From: Krzysztof B. <kb...@un...> - 2020-03-18 09:36:55

Hi,

On 17.03.2020 at 15:44, D Baum wrote:
> Hi!
>
> On 14/03/2020 11:04, Krzysztof Benedyczak wrote:
>> For the current unity:
>>
>> first of all you need to set
>>
>> unityServer.core.allowFullHtml=true
>>
>> in unityServer.conf. This turns off some of the XSS prevention measures,
>> basically trusting admin-entered HTML.
>>
>> Then you can configure your registration form agreement with a link,
>> like this:
>>
>> I agree to <a href="https://example.com/tou.html" target="_blank">ToU</a>
>
> Perfect, thanks!
>
> BTW: Is there a way to re-order the form elements?

Yes. Just enable custom layout.

HTH,
KB
From: Krzysztof B. <kb...@un...> - 2020-03-18 09:33:44

Hi Shiraz,

On 17.03.2020 at 17:02, Shiraz Memon wrote:
> Hi Krzysztof,
>
> If I'd want to define an attribute which is not an existing one
> (under the "Attributes" combobox), unity simply adds two of the same
> type instead of one. For instance, I have tried to add the given_name
> attribute; consequently two attributes of the same type (the following
> picture shows that behavior) are added. Ideally unity should not allow
> adding two attributes of the same type within a scope definition
> (regardless of existing or non-existing).

Reproduced, fix will go out in 3.2.2.

Thanks
KB
From: D B. <ba...@aw...> - 2020-03-17 19:48:48

Hi,

I'm trying to configure a remote SAML authenticator. In
conf/modules/saml/samlAuthenticator.properties, I've set these options:

unity.saml.requester.metadataPath=metadata
unity.saml.requester.sloPath=slo
unity.saml.requester.sloRealm=default

When I access unity's SP metadata file at
https://myunity/unitygw/saml-sp-metadata/metadata it contains the
AssertionConsumerService but no SingleLogoutService description. The SLO
itself seems to be available OK at https://myunity/unitygw/SPSLO/WEB/slo

Can I make unity include the SLO URL in the autogenerated SP metadata?

Cheers,
D
From: Shiraz M. <a....@fz...> - 2020-03-17 16:03:32

Hi Krzysztof,

If I'd want to define an attribute which is not an existing one (under
the "Attributes" combobox), unity simply adds two of the same type
instead of one. For instance, I have tried to add the given_name
attribute; consequently two attributes of the same type (the following
picture shows that behavior) are added. Ideally unity should not allow
adding two attributes of the same type within a scope definition
(regardless of existing or non-existing).

Thanks,
Shiraz

--
Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)
Phone: +49 2461 61 6899
Fax: +49 2461 61 6656
------------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the Commercial Register of the Dueren District Court No. HR B 3498
Chairman of the Supervisory Board: MinDir Volker Rieke
Management Board: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman),
Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt,
Prof. Dr. Sebastian M. Schmidt
------------------------------------------------------------------------
From: D B. <ba...@aw...> - 2020-03-17 14:45:06

Hi!

On 14/03/2020 11:04, Krzysztof Benedyczak wrote:
> For the current unity:
>
> first of all you need to set
>
> unityServer.core.allowFullHtml=true
>
> in unityServer.conf. This turns off some of the XSS prevention measures,
> basically trusting admin-entered HTML.
>
> Then you can configure your registration form agreement with a link,
> like this:
>
> I agree to <a href="https://example.com/tou.html" target="_blank">ToU</a>

Perfect, thanks!

BTW: Is there a way to re-order the form elements?

> What is more, a proper handling of policy documents & agreements is
> under development and should be available in 3.3 or 3.4 latest. Unity
> will offer: central definition of policy documents, support for changing
> of document versions, tracking of who accepted what, common support for
> requiring acceptance across registration forms, enquiry forms and IdP
> endpoints.

Wow, sounds cool :-)

Thanks!
D
From: Krzysztof B. <kb...@un...> - 2020-03-17 08:54:58

Hi,

On 16.03.2020 at 15:30, Shiraz Memon wrote:
> Hi,
>
> Any clues how to view the trust store, which is configured as a
> directory or jks? Or is it not supported(?)

No, that's not supported in Console. You need to use keytool or ls on
the server.

Implementing the truststore in console is in our plans but not on a
short list currently, and anyway what we plan to provide will be a
simplified version of what you can currently configure in Unity
pki.properties.

K
From: Krzysztof B. <kb...@un...> - 2020-03-17 08:49:05

Hi,

On 16.03.2020 at 14:46, Shiraz Memon wrote:
> Hi,
>
> Unity v3.2.1 throws an NPE when I click any user under the directory
> browser.

Hmm, nothing obvious... Let me take it to a private thread.

Best
KB
From: D B. <ba...@aw...> - 2020-03-16 17:49:34

Hi,

thanks for the hints! For posterity: I had mismatching entityIDs in my
Shibboleth config: "https://mydomain/shibboleth" in shibboleth2.xml and
"https://mydomain/shibboleth/" in the sp-metadata.xml

Yes, of course, that last slash makes a difference %-)

It seems that Shibboleth will send to the IDP the entityID set in
shibboleth2.xml - or at least it did in my case.

Cheers,
D

On 14/03/2020 10:41, Krzysztof Benedyczak wrote:
> Hi,
>
> On 12.03.2020 at 19:59, D Baum wrote:
>> Hi!
>>
>> I feel I've asked about this before but could not find the message any
>> more - sorry!
>>
>> I'm trying to configure two SAML SPs in parallel in
>> conf/modules/saml/saml-webidp.properties:
>>
>> unity.saml.acceptedSPMetadataSource.a.url=file:///conf/saml/a-metadata.xml
>> unity.saml.acceptedSPMetadataSource.b.url=file:///conf/saml/b-metadata.xml
>> unity.saml.spAcceptPolicy=validRequester
>>
>> SP A works fine, but I've got issues with SP B, which is a
>> Shibboleth/Apache setup. When I try to access a protected resource, I
>> get forwarded to unity and it tells me:
>>
>> SAML IdP got an invalid request.
>
> So certainly the B's metadata is a problem. You can enable more detailed
> logging on the saml facility (DEBUG should be enough, but try TRACE to
> get all insights) and check what SPs were extracted from the config.
> Especially the logger 'unity.server.saml.MetaToSPConfigConverter' should
> be helpful.
>
> HTH,
> Krzysztof
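The root cause in this thread is that an enumerated trust check compares the request Issuer against the entityIDs in the accepted SP metadata as exact strings, so a trailing slash is a different SP. The script below is an added example (not Unity's or Shibboleth's code) that reproduces that check offline on constructed metadata and a constructed AuthnRequest, and on failure reports the near-misses (trailing slash, letter case) a defender would want pointed out before turning to spAcceptPolicy=all.

```python
"""Exact-match SAML issuer trust check with near-miss diagnostics.

Added example for this thread, not Unity or Shibboleth code. All XML is
constructed sample data standing in for conf/saml/a-metadata.xml,
conf/saml/b-metadata.xml and an AuthnRequest sent by an SP.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed metadata for SP A (works) and SP B (entityID ends with a slash,
# the mismatch described in the thread).
METADATA_A = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://sp-a.example.org/saml">
  <SPSSODescriptor protocolSupportEnumeration="{SAMLP_NS}"/>
</EntityDescriptor>"""
METADATA_B = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://mydomain/shibboleth/">
  <SPSSODescriptor protocolSupportEnumeration="{SAMLP_NS}"/>
</EntityDescriptor>"""

# Constructed AuthnRequest: the Issuer carries the entityID from
# shibboleth2.xml, which has no trailing slash.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_constructed-request-1" Version="2.0" IssueInstant="2020-03-12T18:00:00Z">
  <saml:Issuer>https://mydomain/shibboleth</saml:Issuer>
</samlp:AuthnRequest>"""


def trusted_entity_ids(*metadata_docs):
    """Collect the entityID of every EntityDescriptor that has an SPSSODescriptor."""
    ids = set()
    for doc in metadata_docs:
        root = ET.fromstring(doc)
        # Accept a bare EntityDescriptor or an EntitiesDescriptor aggregate.
        if root.tag == f"{{{MD_NS}}}EntityDescriptor":
            descriptors = [root]
        else:
            descriptors = root.findall(f"{{{MD_NS}}}EntityDescriptor")
        for ed in descriptors:
            if ed.find(f"{{{MD_NS}}}SPSSODescriptor") is not None:
                ids.add(ed.get("entityID"))
    return ids


def request_issuer(authn_request_xml):
    """Return the Issuer text of an AuthnRequest, or None if it is missing."""
    root = ET.fromstring(authn_request_xml)
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not issuer.text:
        return None
    return issuer.text.strip()


def check_issuer_trust(issuer, trusted):
    """Exact-match trust decision plus hints explaining a failure.

    Returns (True, []) when the Issuer is a configured SP entityID, otherwise
    (False, hints) where hints name configured entityIDs that differ from the
    Issuer only by a trailing slash or by letter case.
    """
    if issuer is None:
        return False, ["request carries no Issuer element"]
    if issuer in trusted:
        return True, []
    hints = []
    for tid in sorted(trusted):
        if tid.rstrip("/") == issuer.rstrip("/"):
            hints.append(f"{tid!r} differs from the Issuer only by a trailing slash")
        elif tid.lower() == issuer.lower():
            hints.append(f"{tid!r} differs from the Issuer only by letter case")
    return False, hints


if __name__ == "__main__":
    trusted = trusted_entity_ids(METADATA_A, METADATA_B)
    issuer = request_issuer(AUTHN_REQUEST)
    ok, hints = check_issuer_trust(issuer, trusted)
    print(f"Issuer {issuer!r} trusted: {ok}")
    for hint in hints:
        print("  hint:", hint)
```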
From: Shiraz M. <a....@fz...> - 2020-03-16 14:31:28

Hi,

Any clues how to view the trust store, which is configured as a
directory or jks? Or is it not supported(?)

Thanks,
Shiraz

--
Shiraz Memon
From: Shiraz M. <a....@fz...> - 2020-03-16 13:47:26

Hi,

Unity v3.2.1 throws an NPE when I click any user under the directory
browser. The server log file shows the following:

2020-03-16T14:35:00,707 [qtp235322527-41] ERROR unity.server.web.UnityUIBase: UI code got an unchecked and not handled properly exception: java.lang.NullPointerException
java.lang.NullPointerException: null
    at io.imunity.webconsole.directoryBrowser.attributes.AttributesGrid.lambda$new$d4038911$3(AttributesGrid.java:96) ~[unity-server-web-console-3.2.1.jar:?]
    at com.vaadin.ui.Grid$Column.generateRendererValue(Grid.java:1111) ~[vaadin-server-8.9.2.jar:8.9.2]
    at com.vaadin.ui.Grid$Column.access$1100(Grid.java:849) ~[vaadin-server-8.9.2.jar:8.9.2]
    at com.vaadin.ui.Grid$Column$1.generateData(Grid.java:898) ~[vaadin-server-8.9.2.jar:8.9.2]
    at com.vaadin.data.provider.DataCommunicator.getDataObject(DataCommunicator.java:481) ~[vaadin-server-8.9.2.jar:8.9.2]
    at com.vaadin.data.provider.DataCommunicator.pushData(DataCommunicator.java:461) ~[vaadin-server-8.9.2.jar:8.9.2]
    at com.vaadin.data.provider.DataCommunicator.sendDataToClient(DataCommunicator.java:383) ~[vaadin-server-8.9.2.jar:8.9.2]
    at com.vaadin.data.provider.DataCommunicator.beforeClientResponse(DataCommunicator.java:339) ~[vaadin-server-8.9.2.jar:8.9.2]
    at com.vaadin.server.communication.UidlWriter.write(UidlWriter.java:126) ~[vaadin-server-8.9.2.jar:8.9.2]
    at com.vaadin.server.communication.UidlRequestHandler.writeUidl(UidlRequestHandler.java:124) ~[vaadin-server-8.9.2.jar:8.9.2]
    at com.vaadin.server.communication.UidlRequestHandler.synchronizedHandleRequest(UidlRequestHandler.java:92) ~[vaadin-server-8.9.2.jar:8.9.2]
    at com.vaadin.server.SynchronizedRequestHandler.handleRequest(SynchronizedRequestHandler.java:40) ~[vaadin-server-8.9.2.jar:8.9.2]
    at com.vaadin.server.VaadinService.handleRequest(VaadinService.java:1602) ~[vaadin-server-8.9.2.jar:8.9.2]
    at com.vaadin.server.VaadinServlet.service(VaadinServlet.java:445) ~[vaadin-server-8.9.2.jar:8.9.2]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) ~[javax.servlet-api-3.1.0.jar:3.1.0]
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:760) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022]
    at pl.edu.icm.unity.webui.authn.InvocationContextSetupFilter.doFilter(InvocationContextSetupFilter.java:74) ~[unity-server-web-common-3.2.1.jar:?]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022]
    at pl.edu.icm.unity.webui.authn.AuthenticationFilter.gotoProtectedResource(AuthenticationFilter.java:256) ~[unity-server-web-common-3.2.1.jar:?]
    at pl.edu.icm.unity.webui.authn.AuthenticationFilter.handleBoundSession(AuthenticationFilter.java:141) ~[unity-server-web-common-3.2.1.jar:?]
    at pl.edu.icm.unity.webui.authn.AuthenticationFilter.doFilter(AuthenticationFilter.java:82) ~[unity-server-web-common-3.2.1.jar:?]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022]
    at pl.edu.icm.unity.engine.api.utils.HiddenResourcesFilter.doFilter(HiddenResourcesFilter.java:49) ~[unity-server-engine-api-3.2.1.jar:?]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1592) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1296) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485) ~[jetty-servlet-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1562) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1211) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at pl.edu.icm.unity.engine.server.ClientIPSettingHandler.handle(ClientIPSettingHandler.java:58) ~[unity-server-engine-3.2.1.jar:?]
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:221) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322) ~[jetty-rewrite-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:717) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.Server.handle(Server.java:500) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at pl.edu.icm.unity.engine.server.JettyServer$1.handle(JettyServer.java:216) ~[unity-server-engine-3.2.1.jar:?]
    at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:386) ~[jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:562) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:378) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270) [jetty-server-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:543) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:398) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) [jetty-io-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129) [jetty-util-9.4.22.v20191022.jar:9.4.22.v20191022]

Any ideas?

Thanks,
Shiraz

--
Shiraz Memon
From: Krzysztof B. <kb...@un...> - 2020-03-15 20:05:00

Dear Subscribers,

A bugfix-only release 3.2.1 is ready to download. Among others:

* RPM package was fixed in numerous ways, should work fine again.
* Couple of console stability improvements.
* Fixed editing of all optional image-related attribute types.
* ... and more, details can be found in Downloads
  <https://www.unity-idm.eu/downloads/>

Best,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2020-03-14 10:05:17

Hi,

On 13.03.2020 at 19:34, D Baum wrote:
> Hi!
>
> I've configured a registration form in unity for my users and I'd like
> to collect their agreement to our terms and conditions. The terms can be
> seen at a publicly available URL. How can I link to that URL in the
> agreement text (instead of pasting two pages of legalese into the
> agreement box)?

For the current unity:

first of all you need to set

unityServer.core.allowFullHtml=true

in unityServer.conf. This turns off some of the XSS prevention measures,
basically trusting admin-entered HTML.

Then you can configure your registration form agreement with a link,
like this:

I agree to <a href="https://example.com/tou.html" target="_blank">ToU</a>

What is more, a proper handling of policy documents & agreements is
under development and should be available in 3.3 or 3.4 latest. Unity
will offer: central definition of policy documents, support for changing
of document versions, tracking of who accepted what, common support for
requiring acceptance across registration forms, enquiry forms and IdP
endpoints.

HTH,
Krzysztof
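With allowFullHtml=true the server trusts whatever HTML the admin pastes into the agreement box, so the safeguard moves to the admin's side. The checker below is an added example (not Unity code) that an admin could run over agreement text before saving it: it allows only plain text and <a> links to https URLs with href/target/rel attributes, which is all the snippet above needs, and rejects everything else.

```python
"""Allowlist check for admin-entered agreement HTML.

Added example for this thread, not Unity code. It assumes the agreement
text needs nothing beyond plain text and <a> links to https URLs, as in
the example from the thread; anything else is reported as a problem.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"a"}
ALLOWED_ATTRS = {"a": {"href", "target", "rel"}}

# The agreement text given in the thread (expected to pass).
PAGE_EXAMPLE = 'I agree to <a href="https://example.com/tou.html" target="_blank">ToU</a>'


class AgreementHtmlChecker(HTMLParser):
    """Record every construct outside the allowlist instead of rendering anything."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.problems = []
        self.open_links = 0

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.problems.append(f"tag <{tag}> is not allowed")
            return
        self.open_links += 1
        for name, value in attrs:
            if name not in ALLOWED_ATTRS[tag]:
                # Covers event handlers (onclick, ...) and style/class alike.
                self.problems.append(f"attribute {name!r} on <{tag}> is not allowed")
            elif name == "href":
                scheme = urlsplit((value or "").strip()).scheme.lower()
                if scheme != "https":
                    self.problems.append(f"href {value!r} must be an https URL")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.open_links -= 1

    def handle_comment(self, data):
        self.problems.append("HTML comments are not allowed")

    def handle_decl(self, decl):
        self.problems.append("doctype/declarations are not allowed")

    def handle_pi(self, data):
        self.problems.append("processing instructions are not allowed")


def check_agreement_html(text):
    """Return a list of problems; an empty list means the text is within the allowlist."""
    checker = AgreementHtmlChecker()
    checker.feed(text)
    checker.close()
    if checker.open_links != 0:
        checker.problems.append("unbalanced <a> tags")
    return checker.problems


if __name__ == "__main__":
    for sample in (PAGE_EXAMPLE, 'See <a href="http://example.com/tou.html">ToU</a>'):
        print(repr(sample), "->", check_agreement_html(sample) or "OK")
```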
From: Krzysztof B. <kb...@un...> - 2020-03-14 09:42:05

Hi,

On 12.03.2020 at 19:59, D Baum wrote:
> Hi!
>
> I feel I've asked about this before but could not find the message any
> more - sorry!
>
> I'm trying to configure two SAML SPs in parallel in
> conf/modules/saml/saml-webidp.properties:
>
> unity.saml.acceptedSPMetadataSource.a.url=file:///conf/saml/a-metadata.xml
> unity.saml.acceptedSPMetadataSource.b.url=file:///conf/saml/b-metadata.xml
> unity.saml.spAcceptPolicy=validRequester
>
> SP A works fine, but I've got issues with SP B, which is a
> Shibboleth/Apache setup. When I try to access a protected resource, I
> get forwarded to unity and it tells me:
>
> SAML IdP got an invalid request.

So certainly the B's metadata is a problem. You can enable more detailed
logging on the saml facility (DEBUG should be enough, but try TRACE to
get all insights) and check what SPs were extracted from the config.
Especially the logger 'unity.server.saml.MetaToSPConfigConverter' should
be helpful.

HTH,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2020-03-14 09:30:58

Hi Sander,

On 11.03.2020 at 12:05, Sander Apweiler wrote:
> Hi Krzysztof,
>
> this is still an issue for us and users asked for some updates. How is
> your plan with the RO-user?

Request is accepted and waits in line. If this turns out to be simple,
which I hope, then it should be in 3.3. If not, then we will see 3.4
likely. That is a cross-cutting feature, and hard to assess without
actual work.

Best,
Krzysztof
From: D B. <ba...@aw...> - 2020-03-13 18:34:32

Hi!

I've configured a registration form in unity for my users and I'd like
to collect their agreement to our terms and conditions. The terms can be
seen at a publicly available URL. How can I link to that URL in the
agreement text (instead of pasting two pages of legalese into the
agreement box)?

Cheers,
D
From: D B. <ba...@aw...> - 2020-03-12 18:59:25

Hi!

I feel I've asked about this before but could not find the message any
more - sorry!

I'm trying to configure two SAML SPs in parallel in
conf/modules/saml/saml-webidp.properties:

unity.saml.acceptedSPMetadataSource.a.url=file:///conf/saml/a-metadata.xml
unity.saml.acceptedSPMetadataSource.b.url=file:///conf/saml/b-metadata.xml
unity.saml.spAcceptPolicy=validRequester

SP A works fine, but I've got issues with SP B, which is a
Shibboleth/Apache setup. When I try to access a protected resource, I
get forwarded to unity and it tells me:

SAML IdP got an invalid request.
eu.unicore.samly2.exceptions.SAMLRequesterException: Issuer is not among trusted: https://mydomain/shibboleth

In the unity logs, I find this:

eu.unicore.samly2.exceptions.SAMLRequesterException: Issuer is not among trusted: https://mydomain/shibboleth
    at eu.unicore.samly2.validators.AbstractRequestValidator.validate(AbstractRequestValidator.java:87) ~[samly2-2.4.0.jar:2.4.0]
    at pl.edu.icm.unity.saml.validator.WebAuthRequestValidator.validate(WebAuthRequestValidator.java:33) ~[unity-server-saml-3.2.0.jar:?]
    at pl.edu.icm.unity.saml.idp.web.filter.SamlParseServlet.validate(SamlParseServlet.java:213) ~[unity-server-saml-3.2.0.jar:?]
    at pl.edu.icm.unity.saml.idp.web.filter.SamlParseServlet.processSamlRequestInterruptible(SamlParseServlet.java:140) ~[unity-server-saml-3.2.0.jar:?]
    at pl.edu.icm.unity.saml.idp.web.filter.SamlParseServlet.processSamlRequest(SamlParseServlet.java:93) ~[unity-server-saml-3.2.0.jar:?]
    at pl.edu.icm.unity.saml.idp.web.filter.SamlParseServlet.doGet(SamlParseServlet.java:73) ~[unity-server-saml-3.2.0.jar:?]
Caused by: eu.unicore.samly2.exceptions.SAMLValidationException: Issuer is not among trusted: https://mydomain/shibboleth
    at eu.unicore.samly2.trust.EnumeratedTrustChecker.checkTrust(EnumeratedTrustChecker.java:95) ~[samly2-2.4.0.jar:2.4.0]
    at eu.unicore.samly2.validators.AbstractRequestValidator.validate(AbstractRequestValidator.java:83) ~[samly2-2.4.0.jar:2.4.0]

The problem goes away if I set

unity.saml.spAcceptPolicy=all

Is this error about the crypto certificate being untrusted or about the
SAML SP being untrusted? I tried dumping the SP's certificate in
conf/pki/trusted-ca but to no avail.

Cheers,
D
From: D B. <ba...@aw...> - 2020-03-11 16:02:19

Hi Krzysztof,

On 10/03/2020 20:25, Krzysztof Benedyczak wrote:
> We have a ticket to bring also translation profiles view, for the shared
> ones (mostly sys:*).

Cool - since it's defining shared profiles I'm after.

> In translation profile editor you have the "include" statement. Include
> a system profile you want to inspect. Then in the rule's menu (hamburger
> on top right) there is expand action. It will replace the include rule
> with all the statements of the included profile.

Thanks for the hint - good to know. Though I'm more interested in
defining shared profiles so that e.g. I can reuse the same profile for
SOAP SAML and web SAML.

Cheers,
D
From: Sander A. <sa....@fz...> - 2020-03-11 11:05:18

Hi Krzysztof,

this is still an issue for us and users asked for some updates. How is
your plan with the RO-user?

Cheers,
Sander

On Wed, 2020-02-19 at 08:17 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 18.02.2020 at 12:07, Sander Apweiler wrote:
> > Hi Krzysztof,
> > we plan to create some public OAuth client which can be used for OIDC
> > agents. We do not want to have changes in the credential or return URL
> > by users of this client and prohibit the login in userhome. We tested
> > it with status login disabled but we got the following error:
> >
> > '{"message":"Invalid user name, credential or external authentication
> > failed. ","error":"AuthenticationException"}'
> >
> > With enabled status the client is working.
> >
> > Do you have some idea or hint how we could reach our target?
>
> Yeah, login can't be disabled for oauth client entity, as this client
> does log into unity in the oauth process (unless you use implicit grant
> only).
>
> I don't think I have a good solution at hand. The situation is that
> blocking of homeUI access for certain users can be easily implemented in
> various ways. But the real problem is authZ of operations - you can
> change attribute using REST if you are permitted, homeUI is not needed.
>
> Now, I guess that in your case the big picture is that you want a
> mixture: you have on the same system clients for which you do want to
> allow for changing the returnURL attribute and client(s) for whom this
> should be blocked? So far this can be only controlled globally in Unity
> - attribute type can be set to modifiable by owner or not. What's more
> blocking password change by entity holding it is not supported.
>
> Implementation wise we have couple of options. I think the simplest is
> to add a new authZ role: limited(RO)-user. I.e. same rights as regular
> user, but with all writes prohibited. This would cover all except authZ
> of HomeUI access, which would need to be covered separately, but also
> would be of minimal priority: ro-regular-user would be able to log into
> homeUI, but would not be able to change anything. How does it sound?
>
> Best,
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Krzysztof B. <kb...@un...> - 2020-03-10 19:41:35

Hi Sander,

On 10.03.2020 at 15:47, Sander Apweiler wrote:
> Hi Krzysztof,
>
> where do I need to enter the JWT management endpoint config? Is it
> placed in the unityServer.conf?

In 3.x: in console -> services, add new and select type "JWT"

In 2.x (and 3.x if basing on config files): you need to put them in a
separate file, and use this file as configuration for the endpoint.
I.e. JWT is configured as any other endpoint: the endpoint definition
goes to unityServer.conf (or an included module) and it references the
endpoint's config file.

HTH,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2020-03-10 19:38:29

On 06.03.2020 at 10:43, D Baum wrote:
> Hi,
>
> if I remember correctly the 2.5 installation was rpm, the 3.2 is tar.gz
> (now). So I think this is root of confusion.

There was no change between 2.5 and 3.2 up to my knowledge. But the root
for RPM/deb is '/', for tar.gz it is the install dir. Most of the time
this is irrelevant as base config files have variables with root
dir/conf dir etc., but this is not used by subsystem-defined configs
(like the saml endpoint) which are processed by those subsystems.

K
From: Krzysztof B. <kb...@un...> - 2020-03-10 19:33:55

Hi,

On 09.03.2020 at 18:13, D Baum wrote:
> Hi,
>
> I'm trying to configure a registration form so that our users can sign
> up on unity. I need confirmed emails for the users and an approval
> process where every user is checked by an admin and enabled.
>
> This seems to work well in unity so far - but I'd like to notify the
> admins of a new registration only when the user has verified their email
> address (and not immediately on registration). This is to prevent admins
> from accidentally enabling accounts with unverified (possibly fake)
> email addresses.
>
> Is that possible somehow?

I'm afraid not. It is only possible to auto-process the request after
email confirmation. Having the notification would need to be
implemented. I think this should be possible using the groovy events
handler, but that would be very involved work.

Best,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2020-03-10 19:25:52

Hi,

On 06.03.2020 at 13:31, D Baum wrote:
> Hi,
>
> I'd like to define a saml (output) translation profile and understand
> the handling of translation profiles better.
>
> Where is sys:saml defined? I can't find the translation profile
> definition screen in the console, only the example json files in the
> samples folder. But there's no json file for sys:saml that I could find.

We have a ticket to bring also translation profiles view, for the shared
ones (mostly sys:*).

Besides watching it in AdminUI (as you discovered in other email) there
is also one more trick you can use in console.

In translation profile editor you have the "include" statement. Include
a system profile you want to inspect. Then in the rule's menu (hamburger
on top right) there is expand action. It will replace the include rule
with all the statements of the included profile.

> I assume json is now the preferred way of defining profiles? How can I
> load them? Or, if defining profiles in the UI is still possible: where
> is that located?

No, JSON is not the preferred way. Defining profiles in UI was moved
where it belongs: to the places where the profiles are used. That is,
input profiles are part of (remote) authenticator configuration, and
output profiles can be defined and edited in IdP configurations.

HTH,
Krzysztof
From: D B. <ba...@aw...> - 2020-03-10 15:36:44

Answering my own question - the simplest method I could find was
enabling the old admin console in conf/modules/core.module and using
that (Server management -> Translation profiles).

JSON file profiles can be used like this:

unityServer.core.translationProfiles.samlOutput=${CONF}/modules/saml/samlOutput.json
unity.saml.translationProfile=samlOutput

On 06/03/2020 13:31, D Baum wrote:
> Hi,
>
> I'd like to define a saml (output) translation profile and understand
> the handling of translation profiles better.
>
> Where is sys:saml defined? I can't find the translation profile
> definition screen in the console, only the example json files in the
> samples folder. But there's no json file for sys:saml that I could find.
>
> I assume json is now the preferred way of defining profiles? How can I
> load them? Or, if defining profiles in the UI is still possible: where
> is that located?
>
> Cheers,
> D
From: Sander A. <sa....@fz...> - 2020-03-10 14:48:13

Hi Krzysztof,

where do I need to enter the JWT management endpoint config? Is it
placed in the unityServer.conf?

Cheers,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
From: D B. <ba...@aw...> - 2020-03-09 17:13:41

Hi,

I'm trying to configure a registration form so that our users can sign
up on unity. I need confirmed emails for the users and an approval
process where every user is checked by an admin and enabled.

This seems to work well in unity so far - but I'd like to notify the
admins of a new registration only when the user has verified their email
address (and not immediately on registration). This is to prevent admins
from accidentally enabling accounts with unverified (possibly fake)
email addresses.

Is that possible somehow?

Cheers,
D