From: Krzysztof B. <kb...@un...> - 2022-07-07 07:59:04
Hi Sander,

On 07.07.2022 at 07:46, Sander Apweiler wrote:
> Good morning Krzysztof,
> Good morning Roman,
>
> one of our connected services is a single page application using OIDC
> with PKCE. They asked for a possibility to fetch new tokens using the
> refresh token, without authenticating the client. Reading the
> documentation, this is not possible.
>
> What is your opinion to this? Do you see another solution to their
> problem getting new tokens without sending client credentials?

So yes, as of now for public clients Unity blocks the refresh token flow. Enabling that is not a big deal, but essentially means that we would have to lift a bunch of very important security protections.

When it comes to PKCE+refresh tokens use, the industry standard is to use one additional feature, which is called "refresh token rotation". This one is not that super easy to implement - not super hard either, but a noticeable amount of work. Surely we can put it on our roadmap if you have a decent use case.

Best,
Krzysztof
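An added illustration of the "refresh token rotation" Krzysztof refers to, written for this thread and not taken from Unity: a public PKCE client cannot present a client secret, so the authorization server issues a fresh refresh token on every use, kills the presented one, and treats a second presentation of an already-rotated token as a leak that revokes the whole token family. `RefreshTokenStore`, `RotationError` and the family id are hypothetical names of this example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class RefreshRecord:
    family: str        # every token descending from one authorization shares a family id
    client_id: str     # the public client the token was issued to
    expires_at: float
    used: bool = False  # set the moment the token is exchanged


class RotationError(Exception):
    """Raised when a refresh request must be denied."""


class RefreshTokenStore:
    """In-memory model of the server-side state rotation needs (hypothetical, not Unity's)."""

    def __init__(self, lifetime_s: float = 3600.0):
        self.lifetime_s = lifetime_s
        self._tokens: Dict[str, RefreshRecord] = {}
        self._revoked_families: Set[str] = set()

    def _mint(self, family: str, client_id: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = RefreshRecord(family, client_id, now + self.lifetime_s)
        return token

    def issue_initial(self, client_id: str, now: Optional[float] = None) -> str:
        """Issue the first refresh token at the end of the code + PKCE exchange."""
        now = time.time() if now is None else now
        return self._mint(secrets.token_hex(16), client_id, now)

    def rotate(self, presented: str, client_id: str, now: Optional[float] = None) -> str:
        """Exchange a refresh token for a new one; the presented token dies either way."""
        now = time.time() if now is None else now
        record = self._tokens.get(presented)
        if record is None:
            raise RotationError("unknown refresh token")
        if record.family in self._revoked_families:
            raise RotationError("token family revoked")
        if record.client_id != client_id:
            # Without a client secret, the client_id binding is the only client check left.
            raise RotationError("refresh token bound to a different client_id")
        if now >= record.expires_at:
            raise RotationError("refresh token expired")
        if record.used:
            # Reuse: the legitimate client already rotated this token, so a second
            # presentation means a copy leaked. Kill every token in the family,
            # including the current one, whoever still holds it.
            self._revoked_families.add(record.family)
            raise RotationError("refresh token reuse detected; family revoked")
        record.used = True
        return self._mint(record.family, client_id, now)

    def family_of(self, token: str) -> Optional[str]:
        record = self._tokens.get(token)
        return record.family if record else None

    def is_family_revoked(self, token: str) -> bool:
        family = self.family_of(token)
        return family is not None and family in self._revoked_families


def replay_scenario() -> bool:
    """Walk through the leak scenario rotation is designed to catch.

    Returns True when the replay of an already-rotated token is refused and
    takes the whole family (the still-valid successor included) with it.
    """
    store = RefreshTokenStore(lifetime_s=3600)
    first = store.issue_initial("spa-client", now=1000.0)
    second = store.rotate(first, "spa-client", now=1001.0)   # normal refresh
    try:
        store.rotate(first, "spa-client", now=1002.0)        # the old token is replayed
    except RotationError:
        return store.is_family_revoked(second)
    return False


if __name__ == "__main__":
    print("replay detected and family revoked:", replay_scenario())
```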
From: Sander A. <sa....@fz...> - 2022-07-07 05:46:51
Good morning Krzysztof,
Good morning Roman,

one of our connected services is a single page application using OIDC with PKCE. They asked for a possibility to fetch new tokens using the refresh token, without authenticating the client. Reading the documentation, this is not possible.

What is your opinion to this? Do you see another solution to their problem getting new tokens without sending client credentials?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzender des Aufsichtsrats: MinDir Volker Rieke
Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender),
Karsten Beneke (stellv. Vorsitzender), Prof. Dr. Astrid Lambrecht,
Prof. Dr. Frauke Melchior
-----------------------------------------------------------------------
-----------------------------------------------------------------------
From: Sander A. <sa....@fz...> - 2022-06-30 05:09:28
Good morning Roman,

I attached our log config file. We changed the Root Level from DEBUG to TRACE and from TRACE to DEBUG. In both cases the logging stopped and nothing was written to the file or the log rotation was not done for several days.

Best regards,
Sander

On Wed, 2022-06-29 at 16:43 +0200, Roman Krysiński wrote:
> Hi Sander,
>
> Could you please provide the log config file with information about
> what changes were made?
>
> Thank you,
> Roman
>
> Tue, 28 Jun 2022 at 14:48 Sander Apweiler <sa....@fz...> wrote:
> > Hi Krzysztof,
> > hi Roman,
> >
> > we might have found a serious bug in unity. When we change the root
> > loglevel and do not restart unity, it stops logging. We have reproduced
> > this issue. Unity itself is running without any further problems, but
> > we don't have any log entries since changing the log level.
> >
> > Best regards,
> > Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Roman K. <ro...@un...> - 2022-06-29 14:43:44
Hi Sander,

Could you please provide the log config file with information about what changes were made?

Thank you,
Roman

Tue, 28 Jun 2022 at 14:48 Sander Apweiler <sa....@fz...> wrote:
> Hi Krzysztof,
> hi Roman,
>
> we might have found a serious bug in unity. When we change the root
> loglevel and do not restart unity, it stops logging. We have reproduced
> this issue. Unity itself is running without any further problems, but
> we don't have any log entries since changing the log level.
>
> Best regards,
> Sander
> --
> Federated Systems and Data
> Juelich Supercomputing Centre
>
> phone: +49 2461 61 8847
> fax: +49 2461 61 6656
> email: sa....@fz...
From: Sander A. <sa....@fz...> - 2022-06-28 12:48:44
Hi Krzysztof,
hi Roman,

we might have found a serious bug in unity. When we change the root loglevel and do not restart unity, it stops logging. We have reproduced this issue. Unity itself is running without any further problems, but we don't have any log entries since changing the log level.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Krzysztof B. <kb...@un...> - 2022-06-08 07:31:12
Hi Sander,

On 31.05.2022 at 13:16, Krzysztof Benedyczak wrote:
>> 4. Is schema and mapping definition only online possible? I assume yes.
>
> No, you can also do it with config file. However, we haven't
> documented the JSON format :-).
>
> It is so complex that I think it is anyway the only way to do it with
> a help of proper UI.
>
> Still if you want to eventually have this file configured we can
> easily add an option to export schema with mapping as a file. Then it
> would be only pointed in the configuration. How does it sound?
>
> BTW note that in UI you can import schema file (w/o mappings) already.

In case you missed that: in 3.9.1 the export feature mentioned above is already available.

HTH,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2022-06-07 10:51:21
Dear Subscribers,

A new release was published with the following content:

* We have delivered further SAML performance optimizations which are based on the groundwork of the 3.9.0 release. Currently the speed of loading, refreshing and handling of even super-large SAML federations should be excellent. We are finally happy with the performance of this area now.
* Export of SCIM schema (together with mapping) was added. It can be used in a file configuration.
* The Spring dependency with a serious (but rather not relevant for Unity) security vulnerability was upgraded – to be on the safe side.
* A few minor bugs were fixed.

All relevant assets are available at https://unity-idm.eu/releases/release-3-9-1

Best regards,
Krzysztof
From: Sander A. <sa....@fz...> - 2022-06-07 05:38:31
Good morning Krzysztof,

today it works fine as expected. I assume that the IdP did still use the old certificate, although the admin said they updated it.

Best regards,
Sander

On Fri, 2022-06-03 at 13:45 +0200, Sander Apweiler wrote:
> Hi Krzysztof,
> we updated our certificate today and split the web part and the SAML
> signing part into two different certificates. While the Webserver part
> and the SAML part in direction to SPs is working fine, I got errors while
> trying to login with our IdP. I see an unable to find a decryption key
> error in the logs. The IdP admin said, he already fetched the new
> federation metadata which contains the new signing certificate. Do you
> know some other reasons for the problem? Stacktrace and config are
> below.
>
> Cheers,
> Sander
>
> pki.properties:
> unity.pki.credentials.SAML.format=pkcs12
> unity.pki.credentials.SAML.path=/usr/local/unity/pki/b2access.eudat.eu_SAML.p12
> unity.pki.credentials.SAML.keyAlias=saml
> unity.pki.credentials.SAML.password=********
> unity.pki.truststores.SAML.type=directory
> unity.pki.truststores.SAML.allowProxy=DENY
> unity.pki.truststores.SAML.directoryLocations.1=/usr/local/unity/certs/*
> unity.pki.truststores.SAML.crlLocations.1=/etc/grid-security/certificates/*.crl
> unity.pki.truststores.SAML.directoryEncoding=PEM
> unity.pki.truststores.SAML.crlUpdateInterval=400
>
> remoteSamlAuth.properties:
> unity.saml.requester.requesterCredential=SAML
>
>
> 2022-06-03T13:36:27,462 [qtp1691841404-39] ERROR org.apache.xml.security.encryption.XMLCipher: XMLCipher::decryptElement unable to resolve a decryption key
> 2022-06-03T13:36:27,462 [qtp1691841404-39] INFO unity.server.saml.SAMLResponseVerificator: SAML response verification or processing failed
> pl.edu.icm.unity.engine.api.authn.RemoteAuthenticationException: The SAML response is either invalid or is issued by an untrusted identity provider.
>     at pl.edu.icm.unity.saml.SAMLResponseValidatorUtil.verifySAMLResponse(SAMLResponseValidatorUtil.java:89) ~[unity-server-saml-3.8.1.jar:?]
>     at pl.edu.icm.unity.saml.sp.SAMLResponseVerificator.getRemotelyAuthenticatedInput(SAMLResponseVerificator.java:118) ~[unity-server-saml-3.8.1.jar:?]
>     at pl.edu.icm.unity.saml.sp.SAMLResponseVerificator.verifySAMLResponse(SAMLResponseVerificator.java:88) ~[unity-server-saml-3.8.1.jar:?]
>     at pl.edu.icm.unity.saml.sp.SAMLResponseVerificator.processResponse(SAMLResponseVerificator.java:75) ~[unity-server-saml-3.8.1.jar:?]
>     at pl.edu.icm.unity.saml.sp.SAMLVerificator.processResponse(SAMLVerificator.java:289) ~[unity-server-saml-3.8.1.jar:?]
>     at pl.edu.icm.unity.engine.api.authn.remote.RedirectedAuthnState.processAnswer(RedirectedAuthnState.java:99) ~[unity-server-engine-api-3.8.1.jar:?]
>     at pl.edu.icm.unity.engine.authn.remote.RemoteAuthnResponseProcessorImpl.processResponseInProductionMode(RemoteAuthnResponseProcessorImpl.java:62) ~[unity-server-engine-3.8.1.jar:?]
>     at pl.edu.icm.unity.engine.authn.remote.RemoteAuthnResponseProcessorImpl.processResponse(RemoteAuthnResponseProcessorImpl.java:52) ~[unity-server-engine-3.8.1.jar:?]
>     at pl.edu.icm.unity.webui.authn.remote.RemoteRedirectedAuthnResponseProcessingFilter.doFilter(RemoteRedirectedAuthnResponseProcessingFilter.java:78) ~[unity-server-web-common-3.8.1.jar:?]
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) ~[jetty-servlet-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601) ~[jetty-servlet-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548) ~[jetty-servlet-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1434) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501) ~[jetty-servlet-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1349) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:68) ~[unity-server-engine-3.8.1.jar:?]
>     at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:234) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322) ~[jetty-rewrite-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:763) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.server.Server.handle(Server.java:516) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:216) ~[unity-server-engine-3.8.1.jar:?]
>     at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:400) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:645) [jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:392) [jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277) [jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) [jetty-io-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105) [jetty-io-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:555) [jetty-io-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:410) [jetty-io-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:164) [jetty-io-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105) [jetty-io-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104) [jetty-io-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338) [jetty-util-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315) [jetty-util-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173) [jetty-util-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131) [jetty-util-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:409) [jetty-util-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883) [jetty-util-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034) [jetty-util-9.4.44.v20210927.jar:9.4.44.v20210927]
>     at java.lang.Thread.run(Thread.java:829) [?:?]
> Caused by: eu.unicore.samly2.exceptions.SAMLValidationException: XML handling problem during retrieval of response assertions
>     at eu.unicore.samly2.validators.SSOAuthnResponseValidator.validate(SSOAuthnResponseValidator.java:97) ~[samly2-2.7.1.jar:?]
>     at pl.edu.icm.unity.saml.SAMLResponseValidatorUtil.verifySAMLResponse(SAMLResponseValidatorUtil.java:86) ~[unity-server-saml-3.8.1.jar:?]
>     ... 49 more
> Caused by: org.apache.xml.security.encryption.XMLEncryptionException: encryption.nokey
>     at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1746) ~[xmlsec-2.2.2.jar:2.2.2]
>     at org.apache.xml.security.encryption.XMLCipher.decryptElement(XMLCipher.java:1662) ~[xmlsec-2.2.2.jar:2.2.2]
>     at org.apache.xml.security.encryption.XMLCipher.doFinal(XMLCipher.java:946) ~[xmlsec-2.2.2.jar:2.2.2]
>     at eu.unicore.security.enc.EncryptionUtil.decrypt(EncryptionUtil.java:53) ~[samly2-2.7.1.jar:?]
>     at eu.unicore.samly2.assertion.AssertionParser.<init>(AssertionParser.java:74) ~[samly2-2.7.1.jar:?]
>     at eu.unicore.samly2.SAMLUtils.extractAllAssertions(SAMLUtils.java:204) ~[samly2-2.7.1.jar:?]
>     at eu.unicore.samly2.validators.SSOAuthnResponseValidator.validate(SSOAuthnResponseValidator.java:94) ~[samly2-2.7.1.jar:?]
>     at pl.edu.icm.unity.saml.SAMLResponseValidatorUtil.verifySAMLResponse(SAMLResponseValidatorUtil.java:86) ~[unity-server-saml-3.8.1.jar:?]
>     ... 49 more
> 2022-06-03T13:36:27,463 [qtp1691841404-39] INFO unity.server.authn.InteractiveAuthneticationProcessorImpl: Authentication failure: AuthenticationProcessorImpl.authnFailed deny
>

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Sander A. <sa....@fz...> - 2022-06-03 11:45:40
Hi Krzysztof,

we updated our certificate today and split the web part and the SAML signing part into two different certificates. While the Webserver part and the SAML part in direction to SPs is working fine, I got errors while trying to login with our IdP. I see an unable to find a decryption key error in the logs. The IdP admin said, he already fetched the new federation metadata which contains the new signing certificate. Do you know some other reasons for the problem? Stacktrace and config are below.

Cheers,
Sander

pki.properties:
unity.pki.credentials.SAML.format=pkcs12
unity.pki.credentials.SAML.path=/usr/local/unity/pki/b2access.eudat.eu_SAML.p12
unity.pki.credentials.SAML.keyAlias=saml
unity.pki.credentials.SAML.password=********
unity.pki.truststores.SAML.type=directory
unity.pki.truststores.SAML.allowProxy=DENY
unity.pki.truststores.SAML.directoryLocations.1=/usr/local/unity/certs/*
unity.pki.truststores.SAML.crlLocations.1=/etc/grid-security/certificates/*.crl
unity.pki.truststores.SAML.directoryEncoding=PEM
unity.pki.truststores.SAML.crlUpdateInterval=400

remoteSamlAuth.properties:
unity.saml.requester.requesterCredential=SAML


2022-06-03T13:36:27,462 [qtp1691841404-39] ERROR org.apache.xml.security.encryption.XMLCipher: XMLCipher::decryptElement unable to resolve a decryption key
2022-06-03T13:36:27,462 [qtp1691841404-39] INFO unity.server.saml.SAMLResponseVerificator: SAML response verification or processing failed
pl.edu.icm.unity.engine.api.authn.RemoteAuthenticationException: The SAML response is either invalid or is issued by an untrusted identity provider.
    at pl.edu.icm.unity.saml.SAMLResponseValidatorUtil.verifySAMLResponse(SAMLResponseValidatorUtil.java:89) ~[unity-server-saml-3.8.1.jar:?]
    at pl.edu.icm.unity.saml.sp.SAMLResponseVerificator.getRemotelyAuthenticatedInput(SAMLResponseVerificator.java:118) ~[unity-server-saml-3.8.1.jar:?]
    at pl.edu.icm.unity.saml.sp.SAMLResponseVerificator.verifySAMLResponse(SAMLResponseVerificator.java:88) ~[unity-server-saml-3.8.1.jar:?]
    at pl.edu.icm.unity.saml.sp.SAMLResponseVerificator.processResponse(SAMLResponseVerificator.java:75) ~[unity-server-saml-3.8.1.jar:?]
    at pl.edu.icm.unity.saml.sp.SAMLVerificator.processResponse(SAMLVerificator.java:289) ~[unity-server-saml-3.8.1.jar:?]
    at pl.edu.icm.unity.engine.api.authn.remote.RedirectedAuthnState.processAnswer(RedirectedAuthnState.java:99) ~[unity-server-engine-api-3.8.1.jar:?]
    at pl.edu.icm.unity.engine.authn.remote.RemoteAuthnResponseProcessorImpl.processResponseInProductionMode(RemoteAuthnResponseProcessorImpl.java:62) ~[unity-server-engine-3.8.1.jar:?]
    at pl.edu.icm.unity.engine.authn.remote.RemoteAuthnResponseProcessorImpl.processResponse(RemoteAuthnResponseProcessorImpl.java:52) ~[unity-server-engine-3.8.1.jar:?]
    at pl.edu.icm.unity.webui.authn.remote.RemoteRedirectedAuthnResponseProcessingFilter.doFilter(RemoteRedirectedAuthnResponseProcessingFilter.java:78) ~[unity-server-web-common-3.8.1.jar:?]
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) ~[jetty-servlet-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601) ~[jetty-servlet-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548) ~[jetty-servlet-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1434) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501) ~[jetty-servlet-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1349) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
    at pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:68) ~[unity-server-engine-3.8.1.jar:?]
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:234) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322) ~[jetty-rewrite-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:763) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.server.Server.handle(Server.java:516) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
    at pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:216) ~[unity-server-engine-3.8.1.jar:?]
    at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:400) ~[jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:645) [jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:392) [jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277) [jetty-server-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) [jetty-io-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105) [jetty-io-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:555) [jetty-io-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:410) [jetty-io-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:164) [jetty-io-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105) [jetty-io-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104) [jetty-io-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338) [jetty-util-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315) [jetty-util-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173) [jetty-util-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131) [jetty-util-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:409) [jetty-util-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883) [jetty-util-9.4.44.v20210927.jar:9.4.44.v20210927]
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034) [jetty-util-9.4.44.v20210927.jar:9.4.44.v20210927]
    at java.lang.Thread.run(Thread.java:829) [?:?]
Caused by: eu.unicore.samly2.exceptions.SAMLValidationException: XML handling problem during retrieval of response assertions
    at eu.unicore.samly2.validators.SSOAuthnResponseValidator.validate(SSOAuthnResponseValidator.java:97) ~[samly2-2.7.1.jar:?]
    at pl.edu.icm.unity.saml.SAMLResponseValidatorUtil.verifySAMLResponse(SAMLResponseValidatorUtil.java:86) ~[unity-server-saml-3.8.1.jar:?]
    ... 49 more
Caused by: org.apache.xml.security.encryption.XMLEncryptionException: encryption.nokey
    at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1746) ~[xmlsec-2.2.2.jar:2.2.2]
    at org.apache.xml.security.encryption.XMLCipher.decryptElement(XMLCipher.java:1662) ~[xmlsec-2.2.2.jar:2.2.2]
    at org.apache.xml.security.encryption.XMLCipher.doFinal(XMLCipher.java:946) ~[xmlsec-2.2.2.jar:2.2.2]
    at eu.unicore.security.enc.EncryptionUtil.decrypt(EncryptionUtil.java:53) ~[samly2-2.7.1.jar:?]
    at eu.unicore.samly2.assertion.AssertionParser.<init>(AssertionParser.java:74) ~[samly2-2.7.1.jar:?]
    at eu.unicore.samly2.SAMLUtils.extractAllAssertions(SAMLUtils.java:204) ~[samly2-2.7.1.jar:?]
    at eu.unicore.samly2.validators.SSOAuthnResponseValidator.validate(SSOAuthnResponseValidator.java:94) ~[samly2-2.7.1.jar:?]
    at pl.edu.icm.unity.saml.SAMLResponseValidatorUtil.verifySAMLResponse(SAMLResponseValidatorUtil.java:86) ~[unity-server-saml-3.8.1.jar:?]
    ... 49 more
2022-06-03T13:36:27,463 [qtp1691841404-39] INFO unity.server.authn.InteractiveAuthneticationProcessorImpl: Authentication failure: AuthenticationProcessorImpl.authnFailed deny

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
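An added operator-side check for the failure in this thread, not part of Unity or of the original post: after a SAML key rollover, `XMLCipher ... unable to resolve a decryption key` on the SP means the IdP encrypted the assertion to a certificate the SP no longer holds, so the thing to verify is which encryption certificate the federation metadata actually publishes for our entityID versus the one in our own credential. The entityID, the two certificate blobs and the metadata snippet are constructed placeholders (not real X.509 data), so the comparison is by SHA-256 fingerprint of the raw bytes.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def fingerprint(der: bytes) -> str:
    """SHA-256 over the raw certificate bytes, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour (e.g. the output of 'openssl pkcs12 -nokeys') and decode."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def published_encryption_certs(metadata_xml: str, entity_id: str) -> List[str]:
    """Fingerprints of every certificate the metadata allows for encrypting to entity_id.

    A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption, so it counts; a 'signing'-only descriptor does not.
    """
    root = ET.fromstring(metadata_xml)
    found: List[str] = []
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if ed.get("entityID") != entity_id:
            continue
        for kd in ed.findall(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
            if kd.get("use") not in (None, "encryption"):
                continue
            for cert in kd.findall(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join((cert.text or "").split()))
                found.append(fingerprint(der))
    return found


def rollover_status(metadata_xml: str, entity_id: str, local_pem: str) -> Dict[str, object]:
    """Does the metadata the IdP consumes carry the key we now decrypt with?"""
    local_fp = fingerprint(pem_to_der(local_pem))
    published = published_encryption_certs(metadata_xml, entity_id)
    return {
        "local": local_fp,
        "published": published,
        "current_key_published": local_fp in published,
        "stale_keys_published": [fp for fp in published if fp != local_fp],
    }


# Constructed placeholders standing in for DER-encoded certificates (not real X.509).
OLD_CERT_DER = b"constructed-old-saml-certificate"
NEW_CERT_DER = b"constructed-new-saml-certificate"
SP_ENTITY_ID = "https://sp.example.org/saml"  # constructed entityID


def as_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64


def sample_metadata(der: bytes, use: Optional[str] = "encryption") -> str:
    """Minimal constructed federation metadata with one KeyDescriptor for our SP."""
    use_attr = ' use="%s"' % use if use else ""
    return (
        '<md:EntitiesDescriptor xmlns:md="%s" xmlns:ds="%s">'
        '<md:EntityDescriptor entityID="%s"><md:SPSSODescriptor>'
        "<md:KeyDescriptor%s><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s"
        "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        "</md:SPSSODescriptor></md:EntityDescriptor></md:EntitiesDescriptor>"
    ) % (NS["md"], NS["ds"], SP_ENTITY_ID, use_attr, base64.b64encode(der).decode())


if __name__ == "__main__":
    # The thread's situation: we rolled to NEW, the federation still publishes OLD.
    print(rollover_status(sample_metadata(OLD_CERT_DER), SP_ENTITY_ID, as_pem(NEW_CERT_DER)))
```

Run it against the real federation aggregate and the PEM exported from the PKCS12 in `unity.pki.credentials.SAML.path`; if `current_key_published` is false, the IdP side cannot have the new key whatever its refresh status claims.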
From: Krzysztof B. <kb...@un...> - 2022-06-02 09:15:42
|
Good morning Sander,

On 02.06.2022 at 10:57, Sander Apweiler wrote:
> Good morning Krzysztof,
> thanks again for the information. It is working for password
> authentication. Now we want to enable it for OAuth tokens as well. Can
> we use normal tokens from Unity, if they request the sys:scim:read_profile
> scope? Or do we need to configure a full authenticator besides our
> default OAuth authenticator?

Great to hear that.

Sure, you can use your "normal" tokens from Unity, after enabling SCIM scopes on the IdP OAuth endpoint which issues those tokens (and of course requesting them by your client).

I'm not sure what you mean by "full" vs "default" OAuth authenticator. To enable access with OAuth tokens you need to add an oauth-rp authenticator to your SCIM endpoint, and this authenticator should validate tokens issued by Unity (or any other provider which you choose). If you have one like that already - sure, you can reuse it, just enable it on the SCIM endpoint.

Best,
Krzysztof |
From: Sander A. <sa....@fz...> - 2022-06-02 08:57:32
|
Good morning Krzysztof,

thanks again for the information. It is working for password authentication. Now we want to enable it for OAuth tokens as well. Can we use normal tokens from Unity, if they request the sys:scim:read_profile scope? Or do we need to configure a full authenticator besides our default OAuth authenticator?

Best regards,
Sander

On Tue, 2022-05-31 at 13:16 +0200, Krzysztof Benedyczak wrote:
> 
> [resending my answer - by mistake I've excluded the ML when answering]
> 
> Good morning Sander,
> 
> On 31.05.2022 at 08:52, Sander Apweiler wrote:
> > Good morning Krzysztof,
> > good morning Roman,
> > 
> > at the moment we are trying to set up the SCIM API and we have some
> > questions.
> > 
> > 1. Do we need to configure the endpoint in core.module like the other
> > endpoints as well? I assume yes.
> 
> If you are not configuring it with the console, then the setup of the
> endpoint in the configuration file is all the same as for all other endpoints.
> 
> Whether you are putting that in the core.module file, or elsewhere, is up
> to you.
> 
> > 2. Do we need to configure all attributes which are available in SCIM
> > within unity.endpoint.scim.membershipAttributes.* ?
> 
> No. This configuration option should enumerate all SCIM attribute names
> (typically just one: "groups") which hold information about user group
> memberships. This configuration influences authorization in case of
> OAuth access: there are separate scopes for accessing group
> membership data.
> 
> > 3. Do we need to configure all groups which are available in SCIM within
> > unity.endpoint.scim.membershipGroups.* ?
> 
> The groups listed in that config setting will be subject to mapping to
> SCIM membership attributes. So yes, however note that child groups are
> also going to be included, which should limit the number of entries
> greatly.
> 
> > 4. Is schema and mapping definition only possible online? I assume yes.
> 
> No, you can also do it with a config file. However, we haven't documented
> the JSON format :-).
> 
> It is so complex that I think it is anyway the only way to do it with the
> help of a proper UI.
> 
> Still, if you want to eventually have this file configured, we can easily
> add an option to export the schema with mapping as a file. Then it would
> only be pointed to in the configuration. How does it sound?
> 
> BTW note that in the UI you can import a schema file (w/o mappings)
> already.
> 
> Best,
> Krzysztof
> 
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss |
From: Roman K. <ro...@un...> - 2022-05-31 11:51:00
|
Dear Subscribers,

I'm thrilled to announce the availability of devops tooling for Unity-IdM!

We have developed a set of Ansible playbooks to make devops teams' lives easier. With the tooling you can automate the most common operations like:

* installation and reinstallation of Unity-IdM in a given version,
* database backup and restore,
* start and stop of the Unity-IdM instance,
* checking the status of the instance, whether it is running or not.

Devops tools are available on GitHub https://github.com/unity-idm/unity-devops/, and are released under an Open Source license. For more information please see the documentation available at GitHub.

Please use the Unity-IdM mailing list (uni...@li...) in case of questions or requests.

Best regards,
Unity-IdM team |
From: Krzysztof B. <kb...@un...> - 2022-05-31 11:16:34
|
[resending my answer - by mistake I've excluded the ML when answering]

Good morning Sander,

On 31.05.2022 at 08:52, Sander Apweiler wrote:
> Good morning Krzysztof,
> good morning Roman,
> 
> at the moment we are trying to set up the SCIM API and we have some
> questions.
> 
> 1. Do we need to configure the endpoint in core.module like the other
> endpoints as well? I assume yes.

If you are not configuring it with the console, then the setup of the endpoint in the configuration file is all the same as for all other endpoints.

Whether you are putting that in the core.module file, or elsewhere, is up to you.

> 2. Do we need to configure all attributes which are available in SCIM
> within unity.endpoint.scim.membershipAttributes.* ?

No. This configuration option should enumerate all SCIM attribute names (typically just one: "groups") which hold information about user group memberships. This configuration influences authorization in case of OAuth access: there are separate scopes for accessing group membership data.

> 3. Do we need to configure all groups which are available in SCIM within
> unity.endpoint.scim.membershipGroups.* ?

The groups listed in that config setting will be subject to mapping to SCIM membership attributes. So yes, however note that child groups are also going to be included, which should limit the number of entries greatly.

> 4. Is schema and mapping definition only possible online? I assume yes.

No, you can also do it with a config file. However, we haven't documented the JSON format :-).

It is so complex that I think it is anyway the only way to do it with the help of a proper UI.

Still, if you want to eventually have this file configured, we can easily add an option to export the schema with mapping as a file. Then it would only be pointed to in the configuration. How does it sound?

BTW note that in the UI you can import a schema file (w/o mappings) already.

Best,
Krzysztof |
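The two rules stated in the answers above (only groups under the configured membershipGroups roots, child groups included, are mapped to SCIM memberships; membership attributes are guarded by an OAuth scope separate from the profile scope, the point also made in the 2022-06-02 exchange about the oauth-rp authenticator and sys:scim:read_profile) are modelled here in Python as an added example. This is illustration written for this page, not Unity-IdM's SCIM implementation: the only real name in it is the sys:scim:read_profile scope. The membership scope name, the sample group paths, the entity record and the way the configured roots are represented are assumptions of the example.

```python
# Added example, not Unity-IdM code. Models two rules from the thread:
#  (1) only groups under the configured membership roots (children
#      included) become SCIM memberships;
#  (2) membership attributes require a scope separate from the profile
#      scope, so a profile-only token never sees group data.

# Stand-in for unity.endpoint.scim.membershipGroups.* (assumed representation).
MEMBERSHIP_GROUP_ROOTS = ["/fzj"]
# Stand-in for unity.endpoint.scim.membershipAttributes.* (assumed representation).
MEMBERSHIP_ATTRIBUTES = {"groups"}

SCOPE_READ_PROFILE = "sys:scim:read_profile"          # name quoted on the list
SCOPE_READ_MEMBERSHIPS = "sys:scim:read_memberships"  # hypothetical name

# Constructed sample entity: slash-separated group paths as Unity uses them.
SAMPLE_ENTITY = {
    "userName": "sander",
    "emails": ["sander@example.org"],
    "groups": ["/", "/fzj", "/fzj/jsc", "/fzj/jsc/fsd", "/other-project"],
}


class Forbidden(Exception):
    """Raised when the presented token does not carry the required scope."""


def is_under_root(group, root):
    """True if group is root itself or a descendant of it. Path semantics,
    so "/fzj-old" is NOT under "/fzj" (a plain prefix test would get that wrong)."""
    if root == "/":
        return True
    return group == root or group.startswith(root.rstrip("/") + "/")


def exposed_memberships(groups, roots=MEMBERSHIP_GROUP_ROOTS):
    """Groups that map to SCIM memberships: those under any configured root."""
    return sorted(g for g in groups if any(is_under_root(g, r) for r in roots))


def to_scim_user(entity, roots=MEMBERSHIP_GROUP_ROOTS):
    """Build a SCIM 2.0 User resource (RFC 7643 core schema) from the entity."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": entity["userName"],
        "emails": [{"value": e} for e in entity["emails"]],
        "groups": [{"value": g, "display": g}
                   for g in exposed_memberships(entity["groups"], roots)],
    }


def scopes_of(token_claims):
    """Granted scopes from a validated token; space-separated 'scope' claim
    as returned by an RFC 7662 introspection response."""
    return set(token_claims.get("scope", "").split())


def authorize_user_read(entity, token_claims, roots=MEMBERSHIP_GROUP_ROOTS):
    """Return the view of the user the token holder may see, or raise Forbidden."""
    scopes = scopes_of(token_claims)
    if SCOPE_READ_PROFILE not in scopes:
        raise Forbidden("missing scope " + SCOPE_READ_PROFILE)
    user = to_scim_user(entity, roots)
    if SCOPE_READ_MEMBERSHIPS not in scopes:
        # Profile scope alone: strip every configured membership attribute.
        for attr in MEMBERSHIP_ATTRIBUTES:
            user.pop(attr, None)
    return user


if __name__ == "__main__":
    import json
    print(json.dumps(authorize_user_read(SAMPLE_ENTITY, {"scope": SCOPE_READ_PROFILE}), indent=2))
    print(json.dumps(authorize_user_read(
        SAMPLE_ENTITY, {"scope": SCOPE_READ_PROFILE + " " + SCOPE_READ_MEMBERSHIPS}), indent=2))
```

The path test in is_under_root is the detail worth keeping when configuring membershipGroups: a sibling group whose name merely starts with the root's name must not leak into the SCIM view, which a naive string prefix check would allow.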
From: Sander A. <sa....@fz...> - 2022-05-31 06:52:57
|
Good morning Krzysztof,
good morning Roman,

at the moment we are trying to set up the SCIM API and we have some questions.

1. Do we need to configure the endpoint in core.module like the other endpoints as well? I assume yes.

2. Do we need to configure all attributes which are available in SCIM within unity.endpoint.scim.membershipAttributes.* ?

3. Do we need to configure all groups which are available in SCIM within unity.endpoint.scim.membershipGroups.* ?

4. Is schema and mapping definition only possible online? I assume yes.

Best regards,
Sander |
From: Sander A. <sa....@fz...> - 2022-05-05 09:53:17
|
Hi Roman,

we will check this and search for a solution, where we can store it.

Cheers,
Sander

On Thu, 2022-05-05 at 11:49 +0200, Roman Krysiński wrote:
> Hi Sander,
> 
> Thanks for reaching out, indeed we are in the process of
> enhancing the SAML metadata processing - which is not yet fully
> completed.
> Would it be possible to provide an anonymized sample of the log file
> with representative records that flood the file?
> 
> Thank you,
> Roman
> 
> 
> Mon, 2 May 2022 at 10:30 Sander Apweiler <sa....@fz...>
> wrote:
> > Good morning again,
> > we inspected a few things.
> > 
> > 1. The unity.saml.requester.metadataSource.*.refreshInterval is
> > ignored. Instead of updating the metadata every 12 hours it updated it
> > every hour.
> > 
> > 2. The output of metadata updates increased very much. Having the same
> > log config, unity 3.8.1 created in one hour ~150,000 lines, unity 3.9.0
> > created in the first hour after startup 145,000,000 lines. Mainly by
> > updating the IdPs from the metadata source.
> > 
> > Best regards,
> > Sander
> > 
> > On Mon, 2022-05-02 at 09:03 +0200, Sander Apweiler wrote:
> > > Good Morning Krzysztof,
> > > we updated on Friday afternoon one of our unity instances to 3.9.0.
> > > Today we saw that the log exploded after the update: within 7 hours
> > > unity wrote a 25GB log file. We had parts running on trace level but
> > > had not that size before. The gzip-compressed log files for the days
> > > before the update are 61MB. Because there is nothing about updating from
> > > 3.8 to 3.9 in the manual, do we need to change the log config? Of course
> > > there can be another reason for the log size and we are investigating
> > > the log at the moment.
> > > 
> > > Best regards,
> > > Sander |
From: Roman K. <ro...@un...> - 2022-05-05 09:49:44
|
Hi Sander,

Thanks for reaching out, indeed we are in the process of enhancing the SAML metadata processing - which is not yet fully completed.
Would it be possible to provide an anonymized sample of the log file with representative records that flood the file?

Thank you,
Roman

Mon, 2 May 2022 at 10:30 Sander Apweiler <sa....@fz...> wrote:
> Good morning again,
> we inspected a few things.
> 
> 1. The unity.saml.requester.metadataSource.*.refreshInterval is
> ignored. Instead of updating the metadata every 12 hours it updated it
> every hour.
> 
> 2. The output of metadata updates increased very much. Having the same
> log config, unity 3.8.1 created in one hour ~150,000 lines, unity 3.9.0
> created in the first hour after startup 145,000,000 lines. Mainly by
> updating the IdPs from the metadata source.
> 
> Best regards,
> Sander
> 
> On Mon, 2022-05-02 at 09:03 +0200, Sander Apweiler wrote:
> > Good Morning Krzysztof,
> > we updated on Friday afternoon one of our unity instances to 3.9.0.
> > Today we saw that the log exploded after the update: within 7 hours
> > unity wrote a 25GB log file. We had parts running on trace level but
> > had not that size before. The gzip-compressed log files for the days
> > before the update are 61MB. Because there is nothing about updating from 3.8
> > to 3.9 in the manual, do we need to change the log config? Of course
> > there can be another reason for the log size and we are investigating
> > the log at the moment.
> > 
> > Best regards,
> > Sander |
From: Sander A. <sa....@fz...> - 2022-05-02 08:30:44
|
Good morning again,

we inspected a few things.

1. The unity.saml.requester.metadataSource.*.refreshInterval is ignored. Instead of updating the metadata every 12 hours it updated it every hour.

2. The output of metadata updates increased very much. Having the same log config, unity 3.8.1 created in one hour ~150,000 lines, unity 3.9.0 created in the first hour after startup 145,000,000 lines. Mainly by updating the IdPs from the metadata source.

Best regards,
Sander

On Mon, 2022-05-02 at 09:03 +0200, Sander Apweiler wrote:
> Good Morning Krzysztof,
> we updated on Friday afternoon one of our unity instances to 3.9.0.
> Today we saw that the log exploded after the update: within 7 hours
> unity wrote a 25GB log file. We had parts running on trace level but
> had not that size before. The gzip-compressed log files for the days
> before the update are 61MB. Because there is nothing about updating from 3.8
> to 3.9 in the manual, do we need to change the log config? Of course
> there can be another reason for the log size and we are investigating
> the log at the moment.
> 
> Best regards,
> Sander |
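The triage step behind the two observations above (finding which logger category is flooding the file, so its level can be raised while the rest of the log stays usable) as an added Python example, not a Unity-IdM tool. It charges every physical line of the log, stack-trace continuation lines included, to the logger and level of the record that produced it. The record layout is the one visible in the Unity log excerpts on this list; the sample lines, the thread names and every logger name except the authn one are constructed for the example.

```python
import re
import sys
from collections import Counter

# Record header layout as it appears in Unity log excerpts on this list:
#   2022-06-03T13:36:27,463 [qtp1691841404-39] INFO unity.server.authn.X: message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3}) \[(?P<thread>[^\]]+)\] "
    r"(?P<level>TRACE|DEBUG|INFO|WARN|ERROR|FATAL) (?P<logger>\S+): (?P<msg>.*)$"
)

# Constructed sample: only the layout is Unity's; content, thread names and
# the logger names other than the authn one are made up for this example.
SAMPLE_LOG = """\
2022-05-02T08:00:01,001 [pool-2-thread-1] TRACE unity.server.saml.metadata: Updating IdP https://idp.example.org/idp/shibboleth from metadata source edugain
2022-05-02T08:00:01,002 [pool-2-thread-1] TRACE unity.server.saml.metadata: Updating IdP https://idp.example.net/idp/shibboleth from metadata source edugain
2022-05-02T08:00:01,003 [pool-2-thread-1] TRACE unity.server.saml.metadata: Updating IdP https://idp.example.com/idp/shibboleth from metadata source edugain
2022-05-02T08:00:01,004 [pool-2-thread-1] TRACE unity.server.saml.metadata: Updating IdP https://idp.example.edu/idp/shibboleth from metadata source edugain
2022-05-02T08:00:02,100 [qtp1691841404-39] INFO unity.server.authn.InteractiveAuthneticationProcessorImpl: Authentication failure: AuthenticationProcessorImpl.authnFailed deny
2022-05-02T08:00:02,150 [qtp1691841404-39] ERROR unity.server.saml.SAMLResponseValidatorUtil: SAML response validation failed
eu.unicore.samly2.exceptions.SAMLValidationException: XML handling problem during retrieval of response assertions
\tat eu.unicore.samly2.validators.SSOAuthnResponseValidator.validate(SSOAuthnResponseValidator.java:97)
2022-05-02T08:00:03,200 [qtp1691841404-40] DEBUG unity.server.core: Session created
"""


def records(text):
    """Yield (logger, level) once per physical line. Lines without a record
    header (exception lines, stack-trace frames) are charged to the preceding
    record, since that record is what produced the bytes on disk."""
    current = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            current = (m.group("logger"), m.group("level"))
        if current is not None:
            yield current


def volume_by_logger(text):
    """Physical lines per (logger, level)."""
    return Counter(records(text))


def top_offenders(text, n=None):
    """(logger, level, lines, share_of_total) sorted by volume, descending."""
    counts = volume_by_logger(text)
    total = sum(counts.values()) or 1
    return [(logger, level, c, c / total) for (logger, level), c in counts.most_common(n)]


def noisy_debug_loggers(text, min_share=0.3):
    """TRACE/DEBUG loggers producing at least min_share of all lines: the first
    candidates for raising the level in the logging configuration."""
    return [logger for logger, level, _, share in top_offenders(text)
            if level in ("TRACE", "DEBUG") and share >= min_share]


if __name__ == "__main__":
    # Against a real file: python log_triage.py unity-server.log
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for logger, level, lines, share in top_offenders(text, n=10):
        print(f"{share:6.1%} {lines:>10} {level:<5} {logger}")
    print("raise level for:", noisy_debug_loggers(text))
```

Charging continuation lines to their record matters for the 25GB case: a single ERROR with a long stack trace can outweigh many one-line INFO records, and a per-header count alone would hide that.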
From: Sander A. <sa....@fz...> - 2022-05-02 07:03:49
|
Good Morning Krzysztof,

we updated on Friday afternoon one of our unity instances to 3.9.0. Today we saw that the log exploded after the update: within 7 hours unity wrote a 25GB log file. We had parts running on trace level but had not that size before. The gzip-compressed log files for the days before the update are 61MB. Because there is nothing about updating from 3.8 to 3.9 in the manual, do we need to change the log config? Of course there can be another reason for the log size and we are investigating the log at the moment.

Best regards,
Sander |
From: Krzysztof B. <kb...@un...> - 2022-04-21 07:57:19
|
Hi Sander,

On 21.04.2022 at 07:47, Sander Apweiler wrote:
> Good morning Krzysztof,
> was this added to the 3.9.0 release? If yes, how do we configure this? At
> least I didn't find it in the manual.

Yes, it was :-)

See https://www.unity-idm.eu/documentation/unity-3.9.0/manual.html#_output_translation

In the MVEL context you have new variables: 'mfa' and 'authenticatedWith'.

HTH,
Krzysztof

> Best regards,
> Sander
> 
> On Thu, 2022-03-03 at 09:03 +0100, Krzysztof Benedyczak wrote:
>> Hi,
>> 
>> On 02.03.2022 at 09:39, Sander Apweiler wrote:
>>> Good morning Krzysztof,
>>> 
>>> On Tue, 2022-03-01 at 17:24 +0100, Krzysztof Benedyczak wrote:
>>>> hi,
>>>> 
>>>> On 01.03.2022 at 08:15, Sander Apweiler wrote:
>>>>> Good morning Krzysztof,
>>>>> good morning Roman,
>>>>> 
>>>>> sorry for the next topic I open here. Hopefully it is easy to
>>>>> answer/solve. We are testing the 2FA using OTP. So far it works fine.
>>>>> But we are looking at how we could signal a service that 2FA was used.
>>>>> Is there a way to get this information within unity? Maybe fetching
>>>>> the credential status and if it is enabled for the user could help.
>>>> Unfortunately it is not exposed in the output profile context. There are
>>>> authenticated identities but no info about factors used to authenticate.
>>>> Adding that is basically one line of code (maybe two - there are two
>>>> factors) - so no problem to deliver that quickly.
>>> That would be great. In this case we could avoid having multiple OAuth
>>> or SAML, one with mandatory 2FA and one with optional.
>> No problem, I've opened a ticket to track that, should be in the next
>> feature release.
>> 
>> Best,
>> Krzysztof
>> |
From: Sander A. <sa....@fz...> - 2022-04-21 05:47:01
|
Good morning Krzysztof,

was this added to the 3.9.0 release? If yes, how do we configure this? At least I didn't find it in the manual.

Best regards,
Sander

On Thu, 2022-03-03 at 09:03 +0100, Krzysztof Benedyczak wrote:
> Hi,
> 
> On 02.03.2022 at 09:39, Sander Apweiler wrote:
> > Good morning Krzysztof,
> > 
> > On Tue, 2022-03-01 at 17:24 +0100, Krzysztof Benedyczak wrote:
> > > hi,
> > > 
> > > On 01.03.2022 at 08:15, Sander Apweiler wrote:
> > > > Good morning Krzysztof,
> > > > good morning Roman,
> > > > 
> > > > sorry for the next topic I open here. Hopefully it is easy to
> > > > answer/solve. We are testing the 2FA using OTP. So far it works fine.
> > > > But we are looking at how we could signal a service that 2FA was used.
> > > > Is there a way to get this information within unity? Maybe fetching
> > > > the credential status and if it is enabled for the user could help.
> > > Unfortunately it is not exposed in the output profile context. There are
> > > authenticated identities but no info about factors used to authenticate.
> > > Adding that is basically one line of code (maybe two - there are two
> > > factors) - so no problem to deliver that quickly.
> > That would be great. In this case we could avoid having multiple OAuth
> > or SAML, one with mandatory 2FA and one with optional.
> 
> No problem, I've opened a ticket to track that, should be in the next
> feature release.
> 
> Best,
> Krzysztof
> |
From: Krzysztof B. <kb...@un...> - 2022-04-11 12:25:38
|
Dear Subscribers,

I'm happy to announce general availability of the 3.9.0 release. It includes the following changes:

* A major update of SAML authentication
* SCIM read-only endpoint
* Console attribute editor & string attributes editing improvements
* New, fast REST APIs
* Unity version information in console
* Exposing factors used during authentication in Output profile

as well as a couple of bug fixes.

More information is available at https://unity-idm.eu/releases/release-3-9-0/

Best regards,
Krzysztof |
From: Sander A. <sa....@fz...> - 2022-03-31 05:56:11
|
Good morning Krzysztof,

thanks for all the information. We updated our second metadata file to the 12 hour interval.

Best regards,
Sander

On Wed, 2022-03-30 at 12:47 +0200, Krzysztof Benedyczak wrote:
> On 30.03.2022 at 09:11, Sander Apweiler wrote:
> > Good morning,
> > we encountered a problem using
> > unity.saml.requester.metadataSource.*.refreshInterval. Because the
> > refresh of eduGAIN metadata takes up to 3-4 minutes and slows down the
> > login, we decided to update it every 12 hours instead of every hour.
> > For this we set
> > unity.saml.requester.metadataSource.edugain.refreshInterval=43200
> > and restarted unity. But instead of the expected reload at 7 a.m. and 7 p.m.
> > the metadata is updated every hour. It seems that this parameter is not
> > taken from the config file.
> 
> And BTW in 3.9 refresh of eduGAIN metadata should be in seconds. E.g. on
> my last test it was 19s, out of which more than half was the metadata
> download, which is not blocking anything.
> 
> Cheers,
> Krzysztof
> |
From: Krzysztof B. <kb...@un...> - 2022-03-30 10:47:30
|
On 30.03.2022 at 09:11, Sander Apweiler wrote:
> Good morning,
> we encountered a problem using
> unity.saml.requester.metadataSource.*.refreshInterval. Because the
> refresh of eduGAIN metadata takes up to 3-4 minutes and slows down the
> login, we decided to update it every 12 hours instead of every hour.
> For this we set
> unity.saml.requester.metadataSource.edugain.refreshInterval=43200
> and restarted unity. But instead of the expected reload at 7 a.m. and 7 p.m.
> the metadata is updated every hour. It seems that this parameter is not
> taken from the config file.

And BTW in 3.9 refresh of eduGAIN metadata should be in seconds. E.g. on my last test it was 19s, out of which more than half was the metadata download, which is not blocking anything.

Cheers,
Krzysztof |
From: Krzysztof B. <kb...@un...> - 2022-03-30 10:33:11
|
Hi Sander,

On 30.03.2022 at 09:11, Sander Apweiler wrote:
> Good morning,
> we encountered a problem using
> unity.saml.requester.metadataSource.*.refreshInterval. Because the
> refresh of eduGAIN metadata takes up to 3-4 minutes and slows down the
> login, we decided to update it every 12 hours instead of every hour.
> For this we set
> unity.saml.requester.metadataSource.edugain.refreshInterval=43200
> and restarted unity. But instead of the expected reload at 7 a.m. and 7 p.m.
> the metadata is updated every hour. It seems that this parameter is not
> taken from the config file.

I guess it is, but the algorithm there is a bit simplified, i.e. refreshing takes place at the lowest refresh interval of all your SAML metadata sources. I will open a ticket to improve that, shouldn't be hard.

Cheers,
Krzysztof |
From: Sander A. <sa....@fz...> - 2022-03-30 07:11:22
|
Good morning,

we encountered a problem using unity.saml.requester.metadataSource.*.refreshInterval. Because the refresh of eduGAIN metadata takes up to 3-4 minutes and slows down the login, we decided to update it every 12 hours instead of every hour. For this we set

unity.saml.requester.metadataSource.edugain.refreshInterval=43200

and restarted unity. But instead of the expected reload at 7 a.m. and 7 p.m. the metadata is updated every hour. It seems that this parameter is not taken from the config file.

Best regards,
Sander |