From: Krzysztof B. <kb...@un...> - 2022-01-14 20:33:13

Dear Subscribers,

A new feature release 3.8.0 was published today. It brings a huge number of improvements and a couple of important bugfixes. The main highlights are:

* Java 8 support dropped
* Many OAuth enhancements: prompt param, offline_access scope, ui_locales param, standard compliant errors, no authN for public clients, and more
* New remote IdP attribute introspection endpoint
* Dropped support for Hazelcast
* Multiple performance improvements on large setups

... and that's by far not all. See the Downloads <https://www.unity-idm.eu/downloads/> page for a detailed list of changes.

It is worth mentioning here that starting from the 3.8.0 release (or better said its planning phase) we have switched to a new task prioritization process. Thanks to that change, you will see many more Community requests being addressed on a faster timeline. In particular, in the 3.8.0 release we have shipped 9 features requested by our Community.

Best regards,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2022-01-14 08:53:08

Dear Daniel,

On 13.01.2022 at 15:39, Fernandez Rodriguez Daniel via Unity-idm-discuss wrote:
> Dear Unity admins,
>
> my name is Daniel Fernandez.
> A few weeks ago, I inherited a working Unicore/Unity deployment.
> Unfortunately its configuration is not documented AT ALL and the
> person who configured it left the company some time ago...
>
> I would like to log in to the UNITY administration interface but
> unfortunately I don't have the admin password.
> Is there a way I can reset the password for the admin user? I have
> full access to the server and the H2 database files.
>
> I tried to connect to the H2 database with the user 'sa' (same
> password) but it did not work..
> We are running Unity 2.6.2 version.

Ouch, that's an old instance.

Set those two properties in unityServer.conf (also worth trying, if you still have them, whether the credentials from there work):

unityServer.core.initialAdminUsername=my-new-admin-user
unityServer.core.initialAdminPassword=my-new-admin-pass

and restart. You have the full reference here: http://www.unity-idm.eu/documentation/unity-2.6.0/manual.html#configuration

That might not be all. Inspect the logs carefully. In general you should have a new user added with the above password. However there are two caveats:

1. (unlikely) the password you set must not be too easy; it might be rejected. The best is to use something random and longer than a few chars.
2. (possible) the password will be assigned to a credential with id 'sys:password'. Now, your former admin could have disabled this credential from the authn options enabled on AdminUI. If that is the case you will have to add it in unityServer.conf (there should be an authenticator using this credential, and the authenticator needs to be enabled on the AdminUI endpoint).

HTH,
Krzysztof
From: Fernandez R. D. <dan...@ep...> - 2022-01-13 14:39:32

Dear Unity admins,

my name is Daniel Fernandez. A few weeks ago, I inherited a working Unicore/Unity deployment. Unfortunately its configuration is not documented AT ALL and the person who configured it left the company some time ago...

I would like to log in to the UNITY administration interface but unfortunately I don't have the admin password. Is there a way I can reset the password for the admin user? I have full access to the server and the H2 database files.

I tried to connect to the H2 database with the user 'sa' (same password) but it did not work..
We are running Unity 2.6.2 version.

Thank you very much for your help,
Daniel.
From: Roman K. <ro...@un...> - 2022-01-13 09:28:19

Hi Sander,

This is currently not supported, but it sounds like a legitimate feature. I'll open a ticket to cover this, and put it on top of our OSS queue of requests. Please note that we have recently changed the prioritization of tickets and such requests are now evaluated and handled on a release basis. It is very likely we will be implementing this sooner rather than later given the latest process changes.

Best,
Roman

On Tue, 11 Jan 2022 at 11:51 Sander Apweiler <sa....@fz...> wrote:
> Hi Krzysztof,
> we have the request from a user to put some attributes in the id token
> to avoid querying the userinfo endpoint. Is it possible to add some
> claims to the default ones in unity? I had a look in manual section
> 14.14 but didn't find something.
>
> Cheers,
> Sander
From: Sander A. <sa....@fz...> - 2022-01-11 11:08:51

Hi Krzysztof,

we have the request from a user to put some attributes in the id token to avoid querying the userinfo endpoint. Is it possible to add some claims to the default ones in unity? I had a look in manual section 14.14 but didn't find something.

Cheers,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren district court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Volker Rieke
Management Board: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior
From: Krzysztof B. <kb...@un...> - 2021-12-16 10:02:17

Dear Subscribers,

Unity 3.7.2, bundling an updated log4j library (2.16.0) with a fix for the CVE-2021-45046 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046> vulnerability, was published today. If you can't update immediately, follow the instructions from the previous post on the topic.

Links and changelog available in Downloads <https://www.unity-idm.eu/downloads/>.

Best regards,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2021-12-15 14:25:29

Hi Tim, All,

On 15.12.2021 at 08:37, Tim Kreuzer wrote:
> Hi Krzysztof,
>
> I don't know if you already know, but another log4j update
> is required:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

Yes, we have been heads down on this one since morning. Unity 3.7.2 including the updated library is being released. It takes ages as the sonatype nexus server (the tool used to publish to the Maven central repo) is super slow (quite easy to guess why). After this is completed I will provide a separate update.

Investigation of the new vulnerability discovered that the Unity server can be affected assuming:

1. it is version 3.5.0 or newer. 3.4.5 and earlier versions are not affected. Note: the previous log4j vulnerability was affecting all Unity versions (maybe except some ancient ones - we haven't checked unity 1.x or 2.x).
2. Context variables are used in the logging configuration. Context variables are used when you use any of the following variables in the logging pattern: ${ctx:___}, %X, %mdc, %MDC.

To mitigate the problem, until 3.7.2 is installed, the following options are available:

1. Manual update of all log4j* libraries to version 2.16.0. Should be safe on all affected versions of Unity.
2. Make sure you don't use any of the context variables in the logging pattern layout. More precisely there is a single context variable in Unity which looks like a likely candidate for attack, but the safest bet is to not use context variables at all, until the patched version is installed.

Best regards,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2021-12-13 20:35:18

Dear Subscribers,

Unity 3.7.1, bundling an updated log4j library with a fix for the CVE-2021-44228 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228> vulnerability, was published today. If you can't update immediately, follow the instructions from the previous post Log4j vulnerability <https://www.unity-idm.eu/2021/12/13/log4j-vulnerability/>.

Links and changelog available in Downloads <https://www.unity-idm.eu/downloads/>.

Best regards,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2021-12-13 12:08:24

Dear Subscribers,

As you may have noticed, Unity is using the vulnerable log4j library (see the CVE <https://nvd.nist.gov/vuln/detail/CVE-2021-44228> for details). Version 3.7.1 (soon to be published) will contain a fixed dependency. Until it is available (and in case you can't upgrade straight away) the following workaround is strongly advised.

In the file conf/startup.properties add the following line towards the end of the file:

OPTS=$OPTS" -Dlog4j2.formatMsgNoLookups=true"

A server restart is required after this change.

Best regards,
Krzysztof
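An added example (my code, not Unity's) that turns the log4j posts above into a check an operator can run against an installation: it flags bundled log4j jars older than the 2.16.0 release that 3.7.2 bundles, reports every context-variable form the CVE-2021-45046 post lists (${ctx:...}, %X, %mdc, %MDC) found in a log4j2 pattern layout, and confirms whether conf/startup.properties carries the -Dlog4j2.formatMsgNoLookups=true line from the workaround post. The jar names, pattern and startup.properties content in main are constructed samples; on a real host you would feed it the lib/ directory listing and the two config files. All function names are mine.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// fixedVersion is the log4j release the Unity 3.7.2 announcement bundles.
var fixedVersion = [3]int{2, 16, 0}

// jarRe matches log4j jar file names such as log4j-core-2.14.1.jar and
// captures the version components.
var jarRe = regexp.MustCompile(`^log4j-[a-z0-9-]+-(\d+)\.(\d+)\.(\d+)\.jar$`)

// jarVersion extracts the version from a log4j jar name; ok is false for other jars.
func jarVersion(name string) (v [3]int, ok bool) {
	m := jarRe.FindStringSubmatch(name)
	if m == nil {
		return v, false
	}
	for i := 0; i < 3; i++ {
		v[i], _ = strconv.Atoi(m[i+1])
	}
	return v, true
}

// olderThan reports whether version a sorts before version b.
func olderThan(a, b [3]int) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// VulnerableJars returns the log4j jars from a lib/ listing that are older than 2.16.0.
func VulnerableJars(jars []string) []string {
	var out []string
	for _, j := range jars {
		if v, ok := jarVersion(j); ok && olderThan(v, fixedVersion) {
			out = append(out, j)
		}
	}
	return out
}

// ctxRe matches the context-variable forms the CVE-2021-45046 post names:
// ${ctx:...}, %X, %mdc and %MDC (with or without a {key} argument).
var ctxRe = regexp.MustCompile(`\$\{ctx:[^}]*\}|%X\b|%mdc\b|%MDC\b`)

// ContextVariablesUsed returns every context-variable occurrence in a log4j2
// configuration text, so they can be removed until the patched version is installed.
func ContextVariablesUsed(config string) []string {
	return ctxRe.FindAllString(config, -1)
}

// HasNoLookupsWorkaround reports whether an uncommented OPTS= line in
// conf/startup.properties sets -Dlog4j2.formatMsgNoLookups=true.
func HasNoLookupsWorkaround(startupProps string) bool {
	for _, line := range strings.Split(startupProps, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "#") {
			continue
		}
		if strings.HasPrefix(line, "OPTS=") && strings.Contains(line, "-Dlog4j2.formatMsgNoLookups=true") {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample data standing in for a real lib/ listing and config files.
	jars := []string{"log4j-api-2.14.1.jar", "log4j-core-2.14.1.jar", "unity-server-3.6.1.jar", "log4j-core-2.16.0.jar"}
	logConfig := "appender.console.layout.pattern = %d{ISO8601} [%t] %X{user} %-5p %c: %m%n"
	startup := "# JVM options\nOPTS=\"-Xmx1g\"\nOPTS=$OPTS\" -Dlog4j2.formatMsgNoLookups=true\"\n"

	fmt.Println("log4j jars older than 2.16.0:", VulnerableJars(jars))
	fmt.Println("context variables in pattern layout:", ContextVariablesUsed(logConfig))
	fmt.Println("formatMsgNoLookups workaround present:", HasNoLookupsWorkaround(startup))
}
```

Read the three results together: CVE-2021-45046 exists precisely because the formatMsgNoLookups setting does not cover the Thread Context lookups, so a host that passes only the third check still needs the first two to come back clean (jars at 2.16.0 or newer, or no context variables in the pattern).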
From: Bernd S. <b.s...@fz...> - 2021-12-06 09:44:41

hi Anthony,

we have the UNICORE authentication by Keycloak OAuth tokens up and running (the EBRAINS IdP is Keycloak). To complement what Krzysztof has written, you'll need an input translation profile that maps the info from the token to an x500 identity.

I've attached two screenshots, one is the authenticator config, the other the input profile.

Of course the authenticator needs to be active on the UNICORE SAML SOAP endpoint.

Hope this helps!

Best regards,
Bernd

On 03.12.21 22:27, Anthony M wrote:
> Hello,
>
> Currently, I have incorporated Unity as an OAuth client using Keycloak. This allows users to login to the /home endpoint, resulting in user creation (including X500 name). However, I want to authenticate these newly created users through UNICORE by passing OAuth tokens (from Keycloak). I set up an OAuth RP in Unity by including the Keycloak "openid-connect/token/introspect" endpoint for token verification, and the respective Keycloak profile endpoint (/userinfo). In addition, I connected the RP to a SAML SOAP endpoint (unicore-soapidp-oidc/saml2unicoreidp-soap/AuthenticationService). However, user authentication is failing.
>
> What would be the necessary steps to get this workflow working? Currently I have no remote data mapping set up with the OAuth RP, which may be causing issues when trying to map the verified tokens to the SOAP endpoint.
>
> Thank you for your help.
>
> Regards,
>
> Anthony Mammoliti

--
Dr. Bernd Schuller
Federated Systems and Data, Juelich Supercomputing Centre
https://www.fz-juelich.de/ias/jsc/EN/Home/home_node.html
Phone: +49 246161-8736 (fax -8556)
From: Krzysztof B. <kb...@un...> - 2021-12-06 09:16:48

Hi Anthony,

On 03.12.2021 at 22:27, Anthony M wrote:
> Hello,
>
> Currently, I have incorporated Unity as an OAuth client using Keycloak. This allows users to login to the /home endpoint, resulting in user creation (including X500 name). However, I want to authenticate these newly created users through UNICORE by passing OAuth tokens (from Keycloak). I set up an OAuth RP in Unity by including the Keycloak "openid-connect/token/introspect" endpoint for token verification, and the respective Keycloak profile endpoint (/userinfo). In addition, I connected the RP to a SAML SOAP endpoint (unicore-soapidp-oidc/saml2unicoreidp-soap/AuthenticationService). However, user authentication is failing.
>
> What would be the necessary steps to get this workflow working? Currently I have no remote data mapping set up with the OAuth RP, which may be causing issues when trying to map the verified tokens to the SOAP endpoint.

Well, hard to say precisely, there are a couple of places where the process can fail. I'd, in order, do the following:

1. Enable debug logging for oauth, saml and externaltranslation.
2. Test drive the process and check in the logs at which step it fails.
3. If it fails early, i.e. at verification of the access token against Keycloak, then we need to look at the protocol compatibility. -> Keycloak is not directly supported, so it may work or not.
4. (if the above is fine) Check in the logs whether the user profile is fetched.
5. (if the above is fine) Check what happens with the mapping. If you haven't set up a mapping then Unity most likely won't be able to map information retrieved from Keycloak to its own attributes and identities. Logs should tell you what is received, and this will help you to set up a proper mapping.

HTH,
Krzysztof
From: Anthony M <ant...@gm...> - 2021-12-03 21:27:23

Hello,

Currently, I have incorporated Unity as an OAuth client using Keycloak. This allows users to login to the /home endpoint, resulting in user creation (including X500 name). However, I want to authenticate these newly created users through UNICORE by passing OAuth tokens (from Keycloak). I set up an OAuth RP in Unity by including the Keycloak "openid-connect/token/introspect" endpoint for token verification, and the respective Keycloak profile endpoint (/userinfo). In addition, I connected the RP to a SAML SOAP endpoint (unicore-soapidp-oidc/saml2unicoreidp-soap/AuthenticationService). However, user authentication is failing.

What would be the necessary steps to get this workflow working? Currently I have no remote data mapping set up with the OAuth RP, which may be causing issues when trying to map the verified tokens to the SOAP endpoint.

Thank you for your help.

Regards,
Anthony Mammoliti
From: Krzysztof B. <kb...@un...> - 2021-12-03 11:40:30

Hi Sander,

On 03.12.2021 at 12:27, Sander Apweiler wrote:
> Hi Krzysztof,
> We have an SP, which is a SPA using PKCE with CORS. This part is
> working now. We set the clientType to PUBLIC. When the SP requests the
> user token the error message "Invalid user name, credential or external
> authentication failed." is shown. Investigating the logs a little bit
> more it shows "No HTTP BASIC auth header was found". This should not be
> the case for PKCE, should it?

Yeah, that's one known issue we had in our impl. Currently even for a public client you have to set up some password (publicly known) and use it.

We can fix that problem now, as in 3.7.0 we have introduced the optionally authenticated REST endpoints feature, which enables proper handling of this case. That should be a small change now; I'll put the corresponding ticket on the short term queue.

Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2021-12-03 11:27:04

Hi Krzysztof,

We have an SP, which is a SPA using PKCE with CORS. This part is working now. We set the clientType to PUBLIC. When the SP requests the user token the error message "Invalid user name, credential or external authentication failed." is shown. Investigating the logs a little bit more it shows "No HTTP BASIC auth header was found". This should not be the case for PKCE, should it?

Cheers,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
From: Krzysztof B. <kb...@un...> - 2021-12-01 14:55:52

Hi Marcus,

On 01.12.2021 at 11:21, Marcus Hardt wrote:
> On 01. Dec 2021 11:08, Sander Apweiler wrote:
>> Hi Krzysztof,
>> in the past we did not support/use SLO because most users did not want to be logged
>> out on all services if they log out from one. This opinion is changing
>> especially among the users who are the managers.
> I'd express it more like: There is a 2nd use-case coming up. I.e. we may
> need two different ways to log out:
> 1: Log out of Unity
> 2: Log out of all sessions (e.g. at the end of a guest session on somebody
> else's computer)
>
> I think two different buttons (unity-logout and global-logout) would be best.

Yes, so we have those two options supported, but they can be configured for the whole server only. We can make it more flexible in the way you have described above, but note that there is also another case (which I believe is by far more common) of logout initiated from an SP, not from unity directly.

Best,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2021-12-01 14:53:18

Hi Sander,

On 01.12.2021 at 11:08, Sander Apweiler wrote:
> Hi Krzysztof,
> in the past we did not support/use SLO because most users did not want to be logged
> out on all services if they log out from one. This opinion is changing
> especially among the users who are the managers.
>
> We did not change any attributes from the default unity config. Can you
> give us a hint which attributes must be configured to perform SLO? Of
> course we must configure the SLO endpoints of the accepted SPs. The SLO
> endpoints from the upstream IdPs should be fetched from the metadata
> file, if they are provided within. Is this assumption correct?
> Beside this, do we only need to configure
> - unity.saml.requester.sloPath=/SLO-WEB
> - unity.saml.requester.sloRealm=defaultRealm
>
> I guess unityServer.core.logoutMode is only for clicking on the logout
> button on unity. But also here we recognized that using the default value
> internalAndSyncPeers doesn't log you out from the IdP. But maybe this is
> also not working because we did not enable SLO.

That's a hard question, as you have a proxy. And SLO may mean many things in the case of a proxy.

So first the global parameter: it rules what happens when there is any logout in unity. It can be triggered in one of unity's UIs (e.g. home) or via API (currently only the SAML endpoint offers that). So it can be no-SLO (just kill the local session) or SLO (kill the local session and trigger logouts of all peers that support SLO - again only supported for SAML).

So everything more that you need to configure are the proper endpoints of SAML SPs (that you want to log out from unity), of the Unity IdP (so that SAML SPs relying on Unity can request logout) and of external IdPs (so that unity can log out upstream IdPs). You can enable this little by little and test - which I strongly suggest. Also pay attention to your configuration of realms - SLO never crosses a realm's boundary.

This is still pretty valid, although not mentioning configuration via the Console UI: https://www.unity-idm.eu/documentation/unity-1.9.0/saml-howto.html#_using_single_logout_slo

Best,
Krzysztof
From: Marcus H. <ha...@ki...> - 2021-12-01 10:46:11

On 01. Dec 2021 11:08, Sander Apweiler wrote:
> Hi Krzysztof,
> in the past we did not support/use SLO because most users did not want to be logged
> out on all services if they log out from one. This opinion is changing
> especially among the users who are the managers.

I'd express it more like: There is a 2nd use-case coming up. I.e. we may need two different ways to log out:
1: Log out of Unity
2: Log out of all sessions (e.g. at the end of a guest session on somebody else's computer)

I think two different buttons (unity-logout and global-logout) would be best.

M.

> We did not change any attributes from the default unity config. Can you
> give us a hint which attributes must be configured to perform SLO? Of
> course we must configure the SLO endpoints of the accepted SPs. The SLO
> endpoints from the upstream IdPs should be fetched from the metadata
> file, if they are provided within. Is this assumption correct?
> Beside this, do we only need to configure
> - unity.saml.requester.sloPath=/SLO-WEB
> - unity.saml.requester.sloRealm=defaultRealm
>
> I guess unityServer.core.logoutMode is only for clicking on the logout
> button on unity. But also here we recognized that using the default value
> internalAndSyncPeers doesn't log you out from the IdP. But maybe this is
> also not working because we did not enable SLO.
>
> Best regards,
> Sander

--
Marcus.
From: Sander A. <sa....@fz...> - 2021-12-01 10:08:13

Hi Krzysztof,

in the past we did not support/use SLO because most users did not want to be logged out on all services if they log out from one. This opinion is changing, especially among the users who are the managers.

We did not change any attributes from the default unity config. Can you give us a hint which attributes must be configured to perform SLO? Of course we must configure the SLO endpoints of the accepted SPs. The SLO endpoints from the upstream IdPs should be fetched from the metadata file, if they are provided within. Is this assumption correct?
Beside this, do we only need to configure
- unity.saml.requester.sloPath=/SLO-WEB
- unity.saml.requester.sloRealm=defaultRealm

I guess unityServer.core.logoutMode is only for clicking on the logout button on unity. But also here we recognized that using the default value internalAndSyncPeers doesn't log you out from the IdP. But maybe this is also not working because we did not enable SLO.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
From: Krzysztof B. <kb...@un...> - 2021-11-19 20:22:43

Dear Subscribers,

Release 3.7.0 is out, bringing numerous improvements. Among others:

* Enhanced group attribute statements
* Group properties
* New MVEL editor
* Easier configuration of registration with remote IdP
* IdP endpoint usage statistics
* OAuth token revocation fully compliant with RFC 7009
* Endpoint configuration reload from file
* Account selection for enquiry forms accessed by invitation

In this release we also have a couple of important bug fixes. See https://www.unity-idm.eu/downloads/ for more details.

Best regards,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2021-11-18 14:16:18

Hi Sander,

On 18.11.2021 at 10:09, Sander Apweiler wrote:
> Good morning Krzysztof,
> we got tickets from two users who were stuck in a login loop with
> username/password. After some investigation we found that the credentials
> were outdated. Both confirmed that the outdated credentials form was not
> shown to them. Maybe there is a bug here.

Got it, indeed a bug. The fix is already on the way and will be released soon.

Thank you,
Krzysztof
From: Sander A. <sa....@fz...> - 2021-11-18 09:10:02

Good morning Krzysztof,

we got tickets from two users who were stuck in a login loop with username/password. After some investigation we found that the credentials were outdated. Both confirmed that the outdated credentials form was not shown to them. Maybe there is a bug here.

Cheers,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
From: Sander A. <sa....@fz...> - 2021-11-03 10:32:01

Hi Krzysztof,

I fully understand your thoughts. And yes, you are right, the browser certificates are used to perform the handshake. We can just avoid this by disabling client authentication. But if we disable it, users are not able to authenticate to unity using the certificate.

Sadly the self-signed certificate from MS is stored in the browser. And Apple uses the keychain and they stored their self-signed certificate within it too.

I guess we should give some more thought to the problem before you start to implement something. And of course the browsers are part of this problem too. The wording in the pop-up is just a default ok or cancel which is not understandable for users without certificate knowledge.

Best regards,
Sander

On Wed, 2021-11-03 at 10:54 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 02.11.2021 at 13:39, Sander Apweiler wrote:
> > Hello Krzysztof,
> > We are using certificate login as one option for user authentication.
> > The positive aspect of certificate authentication is users are checked
> > before they get a certificate from a trustful CA.
> >
> > Sadly after apple deals since several years with self-signed
> > certificates, which are offered to the users, Microsoft starts with the
> > same bullshit in the last year. Of course self-signed certificates are
> > not trustful and we do not support them for authentication. But because
> > unity uses the client authentication mechanism in the SSL handshake, the
> > user certificates are rejected before the user reaches the service and the
> > user just sees a certificate error in their browser which they do not
> > understand. And those users do not use certificate authentication. They
> > normally use the account at their home organisation or their social ID
> > for authentication.
> >
> > Is there another way for certificate authentication without using the
> > client authentication from the SSL handshake?
>
> [I may be wrong here.] To my knowledge, browser certificates are used
> *by the browser* to set up the TLS layer connection, period. So Unity can't do
> much about it.
>
> I can think of a solution here, though: Unity on the TLS level would be
> configured to trust all client certificates (that's easily doable of
> course). So the TLS connection would be set up without any problem.
>
> However, the certificate chain would be separately validated against the
> truststore by the Unity authentication module (that is currently not
> implemented) and assumed to be present only if trusted. We would need to
> conduct a security analysis here first, to make sure we won't introduce
> any vulnerability by such a change. But I think that could work.
>
> For sure this would NOT prevent any web-browser side popups like "please
> select your certificate" or "do you want to use this certificate for
> authentication?".
>
> One more option is to use hardware tokens and FIDO2 - also certificates,
> also supported by unity and browsers, no user headache.
>
> Cheers,
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre
From: Krzysztof B. <kb...@un...> - 2021-11-03 10:22:23

Hi Sander,

On 02.11.2021 at 10:20, Sander Apweiler wrote:
> Good morning Krzysztof,
> we are testing the 3.6.1 release and have some additional tests we did not
> perform previously. When we submit a user update without selecting a
> subgroup and the update is accepted, the user is not added to the group
> where group management was delegated. The user is only added if a
> subgroup is selected. Is this behaviour intended? Or do we need to add
> an add to group rule in the automation section?

I assume we are talking here about "project joining forms" which are unity enquiries, used to enroll existing unity users into an upman project. In those cases, yes, the enquiry form should contain an add to project's group action in its automation. The default (auto generated) forms do have this configured, so at least in the default case it works out of the box.

Best,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2021-11-03 09:55:03

Hi Sander,

On 02.11.2021 at 13:39, Sander Apweiler wrote:
> Hello Krzysztof,
> We are using certificate login as one option for user authentication.
> The positive aspect of certificate authentication is users are checked
> before they get a certificate from a trustful CA.
>
> Sadly after apple deals since several years with self-signed
> certificates, which are offered to the users, Microsoft starts with the
> same bullshit in the last year. Of course self-signed certificates are
> not trustful and we do not support them for authentication. But because
> unity uses the client authentication mechanism in the SSL handshake, the
> user certificates are rejected before the user reaches the service and the
> user just sees a certificate error in their browser which they do not
> understand. And those users do not use certificate authentication. They
> normally use the account at their home organisation or their social ID
> for authentication.
>
> Is there another way for certificate authentication without using the
> client authentication from the SSL handshake?

[I may be wrong here.] To my knowledge, browser certificates are used *by the browser* to set up the TLS layer connection, period. So Unity can't do much about it.

I can think of a solution here, though: Unity on the TLS level would be configured to trust all client certificates (that's easily doable of course). So the TLS connection would be set up without any problem.

However, the certificate chain would be separately validated against the truststore by the Unity authentication module (that is currently not implemented) and assumed to be present only if trusted. We would need to conduct a security analysis here first, to make sure we won't introduce any vulnerability by such a change. But I think that could work.

For sure this would NOT prevent any web-browser side popups like "please select your certificate" or "do you want to use this certificate for authentication?".

One more option is to use hardware tokens and FIDO2 - also certificates, also supported by unity and browsers, no user headache.

Cheers,
Krzysztof
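The design Krzysztof sketches in this thread, written out as an added example in Go (my code, not Unity's, and, as the post says, not something Unity implements): the TLS layer is configured to accept any client certificate, so the authentication module has to validate the presented chain against the truststore itself and treat the certificate as absent unless that validation succeeds. A self-signed certificate of the kind Sander describes therefore never becomes an identity, and the TLS handshake no longer fails for users who have one in their keychain. The CA, the CA-issued user certificate and the self-signed one are generated in memory as a constructed scenario; AuthenticatedSubject, BuildScenario and the subject names are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// AuthenticatedSubject is the authentication-module check: the presented chain
// (leaf first, as received from the TLS layer) must verify against the trusted
// roots and be valid for client authentication at time now. Anything else is
// reported as an error and the caller treats the certificate as not present.
func AuthenticatedSubject(trusted *x509.CertPool, presented []*x509.Certificate, now time.Time) (string, error) {
	if len(presented) == 0 {
		return "", errors.New("no client certificate presented")
	}
	inter := x509.NewCertPool()
	for _, c := range presented[1:] {
		inter.AddCert(c)
	}
	if _, err := presented[0].Verify(x509.VerifyOptions{
		Roots:         trusted,
		Intermediates: inter,
		CurrentTime:   now,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return "", fmt.Errorf("client certificate not trusted: %w", err)
	}
	return presented[0].Subject.String(), nil
}

// --- constructed scenario: an in-memory CA plus two user certificates ---

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl under parent with the signer's key and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// userTemplate is an end-entity template marked for client authentication.
func userTemplate(serial int64) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "alice"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
}

// BuildScenario returns a truststore holding one CA, a user certificate issued
// by that CA, and a self-signed user certificate carrying the same subject.
func BuildScenario() (trust *x509.CertPool, fromCA, selfSigned *x509.Certificate) {
	now := time.Now()
	caKey := mustKey()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Trusted CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	trust = x509.NewCertPool()
	trust.AddCert(ca)

	userKey := mustKey()
	fromCA = sign(userTemplate(2), ca, &userKey.PublicKey, caKey)

	selfKey := mustKey()
	selfTmpl := userTemplate(3)
	selfSigned = sign(selfTmpl, selfTmpl, &selfKey.PublicKey, selfKey)
	return trust, fromCA, selfSigned
}

func main() {
	trust, fromCA, selfSigned := BuildScenario()
	for name, chain := range map[string][]*x509.Certificate{"CA-issued": {fromCA}, "self-signed": {selfSigned}} {
		subject, err := AuthenticatedSubject(trust, chain, time.Now())
		fmt.Printf("%-12s subject=%q err=%v\n", name, subject, err)
	}
}
```

The point of the KeyUsages and CurrentTime options is that "trusted root" alone is not the whole check: a certificate from the right CA that is expired, or not issued for client authentication, is rejected at the same place, which is the security analysis step the post says would have to precede such a change.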
From: Krzysztof B. <kb...@un...> - 2021-11-03 09:42:27

Hi Sander,

On 03.11.2021 at 09:48, Sander Apweiler wrote:
> Good morning Krzysztof,
> we have an SP which operates a single page application (SPA) and wants
> to use PKCE. The browser expects the HTTP header "access-control-allow-
> origin" for CORS requests, but it seems that unity does not send it:

Yes, PKCE is supported, but CORS needs to be properly configured separately (it may also be needed in scenarios other than PKCE). See http://www.unity-idm.eu/documentation/unity-3.6.0/manual.html#_http_server_settings (section on "CORS settings"). For sure you have to enable it, likely set origins properly and maybe more, depending on security requirements.

HTH,
Krzysztof
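An added example (my code, not Unity's) covering the two SPA questions in Sander's PKCE threads above: the one about the missing "HTTP BASIC auth header" for a PUBLIC client, and this one about the access-control-allow-origin header. It shows what a token endpoint checks instead of a client credential under RFC 7636 (the S256 code_challenge stored at authorization time must equal the hash of the code_verifier presented at token time), and an explicit-allow-list CORS response of the kind the "set origins properly" advice implies, where an unlisted origin gets no CORS headers rather than a wildcard. AuthorizationRecord, VerifyPublicClientTokenRequest, CORSHeaders and the client id spa-client are my names, not Unity's API.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// NewVerifier creates a code_verifier: 32 random bytes, base64url without
// padding, which gives 43 characters (the RFC 7636 minimum).
func NewVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// ChallengeS256 derives code_challenge = BASE64URL(SHA256(code_verifier)).
func ChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthorizationRecord is what the server stored when it issued the code.
type AuthorizationRecord struct {
	ClientID, ClientType, CodeChallenge, Method string
}

// VerifyPublicClientTokenRequest is the server-side check that takes the place
// of HTTP BASIC client authentication for a PUBLIC client: possession of the
// code_verifier that hashes to the stored challenge.
func VerifyPublicClientTokenRequest(rec AuthorizationRecord, clientID, verifier string) error {
	if rec.ClientID != clientID {
		return errors.New("client_id does not match the authorization code")
	}
	if rec.ClientType != "PUBLIC" {
		return errors.New("confidential clients must authenticate with their credential")
	}
	if rec.Method != "S256" || rec.CodeChallenge == "" {
		return errors.New("code was issued without an S256 PKCE challenge")
	}
	if len(verifier) < 43 || len(verifier) > 128 {
		return errors.New("code_verifier length outside the RFC 7636 range")
	}
	// Constant-time comparison so a mismatch does not leak where it diverged.
	if subtle.ConstantTimeCompare([]byte(ChallengeS256(verifier)), []byte(rec.CodeChallenge)) != 1 {
		return errors.New("code_verifier does not match code_challenge")
	}
	return nil
}

// CORSHeaders returns the response headers for a browser request from origin
// given the operator's explicit allow list. An unlisted origin gets nil (no
// CORS headers, so the browser blocks the SPA), and "*" is never echoed.
func CORSHeaders(origin string, allowed []string) map[string]string {
	for _, a := range allowed {
		if a == origin && a != "*" {
			return map[string]string{
				"Access-Control-Allow-Origin":  origin,
				"Access-Control-Allow-Methods": "POST, OPTIONS",
				"Access-Control-Allow-Headers": "Content-Type",
				"Vary":                         "Origin",
			}
		}
	}
	return nil
}

func main() {
	// Constructed flow: the SPA creates a verifier, the server stores the challenge
	// with the code, and the token request is checked without any client secret.
	v, _ := NewVerifier()
	rec := AuthorizationRecord{ClientID: "spa-client", ClientType: "PUBLIC", CodeChallenge: ChallengeS256(v), Method: "S256"}
	fmt.Println("token request with correct verifier:", VerifyPublicClientTokenRequest(rec, "spa-client", v))
	fmt.Println("token request with wrong verifier:  ", VerifyPublicClientTokenRequest(rec, "spa-client", "A"+v[1:]))
	allowed := []string{"https://spa.example.org"}
	fmt.Println("CORS for listed origin:  ", CORSHeaders("https://spa.example.org", allowed))
	fmt.Println("CORS for unlisted origin:", CORSHeaders("https://other.example", allowed))
}
```

The allow list matters because the token endpoint, once it accepts public clients, relies on the browser's origin policy to keep a code issued to one SPA from being redeemed by a page on another origin; echoing arbitrary origins would remove that protection.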