Menu
▾
▴
unity-idm-discuss — Unity discussion and support
You can subscribe to this list here.
| 2014 |
Jan
(3) |
Feb
(1) |
Mar
|
Apr
(1) |
May
|
Jun
|
Jul
(2) |
Aug
(2) |
Sep
|
Oct
(3) |
Nov
|
Dec
(1) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2015 |
Jan
(20) |
Feb
(3) |
Mar
|
Apr
|
May
|
Jun
(15) |
Jul
(1) |
Aug
(7) |
Sep
(13) |
Oct
(2) |
Nov
(10) |
Dec
(1) |
| 2016 |
Jan
|
Feb
(2) |
Mar
|
Apr
(2) |
May
(1) |
Jun
|
Jul
(1) |
Aug
(2) |
Sep
(11) |
Oct
(7) |
Nov
(6) |
Dec
(11) |
| 2017 |
Jan
(10) |
Feb
(5) |
Mar
(27) |
Apr
(34) |
May
(25) |
Jun
(14) |
Jul
(7) |
Aug
(17) |
Sep
(11) |
Oct
(6) |
Nov
(14) |
Dec
(10) |
| 2018 |
Jan
(8) |
Feb
(19) |
Mar
(40) |
Apr
(9) |
May
(16) |
Jun
(23) |
Jul
(31) |
Aug
(7) |
Sep
(9) |
Oct
(6) |
Nov
(14) |
Dec
(19) |
| 2019 |
Jan
(4) |
Feb
(6) |
Mar
(1) |
Apr
(2) |
May
(6) |
Jun
(3) |
Jul
|
Aug
|
Sep
|
Oct
(2) |
Nov
(19) |
Dec
(14) |
| 2020 |
Jan
(10) |
Feb
(24) |
Mar
(49) |
Apr
(26) |
May
(12) |
Jun
(4) |
Jul
(13) |
Aug
(32) |
Sep
(13) |
Oct
(10) |
Nov
(4) |
Dec
(16) |
| 2021 |
Jan
(2) |
Feb
(8) |
Mar
(15) |
Apr
(19) |
May
(5) |
Jun
(13) |
Jul
(6) |
Aug
(38) |
Sep
(11) |
Oct
(18) |
Nov
(11) |
Dec
(13) |
| 2022 |
Jan
(10) |
Feb
(21) |
Mar
(28) |
Apr
(3) |
May
(7) |
Jun
(9) |
Jul
(14) |
Aug
(13) |
Sep
(8) |
Oct
(29) |
Nov
(1) |
Dec
(21) |
| 2023 |
Jan
(19) |
Feb
(9) |
Mar
|
Apr
(10) |
May
(7) |
Jun
(10) |
Jul
(14) |
Aug
(17) |
Sep
(1) |
Oct
(9) |
Nov
(5) |
Dec
(14) |
| 2024 |
Jan
(12) |
Feb
(2) |
Mar
(8) |
Apr
(1) |
May
(6) |
Jun
(6) |
Jul
(24) |
Aug
(15) |
Sep
(1) |
Oct
(6) |
Nov
(20) |
Dec
(14) |
| 2025 |
Jan
(12) |
Feb
(2) |
Mar
(10) |
Apr
(11) |
May
(13) |
Jun
(1) |
Jul
(2) |
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
|
From: Krzysztof B. <kb...@un...> - 2018-08-03 16:24:19
|
Hi Fabian, W dniu 02.08.2018 o 15:41, Fabian Mangels pisze: > > Hi Krzysztof, > > I have another question. > Is it possible to change the hash function for the locally stored > password? > At the moment the default password storage scheme is SCRYPT. I would > like to use SSHA. > The background is that I use the REST interface to get user accounts > and then I would like to add them to an LDAP directory (OpenLDAP). > Thanks in advance! Well, you can plug your own storage of password, however this is rather low level development in Unity. You would need to either replace unity-std-plugins with your patched implementation or (much better IMO) add a new credential type, which will be the same as existing password (also compatible with existing password retrieval methods) but will use the desired storage scheme. E.g. password-ssha. This 2nd variant is cleaner but requires much work as you will have to provide UI plugins for new credential type (those would be very similar if not the same as the ones for password, but anyway). You can see how the core part can be done in pl.edu.icm.unity.stdext.credential.pass.PasswordEngine class in the unity-std-plugins module. HTH, Krzysztof |
|
From: Fabian M. <fab...@aw...> - 2018-08-02 13:41:40
|
Hi Krzysztof, I have another question. Is it possible to change the hash function for the locally stored password? At the moment the default password storage scheme is SCRYPT. I would like to use SSHA. The background is that I use the REST interface to get user accounts and then I would like to add them to an LDAP directory (OpenLDAP). Thanks in advance! Yours sincerely Fabian Mangels Alfred-Wegener-Institut, Helmholtz-Zentrum für Polar- und Meeresforschung Infrastructure/Administration | Computing and Data Centre |
|
From: Krzysztof B. <kb...@un...> - 2018-08-01 21:03:22
|
Dear Subscribers,
The first revision of the 2.6 release trunk is available.
**
This is in the first bugfix release, however also brings two features.
The most important changes are:
* Bulk entity operation UI fixed in number of places, should not crash
and be more useable
* Automatic (proxy) login feature fixed after being broken in 2.6.0
* The in-place update works with any Unity 2 version, not only with 2.5.0
* Performance was greatly improved, when using slow (typically cloud
or remote) RDBMS storage backned. You should especially notice it
when using entities table in the AdminUI.
* A new REST admin operation was added to retrieve all group members
with their attributes and details in one shot
As always for more details see: http://www.unity-idm.eu/downloads/
Best regards,
Krzysztof
|
|
From: Krzysztof B. <kb...@un...> - 2018-08-01 12:14:32
|
Hi Sander, W dniu 26.07.2018 o 08:23, Sander Apweiler pisze: > Hi Krzysztof, > > within unity 1.x it was possible to set system attributes like the > return URL of Oauth clients to self modifiable. Since version 2 it is > not possible. > > Sadly Oauth client admins don't know what they are doing (sometimes). I > got a lot of emails because their return URL changed and they asked to > update them. Requesting a new client is not much better, because we > have a manually evaluation of the requests. Is it possible to make the > attribute self modifiable again? That's small UI glitch only which is making edit button inactive for those types - whole feature is still available. Will be fixed in 2.6.1 Thanks KB |
|
From: Krzysztof B. <kb...@un...> - 2018-07-27 19:26:47
|
Hi Fabian, W dniu 26.07.2018 o 10:12, Fabian Mangels pisze: > > Hi list, > > Is it possible to integrate an LDAP endpoint in Unity? > I would like to access the local entities in the Unity database via > LDAP, so that even non-web-based services can use the stored entities > in Unity. > Or is there another workaround for such a project? > Thanks in advance! We have a long-lasting effort to expose such functionality in Unity. However it was still not integrated into baseline code as there are quite a few issues with the code to be solved first. It is hard for me to provide timeline for this - depends bit on Willem's help here. Alternatives are to use the proprietary REST-admin endpoint of Unity or (even better) OAuth, which can be used without web too. Best Krzysztof |
|
From: Fabian M. <fab...@aw...> - 2018-07-26 08:37:15
|
Hi list, Is it possible to integrate an LDAP endpoint in Unity? I would like to access the local entities in the Unity database via LDAP, so that even non-web-based services can use the stored entities in Unity. Or is there another workaround for such a project? Thanks in advance! Yours sincerely Fabian Mangels Alfred-Wegener-Institut, Helmholtz-Zentrum für Polar- und Meeresforschung Infrastructure/Administration | Computing and Data Centre |
|
From: Sander A. <sa....@fz...> - 2018-07-26 06:23:29
|
Hi Krzysztof, within unity 1.x it was possible to set system attributes like the return URL of Oauth clients to self modifiable. Since version 2 it is not possible. Sadly Oauth client admins don't know what they are doing (sometimes). I got a lot of emails because their return URL changed and they asked to update them. Requesting a new client is not much better, because we have a manually evaluation of the requests. Is it possible to make the attribute self modifiable again? Best regards, Sander -- Federated Systems and Data Juelich Supercomputing Centre phone: +49 2461 61 8847 fax: +49 2461 61 6656 email: sa....@fz... ----------------------------------------------------------------------- ----------------------------------------------------------------------- Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Dr. Karl Eugen Huthmacher Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt ----------------------------------------------------------------------- ----------------------------------------------------------------------- |
|
From: Krzysztof B. <kb...@un...> - 2018-07-24 17:25:42
|
Hi, W dniu 24.07.2018 o 07:41, Sander Apweiler pisze: > Hi Krzysztof, > > I can understand your concerns about authentication via query parameter > and agree to it. Sadly users does not. Most given answer is but it > works with X. But this is another story. Adding another credential retrieval, extracting username and password from query parameters is simple in Unity, we can rather easily implement this. But currently it is not supported, and as it is insecure, I'd add it only if we have a solid use case. > At least for Mattermost and keycloak, the clients had already an access > token and want to fetch the userinfromation. So most likely what you need, is to add to the endpoint that those clients talk to in Unity, an additional authenticator, allowing for authenticating with an unity-issued access token. See http://www.unity-idm.eu/documentation/unity-2.6.0/manual.html#_simple_oauth2_unity_as_oauth_resource_provider in this case you want the simplest variant: unity.oauth2-rp.verificationProtocol=internal HTH, Krzysztof |
|
From: Sander A. <sa....@fz...> - 2018-07-24 06:29:26
|
Hi Krzysztof, I think this would be a good feature and rises the comfort for admins and especially users if the certificate has to be renewed. Otherwise the federated login might broke until all IdPs and SPs have updated the cert of unity. Best regards, Sander Am Montag, den 23.07.2018, 20:02 +0200 schrieb Krzysztof Benedyczak: > Hi Sander, > > W dniu 20.07.2018 o 07:54, Sander Apweiler pisze: > > Hi Krzysztof, > > > > Ok, got it. Just one question in addition. If I configure both in > > pki.properties and add both manually in the metadata, can unity use > > the > > second cert, not configured in requesterCredential, to decrypt > > messages > > from IdPs, if they use for some reason the second one. E.g. they > > did > > not fetch federation metadata. > > Unfortunately no, it is not supported. This would require an > additional > option to enumerate those other credentials and bit of development > to > find a proper key per message. > > Best, > Krzysztof -- Federated Systems and Data Juelich Supercomputing Centre phone: +49 2461 61 8847 fax: +49 2461 61 6656 email: sa....@fz... ----------------------------------------------------------------------- ----------------------------------------------------------------------- Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Dr. Karl Eugen Huthmacher Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt ----------------------------------------------------------------------- ----------------------------------------------------------------------- |
|
From: Sander A. <sa....@fz...> - 2018-07-24 05:42:13
|
Hi Krzysztof, I can understand your concerns about authentication via query parameter and agree to it. Sadly users does not. Most given answer is but it works with X. But this is another story. At least for Mattermost and keycloak, the clients had already an access token and want to fetch the userinfromation. Best regards, Sander Am Montag, den 23.07.2018, 19:39 +0200 schrieb Krzysztof Benedyczak: > Hi Sander, > > W dniu 23.07.2018 o 11:58, Sander Apweiler pisze: > > Hi Krzysztof, > > > > In last weeks we had a lot of requests for service integration via > > oauth/oidc. We had the problem that unity rejected the requests > > because > > of missing HTTP BASIC auth header. E.g. the integration of > > Mattermost > > (chat server) and Keycloak as SP was not possible because both did > > not > > send the header. > > > > Is it possible to disable the need for HTTP BASIC auth header in > > authentication for oauth clients? I didn't find something in the > > manual. > > Well, yes it is possible to disable this. But the real question is: > how > do you want to authenticate those clients instead? You can with > client-certificate (tls authn), but I guess your client won't > support > this as well. Other option which is used in OAuth ecosystem is to > pass > client's username and pass via query params - but this is highly > insecure, not recommended and not supported by Unity. Is this your > case? > Or maybe your only concern is about client who already has a valid > access token and accesses Unity to fetch user's profile? > > Best, > Krzysztof -- Federated Systems and Data Juelich Supercomputing Centre phone: +49 2461 61 8847 fax: +49 2461 61 6656 email: sa....@fz... ----------------------------------------------------------------------- ----------------------------------------------------------------------- Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Dr. Karl Eugen Huthmacher Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt ----------------------------------------------------------------------- ----------------------------------------------------------------------- |
|
From: Krzysztof B. <kb...@un...> - 2018-07-23 18:02:27
|
Hi Sander, W dniu 20.07.2018 o 07:54, Sander Apweiler pisze: > Hi Krzysztof, > > Ok, got it. Just one question in addition. If I configure both in > pki.properties and add both manually in the metadata, can unity use the > second cert, not configured in requesterCredential, to decrypt messages > from IdPs, if they use for some reason the second one. E.g. they did > not fetch federation metadata. Unfortunately no, it is not supported. This would require an additional option to enumerate those other credentials and bit of development to find a proper key per message. Best, Krzysztof |
|
From: Krzysztof B. <kb...@un...> - 2018-07-23 17:47:25
|
Sander, W dniu 23.07.2018 o 12:37, Sander Apweiler pisze: > Hi Krysztof, > > I found another issue in attribute statements in unity 2.4.2 and 2.5.0. > We had no time to test 2.6.0 yet. > > I create an attribute statement without "use attributes from an > external group". I change it and use attributes from an external group > and save it. But unity does not take this change. The checkbox is > unchecked again and the external group is disabled. Yes, I can confirm that bug, as far as I can see this only happens when also the external group is set to the default value '/'. Otherwise edit is working. Seems like minor UI bug, should be fixed in 2.6.1. Thanks, Krzysztof |
|
From: Krzysztof B. <kb...@un...> - 2018-07-23 17:40:08
|
Hi Sander, W dniu 23.07.2018 o 11:58, Sander Apweiler pisze: > Hi Krzysztof, > > In last weeks we had a lot of requests for service integration via > oauth/oidc. We had the problem that unity rejected the requests because > of missing HTTP BASIC auth header. E.g. the integration of Mattermost > (chat server) and Keycloak as SP was not possible because both did not > send the header. > > Is it possible to disable the need for HTTP BASIC auth header in > authentication for oauth clients? I didn't find something in the > manual. Well, yes it is possible to disable this. But the real question is: how do you want to authenticate those clients instead? You can with client-certificate (tls authn), but I guess your client won't support this as well. Other option which is used in OAuth ecosystem is to pass client's username and pass via query params - but this is highly insecure, not recommended and not supported by Unity. Is this your case? Or maybe your only concern is about client who already has a valid access token and accesses Unity to fetch user's profile? Best, Krzysztof |
|
From: Krzysztof B. <kb...@un...> - 2018-07-23 17:32:21
|
Hi Tim, W dniu 19.07.2018 o 13:58, Tim Kreuzer pisze: > > Hi Krzysztof, > > i have configured two different SAMLUnicoreSoapIdP - Endpoints with > two different oauth-rp with cxf-oauth-bearer authenticators. In the > configuration of the authenticators i used the attribute > 'unity.oauth2-rp.cacheTime'. Are these two different authenticators > use the same cache? > Yes, I've checked this and cache instances are shared between all authenticators. That's bug actually as configuration is per authenticator and therefore we should have a separate cache per each authenticator too. Should be easy to fix, should be included in 2.6.1. Thanks for spotting this and precise description of the problem, Krzysztof |
|
From: Sander A. <sa....@fz...> - 2018-07-23 10:38:05
|
Hi Krysztof, I found another issue in attribute statements in unity 2.4.2 and 2.5.0. We had no time to test 2.6.0 yet. I create an attribute statement without "use attributes from an external group". I change it and use attributes from an external group and save it. But unity does not take this change. The checkbox is unchecked again and the external group is disabled. Best regards, Sander -- Federated Systems and Data Juelich Supercomputing Centre phone: +49 2461 61 8847 fax: +49 2461 61 6656 email: sa....@fz... ----------------------------------------------------------------------- ----------------------------------------------------------------------- Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Dr. Karl Eugen Huthmacher Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt ----------------------------------------------------------------------- ----------------------------------------------------------------------- |
|
From: Sander A. <sa....@fz...> - 2018-07-23 09:58:58
|
Hi Krzysztof, In last weeks we had a lot of requests for service integration via oauth/oidc. We had the problem that unity rejected the requests because of missing HTTP BASIC auth header. E.g. the integration of Mattermost (chat server) and Keycloak as SP was not possible because both did not send the header. Is it possible to disable the need for HTTP BASIC auth header in authentication for oauth clients? I didn't find something in the manual. Best regards, Sander -- Federated Systems and Data Juelich Supercomputing Centre phone: +49 2461 61 8847 fax: +49 2461 61 6656 email: sa....@fz... ----------------------------------------------------------------------- ----------------------------------------------------------------------- Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Dr. Karl Eugen Huthmacher Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt ----------------------------------------------------------------------- ----------------------------------------------------------------------- |
|
From: Sander A. <sa....@fz...> - 2018-07-20 05:55:47
|
Hi Krzysztof, Ok, got it. Just one question in addition. If I configure both in pki.properties and add both manually in the metadata, can unity use the second cert, not configured in requesterCredential, to decrypt messages from IdPs, if they use for some reason the second one. E.g. they did not fetch federation metadata. Best regards, Sander Am Donnerstag, den 19.07.2018, 23:31 +0200 schrieb Krzysztof Benedyczak: > Hi Sander, > > W dniu 17.07.2018 o 08:11, Sander Apweiler pisze: > > Hi Krzysztof, > > > > we have to renew our certificate, used for SAML signing and > > en/decryption. We want to add a second one to propagate it to the > > IdPs > > and remove the old one later. Switch has a good explanation about > > our > > goals [1]. > > > > I configured a second certificate: > > unity.pki.credentials.ROLLOVER.format=pkcs12 > > unity.pki.credentials.ROLLOVER.path=/PATH/TO/keystore.p12 > > unity.pki.credentials.ROLLOVER.keyAlias=NEW-ALIAS > > unity.pki.credentials.ROLLOVER.password=MY-SUPER-PASSWORD > > > > Restart unity and add the second cert in requester credentials: > > unity.saml.requester.requesterCredential=MAIN;ROLLOVER > > > > When I reload the authenticator, the process hung up. No second > > cert > > was stored in metadata. I must remove the second cert from > > requester > > credentials and restart unity to get the system running again. I > > saw no > > issues in logs. > > > > Is this purpose possible? Or must I replace the cert in a timeslot > > where I expect only few user to propagate the new cert? > > I'm not sure if I've got your intention. requesterCredential setting > is > used to select which certificate you use for signing/decryption. You > can > use only one. However if you want, you can prepare your own > metadata, > including two certificates (current and future). Then you wait for > the > new metadata to be propagated (what is your federation dependent). > After > new certificate is loaded in metadata of all peers in the > federation, > you can make a real switch: change requesterCredential to the new > one. > And you can remove the old one (soon to be expired) from metadata to > clean up the environment. > > HTH > Krzysztof -- Federated Systems and Data Juelich Supercomputing Centre phone: +49 2461 61 8847 fax: +49 2461 61 6656 email: sa....@fz... ----------------------------------------------------------------------- ----------------------------------------------------------------------- Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Dr. Karl Eugen Huthmacher Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt ----------------------------------------------------------------------- ----------------------------------------------------------------------- |
|
From: Krzysztof B. <kb...@un...> - 2018-07-19 21:31:24
|
Hi Sander, W dniu 17.07.2018 o 08:11, Sander Apweiler pisze: > Hi Krzysztof, > > we have to renew our certificate, used for SAML signing and > en/decryption. We want to add a second one to propagate it to the IdPs > and remove the old one later. Switch has a good explanation about our > goals [1]. > > I configured a second certificate: > unity.pki.credentials.ROLLOVER.format=pkcs12 > unity.pki.credentials.ROLLOVER.path=/PATH/TO/keystore.p12 > unity.pki.credentials.ROLLOVER.keyAlias=NEW-ALIAS > unity.pki.credentials.ROLLOVER.password=MY-SUPER-PASSWORD > > Restart unity and add the second cert in requester credentials: > unity.saml.requester.requesterCredential=MAIN;ROLLOVER > > When I reload the authenticator, the process hung up. No second cert > was stored in metadata. I must remove the second cert from requester > credentials and restart unity to get the system running again. I saw no > issues in logs. > > Is this purpose possible? Or must I replace the cert in a timeslot > where I expect only few user to propagate the new cert? I'm not sure if I've got your intention. requesterCredential setting is used to select which certificate you use for signing/decryption. You can use only one. However if you want, you can prepare your own metadata, including two certificates (current and future). Then you wait for the new metadata to be propagated (what is your federation dependent). After new certificate is loaded in metadata of all peers in the federation, you can make a real switch: change requesterCredential to the new one. And you can remove the old one (soon to be expired) from metadata to clean up the environment. HTH Krzysztof |
|
From: Tim K. <t.k...@fz...> - 2018-07-19 11:59:25
|
Hi Krzysztof,
i have configured two different SAMLUnicoreSoapIdP - Endpoints with two
different oauth-rp with cxf-oauth-bearer authenticators. In the
configuration of the authenticators i used the attribute
'unity.oauth2-rp.cacheTime'. Are these two different authenticators use
the same cache?
An UNICORE/X Server is configured against these two endpoints. It
depends on the order of the connections to the endpoints, whether my
token is validated correctly or not. If hbpoidc ist connected first, the
given bearer token is unknown (which is ok, because it was granted from
myunity, not from the external MITRE OAuth Authorization Server). But
connecting the second endpoint after the first one it says "Caching
token for null ...". When changing the order and connecting to the unity
Authorization Server first everything works fine.
Best regards,
Tim Kreuzer
unity-server.log:
2018-07-19T09:36:44,348 [qtp256719132-38] DEBUG
unity.server.oauth.ResultsCache: Caching token validation result for
null: false expiry: Thu Jul 19 09:37:04 CEST 2018
2018-07-19T09:36:44,365 [qtp256719132-38] DEBUG
unity.server.rest.AuthenticationInterceptor: Authentication set failed
to authenticate the client, will try another:
pl.edu.icm.unity.engine.api.authn.AuthenticationException:
AuthenticationProcessorUtil.authnFailed
2018-07-19T09:36:44,365 [qtp256719132-38] INFO
unity.server.rest.AuthenticationInterceptor: Authentication failed for
client
2018-07-19T09:36:44,365 [qtp256719132-38] WARN
org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for
{http://ws.samlidp.unicore.unity.icm.edu.pl/}SAMLETDAuthnImplService#{urn:oasis:names:tc:SAML:2.0:protocol}AuthnRequest
has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Invalid user name, credential or
external authentication failed.
at
pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:114)
~[unity-server-rest-2.5.0.jar:?]
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
[cxf-core-3.1.10.jar:3.1.10]
at
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
[cxf-core-3.1.10.jar:3.1.10]
at
org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:262)
[cxf-rt-transports-http-3.1.10.jar:3.1.10]
at
org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
[cxf-rt-transports-http-3.1.10.jar:3.1.10]
at
org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
[cxf-rt-transports-http-3.1.10.jar:3.1.10]
at
org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
[cxf-rt-transports-http-3.1.10.jar:3.1.10]
at
org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:180)
[cxf-rt-transports-http-3.1.10.jar:3.1.10]
at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:299)
[cxf-rt-transports-http-3.1.10.jar:3.1.10]
at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:218)
[cxf-rt-transports-http-3.1.10.jar:3.1.10]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
[javax.servlet-api-3.1.0.jar:3.1.0]
at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:274)
[cxf-rt-transports-http-3.1.10.jar:3.1.10]
at
org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:865)
[jetty-servlet-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:535)
[jetty-servlet-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
[jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
[jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
[jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253)
[jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
[jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
[jetty-servlet-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
[jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
[jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155)
[jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
[jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:219)
[jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
[jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:335)
[jetty-rewrite-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:674)
[jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
[jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
at org.eclipse.jetty.server.Server.handle(Server.java:531)
[jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:352)
[jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
[jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:281)
[jetty-io-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)
[jetty-io-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:291)
[jetty-io-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.io.ssl.SslConnection$3.succeeded(SslConnection.java:151)
[jetty-io-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)
[jetty-io-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
[jetty-io-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
[jetty-util-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
[jetty-util-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
[jetty-util-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
[jetty-util-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
[jetty-util-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:760)
[jetty-util-9.4.10.v20180503.jar:9.4.10.v20180503]
at
org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:678)
[jetty-util-9.4.10.v20180503.jar:9.4.10.v20180503]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_171]
Caused by: pl.edu.icm.unity.engine.api.authn.AuthenticationException:
Invalid user name, credential or external authentication failed.
at
pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:105)
~[unity-server-rest-2.5.0.jar:?]
... 45 more
Configuration:
unityServer.conf:
...
unityServer.core.authenticators.hbpoidc.authenticatorName=hbpoidc
unityServer.core.authenticators.hbpoidc.authenticatorType=oauth-rp with
cxf-oauth-bearer
unityServer.core.authenticators.hbpoidc.verificatorConfigurationFile=${CONF}/authenticators/hbp-remoteOAuth.properties
unityServer.core.authenticators.jupyteroauthRPcxf.authenticatorName=jupyteroauthRP-cxf
unityServer.core.authenticators.jupyteroauthRPcxf.authenticatorType=oauth-rp
with cxf-oauth-bearer
unityServer.core.authenticators.jupyteroauthRPcxf.retrievalConfigurationFile=conf/authenticators/empty.json
unityServer.core.authenticators.jupyteroauthRPcxf.verificatorConfigurationFile=conf/authenticators/jupyter-internalOAuthRP.properties
...
hbp-remoteOAuth.properties:
unity.oauth2-rp.verificationProtocol=mitre
....
unity.oauth2-rp.translationProfile=hbp-tr-input-oauth
unity.oauth2-rp.cacheTime=20
....
jupyter-internalOAuthRP.properties:
unity.oauth2-rp.verificationProtocol=unity
unity.oauth2-rp.profileEndpoint=https://myunity.../oauth2/userinfo
unity.oauth2-rp.verificationEndpoint=https://myunity.../oauth2/tokeninfo
unity.oauth2-rp.translationProfile=jupyter-tr-input-oauth
....
samlIdP.module:
unityServer.core.endpoints.hbpsamlUnicoreSoapIdPoidc.endpointType=SAMLUnicoreSoapIdP
unityServer.core.endpoints.hbpsamlUnicoreSoapIdPoidc.endpointConfigurationFile=${CONF}/modules/saml/hbp-saml-webidp.properties
unityServer.core.endpoints.hbpsamlUnicoreSoapIdPoidc.contextPath=/hbp-unicore-soapidp-oidc
unityServer.core.endpoints.hbpsamlUnicoreSoapIdPoidc.endpointRealm=defaultRealm
unityServer.core.endpoints.hbpsamlUnicoreSoapIdPoidc.endpointName=HBP
UNICORE SOAP SAML OIDCservice
unityServer.core.endpoints.hbpsamlUnicoreSoapIdPoidc.endpointAuthenticators=hbpoidc
unityServer.core.endpoints.jupytersamlUnicoreSoapIdP.endpointType=SAMLUnicoreSoapIdP
unityServer.core.endpoints.jupytersamlUnicoreSoapIdP.endpointConfigurationFile=${CONF}/modules/saml/jupyter-saml-webidp.properties
unityServer.core.endpoints.jupytersamlUnicoreSoapIdP.contextPath=/jupyter-unicore-soapidp-oidc
unityServer.core.endpoints.jupytersamlUnicoreSoapIdP.endpointRealm=defaultRealm
unityServer.core.endpoints.jupytersamlUnicoreSoapIdP.endpointName=Jupyter@JSC
UNICORE SOAP SAML service
unityServer.core.endpoints.jupytersamlUnicoreSoapIdP.endpointAuthenticators=jupyteroauthRP-cxf
And in the UNICORE/X configuration... :
container.security.rest.authentication.UNITY-OIDC.class=eu.unicore.services.rest.security.UnityOAuthAuthenticator
container.security.rest.authentication.UNITY-OIDC.address=https://unity-jsc.fz-juelich.de/hbp-unicore-soapidp-oidc/saml2unicoreidp-soap/AuthenticationService
container.security.rest.authentication.UNITY-OIDC.validate=true
container.security.rest.authentication.JHUB.class=eu.unicore.services.rest.security.UnityOAuthAuthenticator
container.security.rest.authentication.JHUB.address=https://unity-jsc.fz-juelich.de/jupyter-unicore-soapidp-oidc/saml2unicoreidp-soap/AuthenticationService
container.security.rest.authentication.JHUB.validate=true
container.security.rest.authentication.order=UNITY-OIDC JHUB (if the
order is JHUB UNITY-OIDC everything is fine).
--
M.Sc. Tim Kreuzer
Federated Systems and Data
Jülich Supercomputing Centre, http://www.fz-juelich.de/jsc
Phone: +49 2461 61-1583
-----------------------------------------------------------------------
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzender des Aufsichtsrats: MinDir Dr. Karl Eugen Huthmacher
Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender),
Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt,
Prof. Dr. Sebastian M. Schmidt
-----------------------------------------------------------------------
-----------------------------------------------------------------------
|
|
From: Sander A. <sa....@fz...> - 2018-07-17 06:12:00
|
Hi Krzysztof, we have to renew our certificate, used for SAML signing and en/decryption. We want to add a second one to propagate it to the IdPs and remove the old one later. Switch has a good explanation about our goals [1]. I configured a second certificate: unity.pki.credentials.ROLLOVER.format=pkcs12 unity.pki.credentials.ROLLOVER.path=/PATH/TO/keystore.p12 unity.pki.credentials.ROLLOVER.keyAlias=NEW-ALIAS unity.pki.credentials.ROLLOVER.password=MY-SUPER-PASSWORD Restart unity and add the second cert in requester credentials: unity.saml.requester.requesterCredential=MAIN;ROLLOVER When I reload the authenticator, the process hung up. No second cert was stored in metadata. I must remove the second cert from requester credentials and restart unity to get the system running again. I saw no issues in logs. Is this purpose possible? Or must I replace the cert in a timeslot where I expect only few user to propagate the new cert? Best regards, Sander [1]: https://www.switch.ch/aai/guides/sp/certificate-rollover/ -- Federated Systems and Data Juelich Supercomputing Centre phone: +49 2461 61 8847 fax: +49 2461 61 6656 email: sa....@fz... ----------------------------------------------------------------------- ----------------------------------------------------------------------- Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Dr. Karl Eugen Huthmacher Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt ----------------------------------------------------------------------- ----------------------------------------------------------------------- |
|
From: Krzysztof B. <kb...@un...> - 2018-07-16 20:33:24
|
Dear Subscribers,
On behalf of the Unity Team, I'm happy to announce that release *2.6.0
is out.*
2.6.0 is a major Unity milestone concluding our architectural changes
started in the previous release. The release focus was on
authentication: a reworked authentication screen, 2 factor
authentication, step up authentication and improved remember me are
available.
When installing this release as an update a migration will be performed
and some configuration changes may be necessary. Make sure to make
backup and read update instructions in the documentation. At the same
time the good news is that this is the last release with breaking
changes. We have no more planned in the near-to-mid term, so subsequent
updates should be much easier. We are also planning to have couple of
2.6.x revision releases bringing smaller improvements and bugfixes next,
before 2.7.0 which can take more time.
The highlights of the 2.6.0 are:
* We are introducing *authentication flow* concept. Authentication
flow is used *to configure two factor authentication* (2FA, MFA). So
far Unity allowed for configuring MFA in a simplistic way by
requiring to login with two fixed authenticators. With
authentication flows which replace the old mechanism it is possible
to control 2FA flexibly:
o 2nd factor authenticator can be selected at runtime, depending
on active user's credentials,
o it is possible to set a policy which controls when 2FA is
required. Besides simple always required 2FA, it is possible to
delegate the decision to end user, who can opt-in to use 2FA.
o The new syntax will allow us in future to introduce risk based
authentication models easily, without additional breaking
configuration changes.
* *Authentication screen* was fully reworked, the former tiles concept
was dropped. This is the biggest breaking change – authentication
screen will need to be configured and branded from scratch. However,
this process should be way easier and result with great UX, not
possible before.
o Authentication options are organized in configured number of
columns (typically 1 or 2).
o All options visible on the screen can be immediately used. No
more extra clicking to select an option to authenticate with.
o Unity takes care about formatting of options so that the screen
looks nice and is following the common authentication patterns
that are popular on the web (and should be familiar to end users).
o Authentication screen can be made dynamic, adapting to user. The
most useful option is to only show the previously used
authentication widget for returning users. This simplifies login
experience a lot.
o A lot of effort was made to make the screen easy to style. The
top bar is gone. All types of elements have distinct classes
making it easy to address then in custom CSS.
* *Remember me feature*, making device trusted for easier login in
future, was fully rewritten. First of all we are using safer
architecture then before. What is more the feature can be enabled
only for 2nd factor authentication. Finally users have access to
remembered devices on HomeUI and can clear the list.
* *Additional/step up authentication* before executing *sensitive
operations*. Unity can be configured to expose (via HomeUI) certain
sensitive operations to end-users. The most obvious one is changing
of user’s password, but also SMS telephone number (for SMS
credential) or email address (used for password reset) are falling
into this category. In this release we are adding possibility to
configure how to ensure security of those operations. User may be
forced to authenticate again, or to perform step up authentication
with 2nd factor (even if it was not needed for initial
authentication) before being able to perform a sensitive operation.
* *Composite password* can be used to create an *authenticator* which
will present a single password-login widget, which will under the
hood use one of many configured password verification methods. Using
this feature you can mix local password authentication (even with
multiple password credentials) with say remote LDAP authentication,
without making this anyhow visible to end-users.
Other, smaller changes:
* Microsoft Azure/AD can be be easily used as a new preconfigured
remote OAuth authentication service.
* SAML metadata Service Providers with multiple endpoints advertised
in metadata are now properly supported, including full support for
metadata indexing of endpoints.
* Consent and email confirmation screens have top header removed, what
allows for easier branding.
* It is possible to configure messages which are sent to users upon
account removal and deactivation.
* Users bulk operations subsystem have a new action, which can send
notification to the selected users. This can be used to send for
instance information prior to disabling or removing an account or
simply to mass-send any form of update.
* IdP endpoints (SAML and OAuth) can be configured to ask user for
selecting attribute values, which will be active for the login
session. This can be used to ask for active role, organization etc.
It is possible to offer single or multi selection of values.
As always for more details see: http://www.unity-idm.eu/downloads/
With this release we have completed a big milestone that we planned over
a year ago, to bring all fundamental core features that IdM software
should offer. Unity was excellent in many advanced and complex
scenarios, but was lacking in some simpler ones. Now this has changed.
We still want to provide many more core features (as risk based
authentication, server LDAP interface, easier to use mobile
authentication to name a few), but our focus will slightly change now to
create a better administration experience for Unity.
Best regards,
Krzysztof
|
|
From: Krzysztof B. <kb...@un...> - 2018-07-09 19:33:31
|
W dniu 04.07.2018 o 09:33, Sander Apweiler pisze: > 2.4.2. Sorry I forgot to enter it. > OK, got it. Minor issue, will be fixed in next release. Thanks, Krzysztof |
|
From: Krzysztof B. <kb...@un...> - 2018-07-09 19:19:43
|
Hi Nikolaos,
I'm answering here for both recent emails. With this information I can
understand what you want to perform now.
Should work - at least the similar setup worked fine for me without a
problem a moment ago:
Site ---OAuth login-->Unity AS with autoLogin --SAML login-->SAML IdP on
Unity
More or less configured as below but there are still tons of places
where problems may happen.
First of all read the logs. Looking for warns/errors is not always
helpful. You should enable debug (or for this purpose even TRACE)
logging of SAML, OAuth and web subsystems. You will have information
(search for "Proxy") on auto login fact (or that it is skipped).
2nd thing to do is to compare this with browser log (Developer tools ->
Network tab, important: turn off persistent logs, otherwise each
redirect will clean the log).
With this information you should be able to precisely identify in which
moment your flow is not behaving as expected and perhaps what is the
reason.
HTH,
Krzysztof
W dniu 04.07.2018 o 13:47, Nikolaos Evangelou pisze:
> Hello Krzysztof,
>
> I don’t see any warns or errors in logs. In the browser if I try to login I will get this message “There is a SAML authentication going on already. Perhaps you used a Back button during authentication or authenticate in two browser windows? Either finish that login process or cancel it locally with the ''Cancel'' button before trying again.”
> I tried to switch unity.endpoint.web.autoLogin to false and it works. Maybe I misconfigured something.
>
> Here are all the changes I made:
> 1. Modified conf/unityServer.conf
> unityServer.core.authenticators.marineWeb.authenticatorName=marineWeb
> unityServer.core.authenticators.marineWeb.authenticatorType=saml2 with web-saml2
> unityServer.core.authenticators.marineWeb.verificatorConfigurationFile=${CONF}/authenticators/marineAuth.properties
> unityServer.core.authenticators.marineWeb.retrievalConfigurationFile=${CONF}/authenticators/marineAuth.properties
>
> And
>
> # Enables MarineID AS functionality
> $include.marineAS=${CONF}/modules/marineAS.module
>
> Both are copies of samlWeb and $include.oauthAS correspondingly.
>
> 2. Created authenticators/marineAuth.properties copy of remoteSamlAuth.properties
> unity.saml.requester.requesterEntityId=https://unity.eudat-aai.fz-juelich.de:8443/unitygw/saml-sp-metadata
> unity.saml.requester.metadataPath=metadata1
> unity.saml.requester.requesterCredential=MAIN
> unity.saml.requester.acceptedNameFormats.1=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
> unity.saml.requester.acceptedNameFormats.2=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
> unity.saml.requester.acceptedNameFormats.3=urn:oasis:names:tc:SAML:2.0:nameid-format:transient
>
> unity.saml.requester.sloPath=slo1
> unity.saml.requester.sloRealm=defaultRealm
>
> unity.saml.requester.remoteIdp.marine.name=MarineID IdP
> unity.saml.requester.remoteIdp.marine.address=https://idp.marine-id.org/idp/profile/SAML2/Redirect/SSO
> unity.saml.requester.remoteIdp.marine.binding=HTTP_REDIRECT
> unity.saml.requester.remoteIdp.marine.samlId=https://idp.marine-id.org/idp/shibboleth
> unity.saml.requester.remoteIdp.marine.certificate=MARINEID
> unity.saml.requester.remoteIdp.marine.translationProfile=marineID
> unity.saml.requester.remoteIdp.marine.registrationFormForUnknown=marineID Registration Form
> unity.saml.requester.remoteIdp.marine.enableAccountAssociation=false
> unity.saml.requester.remoteIdp.marine.logoURI.en=https://www.marine-id.org/img/logo-noBG.svg
>
> 3. Created modules/oauthAS.module copy of oauthAS.module
> unityServer.core.script.909.file=${CONF}/scripts/oauthDemoInitializer.groovy
> unityServer.core.script.909.trigger=pre-init
>
> unityServer.core.endpoints.marineOauth.endpointType=OAuth2Authz
> unityServer.core.endpoints.marineOauth.endpointConfigurationFile=${CONF}/modules/oauth/oauth2-marine.properties
> unityServer.core.endpoints.marineOauth.contextPath=/oauth2-marine
> unityServer.core.endpoints.marineOauth.endpointName=MarineID OAuth2 Authorization Server
> unityServer.core.endpoints.marineOauth.endpointRealm=defaultRealm
> unityServer.core.endpoints.marineOauth.endpointAuthenticators=marineWeb
>
> unityServer.core.endpoints.marineToken.endpointType=OAuth2Token
> unityServer.core.endpoints.marineToken.endpointConfigurationFile=${CONF}/modules/oauth/oauth2-marine.properties
> unityServer.core.endpoints.marineToken.contextPath=/marine
> unityServer.core.endpoints.marineToken.endpointName=MarineID OAuth2 Token endpoint
> unityServer.core.endpoints.marineToken.endpointRealm=defaultRealm
> unityServer.core.endpoints.marineToken.endpointAuthenticators=pwdRest;certRest
>
> 4. Created modules/oauth/oauth2-marine.properties copy of modules/oauth/oauth2-as.properties
> unity.oauth2.as.issuerUri=https://unity.eudat-aai.fz-juelich.de:8443/marine
>
> unity.oauth2.as.signingCredential=MAIN
>
> unity.oauth2.as.clientsGroup=/oauth-clients
> unity.oauth2.as.usersGroup=/
>
> unity.oauth2.as.translationProfile=marineIDout
> unity.oauth2.as.accessTokenValidity=600
> unity.oauth2.as.extendAccessTokenValidityUpTo=86400
> unity.oauth2.as.refreshTokenValidity=0
> # Definition of scopes
>
> unity.oauth2.as.scopes.1.name=openid
> unity.oauth2.as.scopes.1.description=Enables the OpenID Connect support
>
> unity.oauth2.as.scopes.4.name=email
> unity.oauth2.as.scopes.4.description=OpenID Connect Email Scope
> unity.oauth2.as.scopes.4.attributes.1=email
>
> unity.oauth2.as.scopes.5.name=profile
> unity.oauth2.as.scopes.5.description=OpenID Connect user profile scope
> unity.oauth2.as.scopes.5.attributes.1=name
>
> unity.oauth2.as.scopes.2.name=USER_PROFILE
> unity.oauth2.as.scopes.2.description=Provides access to the user's profile information
> unity.oauth2.as.scopes.2.attributes.1=userName
> unity.oauth2.as.scopes.2.attributes.2=email
> unity.oauth2.as.scopes.2.attributes.3=groups
> unity.oauth2.as.scopes.2.attributes.4=unity:persistent
> unity.oauth2.as.scopes.2.attributes.5=urn:oid:2.5.4.49
> unity.oauth2.as.scopes.2.attributes.6=name
> unity.oauth2.as.scopes.2.attributes.7=cn
>
>
> unity.oauth2.as.scopes.3.name=GENERATE_USER_CERTIFICATE
> unity.oauth2.as.scopes.3.description=Generate User Certificate
> unity.oauth2.as.scopes.3.attributes.1=userName
> unity.oauth2.as.scopes.3.attributes.2=email
> unity.oauth2.as.scopes.3.attributes.3=name
> unity.oauth2.as.scopes.3.attributes.4=groups
>
>
> #UI specific properties
> unity.endpoint.web.enableRegistration=false
> unity.endpoint.web.autoLogin=true
>
> unity.endpoint.web.authenticationTiles.4.tileContents=oauthMarine
> unity.endpoint.web.authenticationTiles.4.tileMode=table
> unity.endpoint.web.authenticationTiles.4.tileName.en=Login with your MarineID
>
> ———————
> Best regards,
> Nick
>
>> On 4 Jul 2018, at 10:06, Krzysztof Benedyczak <kb...@un...> wrote:
>>
>> W dniu 03.07.2018 o 16:22, Nikolaos Evangelou pisze:
>>> Hello Krzysztof,
>>>
>>> I’m testing your suggestion to create a separate oauth authorization endpoint, but I got some issues. When I make an authentication request to the new endpoint, I go directly to the login page of my preselected IdP (as expected) but after the login I got stack to ${new_endpoint}/oauth2-authz-web-entry portal, and I’m asked to login again. Do you have any suggestion to deal with this issue?
>> Can you evaluate debug logs carefully, together with web browser logs? What happens there, what is precise flow of redirections? Visually this effect in web browser can be due many reasons - up to situation where everything works but your client is redirecting to Unity again as it doesn't accept your new endpoint.
>>
>> Best,
>> Krzysztof
|
|
From: Nikolaos E. <ni...@ad...> - 2018-07-06 11:00:50
|
Hello Krzysztof,
OK, I will try to describe my use case. I have created an OAuth client and I want to make an authorization request. The only change I want to make is, when the user login to unity, to preselect an IdP for him instead to present him/her multiple IdPs, only for this client. I tried to select the IdP using the URL parameters (?uy_select_authn=samlWeb.${authenticationOptionId}&uy_auto_login=true) but it wasn’t working because uy_select_authn and uy_auto_login were ignored.
I then tried your suggestion to create an authorization endpoint and an authenticator with only one IdP.
When I set unity.endpoint.web.autoLogin=true the flow asks from the user to login 2 times.
[cid:2F7...@ad...]
When I set unity.endpoint.web.autoLogin=false the flow works fine.
[cid:B4A...@ad...]
However the user still needs to select the marine IdP even though it’s the only option.
Is it possible to skip this step?
Regards,
Nick
On 4 Jul 2018, at 10:03, Krzysztof Benedyczak <kb...@un...<mailto:kb...@un...>> wrote:
Nikolaos,
W dniu 28.06.2018 o 08:46, Nikolaos Evangelou pisze:
Hello Krzysztof,
I have a different approach for this subject. The users are using a web portal where they request tokens from a client of b2access.
The request is: https://unity.eudat-aai.fz-juelich.de/oauth2-as/oauth2-authz?response_type=code&redirect_uri=https%3A%2F%2Fsnf-761524.vm.okeanos.grnet.gr%2Fb2access%2Frefreshtoken.php&client_id=sdc-test-client-id&scope=openid+email+profile<https://unity.eudat-aai.fz-juelich.de/oauth2-as/oauth2-authz?response_type=code&redirect_uri=https://snf-761524.vm.okeanos.grnet.gr/b2access/refreshtoken.php&client_id=sdc-test-client-id&scope=openid+email+profile>
After that the flow will throw the users here: https://unity.eudat-aai.fz-juelich.de/oauth2-as/oauth2-authz-web-entry to login
Is it possible, instead of the previous url, to redirect the users in this login screen https://unity.eudat-aai.fz-juelich.de/oauth2-as/oauth2-authz-web-entry?uy_select_authn=samlWeb.marine&uy_auto_login=true for that specific client?
I have tried to pass these parameters to the authorisation request (like this https://unity.eudat-aai.fz-juelich.de/oauth2-as/oauth2-authz?uy_select_authn=samlWeb.marine&uy_auto_login=true&response_type=code&redirect_uri=https%3A%2F%2Fsnf-761524.vm.okeanos.grnet.gr%2Fb2access%2Frefreshtoken.php&client_id=sdc-test-client-id&scope=openid+email+profile<https://unity.eudat-aai.fz-juelich.de/oauth2-as/oauth2-authz?uy_select_authn=samlWeb.marine&uy_auto_login=true&response_type=code&redirect_uri=https://snf-761524.vm.okeanos.grnet.gr/b2access/refreshtoken.php&client_id=sdc-test-client-id&scope=openid+email+profile> ) but it doesn’t work.
Can you rephrase and extend your use case? I have made 2nd approach to read it and I'm filing to understand. Just precisely describe what you want to realize and then how you try this.
Best,
Krzysztof
|
|
From: Nikolaos E. <ni...@ad...> - 2018-07-04 11:48:01
|
Hello Krzysztof,
I don’t see any warns or errors in logs. In the browser if I try to login I will get this message “There is a SAML authentication going on already. Perhaps you used a Back button during authentication or authenticate in two browser windows? Either finish that login process or cancel it locally with the ''Cancel'' button before trying again.”
I tried to switch unity.endpoint.web.autoLogin to false and it works. Maybe I misconfigured something.
Here are all the changes I made:
1. Modified conf/unityServer.conf
unityServer.core.authenticators.marineWeb.authenticatorName=marineWeb
unityServer.core.authenticators.marineWeb.authenticatorType=saml2 with web-saml2
unityServer.core.authenticators.marineWeb.verificatorConfigurationFile=${CONF}/authenticators/marineAuth.properties
unityServer.core.authenticators.marineWeb.retrievalConfigurationFile=${CONF}/authenticators/marineAuth.properties
And
# Enables MarineID AS functionality
$include.marineAS=${CONF}/modules/marineAS.module
Both are copies of samlWeb and $include.oauthAS correspondingly.
2. Created authenticators/marineAuth.properties copy of remoteSamlAuth.properties
unity.saml.requester.requesterEntityId=https://unity.eudat-aai.fz-juelich.de:8443/unitygw/saml-sp-metadata
unity.saml.requester.metadataPath=metadata1
unity.saml.requester.requesterCredential=MAIN
unity.saml.requester.acceptedNameFormats.1=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
unity.saml.requester.acceptedNameFormats.2=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
unity.saml.requester.acceptedNameFormats.3=urn:oasis:names:tc:SAML:2.0:nameid-format:transient
unity.saml.requester.sloPath=slo1
unity.saml.requester.sloRealm=defaultRealm
unity.saml.requester.remoteIdp.marine.name=MarineID IdP
unity.saml.requester.remoteIdp.marine.address=https://idp.marine-id.org/idp/profile/SAML2/Redirect/SSO
unity.saml.requester.remoteIdp.marine.binding=HTTP_REDIRECT
unity.saml.requester.remoteIdp.marine.samlId=https://idp.marine-id.org/idp/shibboleth
unity.saml.requester.remoteIdp.marine.certificate=MARINEID
unity.saml.requester.remoteIdp.marine.translationProfile=marineID
unity.saml.requester.remoteIdp.marine.registrationFormForUnknown=marineID Registration Form
unity.saml.requester.remoteIdp.marine.enableAccountAssociation=false
unity.saml.requester.remoteIdp.marine.logoURI.en=https://www.marine-id.org/img/logo-noBG.svg
3. Created modules/oauthAS.module copy of oauthAS.module
unityServer.core.script.909.file=${CONF}/scripts/oauthDemoInitializer.groovy
unityServer.core.script.909.trigger=pre-init
unityServer.core.endpoints.marineOauth.endpointType=OAuth2Authz
unityServer.core.endpoints.marineOauth.endpointConfigurationFile=${CONF}/modules/oauth/oauth2-marine.properties
unityServer.core.endpoints.marineOauth.contextPath=/oauth2-marine
unityServer.core.endpoints.marineOauth.endpointName=MarineID OAuth2 Authorization Server
unityServer.core.endpoints.marineOauth.endpointRealm=defaultRealm
unityServer.core.endpoints.marineOauth.endpointAuthenticators=marineWeb
unityServer.core.endpoints.marineToken.endpointType=OAuth2Token
unityServer.core.endpoints.marineToken.endpointConfigurationFile=${CONF}/modules/oauth/oauth2-marine.properties
unityServer.core.endpoints.marineToken.contextPath=/marine
unityServer.core.endpoints.marineToken.endpointName=MarineID OAuth2 Token endpoint
unityServer.core.endpoints.marineToken.endpointRealm=defaultRealm
unityServer.core.endpoints.marineToken.endpointAuthenticators=pwdRest;certRest
4. Created modules/oauth/oauth2-marine.properties copy of modules/oauth/oauth2-as.properties
unity.oauth2.as.issuerUri=https://unity.eudat-aai.fz-juelich.de:8443/marine
unity.oauth2.as.signingCredential=MAIN
unity.oauth2.as.clientsGroup=/oauth-clients
unity.oauth2.as.usersGroup=/
unity.oauth2.as.translationProfile=marineIDout
unity.oauth2.as.accessTokenValidity=600
unity.oauth2.as.extendAccessTokenValidityUpTo=86400
unity.oauth2.as.refreshTokenValidity=0
# Definition of scopes
unity.oauth2.as.scopes.1.name=openid
unity.oauth2.as.scopes.1.description=Enables the OpenID Connect support
unity.oauth2.as.scopes.4.name=email
unity.oauth2.as.scopes.4.description=OpenID Connect Email Scope
unity.oauth2.as.scopes.4.attributes.1=email
unity.oauth2.as.scopes.5.name=profile
unity.oauth2.as.scopes.5.description=OpenID Connect user profile scope
unity.oauth2.as.scopes.5.attributes.1=name
unity.oauth2.as.scopes.2.name=USER_PROFILE
unity.oauth2.as.scopes.2.description=Provides access to the user's profile information
unity.oauth2.as.scopes.2.attributes.1=userName
unity.oauth2.as.scopes.2.attributes.2=email
unity.oauth2.as.scopes.2.attributes.3=groups
unity.oauth2.as.scopes.2.attributes.4=unity:persistent
unity.oauth2.as.scopes.2.attributes.5=urn:oid:2.5.4.49
unity.oauth2.as.scopes.2.attributes.6=name
unity.oauth2.as.scopes.2.attributes.7=cn
unity.oauth2.as.scopes.3.name=GENERATE_USER_CERTIFICATE
unity.oauth2.as.scopes.3.description=Generate User Certificate
unity.oauth2.as.scopes.3.attributes.1=userName
unity.oauth2.as.scopes.3.attributes.2=email
unity.oauth2.as.scopes.3.attributes.3=name
unity.oauth2.as.scopes.3.attributes.4=groups
#UI specific properties
unity.endpoint.web.enableRegistration=false
unity.endpoint.web.autoLogin=true
unity.endpoint.web.authenticationTiles.4.tileContents=oauthMarine
unity.endpoint.web.authenticationTiles.4.tileMode=table
unity.endpoint.web.authenticationTiles.4.tileName.en=Login with your MarineID
———————
Best regards,
Nick
> On 4 Jul 2018, at 10:06, Krzysztof Benedyczak <kb...@un...> wrote:
>
> W dniu 03.07.2018 o 16:22, Nikolaos Evangelou pisze:
>> Hello Krzysztof,
>>
>> I’m testing your suggestion to create a separate oauth authorization endpoint, but I got some issues. When I make an authentication request to the new endpoint, I go directly to the login page of my preselected IdP (as expected) but after the login I got stack to ${new_endpoint}/oauth2-authz-web-entry portal, and I’m asked to login again. Do you have any suggestion to deal with this issue?
>
> Can you evaluate debug logs carefully, together with web browser logs? What happens there, what is precise flow of redirections? Visually this effect in web browser can be due many reasons - up to situation where everything works but your client is redirecting to Unity again as it doesn't accept your new endpoint.
>
> Best,
> Krzysztof
|
