From: Sander A. <sa....@fz...> - 2022-10-14 10:23:46
Hi Krzysztof,

thanks for the swift reply. Just another question about the 3.11 release: is there a (sub-)logger which I can set to INFO level about the IdP image download? EduGAIN contains a lot of image URLs which do not exist anymore.

Best regards,
Sander

On Fri, 2022-10-14 at 12:05 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 14.10.2022 at 10:38, Sander Apweiler wrote:
> > Hi Krzysztof,
> > we already started right now to test unity 3.11 but failed directly at
> > the first user login. I got an error message about serious problems,
> > see screenshot. In the log I saw that unity has some problems with
> > parsing tokens in the UI. I wanted to delete them via console endpoint
> > but there I got the error "Can not parse token's JSON". See second
> > screenshot. Did I miss some migration steps?
>
> Unfortunately we missed, and not in 3.11 but in 3.10.
>
> 3.11.1 will be released shortly, we are working on a fix.
>
> Sorry for the problem,
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren District Court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Volker Rieke
Management Board: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior
From: Krzysztof B. <kb...@un...> - 2022-10-14 10:05:29
Hi Sander,

On 14.10.2022 at 10:38, Sander Apweiler wrote:
> Hi Krzysztof,
> we already started right now to test unity 3.11 but failed directly at
> the first user login. I got an error message about serious problems,
> see screenshot. In the log I saw that unity has some problems with
> parsing tokens in the UI. I wanted to delete them via console endpoint
> but there I got the error "Can not parse token's JSON". See second
> screenshot. Did I miss some migration steps?

Unfortunately we missed, and not in 3.11 but in 3.10.

3.11.1 will be released shortly, we are working on a fix.

Sorry for the problem,
Krzysztof
From: Sander A. <sa....@fz...> - 2022-10-14 08:38:39
Hi Krzysztof,

we already started right now to test unity 3.11 but failed directly at the first user login. I got an error message about serious problems, see screenshot. In the log I saw that unity has some problems with parsing tokens in the UI. I wanted to delete them via console endpoint but there I got the error "Can not parse token's JSON". See second screenshot. Did I miss some migration steps?

Best regards,
Sander
From: Sander A. <sa....@fz...> - 2022-10-14 07:47:44
Hi Krzysztof,

while setting up the SCIM API in unity 3.9.0 I found a problem. Our configuration is normally loaded from config files. I know this is not possible for the SCIM schema so I set it up in the console endpoint. For some reason one attribute was not released and I increased the log level. Due to the bug where unity stopped logging after changing the log level I restarted unity. But sadly all configured schemas are gone. Is this intended? If not, may this happen on the latest version as well? We are going to start our tests on 3.11 next week.

Best regards,
Sander
From: Krzysztof B. <kb...@un...> - 2022-10-13 11:51:21
Dear Subscribers,

I'm happy to announce availability of a new Unity release. As always all relevant links are available at https://unity-idm.eu/releases/release-3-11-0/

The 3.11.0 release is a major step towards Unity 4: big changes ahead. All upgrades should be carefully pre-tested, after review of the Unity 3.11.0 update instructions, available in the Unity manual.

Java 17 supported & Groovy update

Java 17 is an officially supported runtime since this release. It will become mandatory when Unity turns 4. To make it happen we had to upgrade Groovy to version 3.0.12. This means that Groovy 3 features can be used in Unity extension scripts. Please note that Groovy 3 also introduces a couple of breaking changes over the previously used Groovy 2.

SAML related enhancements

The biggest change in the SAML area is pre-fetching of federation logo images by Unity, and serving them from the local HTTP server on sign-in pages. This change resolves many problems related to the previous approach, where a person entering the Unity sign-in page could get requests (and get cookies) from a number of federation IdPs. Also certificate and TLS related misconfigurations of IdP servers could interfere with Unity page loading, which won't happen any more.

Besides this change we have applied several smaller improvements to SAML federations handling:

* Performance of the first loading of trusted SAML entities was significantly improved.
* The first metadata refresh was always postponed for the metadata refresh interval which was effective at server start. So a decrease of the interval soon after server start could be made effective after a prolonged amount of time. This problem was resolved.
* A spurious metadata refresh that could randomly happen was eliminated. This situation was possible at server startup and after reconfiguration.

OAuth: refresh tokens for public clients

The Unity OAuth Authorization Server can now issue refresh tokens for public clients. This feature must be enabled, and also turns on an extra security measure: token rotation. In this scenario, each refresh token can be used only once, and each refresh returns a new access token and a new refresh token.

UpMan on the latest web technology stack

This is by far the biggest change in this release, although touching the rarely used UpMan service. The web technology stack used by UpMan was upgraded from Vaadin 8 to Vaadin 23 and is now based on cutting edge web technologies, including web components. The default UI look and feel was refreshed, as the underlying theme was changed as well. Also all UI customizations need to be prepared in a different, significantly simpler, form.

This change is the first step towards upgrading all Unity web UIs, which will be rebased to the same technology as UpMan is using since this release. This bigger work will be available in version 4 of Unity.

Jetty 9 → 10

Jetty, our embedded HTTP server, was upgraded to version 10. This change should not affect production setups, but allows us to expose new features in future, like SNI.

Miscellaneous improvements

* "GN" is supported in X.500 identity as an alias to GIVENNAME.
* Some parts of SCIM endpoint configuration can be controlled with its dedicated admin REST API.
* Resending of invitations (especially expired ones) from UpMan was fixed and resets validity time.
* Possible crashing of trusted applications tab loading in Home UI was fixed.

Best regards,
Krzysztof
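The refresh-token rotation that the announcement above describes for public clients, as an added illustration (not Unity's code): the AuthorizationServer class, its in-memory store and the reuse-detection policy are assumptions. Each refresh token is exchanged at most once, every exchange returns a fresh access and refresh token, and a second presentation of an already exchanged token reveals a replay and revokes the whole token family.

```python
"""Single-use refresh tokens with rotation and replay detection.
Added example, not Unity's code: class, store and revocation policy are
assumptions. A refresh token may be exchanged once; the exchange returns a
new access token and a new refresh token. Presenting an already exchanged
token means someone else holds a copy, so every token descended from the
original grant (the token "family") is revoked."""
import secrets
import time


class InvalidRefreshToken(Exception):
    pass


class ReuseDetected(Exception):
    pass


class AuthorizationServer:
    def __init__(self, access_ttl=600):
        self.access_ttl = access_ttl
        # refresh token -> {"family", "client_id", "subject", "used"}
        self._refresh = {}
        # access token -> {"family", "subject", "expires"}
        self._access = {}
        self._revoked_families = set()

    def _issue(self, family, client_id, subject):
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self._access[access] = {"family": family, "subject": subject,
                                "expires": time.time() + self.access_ttl}
        self._refresh[refresh] = {"family": family, "client_id": client_id,
                                  "subject": subject, "used": False}
        return {"access_token": access, "refresh_token": refresh,
                "token_type": "Bearer", "expires_in": self.access_ttl}

    def grant(self, client_id, subject):
        """Initial issuance, e.g. after a completed authorization-code flow.
        A fresh family id ties all later rotations back to this grant."""
        return self._issue(secrets.token_hex(8), client_id, subject)

    def refresh(self, refresh_token, client_id):
        """Handle grant_type=refresh_token with rotation."""
        rec = self._refresh.get(refresh_token)
        if rec is None or rec["family"] in self._revoked_families:
            raise InvalidRefreshToken("unknown or revoked refresh token")
        if rec["client_id"] != client_id:
            # A public client has no secret; binding the token to the
            # client_id it was issued to is the check that remains.
            raise InvalidRefreshToken("refresh token belongs to another client")
        if rec["used"]:
            # Rotation makes theft visible: the legitimate client already
            # exchanged this token, so a second presentation is a replay.
            self._revoked_families.add(rec["family"])
            raise ReuseDetected("refresh token replayed; token family revoked")
        rec["used"] = True
        return self._issue(rec["family"], client_id, rec["subject"])

    def access_token_valid(self, access_token):
        """Resource-server side check: unexpired and family not revoked."""
        entry = self._access.get(access_token)
        return (entry is not None
                and entry["expires"] > time.time()
                and entry["family"] not in self._revoked_families)
```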
From: Sander A. <sa....@fz...> - 2022-10-13 09:55:26
Hi Krzysztof,

sorry for the delay. The project allows and uses sub-projects. There are only registration forms and sign-up enquiries configured. Both are available by invitation only. We do not have membership update enquiries configured. Do you need the full forms?

Best regards,
Sander

On Thu, 2022-09-29 at 18:01 +0200, Krzysztof Benedyczak wrote:
> Sander,
>
> A correction :-)
>
> On 29.09.2022 at 17:18, Krzysztof Benedyczak wrote:
> > Hi Sander,
> >
> > Coming back to those issues
> >
> > On 8.09.2022 at 13:04, Sander Apweiler wrote:
> > > If a user sends an invitation into a subgroup of a project to a
> > > collaborator who is already member of another subgroup of this project
> > > and the collaborator accepts the invitation, the collaborator is
> > > removed from the previous subgroup. I don't know if this is intended by
> > > you, but I assume most users won't expect this behaviour. Especially in
> > > large projects with many users and subgroups it might be difficult to
> > > check if the invited person is already member of another subgroup.
> >
> > Yes, we can confirm that.
> >
> > 1. Why does this happen? The enquiry form which is used to invite an existing Unity user to a new project/group is set to be sticky. Sticky forms need to be actively launched, they are never shown automatically by Unity. Sticky forms also allow for modifying the existing state of a user's account, this is in fact an "edit yourself" form. Non-sticky forms are collecting data which should be added to an existing account.
> >
> > Now the form called by default <SomeProject>JoinEnquiry is set to be sticky as it can be enabled in HomeUI, so that users can apply for membership on their own (i.e. w/o invitation). A non-sticky form would appear for each user entering any Unity endpoint. And as you noticed this is causing an edit of the account, and overwriting the user's groups when used in the by-invitation flow.
> >
> > 2. Workaround. *If you don't use the feature to allow users to request project membership from HomeUI*, it should be possible to quickly fix the problem. Just in the ...JoinEnquiry form change two settings:
> >
> > i.e. make it non-sticky and by invitation only. This will allow to invite users but the groups overwriting will disappear.
> >
> > 3. We are thinking about a proper solution, working also in the case when self-requested membership is enabled. Will keep you informed. Most likely this won't make it into the next release though.
>
> I was just made aware by my colleague that what is above is only partially correct. Or better said it is correct, but after some (IMHO unlikely) reconfiguration of the default enquiry forms. Sorry for the noise!
>
> After a joint session with my colleague, it seems that we have troubles reproducing this issue. Can you please describe the scenario more closely? What is the setup of projects and (if used) sub-projects? What ways to invite are used? We have run a bunch of tests here and all were working fine. The only reproduction which we were able to have was in so unlikely a situation that I even won't waste your time describing it...
>
> Thank you,
> Krzysztof
From: Sander A. <sa....@fz...> - 2022-10-11 06:40:19
Hi Krzysztof,

last week we had a meeting with service providers and the developers of their service about the token exchange mechanism in unity. We had the problem that the service did not work with unity anymore after a service update. The software is CERN's FTS3 (file transfer service). We also found the problem: using the token exchange mechanism, unity requires the audience claim, which is clearly written in the manual. But in RFC 8693 (OAuth 2.0 Token Exchange), the audience is defined as optional. Other IdM solutions like EGI Check-in and Indigo IAM (used by WLCG) do not require the audience claim for token exchange and CERN FTS also does not send this. What is the reason for unity to make it mandatory and do you see any possibilities to change this to optional? Is it possible to use multiple audiences in the claim if unity requires the requesting client_id to be in there? FTS needs to alter the audience for delegation on behalf of a user.

Best regards,
Sander
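The two audience policies the question above contrasts, as an added example that is not the code of Unity, EGI Check-in, Indigo IAM or FTS3: the policy switch, the helper names and the constructed request bodies are assumptions. RFC 8693 makes the `audience` parameter optional and allows it to repeat; the `act` claim (RFC 8693 section 4.1) records who acts on the subject's behalf, which is the delegation case mentioned for FTS.

```python
"""Audience handling for an RFC 8693 token exchange request.
Added example (assumptions: policy switch, helper names, sample bodies).
RFC 8693 section 2.1: `audience` is OPTIONAL and may be repeated. The
`act` claim (section 4.1) identifies the party acting on the subject's
behalf; `client_id` (section 4.3) records the requesting client."""
from urllib.parse import parse_qs

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

# Constructed sample bodies. Tokens are opaque strings "subj:<name>" so
# the example runs offline without real token validation.
REQUEST_WITHOUT_AUDIENCE = (
    "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange"
    "&subject_token=subj%3Aalice"
    "&subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token"
)
REQUEST_WITH_TWO_AUDIENCES = (
    REQUEST_WITHOUT_AUDIENCE
    + "&audience=transfer-client&audience=storage-endpoint"
    + "&actor_token=subj%3Atransfer-client"
    + "&actor_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token"
)


class ExchangeError(Exception):
    pass


def parse_exchange_request(body):
    """Parse a form-encoded token exchange request into a dict."""
    form = parse_qs(body, strict_parsing=True)
    if form.get("grant_type") != [GRANT_TYPE]:
        raise ExchangeError("unsupported_grant_type")
    for name in ("subject_token", "subject_token_type"):
        if name not in form:
            raise ExchangeError("invalid_request: missing " + name)
    if ("actor_token" in form) != ("actor_token_type" in form):
        raise ExchangeError("invalid_request: actor_token needs actor_token_type")
    return {
        "subject_token": form["subject_token"][0],
        "audience": form.get("audience", []),  # OPTIONAL, may repeat
        "scope": form.get("scope", [""])[0].split(),
        "actor_token": form.get("actor_token", [None])[0],
    }


def token_subject(opaque_token):
    """Stand-in for validating a token and extracting its subject."""
    if not opaque_token.startswith("subj:"):
        raise ExchangeError("invalid_request: unparsable token")
    return opaque_token[len("subj:"):]


def decide_audience(req, client_id, require_client_in_audience):
    """Audience list for the issued token under the two policies.
    RFC default: an absent audience is allowed and the issuer picks one
    (here: the requesting client). Strict: audience must be present and
    contain the requesting client, but may list further parties so that
    the token can be handed on in a delegation chain."""
    aud = req["audience"]
    if require_client_in_audience:
        if not aud:
            raise ExchangeError("invalid_target: audience is required")
        if client_id not in aud:
            raise ExchangeError("invalid_target: requesting client not in audience")
        return aud
    return aud or [client_id]


def issue_claims(body, client_id, require_client_in_audience=False):
    """Claims of the exchanged token; `act` is set when an actor_token is present."""
    req = parse_exchange_request(body)
    claims = {
        "sub": token_subject(req["subject_token"]),
        "aud": decide_audience(req, client_id, require_client_in_audience),
        "client_id": client_id,
        "scope": " ".join(req["scope"]),
    }
    if req["actor_token"]:
        claims["act"] = {"sub": token_subject(req["actor_token"])}
    return claims
```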
From: Krzysztof B. <kb...@un...> - 2022-09-29 16:01:29
Sander,

A correction :-)

On 29.09.2022 at 17:18, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> Coming back to those issues
>
> On 8.09.2022 at 13:04, Sander Apweiler wrote:
> > If a user sends an invitation into a subgroup of a project to a
> > collaborator who is already member of another subgroup of this project
> > and the collaborator accepts the invitation, the collaborator is
> > removed from the previous subgroup. I don't know if this is intended by
> > you, but I assume most users won't expect this behaviour. Especially in
> > large projects with many users and subgroups it might be difficult to
> > check if the invited person is already member of another subgroup.
>
> Yes, we can confirm that.
>
> 1. Why does this happen? The enquiry form which is used to invite an existing Unity user to a new project/group is set to be sticky. Sticky forms need to be actively launched, they are never shown automatically by Unity. Sticky forms also allow for modifying the existing state of a user's account, this is in fact an "edit yourself" form. Non-sticky forms are collecting data which should be added to an existing account.
>
> Now the form called by default <SomeProject>JoinEnquiry is set to be sticky as it can be enabled in HomeUI, so that users can apply for membership on their own (i.e. w/o invitation). A non-sticky form would appear for each user entering any Unity endpoint. And as you noticed this is causing an edit of the account, and overwriting the user's groups when used in the by-invitation flow.
>
> 2. Workaround. *If you don't use the feature to allow users to request project membership from HomeUI*, it should be possible to quickly fix the problem. Just in the ...JoinEnquiry form change two settings:
>
> i.e. make it non-sticky and by invitation only. This will allow to invite users but the groups overwriting will disappear.
>
> 3. We are thinking about a proper solution, working also in the case when self-requested membership is enabled. Will keep you informed. Most likely this won't make it into the next release though.

I was just made aware by my colleague that what is above is only partially correct. Or better said it is correct, but after some (IMHO unlikely) reconfiguration of the default enquiry forms. Sorry for the noise!

After a joint session with my colleague, it seems that we have troubles reproducing this issue. Can you please describe the scenario more closely? What is the setup of projects and (if used) sub-projects? What ways to invite are used? We have run a bunch of tests here and all were working fine. The only reproduction which we were able to have was in so unlikely a situation that I even won't waste your time describing it...

Thank you,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2022-09-29 15:18:30
Hi Sander,

Coming back to those issues

On 8.09.2022 at 13:04, Sander Apweiler wrote:
> If a user sends an invitation into a subgroup of a project to a
> collaborator who is already member of another subgroup of this project
> and the collaborator accepts the invitation, the collaborator is
> removed from the previous subgroup. I don't know if this is intended by
> you, but I assume most users won't expect this behaviour. Especially in
> large projects with many users and subgroups it might be difficult to
> check if the invited person is already member of another subgroup.

Yes, we can confirm that.

1. Why does this happen? The enquiry form which is used to invite an existing Unity user to a new project/group is set to be sticky. Sticky forms need to be actively launched, they are never shown automatically by Unity. Sticky forms also allow for modifying the existing state of a user's account, this is in fact an "edit yourself" form. Non-sticky forms are collecting data which should be added to an existing account.

Now the form called by default <SomeProject>JoinEnquiry is set to be sticky as it can be enabled in HomeUI, so that users can apply for membership on their own (i.e. w/o invitation). A non-sticky form would appear for each user entering any Unity endpoint. And as you noticed this is causing an edit of the account, and overwriting the user's groups when used in the by-invitation flow.

2. Workaround. *If you don't use the feature to allow users to request project membership from HomeUI*, it should be possible to quickly fix the problem. Just in the ...JoinEnquiry form change two settings:

i.e. make it non-sticky and by invitation only. This will allow to invite users but the groups overwriting will disappear.

3. We are thinking about a proper solution, working also in the case when self-requested membership is enabled. Will keep you informed. Most likely this won't make it into the next release though.

> The usability enhancement is about resending invitations. Resending is
> only possible if the invitation is still valid. The user asked if it
> wouldn't be possible to resend them even if they are invalid and set a
> new expiration date

That was fixed, will be released in 3.11, coming out soon.

Best,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2022-09-16 07:29:50
Hi Hubert,

On 14.09.2022 at 14:16, Hubert Siejkowski wrote:
> Hi,
>
> we have recently upgraded to version 3.10.0 (from 3.8.2) and the
> upgrade went smoothly except for the HomeUI endpoints. If the
> trustedApplications are enabled in the HomeUI configuration, and after
> the user logs in the following error occurs:

After looking into it, it seems to be a gap in handling of legacy (i.e. slightly incomplete) data. We will fix that in the next release.

Thx for the detailed report,
Krzysztof
From: Hubert S. <h.s...@cy...> - 2022-09-14 12:33:48
Hi,

we have recently upgraded to version 3.10.0 (from 3.8.2) and the upgrade went smoothly except for the HomeUI endpoints. If the trustedApplications are enabled in the HomeUI configuration, after the user logs in the following error occurs:

An application error occurred when invoking the last operation. This means that either there is a mistake in the application code or a serious hardware problem on the service side. The error was reported to the staff and will be addressed as soon as possible.

and in the log file we got a message:

[UNITY user's account] [] ERROR unity.server.web.UnityUIBase: UI code got an unchecked and not handled properly exception: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'trustedApplicationTab' defined in URL [jar:file:/opt/unity-idm/unity-server-distribution-3.10.0/lib/unity-server-user-home-3.10.0.jar!/io/imunity/home/externalApplication/TrustedApplicationTab.class]: Bean instantiation via constructor failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [io.imunity.home.externalApplication.TrustedApplicationTab]: Constructor threw exception; nested exception is java.lang.NullPointerException

Full stack trace of the error is attached to this message.

For now we disabled the trustedApplications section in the HomeUI configuration and the endpoint works well. Is this something wrongly configured in our instance?

Cheers,
Hubert
From: Krzysztof B. <kb...@un...> - 2022-09-09 08:55:30
Hi Sander,

On 8.09.2022 at 13:04, Sander Apweiler wrote:
> Hi Krzysztof,
> hi Roman,
>
> We got one "bug report" and one usability enhancement from users which
> I want to share with you.
>
> If a user sends an invitation into a subgroup of a project to a
> collaborator who is already member of another subgroup of this project
> and the collaborator accepts the invitation, the collaborator is
> removed from the previous subgroup. I don't know if this is intended by
> you, but I assume most users won't expect this behaviour. Especially in
> large projects with many users and subgroups it might be difficult to
> check if the invited person is already member of another subgroup.

We are currently testing a bigger UpMan refresh, will check that issue as well.

> The usability enhancement is about resending invitations. Resending is
> only possible if the invitation is still valid. The user asked if it
> wouldn't be possible to resend them even if they are invalid and set a
> new expiration date

Should be doable, will open a ticket on that.

Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2022-09-08 11:04:53
Hi Krzysztof,
hi Roman,

We got one "bug report" and one usability enhancement from users which I want to share with you.

If a user sends an invitation into a subgroup of a project to a collaborator who is already member of another subgroup of this project and the collaborator accepts the invitation, the collaborator is removed from the previous subgroup. I don't know if this is intended by you, but I assume most users won't expect this behaviour. Especially in large projects with many users and subgroups it might be difficult to check if the invited person is already member of another subgroup.

The usability enhancement is about resending invitations. Resending is only possible if the invitation is still valid. The user asked if it wouldn't be possible to resend them even if they are invalid and set a new expiration date.

Best regards,
Sander
From: Krzysztof B. <kb...@un...> - 2022-09-02 10:35:27
On 30.08.2022 at 10:06, Sander Apweiler wrote:
> Good morning Krzysztof,
> we tried with different configuration, but for some reason the metadata
> file is not updated. Even with the default update configuration it is
> not updated. It might be a bug within the refreshing part. During the
> update to unity 3.9, the configuration did not change.

Thanks, we will investigate then.

Krzysztof
From: Krzysztof B. <kb...@un...> - 2022-09-02 09:25:13
Hi Sander,

On 30.08.2022 at 09:12, Sander Apweiler wrote:
> Good morning Krzysztof,
> maybe you do not need a url attribute type. But parsing the input by
> the java trim function removes all whitespace in the beginning and at
> the end. This should also remove linebreak characters. This might be
> useful for all attributes. What do you think?

I'm afraid not. First of all, the range of use cases of string attributes is wide. We can not just start trimming all whitespace, even leading or trailing, it may break many setups. A feature to trim whitespace from strings (as an optional setting in the attribute type definition) can be considered.

Anyway proper support for URLs is still needed. Whitespace is one edge case, what about other mistakes in syntax? So I'm afraid we do need the extra type anyway.

Best,
Krzysztof

> Best regards,
> Sander
>
> On Mon, 2022-08-29 at 13:15 +0200, Krzysztof Benedyczak wrote:
> > Hi Sander,
> >
> > On 25.08.2022 at 15:13, Sander Apweiler wrote:
> > > Hi Krzysztof,
> > > after I had a longer debug session with an administrator of a service
> > > who said there was a problem in unity, I was able to show him that
> > > he created a wrong config. He entered in the OAuth return URL a
> > > linebreak.
> > >
> > > To avoid such problems, would it make sense to prohibit whitespace
> > > characters in some attributes like return URL or email addresses? A
> > > valid value never contains a whitespace character.
> >
> > Yes, this situation unfortunately can happen. It is because we don't
> > have a dedicated attribute value type for URLs (or URIs). And so the OAuth
> > client's return URL is stored in a plain string attribute.
> >
> > We were talking about that a few times, but never approached that as we
> > are a bit afraid of the migration: it may happen that current values are
> > not parsable as URL -> what then? Anyway as this was raised also on the
> > community side, not only randomly internally, I'm opening a ticket to
> > cover that: introduce URL attribute value type, with proper validation,
> > and migrate all system attributes to that type. Migration details TBD.
> >
> > In the case of emails this problem should not exist: we have a dedicated
> > type for that, so as long as the verifiableEmail type is used in an attribute
> > intended to store email, any invalid string should not be allowed.
> >
> > Best,
> > Krzysztof
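What a dedicated URL attribute type could check, set beside the blanket-trim idea discussed in this thread (a trailing line break in an OAuth client's return URL). Added example, not Unity's code: the validator, its rules, the helper names and the sample values are assumptions or constructed. The rejections follow RFC 3986 (absolute URL) and RFC 6749 section 3.1.2 (a redirect URI must be absolute and must not carry a fragment); the page itself does not specify Unity's future URL type.

```python
"""Validating a URL-typed attribute instead of trimming string attributes.
Added example (assumptions: validator rules, helper names, sample values).
Validation rejects and reports a bad value; trimming would silently
rewrite it, which is the objection raised in the thread."""
from urllib.parse import urlsplit


class InvalidUrlAttribute(ValueError):
    pass


def validate_url_attribute(value, allowed_schemes=("https", "http")):
    """Return `value` unchanged if it is an acceptable absolute URL, else raise."""
    # Whitespace and control characters anywhere, not only at the ends:
    # a trailing "\n" (the case from the thread) and an embedded space are
    # both invalid in a URL. Checked before urlsplit(), which in recent
    # Python versions silently drops tab and newline characters itself.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise InvalidUrlAttribute("whitespace or control character in URL")
    try:
        parts = urlsplit(value)
        host = parts.hostname  # raises ValueError on a malformed netloc
    except ValueError as exc:
        raise InvalidUrlAttribute("unparsable URL: %s" % exc)
    if parts.scheme.lower() not in allowed_schemes:
        raise InvalidUrlAttribute("scheme %r not allowed" % parts.scheme)
    if not host:
        raise InvalidUrlAttribute("URL has no host")
    if parts.fragment or value.endswith("#"):
        # RFC 6749 section 3.1.2: redirection endpoint URIs carry no fragment.
        raise InvalidUrlAttribute("URL must not contain a fragment")
    return value


def trim_would_alter(value):
    """True when java.lang.String.trim()-style trimming would change the
    stored value. Trimming hides the operator's mistake instead of
    reporting it, and touches every string attribute, not only URLs."""
    return value != value.strip()


def redirect_uri_matches(registered, presented):
    """Redirect URI comparison for an OAuth client: exact string equality
    of two validated values, with no prefix or normalisation matching."""
    return validate_url_attribute(registered) == validate_url_attribute(presented)
```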
From: Sander A. <sa....@fz...> - 2022-08-30 08:06:34
Good morning Krzysztof,

we tried with different configuration, but for some reason the metadata file is not updated. Even with the default update configuration it is not updated. It might be a bug within the refreshing part. During the update to unity 3.9, the configuration did not change.

Best regards,
Sander

On Wed, 2022-08-17 at 10:31 +0200, Krzysztof Benedyczak wrote:
> hi,
>
> On 17.08.2022 at 07:42, Sander Apweiler wrote:
> > Good morning,
> > it seems that we found the root of the problem. The server where we had
> > the problems did not update the downloaded metadata files since 2
> > weeks. After removing them and restarting unity new versions were
> > downloaded and login is working.
>
> Ok. Do you suspect a bug in metadata refreshing, or could this 2 weeks old
> metadata file happen in a legitimate way according to your
> configuration?
>
> Thanks,
> Krzysztof
From: Sander A. <sa....@fz...> - 2022-08-30 07:23:48
|
Good morning Krzysztof, maybe you do not need a url attribute type. But parsing the input by the java trim function removes all whitespace in the beginning and at the end. This should also remove linebreak characters. This might be useful for all attributes. What do you think? Best regards, Sander On Mon, 2022-08-29 at 13:15 +0200, Krzysztof Benedyczak wrote: > Hi Sander, > > W dniu 25.08.2022 o 15:13, Sander Apweiler pisze: > > Hi Krzystzof, > > after I had a longer debug session with an administrator of a > > service > > who said there where a problem in unity, I was able to show him, > > that > > he created a wrong config. He entered in the OAuth return URL a > > linebreak. > > > > To avoid such problems, would it make sense to prohibit whitespace > > characters to some attributes like return URL or email addresses? A > > valid value never contains whitespace character. > > Yes, this situation unfortunately can happen. It is because we don't > have a dedicated attribute value type for URLs (or URIs). And so > OAuth > client's return URL is stored in a plain string attribute. > > We were talking about that few times, but never approached that as we > are bit afraid of the migration: it may happen that current values > are > not parsable as URL -> what then? Anyway as this was raised also on > community side, not only randomly internally, I'm opening a ticket to > cover that: introduce URL attribute value type, with proper > validation, > and migrate all system attributes to that type. Migration details > TBD. > > > In the case of emails this problem should not exist: we have a > dedicated > type for that, so as long as verifiableEmail type is used in > attribute > intended to store email, any invalid string should not be allowed. > > Best, > Krzysztof > -- Federated Systems and Data Juelich Supercomputing Centre phone: +49 2461 61 8847 fax: +49 2461 61 6656 email: sa....@fz... 
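The two points made in this exchange (trimming removes a linebreak only at the ends of the value; a dedicated URL type with proper validation is what really closes the hole) are shown below in an added Python example. It is not Unity's code; Python's str.strip() stands in for Java's String.trim(), and the function names, error class and sample URLs are constructed for illustration.

```python
"""Strict validation of a stored OAuth return (redirect) URL attribute.

Added example for the thread above; it is not Unity's code. Function names
and sample values are constructed for illustration.
"""
from urllib.parse import urlsplit


class InvalidReturnUrl(ValueError):
    """Raised when a value must not be stored as a return URL."""


def trim(value: str) -> str:
    # Like Java's String.trim(), which drops leading and trailing characters
    # up to U+0020: a "\n" pasted after the URL disappears here. A "\n" in the
    # middle of the value survives, so trimming alone is not enough.
    return value.strip()


def validate_return_url(raw: str, allowed_schemes=("https",)) -> str:
    """Return the canonical value to store, or raise InvalidReturnUrl."""
    value = trim(raw)
    if not value:
        raise InvalidReturnUrl("empty value")
    # Reject whitespace or control characters anywhere in the value, not only
    # at the ends: a valid URL never contains one.
    for ch in value:
        if ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F:
            raise InvalidReturnUrl("whitespace or control character %r" % ch)
    parts = urlsplit(value)
    if parts.scheme not in allowed_schemes:
        raise InvalidReturnUrl("scheme %r not allowed" % parts.scheme)
    if not parts.hostname:
        raise InvalidReturnUrl("missing host")
    if parts.fragment or value.endswith("#"):
        # RFC 6749 section 3.1.2: the redirection endpoint URI MUST NOT
        # include a fragment component.
        raise InvalidReturnUrl("fragment not allowed")
    return value


def check(raw: str) -> str:
    """Human-readable verdict, handy for a bulk audit of already stored values."""
    try:
        validate_return_url(raw)
        return "ok"
    except InvalidReturnUrl as exc:
        return "rejected: %s" % exc


def redirect_allowed(requested: str, registered) -> bool:
    """Exact string comparison against the stored values, as the authorization
    server does; a stored value polluted with a linebreak never matches."""
    return requested in registered


if __name__ == "__main__":
    for sample in (
        "https://sp.example.org/oauth/callback\n",   # trailing linebreak: trimmed
        "https://sp.example.org/oauth/\ncallback",   # embedded linebreak: rejected
        "http://sp.example.org/oauth/callback",      # plain http: rejected
        "https://sp.example.org/cb#state",           # fragment: rejected
    ):
        print(repr(sample), "->", check(sample))
```

Running the audit function over every stored return URL before a migration answers Krzysztof's "not parsable as URL -> what then?" question with a concrete list of the values that would fail.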
From: Krzysztof B. <kb...@un...> - 2022-08-29 11:15:47
Hi Sander,

On 25.08.2022 at 15:13, Sander Apweiler wrote:
> Hi Krzysztof,
> after I had a longer debug session with an administrator of a service
> who said there was a problem in unity, I was able to show him that
> he created a wrong config. He entered a linebreak in the OAuth return
> URL.
>
> To avoid such problems, would it make sense to prohibit whitespace
> characters in some attributes like return URL or email addresses? A
> valid value never contains a whitespace character.

Yes, this situation unfortunately can happen. It is because we don't have a dedicated attribute value type for URLs (or URIs). And so the OAuth client's return URL is stored in a plain string attribute.

We were talking about that a few times, but never approached it as we are a bit afraid of the migration: it may happen that current values are not parsable as URL -> what then? Anyway, as this was raised also on the community side, not only randomly internally, I'm opening a ticket to cover that: introduce a URL attribute value type, with proper validation, and migrate all system attributes to that type. Migration details TBD.

In the case of emails this problem should not exist: we have a dedicated type for that, so as long as the verifiableEmail type is used in an attribute intended to store email, any invalid string should not be allowed.

Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2022-08-25 13:14:05
Hi Krzysztof,

after I had a longer debug session with an administrator of a service who said there was a problem in unity, I was able to show him that he created a wrong config. He entered a linebreak in the OAuth return URL.

To avoid such problems, would it make sense to prohibit whitespace characters in some attributes like return URL or email addresses? A valid value never contains a whitespace character.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Krzysztof B. <kb...@un...> - 2022-08-24 12:01:19
Dear Subscribers,

I'm happy to announce general availability of the 3.10.0 release. It includes the following changes:

* Trusted Applications module in HomeUI (user profile UI)
* SCIM metadata endpoints
* More flexible SCIM exposed groups configuration
* New SCIM related OAuth scope providing access to group reading
* Support for selection of OAuth audience (RFC 8707)
* New authentication facility, validating local OAuth tokens w/ additional client authentication
* Blacklisting of SAML IdPs
* Small UI improvements: console warns when there are unsaved changes from subviews, username is not cleared after typing wrong password

as well as a couple of bug fixes.

More information is available at https://unity-idm.eu/releases/release-3-10-0/

Best regards,
Krzysztof
From: Sander A. <sa....@fz...> - 2022-08-17 08:39:55
Hi Krzysztof,

I'm not sure. We reduced the interval from 12 hours to one on the instance and they were still not reloaded. But in general, we are using the same config on all instances. I'll keep an eye on the metadata files and let you know if the problem comes up again.

Best regards,
Sander

On Wed, 2022-08-17 at 10:31 +0200, Krzysztof Benedyczak wrote:
> hi,
>
> On 17.08.2022 at 07:42, Sander Apweiler wrote:
> > Good morning,
> > it seems that we found the root of the problem. The server where we had
> > the problems had not updated the downloaded metadata files for 2
> > weeks. After removing them and restarting unity new versions were
> > downloaded and login is working.
>
> Ok. Do you suspect a bug in metadata refreshing, or could this 2 weeks old
> metadata file happen in a legitimate way according to your configuration?
>
> Thanks,
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Krzysztof B. <kb...@un...> - 2022-08-17 08:31:29
hi,

On 17.08.2022 at 07:42, Sander Apweiler wrote:
> Good morning,
> it seems that we found the root of the problem. The server where we had
> the problems had not updated the downloaded metadata files for 2
> weeks. After removing them and restarting unity new versions were
> downloaded and login is working.

Ok. Do you suspect a bug in metadata refreshing, or could this 2 weeks old metadata file happen in a legitimate way according to your configuration?

Thanks,
Krzysztof
From: Sander A. <sa....@fz...> - 2022-08-17 05:43:01
Good morning,

it seems that we found the root of the problem. The server where we had the problems had not updated the downloaded metadata files for 2 weeks. After removing them and restarting unity new versions were downloaded and login is working.

Best regards,
Sander

On Mon, 2022-08-15 at 07:55 +0200, Sander Apweiler wrote:
> Good morning Krzysztof,
> good morning Roman,
>
> unity 3.9.0 has some issues on certificate renewal of remote IdPs. We
> know 3 IdPs which renewed their certificate last week and are connected via
> federation metadata. We have five unity instances running and on four
> the renewal worked, but on one not. Because it is not the same
> instance, we do not expect that it is a problem of the instance itself.
>
> The problem in the log is:
> Caused by: eu.unicore.samly2.exceptions.SAMLValidationException:
> Message signed with a key RSA Public Key
> [ec:fe:73:15:c9:8d:5b:b7:f2:29:8f:14:d4:0c:7b:97:dd:77:18:f8],[56:66:d1:a4]
> modulus:
> d1d91621db1e94605080cb67adb38b7fce48a377788402fadb7f1fc247468a09fec00d0
> a4ed28a0248888bab2d7677c4f849713386a9637e1b4d7ece6e249d52946abbb036070b
> 2e9c3254acfe475c7cb0bc80e15a2acdbf05b6d7308b89529dbbec2fd39f5b16097cf5c
> f39233ac1fd35875a1faae0c5fba2639a1068dd4d0347a3d82af2a3decb41a8bd7cc90f
> 82c5959ba80452081ec4388e5720df4d20a45113b0f9fd4c786864a0d5d646dc784252a
> f5b76a5558e683e963c39d54197f04b6145341a9114ab4039a21e653d42d2029caa1b81
> e0e276f86fefa7f6e941dd0a42d31683dbf7fd7b854512417900e37cb10cf809d31a4fb
> 7e625877fcdfe3e7ceb5c1e4ed38fc67b1685ed2d5335309e42cf60859e5ca38022b684
> 9916d222f1c290090bb2e7523bc6f666bdc0714c9570382a1e49037f79a03bb0c07cf4d
> 6446b6b1e9f176b375b414a0bb1905d789853bf6d39e9212f359ea39b1b6fb1bfe8dee8
> 19a8a5d4efbe1b4864d797c26bbe289e09bbfb2ac9a9149c7eb529f743a3d10f6558487
> 0adc9fdfcf4d7d6a6cff1c890998db9f9726b975446f469c6f8d30a77b9be1d6ed115bf
> 80e62916b156ca67be4f1faf9ac423df9ae7fade2b7dffb22ea95bafcd5b724391b09da
> f4deb5e48ea5564ac56cdcb0828732fa408165a17d1a8a3b1088920b3eaa1132cba5766
> bf124c1fb824a4fd226d815c9140a1
> public exponent: 10001
> not registered for https://idp.desy.de/idp/shibboleth
>
> Best regards,
> Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Sander A. <sa....@fz...> - 2022-08-15 05:56:04
Good morning Krzysztof,
good morning Roman,

unity 3.9.0 has some issues on certificate renewal of remote IdPs. We know 3 IdPs which renewed their certificate last week and are connected via federation metadata. We have five unity instances running and on four the renewal worked, but on one not. Because it is not the same instance, we do not expect that it is a problem of the instance itself.

The problem in the log is:
Caused by: eu.unicore.samly2.exceptions.SAMLValidationException:
Message signed with a key RSA Public Key
[ec:fe:73:15:c9:8d:5b:b7:f2:29:8f:14:d4:0c:7b:97:dd:77:18:f8],[56:66:d1:a4]
modulus:
d1d91621db1e94605080cb67adb38b7fce48a377788402fadb7f1fc247468a09fec00d0
a4ed28a0248888bab2d7677c4f849713386a9637e1b4d7ece6e249d52946abbb036070b
2e9c3254acfe475c7cb0bc80e15a2acdbf05b6d7308b89529dbbec2fd39f5b16097cf5c
f39233ac1fd35875a1faae0c5fba2639a1068dd4d0347a3d82af2a3decb41a8bd7cc90f
82c5959ba80452081ec4388e5720df4d20a45113b0f9fd4c786864a0d5d646dc784252a
f5b76a5558e683e963c39d54197f04b6145341a9114ab4039a21e653d42d2029caa1b81
e0e276f86fefa7f6e941dd0a42d31683dbf7fd7b854512417900e37cb10cf809d31a4fb
7e625877fcdfe3e7ceb5c1e4ed38fc67b1685ed2d5335309e42cf60859e5ca38022b684
9916d222f1c290090bb2e7523bc6f666bdc0714c9570382a1e49037f79a03bb0c07cf4d
6446b6b1e9f176b375b414a0bb1905d789853bf6d39e9212f359ea39b1b6fb1bfe8dee8
19a8a5d4efbe1b4864d797c26bbe289e09bbfb2ac9a9149c7eb529f743a3d10f6558487
0adc9fdfcf4d7d6a6cff1c890998db9f9726b975446f469c6f8d30a77b9be1d6ed115bf
80e62916b156ca67be4f1faf9ac423df9ae7fade2b7dffb22ea95bafcd5b724391b09da
f4deb5e48ea5564ac56cdcb0828732fa408165a17d1a8a3b1088920b3eaa1132cba5766
bf124c1fb824a4fd226d815c9140a1
public exponent: 10001
not registered for https://idp.desy.de/idp/shibboleth

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
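The "Message signed with a key ... not registered for ..." error above, and the stale metadata file that Sander later identifies as its cause, are illustrated by the following added Python example. It is not Unity's or the samly2 library's code: it parses a constructed metadata document, maps each entityID to the fingerprints of the keys it may sign with, checks whether a presented key fingerprint is registered, and flags a metadata copy whose validUntil has passed or whose last refresh is much older than the configured interval. The entityID, certificate bytes and timestamps are constructed; real metadata carries DER-encoded X.509 certificates, and the lookup logic is the same.

```python
"""Two checks behind the thread above: is the key that signed a SAML message
registered for the issuing entity in the metadata we hold, and is the local
metadata copy stale?

Added example; it is not Unity's or samly2's code. The metadata document,
entityID and certificate bytes are constructed for illustration.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-ins for the DER bytes of the IdP's old and renewed
# certificates (real ones would be parsed from the X509Certificate elements).
OLD_CERT = b"constructed-idp-certificate-2021"
NEW_CERT = b"constructed-idp-certificate-2022"

# Constructed metadata: an expired copy that still lists only the old key,
# which is what a refresh job that silently stopped leaves behind.
STALE_METADATA = (
    '<md:EntitiesDescriptor xmlns:md="%s" xmlns:ds="%s" validUntil="2022-08-14T00:00:00Z">'
    '<md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">'
    '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
    '<ds:X509Certificate>%s</ds:X509Certificate>'
    '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
    '</md:IDPSSODescriptor></md:EntityDescriptor></md:EntitiesDescriptor>'
) % (MD_NS, DS_NS, base64.b64encode(OLD_CERT).decode())


def utc(ts: str) -> datetime:
    """Parse a SAML-style UTC timestamp such as 2022-08-14T00:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def fingerprint(der: bytes) -> str:
    """SHA-1 fingerprint in colon-separated form, like the key id in the log."""
    digest = hashlib.sha1(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signing_keys(metadata_xml: str) -> dict:
    """Map entityID -> set of fingerprints of keys the entity may sign with.

    A KeyDescriptor without a 'use' attribute applies to both signing and
    encryption, so it counts as a signing key as well.
    """
    root = ET.fromstring(metadata_xml)
    keys = {}
    for entity in root.iter("{%s}EntityDescriptor" % MD_NS):
        prints = set()
        for kd in entity.iter("{%s}KeyDescriptor" % MD_NS):
            if kd.get("use", "signing") != "signing":
                continue
            for cert in kd.iter("{%s}X509Certificate" % DS_NS):
                der = base64.b64decode("".join((cert.text or "").split()))
                prints.add(fingerprint(der))
        keys[entity.get("entityID")] = prints
    return keys


def key_registered(metadata_xml: str, entity_id: str, presented_fp: str) -> bool:
    """The decision behind 'Message signed with a key ... not registered for'."""
    return presented_fp in signing_keys(metadata_xml).get(entity_id, set())


def metadata_expired(metadata_xml: str, now: datetime) -> bool:
    """validUntil on the root element has passed: the copy must not be trusted."""
    valid_until = ET.fromstring(metadata_xml).get("validUntil")
    return valid_until is not None and now >= utc(valid_until)


def refresh_overdue(last_refresh: datetime, interval_hours: float,
                    now: datetime, slack: int = 2) -> bool:
    """Operational check: the local file is older than `slack` refresh
    periods, the signature of a refresh job that stopped without an error."""
    return now - last_refresh > timedelta(hours=slack * interval_hours)


if __name__ == "__main__":
    entity = "https://idp.example.org/idp/shibboleth"
    now = utc("2022-08-15T06:00:00Z")
    print("old key registered:", key_registered(STALE_METADATA, entity, fingerprint(OLD_CERT)))
    print("renewed key registered:", key_registered(STALE_METADATA, entity, fingerprint(NEW_CERT)))
    print("metadata expired:", metadata_expired(STALE_METADATA, now))
    print("refresh overdue:", refresh_overdue(utc("2022-08-01T06:00:00Z"), 12, now))
```

With the stale copy, the renewed key is correctly reported as not registered, which is exactly the rejection in the log; the two staleness checks are the monitoring signal that would have pointed at the refresh job before users hit the login failure.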
From: Krzysztof B. <kb...@un...> - 2022-08-08 10:02:55
Dear Sander,

On 01.08.2022 at 14:11, Sander Apweiler wrote:
> Dear Krzysztof,
> I found an issue in x500Name identity. It says that GN (givenname) is
> not supported, while SN (surname) is supported. Could you add GN as
> well?

It is not a Unity issue, I'm afraid, but one of the libs we are using: either CaNL (under my control) or BouncyCastle (3rd party). I will investigate; hopefully it will be an easy patch.

Best regards,
Krzysztof