unity-idm-discuss — Unity discussion and support

Re: [Unity-idm-discuss] Disable TLS version

[Marcus H. <ha...@ki...>]

Are you referring to the "B" from here:
https://www.ssllabs.com/ssltest/analyze.html?d=login.helmholtz-data-federation.de

M.

On 04/01/20 09:57, Sander Apweiler wrote:
> Hi Krzysztof,
> 
> is it possible to disable specific TLS versions (1.0 and 1.1)? I found
> only the unityServer.core.httpServer.disabledCipherSuites parameter we
> already use for a list of outdated cipher suits.
> 
> Cheers,
> Sander
> -- 
> Federated Systems and Data
> Juelich Supercomputing Centre
> 
> phone: +49 2461 61 8847
> fax: +49 2461 61 6656
> email: sa....@fz...
> 
> ----------------------------------------------------------------------
> -----------------------------------------------------------------------
> Forschungszentrum Juelich GmbH
> 52425 Juelich
> Sitz der Gesellschaft: Juelich
> Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
> Vorsitzender des Aufsichtsrats: MinDir Volker Rieke
> Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender),
> Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt
> -----------------------------------------------------------------------
> -----------------------------------------------------------------------




> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss


-- 
Marcus.

[Unity-idm-discuss] Disable TLS version

[Sander A. <sa....@fz...>]

Hi Krzysztof,

is it possible to disable specific TLS versions (1.0 and 1.1)? I found
only the unityServer.core.httpServer.disabledCipherSuites parameter we
already use for a list of outdated cipher suits.

Cheers,
Sander
-- 
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

----------------------------------------------------------------------
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzender des Aufsichtsrats: MinDir Volker Rieke
Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender),
Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt
-----------------------------------------------------------------------
-----------------------------------------------------------------------

Re: [Unity-idm-discuss] prohibiting login in home endpoint with oauth client credentials

[Krzysztof B. <kb...@un...>]

Hi Sander,

W dniu 14.03.2020 o 10:30, Krzysztof Benedyczak pisze:
> Hi Sander,
>
> W dniu 11.03.2020 o 12:05, Sander Apweiler pisze:
>> Hi Krzysztof,
>>
>> this is still an issue for us and users asked for some updates. How is
>> your plan with the RO-user?


Good news, I was completely wrong here. When I tried to check how 
difficult it is to implement, I've discovered that... this feature is 
available. Just set the "Anonymous user" role to your oauth client. It 
is exactly what you need: a fully read only user, who can not modify 
even its own credential.

We should change the name of this role to "Read only user" eventually...

Cheers,
Krzysztof

Re: [Unity-idm-discuss] Setting multivalue attribute using rest API

[Sander A. <sa....@fz...>]

Hi Krzysztof,
the issue is solved. After a hint from Tim I found the problem. Python
entered the values as string and not as an array. Now it works.

Cheers,
Sander

On Wed, 2020-03-25 at 17:39 +0100, Sander Apweiler wrote:
> Hi Krzysztof,
> 
> I try to set a multivalue attribute using the rest API, but every
> time
> the content is stored in one value. The attribute is configured as
> multivalue attribute.
> 
> First I tried to add the value element multiple times within the
> values
> array. This was my payload:
> {\'values\': [\'{"value":"
> http://localhost:4242","tags":[]},{"value":"http://localhost:8080","tags":[]},{"value":"http://localhost:43985","tags":[]}\'
> ], \'name\': \'sys:oauth:allowedReturnURI\', \'groupPath\': \'/\'}
> which lead to the value: {"value":"
> http://localhost:4242","tags":[]},{"value":"http://localhost:8080","tags":[]},{"value":"http://localhost:43985","tags":[]
> }
> 
> So I removed the parts from the request which are wrong in the
> attribute and I tried with this payload:
> {\'values\': [\'"
> http://localhost:4242","http://localhost:8080","http://localhost:43985"\'
> ], \'name\': \'sys:oauth:allowedReturnURI\', \'groupPath\': \'/\'}
> which lead to the value "
> http://localhost:4242","http://localhost:8080","http://localhost:43985
> "
> 
> After having a look in the Get response, I tried with this payload:
> {\'values\': [\'"
> http://localhost:4242",\\n"http://localhost:8080",\\n"http://localhost:43985"\'
> ], \'name\': \'sys:oauth:allowedReturnURI\', \'groupPath\': \'/\'}
> which lead to the value:
> "http://localhost:4242",
> "http://localhost:8080",
> "http://localhost:43985"
> 
> I tried calling the API multiple time, but this changes only the
> value.
> This is fine, because it should be possible to update the existing
> value.
> 
> Can you give me a hint how to set multivalues using the rest API?
> 
> Best regards,
> Sander
-- 
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

----------------------------------------------------------------------
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzender des Aufsichtsrats: MinDir Volker Rieke
Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender),
Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt,
Prof. Dr. Sebastian M. Schmidt
-----------------------------------------------------------------------
-----------------------------------------------------------------------

[Unity-idm-discuss] Setting multivalue attribute using rest API

[Sander A. <sa....@fz...>]

Hi Krzysztof,

I try to set a multivalue attribute using the rest API, but every time
the content is stored in one value. The attribute is configured as
multivalue attribute.

First I tried to add the value element multiple times within the values
array. This was my payload:
{\'values\': [\'{"value":"http://localhost:4242","tags":[]},{"value":"http://localhost:8080","tags":[]},{"value":"http://localhost:43985","tags":[]}\'], \'name\': \'sys:oauth:allowedReturnURI\', \'groupPath\': \'/\'}
which lead to the value: {"value":"http://localhost:4242","tags":[]},{"value":"http://localhost:8080","tags":[]},{"value":"http://localhost:43985","tags":[]}

So I removed the parts from the request which are wrong in the
attribute and I tried with this payload:
{\'values\': [\'"http://localhost:4242","http://localhost:8080","http://localhost:43985"\'], \'name\': \'sys:oauth:allowedReturnURI\', \'groupPath\': \'/\'}
which lead to the value "http://localhost:4242","http://localhost:8080","http://localhost:43985"

After having a look in the Get response, I tried with this payload:
{\'values\': [\'"http://localhost:4242",\\n"http://localhost:8080",\\n"http://localhost:43985"\'], \'name\': \'sys:oauth:allowedReturnURI\', \'groupPath\': \'/\'}
which lead to the value:
"http://localhost:4242",
"http://localhost:8080",
"http://localhost:43985"

I tried calling the API multiple time, but this changes only the value.
This is fine, because it should be possible to update the existing
value.

Can you give me a hint how to set multivalues using the rest API?

Best regards,
Sander
-- 
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

----------------------------------------------------------------------
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzender des Aufsichtsrats: MinDir Volker Rieke
Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender),
Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt,
Prof. Dr. Sebastian M. Schmidt
-----------------------------------------------------------------------
-----------------------------------------------------------------------

Re: [Unity-idm-discuss] Feature request: case-insensitive userNames

[Krzysztof B. <kb...@un...>]

Hi,

W dniu 24.03.2020 o 17:08, D Baum pisze:
> Hi!
>
> just found that on my unity instance I can register as separate entities
> with userNames "dbaum", "DBaum", "DbAuM", etc.
>
> In itself, I find this a little confusing for the moderators/admins
> (remembering that DBaum and dbaum can be different people).
>
> However, my unity clients don't all take capitalisation into account
> when retrieving user data (see, e.g.
> https://stackoverflow.com/questions/44821863/spring-boot-security-consider-case-insensitive-username-check-for-login/)
>
> I realise that this could be exploited to hijack a user's account if you
> know the username, by registering the same username with different
> capitalisation in unity and then logging into the client.
>
> Now, I've fixed this on the client side for my setup (where it should be
> fixed). But can I ask that you consider adding a feature where users are
> prevented from registering entities with usernames that differ from
> existing ones only in capitalisation?

Yes, makes sense. We have this supported since quite a long time for 
email identities (I guess more popular nowadays) but such feature can be 
also added for usernames.

Cheers,
Krzysztof

Re: [Unity-idm-discuss] Feature request: case-insensitive userNames

[Krzysztof B. <kb...@un...>]

W dniu 24.03.2020 o 17:08, D Baum pisze:
> Hi!
>
> just found that on my unity instance I can register as separate entities
> with userNames "dbaum", "DBaum", "DbAuM", etc.
>
> In itself, I find this a little confusing for the moderators/admins
> (remembering that DBaum and dbaum can be different people).
>
> However, my unity clients don't all take capitalisation into account
> when retrieving user data (see, e.g.
> https://stackoverflow.com/questions/44821863/spring-boot-security-consider-case-insensitive-username-check-for-login/)
>
> I realise that this could be exploited to hijack a user's account if you
> know the username, by registering the same username with different
> capitalisation in unity and then logging into the client.
>
> Now, I've fixed this on the client side for my setup (where it should be
> fixed). But can I ask that you consider adding a feature where users are
> prevented from registering entities with usernames that differ from
> existing ones only in capitalisation?


Just to clarify: we won't be able to just change the matching, what is 
technically trivial but may break many things: PAM based authN for 
instance or existing databases where there are already multiple 
usernames differing only with case. So this will be either a new 
identity type or an config option for username identity type.

KB

[Unity-idm-discuss] Feature request: case-insensitive userNames

[D B. <ba...@aw...>]

Hi!

just found that on my unity instance I can register as separate entities
with userNames "dbaum", "DBaum", "DbAuM", etc.

In itself, I find this a little confusing for the moderators/admins
(remembering that DBaum and dbaum can be different people).

However, my unity clients don't all take capitalisation into account
when retrieving user data (see, e.g.
https://stackoverflow.com/questions/44821863/spring-boot-security-consider-case-insensitive-username-check-for-login/)

I realise that this could be exploited to hijack a user's account if you
know the username, by registering the same username with different
capitalisation in unity and then logging into the client.

Now, I've fixed this on the client side for my setup (where it should be
fixed). But can I ask that you consider adding a feature where users are
prevented from registering entities with usernames that differ from
existing ones only in capitalisation?

Cheers
D

Re: [Unity-idm-discuss] Different output translation profiles for different SAML SPs?

[D B. <ba...@aw...>]

Hi,

thanks again! A condition based on `requester` seems to be what I'm
looking for :-)

D

On 20/03/2020 19:20, Sander Apweiler wrote:
> Hi,
> 
> entityId seems not to be in the output profile, see [1]. We did it with
> requester and added the server manually with testing if it was the URL
> or the entityID. But we did not use entityID as special parameter.
> 
> Cheers,
> Sander
> 
> [1]: https://www.unity-idm.eu/documentation/unity-3.2.1/manual.html#_output_translation
> 
> On Fri, 2020-03-20 at 15:51 +0100, D Baum wrote:
>> Hi,
>>
>> On 20/03/2020 07:13, Sander Apweiler wrote:
>>> 2. Same as above but change the condition from true to some
>>> expresion
>>> with something like "requester=serviceA". I can't remember if we
>>> had
>>> used only the server name or entityID in this place.
>>
>> Thanks, that's the sort of thing I was looking for!
>>
>> For testing, I tried creating a rule with a condition based on
>> entityId
>> and another one just adding the entityId as an attribute:
>>
>> createAttribute|attributeName: entityId|expression:
>> entityId|mandatory:
>> false|attributeDisplayName: |attributeDescription: |type:
>>
>> In the logs, I'm getting
>> org.mvel2.PropertyAccessException: [Error: could not access:
>> entityId;
>> in class: java.util.HashMap]
>> [Near : {... entityId ....}]
>>              ^
>> [Line: 1, Column: 1]
>>
>> According to
>> https://www.unity-idm.eu/documentation/unity-3.2.1/manual.html#attributes
>> entityId should be available similar to attr.
>>
>> What am I doing wrong?
>>
>> Cheers,
>> D
>>
>>
>> _______________________________________________
>> Unity-idm-discuss mailing list
>> Uni...@li...
>> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss

Re: [Unity-idm-discuss] Different output translation profiles for different SAML SPs?

[Sander A. <sa....@fz...>]

Hi,

entityId seems not to be in the output profile, see [1]. We did it with
requester and added the server manually with testing if it was the URL
or the entityID. But we did not use entityID as special parameter.

Cheers,
Sander

[1]: https://www.unity-idm.eu/documentation/unity-3.2.1/manual.html#_output_translation

On Fri, 2020-03-20 at 15:51 +0100, D Baum wrote:
> Hi,
> 
> On 20/03/2020 07:13, Sander Apweiler wrote:
> > 2. Same as above but change the condition from true to some
> > expresion
> > with something like "requester=serviceA". I can't remember if we
> > had
> > used only the server name or entityID in this place.
> 
> Thanks, that's the sort of thing I was looking for!
> 
> For testing, I tried creating a rule with a condition based on
> entityId
> and another one just adding the entityId as an attribute:
> 
> createAttribute|attributeName: entityId|expression:
> entityId|mandatory:
> false|attributeDisplayName: |attributeDescription: |type:
> 
> In the logs, I'm getting
> org.mvel2.PropertyAccessException: [Error: could not access:
> entityId;
> in class: java.util.HashMap]
> [Near : {... entityId ....}]
>              ^
> [Line: 1, Column: 1]
> 
> According to
> https://www.unity-idm.eu/documentation/unity-3.2.1/manual.html#attributes
> entityId should be available similar to attr.
> 
> What am I doing wrong?
> 
> Cheers,
> D
> 
> 
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
-- 
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

----------------------------------------------------------------------
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzender des Aufsichtsrats: MinDir Volker Rieke
Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender),
Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt,
Prof. Dr. Sebastian M. Schmidt
-----------------------------------------------------------------------
-----------------------------------------------------------------------

Re: [Unity-idm-discuss] Different output translation profiles for different SAML SPs?

[D B. <ba...@aw...>]

Hi,

On 20/03/2020 07:13, Sander Apweiler wrote:
> 2. Same as above but change the condition from true to some expresion
> with something like "requester=serviceA". I can't remember if we had
> used only the server name or entityID in this place.

Thanks, that's the sort of thing I was looking for!

For testing, I tried creating a rule with a condition based on entityId
and another one just adding the entityId as an attribute:

createAttribute|attributeName: entityId|expression: entityId|mandatory:
false|attributeDisplayName: |attributeDescription: |type:

In the logs, I'm getting
org.mvel2.PropertyAccessException: [Error: could not access: entityId;
in class: java.util.HashMap]
[Near : {... entityId ....}]
             ^
[Line: 1, Column: 1]

According to
https://www.unity-idm.eu/documentation/unity-3.2.1/manual.html#attributes
entityId should be available similar to attr.

What am I doing wrong?

Cheers,
D

Re: [Unity-idm-discuss] Different output translation profiles for different SAML SPs?

[Sander A. <sa....@fz...>]

Hi,
you have different ways to do it.
1. Just create two rules one with attributeName=urn.... and one with
attributeName=username. In this case the attribute is released every
time in both formats.
2. Same as above but change the condition from true to some expresion
with something like "requester=serviceA". I can't remember if we had
used only the server name or entityID in this place.
3. Most complex and mostly not wanted: Create multiple endpoints to the
services. In this case you can create dedicated translation profiles
for the service.

Cheers,
Sander

On Thu, 2020-03-19 at 17:59 +0100, D Baum wrote:
> Hi,
> 
> is it possible to serve different entity attributes to different SPs
> with unity?
> Say I want to serve the username as
> "urn:mace:dir:attribute-def:cn" to one SP but as "username" to
> another.
> Is that feasible?
> 
> Cheers,
> D
> 
> 
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
-- 
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

----------------------------------------------------------------------
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzender des Aufsichtsrats: MinDir Volker Rieke
Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender),
Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt,
Prof. Dr. Sebastian M. Schmidt
-----------------------------------------------------------------------
-----------------------------------------------------------------------

[Unity-idm-discuss] Different output translation profiles for different SAML SPs?

[D B. <ba...@aw...>]

Hi,

is it possible to serve different entity attributes to different SPs
with unity?
Say I want to serve the username as
"urn:mace:dir:attribute-def:cn" to one SP but as "username" to another.
Is that feasible?

Cheers,
D

Re: [Unity-idm-discuss] UI Bug registration forms (v3.2.1)

[Krzysztof B. <kb...@un...>]

Hi,

W dniu 18.03.2020 o 13:32, Shiraz Memon pisze:
> Hi Krzysztof,
>
> I have found a non-crucial UI bug. So, as soon as I update any 
> registration form, unity moves to another position in the forms list.
>
> Image suffixed with ...13-16-34.png shows a list of registration forms 
> defined in my instance, please note the orcid form at the top. The 
> other image (...13-17-35.png) shows the orcid form which has moved to 
> the bottom as a result of small update. Is the behavior intended?


Well, by default the list is not sorted. But you can click on any column 
header and sort it :-)


>
> By the way, some meta-information about the forms, e.g. creation and 
> last-modified date would be helpful.


perhaps, but currently we don't have this metadata persisted for forms, 
so nothing to show.

Best
KB

Re: [Unity-idm-discuss] Best way to include page with terms and conditions in registration form?

[Krzysztof B. <kb...@un...>]

W dniu 18.03.2020 o 11:35, D Baum pisze:
> Ah, thanks, that solves my issue!
>
> Nonetheless, some suggestions for your backlog regarding UX:
> Having attributes listed as [0] through [4] is not very straightforward
> for editing, the attribute name would be more intuitive.
> Or you could add the "reorder" button that exists in the profile action
> page also to the page for editing the collected attributes.

Yes, we are aware of this. Simply put that's quite a bit of work on a 
rather rarely used functionality, so rather far in the queue.

[Unity-idm-discuss] UI Bug registration forms (v3.2.1)

[Shiraz M. <a....@fz...>]

Hi Krzysztof,

I have found a non-crucial UI bug. So, as soon as I update any registration form, unity moves to another position in the forms list.

Image suffixed with ...13-16-34.png shows a list of registration forms defined in my instance, please note the orcid form at the top. The other image (...13-17-35.png) shows the orcid form which has moved to the bottom as a result of small update. Is the behavior intended?

By the way, some meta-information about the forms, e.g. creation and last-modified date would be helpful.

Thanks,
Shiraz
--
Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)

Phone: +49 2461 61 6899
Fax:     +49 2461 61 6656


------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzender des Aufsichtsrats: MinDir Volker Rieke
Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender),
Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt,
Prof. Dr. Sebastian M. Schmidt
------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------

Re: [Unity-idm-discuss] SAML SP SLO path not announced in metadata?

[D B. <ba...@aw...>]

Huh, it started working now, metadata now contains SLO info. Maybe I
missed a restart? In any case, you can ignore the question :-)

On 17/03/2020 20:48, D Baum wrote:
> Hi,
> 
> I'm trying to configure a remote SAML authenticator.
> 
> In conf/modules/saml/samlAuthenticator.properties, I've set these options:
> 
> unity.saml.requester.metadataPath=metadata
> unity.saml.requester.sloPath=slo
> unity.saml.requester.sloRealm=default
> 
> When I access unity's SP metadata file at
> https://myunity/unitygw/saml-sp-metadata/metadata
> it contains the AssertionConsumerService but no SingleLogoutService
> description.
> 
> The SLO itself seems to be available OK at
> https://myunity/unitygw/SPSLO/WEB/slo
> 
> Can I make unity include the SLO URL in the autogenerated SP metadata?
> 
> Cheers,
> D
> 

Re: [Unity-idm-discuss] Best way to include page with terms and conditions in registration form?

[D B. <ba...@aw...>]

Ah, thanks, that solves my issue!

Nonetheless, some suggestions for your backlog regarding UX:
Having attributes listed as [0] through [4] is not very straightforward
for editing, the attribute name would be more intuitive.
Or you could add the "reorder" button that exists in the profile action
page also to the page for editing the collected attributes.

Cheers,
D

On 18/03/2020 10:36, Krzysztof Benedyczak wrote:
> Hi,
> 
> W dniu 17.03.2020 o 15:44, D Baum pisze:
>> Hi!
>>
>> On 14/03/2020 11:04, Krzysztof Benedyczak wrote:
>>> For the current unity:
>>>
>>> first of all you need to set
>>>
>>> unityServer.core.allowFullHtml=true
>>>
>>> in unityServer.conf. This turns off some of the XSS prevention measures,
>>> basically trusting admin-entered HTML.
>>>
>>> Then you can configure your registration form agreement with a link,
>>> like this:
>>>
>>> I agree to <a href="https://example.com/tou.html" target="_blank">ToU</a>
>> Perfect, thanks!
>>
>> BTW: Is there a way to re-order the form elements?
> 
> Yes. Just enable custom layout
> 
> 
> HTH,
> KB
> 

Re: [Unity-idm-discuss] Best way to include page with terms and conditions in registration form?

[Krzysztof B. <kb...@un...>]

Hi,

W dniu 17.03.2020 o 15:44, D Baum pisze:
> Hi!
>
> On 14/03/2020 11:04, Krzysztof Benedyczak wrote:
>> For the current unity:
>>
>> first of all you need to set
>>
>> unityServer.core.allowFullHtml=true
>>
>> in unityServer.conf. This turns off some of the XSS prevention measures,
>> basically trusting admin-entered HTML.
>>
>> Then you can configure your registration form agreement with a link,
>> like this:
>>
>> I agree to <a href="https://example.com/tou.html" target="_blank">ToU</a>
> Perfect, thanks!
>
> BTW: Is there a way to re-order the form elements?

Yes. Just enable custom layout


HTH,
KB

Re: [Unity-idm-discuss] UI bug while creating/editing scopes (v3.2.1)

[Krzysztof B. <kb...@un...>]

Hi Shiraz,

W dniu 17.03.2020 o 17:02, Shiraz Memon pisze:
> Hi Krzysztof,
>
> If I'd want to define an attribute, which is not an existing one 
> (under the "Attributes" combobox), unity simply add two of the same 
> types instead of one. For instance, I have tried to add given_name 
> attribute, consequently two of the same types (following pic. shows 
> that behavior) of attributes are added. Ideally unity should not allow 
> adding two attributes of the same type within a scope definition 
> (regardless of existing or non-existing).

Reproduced, fix will go out in 3.2.2.

Thanks
KB

[Unity-idm-discuss] SAML SP SLO path not announced in metadata?

[D B. <ba...@aw...>]

Hi,

I'm trying to configure a remote SAML authenticator.

In conf/modules/saml/samlAuthenticator.properties, I've set these options:

unity.saml.requester.metadataPath=metadata
unity.saml.requester.sloPath=slo
unity.saml.requester.sloRealm=default

When I access unity's SP metadata file at
https://myunity/unitygw/saml-sp-metadata/metadata
it contains the AssertionConsumerService but no SingleLogoutService
description.

The SLO itself seems to be available OK at
https://myunity/unitygw/SPSLO/WEB/slo

Can I make unity include the SLO URL in the autogenerated SP metadata?

Cheers,
D

[Unity-idm-discuss] UI bug while creating/editing scopes (v3.2.1)

[Shiraz M. <a....@fz...>]

Hi Krzysztof,

If I'd want to define an attribute, which is not an existing one (under the "Attributes" combobox), unity simply add two of the same types instead of one. For instance, I have tried to add given_name attribute, consequently two of the same types (following pic. shows that behavior) of attributes are added. Ideally unity should not allow adding two attributes of the same type within a scope definition (regardless of existing or non-existing).

[image.png]
Thanks,
Shiraz
--
Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)

Phone: +49 2461 61 6899
Fax:     +49 2461 61 6656


------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzender des Aufsichtsrats: MinDir Volker Rieke
Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender),
Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt,
Prof. Dr. Sebastian M. Schmidt
------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------

Re: [Unity-idm-discuss] Best way to include page with terms and conditions in registration form?

[D B. <ba...@aw...>]

Hi!

On 14/03/2020 11:04, Krzysztof Benedyczak wrote:
> For the current unity:
> 
> first of all you need to set
> 
> unityServer.core.allowFullHtml=true
> 
> in unityServer.conf. This turns off some of the XSS prevention measures,
> basically trusting admin-entered HTML.
> 
> Then you can configure your registration form agreement with a link,
> like this:
> 
> I agree to <a href="https://example.com/tou.html" target="_blank">ToU</a>

Perfect, thanks!

BTW: Is there a way to re-order the form elements?

> What is more, a proper handling of policy documents & agreements is
> under development and should be available in 3.3 or 3.4 latest. Unity
> will offer: central definition of policy documents, support for changing
> of document versions, tracking of who accepted what, common support for
> requiring acceptance across registration forms, enquiry forms and IdP
> endpoints.

Wow, sounds cool :-)

Thanks!
D

Re: [Unity-idm-discuss] View trust store directory or keystores

[Krzysztof B. <kb...@un...>]

Hi,

W dniu 16.03.2020 o 15:30, Shiraz Memon pisze:
> Hi,
>
> Any clues how to view the trust store, which is configured as a 
> directory or jks? or it is not supported(?)
>

No, that's not supported in Console. You need to use keytool or ls on 
the server.

Implementing truststore in console is in our plans but not on a short 
list currently, and anyway what we paln to provide will be simplified 
version of what you can currently configure in Unity pki.properties.

K

Re: [Unity-idm-discuss] NPE on clicking user entries

[Krzysztof B. <kb...@un...>]

Hi,

W dniu 16.03.2020 o 14:46, Shiraz Memon pisze:
> Hi,
>
> Unity v3.2.1 throws an NPE when I click any user under the directory 
> browser.

Hmm, nothing obvious... Let me take it to a private thread.

Best
KB