From: Sander A. <sa....@fz...> - 2022-08-30 08:06:34

Good morning Krzysztof,

we tried with different configurations, but for some reason the metadata file is not updated. Even with the default update configuration it is not updated. It might be a bug within the refreshing part. During the update to Unity 3.9, the configuration did not change.

Best regards,
Sander

On Wed, 2022-08-17 at 10:31 +0200, Krzysztof Benedyczak wrote:
> hi,
>
> On 17.08.2022 at 07:42, Sander Apweiler wrote:
> > Good morning,
> > it seems that we found the root of the problem. The server where we
> > had the problems did not update the downloaded metadata files for 2
> > weeks. After removing them and restarting Unity, new versions were
> > downloaded and login is working.
>
> Ok. Do you suspect a bug in metadata refreshing, or could this 2-week-old
> metadata file happen in a legitimate way according to your
> configuration?
>
> Thanks,
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
-----------------------------------------------------------------------
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren local court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Volker Rieke
Management Board: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior
-----------------------------------------------------------------------
-----------------------------------------------------------------------
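The thread above traces a SAML signature-validation failure to a federation metadata file that had not been refreshed for two weeks while the configured interval was 12 hours. The following added example (not Unity's code) checks a downloaded metadata file against its own validUntil/cacheDuration and the configured refresh interval, and lists the signing certificates published for an entityID so they can be compared with the key named in a "not registered for" error; the metadata document, entityID and refresh interval are constructed assumptions.

```python
"""Staleness check for a downloaded SAML federation metadata file.

Added example for the metadata-refresh thread; it is not Unity's code.
Assumptions: the file is a SAML 2.0 EntitiesDescriptor carrying validUntil
and/or cacheDuration, the fetch time is known (e.g. the file's mtime), and the
configured refresh interval is known. The metadata below is constructed.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: one IdP publishing a single signing certificate (placeholder base64).
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    validUntil="2022-08-22T00:00:00Z" cacheDuration="PT12H">
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>
            MIICconstructedPlaceholderCertificate
          </ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_duration(text: str) -> timedelta:
    """Parse the xs:duration subset used for cacheDuration (e.g. PT12H, P1D, PT1H30M)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {text!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def parse_datetime(text: str) -> datetime:
    """Parse an xs:dateTime such as 2022-08-22T00:00:00Z into an aware UTC datetime."""
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:  # zone-less xs:dateTime: treat as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def assess_metadata(xml_text: str, downloaded_at: datetime, now: datetime,
                    refresh_interval: timedelta) -> list:
    """Return the reasons a cached metadata file should no longer be trusted.

    An empty list means the file is fresh. The three checks are independent so
    an operator sees every symptom at once (in the thread: a 2-week-old file
    while the configured refresh interval was 12 hours).
    """
    root = ET.fromstring(xml_text)
    problems = []
    valid_until = root.get("validUntil")
    if valid_until and parse_datetime(valid_until) <= now:
        problems.append("validUntil expired")
    cache_duration = root.get("cacheDuration")
    if cache_duration and downloaded_at + parse_duration(cache_duration) <= now:
        problems.append("cacheDuration elapsed")
    # Two missed cycles means the refresher is not running, not merely late.
    if now - downloaded_at > 2 * refresh_interval:
        problems.append("missed refresh")
    return problems


def signing_certs(xml_text: str, entity_id: str) -> list:
    """Base64 signing certificates published in the metadata for entity_id.

    A KeyDescriptor without a 'use' attribute covers both signing and encryption.
    When validation reports a key 'not registered for' this entityID, the live
    key being absent from this list points at stale cached metadata.
    """
    root = ET.fromstring(xml_text)
    certs = []
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        if entity.get("entityID") != entity_id:
            continue
        for kd in entity.iter(f"{{{MD_NS}}}KeyDescriptor"):
            if kd.get("use", "signing") != "signing":
                continue
            for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
                certs.append("".join((cert.text or "").split()))
    return certs


if __name__ == "__main__":
    now = parse_datetime("2022-08-15T06:00:00Z")
    two_weeks_old = parse_datetime("2022-08-01T06:00:00Z")
    print(assess_metadata(SAMPLE_METADATA, two_weeks_old, now, parse_duration("PT12H")))
    print(signing_certs(SAMPLE_METADATA, "https://idp.example.org/idp/shibboleth"))
```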
From: Sander A. <sa....@fz...> - 2022-08-30 07:23:48

Good morning Krzysztof,

maybe you do not need a URL attribute type. But parsing the input with the Java trim function removes all whitespace at the beginning and at the end. This should also remove linebreak characters. This might be useful for all attributes. What do you think?

Best regards,
Sander

On Mon, 2022-08-29 at 13:15 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 25.08.2022 at 15:13, Sander Apweiler wrote:
> > Hi Krzysztof,
> > after I had a longer debug session with an administrator of a
> > service who said there was a problem in Unity, I was able to show him
> > that he created a wrong config. He entered a linebreak in the OAuth
> > return URL.
> >
> > To avoid such problems, would it make sense to prohibit whitespace
> > characters in some attributes like return URL or email addresses? A
> > valid value never contains whitespace characters.
>
> Yes, this situation unfortunately can happen. It is because we don't
> have a dedicated attribute value type for URLs (or URIs). And so the
> OAuth client's return URL is stored in a plain string attribute.
>
> We were talking about that a few times, but never approached it as we
> are a bit afraid of the migration: it may happen that current values
> are not parsable as URL -> what then? Anyway, as this was raised also on
> the community side, not only randomly internally, I'm opening a ticket to
> cover that: introduce a URL attribute value type, with proper
> validation, and migrate all system attributes to that type. Migration
> details TBD.
>
> In the case of emails this problem should not exist: we have a
> dedicated type for that, so as long as the verifiableEmail type is used
> in an attribute intended to store email, any invalid string should not
> be allowed.
>
> Best,
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
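Continuing the exchange above, this added example (not Unity's code, and written in Python rather than Java) shows why trimming covers only the trailing-linebreak case, what a dedicated URL attribute type would additionally reject, and how existing plain string values could be triaged before the migration Krzysztof is wary of; the sample return URLs are constructed.

```python
"""Validation for a URL-typed attribute value such as an OAuth client's return URL.

Added example for the thread; it is not Unity's code. Sample values are
constructed. str.strip() plays the role of Java's String.trim() here: both drop
leading/trailing whitespace and control characters, so a trailing linebreak
pasted into a form disappears, but anything inside the value survives.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https", "http"}


@dataclass(frozen=True)
class Verdict:
    status: str   # "valid" (store as-is), "fixable" (valid after trimming), "invalid"
    value: str    # canonical value for valid/fixable, the original otherwise
    reason: str


def validate_url(raw: str) -> Verdict:
    """Classify a candidate URL value the way a dedicated URL value type would."""
    trimmed = raw.strip()
    if not trimmed:
        return Verdict("invalid", raw, "empty value")
    # Whitespace or control characters inside the value survive trimming and
    # can only come from a copy/paste or configuration mistake: reject outright.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in trimmed):
        return Verdict("invalid", raw, "whitespace or control character inside value")
    try:
        parts = urlsplit(trimmed)
    except ValueError as exc:  # e.g. unbalanced IPv6 brackets
        return Verdict("invalid", raw, f"unparsable: {exc}")
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return Verdict("invalid", raw, f"scheme {parts.scheme!r} not allowed")
    if not parts.netloc:
        return Verdict("invalid", raw, "missing host")
    if parts.fragment:
        # RFC 6749 section 3.1.2: the redirection endpoint URI must not include a fragment.
        return Verdict("invalid", raw, "fragment not allowed in a redirect URI")
    if trimmed != raw:
        return Verdict("fixable", trimmed, "surrounding whitespace removed")
    return Verdict("valid", trimmed, "ok")


def migration_report(values: Iterable[str]) -> Dict[str, List[Verdict]]:
    """Dry run for migrating existing string attributes to a URL type.

    Groups stored values before anything is changed: 'valid' migrate untouched,
    'fixable' migrate after trimming, 'invalid' need an administrator's decision.
    """
    report: Dict[str, List[Verdict]] = {"valid": [], "fixable": [], "invalid": []}
    for value in values:
        verdict = validate_url(value)
        report[verdict.status].append(verdict)
    return report


# Constructed sample of stored return URLs, including the trailing linebreak from the thread.
SAMPLE_RETURN_URLS = [
    "https://sp.example.org/oauth/callback",
    "https://sp.example.org/oauth/callback\n",
    "https://sp.example.org/oauth/callback\nhttps://sp2.example.org/cb",
    "https://sp.example.org/cb#fragment",
    "ftp://sp.example.org/cb",
    "sp.example.org/callback",
]

if __name__ == "__main__":
    for status, verdicts in migration_report(SAMPLE_RETURN_URLS).items():
        for v in verdicts:
            print(f"{status:8} {v.value!r}: {v.reason}")
```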
From: Krzysztof B. <kb...@un...> - 2022-08-29 11:15:47

Hi Sander,

On 25.08.2022 at 15:13, Sander Apweiler wrote:
> Hi Krzysztof,
> after I had a longer debug session with an administrator of a service
> who said there was a problem in Unity, I was able to show him that
> he created a wrong config. He entered a linebreak in the OAuth return URL.
>
> To avoid such problems, would it make sense to prohibit whitespace
> characters in some attributes like return URL or email addresses? A
> valid value never contains whitespace characters.

Yes, this situation unfortunately can happen. It is because we don't have a dedicated attribute value type for URLs (or URIs). And so the OAuth client's return URL is stored in a plain string attribute.

We were talking about that a few times, but never approached it as we are a bit afraid of the migration: it may happen that current values are not parsable as URL -> what then? Anyway, as this was raised also on the community side, not only randomly internally, I'm opening a ticket to cover that: introduce a URL attribute value type, with proper validation, and migrate all system attributes to that type. Migration details TBD.

In the case of emails this problem should not exist: we have a dedicated type for that, so as long as the verifiableEmail type is used in an attribute intended to store email, any invalid string should not be allowed.

Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2022-08-25 13:14:05

Hi Krzysztof,

after I had a longer debug session with an administrator of a service who said there was a problem in Unity, I was able to show him that he created a wrong config. He entered a linebreak in the OAuth return URL.

To avoid such problems, would it make sense to prohibit whitespace characters in some attributes like return URL or email addresses? A valid value never contains whitespace characters.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Krzysztof B. <kb...@un...> - 2022-08-24 12:01:19

Dear Subscribers,

I'm happy to announce general availability of the 3.10.0 release. It includes the following changes:

* Trusted Applications module in HomeUI (user profile UI)
* SCIM metadata endpoints
* More flexible SCIM exposed groups configuration
* New SCIM related OAuth scope providing access to group reading
* Support for selection of OAuth audience (RFC 8707)
* New authentication facility, validating local OAuth tokens with additional client authentication
* Blacklisting of SAML IdPs
* Small UI improvements: console warns when there are unsaved changes from subviews, username is not cleared after typing a wrong password

as well as a couple of bug fixes.

More information is available at https://unity-idm.eu/releases/release-3-10-0/

Best regards,
Krzysztof
From: Sander A. <sa....@fz...> - 2022-08-17 08:39:55

Hi Krzysztof,

I'm not sure. We reduced the interval from 12 hours to one on the instance and they were still not reloaded. But in general, we are using the same config on all instances. I'll keep an eye on the metadata files and let you know if the problem comes up again.

Best regards,
Sander

On Wed, 2022-08-17 at 10:31 +0200, Krzysztof Benedyczak wrote:
> hi,
>
> On 17.08.2022 at 07:42, Sander Apweiler wrote:
> > Good morning,
> > it seems that we found the root of the problem. The server where we
> > had the problems did not update the downloaded metadata files for 2
> > weeks. After removing them and restarting Unity, new versions were
> > downloaded and login is working.
>
> Ok. Do you suspect a bug in metadata refreshing, or could this 2-week-old
> metadata file happen in a legitimate way according to your
> configuration?
>
> Thanks,
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Krzysztof B. <kb...@un...> - 2022-08-17 08:31:29

hi,

On 17.08.2022 at 07:42, Sander Apweiler wrote:
> Good morning,
> it seems that we found the root of the problem. The server where we had
> the problems did not update the downloaded metadata files for 2
> weeks. After removing them and restarting Unity, new versions were
> downloaded and login is working.

Ok. Do you suspect a bug in metadata refreshing, or could this 2-week-old metadata file happen in a legitimate way according to your configuration?

Thanks,
Krzysztof
From: Sander A. <sa....@fz...> - 2022-08-17 05:43:01

Good morning,

it seems that we found the root of the problem. The server where we had the problems did not update the downloaded metadata files for 2 weeks. After removing them and restarting Unity, new versions were downloaded and login is working.

Best regards,
Sander

On Mon, 2022-08-15 at 07:55 +0200, Sander Apweiler wrote:
> Good morning Krzysztof,
> good morning Roman,
>
> Unity 3.9.0 has some issues on certificate renewal of remote IdPs. We
> know 3 IdPs which renewed their certificate last week and are connected
> via federation metadata. We have five Unity instances running and on four
> the renewal worked, but on one not. Because it is not the same
> instance, we do not expect that it is a problem of the instance
> itself.
>
> The problem in the log is:
> Caused by: eu.unicore.samly2.exceptions.SAMLValidationException:
> Message signed with a key RSA Public Key
> [ec:fe:73:15:c9:8d:5b:b7:f2:29:8f:14:d4:0c:7b:97:dd:77:18:f8],[56:66:d1:a4]
> public exponent: 10001
> not registered for https://idp.desy.de/idp/shibboleth
>
> Best regards,
> Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Sander A. <sa....@fz...> - 2022-08-15 05:56:04

Good morning Krzysztof,
good morning Roman,

Unity 3.9.0 has some issues on certificate renewal of remote IdPs. We know 3 IdPs which renewed their certificate last week and are connected via federation metadata. We have five Unity instances running and on four the renewal worked, but on one not. Because it is not the same instance, we do not expect that it is a problem of the instance itself.

The problem in the log is:

Caused by: eu.unicore.samly2.exceptions.SAMLValidationException: Message signed with a key RSA Public Key [ec:fe:73:15:c9:8d:5b:b7:f2:29:8f:14:d4:0c:7b:97:dd:77:18:f8],[56:66:d1:a4]
public exponent: 10001
not registered for https://idp.desy.de/idp/shibboleth

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Krzysztof B. <kb...@un...> - 2022-08-08 10:02:55

Dear Sander,

On 01.08.2022 at 14:11, Sander Apweiler wrote:
> Dear Krzysztof,
> I found an issue in the x500Name identity. It says that GN (givenname) is
> not supported, while SN (surname) is supported. Could you add GN as
> well?

It is not a Unity request, I'm afraid, but one of the libs we are using: either CaNL (under my control) or BouncyCastle (3rd party). I will investigate; hopefully it will be an easy patch.

Best regards,
Krzysztof
From: Sander A. <sa....@fz...> - 2022-08-01 12:12:04

Dear Krzysztof,

I found an issue in the x500Name identity. It says that GN (givenname) is not supported, while SN (surname) is supported. Could you add GN as well?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Krzysztof B. <kb...@un...> - 2022-08-01 11:27:28

Hi Hubert,

On 29.07.2022 at 11:05, Hubert Siejkowski wrote:
> Hi,
>
> we get feedback from our users and two things are troubling us:
>
> 1. While a user logs in to Unity using the local account and she/he
> types a wrong password, both fields, username and password, are cleared
> out. In other systems (e.g. GitHub) only the password is cleared out.
> Is there any way to keep the username in the login form from the first
> attempt?

Yes, sounds good. There is always a concern that users might be fooled that the username (preserved) was entered correctly, while in fact it has a typo. But at scale most likely the password is most often the problem, so your suggestion makes sense. We will add it in one of the upcoming releases (it is trivial).

> 2. A user creates an account with remote authentication in an external
> system. After some time the user forgets that she/he should use the
> external authentication and tries to log in using his username and a
> possible password. Of course, the user is denied access, but is it
> possible to:
> - redirect the users to the remote authentication system (best scenario);
> - or show information that the authentication should be done in the
> remote system, given the name or link to the system;
> - or at least show information that the login is done via a remote
> system?

That one is more tricky. I don't think that a general feature allowing anyone to enter a username/email and get information on all possible authentication options for that identity is eligible, due to sensitive information exposure. Implementing the first, most preferred option also requires a major change in the authN flow: Unity would first ask for the username alone, and only then for the password, or allow choosing an option, or just redirect to the proper source system.

We have some plans around a feature like that, but that would be augmented with server-side configuration, so that admins can control (and take responsibility for) how much of the authN setup of each account is exposed publicly. Also this approach has a range of other concerns (e.g. now if I want to authN with Google I am one click away from that; after such a change I'd need to first enter my email identity...). Anyway, long-term we should have a feature like that available.

Currently we store this information in a cookie. So if you are returning to Unity from the same browser, you should be automatically presented with the last authN option that you successfully used. Most of the time that works nicely.

Best,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2022-08-01 11:12:15

Hi Daniel,

On 28.07.2022 at 11:03, Fernandez Rodriguez Daniel wrote:
> Dear all,
>
> Ok, so my problem was that I assigned "Privileged Inspector" to
> sys:AuthorizationRole for my user "test-user", but I did it within
> the /unicore/users group and not in Root (/).
> Now the mapping works \o/
>
> -----------------------------
>
> Identities:
> - MappedIdentity [mode=CREATE_OR_MATCH, identity=IdentityParam
> [[x500Name] CN=danielfr, O=Ecole polytechnique federale de Lausanne
> (EPFL),L=Lausanne,ST=Vaud,C=CH, translationProfile=keycloak2UNICORE,
> remoteIdp=oauth-rp, confirmationInfo=ConfirmationInfo
> [confirmed=false, confirmationDate=0, sentRequestAmount=0],
> metadata=null], credentialRequirement=Certificate requirement]
> Attributes:
> - MappedAttribute [mode=CREATE_OR_UPDATE, attribute=name[/]: [danielfr]]
> - MappedAttribute [mode=CREATE_OR_UPDATE,
> attribute=urn:unicore:attrType:xlogin[/unicore]: [danielfr]]
> Groups:
> - /unicore/users
>
> Thank you very much for your help,
> Daniel.

Cool, that big upgrade surely was pretty involving. Should be way smoother from now on.

Best,
Krzysztof
From: Hubert S. <h.s...@cy...> - 2022-07-29 09:23:24

Hi,

we get feedback from our users and two things are troubling us:

1. While a user logs in to Unity using the local account and she/he types a wrong password, both fields, username and password, are cleared out. In other systems (e.g. GitHub) only the password is cleared out. Is there any way to keep the username in the login form from the first attempt?

2. A user creates an account with remote authentication in an external system. After some time the user forgets that she/he should use the external authentication and tries to log in using his username and a possible password. Of course, the user is denied access, but is it possible to:
- redirect the users to the remote authentication system (best scenario);
- or show information that the authentication should be done in the remote system, given the name or link to the system;
- or at least show information that the login is done via a remote system?

Our Unity is quite recent (3.8.2).

Cheers,
Hubert
From: Krzysztof B. <kb...@un...> - 2022-07-28 09:24:25

On 22.07.2022 at 13:10, Sander Apweiler wrote:
> Hi Krzysztof,
> there is an error in Unity's "Authentication failed" error message. The
> message says:
> "The remote authentication was successful, however the the
> server's policy requires more information then was provided to
> register your account"
>
> There is one "the" too many. It should be:
>
> "The remote authentication was successful, however the
> server's policy requires more information then was provided to
> register your account"

Thanks, fixed
From: Fernandez R. D. <dan...@ep...> - 2022-07-28 09:03:38

Dear all,

Ok, so my problem was that I assigned "Privileged Inspector" to sys:AuthorizationRole for my user "test-user", but I did it within the /unicore/users group and not in Root (/).
Now the mapping works \o/

-----------------------------

Identities:
- MappedIdentity [mode=CREATE_OR_MATCH, identity=IdentityParam [[x500Name] CN=danielfr, O=Ecole polytechnique federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH, translationProfile=keycloak2UNICORE, remoteIdp=oauth-rp, confirmationInfo=ConfirmationInfo [confirmed=false, confirmationDate=0, sentRequestAmount=0], metadata=null], credentialRequirement=Certificate requirement]
Attributes:
- MappedAttribute [mode=CREATE_OR_UPDATE, attribute=name[/]: [danielfr]]
- MappedAttribute [mode=CREATE_OR_UPDATE, attribute=urn:unicore:attrType:xlogin[/unicore]: [danielfr]]
Groups:
- /unicore/users

Thank you very much for your help,
Daniel.

________________________________
From: Fernandez Rodriguez Daniel
Sent: Wednesday, July 27, 2022 7:00:57 PM
To: Krzysztof Benedyczak; uni...@li...
Subject: Re: [Unity-idm-discuss] VO-PULL attribute source: CAN'T CONNECT Invalid user name, credential or external authentication failed.

Dear Krzysztof and all,

Thanks a lot for your answer, I think I made some progress.

Long story short, the reason why I could not connect from UNICORE to Unity was that the UNICORE/X certificate I am using does not have a CN set (apparently certbot does not set a CN, https://github.com/certbot/certbot/issues/6463#issuecomment-435151087, so there is nothing I can do...). Because of this, the server's DN extracted from the certificate was empty and therefore Unity was throwing an "Authentication failed" error. (More info: https://unicore-docs.readthedocs.io/en/latest/admin-docs/unicorex/manual.html#saml-pull-and-unicore-basic-case)

So, to work around this, I created a Unity local user "test-user" and assigned it the "Privileged Inspector" role. I specify this user and its password in the unicorex/vo.config file, and now there is no error anymore from UNICORE/X about connecting to Unity's attribute source. Yay!

External connections
********************
Gateway: OK [connected to https://bbpcb144.bbp.epfl.ch:8080/BB5-CSCS]
Registry: OK [connected to https://bbpcb144.bbp.epfl.ch:8080/REGISTRY/services/Registry?res=default_registry ]
VO-PULL attribute source: OK [VO-PULL connected to https://bbpcb144.bbp.epfl.ch:2443/unicore-soapidp/saml2unicoreidp-soap/AssertionQueryService]
TSI 1: OK [TSI v8.0.0 (1/1 nodes up) at bbpv2.epfl.ch:4433, XNJS listens on port 7654]]

But still, when I try to run a job via UNICORE, I get "Access is denied. The operation getPreference requires 'read' capability" in the Unity logs.

==> /opt/unity/logs/unity-server.log <==
2022-07-27T18:44:14,247 [qtp1993606315-61] [UNITY UNICORE SOAP SAML service for REST queries] [] INFO unity.server.authn.SessionManagementImpl: Created a new session c1c531fe-d09b-4992-887d-ef0844968aa7 for logged entity danielfr (5) in realm defaultRealm
2022-07-27T18:44:14,324 [qtp1993606315-61] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] INFO unity.server.saml.SAMLETDAuthnImpl: Authentication of IdentityParam [[x500Name] CN=danielfr, O=Ecole polytechnique federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH, translationProfile=keycloak2UNICORE, remoteIdp=oauth-rp, confirmationInfo=ConfirmationInfo [confirmed=false, confirmationDate=0, sentRequestAmount=0], metadata=null]
2022-07-27T18:44:15,722 [qtp1993606315-61] [UNITY UNICORE SOAP SAML service for REST queries] [test-user] WARN unity.server.web.IdPPreferences: It was impossible to establish preferences for [x500Name] CN=danielfr, O=Ecole polytechnique federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH for https://bbpcb133.bbp.epfl.ch:8080/BB5-CSCS@defaultRealm will use defaults
pl.edu.icm.unity.exceptions.AuthorizationException: Access is denied. The operation getPreference requires 'read' capability
-------------------------------

Any idea what else I need to do?

Thank you very much,
Daniel.

________________________________
From: Krzysztof Benedyczak <kb...@un...>
Sent: Monday, July 18, 2022 5:55:31 PM
To: Fernandez Rodriguez Daniel; uni...@li...
Subject: Re: [Unity-idm-discuss] VO-PULL attribute source: CAN'T CONNECT Invalid user name, credential or external authentication failed.

Hi Daniel,

On 15.07.2022 at 16:25, Fernandez Rodriguez Daniel via Unity-idm-discuss wrote:
> Hello, my name is Daniel, I am an SRE working for EPFL's BlueBrain project.
>
> I inherited a VERY old UNICORE+UNITY (7.13 and Unity 2.6.2) server from a colleague who left months ago, and now I am trying to replace it with a new instance running a more up-to-date version of everything. There is NO documentation about the changes my colleague did, but I have access to the old running instance.
>
> In the new server I am running the latest version of all packages: unicore-servers-8.3.0-p2 and Unity 3.9.1.
>
> This is the authentication workflow we have:
> - Users get an OIDC token from Keycloak
> - Use that bearer token to send a request to our UNICORE REST API
> - We configured Unity to use a custom translationProfile and get user information (username)
>
> But this is not working in the new server. All services are running (UNICORE/X, registry, gateway, Unity, remote TSI server) but when I try to launch a job it fails.
>
> From the UNICORE/X logs I get:
>
> ********************
> Gateway: OK [connected to https://bbpcb144.bbp.epfl.ch:8080/BB5-CSCS]
> VO-PULL attribute source: CAN'T CONNECT [ERROR: org.apache.cxf.binding.soap.SoapFault: Invalid user name, credential or external authentication failed.
> ]
> Registry: OK [connected to https://bbpcb144.bbp.epfl.ch:8080/REGISTRY/services/Registry?res=default_registry ]
> TSI 1: OK [TSI v8.0.0 (1/1 nodes up) at bbpv2.epfl.ch:4433, XNJS listens on port 7654]]
>
> Subsystems
> ***********
> User authentication:
> * Unity with OAuth Bearer token [https://bbpcb144.bbp.epfl.ch:2443/unicore-soapidp/saml2unicoreidp-soap/AuthenticationService]
> * Unity with username+password [https://bbpcb144.bbp.epfl.ch:2443/unicore-soapidp/saml2unicoreidp-soap/AuthenticationService]
> User mapping & user attributes: SAMLPullAuthoriser
>
> ** Note that both OAuth Bearer token and username+password point to the same endpoint (it was like this in the currently running system).
>
> And from the Unity logs in DEBUG:
>
> 2022-07-15T15:05:13,108 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.saml.AuthnResponseProcessor: Requested identity urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName, mapped to x500Name, returning identities: [IdentityParam [[x500Name] CN=danielfr, O=Ecole polytechnique federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH, translationProfile=keycloak2UNICORE, remoteIdp=oauth-rp, confirmationInfo=ConfirmationInfo [confirmed=false, confirmationDate=0, sentRequestAmount=0], metadata=null]]
> 2022-07-15T15:05:13,110 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] INFO unity.server.saml.SAMLETDAuthnImpl: Authentication of IdentityParam [[x500Name] CN=danielfr, O=Ecole polytechnique federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH, translationProfile=keycloak2UNICORE, remoteIdp=oauth-rp, confirmationInfo=ConfirmationInfo [confirmed=false, confirmationDate=0, sentRequestAmount=0], metadata=null]
> 2022-07-15T15:05:13,111 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.saml.BaseResponseProcessor: Processed attributes to be returned: [urn:unicore:attrType:role[/unicore]: [user], name[/]: [danielfr], urn:unicore:attrType:xlogin[/unicore]: [danielfr], memberOf[/]: [/, /unicore, /unicore/users]]
> 2022-07-15T15:05:13,497 [qtp1546629479-31-acceptor-0@3e3b616-SecuredServerConnector@7352cf80{SSL, (ssl, http/1.1)}{bbpcb144.bbp.epfl.ch:2443}] [] [] DEBUG unicore.connections.SecuredServerConnector: Connection attempt from 10.80.65.154
> 2022-07-15T15:05:13,683 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.core.ClientIPSettingHandler: Handling client 10.80.65.154 request to URL /unicore-soapidp/saml2unicoreidp-soap/AssertionQueryService
> 2022-07-15T15:05:13,733 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.rest.AuthenticationInterceptor: Authentication set failed to authenticate the client using flow oauthWS, will try another: pl.edu.icm.unity.engine.api.authn.AuthenticationException: AuthenticationProcessorImpl.authnFailed
> 2022-07-15T15:05:13,733 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] INFO unity.server.rest.AuthenticationInterceptor: Authentication failed for client
> -------------------------------
>
> From the logs we can assume:
> - the translation profile works and it is able to map my username (danielfr) from the OIDC token to the x509 identity
> - auth fails when "using flow oauthWS"
>
> This oauthWS flow is defined as:
>
> unityServer.core.authenticators.oauthWS.authenticatorName=oauthWS
> unityServer.core.authenticators.oauthWS.authenticatorType=oauth-rp
> unityServer.core.authenticators.oauthWS.configurationFile=${CONF}/modules/oauth/remoteOAuth-RP.properties <------ file containing verificationEndpoint, clientID, clientSecret, etc.
>
> And this flow is also referenced in unicoreWithOAuthRP.module as:
>
> unityServer.core.endpoints.unicoreSOAP.endpointAuthenticators=pwd;oauthWS
>
> ---
>
> Can you please help me with this? I can of course provide more detailed information or try to answer any question. I am no expert in UNICORE/UNITY but I will try my best.

Yes, your findings seem correct. So we can have two cases:

1. Unity gets no token in the header for the failing request. The UNICORE client config should be checked (or UNICORE support contacted, although Bernd might be on this list as well).

2. Unity gets the token, but fails to verify it. I'd try first to enable TRACE logging for the oauth facility on Unity and also try to look into the Keycloak logs. If we are right then something is failing there; hopefully the logs will give some clue. Essentially Unity should contact Keycloak to check whether the access token issued by Keycloak is genuine.

Best,
Krzysztof
From: Fernandez R. D. <dan...@ep...> - 2022-07-27 17:01:13
|
Dear Krzysztof and all,

Thanks a lot for your answer, I think I made some progress.

Long story short, the reason why I could not connect from Unicore to Unity was because the UNICORE/X certificate I am using does not have a CN set (apparently certbot does not set CN https://github.com/certbot/certbot/issues/6463#issuecomment-435151087 so there is nothing I can do...)

Because of this, the server's DN extracted from the certificate was empty and therefore Unity was throwing an "Authentication failed" error. (more info: https://unicore-docs.readthedocs.io/en/latest/admin-docs/unicorex/manual.html#saml-pull-and-unicore-basic-case)

So, to work around this, I created a Unity local user "test-user" and assigned it the "Privileged Inspector" role. I specify this user and its password in the unicorex/vo.config file, and now there is no error anymore from UnicoreX about connecting to Unity's attribute source. Yay!

External connections
********************
Gateway: OK [connected to https://bbpcb144.bbp.epfl.ch:8080/BB5-CSCS]
Registry: OK [connected to https://bbpcb144.bbp.epfl.ch:8080/REGISTRY/services/Registry?res=default_registry ]
VO-PULL attribute source: OK [VO-PULL connected to https://bbpcb144.bbp.epfl.ch:2443/unicore-soapidp/saml2unicoreidp-soap/AssertionQueryService]
TSI 1: OK [TSI v8.0.0 (1/1 nodes up) at bbpv2.epfl.ch:4433, XNJS listens on port 7654]]

But still when I try to run a job via Unicore I get: "Access is denied. The operation getPreference requires 'read' capability" in the Unity logs.

==> /opt/unity/logs/unity-server.log <==
2022-07-27T18:44:14,247 [qtp1993606315-61] [UNITY UNICORE SOAP SAML service for REST queries] [] INFO unity.server.authn.SessionManagementImpl: Created a new session c1c531fe-d09b-4992-887d-ef0844968aa7 for logged entity danielfr (5) in realm defaultRealm
2022-07-27T18:44:14,324 [qtp1993606315-61] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] INFO unity.server.saml.SAMLETDAuthnImpl: Authentication of IdentityParam [[x500Name] CN=danielfr, O=Ecole polytechnique federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH, translationProfile=keycloak2UNICORE, remoteIdp=oauth-rp, confirmationInfo=ConfirmationInfo [confirmed=false, confirmationDate=0, sentRequestAmount=0], metadata=null]
2022-07-27T18:44:15,722 [qtp1993606315-61] [UNITY UNICORE SOAP SAML service for REST queries] [test-user] WARN unity.server.web.IdPPreferences: It was impossible to establish preferences for [x500Name] CN=danielfr, O=Ecole polytechnique federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH for https://bbpcb133.bbp.epfl.ch:8080/BB5-CSCS@defaultRealm will use defaults
pl.edu.icm.unity.exceptions.AuthorizationException: Access is denied. The operation getPreference requires 'read' capability
-------------------------------

Any idea what else I need to do?

Thank you very much,
Daniel.

________________________________
From: Krzysztof Benedyczak <kb...@un...>
Sent: Monday, July 18, 2022 5:55:31 PM
To: Fernandez Rodriguez Daniel; uni...@li...
Subject: Re: [Unity-idm-discuss] VO-PULL attribute source: CAN'T CONNECT Invalid user name, credential or external authentication failed.

Hi Daniel,

On 15.07.2022 at 16:25, Fernandez Rodriguez Daniel via Unity-idm-discuss wrote:
> Hello,
>
> my name is Daniel, I am an SRE working for the EPFL's BlueBrain project.
>
> I inherited a VERY old UNICORE+UNITY (7.13 and unity 2.6.2) server from a colleague who left months ago, and now I am trying to replace it with a new instance running a more up-to-date version of everything.
>
> There is NO documentation about the changes my colleague did but I have access to the old running instance.
>
> In the new server I am running the latest version of all packages: unicore-servers-8.3.0-p2 and Unity 3.9.1.
>
> This is the authentication workflow we have:
> - Users get an OIDC token from Keycloak
> - Use that bearer token to send a request to our Unicore rest API
> - We configured Unity to use a custom translationProfile and get users information (username)
>
> But this is not working in the new server, all services are running (unicoreX, registry, gateway, unity, remote tsi server) but when I try to launch a job it fails.
>
> From the UnicoreX logs I get:
>
> ********************
> Gateway: OK [connected to https://bbpcb144.bbp.epfl.ch:8080/BB5-CSCS]
> VO-PULL attribute source: CAN'T CONNECT [ERROR: org.apache.cxf.binding.soap.SoapFault: Invalid user name, credential or external authentication failed. ]
> Registry: OK [connected to https://bbpcb144.bbp.epfl.ch:8080/REGISTRY/services/Registry?res=default_registry ]
> TSI 1: OK [TSI v8.0.0 (1/1 nodes up) at bbpv2.epfl.ch:4433, XNJS listens on port 7654]]
>
> Subsystems
> ***********
> User authentication:
> * Unity with OAuth Bearer token [https://bbpcb144.bbp.epfl.ch:2443/unicore-soapidp/saml2unicoreidp-soap/AuthenticationService]
> * Unity with username+password [https://bbpcb144.bbp.epfl.ch:2443/unicore-soapidp/saml2unicoreidp-soap/AuthenticationService]
> User mapping & user attributes: SAMLPullAuthoriser
>
> ** Note that both OAuth Bearer token and username+password point to the same endpoint. (it was like this in the current running system)
>
> And from Unity logs in DEBUG:
>
> 2022-07-15T15:05:13,108 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.saml.AuthnResponseProcessor: Requested identity urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName, mapped to x500Name, returning identities: [IdentityParam [[x500Name] CN=danielfr, O=Ecole polytechnique federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH, translationProfile=keycloak2UNICORE, remoteIdp=oauth-rp, confirmationInfo=ConfirmationInfo [confirmed=false, confirmationDate=0, sentRequestAmount=0], metadata=null]]
> 2022-07-15T15:05:13,110 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] INFO unity.server.saml.SAMLETDAuthnImpl: Authentication of IdentityParam [[x500Name] CN=danielfr, O=Ecole polytechnique federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH, translationProfile=keycloak2UNICORE, remoteIdp=oauth-rp, confirmationInfo=ConfirmationInfo [confirmed=false, confirmationDate=0, sentRequestAmount=0], metadata=null]
> 2022-07-15T15:05:13,111 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.saml.BaseResponseProcessor: Processed attributes to be returned: [urn:unicore:attrType:role[/unicore]: [user], name[/]: [danielfr], urn:unicore:attrType:xlogin[/unicore]: [danielfr], memberOf[/]: [/, /unicore, /unicore/users]]
> 2022-07-15T15:05:13,497 [qtp1546629479-31-acceptor-0@3e3b616-SecuredServerConnector@7352cf80{SSL, (ssl, http/1.1)}{bbpcb144.bbp.epfl.ch:2443}] [] [] DEBUG unicore.connections.SecuredServerConnector: Connection attempt from 10.80.65.154
> 2022-07-15T15:05:13,683 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.core.ClientIPSettingHandler: Handling client 10.80.65.154 request to URL /unicore-soapidp/saml2unicoreidp-soap/AssertionQueryService
> 2022-07-15T15:05:13,733 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.rest.AuthenticationInterceptor: Authentication set failed to authenticate the client using flow oauthWS, will try another: pl.edu.icm.unity.engine.api.authn.AuthenticationException: AuthenticationProcessorImpl.authnFailed
> 2022-07-15T15:05:13,733 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] INFO unity.server.rest.AuthenticationInterceptor: Authentication failed for client
>
> -------------------------------
>
> From the logs we can assume:
> - the translation profile works and it is able to map my username (danielfr) from the OIDC token to the x509 identity
> - auth fails when "using flow oauthWS"
>
> This oauthWS flow is defined as:
>
> unityServer.core.authenticators.oauthWS.authenticatorName=oauthWS
> unityServer.core.authenticators.oauthWS.authenticatorType=oauth-rp
> unityServer.core.authenticators.oauthWS.configurationFile=${CONF}/modules/oauth/remoteOAuth-RP.properties <------ file containing verificationEndpoint, clientID, clientSecret, etc.
>
> And this flow is also referenced in unicoreWithOAuthRP.module as:
>
> unityServer.core.endpoints.unicoreSOAP.endpointAuthenticators=pwd;oauthWS
>
> ---
>
> Can you please help me with this? I can of course provide more detailed information or try to answer any question. I am no expert in UNICORE/UNITY but I will try my best.

Yes, your findings seem correct. So we can have two cases:

1. Unity gets no token for the failing request in the header. UNICORE client config should be checked (or UNICORE support contacted, although Bernd might be on this list as well)

2. Unity gets the token, but fails to verify it. I'd try first to enable TRACE logging for the oauth facility on Unity and also try to look into Keycloak logs. If we are right then something is failing there, hopefully logs will give some clue. Essentially Unity should contact Keycloak to check whether the access token issued from Keycloak is genuine.

Best,
Krzysztof
|
From: Sander A. <sa....@fz...> - 2022-07-22 11:11:10
|
Hi Krzysztof,

there is an error in Unity's "Authentication failed" error message. The message says:

"The remote authentication was successful, however the the server's policy requires more information then was provided to register your account"

There is one "the" too many. It should be:

"The remote authentication was successful, however the server's policy requires more information then was provided to register your account"

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Amtsgericht Dueren, No. HR B 3498
Chairman of the Supervisory Board: MinDir Volker Rieke
Management: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior
-----------------------------------------------------------------------
-----------------------------------------------------------------------
|
From: Krzysztof B. <kb...@un...> - 2022-07-18 15:55:52
|
Hi Daniel,

On 15.07.2022 at 16:25, Fernandez Rodriguez Daniel via Unity-idm-discuss wrote:
> Hello,
>
> my name is Daniel, I am an SRE working for the EPFL's BlueBrain project.
>
> I inherited a VERY old UNICORE+UNITY (7.13 and unity 2.6.2) server from a colleague who left months ago, and now I am trying to replace it with a new instance running a more up-to-date version of everything.
>
> There is NO documentation about the changes my colleague did but I have access to the old running instance.
>
> In the new server I am running the latest version of all packages: unicore-servers-8.3.0-p2 and Unity 3.9.1.
>
> This is the authentication workflow we have:
> - Users get an OIDC token from Keycloak
> - Use that bearer token to send a request to our Unicore rest API
> - We configured Unity to use a custom translationProfile and get users information (username)
>
> But this is not working in the new server, all services are running (unicoreX, registry, gateway, unity, remote tsi server) but when I try to launch a job it fails.
>
> From the UnicoreX logs I get:
>
> ********************
> Gateway: OK [connected to https://bbpcb144.bbp.epfl.ch:8080/BB5-CSCS]
> VO-PULL attribute source: CAN'T CONNECT [ERROR: org.apache.cxf.binding.soap.SoapFault: Invalid user name, credential or external authentication failed. ]
> Registry: OK [connected to https://bbpcb144.bbp.epfl.ch:8080/REGISTRY/services/Registry?res=default_registry ]
> TSI 1: OK [TSI v8.0.0 (1/1 nodes up) at bbpv2.epfl.ch:4433, XNJS listens on port 7654]]
>
> Subsystems
> ***********
> User authentication:
> * Unity with OAuth Bearer token [https://bbpcb144.bbp.epfl.ch:2443/unicore-soapidp/saml2unicoreidp-soap/AuthenticationService]
> * Unity with username+password [https://bbpcb144.bbp.epfl.ch:2443/unicore-soapidp/saml2unicoreidp-soap/AuthenticationService]
> User mapping & user attributes: SAMLPullAuthoriser
>
> ** Note that both OAuth Bearer token and username+password point to the same endpoint. (it was like this in the current running system)
>
> And from Unity logs in DEBUG:
>
> 2022-07-15T15:05:13,108 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.saml.AuthnResponseProcessor: Requested identity urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName, mapped to x500Name, returning identities: [IdentityParam [[x500Name] CN=danielfr, O=Ecole polytechnique federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH, translationProfile=keycloak2UNICORE, remoteIdp=oauth-rp, confirmationInfo=ConfirmationInfo [confirmed=false, confirmationDate=0, sentRequestAmount=0], metadata=null]]
> 2022-07-15T15:05:13,110 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] INFO unity.server.saml.SAMLETDAuthnImpl: Authentication of IdentityParam [[x500Name] CN=danielfr, O=Ecole polytechnique federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH, translationProfile=keycloak2UNICORE, remoteIdp=oauth-rp, confirmationInfo=ConfirmationInfo [confirmed=false, confirmationDate=0, sentRequestAmount=0], metadata=null]
> 2022-07-15T15:05:13,111 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.saml.BaseResponseProcessor: Processed attributes to be returned: [urn:unicore:attrType:role[/unicore]: [user], name[/]: [danielfr], urn:unicore:attrType:xlogin[/unicore]: [danielfr], memberOf[/]: [/, /unicore, /unicore/users]]
> 2022-07-15T15:05:13,497 [qtp1546629479-31-acceptor-0@3e3b616-SecuredServerConnector@7352cf80{SSL, (ssl, http/1.1)}{bbpcb144.bbp.epfl.ch:2443}] [] [] DEBUG unicore.connections.SecuredServerConnector: Connection attempt from 10.80.65.154
> 2022-07-15T15:05:13,683 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.core.ClientIPSettingHandler: Handling client 10.80.65.154 request to URL /unicore-soapidp/saml2unicoreidp-soap/AssertionQueryService
> 2022-07-15T15:05:13,733 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.rest.AuthenticationInterceptor: Authentication set failed to authenticate the client using flow oauthWS, will try another: pl.edu.icm.unity.engine.api.authn.AuthenticationException: AuthenticationProcessorImpl.authnFailed
> 2022-07-15T15:05:13,733 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] INFO unity.server.rest.AuthenticationInterceptor: Authentication failed for client
>
> -------------------------------
>
> From the logs we can assume:
> - the translation profile works and it is able to map my username (danielfr) from the OIDC token to the x509 identity
> - auth fails when "using flow oauthWS"
>
> This oauthWS flow is defined as:
>
> unityServer.core.authenticators.oauthWS.authenticatorName=oauthWS
> unityServer.core.authenticators.oauthWS.authenticatorType=oauth-rp
> unityServer.core.authenticators.oauthWS.configurationFile=${CONF}/modules/oauth/remoteOAuth-RP.properties <------ file containing verificationEndpoint, clientID, clientSecret, etc.
>
> And this flow is also referenced in unicoreWithOAuthRP.module as:
>
> unityServer.core.endpoints.unicoreSOAP.endpointAuthenticators=pwd;oauthWS
>
> ---
>
> Can you please help me with this? I can of course provide more detailed information or try to answer any question. I am no expert in UNICORE/UNITY but I will try my best.

Yes, your findings seem correct. So we can have two cases:

1. Unity gets no token for the failing request in the header. UNICORE client config should be checked (or UNICORE support contacted, although Bernd might be on this list as well)

2. Unity gets the token, but fails to verify it. I'd try first to enable TRACE logging for the oauth facility on Unity and also try to look into Keycloak logs. If we are right then something is failing there, hopefully logs will give some clue. Essentially Unity should contact Keycloak to check whether the access token issued from Keycloak is genuine.

Best,
Krzysztof
|
From: Fernandez R. D. <dan...@ep...> - 2022-07-15 14:26:09
|
Hello,

my name is Daniel, I am an SRE working for the EPFL's BlueBrain project.

I inherited a VERY old UNICORE+UNITY (7.13 and unity 2.6.2) server from a colleague who left months ago, and now I am trying to replace it with a new instance running a more up-to-date version of everything.

There is NO documentation about the changes my colleague did but I have access to the old running instance.

In the new server I am running the latest version of all packages: unicore-servers-8.3.0-p2 and Unity 3.9.1.

This is the authentication workflow we have:
- Users get an OIDC token from Keycloak
- Use that bearer token to send a request to our Unicore rest API
- We configured Unity to use a custom translationProfile and get users information (username)

But this is not working in the new server, all services are running (unicoreX, registry, gateway, unity, remote tsi server) but when I try to launch a job it fails.

From the UnicoreX logs I get:

********************
Gateway: OK [connected to https://bbpcb144.bbp.epfl.ch:8080/BB5-CSCS]
VO-PULL attribute source: CAN'T CONNECT [ERROR: org.apache.cxf.binding.soap.SoapFault: Invalid user name, credential or external authentication failed. ]
Registry: OK [connected to https://bbpcb144.bbp.epfl.ch:8080/REGISTRY/services/Registry?res=default_registry ]
TSI 1: OK [TSI v8.0.0 (1/1 nodes up) at bbpv2.epfl.ch:4433, XNJS listens on port 7654]]

Subsystems
***********
User authentication:
* Unity with OAuth Bearer token [https://bbpcb144.bbp.epfl.ch:2443/unicore-soapidp/saml2unicoreidp-soap/AuthenticationService]
* Unity with username+password [https://bbpcb144.bbp.epfl.ch:2443/unicore-soapidp/saml2unicoreidp-soap/AuthenticationService]
User mapping & user attributes: SAMLPullAuthoriser

** Note that both OAuth Bearer token and username+password point to the same endpoint. (it was like this in the current running system)

And from Unity logs in DEBUG:

2022-07-15T15:05:13,108 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.saml.AuthnResponseProcessor: Requested identity urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName, mapped to x500Name, returning identities: [IdentityParam [[x500Name] CN=danielfr, O=Ecole polytechnique federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH, translationProfile=keycloak2UNICORE, remoteIdp=oauth-rp, confirmationInfo=ConfirmationInfo [confirmed=false, confirmationDate=0, sentRequestAmount=0], metadata=null]]
2022-07-15T15:05:13,110 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] INFO unity.server.saml.SAMLETDAuthnImpl: Authentication of IdentityParam [[x500Name] CN=danielfr, O=Ecole polytechnique federale de Lausanne (EPFL),L=Lausanne,ST=Vaud,C=CH, translationProfile=keycloak2UNICORE, remoteIdp=oauth-rp, confirmationInfo=ConfirmationInfo [confirmed=false, confirmationDate=0, sentRequestAmount=0], metadata=null]
2022-07-15T15:05:13,111 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.saml.BaseResponseProcessor: Processed attributes to be returned: [urn:unicore:attrType:role[/unicore]: [user], name[/]: [danielfr], urn:unicore:attrType:xlogin[/unicore]: [danielfr], memberOf[/]: [/, /unicore, /unicore/users]]
2022-07-15T15:05:13,497 [qtp1546629479-31-acceptor-0@3e3b616-SecuredServerConnector@7352cf80{SSL, (ssl, http/1.1)}{bbpcb144.bbp.epfl.ch:2443}] [] [] DEBUG unicore.connections.SecuredServerConnector: Connection attempt from 10.80.65.154
2022-07-15T15:05:13,683 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.core.ClientIPSettingHandler: Handling client 10.80.65.154 request to URL /unicore-soapidp/saml2unicoreidp-soap/AssertionQueryService
2022-07-15T15:05:13,733 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] DEBUG unity.server.rest.AuthenticationInterceptor: Authentication set failed to authenticate the client using flow oauthWS, will try another: pl.edu.icm.unity.engine.api.authn.AuthenticationException: AuthenticationProcessorImpl.authnFailed
2022-07-15T15:05:13,733 [qtp1546629479-33] [UNITY UNICORE SOAP SAML service for REST queries] [danielfr] INFO unity.server.rest.AuthenticationInterceptor: Authentication failed for client

-------------------------------

From the logs we can assume:
- the translation profile works and it is able to map my username (danielfr) from the OIDC token to the x509 identity
- auth fails when "using flow oauthWS"

This oauthWS flow is defined as:

unityServer.core.authenticators.oauthWS.authenticatorName=oauthWS
unityServer.core.authenticators.oauthWS.authenticatorType=oauth-rp
unityServer.core.authenticators.oauthWS.configurationFile=${CONF}/modules/oauth/remoteOAuth-RP.properties <------ file containing verificationEndpoint, clientID, clientSecret, etc.

And this flow is also referenced in unicoreWithOAuthRP.module as:

unityServer.core.endpoints.unicoreSOAP.endpointAuthenticators=pwd;oauthWS

---

Can you please help me with this? I can of course provide more detailed information or try to answer any question. I am no expert in UNICORE/UNITY but I will try my best.

Thank you,
Daniel.
|
From: Krzysztof B. <kb...@un...> - 2022-07-15 09:07:37
|
Hi,

On 13.07.2022 at 15:37, Sander Apweiler wrote:
> Hi Krzysztof,
> the refresh token rotation mechanism would be a suitable solution for
> the application and it would be great to get this into unity. You might
> know the next question. When could it be available?

Makes sense - I'm adding it to our backlog.

Re timing - let's sync up separately - I have a bunch of questions around the relative priority of various tasks we have from your side in our queue. There is also a potential for this work in the HIFIS context.

Best,
Krzysztof
|
From: Sander A. <sa....@fz...> - 2022-07-13 13:38:12
|
Hi Krzysztof,

the refresh token rotation mechanism would be a suitable solution for the application and it would be great to get this into unity. You might know the next question. When could it be available?

Best regards,
Sander

On Thu, 2022-07-07 at 09:58 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 07.07.2022 at 07:46, Sander Apweiler wrote:
> > Good morning Krzysztof,
> > Good morning Roman,
> >
> > one of our connected services is a single page application using OIDC
> > with PKCE. They asked for a possibility to fetch new tokens using the
> > refresh token, without authenticating the client. Reading the
> > documentation, this is not possible.
> >
> > What is your opinion on this? Do you see another solution to their
> > problem of getting new tokens without sending client credentials?
>
> So yes, as of now for public clients Unity blocks the refresh token flow.
>
> Enabling that is not a big deal, but essentially means that we would
> have to lift a bunch of very important security protections.
>
> When it comes to PKCE+refresh tokens use, the industry standard is to
> use one additional feature, which is called "refresh token rotation".
> This one is not that super easy to implement - not super hard either,
> but a noticeable amount of work. Surely we can put it on our roadmap if
> you have a decent use case.
>
> Best,
> Krzysztof
>

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
|
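The trade-off Krzysztof describes above, as an added example that is not Unity's code: a toy token endpoint (client ids and the policy flag are this example's own) that keeps the refresh flow blocked for a public PKCE client when rotation is off, and, with rotation on, makes every refresh token single-use and revokes the whole token family as soon as an already-rotated token is presented again.

```python
import secrets
from dataclasses import dataclass


class TokenError(Exception):
    """Error response of the token endpoint; the message is the OAuth error code."""


@dataclass
class RefreshToken:
    family: str          # one family per authorization grant (one login)
    client_id: str
    used: bool = False   # set once the token has been exchanged (rotated away)


class TokenEndpoint:
    """Refresh-token bookkeeping of a hypothetical authorization server."""

    def __init__(self, rotation_for_public_clients: bool):
        self.rotation = rotation_for_public_clients
        self.clients = {}             # client_id -> secret, or None for public clients
        self.tokens = {}              # refresh token value -> RefreshToken
        self.revoked_families = set()

    def register_client(self, client_id, secret=None):
        self.clients[client_id] = secret

    def issue_grant(self, client_id):
        """Called after a successful authorization-code (+PKCE) exchange."""
        return self._mint(client_id, family=secrets.token_hex(8))

    def _mint(self, client_id, family):
        value = secrets.token_urlsafe(32)
        self.tokens[value] = RefreshToken(family, client_id)
        return value

    def refresh(self, client_id, refresh_token, client_secret=None):
        """Return (access_token, refresh_token_to_use_next) or raise TokenError."""
        if client_id not in self.clients:
            raise TokenError("invalid_client")
        secret = self.clients[client_id]
        if secret is not None:
            # confidential client: it must prove its identity on every refresh
            if client_secret is None or not secrets.compare_digest(secret, client_secret):
                raise TokenError("invalid_client")
        elif not self.rotation:
            # public client and no rotation: the refresh flow stays blocked,
            # which is what the thread says Unity does today
            raise TokenError("unauthorized_client")
        tok = self.tokens.get(refresh_token)
        if tok is None or tok.client_id != client_id or tok.family in self.revoked_families:
            raise TokenError("invalid_grant")
        if tok.used:
            # an already-rotated token came back: at least two parties hold a
            # copy, so the whole family (legitimate holder included) is revoked
            self.revoked_families.add(tok.family)
            raise TokenError("invalid_grant")
        if secret is None:
            # public client with rotation: single-use token, hand out a successor
            tok.used = True
            refresh_token = self._mint(client_id, tok.family)
        return secrets.token_urlsafe(16), refresh_token


def public_client_scenario():
    """Run the SPA (public client) case both ways and report what happened."""
    out = {}
    # 1. rotation off: the public client cannot use the refresh flow at all
    strict = TokenEndpoint(rotation_for_public_clients=False)
    strict.register_client("spa")                      # constructed client id
    rt = strict.issue_grant("spa")
    try:
        strict.refresh("spa", rt)
        out["blocked_without_rotation"] = False
    except TokenError as err:
        out["blocked_without_rotation"] = str(err) == "unauthorized_client"
    # 2. rotation on: refresh works without a secret, but every token is single-use
    rotating = TokenEndpoint(rotation_for_public_clients=True)
    rotating.register_client("spa")
    rt1 = rotating.issue_grant("spa")
    _, rt2 = rotating.refresh("spa", rt1)              # legitimate refresh
    out["rotated"] = rt2 != rt1
    try:                                               # a leaked copy of rt1 is replayed
        rotating.refresh("spa", rt1)
        out["reuse_detected"] = False
    except TokenError:
        out["reuse_detected"] = True
    try:                                               # the family is dead, rt2 included
        rotating.refresh("spa", rt2)
        out["family_revoked"] = False
    except TokenError:
        out["family_revoked"] = True
    return out


if __name__ == "__main__":
    print(public_client_scenario())
```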
From: Krzysztof B. <kb...@un...> - 2022-07-12 07:38:14
|
Hi Sander,

On 08.07.2022 at 10:53, Sander Apweiler wrote:
> Hi Krzysztof,
> hi Roman,
>
> is there a way to confirm multiple email addresses, provided by the IdP
> in input translation profiles, like attr["emailAddress"] +
> "[CONFIRMED]". Just using attrs would not work. Do I need to build a
> loop over the provided emails and confirm them one by one and return an
> array of confirmed email addresses?

Yes, precisely :-) You need to output an MVEL array of confirmed email addresses, i.e. the end result should be like this:

['fo...@ex...[CONFIRMED]', 'ba...@ex...[CONFIRMED]']

HTH,
Krzysztof
|
From: Sander A. <sa....@fz...> - 2022-07-08 08:53:54
|
Hi Krzysztof,
hi Roman,

is there a way to confirm multiple email addresses, provided by the IdP in input translation profiles, like attr["emailAddress"] + "[CONFIRMED]". Just using attrs would not work. Do I need to build a loop over the provided emails and confirm them one by one and return an array of confirmed email addresses?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
|
From: Roman K. <ro...@un...> - 2022-07-07 09:57:23
|
Hi Sander,

Sorry to be long in my reply, this is to let you know that we have reproduced the problem, and are working on it. Currently it is scheduled for the 3.10.0 release. The only workaround till then is to restart unity after the logging configuration is changed.

Thank you,
Roman

Thu, 30 Jun 2022 at 07:09 Sander Apweiler <sa....@fz...> wrote:
> Good morning Roman,
> I attached our log config file. We changed the Root Level from DEBUG to
> TRACE and from TRACE to DEBUG. In both cases the logging stopped and
> nothing was written to the file or the log rotation was not done for
> several days.
>
> Best regards,
> Sander
>
> On Wed, 2022-06-29 at 16:43 +0200, Roman Krysiński wrote:
> > Hi Sander,
> >
> > Could you please provide the log config file with information about
> > what changes were made?
> >
> > Thank you,
> > Roman
> >
> > Tue, 28 Jun 2022 at 14:48 Sander Apweiler <sa....@fz...> wrote:
> > > Hi Krzysztof,
> > > hi Roman,
> > >
> > > we might have found a serious bug in unity. When we change the root
> > > loglevel and do not restart unity, it stops logging. We have reproduced
> > > this issue. Unity itself is running without any further problems, but
> > > we don't have any log entries since changing the log level.
> > >
> > > Best regards,
> > > Sander
> >
> --
> Federated Systems and Data
> Juelich Supercomputing Centre
>
> phone: +49 2461 61 8847
> fax: +49 2461 61 6656
> email: sa....@fz...
>
|