From: Krzysztof B. <kb...@un...> - 2021-12-06 09:16:48
Hi Anthony,

On 03.12.2021 at 22:27, Anthony M wrote:
> Hello,
>
> Currently, I have incorporated Unity as an OAuth client using Keycloak. This allows users to login to the /home endpoint, resulting in user creation (including X500 name). However, I want to authenticate these newly created users through UNICORE by passing OAuth tokens (from Keycloak). I set up an OAuth RP in Unity by including the Keycloak “openid-connect/token/introspect” endpoint for token verification, and the respective Keycloak profile endpoint (/userinfo). In addition, I connected the RP to a SAML SOAP endpoint (unicore-soapidp-oidc/saml2unicoreidp-soap/AuthenticationService). However, user authentication is failing.
>
> What would be the necessary steps to get this workflow working? Currently I have no remote data mapping set up with the OAuth RP, which may be causing issues when trying to map the verified tokens to the SOAP endpoint.

Well, hard to say precisely, there are a couple of places where the process can fail. I'd, in order, do the following:

1. Enable debug logging for oauth, saml and externaltranslation.
2. Test drive the process and check in the logs at which step it fails.
3. If it fails early, i.e. at verification of the access token against Keycloak, then we need to look at the protocol compatibility. -> Keycloak is not directly supported, so it may work or not.
4. (if above is fine) Check in the logs whether the user profile is fetched.
5. (if above is fine) Check what happens with the mapping. If you haven't set up a mapping then Unity most likely won't be able to map information retrieved from Keycloak to its own attributes and identities. Logs should tell you what is received, and this will help you to set up a proper mapping.

HTH,
Krzysztof
From: Anthony M <ant...@gm...> - 2021-12-03 21:27:23
Hello,

Currently, I have incorporated Unity as an OAuth client using Keycloak. This allows users to login to the /home endpoint, resulting in user creation (including X500 name). However, I want to authenticate these newly created users through UNICORE by passing OAuth tokens (from Keycloak). I set up an OAuth RP in Unity by including the Keycloak “openid-connect/token/introspect” endpoint for token verification, and the respective Keycloak profile endpoint (/userinfo). In addition, I connected the RP to a SAML SOAP endpoint (unicore-soapidp-oidc/saml2unicoreidp-soap/AuthenticationService). However, user authentication is failing.

What would be the necessary steps to get this workflow working? Currently I have no remote data mapping set up with the OAuth RP, which may be causing issues when trying to map the verified tokens to the SOAP endpoint.

Thank you for your help.

Regards,
Anthony Mammoliti
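The token-verification step that the reply in this thread tells Anthony to check first (step 3: does the RP accept the access token?) and the policy an RP should apply to the answer, as an added example written for this page. It is not Unity's or Keycloak's code: the introspection endpoint URL, the RP client id/secret, the required scope and the audience value "unity-rp" are assumptions, and the JSON response in main() is constructed, not captured from a real server.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// introspection is the subset of an RFC 7662 response an RP acts on.
type introspection struct {
	Active bool            `json:"active"`
	Scope  string          `json:"scope"`
	Sub    string          `json:"sub"`
	Exp    int64           `json:"exp"`
	Nbf    int64           `json:"nbf"`
	Aud    json.RawMessage `json:"aud"` // a single string or an array of strings
}

// audiences normalises "aud", which servers encode either as one string or as an array.
func (i *introspection) audiences() []string {
	var one string
	if err := json.Unmarshal(i.Aud, &one); err == nil {
		return []string{one}
	}
	var many []string
	_ = json.Unmarshal(i.Aud, &many) // absent or malformed "aud" simply yields no audiences
	return many
}

// parseIntrospection decodes the JSON body an introspection endpoint returns.
func parseIntrospection(body []byte) (*introspection, error) {
	var out introspection
	if err := json.Unmarshal(body, &out); err != nil {
		return nil, fmt.Errorf("malformed introspection response: %w", err)
	}
	return &out, nil
}

// introspectToken is the "verify the access token" step: POST the token to the
// authorization server's introspection endpoint, authenticating the RP itself
// with HTTP Basic (RFC 7662 section 2.1). Endpoint and RP credentials are
// whatever the RP was configured with (assumed values in this example).
func introspectToken(c *http.Client, endpoint, rpID, rpSecret, token string) (*introspection, error) {
	form := url.Values{"token": {token}, "token_type_hint": {"access_token"}}
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.SetBasicAuth(rpID, rpSecret)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := c.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("introspection endpoint answered %s", resp.Status)
	}
	return parseIntrospection(body)
}

// checkToken is the RP-side policy: the token must be active, inside its
// validity window, carry the scope the RP needs and be intended for this RP.
// Only a token that passes is worth a /userinfo call and an attribute mapping.
func checkToken(i *introspection, now time.Time, requiredScope, expectedAud string) error {
	if !i.Active {
		return errors.New("token is not active (revoked, expired or unknown to the authorization server)")
	}
	if i.Exp != 0 && now.Unix() >= i.Exp {
		return errors.New("token expired")
	}
	if i.Nbf != 0 && now.Unix() < i.Nbf {
		return errors.New("token not yet valid")
	}
	if requiredScope != "" && !hasScope(i.Scope, requiredScope) {
		return fmt.Errorf("token lacks required scope %q", requiredScope)
	}
	if expectedAud == "" {
		return nil
	}
	for _, a := range i.audiences() {
		if a == expectedAud {
			return nil
		}
	}
	return fmt.Errorf("token was not issued for audience %q", expectedAud)
}

// hasScope reports whether the space-separated scope string contains want.
func hasScope(granted, want string) bool {
	for _, s := range strings.Fields(granted) {
		if s == want {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample response; a real one comes from introspectToken().
	sample := []byte(`{"active":true,"scope":"openid profile","sub":"alice","exp":4102444800,"aud":["unity-rp","other-rp"]}`)
	tok, err := parseIntrospection(sample)
	if err != nil {
		panic(err)
	}
	fmt.Println("subject:", tok.Sub, "policy check:", checkToken(tok, time.Now(), "openid", "unity-rp"))
}
```

With debug logging on, the failure points the reply lists map onto the three functions: a non-200 or undecodable answer from introspectToken means protocol incompatibility with the authorization server, a checkToken error means the token was verified but is unusable for this RP, and only a token that passes both should be followed by the profile fetch and the mapping.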
From: Krzysztof B. <kb...@un...> - 2021-12-03 11:40:30
Hi Sander,

On 03.12.2021 at 12:27, Sander Apweiler wrote:
> Hi Krzysztof,
> We have an SP, which is a SPA using PKCE with CORS. This part is working now. We set the clientType to PUBLIC. When the SP requests the user token the error message "Invalid user name, credential or external authentication failed." is shown. Investigating the logs a little bit more it shows "No HTTP BASIC auth header was found". This should not be the case for PKCE, should it?

Yeah, that's one known issue we had in our impl. Currently even for a public client you have to set up some password (publicly known) and use it. We can fix that problem now, as in 3.7.0 we have introduced the optionally authenticated REST endpoints feature, which enables proper handling of this case. That should be a small change now; I'll put the corresponding ticket on the short term queue.

Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2021-12-03 11:27:04
Hi Krzysztof,

We have an SP, which is a SPA using PKCE with CORS. This part is working now. We set the clientType to PUBLIC. When the SP requests the user token the error message "Invalid user name, credential or external authentication failed." is shown. Investigating the logs a little bit more it shows "No HTTP BASIC auth header was found". This should not be the case for PKCE, should it?

Cheers,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren Local Court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Volker Rieke
Management Board: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior
-----------------------------------------------------------------------
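What the two messages above are about, a PUBLIC client's token request that carries no HTTP Basic header because the PKCE code_verifier is the client's only proof, as an added example of an authorization server doing it right. This is illustrative code written for this page, not Unity's implementation: the in-memory authServer, the client id "spa-client" and the opaque "at-…" token format are constructed for the example. It follows RFC 7636 (S256 only, verifier 43–128 characters, single-use codes).

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
)

// newCodeVerifier returns a fresh code_verifier as RFC 7636 section 4.1 prescribes:
// 32 random octets, base64url-encoded without padding (43 characters).
func newCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// codeChallengeS256 derives the code_challenge the SPA sends with the
// authorization request: BASE64URL(SHA256(code_verifier)).
func codeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// pendingCode is what the authorization server remembers per issued code.
type pendingCode struct {
	clientID  string
	challenge string
}

// authServer is a minimal in-memory authorization server (constructed for this
// example) holding the codes it has issued but not yet redeemed.
type authServer struct {
	mu    sync.Mutex
	codes map[string]pendingCode
}

func newAuthServer() *authServer {
	return &authServer{codes: map[string]pendingCode{}}
}

// issueCode is the authorization endpoint's job once the user has logged in: it
// binds the challenge to the code. Only S256 is accepted; the "plain" method
// gives no protection when the authorization request is observed.
func (s *authServer) issueCode(clientID, challenge, method string) (string, error) {
	if method != "S256" {
		return "", fmt.Errorf("unsupported code_challenge_method %q", method)
	}
	if challenge == "" {
		return "", errors.New("public client must send a code_challenge")
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	code := base64.RawURLEncoding.EncodeToString(raw)
	s.mu.Lock()
	s.codes[code] = pendingCode{clientID: clientID, challenge: challenge}
	s.mu.Unlock()
	return code, nil
}

// exchangeCode is the token endpoint for a PUBLIC client. There is no client
// secret and therefore no HTTP Basic header: presenting the code_verifier that
// hashes to the stored challenge is the only proof the client can give.
func (s *authServer) exchangeCode(code, clientID, verifier string) (string, error) {
	s.mu.Lock()
	pc, ok := s.codes[code]
	delete(s.codes, code) // a code is single-use whether or not the exchange succeeds
	s.mu.Unlock()
	if !ok {
		return "", errors.New("invalid_grant: unknown or already used code")
	}
	if pc.clientID != clientID {
		return "", errors.New("invalid_grant: code was issued to a different client_id")
	}
	if n := len(verifier); n < 43 || n > 128 {
		return "", errors.New("invalid_request: code_verifier length out of range")
	}
	got := codeChallengeS256(verifier)
	if subtle.ConstantTimeCompare([]byte(got), []byte(pc.challenge)) != 1 {
		return "", errors.New("invalid_grant: code_verifier does not match code_challenge")
	}
	raw := make([]byte, 24)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return "at-" + base64.RawURLEncoding.EncodeToString(raw), nil // opaque token, constructed format
}

func main() {
	srv := newAuthServer()
	verifier, _ := newCodeVerifier()
	code, _ := srv.issueCode("spa-client", codeChallengeS256(verifier), "S256")
	tok, err := srv.exchangeCode(code, "spa-client", verifier)
	fmt.Println("token:", tok, "err:", err)
}
```

The workaround Krzysztof describes (a publicly known password for a public client) adds no security, since anything shipped in a browser bundle is public; what actually binds the token request to the party that started the flow is the verifier check in exchangeCode, which is why the endpoint can accept the request without any client authentication.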
From: Krzysztof B. <kb...@un...> - 2021-12-01 14:55:52
Hi Marcus,

On 01.12.2021 at 11:21, Marcus Hardt wrote:
> On 01. Dec 2021 11:08, Sander Apweiler wrote:
>> Hi Krzysztof,
>> in the past we did not support/use SLO because most users did not want to be logged out of all services if they log out from one. This opinion is changing, especially among the users who are managers.
> I'd express it more like: There is a 2nd use-case coming up. I.e. we may need two different ways to log out:
> 1: Log out of Unity
> 2: Log out of all sessions (e.g. at the end of a guest session on somebody else's computer)
>
> I think two different buttons (unity-logout and global-logout) would be best.

Yes, so we have those two options supported, but they can be configured for the whole server only. We can make it more flexible in the way you have described above, but note that there is also another case (which I believe is by far more common) of logout initiated from an SP, not from Unity directly.

Best,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2021-12-01 14:53:18
Hi Sander,

On 01.12.2021 at 11:08, Sander Apweiler wrote:
> Hi Krzysztof,
> in the past we did not support/use SLO because most users did not want to be logged out of all services if they log out from one. This opinion is changing, especially among the users who are managers.
>
> We did not change any attributes from the default Unity config. Can you give us a hint which attributes must be configured to perform SLO? Of course we must configure the SLO endpoints of the accepted SPs. The SLO endpoints from the upstream IdPs should be fetched from the metadata file, if they are provided within. Is this assumption correct?
> Besides this, do we only need to configure
> - unity.saml.requester.sloPath=/SLO-WEB
> - unity.saml.requester.sloRealm=defaultRealm
>
> I guess unityServer.core.logoutMode is only for clicking on the logout button on Unity. But also here we recognized that using the default value internalAndSyncPeers doesn't log you out from the IdP. But maybe this is also not working because we did not enable SLO.

That's a hard question, as you have a proxy. And SLO may mean many things in case of a proxy.

So first the global parameter: it rules what happens when there is any logout in Unity. It can be triggered in one of Unity's UIs (e.g. home) or via API (currently only the SAML endpoint offers that). So it can be no-SLO (just kill the local session) or SLO (kill the local session and trigger logouts of all peers that support SLO - again only supported for SAML).

So everything more that you need to configure are the proper endpoints of SAML SPs (that you want to log out from Unity), of the Unity IdP (so that SAML SPs relying on Unity can request logout) and of external IdPs (so that Unity can log out upstream IdPs). You can enable this little by little and test - which I strongly suggest. Also pay attention to your configuration of realms - SLO never crosses a realm's boundary.

This is still pretty valid, although not mentioning configuration via the Console UI: https://www.unity-idm.eu/documentation/unity-1.9.0/saml-howto.html#_using_single_logout_slo

Best,
Krzysztof
From: Marcus H. <ha...@ki...> - 2021-12-01 10:46:11
On 01. Dec 2021 11:08, Sander Apweiler wrote:
> Hi Krzysztof,
> in the past we did not support/use SLO because most users did not want to be logged out of all services if they log out from one. This opinion is changing, especially among the users who are managers.

I'd express it more like: There is a 2nd use-case coming up. I.e. we may need two different ways to log out:
1: Log out of Unity
2: Log out of all sessions (e.g. at the end of a guest session on somebody else's computer)

I think two different buttons (unity-logout and global-logout) would be best.

M.

> We did not change any attributes from the default Unity config. Can you give us a hint which attributes must be configured to perform SLO? Of course we must configure the SLO endpoints of the accepted SPs. The SLO endpoints from the upstream IdPs should be fetched from the metadata file, if they are provided within. Is this assumption correct?
> Besides this, do we only need to configure
> - unity.saml.requester.sloPath=/SLO-WEB
> - unity.saml.requester.sloRealm=defaultRealm
>
> I guess unityServer.core.logoutMode is only for clicking on the logout button on Unity. But also here we recognized that using the default value internalAndSyncPeers doesn't log you out from the IdP. But maybe this is also not working because we did not enable SLO.
>
> Best regards,
> Sander

--
Marcus.
From: Sander A. <sa....@fz...> - 2021-12-01 10:08:13
Hi Krzysztof,

in the past we did not support/use SLO because most users did not want to be logged out of all services if they log out from one. This opinion is changing, especially among the users who are managers.

We did not change any attributes from the default Unity config. Can you give us a hint which attributes must be configured to perform SLO? Of course we must configure the SLO endpoints of the accepted SPs. The SLO endpoints from the upstream IdPs should be fetched from the metadata file, if they are provided within. Is this assumption correct?
Besides this, do we only need to configure
- unity.saml.requester.sloPath=/SLO-WEB
- unity.saml.requester.sloRealm=defaultRealm

I guess unityServer.core.logoutMode is only for clicking on the logout button on Unity. But also here we recognized that using the default value internalAndSyncPeers doesn't log you out from the IdP. But maybe this is also not working because we did not enable SLO.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
From: Krzysztof B. <kb...@un...> - 2021-11-19 20:22:43
Dear Subscribers,

Release 3.7.0 is out, bringing numerous improvements. Among others:

* Enhanced group attribute statements
* Group properties
* New MVEL editor
* Easier configuration of registration with remote IdP
* IdP endpoint usage statistics
* OAuth token revocation fully compliant with RFC 7009
* Endpoint configuration reload from file
* Account selection for enquiry forms accessed by invitation

In this release we also have a couple of important bug fixes.

See https://www.unity-idm.eu/downloads/ for more details.

Best regards,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2021-11-18 14:16:18
Hi Sander,

On 18.11.2021 at 10:09, Sander Apweiler wrote:
> Good morning Krzysztof,
> we got tickets from two users who are stuck in a login loop with username/password. After some investigation we found that the credentials were outdated. Both confirmed that the outdated credentials form was not shown to them. Maybe there is a bug here.

Got it, indeed a bug. Fix already on the way, will be released soon.

Thank you,
Krzysztof
From: Sander A. <sa....@fz...> - 2021-11-18 09:10:02
Good morning Krzysztof,

we got tickets from two users who are stuck in a login loop with username/password. After some investigation we found that the credentials were outdated. Both confirmed that the outdated credentials form was not shown to them. Maybe there is a bug here.

Cheers,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
From: Sander A. <sa....@fz...> - 2021-11-03 10:32:01
Hi Krzysztof,

I fully understand your thoughts. And yes, you are right, the browser certificates are used to perform the handshake. We can just avoid this by disabling client authentication. But if we disable it, users are not able to authenticate to Unity using the certificate. Sadly the self-signed certificate from MS is stored in the browser. And Apple uses the keychain and they store their self-signed certificate within it too. I guess we should give the problem some more thought before you start to implement something. And of course the browsers are part of this problem too. The wording in the pop-up is just the default ok or cancel, which is not understandable for users without certificate knowledge.

Best regards,
Sander

On Wed, 2021-11-03 at 10:54 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 02.11.2021 at 13:39, Sander Apweiler wrote:
>> Hello Krzysztof,
>> We are using certificate login as one option for user authentication. The positive aspect of certificate authentication is that users are checked before they get a certificate from a trustful CA.
>>
>> Sadly, after Apple has dealt for several years with self-signed certificates, which are offered to the users, Microsoft started with the same bullshit in the last year. Of course self-signed certificates are not trustful and we do not support them for authentication. But because Unity uses the client authentication mechanism in the SSL handshake, the user certificates are rejected before the user reaches the service and the user just sees a certificate error in their browser which they do not understand. And those users do not use certificate authentication. They normally use the account at their home organisation or their social ID for authentication.
>>
>> Is there another way for certificate authentication without using the client authentication from the SSL handshake?
>
> [I may be wrong here.] Up to my knowledge, browser certificates are used *by the browser* to set up the TLS layer connection, dot. So Unity can't do much about it.
>
> I can think about a solution here, though: Unity on TLS level would be configured to trust all client certificates (that's easily doable of course). So the TLS connection would be set up without any problem.
>
> However, the certificate chain would be separately validated against the truststore by the Unity authentication module (that is currently not implemented) and assumed to be present only if trusted. We would need to conduct a security analysis here first, to make sure we won't introduce any vulnerability by such a change. But I think that could work.
>
> For sure this would NOT prevent any web-browser side popups like "please select your certificate" or "do you want to use this certificate for authentication?".
>
> One more option is to use hardware tokens and FIDO2 - also certificates, also supported by Unity and browsers, no user headache.
>
> Cheers,
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre
From: Krzysztof B. <kb...@un...> - 2021-11-03 10:22:23
Hi Sander,

On 02.11.2021 at 10:20, Sander Apweiler wrote:
> Good morning Krzysztof,
> we are testing the 3.6.1 release and have some additional tests we did not perform previously. When we submit a user update without selecting a subgroup and the update is accepted, the user is not added to the group where group management was delegated. The user is only added if a subgroup is selected. Is this behaviour intended? Or do we need to add an add-to-group rule in the automation section?

I assume we are talking here about "project joining forms" which are Unity enquiries, used to enroll existing Unity users into an upman project. In those cases, yes, the enquiry form should contain an add to project's group action in its automation. The default (auto generated) forms do have this configured, so at least in the default case it works out of the box.

Best,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2021-11-03 09:55:03
Hi Sander,

On 02.11.2021 at 13:39, Sander Apweiler wrote:
> Hello Krzysztof,
> We are using certificate login as one option for user authentication. The positive aspect of certificate authentication is that users are checked before they get a certificate from a trustful CA.
>
> Sadly, after Apple has dealt for several years with self-signed certificates, which are offered to the users, Microsoft started with the same bullshit in the last year. Of course self-signed certificates are not trustful and we do not support them for authentication. But because Unity uses the client authentication mechanism in the SSL handshake, the user certificates are rejected before the user reaches the service and the user just sees a certificate error in their browser which they do not understand. And those users do not use certificate authentication. They normally use the account at their home organisation or their social ID for authentication.
>
> Is there another way for certificate authentication without using the client authentication from the SSL handshake?

[I may be wrong here.] Up to my knowledge, browser certificates are used *by the browser* to set up the TLS layer connection, dot. So Unity can't do much about it.

I can think about a solution here, though: Unity on TLS level would be configured to trust all client certificates (that's easily doable of course). So the TLS connection would be set up without any problem.

However, the certificate chain would be separately validated against the truststore by the Unity authentication module (that is currently not implemented) and assumed to be present only if trusted. We would need to conduct a security analysis here first, to make sure we won't introduce any vulnerability by such a change. But I think that could work.

For sure this would NOT prevent any web-browser side popups like "please select your certificate" or "do you want to use this certificate for authentication?".

One more option is to use hardware tokens and FIDO2 - also certificates, also supported by Unity and browsers, no user headache.

Cheers,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2021-11-03 09:42:27
Hi Sander,

On 03.11.2021 at 09:48, Sander Apweiler wrote:
> Good morning Krzysztof,
> we have an SP which operates a single page application (SPA) and wants to use PKCE. The browser expects the HTTP header "access-control-allow-origin" in response to CORS requests, but it seems that Unity does not send it:

Yes, PKCE is supported, but CORS needs to be properly configured separately (it may also be needed in other than PKCE scenarios). See http://www.unity-idm.eu/documentation/unity-3.6.0/manual.html#_http_server_settings (section on "CORS settings"). For sure you have to enable it, likely set origins properly and maybe more, depending on security requirements.

HTH,
Krzysztof
From: Sander A. <sa....@fz...> - 2021-11-03 08:48:57
Good morning Krzysztof,

we have an SP which operates a single page application (SPA) and wants to use PKCE. The browser expects the HTTP header "access-control-allow-origin" in response to CORS requests, but it seems that Unity does not send it:

    HTTP/1.1 200 OK
    Date: Wed, 03 Nov 2021 08:04:10 GMT
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    X-Frame-Options: DENY
    Allow: POST,GET,OPTIONS,HEAD
    Content-Length: 0

After switching the client type to public, because this is the only section in the documentation where PKCE is mentioned, the headers look like this:

    Endpoint: https://login-dev.helmholtz.de/oauth2/token

    OPTIONS /oauth2/token HTTP/1.1
    Host: login-dev.helmholtz.de
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Access-Control-Request-Method: POST
    Referer: https://rz-vm64.gfz-potsdam.de:3000/
    Origin: https://rz-vm64.gfz-potsdam.de:3000
    DNT: 1
    Connection: keep-alive
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: cross-site
    Pragma: no-cache
    Cache-Control: no-cache

Is PKCE already fully supported in Unity? Do we need to do some further configuration to allow PKCE for this client?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
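The preflight exchange above (an OPTIONS with Origin and Access-Control-Request-Method that gets back no Access-Control-Allow-Origin) and the reply's advice to enable CORS with the origins set properly, shown as an added example of an origin-allow-listing handler in front of a token endpoint. This is illustrative code written for this page, not Unity's CORS implementation or its configuration format; the origins and the stand-in tokenEndpoint are constructed. It generalises the single origin in the thread to an allow-list and also covers the actual POST that follows a successful preflight.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// corsForOrigins wraps a handler so that requests from the listed origins
// (exact scheme://host[:port] matches; no wildcard) get the headers a browser
// needs, while any other origin gets none, so the browser blocks the response.
// A preflight (OPTIONS + Access-Control-Request-Method) is answered here and
// never reaches the wrapped handler.
func corsForOrigins(allowed []string, next http.Handler) http.Handler {
	allowedSet := map[string]bool{}
	for _, o := range allowed {
		allowedSet[strings.ToLower(o)] = true
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		isPreflight := r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != ""
		if !allowedSet[strings.ToLower(origin)] {
			if isPreflight {
				w.WriteHeader(http.StatusForbidden) // unknown origin: refuse the preflight outright
				return
			}
			next.ServeHTTP(w, r) // same-origin or non-browser client: behaviour unchanged
			return
		}
		h := w.Header()
		h.Set("Access-Control-Allow-Origin", origin) // echo the matched origin, never "*"
		h.Add("Vary", "Origin")                      // caches must key on Origin
		if isPreflight {
			h.Set("Access-Control-Allow-Methods", "POST, OPTIONS")
			h.Set("Access-Control-Allow-Headers", "Content-Type")
			h.Set("Access-Control-Max-Age", "600")
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// browserRequest replays what a browser sends for a cross-origin call against h:
// an OPTIONS preflight when method is OPTIONS, otherwise the actual request.
// It returns the status and the Access-Control-Allow-Origin value the browser sees.
func browserRequest(h http.Handler, method, origin string) (int, string) {
	req := httptest.NewRequest(method, "/oauth2/token", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	if method == http.MethodOptions {
		req.Header.Set("Access-Control-Request-Method", "POST")
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

// tokenEndpoint stands in for the real token endpoint (constructed for this example).
var tokenEndpoint = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
})

func main() {
	h := corsForOrigins([]string{"https://spa.example.org"}, tokenEndpoint)
	for _, origin := range []string{"https://spa.example.org", "https://other.example.net"} {
		status, allow := browserRequest(h, http.MethodOptions, origin)
		fmt.Printf("preflight from %s -> %d, Access-Control-Allow-Origin=%q\n", origin, status, allow)
	}
}
```

The 200 with no Access-Control-Allow-Origin header in the captured response is exactly what a browser treats as a refusal, so the symptom is a missing or empty origin list rather than a PKCE problem. Echoing only an allow-listed origin (with Vary: Origin) is the setting to aim for; a wildcard would let any site drive the token endpoint from a user's browser.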
From: Tomasz G. <ymg...@cy...> - 2021-11-02 14:39:18
Hi Krzysztof,

We have recently upgraded to the new version of Unity and I can confirm that the problem with autofill in Chrome has been solved. Thanks again for your help!

Cheers,
Tom

On Wed, 15 Sept 2021 at 15:59, Tomasz Grabarczyk <ymg...@cy...> wrote:
> Hi Krzysztof,
>
> Thanks for the update! It's good to know it will be solved soon
>
> Cheers
> Tomek
>
> On Wed, 15 Sep 2021 at 15:49, Krzysztof Benedyczak <kb...@un...> wrote:
>> Hi Tomasz,
>>
>> On 02.08.2021 at 13:05, Piotr Piernik wrote:
>>> Hi Tomasz
>>> We are investigating this problem. We are trying to recreate this situation on various browsers and systems. We hope to fix this in the next release.
>>
>> A small update on that issue. That's a really hard one as the logic/rules behind Chrome's password manager site introspection are pretty much confusing/undefined/...
>>
>> Anyway we finally managed to build a prototype that fixes this issue. It will take a bit of time to refactor that prototype into the final version so it won't make it into the upcoming 3.6, but will be soon after, either in a patch or in 3.7 latest.
>>
>> Cheers,
>> Krzysztof
From: Sander A. <sa....@fz...> - 2021-11-02 12:45:40
Hello Krzysztof,

We are using certificate login as one option for user authentication. The positive aspect of certificate authentication is that users are checked before they get a certificate from a trustful CA.

Sadly, after Apple has dealt for several years with self-signed certificates, which are offered to the users, Microsoft started with the same bullshit in the last year. Of course self-signed certificates are not trustful and we do not support them for authentication. But because Unity uses the client authentication mechanism in the SSL handshake, the user certificates are rejected before the user reaches the service and the user just sees a certificate error in their browser which they do not understand. And those users do not use certificate authentication. They normally use the account at their home organisation or their social ID for authentication.

Is there another way for certificate authentication without using the client authentication from the SSL handshake?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
From: Sander A. <sa....@fz...> - 2021-11-02 09:20:33
Good morning Krzysztof,

we are testing the 3.6.1 release and have some additional tests we did not perform previously. When we submit a user update without selecting a subgroup and the update is accepted, the user is not added to the group where group management was delegated. The user is only added if a subgroup is selected. Is this behaviour intended? Or do we need to add an add-to-group rule in the automation section?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
From: Krzysztof B. <kb...@un...> - 2021-10-26 19:25:04
On 26.10.2021 at 11:55, Sander Apweiler wrote:
> Hello Krzysztof,
> we have the case that we, as Unity administrators, need to merge two accounts because the remote IdP changed the value we are using for account mapping. We disabled the account merging for users because of access rights to connected services.
>
> It seems that the texts for the merging dialog are not properly set in the 3.5.1 version. I tested it on several instances and it looks the same on all systems. I pasted a screenshot of the dialog.

Got it, thx!

Krzysztof
From: Sander A. <sa....@fz...> - 2021-10-26 10:01:50
Hello Krzysztof,

we have the case that we, as Unity administrators, need to merge two accounts because the remote IdP changed the value we are using for account mapping. We disabled the account merging for users because of access rights to connected services.

It seems that the texts for the merging dialog are not properly set in the 3.5.1 version. I tested it on several instances and it looks the same on all systems. I pasted a screenshot of the dialog.

Cheers,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
From: Krzysztof B. <kb...@un...> - 2021-10-18 14:09:12

Dear Subscribers,

As Java 8 is in its EoL period and officially unsupported by Oracle, and a second post-8 Long-Term-Support version of Java (Java 17) was recently published, Unity will soon drop its support for the dated Java 8.

Unity has supported running on Java 11 for a long time (since version 3.0.0). Since version *3.8.0* (roughly expected in December 2021), *Java 11 will also be the minimum version of JVM* on which Unity will run. It is advised to update Unity deployments to use Java 11 even before that release.

Best regards,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2021-10-18 14:07:54

Dear Subscribers,

A new update is available in the 3.6.x stream. It includes the following improvements:

* Bugfix: proper determination of the filling status of a sticky enquiry in HomeUI
* Support for SAML authentication assertions without subject identifier. Note that in such a case SLO can’t work, and the ‘id’ variable in the input profile is set to null.
* A workaround was implemented making Chrome password manager properly fill (and collect) passwords in Unity.

More details available at https://www.unity-idm.eu/downloads/

Best regards,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2021-10-12 09:47:02

Hi Sander,

On 12.10.2021 at 11:22, Sander Apweiler wrote:
> Hi Krzysztof,
> the enquiry is filled via home endpoint.
>
> The type is sticky and only available to / and /theme_test
> In collected data only the group can be selected "/theme_test/?*/**"
> with multiple group selection. The rest of the enquiry is empty.
>
> If you want I can provide you screenshots of the config.

Reproduced - as expected, a bug (rather serious :/ - but easy to fix). Will be patched in 3.6.1.

Thanks for the report,
Krzysztof

> Cheers,
> Sander
>
> On Tue, 2021-10-12 at 11:08 +0200, Krzysztof Benedyczak wrote:
>> Hi Sander,
>>
>> On 12.10.2021 at 10:23, Sander Apweiler wrote:
>>> Good morning Krzysztof,
>>> we encountered a problem with account updates. If user A fills an
>>> account update enquiry to join a group, this enquiry is filled for
>>> all
>>> users. User B and C have only the button "Remove last request and
>>> create a new". For me this behaviour is very strange and feels
>>> wrong.
>>> Is this behaviour intended or a bug?
>> Certainly sounds like a bug. Can you please provide a bit more color?
>> How
>> this enquiry is accessed, what is the configuration?
>>
>> Thank you,
>> Krzysztof
>>
>>
From: Sander A. <sa....@fz...> - 2021-10-12 09:22:39

Hi Krzysztof,

the enquiry is filled via home endpoint.

The type is sticky and only available to / and /theme_test
In collected data only the group can be selected "/theme_test/?*/**"
with multiple group selection. The rest of the enquiry is empty.

If you want I can provide you screenshots of the config.

Cheers,
Sander

On Tue, 2021-10-12 at 11:08 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 12.10.2021 at 10:23, Sander Apweiler wrote:
> > Good morning Krzysztof,
> > we encountered a problem with account updates. If user A fills an
> > account update enquiry to join a group, this enquiry is filled for
> > all
> > users. User B and C have only the button "Remove last request and
> > create a new". For me this behaviour is very strange and feels
> > wrong.
> > Is this behaviour intended or a bug?
>
> Certainly sounds like a bug. Can you please provide a bit more color?
> How
> this enquiry is accessed, what is the configuration?
>
> Thank you,
> Krzysztof
>
>

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...