From: Sander A. <sa....@fz...> - 2020-08-03 06:39:55
Good morning Krzysztof,

I agree that identifiers are needed. But is there a possibility to grab the display name of a group, e.g. in an output translation profile? In this case we could release the group membership information as the group administrators and service providers would expect it. I'll give you an example. We have a group m-team which is managed by a group administrator. He created a subgroup feudal-developers and asked specific service providers to support his group /m-team/feudal-developers, but the service providers only see /m-team/NNE09. Having the possibility to access the display name, we could create a new attribute containing the expected information.

Cheers,
Sander

On Sun, 2020-08-02 at 00:05 +0200, Krzysztof Benedyczak wrote:
> Dear Sander,
>
> On 31.07.2020 at 07:49, Sander Apweiler wrote:
> > Dear Krzysztof,
> >
> > We encountered a problem with the names of groups which were created by group administrators in the upman endpoint. The name of the group which is released in the groups attribute differs from the name which the user entered. It seems that Unity creates a name randomly and the entered name is only used as display name.
> >
> > I agree that the group administrators should only enter one name and not two like the Unity administrators can do. But the information is used for group based access management on the service provider level. If the group name differs from the name which was entered by the group administrators, this is not possible.
> >
> > What is the reason for the randomly generated group names? Can this behaviour be changed?
>
> The group "internal" name, or its identifier, is set in stone. On the other hand the displayed name can be changed at will.
>
> If the admin can define the internal name, then it will typically have a semantic name. And this leads to troubles ("err I named it /cookies, but it should be /chocolate-bars really"). Also group names, when used externally, should not rely on the displayed name but on some stable id, which is the internal name.
>
> BTW in the full Unity this should be the same, and is not only because of the legacy of in-file configurations, where software can not assign ids on its own.
>
> All in all I would advise to simply use the identifiers externally, especially in policies. If this is hard let me know why precisely; chances are I'll be able to help as we use this approach in many non-upman scenarios too. Or if not, we can think about an improvement then.
>
> Best
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Amtsgericht Dueren, No. HR B 3498
Chairman of the Supervisory Board: MinDir Volker Rieke
Management Board: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt
-----------------------------------------------------------------------
From: Krzysztof B. <kb...@un...> - 2020-08-01 22:05:40
Dear Sander,

On 31.07.2020 at 07:49, Sander Apweiler wrote:
> Dear Krzysztof,
>
> We encountered a problem with the names of groups which were created by group administrators in the upman endpoint. The name of the group which is released in the groups attribute differs from the name which the user entered. It seems that Unity creates a name randomly and the entered name is only used as display name.
>
> I agree that the group administrators should only enter one name and not two like the Unity administrators can do. But the information is used for group based access management on the service provider level. If the group name differs from the name which was entered by the group administrators, this is not possible.
>
> What is the reason for the randomly generated group names? Can this behaviour be changed?

The group "internal" name, or its identifier, is set in stone. On the other hand the displayed name can be changed at will.

If the admin can define the internal name, then it will typically have a semantic name. And this leads to troubles ("err I named it /cookies, but it should be /chocolate-bars really"). Also group names, when used externally, should not rely on the displayed name but on some stable id, which is the internal name.

BTW in the full Unity this should be the same, and is not only because of the legacy of in-file configurations, where software can not assign ids on its own.

All in all I would advise to simply use the identifiers externally, especially in policies. If this is hard let me know why precisely; chances are I'll be able to help as we use this approach in many non-upman scenarios too. Or if not, we can think about an improvement then.

Best
Krzysztof
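An added example (not Unity code and not from either correspondent) of the approach Krzysztof recommends: the service provider's policy is keyed on the stable identifiers released in the groups attribute, and the display path the group administrator expects is rebuilt only for human consumption. The ids /m-team and /m-team/NNE09 and the display name feudal-developers are taken from the thread; the GROUP_DIRECTORY mapping, GroupPolicy, the display-name anti-pattern and the colliding second group are constructed for illustration.

```python
"""Group authorization keyed on stable group identifiers, not display names.

Constructed example: the directory, policy and collision scenario are not
part of Unity; only the identifiers /m-team and /m-team/NNE09 and the display
name "feudal-developers" come from the mailing-list thread.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed directory: stable id -> display name as typed by the group admin.
# The display name is mutable and not unique; the id is neither.
GROUP_DIRECTORY: Dict[str, str] = {
    "/m-team": "m-team",
    "/m-team/NNE09": "feudal-developers",
}


@dataclass(frozen=True)
class GroupPolicy:
    """Access rule expressed in stable group identifiers."""
    allowed_group_ids: Set[str]

    def authorize(self, groups_attribute: Iterable[str]) -> bool:
        # Compare the released identifiers directly; a rename cannot change the outcome.
        return any(gid in self.allowed_group_ids for gid in groups_attribute)


def display_path(group_id: str, directory: Dict[str, str]) -> str:
    """Rebuild the /display/name/path for humans from the stable id path.

    Every prefix of the id path is looked up; unknown segments keep the id.
    """
    segments = group_id.strip("/").split("/")
    names: List[str] = []
    for depth in range(1, len(segments) + 1):
        prefix = "/" + "/".join(segments[:depth])
        names.append(directory.get(prefix, segments[depth - 1]))
    return "/" + "/".join(names)


def authorize_by_display_path(allowed_display_paths: Set[str],
                              groups_attribute: Iterable[str],
                              directory: Dict[str, str]) -> bool:
    """Anti-pattern kept for contrast: the decision hinges on a mutable, non-unique label."""
    return any(display_path(gid, directory) in allowed_display_paths
               for gid in groups_attribute)


if __name__ == "__main__":
    policy = GroupPolicy({"/m-team/NNE09"})
    released = ["/m-team", "/m-team/NNE09"]          # what the IdP releases
    print("id-based decision:", policy.authorize(released))
    print("for humans:", [display_path(g, GROUP_DIRECTORY) for g in released])
```

The two failure modes of the display-name variant are the ones the thread hints at: a second administrator creating groups that happen to carry the same display names gets access he was never granted, and a legitimate rename of the real group locks its members out. Neither affects the id-keyed policy.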
From: Krzysztof B. <kb...@un...> - 2020-08-01 21:58:00
Sander,

On 27.07.2020 at 07:36, Sander Apweiler wrote:
> Good morning Krzysztof,
>
> On Sat, 2020-07-25 at 16:03 +0200, Krzysztof Benedyczak wrote:
>> Hi Sander,
>>
>> On 20.07.2020 at 12:34, Sander Apweiler wrote:
>>> Yes it is stored. See attachment.
>>>> 2. what are the settings in authentication UI configuration? Do you have "show last used option..." selected on the endpoint in question?
>>> Do you mean this one: unity.endpoint.web.authnLastOptionOnlyLayout? We use the default value.
>> No I meant this:
>>
>> unity.endpoint.web.authnShowLastOptionOnly
>>
>> do you have it set to true? Can you check up your endpoint config in Console?
> The option is not set in config files, so I guess it uses the default value true. Within the configuration in the console endpoint, it indicates that it is true. See attachments.
>> Anyway this works for me. I can only suspect some problem with authN options autogenerated from saml metadata.
>>
>>>> 3. it doesn't work for saml only or for arbitrary authentication options?
>>> It does not work for all endpoints.
>>>
>> I meant: whether this problem occurs only with SAML sign-in using some federation, or it also doesn't work with other authN options (e.g. password)?
> It is working for no authN. Not for SAML federation and also not for password, where password authentication is possible.
>

Well, I've tried this in several variants and all were working on my end flawlessly. I can't give you any better hint than to try to minimize the problem area. Perhaps you can try to set up a simple test endpoint (e.g. homeUI), add to it 2 authN options (e.g. password and one oauth) and try on it? If it works (by far it should) then I'd try to add more settings from an endpoint which is not working. If it doesn't work, let me know the precise config of the endpoint.

Cheers,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2020-08-01 21:54:36
Hi Sander,

On 20.07.2020 at 14:34, Sander Apweiler wrote:
> Hi Krzysztof,
> we discussed it internally and having the possibility to configure a return/forward URL would be the best in our opinion. We could send the users to a specific page where they get further information or could request access to the service.
>

OK, I've opened a ticket. However this is a bit messy (touches many places: SAML and OAuth flows, handling not in the profile really) so no strong promises that this will fit into the next version.

Cheers,
Krzysztof
From: Sander A. <sa....@fz...> - 2020-07-31 05:49:36
Dear Krzysztof,

We encountered a problem with the names of groups which were created by group administrators in the upman endpoint. The name of the group which is released in the groups attribute differs from the name which the user entered. It seems that Unity creates a name randomly and the entered name is only used as display name.

I agree that the group administrators should only enter one name and not two like the Unity administrators can do. But the information is used for group based access management on the service provider level. If the group name differs from the name which was entered by the group administrators, this is not possible.

What is the reason for the randomly generated group names? Can this behaviour be changed?

Cheers,
Sander
From: Krzysztof B. <kb...@un...> - 2020-07-27 08:11:30
Dear Subscribers,

We have released the 3.3.1 revision, fixing and improving 3.3.0 in several cases. While none of the issues were critical, there are several improvements that you may find useful, such as improved email validation or a fix in the editor of certain group attribute statements.

What is more, this release enables use of the SMS and OTP credentials as a 2nd factor credential for users who possess neither an email nor a username identity.

More details are available in Downloads <https://www.unity-idm.eu/downloads/>

Best regards,
Krzysztof
From: Sander A. <sa....@fz...> - 2020-07-27 05:36:56
Good morning Krzysztof,

On Sat, 2020-07-25 at 16:03 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 20.07.2020 at 12:34, Sander Apweiler wrote:
> > Yes it is stored. See attachment.
> > > 2. what are the settings in authentication UI configuration? Do you have "show last used option..." selected on the endpoint in question?
> >
> > Do you mean this one: unity.endpoint.web.authnLastOptionOnlyLayout? We use the default value.
>
> No I meant this:
>
> unity.endpoint.web.authnShowLastOptionOnly
>
> do you have it set to true? Can you check up your endpoint config in Console?

The option is not set in config files, so I guess it uses the default value true. Within the configuration in the console endpoint, it indicates that it is true. See attachments.

> Anyway this works for me. I can only suspect some problem with authN options autogenerated from saml metadata.
>
> > > 3. it doesn't work for saml only or for arbitrary authentication options?
> >
> > It does not work for all endpoints.
>
> I meant: whether this problem occurs only with SAML sign-in using some federation, or it also doesn't work with other authN options (e.g. password)?

It is working for no authN. Not for SAML federation and also not for password, where password authentication is possible.

Best regards,
Sander

> Best
> Krzysztof
From: Krzysztof B. <kb...@un...> - 2020-07-25 14:03:45
Hi Sander,

On 20.07.2020 at 12:34, Sander Apweiler wrote:
> Yes it is stored. See attachment.
>> 2. what are the settings in authentication UI configuration? Do you have "show last used option..." selected on the endpoint in question?
> Do you mean this one: unity.endpoint.web.authnLastOptionOnlyLayout? We use the default value.

No I meant this:

unity.endpoint.web.authnShowLastOptionOnly

do you have it set to true? Can you check up your endpoint config in Console?

Anyway this works for me. I can only suspect some problem with authN options autogenerated from saml metadata.

>> 3. it doesn't work for saml only or for arbitrary authentication options?
> It does not work for all endpoints.
>

I meant: whether this problem occurs only with SAML sign-in using some federation, or it also doesn't work with other authN options (e.g. password)?

Best
Krzysztof
From: Krzysztof B. <kb...@un...> - 2020-07-22 21:50:03
Hi Sander,

On 22.07.2020 at 07:23, Sander Apweiler wrote:
> Good morning Krzysztof,
> in version 3.3.0 I got an error with attribute statements. I can create them without errors but when I want to edit them, I get the attached error. The log has a null pointer exception. The statement itself works.

Thanks for the report - a UI regression affecting fixed attribute statement editing (rarely used, so it was unnoticed). Fixed, will be in 3.3.1.

Best
KB
From: Sander A. <sa....@fz...> - 2020-07-22 05:23:22
Good morning Krzysztof,

in version 3.3.0 I got an error with attribute statements. I can create them without errors but when I want to edit them, I get the attached error. The log has a null pointer exception. The statement itself works.

Best regards,
Sander
From: Sander A. <sa....@fz...> - 2020-07-20 12:34:28
Hi Krzysztof,

we discussed it internally and having the possibility to configure a return/forward URL would be the best in our opinion. We could send the users to a specific page where they get further information or could request access to the service.

Best regards,
Sander

On Mon, 2020-07-20 at 12:25 +0200, Krzysztof Benedyczak wrote:
> Hi,
>
> On 17.07.2020 at 08:28, Sander Apweiler wrote:
> > Good morning Krzysztof,
> > we tested the fail authentication action in the translation profiles to do a lightweight ABAC/authorisation within Unity for services which can't do it by themselves.
> > We encountered some problems/not optimal behaviour in it. The error message is only sent to the service, but not to the users. The services can not handle such specific error messages and the user gets a very strange error at the service. E.g. the error of Nextcloud is:
> > "Account not provisioned.
> > Your account is not provisioned, access to this service is thus not possible."
> >
> > The user does not really understand why the login fails. From our point of view it would be great if the failed authentication error is shown to the user, maybe with the possibility to login with another account. Do you see a possibility to extend the fail authentication behaviour?
>
> Yes, we can extend this action. Adding a checkbox "show error internally" + its implementation is easy. However, is it going to be useful? Just to stop the user on the Unity error page? Shall we redirect back to the service (so the error, perhaps wrong if the service doesn't implement error handling correctly, will be shown again)? Or redirect to another address (like an article in the help center)?
>
> Best,
> KB
>
From: Sander A. <sa....@fz...> - 2020-07-20 10:34:31
Hi Krzysztof,

On Mon, 2020-07-20 at 12:18 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 17.07.2020 at 08:12, Sander Apweiler wrote:
> > Good morning Krzysztof,
> >
> > we have an issue on one of our four Unity (3.2.2) instances with the remember me function. It is not working. When I log out from a service and from Unity, by passing the session lifetime or logging out in a second browser tab, and try to re-login, I see all connected IdPs but not the screen with my last one. This issue appears with all browsers and with different users. The log does not show any errors. The remember me configuration is the default configuration. Have you seen this issue/behaviour before?
>
> It seems you are referring to the screen showing the last used authentication option, not the "remember me" setting which is skipping one or all authN factors on a trusted device?

Yes I mean showing the last used authentication. Sorry for the wrong wording.

> Assuming so:
>
> 1. can you check whether you have the "last used" cookie stored for the Unity instance origin? What is the value? It should be stored immediately after successful login.

Yes it is stored. See attachment.

> 2. what are the settings in authentication UI configuration? Do you have "show last used option..." selected on the endpoint in question?

Do you mean this one: unity.endpoint.web.authnLastOptionOnlyLayout? We use the default value.

> 3. it doesn't work for saml only or for arbitrary authentication options?

It does not work for all endpoints.

Best regards,
Sander

> Cheers,
> Krzysztof
>
From: Krzysztof B. <kb...@un...> - 2020-07-20 10:26:08
Hi,

On 17.07.2020 at 08:28, Sander Apweiler wrote:
> Good morning Krzysztof,
> we tested the fail authentication action in the translation profiles to do a lightweight ABAC/authorisation within Unity for services which can't do it by themselves.
> We encountered some problems/not optimal behaviour in it. The error message is only sent to the service, but not to the users. The services can not handle such specific error messages and the user gets a very strange error at the service. E.g. the error of Nextcloud is:
> "Account not provisioned.
> Your account is not provisioned, access to this service is thus not possible."
>
> The user does not really understand why the login fails. From our point of view it would be great if the failed authentication error is shown to the user, maybe with the possibility to login with another account. Do you see a possibility to extend the fail authentication behaviour?

Yes, we can extend this action. Adding a checkbox "show error internally" + its implementation is easy. However, is it going to be useful? Just to stop the user on the Unity error page? Shall we redirect back to the service (so the error, perhaps wrong if the service doesn't implement error handling correctly, will be shown again)? Or redirect to another address (like an article in the help center)?

Best,
KB
From: Krzysztof B. <kb...@un...> - 2020-07-20 10:18:32
Hi Sander,

On 17.07.2020 at 08:12, Sander Apweiler wrote:
> Good morning Krzysztof,
>
> we have an issue on one of our four Unity (3.2.2) instances with the remember me function. It is not working. When I log out from a service and from Unity, by passing the session lifetime or logging out in a second browser tab, and try to re-login, I see all connected IdPs but not the screen with my last one. This issue appears with all browsers and with different users. The log does not show any errors. The remember me configuration is the default configuration. Have you seen this issue/behaviour before?

It seems you are referring to the screen showing the last used authentication option, not the "remember me" setting which is skipping one or all authN factors on a trusted device?

Assuming so:

1. can you check whether you have the "last used" cookie stored for the Unity instance origin? What is the value? It should be stored immediately after successful login.

2. what are the settings in authentication UI configuration? Do you have "show last used option..." selected on the endpoint in question?

3. does it not work for SAML only, or for arbitrary authentication options?

Cheers,
Krzysztof
From: Sander A. <sa....@fz...> - 2020-07-17 06:28:46
Good morning Krzysztof,

we tested the fail authentication action in the translation profiles to do a lightweight ABAC/authorisation within Unity for services which can't do it by themselves.

We encountered some problems/not optimal behaviour in it. The error message is only sent to the service, but not to the users. The services can not handle such specific error messages and the user gets a very strange error at the service. E.g. the error of Nextcloud is:

"Account not provisioned.
Your account is not provisioned, access to this service is thus not possible."

The user does not really understand why the login fails. From our point of view it would be great if the failed authentication error is shown to the user, maybe with the possibility to login with another account. Do you see a possibility to extend the fail authentication behaviour?

Best regards,
Sander
From: Sander A. <sa....@fz...> - 2020-07-17 06:13:03
Good morning Krzysztof,

we have an issue on one of our four Unity (3.2.2) instances with the remember me function. It is not working. When I log out from a service and from Unity, by passing the session lifetime or logging out in a second browser tab, and try to re-login, I see all connected IdPs but not the screen with my last one. This issue appears with all browsers and with different users. The log does not show any errors. The remember me configuration is the default configuration. Have you seen this issue/behaviour before?

Best regards,
Sander
From: Krzysztof B. <kb...@un...> - 2020-07-03 09:38:48
Dear Subscribers,

The Unity 3.3.0 release brings a large set of improvements and brand new features. Additionally a couple of bugs were fixed, see the detailed changelog at https://www.unity-idm.eu/downloads/

Policy documents

Policy documents are a new global concept in Unity. An administrator can define documents covering ToU, SLA, marketing agreements and anything else alike. Documents are versioned, can be provided in multiple forms and can be mandatory or optional. Defined policy documents can be configured as a part of registration, enquiry or sign-in over IdP endpoint flows. Unity will record (as a special user attribute) acceptance or refusal, allowing it to re-prompt after a document update. It is additionally possible to configure in what way acceptance should be requested.

One time passwords

A new credential type is available: one time codes, technically the popular TOTP variant. It is a credential useful typically as the 2nd factor in two step authentication. With this credential users can verify their identity with the help of Google Authenticator, Microsoft Authenticator, RedHat's FreeOTP or any other similar app.

Other notable improvements

* Shared translation profiles can be managed in Admin Console now.
* Default appearance of the authentication screen (and all other views) was improved a lot, aligned and unified with the general Unity style.
* Authentication screen appearance on narrow mobile screens was improved in case of multiple columns with authentication options.
* Registration form can be configured to deny a request using an occupied identity at submission time.
* Credentials editing in Admin Console and HomeUI was reworked and offers much better UX now.
* MFA preference can be controlled with a registration form action.
* We started to provide a more intuitive contextual help in Admin Console. Only a few components use this feature so far, but we will expand it in the next revisions. For examples see Realms or OTP credential definition.

Downloads and more detailed changelog available as usual at https://www.unity-idm.eu/downloads/

Note: we haven't yet published the RPM package due to problems with the release server. It will be available in the next few days.

Best regards,
Krzysztof
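The TOTP variant named in the release note, as an added example rather than Unity's own implementation: HOTP per RFC 4226, TOTP per RFC 6238, and the server-side verifier with a one-step clock-skew window and a replay guard that refuses a time step already used. The key is the RFC 6238 test-vector secret so the codes can be checked against the RFC tables; TotpVerifier and its skew and replay policy are constructed for this example, not taken from Unity.

```python
"""TOTP (RFC 6238) on top of HOTP (RFC 4226), with a replay-safe verifier.

Added example, not Unity's code. The secret is the RFC 6238 test-vector key,
not a real credential; the verifier's skew/replay policy is constructed here.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                                    # low nibble of the last byte
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)             # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """TOTP: HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits, algorithm)


class TotpVerifier:
    """Server-side check: accept current step +/- skew, never accept a step twice."""

    def __init__(self, secret_base32: str, digits: int = 6, step: int = 30, skew_steps: int = 1):
        # Authenticator apps are provisioned with the shared secret in base32.
        padded = secret_base32.upper() + "=" * (-len(secret_base32) % 8)
        self.secret = base64.b32decode(padded)
        self.digits, self.step, self.skew = digits, step, skew_steps
        self.last_accepted_step = -1   # persist per user in a real deployment

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            # Replay guard: a code observed during one login must not work a second time.
            if candidate <= self.last_accepted_step:
                continue
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):            # constant-time compare
                self.last_accepted_step = candidate
                return True
        return False


# RFC 6238 test-vector key (ASCII "12345678901234567890") in base32.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    verifier = TotpVerifier(RFC6238_SECRET_B32)
    current_code = totp(b"12345678901234567890", int(time.time()))
    print("current code:", current_code, "accepted:", verifier.verify(current_code))
```

Two details matter for a second factor: the comparison is constant-time, and the verifier remembers the last accepted step so that the same six digits, valid for up to 90 seconds with a one-step window, cannot be submitted twice.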
From: Krzysztof B. <kb...@un...> - 2020-06-28 10:58:42
Dear Subscribers,

[This notice is relevant only for Unity users who are developing against Unity Java APIs]

As you could have noticed, the delay between 3.2 and the upcoming 3.3 release was bigger than usual. It was caused partially by an undertaken effort to move Unity from the Maven repository hosted by courtesy of Forschungszentrum Jülich to Maven Central. That was a complex process as many of Unity's dependencies were also hosted there. With Bernd's support, we managed to migrate all Unity dependencies from Sourceforge to GitHub, and we have deployed them to Maven Central. Hopefully this means that from the next Unity release all Unity artefacts will be available from the most popular repository in the JVM ecosystem. This brings many benefits:

I'd like to express here my gratitude to FZJ for hosting the Unity Maven repo, free of charge, for something around 7 years, and more personally pass big thanks to Bernd, who helped with the whole action of moving to GitHub and Maven Central.

Technically the move to the Maven Central Repository required us to change the Maven groupId of all Unity artifacts (as well as a few dependencies that we maintain). From Unity version 3.3.0 all Maven artifacts will live in the group "io.imunity". Artifact ids were not modified, version numbers are continued.

Best,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2020-06-28 08:59:26
Dear Subscribers,

We have a couple of news items to share, as we are getting close to the next feature release.

The first was probably already noticed by some of you visiting the Unity website recently: Unity got a new logo. We have finished the rebranding process, and it will also be the default product icon configured in the distribution. We hope you will like it, as much as we do :-)

[Image: New Unity logo]

Best,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2020-06-03 11:16:44
Hi Sander,

On 02.06.2020 at 06:53, Sander Apweiler wrote:
> Good morning Krzysztof,
>
> I found an issue in OAuth client registration with non-JPEG logos. Unity accepts them while uploading and displays them in the registration request. When I want to accept them, I get an error because the logo is not a JPEG. I attached the log. Should Unity only handle JPEGs? IMHO: in this case the check should be done while uploading.
>
> We are using Unity 3.2.2.

Yeah, thanks for bringing it up. That is still a small thing we need to align. Long time ago Unity supported only JPEG images as attribute value. More recently we added a much better attribute syntax which handles also other web-enabled picture formats and also fixes some of the original type's problems like double compression. This new type is available for regular attributes, but we haven't prepared a migration changing system-defined attribute types (like the OAuth client's logo) to the new format. I'll open a ticket to clean this up finally and also drop the old syntax.

Thanks,
Krzysztof
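Sander's point that the check belongs at upload time, as an added example in Python (not Unity code): the uploaded bytes are identified by their magic bytes, the client-supplied Content-Type is compared against what was detected rather than trusted, and the accepted set is a parameter so the same check serves the legacy JPEG-only attribute syntax and the newer multi-format one. The size limit, the LogoCheck result type and the sample byte strings are constructed for the example.

```python
"""Content-based validation of an uploaded logo at upload time.

Added example, not Unity code. MAX_LOGO_BYTES, LogoCheck and the allowed-format
parameter are constructed to illustrate the check Sander asks for.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_LOGO_BYTES = 256 * 1024   # constructed limit for the example


def sniff_image_format(data: bytes) -> Optional[str]:
    """Identify a web image by its magic bytes; None if it is not one we recognise."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    return None


@dataclass(frozen=True)
class LogoCheck:
    accepted: bool
    detected_format: Optional[str]
    reason: str


def validate_logo(data: bytes, declared_content_type: str,
                  allowed_formats: Tuple[str, ...] = ("jpeg",)) -> LogoCheck:
    """Decide at upload time. allowed_formats=("jpeg",) models the legacy JPEG-only
    attribute syntax; pass the full tuple for the newer multi-format syntax."""
    if len(data) > MAX_LOGO_BYTES:
        return LogoCheck(False, None, "logo exceeds size limit")
    detected = sniff_image_format(data)
    if detected is None:
        return LogoCheck(False, None, "content is not a recognised web image")
    # The Content-Type header is client-controlled: normalise it, then check it
    # against the detected format instead of believing it.
    declared = declared_content_type.split(";")[0].strip().lower()
    if declared == "image/jpg":
        declared = "image/jpeg"
    if declared != f"image/{detected}":
        return LogoCheck(False, detected, f"declared {declared} but content is {detected}")
    if detected not in allowed_formats:
        return LogoCheck(False, detected, f"{detected} is not accepted for this attribute")
    return LogoCheck(True, detected, "ok")


if __name__ == "__main__":
    png_header = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16        # constructed sample
    print(validate_logo(png_header, "image/jpeg"))          # rejected: content is png
    print(validate_logo(png_header, "image/png", ("jpeg", "png", "gif", "webp")))
```

Rejecting at upload, with the detected format in the result, gives the uploader an actionable message instead of the failure Sander saw at acceptance time, and it never stores bytes whose type the later step cannot handle.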
From: Sander A. <sa....@fz...> - 2020-06-02 04:53:55

Good morning Krzysztof,

I found an issue in OAuth client registration with non-JPEG logos. Unity accepts them while uploading and displays them in the registration request. When I want to accept them, I get an error because the logo is not a JPEG. I attached the log. Should Unity only handle JPEGs? IMHO: In this case the check should be done while uploading.

We are using Unity 3.2.2.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren local court, no. HR B 3498
Chairman of the Supervisory Board: MinDir Volker Rieke
Management Board: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman),
Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt
-----------------------------------------------------------------------
From: Krzysztof B. <kb...@un...> - 2020-05-28 19:32:35

Hi,

On 27.05.2020 at 12:44, Tim Kreuzer wrote:
> Hi,
>
> I'm very interested in the (not yet available) local credential "One
> time password" feature. Are you able to estimate when this feature will
> find its way into Unity? Do you already know which kind of OTP this
> will be (support of the Google Authenticator app, for example?). Thank
> you for any information.

I have a bit of bad news here. A while ago we intended to work on OTP as the next Unity authenticator, but we changed our plans and current work is focusing on the FIDO2 (aka WebAuthn) authenticator. This is already pretty much working and should be officially available sooner rather than later. OTP work was therefore not yet started and I can't provide an ETA. We can cover it as a sponsored development faster; otherwise it is not on the near-term horizon, though certainly still on the roadmap.

Google Authenticator should work with the planned implementation (at least back when I was checking it, it was implementing the standard HOTP algorithm) as well as all other typical apps like FreeOTP.

Best
Krzysztof
From: Krzysztof B. <kb...@un...> - 2020-05-28 18:53:20

Hi,

On 13.05.2020 at 09:47, Marcus Hardt wrote:
> Sorry for chipping in on this late and with a totally different
> background.
>
> Disclaimer:
> I'm running only OIDC clients.
>
> We receive the username as "preferred_username". This preference is taken
> into account, but modified according to requirements that we have. One of
> these requirements is (of course) that the username is unique.
>
> In other words: It would be nice if Unity could take care of this, but in the
> end I would not blindly create users with names from an external
> datasource.

You mean that Unity is acting as OIDC client? If so then either:

-> you auto-create the user account: covered already, just map this incoming username to any identity in Unity.
-> you request the user to register and the registration request waits for approval: then it is exactly the case discussed here and the same feature will help.

Best,
KB
From: Tim K. <t.k...@fz...> - 2020-05-27 10:45:05

Hi,

I'm very interested in the (not yet available) local credential "One time password" feature. Are you able to estimate when this feature will find its way into Unity? Do you already know which kind of OTP this will be (support of the Google Authenticator app, for example?). Thank you for any information.

Best regards,
Tim

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 1583
email: t.k...@fz...
From: Krzysztof B. <kb...@un...> - 2020-05-13 08:15:02

Hi Sander,

On 11.05.2020 at 12:40, Sander Apweiler wrote:
> Dear Krzysztof,
>
> we updated last week from Unity 2.8.2 to Unity 3.2.2. After this update
> we got an issue with one of our connected IdPs.
>
> We had, which was an error on our side, configured the authenticator to
> use the translation profile "marineID" but created the translation
> profile "MarineID" within the Unity GUI. This mismatch worked fine until
> Unity 2.8.2, and it seems that this configuration was case-insensitive.
>
> After the update we got a ticket that the login is not working and we
> started to investigate. After the error about unknown translation
> profile "marineID" we found the problem quite fast and changed the
> configuration from "marineID" into "MarineID" and reloaded the
> authenticator. Sadly the problem and error message stayed the same and we
> decided to restart Unity (load config from files instead of database)
> but the problem and error were still the same.
>
> Only changing the configuration and translation profile into "marineID"
> solved the issue. Because renaming a translation profile in the GUI
> (does not yet exist as a file) and having two files with the same name
> (one starting with a capital, one with a lower-case letter) is not possible,
> we had to copy the old one, remove it, and copy the copy to the old one
> with the lower-case name.
>
> Was it intended to make the translation profile matching between
> configuration and existing profiles case-sensitive? Was it intended
> that the translation profiles need to start with a lower-case letter?
>
> In case both were intended, can you please update the documentation to
> hint at the fact that translation profiles must start with lower-case
> letters, and can you highlight such changes where you switch from
> (probably unwanted) case-insensitive to case-sensitive configurations?

Well, in general all those identifiers should always be treated as case-sensitive, both in 3.2 and 2.8 and before.

It can happen, though, and we hit it multiple times here too, that a case-insensitive DB collation setting may allow for using different cases, which still work fine. Maybe this was the case? It is especially hard when collation changes between different DBs, e.g. after migration.

Also I guess there was some additional issue with the update of configuration, but I'm not able to decipher what exactly happened.

Cheers,
Krzysztof