From: Sander A. <sa....@fz...> - 2021-04-28 06:52:55

Good morning Krzysztof,

On Wed, 2021-04-28 at 08:45 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 27.04.2021 at 20:19, Sander Apweiler wrote:
> > Hi Krzysztof,
> > I expected that this is not an easy change because this is very
> > generic. If we find a lightweight solution for this problem, it would be
> > helpful, too. We are also working on a description of this problem and
> > the workaround with the new invitation in our documentation.
>
> We had an internal brainstorming on that topic yesterday. One question
> arose: what are those other means to provision the user (i.e. not via
> the invitation which is clicked after the user account was created)? Is this
> only the case that a prospective user receives multiple invitations to
> register, clicks one (in general a random one), and afterwards we have a
> problem with the remaining invitations? Or is the problem wider and includes
> situations where the user is, for instance, manually created by a Unity admin?

No, at least in our case user accounts are created automatically.

> If we are talking only about multiple invitations, then we may have an
> idea for a bit simpler solution. But please first confirm that this
> scenario covers your problem well.

Sadly I think receiving multiple invitations is only the "problem" in a few cases. We recognized that the user got only one invitation and, instead of following the link, the user went to the Unity server and created an account. In our case the enquiry forms are almost empty, only agreements and policies must be accepted, but I don't want to generalize this. There might be other use cases where additional information is requested from users, too.

Best regards,
Sander

> Best,
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren district court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Volker Rieke
Management Board: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman),
Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt,
Prof. Dr. Frauke Melchior
-----------------------------------------------------------------------

From: Krzysztof B. <kb...@un...> - 2021-04-28 06:45:35

Hi Sander,

On 27.04.2021 at 20:19, Sander Apweiler wrote:
> Hi Krzysztof,
> I expected that this is not an easy change because this is very
> generic. If we find a lightweight solution for this problem, it would be
> helpful, too. We are also working on a description of this problem and
> the workaround with the new invitation in our documentation.

We had an internal brainstorming on that topic yesterday. One question arose: what are those other means to provision the user (i.e. not via the invitation which is clicked after the user account was created)? Is this only the case that a prospective user receives multiple invitations to register, clicks one (in general a random one), and afterwards we have a problem with the remaining invitations? Or is the problem wider and includes situations where the user is, for instance, manually created by a Unity admin?

If we are talking only about multiple invitations, then we may have an idea for a bit simpler solution. But please first confirm that this scenario covers your problem well.

Best,
Krzysztof

From: Sander A. <sa....@fz...> - 2021-04-27 18:20:06

Hi Krzysztof,

I expected that this is not an easy change because this is very generic. If we find a lightweight solution for this problem, it would be helpful, too. We are also working on a description of this problem and the workaround with the new invitation in our documentation.

Cheers,
Sander

On Tue, 2021-04-27 at 17:31 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 26.04.2021 at 07:15, Sander Apweiler wrote:
> > Good morning Krzysztof,
> > in the last weeks we encountered a recurring "problem" with
> > invitations. Let me describe the issue: a project administrator creates
> > an invitation. At this time the invited user has no Unity account, so
> > it is linked to the registration form and the invitation is sent to the
> > user. In the meantime the user registers at Unity. After the user
> > registered to Unity, the user clicks on the invitation link, which is
> > not working anymore, because the account is already registered.
> >
> > Of course sending a new invitation solves the problem, because the new
> > one is linked to the enquiry form, but this approach is not very user
> > friendly. It would be nice if Unity switched automatically to the
> > enquiry form if the user already registered before following
> > the invitation?
>
> That doesn't sound easy. One aspect is that an invitation needs to be
> consistent with its form. I.e. if I send an invitation to register a
> user, that invitation is bound to some form, say form1. Now after
> rewriting it to be an invitation to an enquiry, it would require a form
> which is 100% compatible with form1, but cut down to be an enquiry. It is
> possible but would require creating automatically a read-only, system
> enquiry form for each registration form, with compatible contents.
>
> Another concern is around detection of how the user is subscribed "in
> the meantime". In general this can happen in plenty of ways, and we
> would need a generic mechanism: a new entity was added; let's check if it
> has a confirmed email (hmm, identity or also an attribute?) which is
> used in any registration invitation, and if yes rewrite those
> invitations to enquiries.
>
> All in all that is doable, perhaps even generally useful, but it is
> rather a major development to cover quite an edge case. Maybe we can
> think about something more lightweight to support this scenario?
>
> Cheers,
> Krzysztof

From: Krzysztof B. <kb...@un...> - 2021-04-27 15:35:34

Hi again,

On 26.04.2021 at 14:40, Sander Apweiler wrote:
> Hi Krzysztof,
> In the past we discussed the problems with the loading of IdP images by the
> user instead of Unity. The problem has become more important because the
> apps of RocketChat and Mattermost display the error within two
> seconds. In this time it is nearly impossible to filter the list of
> IdPs using the search box.
>
> Do you have an estimate of when the update will be available?

Recently we were focusing on the enhancements of the SAML signature handling that went out recently. I guess 3.7 would be a safe estimate (June/July); 3.6 is rather unlikely looking at the current backlog of OSS requests.

Best,
Krzysztof

From: Krzysztof B. <kb...@un...> - 2021-04-27 15:32:20

Hi Sander,

On 26.04.2021 at 07:15, Sander Apweiler wrote:
> Good morning Krzysztof,
> in the last weeks we encountered a recurring "problem" with
> invitations. Let me describe the issue: a project administrator creates
> an invitation. At this time the invited user has no Unity account, so
> it is linked to the registration form and the invitation is sent to the
> user. In the meantime the user registers at Unity. After the user
> registered to Unity, the user clicks on the invitation link, which is
> not working anymore, because the account is already registered.
>
> Of course sending a new invitation solves the problem, because the new
> one is linked to the enquiry form, but this approach is not very user
> friendly. It would be nice if Unity switched automatically to the
> enquiry form if the user already registered before following
> the invitation?

That doesn't sound easy. One aspect is that an invitation needs to be consistent with its form. I.e. if I send an invitation to register a user, that invitation is bound to some form, say form1. Now after rewriting it to be an invitation to an enquiry, it would require a form which is 100% compatible with form1, but cut down to be an enquiry. It is possible but would require creating automatically a read-only, system enquiry form for each registration form, with compatible contents.

Another concern is around detection of how the user is subscribed "in the meantime". In general this can happen in plenty of ways, and we would need a generic mechanism: a new entity was added; let's check if it has a confirmed email (hmm, identity or also an attribute?) which is used in any registration invitation, and if yes rewrite those invitations to enquiries.

All in all that is doable, perhaps even generally useful, but it is rather a major development to cover quite an edge case. Maybe we can think about something more lightweight to support this scenario?

Cheers,
Krzysztof

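The rewriting mechanism sketched in the message above, modelled as an added example in Python (this is not Unity's code; the Form, Invitation and Entity classes, the derived_from link between a registration form and its system enquiry form, and the follow() outcomes are this example's own assumptions). It also reproduces the symptom the thread starts from: a registration invitation followed by an already logged-in user fails, while the rewritten enquiry invitation succeeds. Only confirmed e-mail addresses trigger a rewrite, so an unverified claim to someone else's address cannot take over their pending invitations.

```python
"""Model of 'new entity added -> rewrite its pending registration invitations
into enquiry invitations'. Added example, not Unity's code; names are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class Form:
    name: str
    kind: str                            # "registration" or "enquiry"
    derived_from: Optional[str] = None   # registration form an enquiry form mirrors


@dataclass
class Invitation:
    code: str
    form: str
    contact: str                         # e-mail address the invitation was sent to
    expires: datetime
    kind: str = "registration"


@dataclass
class Entity:
    entity_id: int
    emails: Dict[str, bool] = field(default_factory=dict)   # address -> confirmed?


class InvitationRegistry:
    def __init__(self, forms: List[Form]):
        self.forms = {f.name: f for f in forms}
        self.invitations: Dict[str, Invitation] = {}

    def add(self, inv: Invitation) -> None:
        if self.forms[inv.form].kind != inv.kind:
            raise ValueError("invitation kind must match the kind of its form")
        self.invitations[inv.code] = inv

    def enquiry_form_for(self, registration_form: str) -> Optional[Form]:
        """The system enquiry form generated from a registration form, if any."""
        for f in self.forms.values():
            if f.kind == "enquiry" and f.derived_from == registration_form:
                return f
        return None

    def on_entity_added(self, entity: Entity, now: datetime) -> Tuple[List[str], List[str]]:
        """Hook for the 'new entity was added' event; only confirmed addresses count."""
        confirmed = {a.lower() for a, ok in entity.emails.items() if ok}
        rewritten, stranded = [], []
        for inv in self.invitations.values():
            if inv.kind != "registration" or inv.expires <= now:
                continue
            if inv.contact.lower() not in confirmed:
                continue
            target = self.enquiry_form_for(inv.form)
            if target is None:            # no compatible enquiry form: leave it alone
                stranded.append(inv.code)
                continue
            inv.kind, inv.form = "enquiry", target.name
            rewritten.append(inv.code)
        return rewritten, stranded

    def follow(self, code: str, logged_in: bool, now: datetime) -> str:
        """Outcome of clicking the link, mirroring the symptom reported in the thread."""
        inv = self.invitations.get(code)
        if inv is None or inv.expires <= now:
            return "invalid-or-expired"
        if inv.kind == "registration":
            return "error-already-registered" if logged_in else "registration-form"
        return "enquiry-form" if logged_in else "login-required"


def demo() -> Dict[str, object]:
    """Walk through the thread's scenario with constructed data."""
    now = datetime(2021, 4, 26, tzinfo=timezone.utc)
    week = timedelta(days=7)
    reg = InvitationRegistry([
        Form("project-reg", "registration"),
        Form("project-reg-enquiry", "enquiry", derived_from="project-reg"),
        Form("other-reg", "registration"),          # has no derived enquiry form
    ])
    reg.add(Invitation("c1", "project-reg", "Alice@Example.org", now + week))
    reg.add(Invitation("c2", "other-reg", "alice@example.org", now + week))
    reg.add(Invitation("c3", "project-reg", "bob@example.org", now + week))
    reg.add(Invitation("c4", "project-reg", "alice@example.org", now - timedelta(days=1)))
    before = reg.follow("c1", logged_in=True, now=now)      # the reported failure
    alice = Entity(1, {"alice@example.org": True, "bob@example.org": False})
    rewritten, stranded = reg.on_entity_added(alice, now)
    return {"before": before, "rewritten": rewritten, "stranded": stranded,
            "after": reg.follow("c1", logged_in=True, now=now),
            "bob": reg.follow("c3", logged_in=False, now=now),
            "expired": reg.follow("c4", logged_in=True, now=now)}
```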
From: Sander A. <sa....@fz...> - 2021-04-26 12:40:54

Hi Krzysztof,

In the past we discussed the problems with the loading of IdP images by the user instead of Unity. The problem has become more important because the apps of RocketChat and Mattermost display the error within two seconds. In this time it is nearly impossible to filter the list of IdPs using the search box.

Do you have an estimate of when the update will be available?

Best regards,
Sander

From: Sander A. <sa....@fz...> - 2021-04-26 05:15:17

Good morning Krzysztof,

In the last weeks we encountered a recurring "problem" with invitations. Let me describe the issue: a project administrator creates an invitation. At this time the invited user has no Unity account, so it is linked to the registration form and the invitation is sent to the user. In the meantime the user registers at Unity. After the user registered to Unity, the user clicks on the invitation link, which is not working anymore, because the account is already registered.

Of course sending a new invitation solves the problem, because the new one is linked to the enquiry form, but this approach is not very user friendly. It would be nice if Unity switched automatically to the enquiry form if the user already registered before following the invitation?

Best regards,
Sander

From: Roman K. <ro...@un...> - 2021-04-21 09:36:17

Hello Hubert,

Thank you for contacting us; unfortunately the functionality you've described is currently not available. I've created a ticket to cover this request, and it has been put into the queue.

Thank you,
Roman

Tue, 20 Apr 2021 at 12:44 Hubert Siejkowski <h.s...@cy...> wrote:
> Dear developers,
>
> is there any way to select the language for the end-user login page,
> e.g. via a parameter in the URL? In our web portal, we store information
> about language preference for an anonymous user, and we would like to
> pass it somehow to the Unity login page, so the user does not have to
> select the language twice.
>
> All the best,
> Hubert
>
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss

From: Hubert S. <h.s...@cy...> - 2021-04-20 11:03:33

Dear developers,

is there any way to select the language for the end-user login page, e.g. via a parameter in the URL? In our web portal, we store information about language preference for an anonymous user, and we would like to pass it somehow to the Unity login page, so the user does not have to select the language twice.

All the best,
Hubert

From: Tomasz G. <ymg...@cy...> - 2021-04-20 08:53:22

> Hi Tomek,
> As this is an English list let's use that locale.

Oh, right, sorry.

> OK, we will see. Just to clarify - the problem is related to the native
> Chrome password manager, not some external one?

Yes, the native one.

(P.S. I have some problem with this mailing list; for some reason I didn't receive the email with your reply, I just found your reply on the SourceForge mailing list page.)

From: Krzysztof B. <kb...@un...> - 2021-04-19 16:19:59

Hi Tomek,

As this is an English list let's use that locale.

On 19.04.2021 at 09:12, Tomasz Grabarczyk wrote:
> Hi
>
> I wanted to report a bug in Unity: login credential autofill does not
> work in Chrome when the language selection option is enabled. Suggestions
> are shown only for the password, not for the user name. When I checked
> this in Firefox there was no such problem. It is probably somehow related
> to the language selection dropdown: when I blocked that dropdown with the
> uBlock extension (screenshot attached), user name and password autofill
> started working correctly. Would you be able to fix this?
>
> Unity version: 3.4.5
> Chrome version I tested on: 89.0.4389.128 (Official Build) (64-bit)
> System: Windows 10 64bit

OK, we will see. Just to clarify - the problem is related to the native Chrome password manager, not some external one?

Cheers,
Krzysztof

From: Tomasz G. <ymg...@cy...> - 2021-04-19 07:28:37

Hi

I wanted to report a bug in Unity: login credential autofill does not work in Chrome when the language selection option is enabled. Suggestions are shown only for the password, not for the user name. When I checked this in Firefox there was no such problem. It is probably somehow related to the language selection dropdown: when I blocked that dropdown with the uBlock extension (screenshot attached), user name and password autofill started working correctly. Would you be able to fix this?

Unity version: 3.4.5
Chrome version I tested on: 89.0.4389.128 (Official Build) (64-bit)
System: Windows 10 64bit

Regards,
Tomek Grabarczyk

From: Krzysztof B. <kb...@un...> - 2021-04-14 14:41:07

Dear Subscribers,

Unity 3.5.0 is out, including:

* Important SAML enhancements
* Login-less authN in FIDO/WebAuthn
* Much better logging
* Improved directory browser in console

and more. See https://www.unity-idm.eu/downloads/ for more details.

Best regards,
Krzysztof

From: Sander A. <sa....@fz...> - 2021-04-07 08:58:48

Good morning Krzysztof,

The issue is indeed an internal firewall rule which only works for external traffic. We are almost there. The userName identity is now released on the new endpoint:

2021-04-07T10:44:25,943 [qtp1337906940-39] DEBUG unity.server.externaltranslation.OutputTranslationEngine: Output translation result: TranslationResult: attributes=[username: [sapweiler] with meta [Username, Username, false]] identities=[[userName] sapweiler, [persistent] 89b91130-8a11-4cef-9f51-ff5308fd8261@adminRealm, [targetedPersistent] f80a74ed-61bb-4d99-8e7d-0675d671415f for helmholtz-dev-aai-monitoring@monitoringRealm, [transient] f745932c-8475-4992-b4b0-36809495fa3f for helmholtz-dev-aai-monitoring@monitoringRealm] attributesToPersist=[] identitiesToPersist=[] redirectURL=null

The token is also received but the attribute is not received:

2021-04-07T10:44:26,440 [qtp1337906940-39] TRACE unity.server.oauth.OAuth2Verificator: Exchanging authorization code for access token with request to: https://login-dev.helmholtz.de:8443/monitoring-oauth2/token?code=K5yV2vwjUZtZgfajVDkcO9gkTABItHi4jkeW9qc9gX0&redirect_uri=https%3A%2F%2Flogin-dev.helmholtz.de%2Funitygw%2Foauth2ResponseConsumer&grant_type=authorization_code
2021-04-07T10:44:26,465 [qtp1337906940-31-acceptor-0@313585c4-SecuredServerConnector@61c42e54{SSL, (ssl, http/1.1)}{login-dev.helmholtz.de:8443}] DEBUG unicore.connections.SecuredServerConnector: Connection attempt from 134.94.33.55
2021-04-07T10:44:26,473 [qtp1337906940-36] TRACE unity.server.ClientIPSettingHandler: Will establish client's address. Peer's address: 134.94.33.55 forwarded-for: null
2021-04-07T10:44:26,473 [qtp1337906940-36] TRACE unity.server.ClientIPSettingHandler: Setting client's IP to 134.94.33.55, immediate client IP is 134.94.33.55
2021-04-07T10:44:26,473 [qtp1337906940-36] DEBUG unity.server.ClientIPSettingHandler: Handling client 134.94.33.55 request to URL /monitoring-oauth2/token
2021-04-07T10:44:26,475 [qtp1337906940-36] TRACE unity.server.rest.AuthenticationInterceptor: Processing authenticator pwd
2021-04-07T10:44:26,475 [qtp1337906940-36] TRACE unity.server.rest.HttpBasicRetrievalBase: HTTP BASIC auth header found
2021-04-07T10:44:26,624 [qtp1337906940-82] TRACE unity.server.ClientIPSettingHandler: Will establish client's address. Peer's address: 134.94.63.206 forwarded-for: null
2021-04-07T10:44:26,624 [qtp1337906940-82] TRACE unity.server.ClientIPSettingHandler: Setting client's IP to 134.94.63.206, immediate client IP is 134.94.63.206
2021-04-07T10:44:26,624 [qtp1337906940-82] DEBUG unity.server.ClientIPSettingHandler: Handling client 134.94.63.206 request to URL /home/VAADIN/themes/common/img/favicon/favicon-16.png
2021-04-07T10:44:26,634 [qtp1337906940-82] TRACE unity.server.web.AuthenticationFilter: Request to not protected address: /home/VAADIN/themes/common/img/favicon/favicon-16.png
2021-04-07T10:44:26,634 [qtp1337906940-82] TRACE unity.server.web.InvocationContextSetupFilter: A new invocation context was set
2021-04-07T10:44:26,634 [qtp1337906940-82] TRACE unity.server.web.InvocationContextSetupFilter: Default locale was set for the invocation context
2021-04-07T10:44:27,224 [qtp1337906940-36] TRACE unity.server.rest.AuthenticationInterceptor: Authenticator pwd returned success
2021-04-07T10:44:27,224 [qtp1337906940-36] DEBUG unity.server.rest.AuthenticationInterceptor: Client was successfully authenticated: [334] [helmholtz-dev-aai-monitoring]
2021-04-07T10:44:27,224 [qtp1337906940-36] TRACE unity.server.UnsuccessfulAuthenticationCounter: Cleaning unsuccessful attempts for 134.94.33.55
2021-04-07T10:44:27,226 [qtp1337906940-36] DEBUG unity.server.SessionManagementImpl: Using existing session 10d047d9-c876-4c9e-8c2f-b0d4cbf014c7 for logged entity 334 in realm monitoringRealm
2021-04-07T10:44:27,227 [qtp1337906940-36] TRACE unity.server.oauth.AccessTokenResource: Handle new token request with authorization_code grant
2021-04-07T10:44:27,232 [qtp1337906940-36] DEBUG unity.server.oauth.AuthzCodeHandler: Authz code grant: issuing new access token ...HrgALyd2e-9Syycvbsx_ZPIfiMoj8RDMYxYFg, valid until 2021-04-07T11:44:27.229+0200
2021-04-07T10:44:27,235 [qtp1337906940-39] DEBUG unity.server.oauth.OAuth2Verificator: Received answer: 200
2021-04-07T10:44:27,235 [qtp1337906940-39] TRACE unity.server.oauth.OAuth2Verificator: Received token: {"access_token":"0BikGaHrgALyd2e-9Syycvbsx_ZPIfiMoj8RDMYxYFg","refresh_token":"0yV2f87cG3ygjwb4l4pXb5gtOZ7gzTQAfBm3TcPd0-8","scope":"monitoring","token_type":"Bearer","expires_in":3600}
2021-04-07T10:44:27,235 [qtp1337906940-39] DEBUG unity.server.oauth.OAuth2Verificator: Received the following attributes from the OAuth provider: {}
2021-04-07T10:44:27,235 [qtp1337906940-39] DEBUG unity.server.externaltranslation.InputTranslationProfile: [TrProfile Embedded]Input received from IdP https://login-dev.helmholtz.de:8443/monitoring-oauth2/token:
2021-04-07T10:44:27,235 [qtp1337906940-39] DEBUG unity.server.externaltranslation.InputTranslationRule: [TrProfile Embedded, r: 1]Condition fulfilled
2021-04-07T10:44:27,235 [qtp1337906940-39] DEBUG unity.server.externaltranslation.IncludeInputProfileAction: [TrProfile Embedded, r: 1, https://login-dev.helmholtz.de:8443/monitoring-oauth2/token]Include translation profile 'tr-input-monitoring'
2021-04-07T10:44:27,237 [qtp1337906940-39] DEBUG unity.server.externaltranslation.InputTranslationProfile: [TrProfile Embedded, r: 1, TrProfile tr-input-monitoring]Input received from IdP https://login-dev.helmholtz.de:8443/monitoring-oauth2/token:

We checked input and output profiles and the expressions match each other. Also the requested scopes match. Do you have any idea why the attribute is not received?

Best regards,
Sander

On Mon, 2021-04-05 at 11:31 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 23.03.2021 at 09:06, Sander Apweiler wrote:
> > The error appears directly when I select the endpoint in the list of
> > IdPs. I also attached the log of this try.
>
> The log clearly says where the problem is: your client (i.e. Unity's
> authenticator) cannot download the OIDC metadata from the
> .well-known/openid-configuration endpoint of the server. "Connection
> refused" doesn't tell much, but can you double check if the URL you
> entered is correct and whether you can access it on your own, e.g. with
> curl from the same machine where Unity lives? Also checking if TLS trust
> is OK would be good. I'd also check the config of the authenticator from
> console (maybe there is some whitespace at the end of your OIDC metadata
> URL?)
>
> Also please reload your endpoints (not restart the server) - you can do
> it from console (undeploy and then deploy again), both the OAuth IdP
> endpoint and the client endpoint where the authenticator is installed.
>
> HTH,
> Krzysztof

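An added example, not code from the thread or from Unity: it parses log lines in the format of the excerpt above and flags the mismatch the message describes, where the output translation on the IdP side released attributes but the OAuth client side logged an empty attribute set after a successful token exchange. The sample lines are constructed after the excerpt, with placeholder tokens, identifiers and hosts; the regular expressions and field names are this example's own.

```python
"""Correlate what Unity's IdP side released with what its OAuth client side
received, from log lines in the format of the excerpt above. Added example;
the sample lines are constructed with placeholder tokens, identifiers and hosts."""
import json
import re
from typing import Dict, List

# timestamp [thread] LEVEL logger: message  (thread names may contain braces and parens)
LINE_RE = re.compile(r"^(\S+) \[([^\]]+)\] (TRACE|DEBUG|INFO|WARN|ERROR) (\S+): (.*)$")
RELEASED_RE = re.compile(r"attributes=\[(.*?)\] identities=\[")
ATTR_NAME_RE = re.compile(r"(\w+): \[")
JSON_TAIL_RE = re.compile(r"(\{.*\})\s*$")

SAMPLE_LOG = """\
2021-04-07T10:44:25,943 [qtp1337906940-39] DEBUG unity.server.externaltranslation.OutputTranslationEngine: Output translation result: TranslationResult: attributes=[username: [sapweiler] with meta [Username, Username, false]] identities=[[userName] sapweiler, [persistent] PLACEHOLDER-UUID@adminRealm] attributesToPersist=[] identitiesToPersist=[] redirectURL=null
2021-04-07T10:44:26,440 [qtp1337906940-39] TRACE unity.server.oauth.OAuth2Verificator: Exchanging authorization code for access token with request to: https://idp.example.org:8443/monitoring-oauth2/token?code=PLACEHOLDER-CODE&redirect_uri=https%3A%2F%2Fidp.example.org%2Funitygw%2Foauth2ResponseConsumer&grant_type=authorization_code
2021-04-07T10:44:26,465 [qtp1337906940-31-acceptor-0@313585c4-SecuredServerConnector@61c42e54{SSL, (ssl, http/1.1)}{idp.example.org:8443}] DEBUG unicore.connections.SecuredServerConnector: Connection attempt from 192.0.2.10
2021-04-07T10:44:27,224 [qtp1337906940-36] DEBUG unity.server.rest.AuthenticationInterceptor: Client was successfully authenticated: [334] [helmholtz-dev-aai-monitoring]
2021-04-07T10:44:27,235 [qtp1337906940-39] DEBUG unity.server.oauth.OAuth2Verificator: Received answer: 200
2021-04-07T10:44:27,235 [qtp1337906940-39] TRACE unity.server.oauth.OAuth2Verificator: Received token: {"access_token":"PLACEHOLDER-ACCESS-TOKEN","refresh_token":"PLACEHOLDER-REFRESH-TOKEN","scope":"monitoring","token_type":"Bearer","expires_in":3600}
2021-04-07T10:44:27,235 [qtp1337906940-39] DEBUG unity.server.oauth.OAuth2Verificator: Received the following attributes from the OAuth provider: {}
"""


def parse(text: str) -> List[Dict[str, str]]:
    """Split each line into timestamp, thread, level, short logger name and message."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # continuation or non-log line
        ts, thread, level, logger, msg = m.groups()
        events.append({"ts": ts, "thread": thread, "level": level,
                       "logger": logger.rsplit(".", 1)[-1], "msg": msg})
    return events


def analyze(text: str) -> Dict[str, object]:
    """Extract the released attribute names, the token scope and the attributes the
    client logged, then flag a successful exchange that delivered no attributes."""
    report = {"released": [], "token_scope": None, "received": None,
              "client_thread": None, "findings": []}
    for ev in parse(text):
        msg = ev["msg"]
        if ev["logger"] == "OutputTranslationEngine" and "Output translation result" in msg:
            m = RELEASED_RE.search(msg)
            if m:
                report["released"] = ATTR_NAME_RE.findall(m.group(1))
        elif ev["logger"] == "OAuth2Verificator":
            tail = JSON_TAIL_RE.search(msg)
            if msg.startswith("Received token:") and tail:
                report["client_thread"] = ev["thread"]
                report["token_scope"] = json.loads(tail.group(1)).get("scope")
            elif "Received the following attributes from the OAuth provider:" in msg and tail:
                report["received"] = json.loads(tail.group(1))
    if report["token_scope"] is not None and report["received"] == {}:
        report["findings"].append(
            "token exchange succeeded (scope %r) but the client received no attributes; "
            "IdP side released %s" % (report["token_scope"], report["released"] or "nothing"))
    return report
```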
From: Krzysztof B. <kb...@un...> - 2021-04-05 09:31:58

Hi Sander,

On 23.03.2021 at 09:06, Sander Apweiler wrote:
> The error appears directly when I select the endpoint in the list of
> IdPs. I also attached the log of this try.

The log clearly says where the problem is: your client (i.e. Unity's authenticator) cannot download the OIDC metadata from the .well-known/openid-configuration endpoint of the server. "Connection refused" doesn't tell much, but can you double check if the URL you entered is correct and whether you can access it on your own, e.g. with curl from the same machine where Unity lives? Also checking if TLS trust is OK would be good. I'd also check the config of the authenticator from console (maybe there is some whitespace at the end of your OIDC metadata URL?)

Also please reload your endpoints (not restart the server) - you can do it from console (undeploy and then deploy again), both the OAuth IdP endpoint and the client endpoint where the authenticator is installed.

HTH,
Krzysztof

From: Sander A. <sa....@fz...> - 2021-03-23 08:06:45

Hi Krzysztof,

Sorry for the delay. I was working on more important topics.

On Thu, 2021-03-11 at 13:31 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 09.03.2021 at 09:54, Sander Apweiler wrote:
> > Good morning Krzysztof,
> >
> > I had some time to go deeper into this. I created a second OAuth
> > endpoint (monitoring-oauth2) with a dedicated realm. This endpoint has
> > only the password authenticator enabled.
> >
> > I registered an OAuth client in Unity, using the following response
> > consumer URL:
> > https://login-dev.helmholtz.de/unitygw/oauth2ResponseConsumer
> >
> > As a third part I added Unity, using the monitoring-oauth2 endpoint,
> > as OAuth identity provider to the authenticator where I have Google,
> > etc., using the config below:
> >
> > unity.oauth2.client.providers.HelmholtzDevAAI.type=unity
> > unity.oauth2.client.providers.HelmholtzDevAAI.clientId=USERNAME
> > unity.oauth2.client.providers.HelmholtzDevAAI.clientSecret=PASSWORD
> > unity.oauth2.client.providers.HelmholtzDevAAI.openIdConnectDiscoveryEndpoint=https://login-dev.helmholtz.de/monitoring-oauth2/.well-known/openid-configuration
> > unity.oauth2.client.providers.HelmholtzDevAAI.openIdConnect=true
> > unity.oauth2.client.providers.HelmholtzDevAAI.name=Helmholtz dev AAI Monitoring
> > unity.oauth2.client.providers.HelmholtzDevAAI.scopes=openid email profile single-logout
> >
> > The new identity provider appears in the list of identity providers,
> > but when I select it I get a pop-up error "connection refused".
> > Sadly the logs do not provide further information.
> >
> > Did I do something wrong / do I need to use another setup? Do you know
> > when the connection refused error is triggered?
>
> Couple of questions:
>
> - All those elements are on the same machine?

Yes, all is on the same machine.

> - Have you enabled trace logging on the oauth facility?

I run now with trace overall but do not see further information. Unity can't create the OAuth2 request, because the connection was refused.

> - Reloaded all affected endpoints (to be sure sth old is not cached)?

I restarted Unity completely and used a clear browser cache.

> - the new oauth client is in the group of clients selected in the
> monitoring-oauth2 endpoint? username and pass matches the authenticator
> entries?

Yes, the client is in the group of clients and the credentials are fine. We use the same group of clients as in the "default" endpoint. Does this cause any problems?

> - can you check at which stage the error occurs? (if very early before
> metadata can't be fetched by the authenticator; otherwise please specify
> when this error is presented and how).

The error appears directly when I select the endpoint in the list of IdPs. I also attached the log of this try.

Best regards,
Sander

> Best,
> Krzysztof

From: Krzysztof B. <kb...@un...> - 2021-03-22 12:17:31

On 22.03.2021 at 11:20, Sander Apweiler wrote:
> ReST API Link in 3.4.3

Got it, thx, will fix that with the next release.

From: Sander A. <sa....@fz...> - 2021-03-22 10:20:44

Hi Krzysztof,

Thanks for the swift reply. It works, and with the API I can use it in scripts too. I saw that the ReST API link in the 3.4.3 documentation is broken.

Cheers,
Sander

On Mon, 2021-03-22 at 10:56 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 22.03.2021 at 09:52, Sander Apweiler wrote:
> > Good morning Krzysztof,
> >
> > I have two (hopefully) short and easy questions.
> right
> >
> > 1. Do you log the last login date somewhere?
> yes
> > 2. How can I read them from UI/from DB?
>
> It is stored in the entity's attribute sys:LastAuthentication in the '/'
> group. Note - this is an internal attribute, not shown by default in
> console (you have to turn it on from the hamburger menu)
>
> Cheers,
> Krzysztof

From: Krzysztof B. <kb...@un...> - 2021-03-22 09:56:56
Hi Sander,

On 22.03.2021 at 09:52, Sander Apweiler wrote:
> Good morning Krzysztof,
>
> I have two (hopefully) short and easy questions.
right
>
> 1. Do you log the last login date somewhere?
yes
> 2. How can I read them from UI/from DB?

It is stored in entity's attribute sys:LastAuthentication in the '/' group. Note - this is an internal attribute, not shown by default in console (you have to turn it on from the hamburger menu)

Cheers,
Krzysztof
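One thing an operator usually wants to do with a last-login timestamp is an inactive-account report: accounts that have not authenticated for a long time, accounts that never did, and values that cannot be parsed. The script below is an added example, not Unity's own code and not its REST schema; it assumes entity records shaped as `{"entityId": ..., "attributes": {name: [values]}}` with `sys:LastAuthentication` holding an ISO 8601 timestamp, and the sample records are constructed for the example.

```python
"""Stale-account report based on the sys:LastAuthentication attribute.

Added example (not Unity project code). ASSUMPTIONS: the record layout
below and the ISO 8601 timestamp format are made up for the example;
the four sample entities are constructed, not exported from a server.
"""
from datetime import datetime, timedelta, timezone

LAST_AUTH_ATTR = "sys:LastAuthentication"

# Constructed sample data (assumed layout: attribute name -> list of values).
SAMPLE_ENTITIES = [
    {"entityId": 1, "attributes": {LAST_AUTH_ATTR: ["2021-03-21T09:12:00Z"]}},
    {"entityId": 2, "attributes": {LAST_AUTH_ATTR: ["2020-08-02T17:40:00Z"]}},
    {"entityId": 3, "attributes": {}},                                  # never logged in
    {"entityId": 4, "attributes": {LAST_AUTH_ATTR: ["not-a-date"]}},    # malformed value
]


def parse_ts(value):
    """Parse an ISO 8601 timestamp; accept the 'Z' suffix and force UTC on
    naive values so that comparisons never silently use local time."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def stale_entities(entities, max_idle_days, now=None):
    """Return {entityId: reason} for accounts idle longer than max_idle_days,
    accounts that never authenticated, and accounts whose timestamp cannot
    be parsed (those need a human look, not a silent skip)."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_idle_days)
    report = {}
    for ent in entities:
        values = ent.get("attributes", {}).get(LAST_AUTH_ATTR, [])
        if not values:
            report[ent["entityId"]] = "never authenticated"
            continue
        try:
            last = parse_ts(values[0])
        except ValueError:
            report[ent["entityId"]] = f"unparsable timestamp {values[0]!r}"
            continue
        if last < cutoff:
            report[ent["entityId"]] = f"idle since {last.date().isoformat()}"
    return report


def run_sample():
    """Evaluate the constructed data against a fixed 'now' (180-day policy)."""
    fixed_now = datetime(2021, 3, 22, 12, 0, tzinfo=timezone.utc)
    return stale_entities(SAMPLE_ENTITIES, max_idle_days=180, now=fixed_now)


if __name__ == "__main__":
    for eid, why in sorted(run_sample().items()):
        print(f"entity {eid}: {why}")
```

With the fixed date in `run_sample()`, entity 1 is current, entity 2 is reported as idle since 2020-08-02, entity 3 as never authenticated and entity 4 as unparsable; pass `now=None` to evaluate against the real clock.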
From: Sander A. <sa....@fz...> - 2021-03-22 08:52:50
Good morning Krzysztof,

I have two (hopefully) short and easy questions.

1. Do you log the last login date somewhere?
2. How can I read them from UI/from DB?

Cheers,
Sander

-- 
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Krzysztof B. <kb...@un...> - 2021-03-18 15:21:46
Hi Sander,

On 17.03.2021 at 07:34, Sander Apweiler wrote:
> Good morning Krzysztof,
>
> We have the following error in log, when a user from Fermi Labs tries
> to log in:
>
> Issuer certificate is not set and the issuer
> 'https://idp.fnal.gov/idp/shibboleth' has several trusted public keys
> - it is undefined which was used for signing.
>
> The metadata contains two certificates, marked for signing (see
> attachment). Is this intended or a bug?
>
Can you please clarify which SAML binding was used here? Do you have a log file perhaps? It would help me to nail down the root cause, as there are a few options.

Cheers,
Krzysztof
From: Sander A. <sa....@fz...> - 2021-03-17 06:34:49
Good morning Krzysztof,

We have the following error in log, when a user from Fermi Labs tries to log in:

Issuer certificate is not set and the issuer 'https://idp.fnal.gov/idp/shibboleth' has several trusted public keys - it is undefined which was used for signing.

The metadata contains two certificates, marked for signing (see attachment). Is this intended or a bug?

Cheers,
Sander

-- 
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
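The error above comes from an SP that found more than one signing certificate for the issuer and refused to guess which one signed the assertion. The script below is an added example, not Unity code and not the Fermilab metadata from the attachment: it parses IdP metadata, collects every certificate usable for signature verification (a KeyDescriptor with no `use` attribute counts for both signing and encryption) and shows the two ways a verifier can resolve the ambiguity, pinning to the certificate named in the signed message's own KeyInfo or treating every trusted signing key as a candidate. The metadata and the certificate blobs (ten arbitrary bytes each, not real X.509) are constructed for the example.

```python
"""List signing certificates in SAML IdP metadata and resolve key ambiguity.

Added example, not Unity's SAML code. The metadata below is CONSTRUCTED
and the base64 blobs are arbitrary bytes, not real certificates.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: two signing certs plus one encryption cert, the
# shape that triggers the "several trusted public keys" error.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>AAECAwQFBgcICQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        CgsMDQ4PEBESEw==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>FBUWFxgZGhscHQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def signing_keys(metadata_xml):
    """Return {sha256_fingerprint: der_bytes} for every certificate that may
    verify signatures. Per the SAML metadata spec a KeyDescriptor without a
    'use' attribute is valid for both signing and encryption."""
    root = ET.fromstring(metadata_xml)
    keys = {}
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # strip PEM-style wrapping
            keys[hashlib.sha256(der).hexdigest()] = der
    return keys


def select_verification_keys(keys, keyinfo_fingerprint=None):
    """Pick the key(s) a verifier may use. If the signed message's KeyInfo
    identifies a certificate, it must be one of the trusted ones (never
    trust a certificate carried only inside the message). Without KeyInfo
    every trusted signing key is a candidate and the verifier has to try
    each, or refuse as the library in the thread does."""
    if keyinfo_fingerprint is not None:
        if keyinfo_fingerprint not in keys:
            raise ValueError("KeyInfo names a certificate not present in trusted metadata")
        return {keyinfo_fingerprint: keys[keyinfo_fingerprint]}
    return dict(keys)


def run_sample():
    """Count and list (by fingerprint) the signing certs in the sample."""
    keys = signing_keys(SAMPLE_METADATA)
    return len(keys), sorted(keys)


if __name__ == "__main__":
    count, fingerprints = run_sample()
    print(f"{count} signing certificate(s):")
    for fp in fingerprints:
        print("  sha256:" + fp)
    if count > 1:
        print("ambiguous: verifier must try every key or pin via KeyInfo")
```

Two signing certificates in metadata is normal during an IdP key rollover, so the operationally useful fix is on the SP side (try all trusted keys, or pin by KeyInfo) rather than asking the IdP to publish only one. The metadata itself must still come from a trusted channel, either the federation's signed aggregate or a TLS download whose server identity is verified, because a key list an attacker can edit makes the selection logic irrelevant.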
From: Krzysztof B. <kb...@un...> - 2021-03-11 12:32:13
Hi Sander,

On 09.03.2021 at 09:54, Sander Apweiler wrote:
> Good morning Krzysztof,
>
> I had some time to go deeper into this. I created a second OAuth
> endpoint (monitoring-oauth2) with a dedicated realm. This endpoint has
> only the password authenticator enabled.
>
> I registered an OAuth client in Unity, using the following response
> consumer URL:
> https://login-dev.helmholtz.de/unitygw/oauth2ResponseConsumer
>
> As a third part I added Unity, using the monitoring-oauth2 endpoint,
> as OAuth identity provider to the authenticator where I have Google,
> etc., using the config below:
>
> unity.oauth2.client.providers.HelmholtzDevAAI.type=unity
> unity.oauth2.client.providers.HelmholtzDevAAI.clientId=USERNAME
> unity.oauth2.client.providers.HelmholtzDevAAI.clientSecret=PASSWORD
> unity.oauth2.client.providers.HelmholtzDevAAI.openIdConnectDiscoveryEndpoint=https://login-dev.helmholtz.de/monitoring-oauth2/.well-known/openid-configuration
> unity.oauth2.client.providers.HelmholtzDevAAI.openIdConnect=true
> unity.oauth2.client.providers.HelmholtzDevAAI.name=Helmholtz dev AAI Monitoring
> unity.oauth2.client.providers.HelmholtzDevAAI.scopes=openid email profile single-logout
>
> The new identity provider appears in the list of identity providers,
> but when I select this I get a pop-up error "connection refused".
> Sadly the logs do not provide further information.
>
> Did I make something wrong/do I need to use another setup? Do you know
> when the connection refused error is triggered?

Couple of questions:

- All those elements are on the same machine?
- Have you enabled trace logging on oauth facility?
- Reloaded all affected endpoints (to be sure sth old is not cached)?
- the new oauth client is in the group of clients selected in the monitoring-oauth2 endpoint? username and pass matches the authenticator entries?
- can you check at which stage the error occurs? (if very early before even redirecting user agent to IdP, then most likely openid discovery metadata can't be fetched by the authenticator; otherwise please specify when this error is presented and how).

Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2021-03-09 08:54:40
Good morning Krzysztof,

I had some time to go deeper into this. I created a second OAuth endpoint (monitoring-oauth2) with a dedicated realm. This endpoint has only the password authenticator enabled.

I registered an OAuth client in Unity, using the following response consumer URL:
https://login-dev.helmholtz.de/unitygw/oauth2ResponseConsumer

As a third part I added Unity, using the monitoring-oauth2 endpoint, as OAuth identity provider to the authenticator where I have Google, etc., using the config below:

unity.oauth2.client.providers.HelmholtzDevAAI.type=unity
unity.oauth2.client.providers.HelmholtzDevAAI.clientId=USERNAME
unity.oauth2.client.providers.HelmholtzDevAAI.clientSecret=PASSWORD
unity.oauth2.client.providers.HelmholtzDevAAI.openIdConnectDiscoveryEndpoint=https://login-dev.helmholtz.de/monitoring-oauth2/.well-known/openid-configuration
unity.oauth2.client.providers.HelmholtzDevAAI.openIdConnect=true
unity.oauth2.client.providers.HelmholtzDevAAI.name=Helmholtz dev AAI Monitoring
unity.oauth2.client.providers.HelmholtzDevAAI.scopes=openid email profile single-logout

The new identity provider appears in the list of identity providers, but when I select this I get a pop-up error "connection refused". Sadly the logs do not provide further information.

Did I make something wrong/do I need to use another setup? Do you know when the connection refused error is triggered?

Cheers,
Sander

On Thu, 2020-12-17 at 13:37 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 16.12.2020 at 11:00, Sander Apweiler wrote:
> > Hi Krzysztof,
> >
> > the discussions are going on to this topic. Would it be possible to
> > add Unity with a dedicated password login endpoint in the list of
> > available identity providers in the common SAML and OAuth endpoints,
> > which are used by the services? So Unity would act as its own identity
> > provider.
>
> Yes, of course. You need to have 2 IdP in Unity (I understand that
> configured with local pass authN only) - one oauth another saml.
>
> authenticators. We do use this setup for testing very often.
>
> One important hint: make sure to put your unity-idsp-using-local-passwd
> in a separate authentication realm - perhaps created for them.
> Otherwise unity may use SSO in ways which are hard to understand (i.e.
> it will work fine in a common realm, but you may be puzzled quite often
> as some steps are skipped).
>
> HTH,
> Krzysztof
>
-- 
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: David P. <d....@hz...> - 2021-03-04 14:00:49
Dear Krzysztof,

it turned out the problem was a miscommunication on our side. Bind as user works just as expected, there was just an error in the DN template that I used. No need for any trickery to access the LDAP.

Thanks again for the quick response and sorry for the inconvenience!

Best regards,
David

On Wednesday, 3 March 2021, 09:44:46 CET, Krzysztof Benedyczak wrote:
> Dear David,
>
> On 02.03.2021 at 14:31, David Pape wrote:
> > P.S.:
> >
> > I tried using template based resolving like this:
> >
> > uid={USERNAME},ou=users,ou=db,ou=it,o=fsr,dc=de
> >
> > where Unity does in fact not ask for a system password. But since in this
> > case the test fails with "invalid credentials", it seems like normal
> > users are not allowed to access the system.
>
> Ah, ok - so yes - there are two places where unity credential can be
> set. If you use 'bindAs=system' then system credential is used for every
> query except for password verification (done with bind). So this needs to
> be a credential of highly privileged user.
>
> If you use bindAs=user then this is in general not needed as the user's
> credential is used to query LDAP. But this means we need to have a
> template to build user's DN out of username - only then we can start
> using this DN as part of the authN. Otherwise another 'mini-system'
> credential needs to be provided to just find the user's DN. This, in
> contrast to the previous one, needs not to have wide permissions.
>
> > Using the ldapsearch command with the options -D "" -b
> > "ou=users,ou=db,ou=it,o=fsr,dc=de", does work.
>
> If I read the above correctly your LDAP is configured so that you can
> run queries without authentication whatsoever? If so then I'd suggest
> adding a user to your test ldap instance with some credentials and use
> this as a 'system' user in unity.
>
> Best,
> Krzysztof

-- 
David Pape
Researcher
Computational Science Department (FWCC)
Department of Information Services and Computing (FWC)
Building 312, Room 7
Helmholtz-Zentrum Dresden-Rossendorf e.V.
Bautzner Landstr. 400 | 01328 Dresden | Germany
http://www.hzdr.de
Board of Directors: Prof. Dr. Sebastian M. Schmidt, Dr. Diana Stiller
Company Registration Number VR 1693, Amtsgericht Dresden
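The `bindAs=user` mode discussed above builds the bind DN by substituting the login name into a template such as `uid={USERNAME},ou=users,ou=db,ou=it,o=fsr,dc=de`. The part that matters for security is that the substituted value must be escaped as a single RDN value: a login name containing `,` or `=` would otherwise splice extra RDNs into the DN and bind as a different entry. The code below is an added example and is not Unity's template implementation; it assumes the `{USERNAME}` placeholder from the page and escapes according to RFC 4514 section 2.4 (plus `=`, which is not required by the RFC but commonly escaped). The plain-substitution variant is kept only to show the difference.

```python
"""Safe DN construction for bindAs=user style LDAP authentication.

Added example, not Unity's code. ASSUMPTION: the {USERNAME} placeholder
and the template are taken from the thread; the escaping rules follow
RFC 4514 section 2.4, extended with '=' for good measure.
"""

# Characters that must be backslash-escaped anywhere inside an RDN value.
_ESCAPE_ANYWHERE = set(',+"\\<>;=')


def escape_dn_value(value):
    """Escape one attribute value for use inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")                       # NUL must be hex-escaped
        elif ch in _ESCAPE_ANYWHERE:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")                        # leading '#' would read as hex string
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")                        # leading/trailing space is significant
        else:
            out.append(ch)
    return "".join(out)


def build_user_dn(template, username):
    """Fill {USERNAME} in the template. The name is treated as one RDN value,
    so it can never add or replace RDNs of the configured base."""
    if not username or "{USERNAME}" not in template:
        raise ValueError("empty username or template without {USERNAME}")
    return template.replace("{USERNAME}", escape_dn_value(username))


def naive_build_user_dn(template, username):
    """Plain substitution, i.e. the injectable variant (for comparison only)."""
    return template.replace("{USERNAME}", username)


TEMPLATE = "uid={USERNAME},ou=users,ou=db,ou=it,o=fsr,dc=de"

if __name__ == "__main__":
    for name in ["dpape", "admin,ou=admins", "  spacey ", "#hash"]:
        print(repr(name))
        print("  naive:", naive_build_user_dn(TEMPLATE, name))
        print("  safe :", build_user_dn(TEMPLATE, name))
```

With the name `admin,ou=admins` the naive variant yields `uid=admin,ou=admins,ou=users,...`, a DN under a different container, while the escaped variant yields `uid=admin\,ou\=admins,ou=users,...`, which can only ever match an entry whose `uid` literally contains the comma. Whatever builds the DN in production should also apply the directory's own username syntax rules before this step; escaping makes the DN well-formed, it does not decide which names are acceptable.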