNetworkClient.java:70) ~[unity-server-engine-3.11.1.jar:?]
    at pl.edu.icm.unity.engine.files.URIAccessServiceImpl.readURL(URIAccessServiceImpl.java:226) ~[unity-server-engine-3.11.1.jar:?]
    at pl.edu.icm.unity.engine.files.URIAccessServiceImpl.readURL(URIAccessServiceImpl.java:102) ~[unity-server-engine-3.11.1.jar:?]
    at jdk.internal.reflect.GeneratedMethodAccessor107.invoke(Unknown Source) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
    at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:344) ~[spring-aop-5.3.23.jar:5.3.23]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:198) ~[spring-aop-5.3.23.jar:5.3.23]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.3.23.jar:5.3.23]
    at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:89) ~[spring-aop-5.3.23.jar:5.3.23]
    at pl.edu.icm.unity.store.rdbms.tx.SQLTransactionEngine.runInTransaction(SQLTransactionEngine.java:45) ~[unity-server-storage-3.11.1.jar:?]
    at pl.edu.icm.unity.store.tx.TransactionalAspect.retryIfNeeded4Method(TransactionalAspect.java:75) ~[unity-server-storage-3.11.1.jar:?]
    at jdk.internal.reflect.GeneratedMethodAccessor28.invoke(Unknown Source) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
    at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
    at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:634) ~[spring-aop-5.3.23.jar:5.3.23]
    at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:624) ~[spring-aop-5.3.23.jar:5.3.23]
    at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:72) ~[spring-aop-5.3.23.jar:5.3.23]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:175) ~[spring-aop-5.3.23.jar:5.3.23]
    at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97) ~[spring-aop-5.3.23.jar:5.3.23]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.23.jar:5.3.23]
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:215) ~[spring-aop-5.3.23.jar:5.3.23]
    at com.sun.proxy.$Proxy96.readURL(Unknown Source) ~[?:?]
    at pl.edu.icm.unity.saml.metadata.cfg.AsyncExternalLogoFileDownloader.downloadFile(AsyncExternalLogoFileDownloader.java:188) ~[unity-server-saml-3.11.1.jar:?]
    at pl.edu.icm.unity.saml.metadata.cfg.AsyncExternalLogoFileDownloader.fetchAndSaveFileOnDisk(AsyncExternalLogoFileDownloader.java:165) ~[unity-server-saml-3.11.1.jar:?]
    at pl.edu.icm.unity.saml.metadata.cfg.AsyncExternalLogoFileDownloader.lambda$downloadFiles$7(AsyncExternalLogoFileDownloader.java:152) ~[unity-server-saml-3.11.1.jar:?]
    at java.util.HashMap.forEach(HashMap.java:1337) ~[?:?]
    at pl.edu.icm.unity.saml.metadata.cfg.AsyncExternalLogoFileDownloader.downloadFiles(AsyncExternalLogoFileDownloader.java:148) ~[unity-server-saml-3.11.1.jar:?]
    at pl.edu.icm.unity.saml.metadata.cfg.AsyncExternalLogoFileDownloader.lambda$downloadLogoFilesAsync$0(AsyncExternalLogoFileDownloader.java:81) ~[unity-server-saml-3.11.1.jar:?]
at java.util.concurrent.CompletableFuture$AsyncRun.run(CompletableFuture.java:1736) ~[?:?] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) ~[?:?] at java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[?:?] at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304) ~[?:?] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?] at java.lang.Thread.run(Thread.java:829) ~[?:?] Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439) ~[?:?] at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) ~[?:?] at sun.security.validator.Validator.validate(Validator.java:264) ~[?:?] at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313) ~[?:?] at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222) ~[?:?] at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129) ~[?:?] at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638) ~[?:?] ... 60 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:?] at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[?:?] at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) ~[?:?] at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434) ~[?:?] 
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) ~[?:?] at sun.security.validator.Validator.validate(Validator.java:264) ~[?:?] at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313) ~[?:?] at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222) ~[?:?] at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129) ~[?:?] at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638) ~[?:?] ... 60 more Best regards, Sander On Fri, 2022-10-14 at 12:39 +0200, Krzysztof Benedyczak wrote: > W dniu 14.10.2022 o 12:36, Sander Apweiler pisze: > > Hi Krzysztof, > > > > On Fri, 2022-10-14 at 12:29 +0200, Krzysztof Benedyczak wrote: > > > W dniu 14.10.2022 o 12:23, Sander Apweiler pisze: > > > > Hi Krzysztof, > > > > > > > > thanks for the swift reply. Just another question to the 3.11 > > > > release. > > > > Is there a (sub) logger which I can set to INFO level about the > > > > IdP > > > > image download? EduGAIN contains a lot of image URLs which are > > > > not > > > > existing anymore. > > > Do you want to disable info about image download, filter it or > > > otherwise: enable? > > In general the info would not bother, but the long stack traces if > > the > > image can not be loaded let the log increase heavily. If it is the > > easiest to suppress the whole log about image load, I'm fine, too. > > then set unity.server.saml.AsyncExternalLogoFileDownloader to INFO, > should help > -- Federated Systems and Data Juelich Supercomputing Centre phone: +49 2461 61 8847 fax: +49 2461 61 6656 email: sa....@fz... ----------------------------------------------------------------------- ----------------------------------------------------------------------- Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. 
HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Volker Rieke Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), Karsten Beneke (stellv. Vorsitzender), Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior ----------------------------------------------------------------------- ----------------------------------------------------------------------- |
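The traces above are the JVM refusing a logo download because the IdP's web server certificate does not chain to a trusted root (fail-closed TLS validation), and the log volume comes from one ~80-frame trace per broken metadata URL. Before turning the logger down to INFO as suggested in the thread, an operator usually wants to know which federation entries fail and why. The following is an added example, not code from the mailing list or from Unity: a small Python summariser that collapses each "Can not read uri" entry and its Java trace into one record (host, root-cause exception, frames suppressed) and buckets the reasons. The log text, hostnames and shortened traces are constructed for the example; only the line format follows the entries quoted above.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample log: two "Can not read uri" entries in the format shown
# in the mail above, each followed by a shortened Java stack trace, plus one
# unrelated INFO line. Hostnames and traces are made up for the example.
SAMPLE_LOG = """\
2022-10-18T11:09:11,807 [pool-2-thread-8] TRACE unity.server.core.URIAccessServiceImpl: Can not read uri: https://idp.example-a.test/images/logo.png
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
\tat sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
\tat sun.security.ssl.TransportContext.fatal(TransportContext.java:349) ~[?:?]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
\tat sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439) ~[?:?]
\t... 60 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
\tat sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:?]
\t... 60 more
2022-10-18T11:09:12,010 [pool-2-thread-3] TRACE unity.server.core.URIAccessServiceImpl: Can not read uri: http://idp.example-b.test/logo.gif
java.net.UnknownHostException: idp.example-b.test
\tat java.net.InetAddress.getAllByName(InetAddress.java:1)
2022-10-18T11:09:12,500 [qtp1-12] INFO unity.server.saml.AsyncExternalLogoFileDownloader: logo download finished
"""

# One log entry: timestamp [thread] LEVEL logger: message
ENTRY_RE = re.compile(
    r"^(?P<ts>\S+) \[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) (?P<logger>\S+): (?P<msg>.*)$")
# A stack frame or the "... N more" elision: both start with whitespace
FRAME_RE = re.compile(r"^\s+(?:at |\.\.\. \d+ more)")
# An exception header line, optionally prefixed with "Caused by: "
CAUSE_RE = re.compile(r"^(?:Caused by: )?(?P<exc>[\w.$]+?(?:Exception|Error))(?::\s*(?P<detail>.*))?$")
URI_PREFIX = "Can not read uri: "


def summarize_uri_failures(log_text):
    """Collapse each 'Can not read uri' entry and the trace under it into one
    record: which host failed, with which root-cause exception, and how many
    trace lines were logged (the volume the operator wants to get rid of)."""
    records = []
    current = None
    for line in log_text.splitlines():
        entry = ENTRY_RE.match(line)
        if entry:
            current = None  # a new log entry ends any trace in progress
            msg = entry.group("msg")
            if msg.startswith(URI_PREFIX):
                url = msg[len(URI_PREFIX):].strip()
                parts = urlsplit(url)
                current = {"ts": entry.group("ts"), "url": url, "host": parts.hostname,
                           "scheme": parts.scheme, "root_cause": None, "frames": 0}
                records.append(current)
            continue
        if current is None:
            continue  # trace lines under an entry we do not track
        if FRAME_RE.match(line):
            current["frames"] += 1
            continue
        cause = CAUSE_RE.match(line)
        if cause:
            # the last "Caused by" in a Java trace is the root cause
            current["root_cause"] = cause.group("exc")
    return records


def classify(record):
    """Coarse reason buckets: 'tls-trust' is a certificate that does not chain
    to the JVM trust store (validation correctly failed closed); 'unreachable'
    is a dead URL left behind in the federation metadata."""
    rc = record["root_cause"] or ""
    if rc.endswith(("SunCertPathBuilderException", "ValidatorException", "SSLHandshakeException")):
        return "tls-trust"
    if rc.endswith(("UnknownHostException", "ConnectException", "SocketTimeoutException")):
        return "unreachable"
    return "other"


def failure_report(log_text):
    """Return (records, counts per class) so the numbers can be reviewed
    before the logger is turned down to INFO."""
    records = summarize_uri_failures(log_text)
    return records, Counter(classify(r) for r in records)


if __name__ == "__main__":
    recs, counts = failure_report(SAMPLE_LOG)
    for r in recs:
        print(f'{r["host"]:25} {classify(r):12} {r["root_cause"]}  ({r["frames"]} trace lines)')
    print(dict(counts))
```

Run against a real Unity log the report lists the IdP logo hosts that fail certificate validation separately from those that are simply gone, so lowering `unity.server.saml.AsyncExternalLogoFileDownloader` to INFO hides the noise without hiding the fact that validation is still enforced.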
From: Krzysztof B. <kb...@un...> - 2022-10-18 10:12:54

Hi Sander,

On 11.10.2022 at 08:40, Sander Apweiler wrote:
> Hi Krzysztof,
> last week we had a meeting with service providers and the developers of
> their service about the token exchange mechanism in unity. We had the
> problem that the service did not work with unity anymore after a
> service update. The software is CERN's FTS3 (file transfer service). We
> also found the problem: Using the token exchange mechanism unity
> requires the audience claim, which is clearly written in the manual.
> But in RFC 8693 (OAuth 2.0 Token Exchange), the audience is defined as
> optional. Other IdM solutions like EGI-CheckIn and Indigo IAM (used by
> WLCG) do not require the audience claim for token exchange and CERN FTS
> also does not send this. What is the reason for unity to make it
> mandatory and do you see any possibilities to change this to optional?
> Is it possible to use multiple audiences in the claim if unity requires
> the requesting client_id to be in there? FTS needs to alter the
> audience for delegation on behalf of a user.

All you wrote is correct. For the early use-cases of token exchange back when it was implemented, we added a simplification which you described around mandatory audience. The reason is: we have simpler code and have to worry about AuthZ less :-)

Yes, it should be possible to lift this limitation, as well as allow for multiple audiences. It won't be a very easy change, but also not super difficult.

Best,
Krzysztof
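The exchange described above, as an added example that is not part of the mailing list or of Unity's code: a Python sketch of the RFC 8693 token exchange request body, where `audience` is optional and may be repeated, next to the authorization-server side check in the two variants the thread contrasts, the mandatory-audience rule (the requesting client must be among the listed audiences) and the RFC default (a missing audience is accepted and the server chooses). The client id, subject token and audience names are constructed sample values; `build_token_exchange_request` and `check_exchange_audience` are names chosen for this example.

```python
from urllib.parse import urlencode, parse_qsl

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

# Constructed sample values for the example, not a real client or token.
REQUESTING_CLIENT = "fts3-client"
SUBJECT_TOKEN = "constructed.subject.token"


def build_token_exchange_request(subject_token, audiences=(), scope=None):
    """Form body of an RFC 8693 section 2.1 request. 'audience' is OPTIONAL
    and may appear more than once, so it is emitted once per value rather
    than joined into a single string."""
    params = [
        ("grant_type", TOKEN_EXCHANGE_GRANT),
        ("subject_token", subject_token),
        ("subject_token_type", ACCESS_TOKEN_TYPE),
    ]
    params.extend(("audience", aud) for aud in audiences)
    if scope:
        params.append(("scope", scope))
    return urlencode(params)


def parse_audiences(body):
    """All 'audience' values in request order (repeats are legal)."""
    return [v for k, v in parse_qsl(body, keep_blank_values=True) if k == "audience"]


def check_exchange_audience(body, requesting_client_id, require_audience):
    """Authorization-server side decision on the audience of an exchange.

    require_audience=True models the restriction the thread describes for
    Unity: the parameter is mandatory and the requesting client must be one
    of the listed audiences. False models the RFC 8693 default: a missing
    audience is accepted and the server chooses the audience itself (here,
    the requesting client). Returns (ok, error_or_note, audiences)."""
    auds = parse_audiences(body)
    if not auds:
        if require_audience:
            return False, "invalid_request: audience parameter is required", []
        return True, "no audience requested; issuing for the requesting client", [requesting_client_id]
    if requesting_client_id not in auds:
        # RFC 8693 section 2.2.2 defines invalid_target for an audience the
        # server is unwilling to issue a token for
        return False, "invalid_target: requesting client is not among the audiences", auds
    return True, "ok", auds


if __name__ == "__main__":
    for auds in ((), (REQUESTING_CLIENT,), (REQUESTING_CLIENT, "storage-endpoint"), ("storage-endpoint",)):
        body = build_token_exchange_request(SUBJECT_TOKEN, audiences=auds)
        for strict in (True, False):
            print(f"audience={list(auds)} strict={strict} ->",
                  check_exchange_audience(body, REQUESTING_CLIENT, strict))
```

The multi-audience case is the one FTS needs for delegation: as long as the requesting client keeps itself in the list next to the downstream audience, the mandatory-audience rule and the RFC behaviour agree; they only diverge on a request that omits `audience` entirely.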
From: Sander A. <sa....@fz...> - 2022-10-17 11:06:29

But after the update to 3.11.1 the error is gone.

Thanks,
Sander

On Mon, 2022-10-17 at 12:45 +0200, Sander Apweiler wrote:
> Sadly it has no stack trace. Even on TRACE loglevel I didn't get more
> information.
>
> Best regards,
> Sander
>
> On Mon, 2022-10-17 at 11:15 +0200, Krzysztof Benedyczak wrote:
> > On 17.10.2022 at 10:28, Sander Apweiler wrote:
> > > Hi Krzysztof,
> > > going on with our tests, we have a problem with our OIDC service. May
> > > the token parsing problem also cause this error:
> > >
> > > 2022-10-17T08:24:06,004 [qtp35962870-8752] DEBUG unity.server.oauth.BaseOAuthResource: Retuning OAuth error response: invalid_request: Invalid request; wrong refresh token
> >
> > It seems very likely - but to confirm, is there any stack trace in logs
> > near this log entry?
> >
> > Best,
> > Krzysztof
> >
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
From: Krzysztof B. <kb...@un...> - 2022-10-17 10:51:27

Hi Sander,

On 13.10.2022 at 11:55, Sander Apweiler wrote:
> Hi Krzysztof,
> sorry for the delay.
>
> The project allows and uses sub-projects. There are only registration
> forms and sign-up enquiries configured. Both are available by
> invitation only. We do not have membership update enquiries configured.
>
> Do you need the full forms?

If default forms are used then no. If some non-presentational changes were made (if you only updated some label or image, that doesn't matter) then yes.

But what is even more important is a detailed description of the scenario. I was asking about sub-projects, as with sub-projects the range of possible scenarios is bigger, and most likely we haven't tried the one you are hitting. So please provide the details of:

0. starting structure of (relevant) project(s) and subproject(s)
1. the starting situation of a user (member of what groups? attributes?)
2. what invitation is sent and how it is accepted
3. what happens in the end (i.e. what is the problem)

Thank you,
Krzysztof
From: Sander A. <sa....@fz...> - 2022-10-17 10:45:35

Sadly it has no stack trace. Even on TRACE loglevel I didn't get more information.

Best regards,
Sander

On Mon, 2022-10-17 at 11:15 +0200, Krzysztof Benedyczak wrote:
> On 17.10.2022 at 10:28, Sander Apweiler wrote:
> > Hi Krzysztof,
> > going on with our tests, we have a problem with our OIDC service. May
> > the token parsing problem also cause this error:
> >
> > 2022-10-17T08:24:06,004 [qtp35962870-8752] DEBUG unity.server.oauth.BaseOAuthResource: Retuning OAuth error response: invalid_request: Invalid request; wrong refresh token
>
> It seems very likely - but to confirm, is there any stack trace in logs
> near this log entry?
>
> Best,
> Krzysztof
>
From: Krzysztof B. <kb...@un...> - 2022-10-17 10:45:02

Dear Subscribers,

A small, but important patch release was published today. It fixed the problem reported last week, related to migrated deployments using OAuth. The update should be seamless; the change was minimal.

More details and links to all release assets are available from https://unity-idm.eu/releases/release-3-11-1/

Best regards,
Krzysztof