From: Krzysztof B. <kb...@un...> - 2021-02-16 09:30:59

Hi Sander,

On 12.02.2021 at 09:34, Sander Apweiler wrote:
> Good morning Krzysztof,
>
> I got some user feedback about invitations and the mentioned problem
> occurred for multiple users. The user had multiple accounts in unity
> and wishes to select which account is used to accept this invitation. I
> think the problem here is that the invitation is bound to the first
> account which has the entered email address.

Can you please explain this in more detail? What sort of invitations are discussed here? Invitations to enquiries or to registration forms? Can you describe the context here? Who/what is inviting, from what app, etc.

> The bug I found is that the check whether a user exists with the entered
> email address is case sensitive. We had a user with capital letters in
> the email address, while the project manager entered it only in lower
> case. I think the check should be case-insensitive. I found this on
> unity version 3.3.4. I don't know if this is fixed in the meantime.

Hmm, that certainly should not be the case. Email identity is compared case-insensitively. But perhaps there is some other mechanism in question. Perhaps the answers to the above questions will help. But anyway: can you provide reproduction steps?

Thank you
Krzysztof
From: Sander A. <sa....@fz...> - 2021-02-12 08:35:05

Good morning Krzysztof,

I got some user feedback about invitations and the mentioned problem occurred for multiple users. The user had multiple accounts in unity and wishes to select which account is used to accept this invitation. I think the problem here is that the invitation is bound to the first account which has the entered email address.

The bug I found is that the check whether a user exists with the entered email address is case sensitive. We had a user with capital letters in the email address, while the project manager entered it only in lower case. I think the check should be case-insensitive. I found this on unity version 3.3.4. I don't know if this is fixed in the meantime.

Best regards,
Sander

-- 
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Amtsgericht Dueren, No. HR B 3498
Chairman of the Supervisory Board: MinDir Volker Rieke
Management: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt
-----------------------------------------------------------------------
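The two problems Sander reports above (a case-sensitive e-mail lookup, and an invitation silently bound to the first of several matching accounts) come down to how the invited address is matched against existing accounts. The following is an added example of that lookup written for this page; it is not Unity's code and does not claim to show how Unity implements it. The `Account` record, the `SAMPLE_ACCOUNTS` directory and the function names are constructed for illustration; the `require_confirmed` rule is this example's own design choice.

```python
"""Added example (not Unity's own code): matching an invitation's e-mail
address against existing accounts the way the thread asks for.

Two points from the thread are modelled:
  * the lookup is case-insensitive, so "Jane.Doe@Example.org" and
    "jane.doe@example.org" refer to the same mailbox;
  * when several accounts carry that address, the invitation is not bound
    silently to the first match; the caller gets every candidate and has
    to let the user choose.

The account records below are constructed sample data; Account,
find_accounts_for_invitation and resolve_invitation_target are names
made up for this example.
"""
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass(frozen=True)
class Account:
    entity_id: int
    email: str
    confirmed: bool  # whether the address was verified for this account


def normalize_email(addr: str) -> str:
    """Canonical form used only for comparison, never for storage or display.

    The domain part is case-insensitive by definition (RFC 5321). The local
    part is technically case-sensitive, but practically every mail system
    treats it case-insensitively, which is the behaviour the thread expects.
    Surrounding whitespace (a common copy/paste artefact) is dropped as well.
    """
    addr = addr.strip()
    if addr.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {addr!r}")
    local, domain = addr.rsplit("@", 1)
    return f"{local.lower()}@{domain.lower()}"


def find_accounts_for_invitation(invited_email: str, accounts: List[Account],
                                 require_confirmed: bool = True) -> List[Account]:
    """Return every account whose e-mail matches the invited address.

    With require_confirmed=True only accounts whose address has been verified
    count. Binding an invitation to an account that merely *claims* an
    address would let anyone who registers with a victim's address, but
    never confirms it, collect the invitations meant for the victim.
    """
    wanted = normalize_email(invited_email)
    return [a for a in accounts
            if normalize_email(a.email) == wanted
            and (a.confirmed or not require_confirmed)]


def resolve_invitation_target(invited_email: str,
                              accounts: List[Account]) -> Tuple[str, Union[Account, List[Account]]]:
    """Decide what the invitation acceptance flow should do.

    ("bind", account)   exactly one confirmed account matches
    ("choose", matches) several match; the user must pick one
    ("register", [])    nothing matches; a new account has to be created
    """
    matches = find_accounts_for_invitation(invited_email, accounts)
    if len(matches) == 1:
        return "bind", matches[0]
    if matches:
        return "choose", matches
    return "register", []


# Constructed sample directory: one person with two accounts (typical when
# the same user has signed in through two upstream IdPs), one ordinary user,
# and one unconfirmed account using an address its owner never verified.
SAMPLE_ACCOUNTS = [
    Account(1, "Jane.Doe@Example.org", confirmed=True),
    Account(2, "jane.doe@example.org", confirmed=True),
    Account(3, "Bob@example.org", confirmed=True),
    Account(4, "alice@example.org", confirmed=False),
]

if __name__ == "__main__":
    for addr in ("jane.doe@example.org", "BOB@EXAMPLE.ORG", "alice@example.org"):
        print(addr, "->", resolve_invitation_target(addr, SAMPLE_ACCOUNTS))
```

The normalised form is used only for comparison; the address as the user entered it is what gets stored and displayed, so a later exact match (or a user-facing listing) is not affected by the lowercasing.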
From: Krzysztof B. <kb...@un...> - 2021-01-17 16:48:58

Dear Subscribers,

Unfortunately the series of authentication stability fixes from the previous 3.4.2 release missed handling of one case: automatic proxy authentication could in rare cases still hang. This release brings a fix for that issue.

Best regards,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2021-01-14 09:46:16

Dear Subscribers,

We are pleased to announce availability of a new patch release. This version includes fixes for several long-lasting and important issues, all related to web sign-in flows:

* The last used login option was not always properly activated.
* Auto-proxy login with a remote IdP was not always auto-forwarding.
* On very rare occasions an error message could be shown on the login UI for a short moment. In even rarer situations this was a fatal error breaking the login flow.
* In some cases the response from the remote IdP was not caught and processed by Unity.

As always, download details are available here: https://www.unity-idm.eu/downloads/

Best regards,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2020-12-23 11:13:41

Dear Subscribers,

Actually yesterday a new patch release (v3.4.1) was published. It includes two bugfixes around sub-projects handling in UpMan as well as a few enhancements of the REST API. See Downloads <https://www.unity-idm.eu/downloads/> for more details.

For those who celebrate: merry Christmas! For all: Happy New Year!

Krzysztof
From: Krzysztof B. <kb...@un...> - 2020-12-17 12:46:15

Marcus, Sander,

OK, we have a ticket opened, I've moved it a bit up in the backlog.

Cheers,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2020-12-17 12:37:44

Hi Sander,

On 16.12.2020 at 11:00, Sander Apweiler wrote:
> Hi Krzysztof,
>
> the discussions are going on on this topic. Would it be possible to add
> unity with a dedicated password login endpoint to the list of available
> identity providers in the common SAML and OAuth endpoints, which are
> used by the services? So unity would act as its own identity provider.

Yes, of course. You need to have 2 IdPs in Unity (I understand that configured with local password authN only): one OAuth, another SAML. And then just configure them as additional IdPs in your OAuth and SAML authenticators. We do use this setup for testing very often.

One important hint: make sure to put your unity-idsp-using-local-passwd in a separate authentication realm, perhaps created just for them. Otherwise unity may use SSO in ways which are hard to understand (i.e. it will work fine in a common realm, but you may be puzzled quite often as some steps are skipped).

HTH,
Krzysztof
From: Marcus H. <ha...@ki...> - 2020-12-17 07:07:05

And, to reinforce this, some users complained that they're asked for their certificate, which they have in the browser, just because of some misconfigured IdP that requested the certificate for sending the logo.

This all creates pain for the user, unnecessarily.

M.

On 12/17/20 07:20, Sander Apweiler wrote:
> Good morning Krzysztof,
>
> We have another reason for providing the logos through unity, instead
> of the user's browser. While normal browsers do not load the content if a
> certificate is not trusted or a hostname mismatch appears, some apps,
> e.g. RocketChat, throw errors and the user thinks we have an issue on
> our site and opens tickets. To users without an IT, especially AAI,
> background it is hard to explain that on our site everything is fine and
> the problem is out of our control.
>
> Cheers,
> Sander
>
> On Tue, 2020-10-06 at 11:32 +0200, Krzysztof Benedyczak wrote:
> > On 06.10.2020 at 09:32, Marcus Hardt wrote:
> > > On 10/06/20 09:24, Krzysztof Benedyczak wrote:
> > > > Marcus,
> > > >
> > > > On 05.10.2020 at 10:47, Marcus Hardt wrote:
> > > > > > The fact that the user gets a cookie from a site which was not
> > > > > > visited is just a few bytes on her hard drive, nothing more. So I
> > > > > > can ask: what is the real problem here?
> > > > > By requesting the picture, the user informs _all_ IdPs that he is
> > > > > about to log in to unity. That does not seem right, does it?
> > > > No, that's not true. The IdPs can only know that some *anonymous* one
> > > > is trying to enter the unity instance (and only if and after they
> > > > check that the referer URL is of some unity instance). Nothing more.
> > > The anonymous is the goal here. For this unity needs to proxy the
> > > requests. At the moment it's my browser requesting those images. This
> > > is by no means anonymous.
> >
> > Are you browsing the web? Entering _any_ page opens a huge risk that
> > this webpage has an asset embedded and your browser will download it.
> > What's more, in the age of CDNs you are sharing your "data" with them
> > almost always. Not to mention Cloudflare and other similar services.
> >
> > > > What privacy concern is there?
> > > I am unnecessarily forced to release information to third parties,
> > > potentially outside Europe, that I've never wanted to authorise.
> >
> > Well, what information? That some unknown person using, say, Firefox
> > entered a webpage Y from IP Z.
> >
> > If you are very concerned about Z use one of the public VPN services (I
> > do; it solves the problem for all cases). Still Z is mostly useless
> > information in the age of NAT and dynamic IPs.
> >
> > You can also fake the client agent (pretend that you are curl) if this
> > matters for you, but why?
> >
> > If your concern is about tracking for advertising/marketing, disable
> > 3rd party cookies in your browser. But seriously: are eduGAIN IdPs
> > providing contextual ads around the globe? :-)
> >
> > Best,
> > Krzysztof
> >

-- 
Marcus.
From: Sander A. <sa....@fz...> - 2020-12-17 06:20:57

Good morning Krzysztof,

We have another reason for providing the logos through unity, instead of the user's browser. While normal browsers do not load the content if a certificate is not trusted or a hostname mismatch appears, some apps, e.g. RocketChat, throw errors and the user thinks we have an issue on our site and opens tickets. To users without an IT, especially AAI, background it is hard to explain that on our site everything is fine and the problem is out of our control.

Cheers,
Sander

On Tue, 2020-10-06 at 11:32 +0200, Krzysztof Benedyczak wrote:
> On 06.10.2020 at 09:32, Marcus Hardt wrote:
> > On 10/06/20 09:24, Krzysztof Benedyczak wrote:
> > > Marcus,
> > >
> > > On 05.10.2020 at 10:47, Marcus Hardt wrote:
> > > > > The fact that the user gets a cookie from a site which was not
> > > > > visited is just a few bytes on her hard drive, nothing more. So I
> > > > > can ask: what is the real problem here?
> > > > By requesting the picture, the user informs _all_ IdPs that he is
> > > > about to log in to unity. That does not seem right, does it?
> > > No, that's not true. The IdPs can only know that some *anonymous* one
> > > is trying to enter the unity instance (and only if and after they
> > > check that the referer URL is of some unity instance). Nothing more.
> > The anonymous is the goal here. For this unity needs to proxy the
> > requests. At the moment it's my browser requesting those images. This
> > is by no means anonymous.
>
> Are you browsing the web? Entering _any_ page opens a huge risk that
> this webpage has an asset embedded and your browser will download it.
> What's more, in the age of CDNs you are sharing your "data" with them
> almost always. Not to mention Cloudflare and other similar services.
>
> > > What privacy concern is there?
> > I am unnecessarily forced to release information to third parties,
> > potentially outside Europe, that I've never wanted to authorise.
>
> Well, what information? That some unknown person using, say, Firefox
> entered a webpage Y from IP Z.
>
> If you are very concerned about Z use one of the public VPN services (I
> do; it solves the problem for all cases). Still Z is mostly useless
> information in the age of NAT and dynamic IPs.
>
> You can also fake the client agent (pretend that you are curl) if this
> matters for you, but why?
>
> If your concern is about tracking for advertising/marketing, disable
> 3rd party cookies in your browser. But seriously: are eduGAIN IdPs
> providing contextual ads around the globe? :-)
>
> Best,
> Krzysztof
>
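Both Marcus and Sander above ask for the same thing: that the IdP logos on the discovery page be fetched by the server and served from there, rather than by each user's browser. The following is an added example of such a logo proxy, written for this page; it is not Unity's code and does not describe what Unity does. It also shows the check a practitioner would insist on before deploying one, since a proxy that fetches whatever URL it is asked for is a server-side request forgery primitive. The `fetch` function is injected so the example runs offline against constructed responses; `LogoProxy`, `CacheEntry`, `FetchResult`, the TTLs and size limit, and the entity IDs and URLs are all invented for the example.

```python
"""Added example, not Unity's own code: a server-side proxy for IdP logos, the
alternative the thread asks for. The browser then talks only to Unity, so the
user's IP, User-Agent, Referer and cookies never reach the IdPs, and an IdP
with a bad certificate or a client-certificate prompt only costs its logo.
A proxy fetching arbitrary URLs is an SSRF primitive, so the URL is never
client-supplied: only entity IDs from trusted metadata are served, responses
are type- and size-checked, failures are cached negatively. `fetch` is injected
so this runs offline; LogoProxy, CacheEntry, FetchResult are invented names.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

ALLOWED_TYPES = {"image/png", "image/jpeg", "image/gif", "image/svg+xml"}
MAX_BYTES = 256 * 1024   # logos are small; refuse anything larger
POSITIVE_TTL = 6 * 3600  # re-fetch a good logo every 6 hours
NEGATIVE_TTL = 10 * 60   # retry a failed IdP only every 10 minutes


@dataclass
class FetchResult:
    status: int
    content_type: str
    body: bytes


# Injected fetcher: url -> FetchResult. A real one uses a short timeout, no
# redirects, no cookie jar, a fixed User-Agent, and forwards nothing from the
# end user's request.
Fetcher = Callable[[str], FetchResult]


@dataclass
class CacheEntry:
    expires: float
    content_type: Optional[str]  # None marks a negative (failed) entry
    body: bytes = b""


@dataclass
class LogoProxy:
    logo_urls: Dict[str, str]  # entity ID -> logo URL, from trusted metadata
    fetch: Fetcher
    cache: Dict[str, CacheEntry] = field(default_factory=dict)
    fetch_count: int = 0  # upstream requests made; lets the cache be observed

    def get_logo(self, entity_id: str) -> Tuple[int, Optional[str], bytes]:
        """Return (status, content_type, body); 404 means "show a placeholder"."""
        # The entity ID is the only client-controlled input; the URL always
        # comes from the allow-list and must be https.
        url = self.logo_urls.get(entity_id)
        if url is None or not url.startswith("https://"):
            return 404, None, b""
        now = time.time()
        hit = self.cache.get(entity_id)
        if hit is not None and hit.expires > now:
            if hit.content_type is None:
                return 404, None, b""
            return 200, hit.content_type, hit.body
        self.fetch_count += 1
        try:
            res = self.fetch(url)
            ctype = res.content_type.split(";")[0].strip().lower()
            ok = (res.status == 200 and ctype in ALLOWED_TYPES
                  and 0 < len(res.body) <= MAX_BYTES)
        except Exception:  # TLS failure, timeout, connection refused, ...
            ok = False
        if not ok:
            self.cache[entity_id] = CacheEntry(now + NEGATIVE_TTL, None)
            return 404, None, b""
        self.cache[entity_id] = CacheEntry(now + POSITIVE_TTL, ctype, res.body)
        return 200, ctype, res.body


# Constructed responses standing in for the IdPs' web servers.
CONSTRUCTED_RESPONSES = {
    "https://idp.example.edu/logo.png":
        FetchResult(200, "image/png", b"\x89PNG\r\n\x1a\n" + b"\0" * 100),
    "https://idp.example.org/logo":  # serves HTML where an image is expected
        FetchResult(200, "text/html; charset=utf-8", b"<html>login</html>"),
}


def constructed_fetch(url: str) -> FetchResult:
    if url not in CONSTRUCTED_RESPONSES:
        raise ConnectionError("certificate verify failed")  # the broken IdP
    return CONSTRUCTED_RESPONSES[url]


def build_demo_proxy() -> LogoProxy:
    urls = {
        "https://idp.example.edu/saml": "https://idp.example.edu/logo.png",
        "https://idp.example.org/saml": "https://idp.example.org/logo",
        "https://idp.broken.example/saml": "https://idp.broken.example/logo.png",
    }
    return LogoProxy(logo_urls=urls, fetch=constructed_fetch)


if __name__ == "__main__":
    proxy = build_demo_proxy()
    for eid in list(proxy.logo_urls) + ["https://attacker.example/saml"]:
        print(eid, proxy.get_logo(eid)[:2])
```

Serving the cached bytes with a fixed `Content-Type` and a `Content-Disposition: inline` plus `X-Content-Type-Options: nosniff` header keeps an IdP that returns HTML or script from getting it rendered in Unity's origin; the negative cache is what turns a broken IdP into a one-off placeholder instead of a request storm on every login page view.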
From: Sander A. <sa....@fz...> - 2020-12-16 10:00:51

Hi Krzysztof,

the discussions are going on on this topic. Would it be possible to add unity with a dedicated password login endpoint to the list of available identity providers in the common SAML and OAuth endpoints, which are used by the services? So unity would act as its own identity provider.

Cheers,
Sander

On Fri, 2020-12-11 at 11:35 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 11.12.2020 at 09:34, Sander Apweiler wrote:
> > Good morning Krzysztof,
> >
> > In one of our federations we decided to allow user login only by
> > external IdPs. For this reason we removed the password fields from all
> > authentication screens besides the home and console endpoints. Some
> > services asked for a "monitoring" user to test the login to the
> > services periodically. Their organisations prohibit storing credentials
> > in files, which would be necessary for the monitoring flow. They asked
> > if we could create accounts in unity to test the login flow
> > periodically. Of course this is possible, but we do not want to show
> > password fields in the auth screens and adding additional endpoints for
> > the monitoring might create wrong check results. So my question is, is
> > it possible to trigger password login via the IdP hint, even if the
> > password authenticator is not enabled in the auth screens? If not, do
> > you know some other possibilities for this problem?
>
> Huh, a requirement from the category "I want to have a cake and eat the
> cake" :-)
>
> No, I don't think I know any good solution assuming you are not willing
> to create a separate endpoint for monitoring. I'd argue that this
> monitoring will anyway test a fake authentication flow (since it will be
> the only user signing in with password...).
>
> Maybe... if those "monitoring" users are automated agents (e.g. using
> Selenium) you could re-enable password login on your endpoint, place it
> at the bottom and add a bit of custom CSS to make it invisible and very
> small. But obviously that's a very miserable idea :-)
>
> Cheers,
> Krzysztof
>
From: Sander A. <sa....@fz...> - 2020-12-11 11:33:40

Hi Krzysztof,

thanks for the swift reply.

On Fri, 2020-12-11 at 11:35 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 11.12.2020 at 09:34, Sander Apweiler wrote:
> > Good morning Krzysztof,
> >
> > In one of our federations we decided to allow user login only by
> > external IdPs. For this reason we removed the password fields from all
> > authentication screens besides the home and console endpoints. Some
> > services asked for a "monitoring" user to test the login to the
> > services periodically. Their organisations prohibit storing credentials
> > in files, which would be necessary for the monitoring flow. They asked
> > if we could create accounts in unity to test the login flow
> > periodically. Of course this is possible, but we do not want to show
> > password fields in the auth screens and adding additional endpoints for
> > the monitoring might create wrong check results. So my question is, is
> > it possible to trigger password login via the IdP hint, even if the
> > password authenticator is not enabled in the auth screens? If not, do
> > you know some other possibilities for this problem?
>
> Huh, a requirement from the category "I want to have a cake and eat the
> cake" :-)
>
> No, I don't think I know any good solution assuming you are not willing
> to create a separate endpoint for monitoring. I'd argue that this
> monitoring will anyway test a fake authentication flow (since it will be
> the only user signing in with password...).

This was also my thought. At least I would check against the monitoring endpoint, but there could still be an issue on the endpoints which are used by normal users. We will see how we can do it.

Cheers,
Sander

> Maybe... if those "monitoring" users are automated agents (e.g. using
> Selenium) you could re-enable password login on your endpoint, place it
> at the bottom and add a bit of custom CSS to make it invisible and very
> small. But obviously that's a very miserable idea :-)
>
> Cheers,
> Krzysztof
>
From: Krzysztof B. <kb...@un...> - 2020-12-11 10:35:42

Hi Sander,

On 11.12.2020 at 09:34, Sander Apweiler wrote:
> Good morning Krzysztof,
>
> In one of our federations we decided to allow user login only by
> external IdPs. For this reason we removed the password fields from all
> authentication screens besides the home and console endpoints. Some
> services asked for a "monitoring" user to test the login to the
> services periodically. Their organisations prohibit storing credentials
> in files, which would be necessary for the monitoring flow. They asked
> if we could create accounts in unity to test the login flow
> periodically. Of course this is possible, but we do not want to show
> password fields in the auth screens and adding additional endpoints for
> the monitoring might create wrong check results. So my question is, is
> it possible to trigger password login via the IdP hint, even if the
> password authenticator is not enabled in the auth screens? If not, do you
> know some other possibilities for this problem?

Huh, a requirement from the category "I want to have a cake and eat the cake" :-)

No, I don't think I know any good solution assuming you are not willing to create a separate endpoint for monitoring. I'd argue that this monitoring will anyway test a fake authentication flow (since it will be the only user signing in with password...).

Maybe... if those "monitoring" users are automated agents (e.g. using Selenium) you could re-enable password login on your endpoint, place it at the bottom and add a bit of custom CSS to make it invisible and very small. But obviously that's a very miserable idea :-)

Cheers,
Krzysztof
From: Sander A. <sa....@fz...> - 2020-12-11 08:35:27

Good morning Krzysztof,

In one of our federations we decided to allow user login only by external IdPs. For this reason we removed the password fields from all authentication screens besides the home and console endpoints. Some services asked for a "monitoring" user to test the login to the services periodically. Their organisations prohibit storing credentials in files, which would be necessary for the monitoring flow. They asked if we could create accounts in unity to test the login flow periodically. Of course this is possible, but we do not want to show password fields in the auth screens and adding additional endpoints for the monitoring might create wrong check results. So my question is, is it possible to trigger password login via the IdP hint, even if the password authenticator is not enabled in the auth screens? If not, do you know some other possibilities for this problem?

Cheers,
Sander
From: Krzysztof B. <kb...@un...> - 2020-12-09 11:30:53

Hi Sander,

On 08.12.2020 at 12:47, Sander Apweiler wrote:
> Hi Krzysztof,
>
> we get DB exceptions about
>
> Error updating database. Cause: java.sql.SQLSyntaxErrorException: (conn=296180) Data too long for column 'NAME' at row 1
> ### The error may exist in pl/edu/icm/unity/store/rdbms/mapper/Tokens.xml
>
> Sadly the Maria log is empty. Is there a possibility to increase the log
> level on the unity side?

Yes. You have two options:

unity.server.db -> setting this to TRACE will provide you quite a lot of information
pl.edu.icm.unity.store -> this at TRACE (or DEBUG too, AFAIR) will dump all the SQL/JDBC traffic for you

> We are using a 2048 bit certificate key to sign tokens.

Hmm, strange. In case of JWT OAuth tokens we put the token id (jti) as the token NAME, so that shouldn't be that big. But maybe the assumption is wrong?

HTH,
Krzysztof
From: Sander A. <sa....@fz...> - 2020-12-08 11:47:57

Hi Krzysztof,

we get DB exceptions about

Error updating database. Cause: java.sql.SQLSyntaxErrorException: (conn=296180) Data too long for column 'NAME' at row 1
### The error may exist in pl/edu/icm/unity/store/rdbms/mapper/Tokens.xml

Sadly the Maria log is empty. Is there a possibility to increase the log level on the unity side?

We are using a 2048 bit certificate key to sign tokens.

Cheers,
Sander
From: Krzysztof B. <kb...@un...> - 2020-12-07 10:49:19

Dear Sander,

On 02.12.2020 at 08:24, Sander Apweiler wrote:
> Dear Krzysztof,
>
> We have a small improvement for invitation templates. We as unity
> administrators, not as group administrators, got a lot of replies asking
> to which group the user was invited. Of course we can modify the template
> but we don't have access to the group name. Could you create a variable
> containing the group display name, like it already exists for the
> registration form or expiration date?

Well, perhaps yes, but that's not that obvious a feature. The thing is that an invitation (as well as its form) can include more than a single group. Actually there may be multiple group parameters in a form AND some of them may be multivalued. Consider the attached screenshot.

So we would need to add at a minimum the following variables to the invitation message template:

${prefilledAttribute['attrName']}
${prefilledIdentity['idName']}
${prefilledGroup['groupsSpec']}

One problem is that we don't have yet any support for parametrized variables in message templates; we would need to introduce something like this. The other problem is that the above may still not work in your case (?): if an invitation contains multiple groups then you most likely want to show only a specific one (e.g. in the screenshot it would be /A/B/C (or its name))?

Cheers,
Krzysztof
From: Sander A. <sa....@fz...> - 2020-12-02 07:25:01

Dear Krzysztof,

We have a small improvement for invitation templates. We as unity administrators, not as group administrators, got a lot of replies asking to which group the user was invited. Of course we can modify the template but we don't have access to the group name. Could you create a variable containing the group display name, like it already exists for the registration form or expiration date?

Cheers,
Sander
From: Sander A. <sa....@fz...> - 2020-12-01 13:17:07

Hi Krzysztof,

thank you very much!

Cheers,
Sander

On Tue, 2020-12-01 at 13:37 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 01.12.2020 at 08:26, Sander Apweiler wrote:
> > Dear Krzysztof,
> >
> > we have connected our instance to an OIDC IdP. This IdP releases email
> > and email_verified attributes. Currently we map only the email:
> >
> > Condition: true
> > Action: mapAttribute
> > Action parameters:
> > unityAttribute = email
> > group = /
> > expression = attr['email']
> > effect = CREATE_OR_UPDATE
> >
> > Can we "map" the email_verified information too? We want to skip the
> > verification in case this is already done by the IdP. The condition
> > part is no problem, but how can we set the information on the email
> > attribute?
>
> Sure, you can. See
> https://www.unity-idm.eu/documentation/unity-3.4.0/manual.html#_e_mail_confirmations,
> section 7.4.4 precisely. You would need to add the "[CONFIRMED]" suffix
> based on the email_verified attribute, something like
>
> attr['email'] + (attr['email_verified'] == 'true' ? '[CONFIRMED]' : '')
>
> You should be able to fine tune that depending on types, whether this
> email_verified is always present or optional etc.
>
> Cheers,
> Krzysztof
>
From: Krzysztof B. <kb...@un...> - 2020-12-01 12:37:53

Hi Sander,

On 01.12.2020 at 08:26, Sander Apweiler wrote:
> Dear Krzysztof,
>
> we have connected our instance to an OIDC IdP. This IdP releases email
> and email_verified attributes. Currently we map only the email:
>
> Condition: true
> Action: mapAttribute
> Action parameters:
> unityAttribute = email
> group = /
> expression = attr['email']
> effect = CREATE_OR_UPDATE
>
> Can we "map" the email_verified information too? We want to skip the
> verification in case this is already done by the IdP. The condition
> part is no problem, but how can we set the information on the email
> attribute?

Sure, you can. See https://www.unity-idm.eu/documentation/unity-3.4.0/manual.html#_e_mail_confirmations, section 7.4.4 precisely. You would need to add the "[CONFIRMED]" suffix based on the email_verified attribute, something like

attr['email'] + (attr['email_verified'] == 'true' ? '[CONFIRMED]' : '')

You should be able to fine tune that depending on types, whether this email_verified is always present or optional etc.

Cheers,
Krzysztof
From: Sander A. <sa....@fz...> - 2020-12-01 07:27:04

Dear Krzysztof,

we have connected our instance to an OIDC IdP. This IdP releases email and email_verified attributes. Currently we map only the email:

Condition: true
Action: mapAttribute
Action parameters:
unityAttribute = email
group = /
expression = attr['email']
effect = CREATE_OR_UPDATE

Can we "map" the email_verified information too? We want to skip the verification in case this is already done by the IdP. The condition part is no problem, but how can we set the information on the email attribute?

Cheers,
Sander
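The expression Krzysztof suggests in this thread, `attr['email'] + (attr['email_verified'] == 'true' ? '[CONFIRMED]' : '')`, and his remark that it must be fine-tuned for the claim's type and for the claim being optional, are the security-relevant part of the exchange: whatever mapping is used decides whether Unity skips its own e-mail confirmation. The following is an added example written for this page that models that rule in Python; it is not Unity's code, not the MVEL engine, and makes no claim about how Unity evaluates the expression. The `attr` dictionaries, the claim sets and the names `map_email` and `is_verified` are constructed for the example; the `[CONFIRMED]` suffix is the convention the thread itself cites from the Unity manual.

```python
"""Added example (not Unity's code): a model of the translation-profile rule
discussed in the thread, which maps the IdP's `email` claim into Unity's email
attribute and appends "[CONFIRMED]" only when the IdP asserted email_verified.

The fine-tuning Krzysztof mentions is the point: OIDC defines email_verified
as a JSON boolean, some IdPs release it as the string "true", and some omit
it. Anything other than an explicit positive assertion must leave the address
unconfirmed, otherwise Unity would skip its own verification for an address
the IdP never vouched for. `attr`, the claim sets, map_email and is_verified
are constructed for this example.
"""
from typing import Any, Dict, Mapping, Optional

CONFIRMED_SUFFIX = "[CONFIRMED]"  # suffix convention cited in the thread


def is_verified(value: Any) -> bool:
    """Interpret an email_verified claim strictly.

    Only JSON true or the string "true" (case-insensitive) count. Missing,
    null, "1", "yes", the integer 1 and so on are treated as unverified: a
    permissive reading here is a verification bypass, not a convenience.
    """
    if value is True:
        return True
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False


def map_email(attr: Mapping[str, Any]) -> Optional[str]:
    """Value for Unity's `email` attribute, or None to map nothing.

    Mirrors the expression from the thread: the address with "[CONFIRMED]"
    appended when the IdP vouched for it. The address itself is checked
    minimally so that a claim like "" or "foo" does not produce a bogus
    (let alone confirmed) attribute.
    """
    email = attr.get("email")
    if not isinstance(email, str):
        return None
    email = email.strip()
    local, sep, domain = email.partition("@")
    if not sep or not local or not domain or "@" in domain:
        return None
    if is_verified(attr.get("email_verified")):
        return email + CONFIRMED_SUFFIX
    return email


# Constructed claim sets, as different IdPs might release them.
SAMPLE_CLAIMS: Dict[str, Dict[str, Any]] = {
    "json boolean": {"email": "jane@example.org", "email_verified": True},
    "string true":  {"email": "jane@example.org", "email_verified": "true"},
    "string false": {"email": "jane@example.org", "email_verified": "false"},
    "absent":       {"email": "jane@example.org"},
    "sloppy yes":   {"email": "jane@example.org", "email_verified": "yes"},
    "integer one":  {"email": "jane@example.org", "email_verified": 1},
    "no email":     {"email_verified": True},
    "junk email":   {"email": "jane", "email_verified": True},
}

if __name__ == "__main__":
    for name, claims in SAMPLE_CLAIMS.items():
        print(f"{name:13} -> {map_email(claims)!r}")
```

Two things carry over to the real profile regardless of language: the condition part should only fire when `email` is actually present (otherwise the action has nothing sensible to map), and the confirmed branch should test for the exact values the IdP is known to send, since a comparison that accidentally matches a missing or differently typed claim silently disables confirmation for every user from that IdP.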
From: Krzysztof B. <kb...@un...> - 2020-11-26 10:07:16
Dear Subscribers,

Unity 3.4.0 was just released and brings a couple of significant new features.

FIDO/WebAuthn support

Finally Unity offers support for hardware-token-based authentication. What is more, as the support is based on the FIDO standard, all compatible devices and even software such as Android OS or Windows Hello can be used for authentication.

Refreshed consent screen

The consent screen was significantly reworked. Technical language was removed, information is end-user oriented, and unnecessary data was dropped for a cleaner presentation. To take full advantage of the new look and feel make sure to properly describe your OAuth scopes and set logos for the clients (note that the OAuth client logo now uses the image attribute type, supporting a variety of formats).

Sub-projects support in UpMan

The UpMan UI was generally refreshed and aligned with the theme of Console. Besides that a new feature was added: a Unity admin can allow selected project managers to create sub-projects on their own. This feature must be enabled on each project, and additionally Unity offers a new authorization role which needs to be assigned to the authorized managers. Sub-projects can be managed with UpMan in the very same way as root projects created from Console. Also in Console all groups which are managed via UpMan are marked and can be easily identified in the group browser.

Admin UI dropped

As previously announced, the legacy AdminUI was dropped in this release. Make sure to enable Console before the update.

jpegImage attribute syntax replaced by image syntax

The deprecated jpegImage attribute syntax was dropped. All instances will be migrated during the update to the image attribute syntax. This change allows PNG images (and GIFs) to be used everywhere, and also improves JPG image quality, which was noticeably impacted by jpegImage.

More details and download links: https://www.unity-idm.eu/downloads/

Best regards,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2020-11-11 11:19:20
Dear Sander,

On 10.11.2020 at 13:40, Sander Apweiler wrote:
> Dear Krzysztof,
>
> in a previous exchange with Marcus you said that the token length
> depends on the key length used for signing. We do not want to change
> our primary certificate/key because of the connection to federations.
> We want to add a dedicated key for signing the OAuth tokens. As far as
> I understood the PKI documentation unity can only handle credentials
> with certificate and key. Is this correct or is there a possibility to
> add only the key?

I think there are two questions here.

1. "We do not want to change our primary certificate/key because of the connection to federations. We want to add a dedicated key for signing the OAuth tokens." -> this is of course possible. You can define as many PKI credentials (cert + private key) in Unity as you like and use them for different purposes. E.g. you can add one extra and configure it just for OAuth JWT.

2. "I understood the PKI documentation unity can only handle credentials with certificate and key. Is this correct or is there a possibility to add only the key?" -> PKI is public key infrastructure. By definition keys in PKI are certificate + private key; there is no other option (assuming that we use X.509 PKI, which we do; but also in other trust systems such as GPG you have public key + private key, the only difference being that the public key is not wrapped in a certificate).

But, for OAuth JWT you still have two options. Either you can use PKI-based signatures (i.e. based on public/private keys) or pre-shared-key based signatures. You control this in the OAuth IdP config. Compare:

vs:

HTH,
Krzysztof
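The two points in this exchange, that token length follows the signing key and that JWTs can be signed either with a PKI credential or with a pre-shared key, made concrete as an added Go example. It is not Unity's code: it signs one constructed claim set as a compact JWT with HS256 (shared secret) and RS256 (RSA private key), shows that the RS256 signature is as long as the RSA modulus, and verifies the RS256 token with the public key alone. The claims, the secret and the names `SignHS256`, `SignRS256`, `VerifyRS256` and `NewRSAKey` are all assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// sampleClaims is a constructed payload; issuer, subject and audience are made up.
var sampleClaims = map[string]interface{}{
	"iss": "https://idp.example.org/oauth2", "sub": "user-0001", "aud": "example-client", "exp": 1700000000,
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func mustJSON(v interface{}) []byte {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err) // static maps of strings and ints always marshal
	}
	return b
}

// signingInput builds "header.payload", the part of a compact JWS that gets signed.
func signingInput(alg string) string {
	header := mustJSON(map[string]string{"alg": alg, "typ": "JWT"})
	return b64url(header) + "." + b64url(mustJSON(sampleClaims))
}

// splitJWS separates a compact token into its signed input and decoded signature.
func splitJWS(token string) (string, []byte, bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", nil, false
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return "", nil, false
	}
	return parts[0] + "." + parts[1], sig, true
}

// SignHS256 signs with a pre-shared secret (HMAC-SHA256). The signature is a fixed
// 32 bytes, and any party able to verify it holds the secret and could sign too.
func SignHS256(secret []byte) string {
	input := signingInput("HS256")
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + b64url(mac.Sum(nil))
}

// NewRSAKey generates a throw-away RSA key standing in for the private half of a
// dedicated PKI credential.
func NewRSAKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// SignRS256 signs with the RSA private key (RSASSA-PKCS1-v1_5 over SHA-256). The
// signature is as long as the modulus, so a 2048-bit key yields 256 bytes.
func SignRS256(key *rsa.PrivateKey) (string, error) {
	input := signingInput("RS256")
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// VerifyRS256 checks the token with the public key alone, which is all a relying
// party holding just the certificate needs.
func VerifyRS256(token string, pub *rsa.PublicKey) bool {
	input, sig, ok := splitJWS(token)
	if !ok {
		return false
	}
	digest := sha256.Sum256([]byte(input))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	hs := SignHS256([]byte("constructed-demo-secret"))
	key, err := NewRSAKey(2048) // try 4096 to see the signature double to 512 bytes
	if err != nil {
		panic(err)
	}
	rs, _ := SignRS256(key)
	_, hsSig, _ := splitJWS(hs)
	_, rsSig, _ := splitJWS(rs)
	fmt.Printf("HS256:      %d chars, %d-byte signature\n", len(hs), len(hsSig))
	fmt.Printf("RS256/2048: %d chars, %d-byte signature, verifies=%v\n", len(rs), len(rsSig), VerifyRS256(rs, &key.PublicKey))
}
```

The size difference is the reason behind the original question: an HMAC signature stays at 32 bytes whatever the secret length, while an RSA signature is exactly the modulus size, so a longer PKI key makes every token longer. The trust difference is the reason a dedicated PKI credential is the usual choice when tokens are validated outside Unity: with a pre-shared key every verifier holds the same secret that signs, whereas with the PKI option only the signing side holds the private key and relying parties need nothing more than the certificate.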
From: Sander A. <sa....@fz...> - 2020-11-10 12:41:39
Dear Krzysztof,

in a previous exchange with Marcus you said that the token length depends on the key length used for signing. We do not want to change our primary certificate/key because of the connection to federations. We want to add a dedicated key for signing the OAuth tokens. As far as I understood the PKI documentation unity can only handle credentials with certificate and key. Is this correct or is there a possibility to add only the key?

Cheers,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Sander A. <sa....@fz...> - 2020-11-02 08:58:57
Hi Krzysztof,

we sometimes encounter "issues" with the login screens on all endpoints of all our instances. The spinning wheel is displayed for 20+ seconds. I guess the grid is built/updated during this time. Of course, having the eduGAIN federation with 3000+ identity providers is a long list, but do you have a hint how we could improve this? Do you know if this issue is on the unity side (e.g. a performance issue while rebuilding) or on the client side?

Cheers,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Krzysztof B. <kb...@un...> - 2020-10-12 11:32:30
Dear Subscribers,

Release 3.3.4 was published today. It brings a couple of small improvements and bug fixes. The detailed list of changes is available on the Downloads <https://www.unity-idm.eu/downloads/> page.

Important note for H2 DB users: we have found a problem introduced in release 3.3.0 related to the upgraded H2 DB v1.4.200. It does not work in a stable way under heavy load. In this revision we downgraded H2 to 1.4.199. According to our tests this should not cause any issues, but making a text backup is strongly advised.

Best regards,
Krzysztof