From: Krzysztof B. <kb...@un...> - 2018-11-13 11:24:23

On 13.11.2018 at 09:17, Sander Apweiler wrote:
> Hi Krzysztof,
>
> With unity 2.7.2 (.1 was not tested) the sort of IdPs in the grid is
> much better. But it can still be improved. For the tiles unity switched in
> the past from ASCII sort (AMOLF before Aalto) to alphabetical sort (Aalto
> before AMOLF). It would be great if this could be done for the grid
> too.

OK, I'll open a ticket to improve it.

Thanks for the notice
KB
From: Sander A. <sa....@fz...> - 2018-11-13 08:19:33

Hi Krzysztof,

With unity 2.7.2 (.1 was not tested) the sort of IdPs in the grid is much better. But it can still be improved. For the tiles unity switched in the past from ASCII sort (AMOLF before Aalto) to alphabetical sort (Aalto before AMOLF). It would be great if this could be done for the grid too.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren local court, no. HR B 3498
Chairman of the Supervisory Board: MinDir Dr. Karl Eugen Huthmacher
Management: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt
-----------------------------------------------------------------------
From: Krzysztof B. <kb...@un...> - 2018-11-12 09:33:02

Dear Subscribers,

Unity bugfix release 2.7.2 was published, eliminating a problem with the DB cache. The RDBMS cache implementation turned out to suffer from a race condition. It is not happening often, but the consequences might be severe, as Unity may answer with stale information.

For installations of 2.6.x and 2.7.x versions which can not be updated immediately, we advise turning off the DB cache (assuming you use the relational database store):

unityServer.storage.engine.rdbms.cacheMaxEntries=0

As fixing the cache would be far from trivial and would make the caching layer even more complex, we decided to fully remove the DB-level cache. Instead a series of smaller optimizations were applied, and a simple cache of the authorization layer was added. Together, performance should be pretty comparable to the DB cache layer, while stability is greatly improved.

Best regards,
Krzysztof
From: Sander A. <sa....@fz...> - 2018-11-06 07:24:56

Hi Krzysztof,

It works. Thank you very much. I just moved the rule from the registration form to the translation profile, so existing users get this attribute at next login too.

Cheers,
Sander

On Monday, 05.11.2018, 20:27 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 05.11.2018 at 11:53, Sander Apweiler wrote:
> > Hi Krzysztof,
> >
> > we want to add some attributes, if not provided by the IdP, based on
> > the IdP itself. Is it possible to compare the IdP in the condition of
> > automatically assigned settings?
> >
> > To give an example. I login with the Juelich IdP and the IdP does not
> > provide some assurance information. I want to set them during the
> > account creation. The condition would look like !(eattr contains
> > 'eduPersonAssurance') && IdP=='fz-juelich.de'
> >
> > Do I get the IdP in some variables?
>
> Out of the box not - registration is quite often done locally without any
> remote information.
>
> But it is possible to set this up:
>
> 1. the remote IDP id is available in the input translation profile (the
> 'idp' variable) used by your authenticator, that is authenticating a
> user to be registered. So first of all save this information into an
> attribute in the input profile, e.g. in an attribute IDP.
>
> 2. in the registration form add a collected attribute - IDP. Set this
> attribute as collected from remote IdP and hidden. Then you can use it
> in your registration form automation (e.g. rattr['idp'])
>
> See the respective chapters in the manual for more details.
>
> HTH,
>
> Krzysztof
From: Krzysztof B. <kb...@un...> - 2018-11-05 19:27:58

Hi Sander,

On 05.11.2018 at 11:53, Sander Apweiler wrote:
> Hi Krzysztof,
>
> we want to add some attributes, if not provided by the IdP, based on
> the IdP itself. Is it possible to compare the IdP in the condition of
> automatically assigned settings?
>
> To give an example. I login with the Juelich IdP and the IdP does not
> provide some assurance information. I want to set them during the
> account creation. The condition would look like !(eattr contains
> 'eduPersonAssurance') && IdP=='fz-juelich.de'
>
> Do I get the IdP in some variables?

Out of the box not - registration is quite often done locally without any remote information.

But it is possible to set this up:

1. the remote IDP id is available in the input translation profile (the 'idp' variable) used by your authenticator, that is authenticating a user to be registered. So first of all save this information into an attribute in the input profile, e.g. in an attribute IDP.

2. in the registration form add a collected attribute - IDP. Set this attribute as collected from remote IdP and hidden. Then you can use it in your registration form automation (e.g. rattr['idp'])

See the respective chapters in the manual for more details.

HTH,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2018-11-05 19:21:01

Dear Subscribers,

Two updates this time:

1. *Unity 2.7.1 was released*

The main focus was on improvements in the speed of loading the users list and groups tree in AdminUI (significant if you have thousands of users/groups or just a slow DB). AdminUI now scales nicely up to tens of thousands of users and a similar number of groups, which was a problem so far, especially with slower RDBMS storage backends. We have future plans for scaling AdminUI even more, to support millions of users, but this will require some compromises in functionality.

There is also a performance bugfix for admins who were members of many groups (100+): using AdminUI by such users is not extremely slow anymore; there is no difference based on the number of group memberships.

Other improvements include enhanced message template loading: Unity can be configured to load configured templates on startup, overwriting the templates stored in the DB, and AdminUI allows for reloading templates from configuration at runtime.

There are also several other minor enhancements:

* UY-812 <https://dev.unity-idm.eu/jira/browse/UY-812> Fix sorting and searching on authN screen
* UY-793 <https://dev.unity-idm.eu/jira/browse/UY-793> More flexible OAuth trusted URL matching
* UY-795 <https://dev.unity-idm.eu/jira/browse/UY-795> Subject text field in template editor should be 100% wide
* UY-813 <https://dev.unity-idm.eu/jira/browse/UY-813> Allow to configure a custom link for signup on authentication screen
* UY-814 <https://dev.unity-idm.eu/jira/browse/UY-814> Enable Norwegian locale

2. *Unity is now hosted at Weblate*

Weblate is an open source web translation management system. If you want to contribute by translating Unity, it should be very easy starting now. Everybody can join and start fixing localized strings right away. What is more, the platform keeps track of what has changed in the base translations, making translation maintenance simpler.

See: https://hosted.weblate.org/projects/unity-idm/

The system is integrated with the Unity repository and we accept pull requests directly to Unity's Github repository.

Best regards,
Krzysztof
From: Sander A. <sa....@fz...> - 2018-11-05 10:53:52

Hi Krzysztof,

we want to add some attributes, if not provided by the IdP, based on the IdP itself. Is it possible to compare the IdP in the condition of automatically assigned settings?

To give an example. I login with the Juelich IdP and the IdP does not provide some assurance information. I want to set them during the account creation. The condition would look like !(eattr contains 'eduPersonAssurance') && IdP=='fz-juelich.de'

Do I get the IdP in some variables?

Cheers,
Sander
From: Krzysztof B. <kb...@un...> - 2018-10-17 14:30:12

Hi Sander,

On 17.10.2018 at 14:28, Sander Apweiler wrote:
> Hi Krzysztof,
>
> is it possible to create some kind of audit log or something else where
> I can see who increases access roles or adds privileged users outside
> of the regular unity log?

Unfortunately not. This is a missing feature; we even have a ticket open for this (since 2013, one of the oldest not done) but as there was no push for this from the community it was postponed many times...

Best,
KB
From: Sander A. <sa....@fz...> - 2018-10-17 12:29:10

Hi Krzysztof,

is it possible to create some kind of audit log or something else where I can see who increases access roles or adds privileged users outside of the regular unity log?

Best regards,
Sander
From: Krzysztof B. <kb...@un...> - 2018-10-16 13:12:11

Dear Subscribers,

On behalf of the Unity Team, I'm happy to announce that release 2.7.0 is out.

Release *2.7.0* is a subsequent important Unity milestone, completing the huge change around end-user facing UI improvements. The main focus of this release was on registration: both in terms of UI, UX and core features.

/When installing this release as an update a migration will be performed and some configuration changes may be necessary. Make sure to make a backup and read the update instructions in the documentation!/

The highlights are:

* There is a completely new registration path possible: a *registration form* may *allow for selecting a remote signup*, with any of the enabled external authentication options (like Google, FB, other OAuth providers, or SAML IdPs). So far this was only possible as the effect of a failed authentication try, which was not working well with typical use cases.
  o User may be given a choice to use a remote credential for the registered account or a local one, stored in Unity.
  o The local registration form may be embedded on the starting registration screen (with external options), or presented only after selecting the local registration path.
  o After external registration, a registration form may still be rendered if some of the required information was not provided by the external IdP.
* *Enrolment to groups is* now way more flexible: instead of setting a static list of available groups for the form, the admin may configure a wildcard; the actual groups to be offered are established at runtime. This feature supports enrolment to project/tenant/organization unit groups which change over time.
  o What is more, form attributes may be configured to be set in the group selected by the user on the same form.
* A new *finalization* feature was added *in the registration* subsystem. Finalization allows for specifying the details of behavior for all final states of the registration process: from successful submission to all kinds of errors.
  o Note: this feature deprecates the former partial support for controlling some of such behaviors in the registration form profile. Please update your form if you used such; the actions will be preserved after upgrade for your reference.
* *Rendering of the registration form* and the UX of individual elements was greatly improved and refactored to be streamlined with how the authentication UI works. Password setup offers nice hints, fields are validated during typing, layout was improved.
* *Credential reset flow UI* as well as the *UI of outdated credential* change was improved and simplified.
* Custom and *invitation message templates* allow for using arbitrary, *custom parameters*. Those parameters can be filled when preparing a personalized invitation or sending an email with the REST API.

Other, smaller changes:

* Invitation can preset the identity for remote OAuth registration. This preset identity may also be mandatory, so that the user can not register with a different one.
* Registration form configuration UI was refactored. Forms may only be inspected after opening.
* AdminUI -> Contents management is not showing group attribute classes (they can still be inspected from the group's context menu). Instead basic group stats are shown.
* A new registration profile action allows to process all pending invitations for the same user when the user registers. This may work regardless of whether the registration is made by invitation or not.
* Plus many smaller improvements and bugfixes, see the detailed changelog below.

As always, for more details see: http://www.unity-idm.eu/downloads/

Best regards,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2018-10-04 08:51:15

Hi Sander,

On 04.10.2018 at 08:02, Sander Apweiler wrote:
> Hi Krzysztof,
>
> we are redesigning our attribute set, collected from IdP/users, and we
> want to replace CN by givenName and sn. The CN will be built by ourselves
> from givenName and SN for the services which need it.
>
> Some users will have the CN but no givenName and sn for some time and
> vice versa. How can I create the CN from givenName and sn if CN does not
> exist?
>
> If I create both statements in the output translation profile, the first
> will be overwritten by the second one and send some null values.

Hmm, either I miss something or this can be achieved with a proper rule condition? Like:

condition: !(attr contains 'cn') && (attr contains 'sn') && (attr contains 'givenName')
action: create cn from sn and given name

HTH,
KB
From: Sander A. <sa....@fz...> - 2018-10-04 06:03:12

Hi Krzysztof,

we are redesigning our attribute set, collected from IdP/users, and we want to replace CN by givenName and sn. The CN will be built by ourselves from givenName and SN for the services which need it.

Some users will have the CN but no givenName and sn for some time and vice versa. How can I create the CN from givenName and sn if CN does not exist?

If I create both statements in the output translation profile, the first will be overwritten by the second one and send some null values.

Best regards,
Sander
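Both the IdP-based assurance rule (the 5 Nov thread above) and the guarded cn rule (this thread) come down to the order and conditions of translation profile rules. The following is an added Python illustration, not Unity's code or its MVEL engine: it parses the condition syntax exactly as written in the thread and applies rules in order over a constructed context; the `idp` variable name follows Krzysztof's reply, and the assurance value assigned is a constructed placeholder.

```python
"""Constructed model of sequential translation-profile rules with guarded conditions.
Illustration only: not Unity's MVEL engine, just the rule semantics discussed in the
thread. Context keys: 'attr' / 'eattr' map attribute name -> value; 'idp' is the
remote IdP id saved from the input profile (None for purely local users)."""
import re

# Condition syntax covered: !expr, (expr), a && b, <map> contains '<key>', <var> == '<value>', true.
_TOKEN = re.compile(r"\s*(\(|\)|!|&&|==|'[^']*'|\w+)")


def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if m is None:
            raise ValueError(f"unexpected input at {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def parse_condition(expr):
    """Recursive-descent parser returning a predicate over a context dict."""
    toks = tokenize(expr)

    def peek():
        return toks[0] if toks else None

    def take(expected=None):
        if not toks or (expected is not None and toks[0] != expected):
            raise ValueError(f"expected {expected!r}, got {peek()!r}")
        return toks.pop(0)

    def parse_and():  # '!' binds tighter than '&&'
        left = parse_unary()
        while peek() == "&&":
            take("&&")
            left = (lambda l, r: lambda ctx: l(ctx) and r(ctx))(left, parse_unary())
        return left

    def parse_unary():
        if peek() == "!":
            take("!")
            inner = parse_unary()
            return lambda ctx: not inner(ctx)
        if peek() == "(":
            take("(")
            inner = parse_and()
            take(")")
            return inner
        name = take()
        if name == "true":
            return lambda ctx: True
        op, literal = take(), take()
        if not (literal.startswith("'") and literal.endswith("'")):
            raise ValueError(f"expected quoted literal, got {literal!r}")
        value = literal[1:-1]
        if op == "contains":  # map-contains-key, as in: attr contains 'cn'
            return lambda ctx: value in ctx[name]
        if op == "==":  # scalar comparison, as in: idp == 'fz-juelich.de'
            return lambda ctx: ctx.get(name) == value
        raise ValueError(f"unknown operator {op!r}")

    cond = parse_and()
    if toks:
        raise ValueError(f"trailing token {peek()!r}")
    return cond


def apply_rules(ctx, rules):
    """Run rules in order; every rule whose condition holds applies its action."""
    for condition, action in rules:
        if parse_condition(condition)(ctx):
            action(ctx)
    return ctx


def _set_cn(ctx):
    ctx["attr"]["cn"] = f"{ctx['attr'].get('givenName')} {ctx['attr'].get('sn')}"


# Guarded rule from the thread: build cn only if absent and both parts are present.
GUARDED_CN_RULE = ("!(attr contains 'cn') && (attr contains 'sn') "
                   "&& (attr contains 'givenName')", _set_cn)
# Unguarded variant: always overwrites cn and yields 'None' fragments when parts are missing.
UNGUARDED_CN_RULE = ("true", _set_cn)


def resolve_cn(attr, rule=GUARDED_CN_RULE):
    ctx = {"attr": dict(attr), "eattr": {}, "idp": None}
    return apply_rules(ctx, [rule])["attr"].get("cn")


ASSURANCE_PLACEHOLDER = "constructed-assurance-value"  # constructed, not a real value
ASSURANCE_RULE = ("!(eattr contains 'eduPersonAssurance') && idp == 'fz-juelich.de'",
                  lambda ctx: ctx["attr"].__setitem__("eduPersonAssurance", ASSURANCE_PLACEHOLDER))


def resolve_assurance(eattr, idp):
    # Local assurance is assigned only for the named IdP and only if the IdP sent none.
    ctx = {"attr": {}, "eattr": dict(eattr), "idp": idp}
    return apply_rules(ctx, [ASSURANCE_RULE])["attr"].get("eduPersonAssurance")
```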
From: Krzysztof B. <kb...@un...> - 2018-10-02 14:59:00

Hi,

On 26.09.2018 at 12:44, Krzysztof Benedyczak wrote:
> Dear Tim,
>
> On 26.09.2018 at 11:46, Tim Kreuzer wrote:
>> Dear Krzysztof,
>>
>> in version 2.5.0 of Unity-IdM Enquiry Forms are only shown if
>> skipConsent is set to false. Is this an intended behavior? Is there a
>> way to show Enquiry Forms even if the consent page should be skipped?
>
> Yeah, this will behave like this. This is related to an important
> optimization (requested by many parties): if possible the UI should
> not be loaded upon authN. And having the consent screen off is the main
> requisite for this to kick in.
>
> I can check whether it is easy to still trigger UI loading if there is
> an enquiry for the user, hard to say off the top of my head.

Fixed, will be delivered in 2.7.0

Best
KB
From: Krzysztof B. <kb...@un...> - 2018-09-26 10:45:09

Dear Tim,

On 26.09.2018 at 11:46, Tim Kreuzer wrote:
> Dear Krzysztof,
>
> in version 2.5.0 of Unity-IdM Enquiry Forms are only shown if
> skipConsent is set to false. Is this an intended behavior? Is there a
> way to show Enquiry Forms even if the consent page should be skipped?

Yeah, this will behave like this. This is related to an important optimization (requested by many parties): if possible the UI should not be loaded upon authN. And having the consent screen off is the main requisite for this to kick in.

I can check whether it is easy to still trigger UI loading if there is an enquiry for the user, hard to say off the top of my head.

Best,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2018-09-26 10:41:46

Hi Sander,

On 26.09.2018 at 10:43, Sander Apweiler wrote:
> Hi Krzysztof,
>
> I'm preparing the update to unity 2.6 and try to convert the tiles
> into columns. As a first step I started with the password authenticator and
> tried to extend it to the example from the manual. When the Grid is loaded an
> Out of Memory error occurs. samlWeb and pwdWeb authenticators are
> copied from previous installations. The log is attached. Do you have
> any idea about the problem?

There are two possibilities. Either you should increase the Unity memory limit and this will go away (startup.properties). Or there is a bug. To check this option, please create and send me a memory dump (with jmap -dump ...), when the error occurs. The log file in case of OOM is not of much help.

Thanks,
KB
From: Tim K. <t.k...@fz...> - 2018-09-26 09:47:04

Dear Krzysztof,

in version 2.5.0 of Unity-IdM Enquiry Forms are only shown if skipConsent is set to false. Is this an intended behavior? Is there a way to show Enquiry Forms even if the consent page should be skipped?

I'm sorry that I couldn't test version 2.6.x yet.

The used endpoint is "OAuth2Authz", the authenticator is "ldap with web-password". My authenticator retrieval configuration file is:

{
  "i18nName": {
    "Map": {
      "en": "LDAP-Password"
    }
  },
  "registrationFormForUnknown": "regForm"
}

Best regards,
Tim Kreuzer

--
M.Sc. Tim Kreuzer
Federated Systems and Data
Jülich Supercomputing Centre, http://www.fz-juelich.de/jsc
Phone: +49 2461 61-1583
From: Sander A. <sa....@fz...> - 2018-09-26 08:43:53

Hi Krzysztof,

I'm preparing the update to unity 2.6 and try to convert the tiles into columns. As a first step I started with the password authenticator and tried to extend it to the example from the manual. When the Grid is loaded an Out of Memory error occurs. samlWeb and pwdWeb authenticators are copied from previous installations. The log is attached. Do you have any idea about the problem?

The config for columns is:

unity.endpoint.web.authnScreenTitle=Login to your profile
unity.endpoint.web.authnScreenShowSearch=true
unity.endpoint.web.authnScreenShowAllOptions=false
unity.endpoint.web.authnScreenOptionsLabel.OR.text=OR
unity.endpoint.web.authnGrid.G1.gridContents=samlWeb
unity.endpoint.web.authnGrid.G1.gridRows=10
unity.endpoint.web.authnScreenColumn.1.columnSeparator=OR
unity.endpoint.web.authnScreenColumn.1.columnWidth=17
unity.endpoint.web.authnScreenColumn.1.columnContents=pwdWeb
unity.endpoint.web.authnScreenColumn.2.columnSeparator=
unity.endpoint.web.authnScreenColumn.2.columnWidth=34
unity.endpoint.web.authnScreenColumn.2.columnContents=_GRID_G1

Best regards,
Sander
From: Krzysztof B. <kb...@un...> - 2018-09-26 07:10:42

Hi,

On 25.09.2018 at 14:32, Fabian Mangels wrote:
> Hi Krzysztof,
>
> is there a way to execute a script / code when attributes of a local
> user have changed? I'm looking for an event-driven way to trigger a
> synchronization of the respective local entity.
> Maybe the Java class that writes to the database would be the right
> entry point? Or are the customizations in the source code too complex?
>
> Thank you in advance!

It is possible, although very low level (== will require attention when Unity is upgraded). Check the chapter http://www.unity-idm.eu/documentation/unity-2.6.0/manual.html#_enhancement_scripts

You get an event when attributes are set, so you can add your custom Groovy handler to this.

HTH,
Krzysztof
From: Fabian M. <fab...@aw...> - 2018-09-25 12:47:58

Hi Krzysztof,

is there a way to execute a script / code when attributes of a local user have changed? I'm looking for an event-driven way to trigger a synchronization of the respective local entity.
Maybe the Java class that writes to the database would be the right entry point? Or are the customizations in the source code too complex?

Thank you in advance!

With kind regards, yours sincerely
Fabian Mangels

------------------------------------------------------------------------
Alfred-Wegener-Institut, Helmholtz-Zentrum für Polar- und Meeresforschung

*Fabian Mangels*
Infrastructure/Administration | Computing and Data Centre
Am Handelshafen 12
27570 Bremerhaven
Web: https://www.awi.de
Social Media: https://de-de.facebook.com/AlfredWegenerInstitute/
Helmholtz-Gemeinschaft
From: Krzysztof B. <kb...@un...> - 2018-09-24 06:22:15

Hi Nick,

On 19.09.2018 at 08:31, Nikolaos Evangelou wrote:
> Hello Krzysztof,
>
> After a long time I tried to enable auto login again and I managed to resolve my issue and I'm posting the solution.
>
> The use case is: Site -> OAuth authorization request -> Unity AS with autoLogin & authenticator with one IdP -> SAML login -> SAML IdP on Unity
> As I posted earlier I copied the current ${CONF}/modules/oauth/oauth2-as.properties for the new endpoint ${CONF}/modules/oauth/oauth2-sdc.properties.
>
> The oauth2-as.properties has the following properties:
> unity.endpoint.web.authenticationTiles.1.tileContents=pwd cert
> unity.endpoint.web.authenticationTiles.2.tileContents=oauth
> unity.endpoint.web.authenticationTiles.3.tileContents=saml
>
> And oauth2-sdc.properties has:
> unity.endpoint.web.authenticationTiles.1.tileContents=saml
>
> With these properties the flow wasn't working and when the user returned to Unity he/she was stuck in a loop where he/she was asked to login again.
>
> Then I changed the oauth2-sdc.properties authenticationTiles number from 1 to 11
> unity.endpoint.web.authenticationTiles.11.tileContents=saml
>
> And then everything worked smoothly.
>
> I guess it was a conflict on the authenticationTiles number id because both belong to the same endpoint type (OAuth2Authz/OAuth2Token)

I'm glad it is working. In the meantime there were some changes in that feature, related to the major refactoring of how the authN screen works. Tiles are gone; the current way of configuring and presenting authN options is much better. This also triggered an update of the auto-proxy feature, which since the 2.6.2 release should work in a more reliable way (triggering and return handling was changed to a different, more stable approach).

Thanks for the info,
KB
From: Nikolaos E. <ni...@ad...> - 2018-09-19 07:26:46

Little fix, the correct property is:
unity.endpoint.web.authenticationTiles.11.tileContents=sdc

Also the tileContents value should be unique.

On 19 Sep 2018, at 09:31, Nikolaos Evangelou <ni...@ad...> wrote:
> Then I changed the oauth2-sdc.properties authenticationTiles number from 1 to 11
> unity.endpoint.web.authenticationTiles.11.tileContents=saml
From: Nikolaos E. <ni...@ad...> - 2018-09-19 06:47:45

Hello Krzysztof,

After a long time I tried to enable auto login again and I managed to resolve my issue and I'm posting the solution.

The use case is: Site -> OAuth authorization request -> Unity AS with autoLogin & authenticator with one IdP -> SAML login -> SAML IdP on Unity

As I posted earlier I copied the current ${CONF}/modules/oauth/oauth2-as.properties for the new endpoint ${CONF}/modules/oauth/oauth2-sdc.properties.

The oauth2-as.properties has the following properties:
unity.endpoint.web.authenticationTiles.1.tileContents=pwd cert
unity.endpoint.web.authenticationTiles.2.tileContents=oauth
unity.endpoint.web.authenticationTiles.3.tileContents=saml

And oauth2-sdc.properties has:
unity.endpoint.web.authenticationTiles.1.tileContents=saml

With these properties the flow wasn't working and when the user returned to Unity he/she was stuck in a loop where he/she was asked to login again.

Then I changed the oauth2-sdc.properties authenticationTiles number from 1 to 11
unity.endpoint.web.authenticationTiles.11.tileContents=saml

And then everything worked smoothly.

I guess it was a conflict on the authenticationTiles number id because both belong to the same endpoint type (OAuth2Authz/OAuth2Token)

Regards,
Nick

> On 9 Jul 2018, at 22:19, Krzysztof Benedyczak <kb...@un...> wrote:
>
> Hi Nikolaos,
>
> I'm answering here for both recent emails. With this information I can understand what you want to perform now.
> Should work - at least a similar setup worked fine for me without a problem a moment ago:
>
> Site ---OAuth login-->Unity AS with autoLogin --SAML login-->SAML IdP on Unity
>
> More or less configured as below, but there are still tons of places where problems may happen.
>
> First of all read the logs. Looking for warns/errors is not always helpful. You should enable debug (or for this purpose even TRACE) logging of the SAML, OAuth and web subsystems. You will have information (search for "Proxy") on the auto login fact (or that it is skipped).
> 2nd thing to do is to compare this with the browser log (Developer tools -> Network tab, important: turn off persistent logs, otherwise each redirect will clean the log).
>
> With this information you should be able to precisely identify in which moment your flow is not behaving as expected and perhaps what is the reason.
>
> HTH,
> Krzysztof
>
> On 04.07.2018 at 13:47, Nikolaos Evangelou wrote:
>> Hello Krzysztof,
>>
>> I don't see any warns or errors in the logs. In the browser if I try to login I will get this message "There is a SAML authentication going on already. Perhaps you used a Back button during authentication or authenticate in two browser windows? Either finish that login process or cancel it locally with the ''Cancel'' button before trying again."
>> I tried to switch unity.endpoint.web.autoLogin to false and it works. Maybe I misconfigured something.
>>
>> Here are all the changes I made:
>> 1. Modified conf/unityServer.conf
>> unityServer.core.authenticators.marineWeb.authenticatorName=marineWeb
>> unityServer.core.authenticators.marineWeb.authenticatorType=saml2 with web-saml2
>> unityServer.core.authenticators.marineWeb.verificatorConfigurationFile=${CONF}/authenticators/marineAuth.properties
>> unityServer.core.authenticators.marineWeb.retrievalConfigurationFile=${CONF}/authenticators/marineAuth.properties
>>
>> And
>>
>> # Enables MarineID AS functionality
>> $include.marineAS=${CONF}/modules/marineAS.module
>>
>> Both are copies of samlWeb and $include.oauthAS correspondingly.
>>
>> 2. Created authenticators/marineAuth.properties copy of remoteSamlAuth.properties
>> unity.saml.requester.requesterEntityId=https://unity.eudat-aai.fz-juelich.de:8443/unitygw/saml-sp-metadata
>> unity.saml.requester.metadataPath=metadata1
>> unity.saml.requester.requesterCredential=MAIN
>> unity.saml.requester.acceptedNameFormats.1=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
>> unity.saml.requester.acceptedNameFormats.2=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
>> unity.saml.requester.acceptedNameFormats.3=urn:oasis:names:tc:SAML:2.0:nameid-format:transient
>>
>> unity.saml.requester.sloPath=slo1
>> unity.saml.requester.sloRealm=defaultRealm
>>
>> unity.saml.requester.remoteIdp.marine.name=MarineID IdP
>> unity.saml.requester.remoteIdp.marine.address=https://idp.marine-id.org/idp/profile/SAML2/Redirect/SSO
>> unity.saml.requester.remoteIdp.marine.binding=HTTP_REDIRECT
>> unity.saml.requester.remoteIdp.marine.samlId=https://idp.marine-id.org/idp/shibboleth
>> unity.saml.requester.remoteIdp.marine.certificate=MARINEID
>> unity.saml.requester.remoteIdp.marine.translationProfile=marineID
>> unity.saml.requester.remoteIdp.marine.registrationFormForUnknown=marineID Registration Form
>> unity.saml.requester.remoteIdp.marine.enableAccountAssociation=false
>> unity.saml.requester.remoteIdp.marine.logoURI.en=https://www.marine-id.org/img/logo-noBG.svg
>>
>> 3. Created modules/oauthAS.module copy of oauthAS.module
>> unityServer.core.script.909.file=${CONF}/scripts/oauthDemoInitializer.groovy
>> unityServer.core.script.909.trigger=pre-init
>>
>> unityServer.core.endpoints.marineOauth.endpointType=OAuth2Authz
>> unityServer.core.endpoints.marineOauth.endpointConfigurationFile=${CONF}/modules/oauth/oauth2-marine.properties
>> unityServer.core.endpoints.marineOauth.contextPath=/oauth2-marine
>> unityServer.core.endpoints.marineOauth.endpointName=MarineID OAuth2 Authorization Server
>> unityServer.core.endpoints.marineOauth.endpointRealm=defaultRealm
>> unityServer.core.endpoints.marineOauth.endpointAuthenticators=marineWeb
>>
>> unityServer.core.endpoints.marineToken.endpointType=OAuth2Token
>> unityServer.core.endpoints.marineToken.endpointConfigurationFile=${CONF}/modules/oauth/oauth2-marine.properties
>> unityServer.core.endpoints.marineToken.contextPath=/marine
>> unityServer.core.endpoints.marineToken.endpointName=MarineID OAuth2 Token endpoint
>> unityServer.core.endpoints.marineToken.endpointRealm=defaultRealm
>> unityServer.core.endpoints.marineToken.endpointAuthenticators=pwdRest;certRest
>>
>> 4. Created modules/oauth/oauth2-marine.properties copy of modules/oauth/oauth2-as.properties
>> unity.oauth2.as.issuerUri=https://unity.eudat-aai.fz-juelich.de:8443/marine
>>
>> unity.oauth2.as.signingCredential=MAIN
>>
>> unity.oauth2.as.clientsGroup=/oauth-clients
>> unity.oauth2.as.usersGroup=/
>>
>> unity.oauth2.as.translationProfile=marineIDout
>> unity.oauth2.as.accessTokenValidity=600
>> unity.oauth2.as.extendAccessTokenValidityUpTo=86400
>> unity.oauth2.as.refreshTokenValidity=0
>> # Definition of scopes
>>
>> unity.oauth2.as.scopes.1.name=openid
>> unity.oauth2.as.scopes.1.description=Enables the OpenID Connect support
>>
>> unity.oauth2.as.scopes.4.name=email
>> unity.oauth2.as.scopes.4.description=OpenID Connect Email Scope
>> unity.oauth2.as.scopes.4.attributes.1=email
>>
>> unity.oauth2.as.scopes.5.name=profile
>> unity.oauth2.as.scopes.5.description=OpenID Connect user profile scope
>> unity.oauth2.as.scopes.5.attributes.1=name
>>
>> unity.oauth2.as.scopes.2.name=USER_PROFILE
>> unity.oauth2.as.scopes.2.description=Provides access to the user's profile information
>> unity.oauth2.as.scopes.2.attributes.1=userName
>> unity.oauth2.as.scopes.2.attributes.2=email
>> unity.oauth2.as.scopes.2.attributes.3=groups
>> unity.oauth2.as.scopes.2.attributes.4=unity:persistent
>> unity.oauth2.as.scopes.2.attributes.5=urn:oid:2.5.4.49
>> unity.oauth2.as.scopes.2.attributes.6=name
>> unity.oauth2.as.scopes.2.attributes.7=cn
>>
>> unity.oauth2.as.scopes.3.name=GENERATE_USER_CERTIFICATE
>> unity.oauth2.as.scopes.3.description=Generate User Certificate
>> unity.oauth2.as.scopes.3.attributes.1=userName
>> unity.oauth2.as.scopes.3.attributes.2=email
>> unity.oauth2.as.scopes.3.attributes.3=name
>> unity.oauth2.as.scopes.3.attributes.4=groups
>>
>> #UI specific properties
>> unity.endpoint.web.enableRegistration=false
>> unity.endpoint.web.autoLogin=true
>>
>> unity.endpoint.web.authenticationTiles.4.tileContents=oauthMarine
>>
unity.endpoint.web.authenticationTiles.4.tileMode=table >> unity.endpoint.web.authenticationTiles.4.tileName.en=Login with your MarineID >> >> ——————— >> Best regards, >> Nick >> >>> On 4 Jul 2018, at 10:06, Krzysztof Benedyczak <kb...@un...> wrote: >>> >>> W dniu 03.07.2018 o 16:22, Nikolaos Evangelou pisze: >>>> Hello Krzysztof, >>>> >>>> I’m testing your suggestion to create a separate oauth authorization endpoint, but I got some issues. When I make an authentication request to the new endpoint, I go directly to the login page of my preselected IdP (as expected) but after the login I got stack to ${new_endpoint}/oauth2-authz-web-entry portal, and I’m asked to login again. Do you have any suggestion to deal with this issue? >>> Can you evaluate debug logs carefully, together with web browser logs? What happens there, what is precise flow of redirections? Visually this effect in web browser can be due many reasons - up to situation where everything works but your client is redirecting to Unity again as it doesn't accept your new endpoint. >>> >>> Best, >>> Krzysztof > > |
From: Krzysztof B. <kb...@un...> - 2018-08-31 08:44:50
Dear Subscribers,

A second update in the 2.6 release train is available for download. This release contains one important bugfix related to cache flushing. Caching of RDBMS data was introduced in version 2.6.1, so if you are on it, updating is highly recommended.

There is also a number of other updates:

1. Thanks to a community contribution by MatMaul, the MITRE token verification code has been improved to have better interoperability. Thank you!
2. In AdminUI one can now confirm email identities.
3. AdminUI allows for an alternative way of adding users to a group, without using drag'n'drop. It is convenient with a very long groups list.
4. The user notification message template was enriched with custom parameters, which can be provided by the REST interface. Therefore mailing Unity users is now much more practical.
5. In certain situations when a slow redirect is triggered after Unity login, the user had a chance to click another widget on the authN screen, leading to errors. Now it is blocked.

There are also some other bugfixes. See Downloads <http://www.unity-idm.eu/downloads/> for more details.

Best regards,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2018-08-27 18:10:41
Hi Sander,

On 20.08.2018 at 14:27, Sander Apweiler wrote:
> Hi Krzysztof,
>
> In the section about bearer token you refer to RFC 6750. In this
> document the expiration information is transferred with the key
> "expires_in", see [1]. Unity uses "exp" as keyword which is not
> recognised by some clients. Is it possible to change the keyword?

I assume you are referring here to the /tokeninfo proprietary Unity token introspection endpoint. The RFC is mentioned there, however only to say how the introspected token should be passed.

True, exp is returned by this endpoint and not expires_in. It is hard for me to say what is better: exp is used in the JWT & OpenID Connect specs family, and, what is more relevant here, RFC 7662 (token introspection) is using exp. expires_in is used in the spec you mentioned and in core OAuth.

That said, I'm unsure about breaking backwards compatibility, and as a general direction I think Unity should rather go for implementing RFC 7662, and the current implementation is very close to it (may be even compliant, would need to check details) --> this suggests sticking to exp.

Can you provide more information on clients that would expect expires_in while supporting the Unity introspection endpoint? Perhaps we can find some solution (e.g. an alternative introspection endpoint).

Thanks,
Krzysztof
From: Sander A. <sa....@fz...> - 2018-08-20 12:28:42
Hi Krzysztof,

In the section about bearer token you refer to RFC 6750. In this document the expiration information is transferred with the key "expires_in", see [1]. Unity uses "exp" as keyword which is not recognised by some clients. Is it possible to change the keyword?

Best regards,
Sander

[1]: https://tools.ietf.org/html/rfc6750#section-4

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
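Sander's question and Krzysztof's reply above turn on two conventions for token expiry: RFC 7662 introspection responses (and Unity's /tokeninfo endpoint) carry an absolute `exp`, while RFC 6750 / core OAuth 2.0 token responses carry a relative `expires_in`. As an added example, not Unity's own code, here is a client-side helper that normalises a parsed response so it carries both keys and then decides, fail-closed, whether the token may still be used; the sample responses, clock values and skew margin are constructed for the demo.

```python
# Added example, not Unity code: reconcile on the client side the two
# expiry conventions discussed in the thread.
#   - RFC 7662 introspection (and Unity's /tokeninfo): absolute "exp",
#     seconds since the Unix epoch, plus a boolean "active".
#   - RFC 6750 / core OAuth 2.0 token response: relative "expires_in",
#     seconds counted from the moment the response was received.
# Sample responses and clock values below are constructed for the demo.
from typing import Dict, Optional

CLOCK_SKEW = 30  # seconds of tolerance for drift between client and server


def normalize_expiry(info: Dict, received_at: int) -> Dict:
    """Return a copy of `info` that carries BOTH "exp" and "expires_in".

    received_at is the client's clock when the response arrived; it anchors
    a relative "expires_in" so it can be turned into an absolute time.
    Clients that insist on one key or the other can then read either.
    """
    out = dict(info)
    if "exp" in out:
        out["exp"] = int(out["exp"])
        out["expires_in"] = max(0, out["exp"] - received_at)
    elif "expires_in" in out:
        out["expires_in"] = int(out["expires_in"])
        out["exp"] = received_at + out["expires_in"]
    return out


def is_usable(info: Dict, now: int, skew: int = CLOCK_SKEW) -> bool:
    """Decide whether a token may still be presented at time `now`.

    Fail closed: an RFC 7662 "active": false wins over any timestamp, and a
    response with no expiry at all is not trusted. The skew margin makes the
    client stop using the token slightly *before* the server would reject it.
    """
    if info.get("active") is False:
        return False
    exp: Optional[int] = info.get("exp")
    if exp is None:
        return False
    return now + skew < int(exp)

# Constructed samples: an introspection-style reply and a token-style reply
# that both describe a token expiring 600 s after it was received at T0.
T0 = 1_600_000_000
INTROSPECTION_REPLY = {"active": True, "exp": T0 + 600, "scope": "openid email"}
TOKEN_REPLY = {"access_token": "constructed-opaque-token", "expires_in": 600}
```

A client that only understands `expires_in` can read it from the normalised dict even when the server, like Unity's /tokeninfo, only sent `exp`.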