From: Sander A. <sa....@fz...> - 2022-06-02 08:57:32

Good morning Krzysztof,

thanks again for the information. It is working for password authentication. Now we want to enable it for OAuth tokens as well. Can we use normal tokens from Unity, if they request the sys:scim:read_profile scope? Or do we need to configure a full authenticator beside our default OAuth authenticator?

Best regards,
Sander

On Tue, 2022-05-31 at 13:16 +0200, Krzysztof Benedyczak wrote:
> [resending my answer - by mistake I've excluded ML when answering]
>
> Good morning Sander,
>
> On 31.05.2022 at 08:52, Sander Apweiler wrote:
> > Good morning Krzysztof,
> > good morning Roman,
> >
> > at the moment we are trying to set up the SCIM API and we have some
> > questions.
> >
> > 1. Do we need to configure the endpoint in core.module like the other
> > endpoints as well? I assume yes.
>
> If you are not configuring it with console, then the setup of the
> endpoint in configuration file is all the same as all other endpoints.
>
> Whether you are putting that in the core.module file, or elsewhere is
> up to you.
>
> > 2. Do we need to configure all attributes which are available in SCIM
> > within unity.endpoint.scim.membershipAttributes.* ?
>
> No. This configuration option should enumerate all SCIM attribute names
> (typically just one: "groups") which hold information about user group
> memberships. This configuration is influencing authorization in case of
> OAuth access: there are separate scopes for accessing group
> membership data.
>
> > 3. Do we need to configure all groups which are available in SCIM
> > within unity.endpoint.scim.membershipGroups.* ?
>
> The groups listed in that config setting will be subject to mapping to
> SCIM membership attributes. So yes, however note that child groups are
> also going to be included, which should limit the number of entries
> greatly.
>
> > 4. Is schema and mapping definition only possible online? I assume yes.
>
> No, you can also do it with config file. However, we haven't documented
> the JSON format :-).
>
> It is so complex that I think it is anyway the only way to do it with a
> help of proper UI.
>
> Still if you want to eventually have this file configured we can easily
> add an option to export schema with mapping as a file. Then it would be
> only pointed in the configuration. How does it sound?
>
> BTW note that in UI you can import schema file (w/o mappings) already.
>
> Best,
> Krzysztof
>
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren Local Court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Volker Rieke
Management Board: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior
-----------------------------------------------------------------------
From: Roman K. <ro...@un...> - 2022-05-31 11:51:00

Dear Subscribers,

I'm thrilled to announce the availability of devops tooling for Unity-IdM! We have developed a set of Ansible playbooks to make devops teams' lives easier. With the tooling you can automate the most common operations like:

* installation and reinstallation of Unity-IdM in a given version,
* database backup and restore,
* start and stop of the Unity-IdM instance,
* checking the status of an instance, whether it is running or not.

Devops tools are available on GitHub https://github.com/unity-idm/unity-devops/, and are released under an Open Source license. For more information please see the documentation available at GitHub.

Please use the Unity-IdM mailing list (uni...@li...) in case of questions or requests.

Best regards,
Unity-IdM team
From: Krzysztof B. <kb...@un...> - 2022-05-31 11:16:34

[resending my answer - by mistake I've excluded ML when answering]

Good morning Sander,

On 31.05.2022 at 08:52, Sander Apweiler wrote:
> Good morning Krzysztof,
> good morning Roman,
>
> at the moment we are trying to set up the SCIM API and we have some
> questions.
>
> 1. Do we need to configure the endpoint in core.module like the other
> endpoints as well? I assume yes.

If you are not configuring it with console, then the setup of the endpoint in configuration file is all the same as all other endpoints.

Whether you are putting that in the core.module file, or elsewhere is up to you.

> 2. Do we need to configure all attributes which are available in SCIM
> within unity.endpoint.scim.membershipAttributes.* ?

No. This configuration option should enumerate all SCIM attribute names (typically just one: "groups") which hold information about user group memberships. This configuration is influencing authorization in case of OAuth access: there are separate scopes for accessing group membership data.

> 3. Do we need to configure all groups which are available in SCIM within
> unity.endpoint.scim.membershipGroups.* ?

The groups listed in that config setting will be subject to mapping to SCIM membership attributes. So yes, however note that child groups are also going to be included, which should limit the number of entries greatly.

> 4. Is schema and mapping definition only possible online? I assume yes.

No, you can also do it with config file. However, we haven't documented the JSON format :-).

It is so complex that I think it is anyway the only way to do it with a help of proper UI.

Still if you want to eventually have this file configured we can easily add an option to export schema with mapping as a file. Then it would be only pointed in the configuration. How does it sound?

BTW note that in UI you can import schema file (w/o mappings) already.

Best,
Krzysztof
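The membershipGroups answer above (a configured group plus all of its child groups becomes the set of values for the SCIM membership attribute) is modelled in the following added Python example. It is an illustration written for this thread, not Unity-IdM's own code; the properties text and the user's group list are constructed, and slash-separated group paths in Unity's usual style are assumed.

```python
"""Model of how membershipGroups.* entries select the groups exposed
through the SCIM "groups" attribute: a configured group and every group
below it in the hierarchy. Illustration only, not Unity-IdM code."""
from __future__ import annotations

# Key prefix quoted in the mailing list thread.
PREFIX = "unity.endpoint.scim.membershipGroups."

# Constructed sample configuration (properties-file style).
SAMPLE_CONFIG = """
# SCIM endpoint: which groups are mapped to the membership attribute
unity.endpoint.scim.membershipAttributes.1=groups
unity.endpoint.scim.membershipGroups.1=/projects
unity.endpoint.scim.membershipGroups.2=/vo/eudat/
"""

# Constructed sample: all groups a single Unity entity is a member of.
SAMPLE_USER_GROUPS = [
    "/", "/projects", "/projects/abc/members", "/project",
    "/projects-old", "/vo/eudat/admins", "/staff",
]


def normalize(path: str) -> str:
    """Canonical group path: leading slash, no trailing slash ("/" for root)."""
    return "/" + path.strip().strip("/")


def parse_membership_groups(properties: str) -> list[str]:
    """Collect the group paths from all membershipGroups.* entries."""
    groups: list[str] = []
    for raw in properties.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().startswith(PREFIX):
            groups.append(normalize(value))
    return groups


def is_same_or_child(group: str, configured: str) -> bool:
    """True if `group` is `configured` itself or lies anywhere below it.

    The "/" boundary matters: "/projects-old" shares a string prefix with
    "/projects" but is a sibling, not a child, and must not be exposed.
    """
    if configured == "/":
        return True  # root configured: every group is a child of root
    return group == configured or group.startswith(configured + "/")


def scim_group_values(user_groups: list[str], configured: list[str]) -> list[str]:
    """Groups of the user that the endpoint would expose as "groups" values."""
    exposed = {
        g for g in map(normalize, user_groups)
        if any(is_same_or_child(g, c) for c in configured)
    }
    return sorted(exposed)


if __name__ == "__main__":
    configured = parse_membership_groups(SAMPLE_CONFIG)
    print("configured:", configured)
    print("exposed:   ", scim_group_values(SAMPLE_USER_GROUPS, configured))
```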
From: Sander A. <sa....@fz...> - 2022-05-31 06:52:57

Good morning Krzysztof,
good morning Roman,

at the moment we are trying to set up the SCIM API and we have some questions.

1. Do we need to configure the endpoint in core.module like the other endpoints as well? I assume yes.
2. Do we need to configure all attributes which are available in SCIM within unity.endpoint.scim.membershipAttributes.* ?
3. Do we need to configure all groups which are available in SCIM within unity.endpoint.scim.membershipGroups.* ?
4. Is schema and mapping definition only possible online? I assume yes.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Sander A. <sa....@fz...> - 2022-05-05 09:53:17

Hi Roman,

we will check this and search for a solution, where we can store it.

Cheers,
Sander

On Thu, 2022-05-05 at 11:49 +0200, Roman Krysiński wrote:
> Hi Sander,
>
> Thanks for reaching out, indeed we are in the process of
> enhancing the SAML metadata processing - which is not yet fully
> completed.
> Would it be possible to provide an anonymized sample of the log file
> with representative records that flood the file?
>
> Thank you,
> Roman
>
> Mon, 2 May 2022 at 10:30 Sander Apweiler <sa....@fz...> wrote:
> > Good morning again,
> > we inspected a few things.
> >
> > 1. The unity.saml.requester.metadataSource.*.refreshInterval is
> > ignored. Instead of updating the metadata every 12 hours it updated it
> > every hour.
> >
> > 2. The output of metadata updates increases very much. Having the same
> > log config unity 3.8.1 created in one hour ~150.000 lines, unity 3.9.0
> > created in the first hour after startup 145.000.000 lines. Mainly by
> > updating the IdPs from the metadata source.
> >
> > Best regards,
> > Sander
> >
> > On Mon, 2022-05-02 at 09:03 +0200, Sander Apweiler wrote:
> > > Good Morning Krzysztof,
> > > we updated on Friday afternoon one of our unity instances to 3.9.0.
> > > Today we saw that the log exploded after the update: within 7 hours
> > > unity wrote a 25GB log file. We had parts running on trace level but
> > > had not that size before. The gzip-compressed log files for the days
> > > before the update are 61MB. Because there is nothing about updating
> > > from 3.8 to 3.9 in the manual, do we need to change the log config? Of
> > > course there can be another reason for the log size and we are
> > > investigating the log at the moment.
> > >
> > > Best regards,
> > > Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Roman K. <ro...@un...> - 2022-05-05 09:49:44

Hi Sander,

Thanks for reaching out, indeed we are in the process of enhancing the SAML metadata processing - which is not yet fully completed.
Would it be possible to provide an anonymized sample of the log file with representative records that flood the file?

Thank you,
Roman

Mon, 2 May 2022 at 10:30 Sander Apweiler <sa....@fz...> wrote:
> Good morning again,
> we inspected a few things.
>
> 1. The unity.saml.requester.metadataSource.*.refreshInterval is
> ignored. Instead of updating the metadata every 12 hours it updated it
> every hour.
>
> 2. The output of metadata updates increases very much. Having the same
> log config unity 3.8.1 created in one hour ~150.000 lines, unity 3.9.0
> created in the first hour after startup 145.000.000 lines. Mainly by
> updating the IdPs from the metadata source.
>
> Best regards,
> Sander
>
> On Mon, 2022-05-02 at 09:03 +0200, Sander Apweiler wrote:
> > Good Morning Krzysztof,
> > we updated on Friday afternoon one of our unity instances to 3.9.0.
> > Today we saw that the log exploded after the update: within 7 hours
> > unity wrote a 25GB log file. We had parts running on trace level but
> > had not that size before. The gzip-compressed log files for the days
> > before the update are 61MB. Because there is nothing about updating from 3.8
> > to 3.9 in the manual, do we need to change the log config? Of course
> > there can be another reason for the log size and we are investigating
> > the log at the moment.
> >
> > Best regards,
> > Sander
>
> --
> Federated Systems and Data
> Juelich Supercomputing Centre
>
> phone: +49 2461 61 8847
> fax: +49 2461 61 6656
> email: sa....@fz...
From: Sander A. <sa....@fz...> - 2022-05-02 08:30:44

Good morning again,

we inspected a few things.

1. The unity.saml.requester.metadataSource.*.refreshInterval is ignored. Instead of updating the metadata every 12 hours it updated it every hour.

2. The output of metadata updates increases very much. Having the same log config unity 3.8.1 created in one hour ~150.000 lines, unity 3.9.0 created in the first hour after startup 145.000.000 lines. Mainly by updating the IdPs from the metadata source.

Best regards,
Sander

On Mon, 2022-05-02 at 09:03 +0200, Sander Apweiler wrote:
> Good Morning Krzysztof,
> we updated on Friday afternoon one of our unity instances to 3.9.0.
> Today we saw that the log exploded after the update: within 7 hours
> unity wrote a 25GB log file. We had parts running on trace level but
> had not that size before. The gzip-compressed log files for the days
> before the update are 61MB. Because there is nothing about updating from 3.8
> to 3.9 in the manual, do we need to change the log config? Of course
> there can be another reason for the log size and we are investigating
> the log at the moment.
>
> Best regards,
> Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Sander A. <sa....@fz...> - 2022-05-02 07:03:49

Good Morning Krzysztof,

we updated on Friday afternoon one of our unity instances to 3.9.0. Today we saw that the log exploded after the update: within 7 hours unity wrote a 25GB log file. We had parts running on trace level but had not that size before. The gzip-compressed log files for the days before the update are 61MB. Because there is nothing about updating from 3.8 to 3.9 in the manual, do we need to change the log config? Of course there can be another reason for the log size and we are investigating the log at the moment.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Krzysztof B. <kb...@un...> - 2022-04-21 07:57:19

Hi Sander,

On 21.04.2022 at 07:47, Sander Apweiler wrote:
> Good morning Krzysztof,
> was this added to the 3.9.0 release? If yes, how do we configure this? At
> least I didn't find it in the manual.

Yes, it was :-)

See https://www.unity-idm.eu/documentation/unity-3.9.0/manual.html#_output_translation

In the MVEL context you have new variables: 'mfa' and 'authenticatedWith'.

HTH,
Krzysztof

> Best regards,
> Sander
>
> On Thu, 2022-03-03 at 09:03 +0100, Krzysztof Benedyczak wrote:
>> Hi,
>>
>> On 02.03.2022 at 09:39, Sander Apweiler wrote:
>>> Good morning Krzysztof,
>>>
>>> On Tue, 2022-03-01 at 17:24 +0100, Krzysztof Benedyczak wrote:
>>>> hi,
>>>>
>>>> On 01.03.2022 at 08:15, Sander Apweiler wrote:
>>>>> Good morning Krzysztof,
>>>>> good morning Roman,
>>>>>
>>>>> sorry for the next topic I open here. Hopefully it is easy to
>>>>> answer/solve. We are testing the 2FA using OTP. So far it works fine.
>>>>> But we are looking how we could signal a service that 2FA was used.
>>>>> Is there a way to get this information within unity? Maybe fetching
>>>>> the credentials status and if it is enabled for the user could help.
>>>> Unfortunately it is not exposed in output profile context. There are
>>>> authenticated identities but no info about factors used to authenticate.
>>>> Adding that is basically one line of code (maybe two - there are two
>>>> factors) - so no problem to deliver that quickly.
>>> That would be great. In this case we could avoid having multiple OAuth
>>> or SAML, one with mandatory 2FA and one with optional.
>> No problem, I've opened a ticket to track that, should be in the next
>> feature release.
>>
>> Best,
>> Krzysztof
From: Sander A. <sa....@fz...> - 2022-04-21 05:47:01

Good morning Krzysztof,

was this added to the 3.9.0 release? If yes, how do we configure this? At least I didn't find it in the manual.

Best regards,
Sander

On Thu, 2022-03-03 at 09:03 +0100, Krzysztof Benedyczak wrote:
> Hi,
>
> On 02.03.2022 at 09:39, Sander Apweiler wrote:
> > Good morning Krzysztof,
> >
> > On Tue, 2022-03-01 at 17:24 +0100, Krzysztof Benedyczak wrote:
> > > hi,
> > >
> > > On 01.03.2022 at 08:15, Sander Apweiler wrote:
> > > > Good morning Krzysztof,
> > > > good morning Roman,
> > > >
> > > > sorry for the next topic I open here. Hopefully it is easy to
> > > > answer/solve. We are testing the 2FA using OTP. So far it works fine.
> > > > But we are looking how we could signal a service that 2FA was used.
> > > > Is there a way to get this information within unity? Maybe fetching
> > > > the credentials status and if it is enabled for the user could help.
> > > Unfortunately it is not exposed in output profile context. There are
> > > authenticated identities but no info about factors used to authenticate.
> > > Adding that is basically one line of code (maybe two - there are two
> > > factors) - so no problem to deliver that quickly.
> > That would be great. In this case we could avoid having multiple OAuth
> > or SAML, one with mandatory 2FA and one with optional.
>
> No problem, I've opened a ticket to track that, should be in the next
> feature release.
>
> Best,
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Krzysztof B. <kb...@un...> - 2022-04-11 12:25:38

Dear Subscribers,

I'm happy to announce general availability of the 3.9.0 release. It includes the following changes:

* A major update of SAML authentication
* SCIM read-only endpoint
* Console attribute editor & string attributes editing improvements
* New, fast REST APIs
* Unity version information in console
* Exposing factors used during authentication in Output profile

as well as a couple of bug fixes.

More information is available at https://unity-idm.eu/releases/release-3-9-0/

Best regards,
Krzysztof
From: Sander A. <sa....@fz...> - 2022-03-31 05:56:11

Good morning Krzysztof,

thanks for all the information. We updated our second metadata file to the 12 hour interval.

Best regards,
Sander

On Wed, 2022-03-30 at 12:47 +0200, Krzysztof Benedyczak wrote:
> On 30.03.2022 at 09:11, Sander Apweiler wrote:
> > Good morning,
> > we encountered a problem using
> > unity.saml.requester.metadataSource.*.refreshInterval. Because the
> > refresh of eduGAIN metadata takes up to 3-4 minutes and slows down the
> > login, we decided to update it every 12 hours instead of every hour.
> > For this we set
> > unity.saml.requester.metadataSource.edugain.refreshInterval=43200
> > and restarted unity. But instead of the expected reload at 7 a.m. and 7 p.m.
> > the metadata is updated every hour. It seems that this parameter is not
> > taken from the config file.
>
> And BTW in 3.9 refresh of eduGAIN metadata should be in seconds. E.g. on
> my last test it was 19s, out of which more than a half was metadata
> download, which is not blocking anything.
>
> Cheers,
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Krzysztof B. <kb...@un...> - 2022-03-30 10:47:30

On 30.03.2022 at 09:11, Sander Apweiler wrote:
> Good morning,
> we encountered a problem using
> unity.saml.requester.metadataSource.*.refreshInterval. Because the
> refresh of eduGAIN metadata takes up to 3-4 minutes and slows down the
> login, we decided to update it every 12 hours instead of every hour.
> For this we set
> unity.saml.requester.metadataSource.edugain.refreshInterval=43200
> and restarted unity. But instead of the expected reload at 7 a.m. and 7 p.m.
> the metadata is updated every hour. It seems that this parameter is not
> taken from the config file.

And BTW in 3.9 refresh of eduGAIN metadata should be in seconds. E.g. on my last test it was 19s, out of which more than a half was metadata download, which is not blocking anything.

Cheers,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2022-03-30 10:33:11

Hi Sander,

On 30.03.2022 at 09:11, Sander Apweiler wrote:
> Good morning,
> we encountered a problem using
> unity.saml.requester.metadataSource.*.refreshInterval. Because the
> refresh of eduGAIN metadata takes up to 3-4 minutes and slows down the
> login, we decided to update it every 12 hours instead of every hour.
> For this we set
> unity.saml.requester.metadataSource.edugain.refreshInterval=43200
> and restarted unity. But instead of the expected reload at 7 a.m. and 7 p.m.
> the metadata is updated every hour. It seems that this parameter is not
> taken from the config file.

I guess it is, but the algorithm there is a bit simplified, i.e. refreshing takes place at the lowest refresh interval of all your SAML metadata sources. I will open a ticket to improve that, shouldn't be hard.

Cheers,
Krzysztof
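The scheduling behaviour described in this reply (every metadata source is refreshed at the lowest refreshInterval configured among all of them) is what the following added Python check models: it reads the unity.saml.requester.metadataSource.<name>.refreshInterval keys quoted in the thread and reports which sources will be refreshed more often than their operator intended. It is written for this thread and is not Unity-IdM's own code; the sample configuration is constructed, and treating a source without an explicit refreshInterval as hourly (3600 s) is an assumption taken from the "every hour" behaviour reported above, not from the manual.

```python
"""Effective SAML metadata refresh interval under the simplified
scheduling described in the thread: min() over all configured sources.
Added illustration, not Unity-IdM code."""
from __future__ import annotations

import re

# Key shape quoted in the thread; the value is in seconds (43200 = 12 h).
KEY_RE = re.compile(
    r"^unity\.saml\.requester\.metadataSource\.([^.\s]+)\.(\w+)\s*=\s*(.*)$"
)

# ASSUMPTION: a source without refreshInterval is treated as hourly, because
# the reporter observed hourly refreshes; this is not taken from documentation.
ASSUMED_DEFAULT_REFRESH = 3600

# Constructed sample configuration mirroring the thread: eduGAIN was moved to
# 12 hours, while a second source kept the (assumed) hourly default.
SAMPLE_CONFIG = """
unity.saml.requester.metadataSource.edugain.url=https://example.invalid/edugain.xml
unity.saml.requester.metadataSource.edugain.refreshInterval=43200
unity.saml.requester.metadataSource.local.url=https://example.invalid/local.xml
# 'local' has no refreshInterval -> assumed default
"""


def parse_metadata_sources(properties: str) -> dict[str, dict[str, str]]:
    """Group metadataSource.<name>.<option>=value entries by source name."""
    sources: dict[str, dict[str, str]] = {}
    for raw in properties.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m:
            name, option, value = m.groups()
            sources.setdefault(name, {})[option] = value.strip()
    return sources


def configured_interval(options: dict[str, str]) -> int:
    """Seconds between refreshes the operator asked for (or the assumed default)."""
    return int(options.get("refreshInterval", ASSUMED_DEFAULT_REFRESH))


def effective_refresh(sources: dict[str, dict[str, str]]) -> tuple[int, dict[str, int]]:
    """Return (effective interval, per-source configured interval).

    Under the simplified scheduler every source is refreshed at the minimum
    of all configured intervals, so a single hourly source drags a 12-hour
    source down to hourly refreshes as well.
    """
    configured = {name: configured_interval(o) for name, o in sources.items()}
    if not configured:
        raise ValueError("no metadataSource entries found")
    return min(configured.values()), configured


def report_mismatches(sources: dict[str, dict[str, str]]) -> list[str]:
    """Sources that will actually be refreshed more often than configured."""
    effective, configured = effective_refresh(sources)
    return [
        f"{name}: configured {interval}s, effective {effective}s "
        f"({interval // effective}x more often than intended)"
        for name, interval in sorted(configured.items())
        if interval > effective
    ]


if __name__ == "__main__":
    parsed = parse_metadata_sources(SAMPLE_CONFIG)
    print("effective interval:", effective_refresh(parsed)[0], "s")
    for line in report_mismatches(parsed):
        print("WARNING", line)
```

To make a 12-hour interval take effect under this scheduler, every source must carry the same (or a higher) refreshInterval, which is exactly what the reporter did with the second metadata file later in the thread.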
From: Sander A. <sa....@fz...> - 2022-03-30 07:11:22

Good morning,

we encountered a problem using unity.saml.requester.metadataSource.*.refreshInterval. Because the refresh of eduGAIN metadata takes up to 3-4 minutes and slows down the login, we decided to update it every 12 hours instead of every hour. For this we set

unity.saml.requester.metadataSource.edugain.refreshInterval=43200

and restarted unity. But instead of the expected reload at 7 a.m. and 7 p.m. the metadata is updated every hour. It seems that this parameter is not taken from the config file.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Krzysztof B. <kb...@un...> - 2022-03-21 12:45:31

Hi Sander,

On 18.03.2022 at 13:43, Sander Apweiler wrote:
> Hi Krzysztof,
> sorry for raising the next topic. Is it possible to sign the emails
> sent by unity? I didn't find something in the manual or config about
> it.

Nope, sorry, there is no support for digital signing of emails outgoing from Unity (and we had no plans/requests to support that).

Cheers,
Krzysztof
From: Sander A. <sa....@fz...> - 2022-03-18 12:43:24

Hi Krzysztof,

sorry for raising the next topic. Is it possible to sign the emails sent by unity? I didn't find something in the manual or config about it.

Have a nice weekend,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Krzysztof B. <kb...@un...> - 2022-03-08 14:59:52

Hi,

On 08.03.2022 at 15:48, Marcus Hardt wrote:
> Hi There,
>
> one note on this:
>
> if there is only a `scopes`, and no `scopes_at` in the request, one could
> default to putting the same scopes into the AT and in the userinfo. I
> think then it's least painful to introduce this.

Well, only governed by endpoint config option "by default put all claims in JWT AT". We won't turn that on for everybody after an update, as we may run into problems in setups which rely on small ATs (as yours ;).

KB
From: Marcus H. <ha...@ki...> - 2022-03-08 14:48:24

Hi There,

one note on this:

if there is only a `scopes`, and no `scopes_at` in the request, one could default to putting the same scopes into the AT and in the userinfo. I think then it's least painful to introduce this.

M.

On 08. Mar 2022 07:20, Sander Apweiler wrote:
> Good morning Krzysztof,
> sorry for the delay. I had this still on my agenda. I think this would
> work, too.
>
> I fully understand that the request of individual claims is a lot of
> work with very little usage.
>
> Cheers,
> Sander
>
> On Mon, 2022-03-07 at 15:31 +0100, Krzysztof Benedyczak wrote:
> > hi,
> >
> > On 01.03.2022 at 17:06, Krzysztof Benedyczak wrote:
> > > Hi,
> > >
> > > On 01.03.2022 at 09:46, Sander Apweiler wrote:
> > > > Good morning,
> > > >
> > > > a short addition. It is not only the oidc-agent which has a
> > > > problem with the token size. EUDAT B2SAFE has it as well because they use
> > > > the token as password in iRODS and this has also limitations in size.
> > > >
> > > > And yes the most problems for switching the scopes would be for
> > > > the users of the oidc-agent. Because all others set them once.
> > >
> > > So maybe after all a proprietary request flag saying "add all claims
> > > to JWT AT"? Proprietary, but also dead simple and addressing your use
> > > cases in a direct way.
> >
> > Sander, any opinions here?
> >
> > Wrt to Marcus proposal, the name of the parameter can be "scopes_at"
> > (or alike).
> >
> > That said I'm very doubtful whether this should go inside the 'claims'
> > request parameter. Which as spec says is to request individual claims
> > and would be counter intuitive to use it for specifying which scopes
> > should go to AT (and we would need to support the base spec, which is
> > kinda "ton of work and no one will use it").
> >
> > Best,
> > Krzysztof
>
> --
> Federated Systems and Data
> Juelich Supercomputing Centre
>
> phone: +49 2461 61 8847
> fax: +49 2461 61 6656
> email: sa....@fz...

--
Marcus.
From: Krzysztof B. <kb...@un...> - 2022-03-08 14:18:39

On 08.03.2022 at 07:20, Sander Apweiler wrote:
> Good morning Krzysztof,
> sorry for the delay. I had this still on my agenda. I think this would
> work, too.
>
> I fully understand that the request of individual claims is a lot of
> work with very little usage.

OK, I've added that to the backlog. The request to put all claims in the JWT AT should be easy and we should have it relatively shortly; however, we will see if we will also approach selection by scopes.

Best,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2022-03-08 14:13:27

Sander,

On 08.03.2022 at 07:24, Sander Apweiler wrote:
> Good morning Krzysztof,
> thanks for the swift reply. We updated it. Does it use a grid with
> search option or do we have a very long list, because we are using
> eduGAIN?

It can use the grid, and for a federation with many options there is no question that you should put it in the grid. Authentication configuration of this endpoint is all the same as for all other endpoints.

Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2022-03-08 06:23:58

Good morning Krzysztof,

thanks for the swift reply. We updated it. Does it use a grid with search option or do we have a very long list, because we are using eduGAIN?

Cheers,
Sander

On Mon, 2022-03-07 at 15:26 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 07.03.2022 at 07:40, Sander Apweiler wrote:
> > Good morning Krzysztof,
> > we encountered a small problem if an invitation was sent to another
> > email address than the IdP provides. The switch to the login for
> > existing users works fine, but we see only username/password input and
> > not SAML/OIDC logins. I guess this is only a misconfiguration on our
> > side. Can you give us a hint where we must perform the update?
> >
> This should be configured on a special Unity endpoint, which is
> responsible for exposing mostly enquiry forms (which means that it
> requires prior authentication). You can configure authentication of this
> endpoint in the way you want. The type of this endpoint is 'WellKnownLinks'
> (it should be easy to find among your Services in Console).
>
> HTH,
> Krzysztof
>
From: Sander A. <sa....@fz...> - 2022-03-08 06:20:07

Good morning Krzysztof,

sorry for the delay. I had this still on my agenda. I think this would work, too.

I fully understand that the request of individual claims is a lot of work with very little usage.

Cheers,
Sander

On Mon, 2022-03-07 at 15:31 +0100, Krzysztof Benedyczak wrote:
> hi,
>
> On 01.03.2022 at 17:06, Krzysztof Benedyczak wrote:
> > Hi,
> >
> > On 01.03.2022 at 09:46, Sander Apweiler wrote:
> > > Good morning,
> > >
> > > a short addition. It is not only the oidc-agent which has a problem
> > > with the token size. EUDAT B2SAFE has it as well because they use the
> > > token as password in iRODS and this has also limitations in size.
> > >
> > > And yes, the most problems for switching the scopes would be for the
> > > users of the oidc-agent, because all others set them once.
> >
> > So maybe after all a proprietary request flag saying "add all claims
> > to JWT AT"? Proprietary, but also dead simple and addressing your use
> > cases in a direct way.
>
> Sander, any opinions here?
>
> Wrt Marcus' proposal, the name of the parameter can be "scopes_at" (or
> alike).
>
> That said I'm very doubtful whether this should go inside the 'claims'
> request parameter, which, as the spec says, is to request individual
> claims; it would be counterintuitive to use it for specifying which scopes
> should go to AT (and we would need to support the base spec, which is
> kinda "ton of work and no one will use it").
>
> Best,
> Krzysztof
>
From: Krzysztof B. <kb...@un...> - 2022-03-07 14:31:33

hi,

On 01.03.2022 at 17:06, Krzysztof Benedyczak wrote:
> Hi,
>
> On 01.03.2022 at 09:46, Sander Apweiler wrote:
>> Good morning,
>>
>> a short addition. It is not only the oidc-agent which has a problem
>> with the token size. EUDAT B2SAFE has it as well because they use the
>> token as password in iRODS and this has also limitations in size.
>>
>> And yes, the most problems for switching the scopes would be for the
>> users of the oidc-agent, because all others set them once.
>
> So maybe after all a proprietary request flag saying "add all claims
> to JWT AT"? Proprietary, but also dead simple and addressing your use
> cases in a direct way.

Sander, any opinions here?

Wrt Marcus' proposal, the name of the parameter can be "scopes_at" (or alike).

That said I'm very doubtful whether this should go inside the 'claims' request parameter, which, as the spec says, is to request individual claims; it would be counterintuitive to use it for specifying which scopes should go to AT (and we would need to support the base spec, which is kinda "ton of work and no one will use it").

Best,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2022-03-07 14:26:45

Hi Sander,

On 07.03.2022 at 07:40, Sander Apweiler wrote:
> Good morning Krzysztof,
> we encountered a small problem if an invitation was sent to another
> email address than the IdP provides. The switch to the login for
> existing users works fine, but we see only username/password input and
> not SAML/OIDC logins. I guess this is only a misconfiguration on our
> side. Can you give us a hint where we must perform the update?
>

This should be configured on a special Unity endpoint, which is responsible for exposing mostly enquiry forms (which means that it requires prior authentication). You can configure authentication of this endpoint in the way you want. The type of this endpoint is 'WellKnownLinks' (it should be easy to find among your Services in Console).

HTH,
Krzysztof