From: Krzysztof B. <kb...@un...> - 2021-03-03 08:45:02

Dear David,

On 02.03.2021 at 14:31, David Pape wrote:
> P.S.:
>
> I tried using template based resolving like this:
>
> uid={USERNAME},ou=users,ou=db,ou=it,o=fsr,dc=de
>
> where Unity does in fact not ask for a system password. But since in this case the test fails with "invalid credentials", it seems like normal users are not allowed to access the system.

Ah, ok - so yes - there are two places where a unity credential can be set.

If you use 'bindAs=system' then the system credential is used for every query except for password verification (done with bind). So this needs to be a credential of a highly privileged user.

If you use bindAs=user then this is in general not needed as the user's credential is used to query LDAP. But this means we need to have a template to build the user's DN out of the username - only then can we start using this DN as part of the authN. Otherwise another 'mini-system' credential needs to be provided just to find the user's DN. This, in contrast to the previous one, need not have wide permissions.

> Using the ldapsearch command with the options -D "" -b "ou=users,ou=db,ou=it,o=fsr,dc=de" does work.

If I read the above correctly your LDAP is configured so that you can run queries without authentication whatsoever? If so then I'd suggest adding a user to your test ldap instance with some credentials and using this as the 'system' user in unity.

Best,
Krzysztof
From: David P. <d....@hz...> - 2021-03-02 13:31:41

P.S.:

I tried using template based resolving like this:

uid={USERNAME},ou=users,ou=db,ou=it,o=fsr,dc=de

where Unity does in fact not ask for a system password. But since in this case the test fails with "invalid credentials", it seems like normal users are not allowed to access the system.

Using the ldapsearch command with the options -D "" -b "ou=users,ou=db,ou=it,o=fsr,dc=de" does work.

On Tuesday, 2 March 2021, 14:14:31 CET, David Pape wrote:
> Dear Krzysztof,
>
> thanks for the quick reply. We are trying to use the LDAP authenticator. Setting "Bind as" to "user" still requires system DN and system password (see screenshot attached).
>
> David
>
> On Tuesday, 2 March 2021, 13:37:41 CET, Krzysztof Benedyczak wrote:
> > Dear David,
> >
> > On 02.03.2021 at 09:32, David Pape wrote:
> > > Dear developers,
> > >
> > > at our research centre, we are currently evaluating the usage of Unicore with Unity as an identity manager. More precisely, we are looking to integrate it with our LDAP server.
> > >
> > > The problem we are facing at the moment is that our LDAP test instance, which is used by multiple parties, has both an empty system DN as well as an empty system password set. This seems to be an issue when trying to connect from Unity, as it is not possible to leave these fields empty.
> > >
> > > I would like to know whether there is a workaround or backdoor that would allow us to connect to our test instance.
> >
> > In what context do you use ldap in your setup? Is it a users store with credentials (and so in unity the ldap authenticator is used), or do you have users with credentials stored in unity and ldap is used to enrich user records with additional attributes?
> >
> > In the first case it should be possible to change the "binding as" option to user - then the user's credential is used to authorize all operations to LDAP, and "system" credentials should not be required. Also the "system" user can be any LDAP user that can run queries about other users in LDAP.
> >
> > HTH,
> > Krzysztof

--
David Pape
Researcher
Computational Science Department (FWCC)
Department of Information Services and Computing (FWC)
Building 312, Room 7
Helmholtz-Zentrum Dresden-Rossendorf e.V.
Bautzner Landstr. 400 | 01328 Dresden | Germany
http://www.hzdr.de
Board of Directors: Prof. Dr. Sebastian M. Schmidt, Dr. Diana Stiller
Company Registration Number VR 1693, Amtsgericht Dresden
From: David P. <d....@hz...> - 2021-03-02 13:14:47

Dear Krzysztof,

thanks for the quick reply. We are trying to use the LDAP authenticator. Setting "Bind as" to "user" still requires system DN and system password (see screenshot attached).

David

On Tuesday, 2 March 2021, 13:37:41 CET, Krzysztof Benedyczak wrote:
> Dear David,
>
> On 02.03.2021 at 09:32, David Pape wrote:
> > Dear developers,
> >
> > at our research centre, we are currently evaluating the usage of Unicore with Unity as an identity manager. More precisely, we are looking to integrate it with our LDAP server.
> >
> > The problem we are facing at the moment is that our LDAP test instance, which is used by multiple parties, has both an empty system DN as well as an empty system password set. This seems to be an issue when trying to connect from Unity, as it is not possible to leave these fields empty.
> >
> > I would like to know whether there is a workaround or backdoor that would allow us to connect to our test instance.
>
> In what context do you use ldap in your setup? Is it a users store with credentials (and so in unity the ldap authenticator is used), or do you have users with credentials stored in unity and ldap is used to enrich user records with additional attributes?
>
> In the first case it should be possible to change the "binding as" option to user - then the user's credential is used to authorize all operations to LDAP, and "system" credentials should not be required. Also the "system" user can be any LDAP user that can run queries about other users in LDAP.
>
> HTH,
> Krzysztof
From: Krzysztof B. <kb...@un...> - 2021-03-02 12:37:59

Dear David,

On 02.03.2021 at 09:32, David Pape wrote:
> Dear developers,
>
> at our research centre, we are currently evaluating the usage of Unicore with Unity as an identity manager. More precisely, we are looking to integrate it with our LDAP server.
>
> The problem we are facing at the moment is that our LDAP test instance, which is used by multiple parties, has both an empty system DN as well as an empty system password set. This seems to be an issue when trying to connect from Unity, as it is not possible to leave these fields empty.
>
> I would like to know whether there is a workaround or backdoor that would allow us to connect to our test instance.

In what context do you use ldap in your setup? Is it a users store with credentials (and so in unity the ldap authenticator is used), or do you have users with credentials stored in unity and ldap is used to enrich user records with additional attributes?

In the first case it should be possible to change the "binding as" option to user - then the user's credential is used to authorize all operations to LDAP, and "system" credentials should not be required. Also the "system" user can be any LDAP user that can run queries about other users in LDAP.

HTH,
Krzysztof
From: David P. <d....@hz...> - 2021-03-02 08:49:48

Dear developers,

at our research centre, we are currently evaluating the usage of Unicore with Unity as an identity manager. More precisely, we are looking to integrate it with our LDAP server.

The problem we are facing at the moment is that our LDAP test instance, which is used by multiple parties, has both an empty system DN as well as an empty system password set. This seems to be an issue when trying to connect from Unity, as it is not possible to leave these fields empty.

I would like to know whether there is a workaround or backdoor that would allow us to connect to our test instance.

Kind regards

--
David Pape
From: Sander A. <sa....@fz...> - 2021-02-18 06:46:06

Good morning Krzysztof,

On Tue, 2021-02-16 at 13:33 +0100, Krzysztof Benedyczak wrote:
> OK, the situation is clear now.
>
> Let me answer:
>
> > I got some user feedback about invitations and the mentioned problem occurred for multiple users. The user had multiple accounts in unity and wishes to select which account is used to accept this invitation. I think the problem here is that the invitation is bound to the first account which has the entered email address.
>
> True, it behaves like this, and I also think it is incorrect.
>
> However I don't think the proposed solution works. In my opinion in such a situation the person who is inviting should make the decision who is the recipient. After all the inviting party is the party which should control who is given additional grants/memberships.
>
> What do you think?

Also valid. And in this case you could avoid inviting an "outdated" account which was not deleted before the email was reused.

> Anyway fixing that will be a bit more involved.

I understand totally.

Cheers,
Sander

> > The bug I found is that the check whether a user exists with the entered email address is case sensitive. We had a user with capital letters in the email address, while the project manager entered only lower case. I think the check should be case-insensitive. I found this on unity version 3.3.4. I don't know if this is fixed in the meantime.
>
> True, it is confirmed. Should be fixed in the next patch release.
>
> Thanks
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Amtsgericht Dueren, No. HR B 3498
Chairman of the Supervisory Board: MinDir Volker Rieke
Management: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt
-----------------------------------------------------------------------
From: Krzysztof B. <kb...@un...> - 2021-02-17 20:03:07

Dear Subscribers,

Recently minor releases were published:

In 3.4.4 one important security fix is found. Please see https://www.unity-idm.eu/2021/02/17/security-fix-in-3-4-4/ for more details.

In version 3.4.5, released today, there are two bugfixes related to:
* using multiple autoProcessInvitation actions in form automation
* proper finding of existing users invited from UpMan

What is more, we have exposed more database access configuration options, allowing for fine tuning the number of concurrent connections and several other advanced options.

Best regards,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2021-02-16 12:33:59

OK, the situation is clear now.

Let me answer:

> I got some user feedback about invitations and the mentioned problem occurred for multiple users. The user had multiple accounts in unity and wishes to select which account is used to accept this invitation. I think the problem here is that the invitation is bound to the first account which has the entered email address.

True, it behaves like this, and I also think it is incorrect.

However I don't think the proposed solution works. In my opinion in such a situation the person who is inviting should make the decision who is the recipient. After all the inviting party is the party which should control who is given additional grants/memberships.

What do you think?

Anyway fixing that will be a bit more involved.

> The bug I found is that the check whether a user exists with the entered email address is case sensitive. We had a user with capital letters in the email address, while the project manager entered only lower case. I think the check should be case-insensitive. I found this on unity version 3.3.4. I don't know if this is fixed in the meantime.

True, it is confirmed. Should be fixed in the next patch release.

Thanks
Krzysztof
From: Sander A. <sa....@fz...> - 2021-02-16 12:03:49

Hi Krzysztof,

On Tue, 2021-02-16 at 12:54 +0100, Krzysztof Benedyczak wrote:
> Sander,
>
> On 16.02.2021 at 11:58, Sander Apweiler wrote:
> > The user created two accounts with the same email address but not equal in case:
> > - 1st account email: Sa....@fz...
> > - 2nd account email: sa....@fz...
>
> Almost clear. One more question here: above you mean that you had two entities in Unity, which had email *attributes* as shown above and those entities had no email *identities*. Is it correct?

Yes, both entities do not have an email identity. Only username.

Cheers,
Sander

> Krzysztof
From: Krzysztof B. <kb...@un...> - 2021-02-16 11:54:33

Sander,

On 16.02.2021 at 11:58, Sander Apweiler wrote:
> The user created two accounts with the same email address but not equal in case:
> - 1st account email: Sa....@fz...
> - 2nd account email: sa....@fz...

Almost clear. One more question here: above you mean that you had two entities in Unity, which had email *attributes* as shown above and those entities had no email *identities*. Is it correct?

Krzysztof
From: Sander A. <sa....@fz...> - 2021-02-16 10:59:03

Hi Krzysztof,

On Tue, 2021-02-16 at 10:30 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 12.02.2021 at 09:34, Sander Apweiler wrote:
> > Good morning Krzysztof,
> >
> > I got some user feedback about invitations and the mentioned problem occurred for multiple users. The user had multiple accounts in unity and wishes to select which account is used to accept this invitation. I think the problem here is that the invitation is bound to the first account which has the entered email address.
>
> Can you please explain this in more detail?

I'll try it.

> What sort of invitations are discussed here? Invitation to enquiries or to registration forms?

The invitations are going to enquiries. The user already had two or more accounts in unity using the same email address.

> Can you describe the context here? Who/to what is inviting, from what app, etc.

We created a group and enabled upman on this group but only using invitations to users who have an account in unity, so using enquiries. The user got the invitation and clicked on the link. The account is added to the group. On some investigation of the accounts of the users who have multiple accounts with the same email address, I encountered that the first account (lowest entity ID) which uses the email address is added to the group. In the case where users reported a problem, they did not use their first account in unity but another one. So they want to decide which account is going to be added to the group. Of course this is in some way a wrong usage of the service by the users, but they will always blame the service and the software.

> > The bug I found is that the check whether a user exists with the entered email address is case sensitive. We had a user with capital letters in the email address, while the project manager entered only lower case. I think the check should be case-insensitive. I found this on unity version 3.3.4. I don't know if this is fixed in the meantime.
>
> Hmm, that certainly should not be the case. Email identity is compared case insensitive. But perhaps there is some other mechanism in question.
>
> Perhaps answers to the above questions will help. But anyway: can you provide reproduction steps?

Yes, I'll explain it using my email address. The user created two accounts with the same email address but not equal in case:
- 1st account email: Sa....@fz...
- 2nd account email: sa....@fz...

The project manager sent an invitation to sa....@fz... and the user accepted it. In this case the 2nd account was added to the group, but the user still uses the 1st account. In the other cases, described above, the first account with the email address is added to the group. For this reason it seems to me that the check is not handled case sensitive. At least the behaviour is different.

Cheers,
Sander

> Thank you
> Krzysztof
From: Krzysztof B. <kb...@un...> - 2021-02-16 09:30:59

Hi Sander,

On 12.02.2021 at 09:34, Sander Apweiler wrote:
> Good morning Krzysztof,
>
> I got some user feedback about invitations and the mentioned problem occurred for multiple users. The user had multiple accounts in unity and wishes to select which account is used to accept this invitation. I think the problem here is that the invitation is bound to the first account which has the entered email address.

Can you please explain this in more detail?

What sort of invitations are discussed here? Invitation to enquiries or to registration forms?

Can you describe the context here? Who/to what is inviting, from what app, etc.

> The bug I found is that the check whether a user exists with the entered email address is case sensitive. We had a user with capital letters in the email address, while the project manager entered only lower case. I think the check should be case-insensitive. I found this on unity version 3.3.4. I don't know if this is fixed in the meantime.

Hmm, that certainly should not be the case. Email identity is compared case insensitive. But perhaps there is some other mechanism in question.

Perhaps answers to the above questions will help. But anyway: can you provide reproduction steps?

Thank you
Krzysztof
From: Sander A. <sa....@fz...> - 2021-02-12 08:35:05

Good morning Krzysztof,

I got some user feedback about invitations and the mentioned problem occurred for multiple users. The user had multiple accounts in unity and wishes to select which account is used to accept this invitation. I think the problem here is that the invitation is bound to the first account which has the entered email address.

The bug I found is that the check whether a user exists with the entered email address is case sensitive. We had a user with capital letters in the email address, while the project manager entered only lower case. I think the check should be case-insensitive. I found this on unity version 3.3.4. I don't know if this is fixed in the meantime.

Best regards,
Sander
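The two problems raised in this message and confirmed in the 2021-02-16 replies (a case-sensitive e-mail comparison, and the invitation silently binding to the lowest entity id when several accounts share an address) can be modelled side by side. This is an added example, not Unity's code; the `Entity` records, addresses and function names are constructed for illustration.

```python
"""Invitation recipient lookup by e-mail address.

Added example; not Unity's code. It models the behaviour reported in the
thread (case-sensitive comparison, first match wins) next to a corrected
lookup that compares case-insensitively and returns every matching
account, so the inviting party can choose the recipient.
All entities and addresses below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entity:
    entity_id: int
    username: str
    email: Optional[str]  # e-mail *attribute*; None when the account has none


# Constructed sample data: accounts 1 and 2 differ only in the case of the
# address, account 4 has no e-mail attribute at all.
SAMPLE_ENTITIES = [
    Entity(1, "sapweiler", "Sa.Example@example.org"),
    Entity(2, "sapweiler-2", "sa.example@example.org"),
    Entity(3, "someone", "someone.else@example.org"),
    Entity(4, "noemail", None),
]


def normalize_email(address: str) -> str:
    """Canonical form for comparison: trimmed and lower-cased.

    The domain part is case-insensitive by definition; treating the local
    part the same way is the practical convention and what the thread's
    participants expect.
    """
    return address.strip().lower()


def find_first_case_sensitive(entities: List[Entity], email: str) -> Optional[Entity]:
    """The reported behaviour: exact string match, lowest entity id wins."""
    for entity in sorted(entities, key=lambda e: e.entity_id):
        if entity.email == email:
            return entity
    return None


def find_all_case_insensitive(entities: List[Entity], email: str) -> List[Entity]:
    """Corrected lookup: normalized comparison, all candidates returned."""
    wanted = normalize_email(email)
    matches = [
        e for e in entities
        if e.email is not None and normalize_email(e.email) == wanted
    ]
    return sorted(matches, key=lambda e: e.entity_id)


def resolve_invitation_target(entities: List[Entity], email: str) -> Tuple[str, List[Entity]]:
    """Decide what the invitation flow should do for an address.

    Returns one of:
      ("none", [])          no account carries the address
      ("unique", [entity])  exactly one account, safe to bind the invitation
      ("ambiguous", [...])  several accounts; the inviter must choose
    """
    matches = find_all_case_insensitive(entities, email)
    if not matches:
        return "none", []
    if len(matches) == 1:
        return "unique", matches
    return "ambiguous", matches


if __name__ == "__main__":
    addr = "sa.example@example.org"
    first = find_first_case_sensitive(SAMPLE_ENTITIES, addr)
    print("reported behaviour binds to entity:", first.entity_id if first else None)
    print("corrected lookup:", resolve_invitation_target(SAMPLE_ENTITIES, addr))
```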
From: Krzysztof B. <kb...@un...> - 2021-01-17 16:48:58

Dear Subscribers,

Unfortunately the series of authentication stability fixes from the previous 3.4.2 release missed handling of one case - automatic proxy authentication could in rare cases still hang. This release brings a fix for that issue.

Best regards,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2021-01-14 09:46:16

Dear Subscribers,

We are pleased to announce availability of a new patch release. This version includes fixes for several long-lasting and important issues - all related to web sign-in flows:

* The last used login option was not always properly activated.
* Auto-proxy login with remote IdP was not always auto-forwarding.
* On very rare occasions an error message could be shown on the login UI for a short moment. In an even more rare situation this was a fatal error breaking the login flow.
* In some cases the response from the remote IdP was not caught up and processed by Unity.

As always download details are available here: https://www.unity-idm.eu/downloads/

Best regards,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2020-12-23 11:13:41

Dear Subscribers,

Actually yesterday a new patch release (v3.4.1) was published. It includes two bugfixes around sub-projects handling in UpMan as well as a few enhancements of the REST API. See Downloads <https://www.unity-idm.eu/downloads/> for more details.

For those who celebrate: merry Christmas! For all: Happy New Year!

Krzysztof
From: Krzysztof B. <kb...@un...> - 2020-12-17 12:46:15

Marcus, Sander,

OK, we have a ticket opened, I've moved it a bit up in the backlog.

Cheers,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2020-12-17 12:37:44

Hi Sander,

On 16.12.2020 at 11:00, Sander Apweiler wrote:
> Hi Krzysztof,
>
> the discussions are going on on this topic. Would it be possible to add unity with a dedicated password login endpoint to the list of available identity providers in the common saml and oauth endpoints, which are used by the services? So unity would act as its own identity provider.

Yes, of course. You need to have 2 IdPs in Unity (I understand that configured with local password authN only) - one oauth, another saml. And then just configure them as additional IdPs in your OAuth and SAML authenticators. We do use this setup for testing very often.

One important hint: make sure to put your unity-idsp-using-local-passwd in a separate authentication realm - perhaps created for them. Otherwise unity may use SSO in ways which are hard to understand (i.e. it will work fine in a common realm, but you may be puzzled quite often as some steps are skipped).

HTH,
Krzysztof
From: Marcus H. <ha...@ki...> - 2020-12-17 07:07:05

And, to reinforce this, some users complained that they're asked for the certificate they have in the browser, just because of some misconfigured IdP that requested the certificate for sending the logo. This all creates pain for the user -- unnecessarily.

M.

On 12/17/20 07:20, Sander Apweiler wrote:
> Good morning Krzysztof,
>
> We have another reason for providing the logos through unity, instead of the user's browser. While normal browsers do not load the content if a certificate is not trusted or a hostname mismatch appears, some apps, e.g. RocketChat, throw errors and the user thinks we have an issue on our site and opens tickets. To users without an IT, especially AAI, background it is hard to explain that on our site everything is fine and the problem is out of our control.
>
> Cheers,
> Sander
>
> On Tue, 2020-10-06 at 11:32 +0200, Krzysztof Benedyczak wrote:
> > On 06.10.2020 at 09:32, Marcus Hardt wrote:
> > > On 10/06/20 09:24, Krzysztof Benedyczak wrote:
> > > > Marcus,
> > > >
> > > > On 05.10.2020 at 10:47, Marcus Hardt wrote:
> > > > > > The fact that the user gets a cookie from a site which was not visited is just a few bytes on her hard drive, nothing more. So I can ask: what is the real problem here?
> > > > > By requesting the picture, the user informs _all_ IdPs that he is about to log in to unity. That does not seem right, does it?
> > > > No, that's not true. The IdPs can only know that some *anonymous* one is trying to enter a unity instance (and only if and after they check that the referer URL is of some unity instance). Nothing more.
> > > The anonymous is the goal here. For this unity needs to proxy the requests. At the moment it's my browser requesting those images. This is by no means anonymous.
> >
> > Are you browsing the web? Entering _any_ page opens a huge risk that this webpage has an asset embedded and your browser will download it. What's more, in the age of CDNs you are sharing your "data" with them almost always. Not to mention cloudflare and other similar services.
> >
> > > > What privacy concern is there?
> > > I am unnecessarily forced to release information to third parties, potentially outside europe, that I've never wanted to authorise.
> >
> > Well, what information? That some unknown person using say Firefox entered a webpage Y from IP Z.
> >
> > If you are very concerned about Z use one of the public VPN services (I do - solves the problem for all cases). Still Z is mostly useless information in the age of NAT and dynamic IPs.
> >
> > You can also fake the client agent (pretend that you are curl) if this matters for you - but why?
> >
> > If your concern is about tracking for advertising/marketing - disable 3rd party cookies in your browser. But seriously: are edugain IdPs providing contextual ads around the globe? :-)
> >
> > Best,
> > Krzysztof

--
Marcus.
From: Sander A. <sa....@fz...> - 2020-12-17 06:20:57

Good morning Krzysztof,

We have another reason for providing the logos through unity, instead of the user's browser. While normal browsers do not load the content if a certificate is not trusted or a hostname mismatch appears, some apps, e.g. RocketChat, throw errors and the user thinks we have an issue on our site and opens tickets. To users without an IT, especially AAI, background it is hard to explain that on our site everything is fine and the problem is out of our control.

Cheers,
Sander

On Tue, 2020-10-06 at 11:32 +0200, Krzysztof Benedyczak wrote:
> On 06.10.2020 at 09:32, Marcus Hardt wrote:
> > On 10/06/20 09:24, Krzysztof Benedyczak wrote:
> > > Marcus,
> > >
> > > On 05.10.2020 at 10:47, Marcus Hardt wrote:
> > > > > The fact that the user gets a cookie from a site which was not visited is just a few bytes on her hard drive, nothing more. So I can ask: what is the real problem here?
> > > > By requesting the picture, the user informs _all_ IdPs that he is about to log in to unity. That does not seem right, does it?
> > > No, that's not true. The IdPs can only know that some *anonymous* one is trying to enter a unity instance (and only if and after they check that the referer URL is of some unity instance). Nothing more.
> > The anonymous is the goal here. For this unity needs to proxy the requests. At the moment it's my browser requesting those images. This is by no means anonymous.
>
> Are you browsing the web? Entering _any_ page opens a huge risk that this webpage has an asset embedded and your browser will download it. What's more, in the age of CDNs you are sharing your "data" with them almost always. Not to mention cloudflare and other similar services.
>
> > > What privacy concern is there?
> > I am unnecessarily forced to release information to third parties, potentially outside europe, that I've never wanted to authorise.
>
> Well, what information? That some unknown person using say Firefox entered a webpage Y from IP Z.
>
> If you are very concerned about Z use one of the public VPN services (I do - solves the problem for all cases). Still Z is mostly useless information in the age of NAT and dynamic IPs.
>
> You can also fake the client agent (pretend that you are curl) if this matters for you - but why?
>
> If your concern is about tracking for advertising/marketing - disable 3rd party cookies in your browser. But seriously: are edugain IdPs providing contextual ads around the globe? :-)
>
> Best,
> Krzysztof
From: Sander A. <sa....@fz...> - 2020-12-16 10:00:51
Hi Krzysztof,

the discussions are going on on this topic. Would it be possible to add unity with a dedicated password login endpoint to the list of available identity providers in the common SAML and OAuth endpoints, which are used by the services? So unity would act as its own identity provider.

Cheers,
Sander

On Fri, 2020-12-11 at 11:35 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 11.12.2020 at 09:34, Sander Apweiler wrote:
> > Good morning Krzysztof,
> >
> > In one of our federations we decided to allow user login only by external IdPs. For this reason we removed the password fields from all authentication screens besides the home and console endpoints. Some services asked for a "monitoring" user to test the login to the services periodically. Their organisations prohibit storing credentials in files, which would be necessary for the monitoring flow. They asked if we could create accounts in unity to test the login flow periodically. Of course this is possible, but we do not want to show password fields in the auth screens and adding additional endpoints for the monitoring might create wrong check results. So my question is, is it possible to trigger password login via the idp hint, even if the password authenticator is not enabled in auth screens? If not, do you know some other possibilities for this problem?
>
> Huh, a requirement from the category "I want to have a cake and eat the cake" :-)
>
> No, I don't think I know any good solution assuming you are not willing to create a separate endpoint for monitoring. I'd argue that this monitoring will anyway test a fake authentication flow (since it will be the only user signing-in with password...)
>
> Maybe... if those "monitoring" users are automated agents (e.g. using selenium) you could re-enable password login on your endpoint, place it at the bottom and add a bit of custom CSS to make it invisible and very small. But obviously that's a very miserable idea :-)
>
> Cheers,
> Krzysztof
>
From: Sander A. <sa....@fz...> - 2020-12-11 11:33:40
Hi Krzysztof,

thanks for the swift reply.

On Fri, 2020-12-11 at 11:35 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 11.12.2020 at 09:34, Sander Apweiler wrote:
> > Good morning Krzysztof,
> >
> > In one of our federations we decided to allow user login only by external IdPs. For this reason we removed the password fields from all authentication screens besides the home and console endpoints. Some services asked for a "monitoring" user to test the login to the services periodically. Their organisations prohibit storing credentials in files, which would be necessary for the monitoring flow. They asked if we could create accounts in unity to test the login flow periodically. Of course this is possible, but we do not want to show password fields in the auth screens and adding additional endpoints for the monitoring might create wrong check results. So my question is, is it possible to trigger password login via the idp hint, even if the password authenticator is not enabled in auth screens? If not, do you know some other possibilities for this problem?
>
> Huh, a requirement from the category "I want to have a cake and eat the cake" :-)
>
> No, I don't think I know any good solution assuming you are not willing to create a separate endpoint for monitoring. I'd argue that this monitoring will anyway test a fake authentication flow (since it will be the only user signing-in with password...)

This was also my thought. At least I would check against the monitoring endpoint, but there could still be an issue on the endpoints which are used by normal users. We will see how we can do it.

Cheers,
Sander

> Maybe... if those "monitoring" users are automated agents (e.g. using selenium) you could re-enable password login on your endpoint, place it at the bottom and add a bit of custom CSS to make it invisible and very small. But obviously that's a very miserable idea :-)
>
> Cheers,
> Krzysztof
>
From: Krzysztof B. <kb...@un...> - 2020-12-11 10:35:42
Hi Sander,

On 11.12.2020 at 09:34, Sander Apweiler wrote:
> Good morning Krzysztof,
>
> In one of our federations we decided to allow user login only by external IdPs. For this reason we removed the password fields from all authentication screens besides the home and console endpoints. Some services asked for a "monitoring" user to test the login to the services periodically. Their organisations prohibit storing credentials in files, which would be necessary for the monitoring flow. They asked if we could create accounts in unity to test the login flow periodically. Of course this is possible, but we do not want to show password fields in the auth screens and adding additional endpoints for the monitoring might create wrong check results. So my question is, is it possible to trigger password login via the idp hint, even if the password authenticator is not enabled in auth screens? If not, do you know some other possibilities for this problem?

Huh, a requirement from the category "I want to have a cake and eat the cake" :-)

No, I don't think I know any good solution assuming you are not willing to create a separate endpoint for monitoring. I'd argue that this monitoring will anyway test a fake authentication flow (since it will be the only user signing-in with password...)

Maybe... if those "monitoring" users are automated agents (e.g. using selenium) you could re-enable password login on your endpoint, place it at the bottom and add a bit of custom CSS to make it invisible and very small. But obviously that's a very miserable idea :-)

Cheers,
Krzysztof
From: Sander A. <sa....@fz...> - 2020-12-11 08:35:27
Good morning Krzysztof,

In one of our federations we decided to allow user login only by external IdPs. For this reason we removed the password fields from all authentication screens besides the home and console endpoints. Some services asked for a "monitoring" user to test the login to the services periodically. Their organisations prohibit storing credentials in files, which would be necessary for the monitoring flow. They asked if we could create accounts in unity to test the login flow periodically. Of course this is possible, but we do not want to show password fields in the auth screens and adding additional endpoints for the monitoring might create wrong check results. So my question is, is it possible to trigger password login via the idp hint, even if the password authenticator is not enabled in auth screens? If not, do you know some other possibilities for this problem?

Cheers,
Sander
From: Krzysztof B. <kb...@un...> - 2020-12-09 11:30:53
Hi Sander,

On 08.12.2020 at 12:47, Sander Apweiler wrote:
> Hi Krzysztof,
>
> we get DB exceptions about
>
> Error updating database. Cause: java.sql.SQLSyntaxErrorException: (conn=296180) Data too long for column 'NAME' at row 1
> ### The error may exist in pl/edu/icm/unity/store/rdbms/mapper/Tokens.xml
>
> Sadly the Maria log is empty. Is there a possibility to increase the log level on the unity side?

Yes. You have two options:

unity.server.db -> setting this to TRACE will provide you quite a lot of information
pl.edu.icm.unity.store -> this at TRACE (or DEBUG too AFAIR) will dump you all the SQL/JDBC traffic

> We are using a 2048 bit certificate key to sign tokens.

Hmm, strange. In case of JWT oauth tokens we put the token id (jti) as token NAME, so that shouldn't be that big. But maybe the assumption is wrong?

HTH,
Krzysztof