From: Krzysztof B. <kb...@un...> - 2018-12-06 11:30:50

Hi Shiraz,

On 05.12.2018 at 12:01, Shiraz Memon wrote:
> Hi Krzysztof,
>
> Is it possible to somehow restrict which scopes the oidc clients can
> request from unity (as the oidc authz server)?

No, every client can request any scopes, and it is up to the user to decide whether he or she allows them (all or nothing).

Cheers,
KB
From: Shiraz M. <a....@fz...> - 2018-12-05 11:03:17

Hi Krzysztof,

Is it possible to somehow restrict which scopes the oidc clients can request from unity (as the oidc authz server)?

Thanks,
Shiraz

--
Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)
Phone: +49 2461 61 6899
Fax: +49 2461 61 6656

Forschungszentrum Juelich GmbH, 52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Amtsgericht Dueren, No. HR B 3498
Chairman of the Supervisory Board: MinDir Dr. Karl Eugen Huthmacher
Management: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt
From: Krzysztof B. <kb...@un...> - 2018-12-01 22:11:44

Dear Subscribers,

The next release – *2.7.3* – is out. It includes numerous small to medium improvements and one important bugfix. The most significant changes are:

* A registration form can now be configured to automatically log in a user who submitted a registration request when the request was auto-accepted. (Won't work if the user has to confirm her email first.)
* A couple of password-related improvements were added:
  o A password reset is no longer required after changing the password storage/hashing parameters. Instead the password is rehashed on the fly when the user signs in for the first time after the configuration change.
  o The Identities grid in AdminUI now allows showing detailed information on all credential statuses.
  o When editing password quality settings, the admin can verify with one click whether the setting is secure and how it will affect sign-in time.
* The forgotten password reset UI was refactored not to use popup dialogs. This is the last step of aligning the UX of the authN screen: all sign-in, registration, outdated password and forgotten password UIs use the same full-screen, clean approach, which is simpler to use and easier to brand.
* Session expiration handling was improved. The older method was not perfect, e.g. session inactivity timeouts were enforced with +/- 20s tolerance. The current implementation should be precise and more solid.
* A bug which was causing some of the dynamic attributes not to be returned was fixed. This affected a single REST API resource (resolving of complete group contents) and custom attribute columns in the AdminUI Identities grid.

The complete list of changes is available on the http://www.unity-idm.eu/downloads/ page.

Best regards,
Krzysztof
From: Sander A. <sa....@fz...> - 2018-11-26 09:02:40

Hi Krzysztof,

thanks a lot. Removing the logout:true has solved the issue.

Best regards,
Sander

On Sat, 2018-11-24 at 10:57 +0100, Krzysztof Benedyczak wrote:
> Hi,
>
> On 23.11.2018 at 14:04, Sander Apweiler wrote:
> > Hi Krzysztof,
> >
> > We try to use the token revocation mechanism. If we use user_id, we
> > get an error about missing client_id. "Invalid request; To access the
> > token revocation endpoint a client_id must be provided". It seems that
> > there is a mistake in the example from the manual.
> >
> > If we provide client_id, we get an error about missing token type:
> > "Invalid request; To access the token revocation endpoint a token type
> > must be provided". Can you please add this necessary parameter in the
> > manual?
>
> Sure, thanks for the info. This chapter was not updated after revocation of
> refresh tokens was implemented. An updated version will be published soon
> with 2.7.3, including the fix of the user_id mistake in the example.
>
> > If we provide the token type, we end up in an invalid scope
> > error: "Retuning OAuth error response: invalid_scope: Invalid, unknown
> > or malformed scope; Insufficent scope to perform full logout." Do we need
> > to enable the token revocation scope in unity explicitly? What does the
> > valid request look like?
> >
> > We request the scopes profile, email and single-logout.
> > The parameters we send in the revocation request:
> >
> >     r = requests.post(auth_server + "/oauth2/revoke",
> >                       headers={'Content-Type': 'application/x-www-form-urlencoded'},
> >                       data={'token': auth_state['access_token'],
> >                             'client_id': CLIENT_ID,
> >                             'token_type_hint': 'access_token',
> >                             'token_type': 'Bearer',
> >                             'logout': 'true'})
> >
> > auth_state['access_token'] contains the bearer token and CLIENT_ID the
> > client id.
>
> Actually this part is covered in the manual correctly - but I understand
> that you gave up after coming over two mistakes :-)
>
> Besides the standard token revocation, it is also possible to request
> the token owner's logout (disposal of the SSO session) together with token
> revocation. To be able to perform this operation, the client must
> request and obtain a special OAuth scope: +single-logout+. Having this
> scope, token revocation can be used to log out the token owner
> by adding the following form parameter to the request: +logout=true+.
>
> So either remove logout: true from your request or define and request
> the single-logout OAuth scope - i.e. a scope with exactly this name must
> be bound to the access token.
>
> Cheers,
> KB

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Krzysztof B. <kb...@un...> - 2018-11-24 09:56:51

Hi,

On 23.11.2018 at 14:04, Sander Apweiler wrote:
> Hi Krzysztof,
>
> We try to use the token revocation mechanism. If we use user_id, we
> get an error about missing client_id. "Invalid request; To access the
> token revocation endpoint a client_id must be provided". It seems that
> there is a mistake in the example from the manual.
>
> If we provide client_id, we get an error about missing token type:
> "Invalid request; To access the token revocation endpoint a token type
> must be provided". Can you please add this necessary parameter in the
> manual?

Sure, thanks for the info. This chapter was not updated after revocation of refresh tokens was implemented. An updated version will be published soon with 2.7.3, including the fix of the user_id mistake in the example.

> If we provide the token type, we end up in an invalid scope
> error: "Retuning OAuth error response: invalid_scope: Invalid, unknown
> or malformed scope; Insufficent scope to perform full logout." Do we need
> to enable the token revocation scope in unity explicitly? What does the
> valid request look like?
>
> We request the scopes profile, email and single-logout.
> The parameters we send in the revocation request:
>
>     r = requests.post(auth_server + "/oauth2/revoke",
>                       headers={'Content-Type': 'application/x-www-form-urlencoded'},
>                       data={'token': auth_state['access_token'],
>                             'client_id': CLIENT_ID,
>                             'token_type_hint': 'access_token',
>                             'token_type': 'Bearer',
>                             'logout': 'true'})
>
> auth_state['access_token'] contains the bearer token and CLIENT_ID the
> client id.

Actually this part is covered in the manual correctly - but I understand that you gave up after coming over two mistakes :-)

Besides the standard token revocation, it is also possible to request the token owner's logout (disposal of the SSO session) together with token revocation. To be able to perform this operation, the client must request and obtain a special OAuth scope: +single-logout+. Having this scope, token revocation can be used to log out the token owner by adding the following form parameter to the request: +logout=true+.

So either remove logout: true from your request or define and request the single-logout OAuth scope - i.e. a scope with exactly this name must be bound to the access token.

Cheers,
KB
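The exchange above settles what a revocation request to this endpoint needs: a client_id, a token_type, and logout=true only when the access token actually carries the single-logout scope. The following Python is an added example, not Unity's code, that models those checks on the server side (the error strings are the ones quoted in the thread) next to a client-side builder that refuses to ask for logout without the scope. The token store, client ids and token values are constructed for the example, and the check that the revoking client is the one the token was issued to is an RFC 7009-style assumption, not something the thread states about Unity.

```python
# Added example, not Unity's code: a minimal model of the OAuth 2.0 token
# revocation endpoint checks discussed in this thread, plus a client-side
# helper that builds a well-formed request body.
from dataclasses import dataclass, field

SINGLE_LOGOUT_SCOPE = "single-logout"   # scope name from the thread


@dataclass
class IssuedToken:
    """Constructed stand-in for the authorization server's token record."""
    value: str
    client_id: str
    scopes: frozenset = field(default_factory=frozenset)
    revoked: bool = False


class RevocationError(Exception):
    """OAuth error response: code plus human-readable description."""
    def __init__(self, code, description):
        super().__init__(f"{code}: {description}")
        self.code = code
        self.description = description


def build_revocation_request(token, client_id, granted_scopes, logout=False):
    """Client side: build the form body. Only add logout=true when the token
    was granted single-logout, so the server never answers invalid_scope."""
    form = {
        "token": token,
        "client_id": client_id,
        "token_type_hint": "access_token",
        "token_type": "Bearer",
    }
    if logout:
        if SINGLE_LOGOUT_SCOPE not in granted_scopes:
            raise ValueError(
                f"logout=true requires the {SINGLE_LOGOUT_SCOPE} scope on the token")
        form["logout"] = "true"
    return form


def handle_revocation(form, token_store):
    """Server side: the checks in the order the thread ran into them, then
    the revocation itself. token_store maps token value -> IssuedToken."""
    client_id = form.get("client_id")
    if not client_id:
        raise RevocationError(
            "invalid_request",
            "To access the token revocation endpoint a client_id must be provided")
    if not form.get("token_type"):
        raise RevocationError(
            "invalid_request",
            "To access the token revocation endpoint a token type must be provided")
    token = token_store.get(form.get("token"))
    if token is None:
        # RFC 7009: an unknown/expired token is not an error, so the endpoint
        # cannot be used to probe which token strings exist.
        return {"revoked": False, "logged_out": False}
    if token.client_id != client_id:
        # Assumption (RFC 7009 style): only the client the token was issued
        # to may revoke it. The thread does not describe Unity's behaviour here.
        raise RevocationError("invalid_request", "token was not issued to this client")
    logged_out = False
    if form.get("logout") == "true":
        if SINGLE_LOGOUT_SCOPE not in token.scopes:
            raise RevocationError(
                "invalid_scope", "Insufficient scope to perform full logout")
        logged_out = True   # a real server would also dispose of the SSO session
    token.revoked = True
    return {"revoked": True, "logged_out": logged_out}


if __name__ == "__main__":
    # Constructed sample: one token without and one with single-logout.
    store = {
        "tok-plain": IssuedToken("tok-plain", "client-a", frozenset({"profile", "email"})),
        "tok-slo": IssuedToken("tok-slo", "client-a",
                               frozenset({"profile", "email", SINGLE_LOGOUT_SCOPE})),
    }
    print(handle_revocation(
        build_revocation_request("tok-plain", "client-a", store["tok-plain"].scopes), store))
    print(handle_revocation(
        build_revocation_request("tok-slo", "client-a", store["tok-slo"].scopes, logout=True),
        store))
```

The client-side guard is the practical takeaway from the thread: whether logout may be requested is decided by the scopes actually bound to the token, so a client that tracks what it was granted can avoid the invalid_scope round trip entirely.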
From: Sander A. <sa....@fz...> - 2018-11-23 13:05:11

Hi Krzysztof,

We try to use the token revocation mechanism. If we use user_id, we get an error about missing client_id. "Invalid request; To access the token revocation endpoint a client_id must be provided". It seems that there is a mistake in the example from the manual.

If we provide client_id, we get an error about missing token type: "Invalid request; To access the token revocation endpoint a token type must be provided". Can you please add this necessary parameter in the manual?

If we provide the token type, we end up in an invalid scope error: "Retuning OAuth error response: invalid_scope: Invalid, unknown or malformed scope; Insufficent scope to perform full logout." Do we need to enable the token revocation scope in unity explicitly? What does the valid request look like?

We request the scopes profile, email and single-logout. The parameters we send in the revocation request:

    r = requests.post(auth_server + "/oauth2/revoke",
                      headers={'Content-Type': 'application/x-www-form-urlencoded'},
                      data={'token': auth_state['access_token'],
                            'client_id': CLIENT_ID,
                            'token_type_hint': 'access_token',
                            'token_type': 'Bearer',
                            'logout': 'true'})

auth_state['access_token'] contains the bearer token and CLIENT_ID the client id.

Best regards,
Sander
From: Krzysztof B. <kb...@un...> - 2018-11-18 18:40:36

Hi,

On 16.11.2018 at 13:39, Sander Apweiler wrote:
> Hi Krzysztof,
>
> On Fri, 2018-11-16 at 10:53 +0100, Krzysztof Benedyczak wrote:
>> Hi Sander,
>>
>> On 15.11.2018 at 14:31, Sander Apweiler wrote:
>>> Hi Krzysztof,
>>>
>>> at the moment I'm testing unity 2.7.2. I have enabled different kinds of
>>> authenticators, one of them is local accounts with username and
>>> password. I have enabled the user registration on userhome too (see
>>> userhome.properties config below), but the link "Register a new
>>> account" from previous versions is not available on the userhome. Is
>>> this behaviour intended?
>>
>> And do you have a *public* registration form defined? Also it would be a
>> good practice to enumerate on the home endpoint which of the public
>> forms should be enabled there.
>
> Yes I have three public registration forms (oauth client, username
> password and certificate). If I use the URL in the browser, I get the
> form. But the link "Register a new account" on the endpoint is missing.

ah, sorry, forgot about one thing. Now there are two ways to show registration links: either in the header as before or among the sign-in options as a button. To enable the former you need to set:

    unity.endpoint.web.showRegistrationFormsInHeader=true

I'll change the default to true so it is less confusing.

Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2018-11-16 12:40:41

Hi Krzysztof,

On Fri, 2018-11-16 at 10:53 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 15.11.2018 at 14:31, Sander Apweiler wrote:
> > Hi Krzysztof,
> >
> > at the moment I'm testing unity 2.7.2. I have enabled different kinds of
> > authenticators, one of them is local accounts with username and
> > password. I have enabled the user registration on userhome too (see
> > userhome.properties config below), but the link "Register a new
> > account" from previous versions is not available on the userhome. Is
> > this behaviour intended?
>
> And do you have a *public* registration form defined? Also it would be a
> good practice to enumerate on the home endpoint which of the public
> forms should be enabled there.

Yes I have three public registration forms (oauth client, username password and certificate). If I use the URL in the browser, I get the form. But the link "Register a new account" on the endpoint is missing.

Cheers,
Sander

> Cheers,
> KB
From: Krzysztof B. <kb...@un...> - 2018-11-16 09:53:16

Hi Sander,

On 15.11.2018 at 14:31, Sander Apweiler wrote:
> Hi Krzysztof,
>
> at the moment I'm testing unity 2.7.2. I have enabled different kinds of
> authenticators, one of them is local accounts with username and password. I
> have enabled the user registration on userhome too (see
> userhome.properties config below), but the link "Register a new
> account" from previous versions is not available on the userhome. Is
> this behaviour intended?

And do you have a *public* registration form defined? Also it would be a good practice to enumerate on the home endpoint which of the public forms should be enabled there.

Cheers,
KB
From: Sander A. <sa....@fz...> - 2018-11-15 13:31:22

Hi Krzysztof,

at the moment I'm testing unity 2.7.2. I have enabled different kinds of authenticators, one of them is local accounts with username and password. I have enabled the user registration on userhome too (see userhome.properties config below), but the link "Register a new account" from previous versions is not available on the userhome. Is this behaviour intended?

    unity.userhome.attributes.1.attribute=cn
    unity.userhome.attributes.1.group=/
    unity.userhome.attributes.1.showGroup=false
    unity.userhome.attributes.1.editable=true
    unity.userhome.attributes.2.attribute=mail
    unity.userhome.attributes.2.group=/
    unity.userhome.attributes.2.showGroup=false
    unity.userhome.attributes.2.editable=true
    unity.userhome.attributes.3.attribute=o
    unity.userhome.attributes.3.group=/
    unity.userhome.attributes.3.showGroup=false
    unity.userhome.attributes.3.editable=true
    unity.userhome.attributes.4.attribute=picture
    unity.userhome.attributes.4.group=/
    unity.userhome.attributes.4.showGroup=false
    unity.userhome.attributes.4.editable=true
    unity.endpoint.web.enableRegistration=true
    unity.endpoint.web.authnScreenOptionsLabel.OR.text=OR
    unity.endpoint.web.authnGrid.G1.gridContents=samlWeb
    unity.endpoint.web.authnGrid.G1.gridRows=10
    unity.endpoint.web.authnScreenColumn.1.columnSeparator=OR
    unity.endpoint.web.authnScreenColumn.1.columnWidth=17
    unity.endpoint.web.authnScreenColumn.1.columnContents=pwdWeb
    unity.endpoint.web.authnScreenColumn.2.columnSeparator=OR
    unity.endpoint.web.authnScreenColumn.2.columnWidth=34
    unity.endpoint.web.authnScreenColumn.2.columnContents=_GRID_G1
    unity.endpoint.web.authnScreenColumn.3.columnSeparator=OR
    unity.endpoint.web.authnScreenColumn.3.columnWidth=17
    unity.endpoint.web.authnScreenColumn.3.columnContents=oauthWeb

Best regards,
Sander
From: Krzysztof B. <kb...@un...> - 2018-11-13 11:24:23

On 13.11.2018 at 09:17, Sander Apweiler wrote:
> Hi Krzysztof,
>
> With unity 2.7.2 (.1 was not tested) the sort of IdPs in the grid is
> much better. But it can still be improved. For the tiles unity switched in
> the past from ASCII sort (AMOLF before Aalto) to alphabetical sort (Aalto
> before AMOLF). It would be great if this could be done for the grid
> too.

OK, I'll open a ticket to improve it.

Thanks for the notice
KB
From: Sander A. <sa....@fz...> - 2018-11-13 08:19:33

Hi Krzysztof,

With unity 2.7.2 (.1 was not tested) the sort of IdPs in the grid is much better. But it can still be improved. For the tiles unity switched in the past from ASCII sort (AMOLF before Aalto) to alphabetical sort (Aalto before AMOLF). It would be great if this could be done for the grid too.

Best regards,
Sander
From: Krzysztof B. <kb...@un...> - 2018-11-12 09:33:02

Dear Subscribers,

Unity bugfix release 2.7.2 was published, eliminating a problem with the DB cache. The RDBMS cache implementation turned out to suffer from a race condition. It is not happening often but the consequences might be severe, as Unity may answer with stale information.

For installations of 2.6.x and 2.7.x versions which can not be updated immediately, we advise turning off the DB cache (assuming you use the relational database store):

    unityServer.storage.engine.rdbms.cacheMaxEntries=0

As fixing the cache would be far from trivial and would make the caching layer even more complex, we decided to fully remove the DB-level cache. Instead a series of smaller optimizations were applied and a simple cache of the authorization layer was added. Together the performance should be pretty comparable with the DB cache layer, while stability is greatly improved.

Best regards,
Krzysztof
From: Sander A. <sa....@fz...> - 2018-11-06 07:24:56

Hi Krzysztof,

It works. Thank you very much. I just moved the rule from the registration form to the translation profile. So existing users get this attribute at next login too.

Cheers,
Sander

On Monday, 05.11.2018, 20:27 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 05.11.2018 at 11:53, Sander Apweiler wrote:
> > Hi Krzysztof,
> >
> > we want to add some attributes, if not provided by the IdP, based on
> > the IdP itself. Is it possible to compare the IdP in the condition of
> > automatically assigned settings?
> >
> > To give an example. I log in with the Juelich IdP and the IdP does not
> > provide some assurance information. I want to set them during the
> > account creation. The condition would look like !(eattr contains
> > 'eduPersonAssurance') && IdP=='fz-juelich.de'
> >
> > Do I get the IdP in some variables?
>
> Out of the box not - registration is quite often done locally without any
> remote information.
>
> But it is possible to set this up:
>
> 1. the remote IDP id is available in the input translation profile (the
> 'idp' variable) used by your authenticator, that is authenticating a
> user to be registered. So first of all save this information into an
> attribute in the input profile, e.g. in an attribute IDP.
>
> 2. in the registration form add a collected attribute - IDP. Set this
> attribute as collected from the remote IdP and hidden. Then you can use it
> in your registration form automation (e.g. rattr['idp'])
>
> See the respective chapters in the manual for more details.
>
> HTH,
>
> Krzysztof
From: Krzysztof B. <kb...@un...> - 2018-11-05 19:27:58

Hi Sander,

On 05.11.2018 at 11:53, Sander Apweiler wrote:
> Hi Krzysztof,
>
> we want to add some attributes, if not provided by the IdP, based on
> the IdP itself. Is it possible to compare the IdP in the condition of
> automatically assigned settings?
>
> To give an example. I log in with the Juelich IdP and the IdP does not
> provide some assurance information. I want to set them during the
> account creation. The condition would look like !(eattr contains
> 'eduPersonAssurance') && IdP=='fz-juelich.de'
>
> Do I get the IdP in some variables?

Out of the box not - registration is quite often done locally without any remote information.

But it is possible to set this up:

1. the remote IDP id is available in the input translation profile (the 'idp' variable) used by your authenticator, that is authenticating a user to be registered. So first of all save this information into an attribute in the input profile, e.g. in an attribute IDP.

2. in the registration form add a collected attribute - IDP. Set this attribute as collected from the remote IdP and hidden. Then you can use it in your registration form automation (e.g. rattr['idp'])

See the respective chapters in the manual for more details.

HTH,

Krzysztof
From: Krzysztof B. <kb...@un...> - 2018-11-05 19:21:01

Dear Subscribers,

Two updates this time:

1. *Unity 2.7.1 was released*

The main focus was on improvements in the speed of loading the users list and groups tree in AdminUI (significant if you have thousands of users/groups or just a slow DB). AdminUI now scales nicely up to tens of thousands of users and a similar number of groups - which was a problem so far, especially with slower RDBMS storage backends. We have future plans for scaling AdminUI even more - to support millions of users - but this will require some compromises in functionality.

There is also a performance bugfix for admins who are members of many groups (100+): using AdminUI by such users is not extremely slow anymore; there is no difference depending on the number of group memberships.

Other improvements include enhanced message template loading: Unity can be configured to load configured templates on startup, overwriting the templates stored in the DB, and AdminUI allows reloading templates from configuration at runtime.

There are also several other minor enhancements:

* UY-812 <https://dev.unity-idm.eu/jira/browse/UY-812> Fix sorting and searching on authN screen
* UY-793 <https://dev.unity-idm.eu/jira/browse/UY-793> More flexible OAuth trusted URL matching
* UY-795 <https://dev.unity-idm.eu/jira/browse/UY-795> Subject text field in template editor should be 100% wide
* UY-813 <https://dev.unity-idm.eu/jira/browse/UY-813> Allow to configure a custom link for signup on authentication screen
* UY-814 <https://dev.unity-idm.eu/jira/browse/UY-814> Enable Norwegian locale

2. *Unity is now hosted at Weblate*

Weblate is an open source web translation management system. If you want to contribute by translating Unity it should be very easy starting now. Everybody can join and start fixing localized strings right away. What is more, the platform keeps track of what has changed in the base translations, making translation maintenance simpler.

See: https://hosted.weblate.org/projects/unity-idm/

The system is integrated with the Unity repository and we accept pull requests directly to Unity's Github repository.

Best regards,
Krzysztof
From: Sander A. <sa....@fz...> - 2018-11-05 10:53:52

Hi Krzysztof,

we want to add some attributes, if not provided by the IdP, based on the IdP itself. Is it possible to compare the IdP in the condition of automatically assigned settings?

To give an example. I log in with the Juelich IdP and the IdP does not provide some assurance information. I want to set them during the account creation. The condition would look like !(eattr contains 'eduPersonAssurance') && IdP=='fz-juelich.de'

Do I get the IdP in some variables?

Cheers,
Sander
From: Krzysztof B. <kb...@un...> - 2018-10-17 14:30:12

Hi Sander,

On 17.10.2018 at 14:28, Sander Apweiler wrote:
> Hi Krzysztof,
>
> is it possible to create some kind of audit log or something else where
> I can see who increases access roles or adds privileged users outside
> of the regular unity log?

Unfortunately not. This is a missing feature; we even have a ticket open for this (since 2013, one of the oldest not done) but as there was no push for this from the community it was postponed many times...

Best,
KB
From: Sander A. <sa....@fz...> - 2018-10-17 12:29:10

Hi Krzysztof,

is it possible to create some kind of audit log or something else where I can see who increases access roles or adds privileged users outside of the regular unity log?

Best regards,
Sander
From: Krzysztof B. <kb...@un...> - 2018-10-16 13:12:11

Dear Subscribers,

On behalf of the Unity Team, I'm happy to announce that release 2.7.0 is out.

Release *2.7.0* is a subsequent important Unity milestone completing a huge change around end-user facing UI improvements. The main focus of this release was on registration: both in terms of UI, UX and core features.

/When installing this release as an update a migration will be performed and some configuration changes may be necessary. Make sure to make a backup and read the update instructions in the documentation!/

The highlights are:

* There is a completely new registration path possible: a *registration form* may *allow for selecting a remote signup*, with any of the enabled external authentication options (like Google, FB, other OAuth providers, or SAML IdPs). So far this was only possible as an effect of a failed authentication try, which was not working well with typical use cases.
  o The user may be given a choice to use a remote credential for the registered account or a local one, stored in Unity.
  o The local registration form may be embedded on a starting registration screen (with external options), or presented only after selecting the local registration path.
  o After external registration, a registration form may still be rendered if some of the required information was not provided by the external IdP.
* *Enrolment to groups is* now way more flexible: instead of setting a static list of available groups for the form, the admin may configure a wildcard: the actual groups to be offered are established at runtime. This feature supports enrolment to project/tenant/organization unit groups which change over time.
  o What is more, form attributes may be configured to be set in the group selected by the user on the same form.
* A new *finalization* feature was added *in the registration* subsystem. Finalization allows for specifying details of behavior for all final states of the registration process: from successful submission to all kinds of errors.
  o Note: this feature deprecates the former partial support for controlling some of such behaviors in the registration form profile. Please update your form if you used such; the actions will be preserved after upgrade for your reference.
* *Rendering of the registration form* and the UX of individual elements was greatly improved and refactored to be streamlined with how the authentication UI works. Password setup offers nice hints, fields are validated during typing, and the layout was improved.
* *Credential reset flow UI* as well as the *UI of outdated credential* change was improved and simplified.
* Custom and *invitation message templates* allow for using arbitrary, *custom parameters*. Those parameters can be filled when preparing a personalized invitation or sending an email with the REST API.

Other, smaller changes:

* An invitation can preset the identity for remote OAuth registration. This preset identity may also be mandatory, so that the user can not register with a different one.
* The registration form configuration UI was refactored. Forms may only be inspected after opening.
* AdminUI -> Contents management is not showing group attribute classes (they can still be inspected from the group's context menu). Instead basic group stats are shown.
* A new registration profile action allows processing all pending invitations for the same user when the user registers. This may work regardless of whether the registration is made by invitation or not.
* Plus many smaller improvements and bugfixes, see the detailed changelog below.

As always for more details see: http://www.unity-idm.eu/downloads/

Best regards,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2018-10-04 08:51:15
Hi Sander,

On 04.10.2018 at 08:02, Sander Apweiler wrote:
> Hi Krzysztof,
>
> we are redesigning our attribute set, collected from IdP/users and we
> want to replace CN by givenName and sn. The CN will be built by ourselves
> from givenName and SN for the services that need it.
>
> Some users will have the CN but no givenName and sn for some time and
> vice versa. How can I create the CN by givenName and sn if CN does not
> exist?
>
> If I create both statements in the output translation profile, the first
> will be overwritten by the second one and send some null values.

Hmm, either I miss something or this can be achieved with a proper rule condition? Like:

condition: !(attr contains 'cn') && (attr contains 'sn') && (attr contains 'givenName')
action: create cn from sn and given name

HTH,
KB
From: Sander A. <sa....@fz...> - 2018-10-04 06:03:12
Hi Krzysztof,

we are redesigning our attribute set, collected from IdP/users and we want to replace CN by givenName and sn. The CN will be built by ourselves from givenName and SN for the services that need it.

Some users will have the CN but no givenName and sn for some time and vice versa. How can I create the CN by givenName and sn if CN does not exist?

If I create both statements in the output translation profile, the first will be overwritten by the second one and send some null values.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren district court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Dr. Karl Eugen Huthmacher
Management: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt
-----------------------------------------------------------------------
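A model of the rule ordering discussed in this question and in Krzysztof's reply above (an added example, not Unity's own code or its MVEL condition syntax; the rule, condition and action names are assumptions): two unconditional "create cn" statements overwrite each other and emit a null cn for users who only have a stored CN, while the guarded condition from the reply leaves an existing cn alone and fills it only when givenName and sn are present.

```python
# Added example, not Unity's own code: models how ordered output translation
# profile rules combine. Rule/condition/action names are assumptions.
from typing import Callable, Dict, List, Optional, Tuple

Attrs = Dict[str, Optional[str]]
Rule = Tuple[Callable[[Attrs], bool], Callable[[Attrs], Attrs]]

def contains(attrs: Attrs, name: str) -> bool:
    """Counterpart of the thread's 'attr contains X': present and non-empty."""
    return attrs.get(name) not in (None, "")

def always(_: Attrs) -> bool:  # condition of an unconditional statement
    return True

def cn_missing_but_parts_present(a: Attrs) -> bool:
    """!(attr contains 'cn') && (attr contains 'sn') && (attr contains 'givenName')"""
    return not contains(a, "cn") and contains(a, "sn") and contains(a, "givenName")

def build_cn(attrs: Attrs) -> Attrs:
    """Action: set cn from givenName and sn; a missing part yields a null cn."""
    out = dict(attrs)
    if contains(attrs, "givenName") and contains(attrs, "sn"):
        out["cn"] = f"{attrs['givenName']} {attrs['sn']}"
    else:
        out["cn"] = None  # the null value the question complains about
    return out

def keep_cn(attrs: Attrs) -> Attrs:
    """Action: pass the stored cn through unchanged (null when absent)."""
    out = dict(attrs)
    out["cn"] = attrs.get("cn")
    return out

def apply_rules(attrs: Attrs, rules: List[Rule]) -> Attrs:
    """Evaluate rules in order; a later action overwrites an earlier one."""
    out = dict(attrs)
    for condition, action in rules:
        if condition(out):
            out = action(out)
    return out

# Two unconditional statements as in the question: whichever runs last wins.
UNGUARDED: List[Rule] = [(always, keep_cn), (always, build_cn)]
# Single guarded statement as in the reply: only fills cn when it is absent.
GUARDED: List[Rule] = [(cn_missing_but_parts_present, build_cn)]

# Constructed sample users covering the cases described in the thread.
LEGACY_USER: Attrs = {"cn": "Ada Lovelace"}               # stored CN only
NEW_USER: Attrs = {"givenName": "Ada", "sn": "Lovelace"}  # name parts only
```

Running `apply_rules(LEGACY_USER, UNGUARDED)` yields a null cn, whereas the guarded rule set returns the stored value for the legacy user and builds it for the new one.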
From: Krzysztof B. <kb...@un...> - 2018-10-02 14:59:00
Hi,

On 26.09.2018 at 12:44, Krzysztof Benedyczak wrote:
> Dear Tim,
>
> On 26.09.2018 at 11:46, Tim Kreuzer wrote:
>>
>> Dear Krzysztof,
>>
>> in version 2.5.0 of Unity-IdM Enquiry Forms are only shown if
>> skipConsent is set to false. Is this an intended behavior? Is there a
>> way to show Enquiry Forms even if the consent page should be skipped?
>>
> Yeah, it will behave like this. This is related to an important
> optimization (requested by many parties): if possible the UI should
> not be loaded upon authN. And having the consent screen off is the main
> requisite for this to kick in.
>
> I can check whether it is easy to still trigger UI loading if there is
> an enquiry for the user, hard to say off the top of my head.

Fixed, will be delivered in 2.7.0

Best
KB
From: Krzysztof B. <kb...@un...> - 2018-09-26 10:45:09
Dear Tim,

On 26.09.2018 at 11:46, Tim Kreuzer wrote:
>
> Dear Krzysztof,
>
> in version 2.5.0 of Unity-IdM Enquiry Forms are only shown if
> skipConsent is set to false. Is this an intended behavior? Is there a
> way to show Enquiry Forms even if the consent page should be skipped?
>

Yeah, it will behave like this. This is related to an important optimization (requested by many parties): if possible the UI should not be loaded upon authN. And having the consent screen off is the main requisite for this to kick in.

I can check whether it is easy to still trigger UI loading if there is an enquiry for the user, hard to say off the top of my head.

Best,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2018-09-26 10:41:46
Hi Sander,

On 26.09.2018 at 10:43, Sander Apweiler wrote:
> Hi Krzysztof,
>
> I'm preparing the update to unity 2.6 and try to convert the tiles
> into columns. As a first step I started with the password authenticator and
> tried to extend it to the example from the manual. When the grid is loaded an
> Out of Memory error occurs. samlWeb and pwdWeb authenticators are
> copied from previous installations. The log is attached. Do you have
> any idea about the problem?

There are two possibilities. Either you should increase the Unity memory limit and this will go away (startup.properties). Or there is a bug. To check this option, please create and send me a memory dump (with jmap -dump ...), when the error occurs. The log file in case of OOM is not of much help.

Thanks,
KB