From: D B. <ba...@aw...> - 2018-04-25 16:52:30

Hi!

On 24/04/18 00:05, Krzysztof Benedyczak wrote:
> Well probably this is a bit misleading. A value of 0 means that no history (previous passwords) should be checked, but your new candidate for a password must still be different from the current one. Also I think (but I'd need to verify this) we may have a bug that reconfiguring a credential to have a lower limit (so changing the setting from say 10 to 1) in some cases won't work. This latter I need to confirm.
>
> Anyway if you create a new credential with 0 then you won't be able to set a password to the current one. While this sounds nonsense I think we can still allow for this (assuming the setting is 0): to rehash the same password after a password hashing configuration change.

Not quite sure I understand. Is there a difference between setting a history of 0 and 1 then? Does 1 mean "not the last one and the one before that"?

> Have you changed your authenticator configuration to use the 'SimplePassword' instead of sys:password?

Ah, that's the trick! Thanks!

One thing I'm not sure about yet is: Do I need to manually reset the passwords for the users (as admin) so that they are able to log in when the new password restrictions are applied? (I got that impression but I'm not sure.) If so, how do I update the admin password without locking myself out of the admin account?

> Actually we hit this a couple of times too. We are thinking how to enable such a feature without creating super-complex credential config and at the same time being able to provide sensible user experience and control.

Yeah, if the user only gets "Password too weak" they have no indication what it takes to make the password stronger. Maybe a progress bar above/below the password field that fills up as more "password strength" gets added to the password?

> I even think this can go into the next release as we are anyway working on making password setting/reset/update user friendly (better UI, feedback) for 2.5.

Sounds great!

> Having this defined as "minimum allowed security index" is somewhat difficult as admins typically won't know what is a "strong" or "low" index. But maybe it is the way to go. I've checked keepass and indeed it seems to use a dictionary ('alic' has a higher score than 'alice'), but this is a pretty poor dictionary

And also the dictionary would/could depend on the language.

> Thinking in progress - feature request of course accepted.

Thanks!

Best,
D.
From: D B. <ba...@aw...> - 2018-04-24 16:47:59

Hi!

On 23/04/18 23:41, Krzysztof Benedyczak wrote:
> Sorry - I should have noticed this earlier. You wrote that you are using 2.4.1 - it contained bug UY-684 which was fixed in 2.4.2 - and it is precisely what you are observing. So please update to the latest version.

Fix confirmed, thank you! :-)

And: sorry - I should have checked the issue tracker and worked on the latest version... I hope next time I'll do better :-)

Best,
D.
From: Krzysztof B. <kb...@un...> - 2018-04-23 22:06:13

On 23.04.2018 at 17:28, D Baum wrote:
> Hi,
>
> I'm trying to change the password requirements for my unity setup (knowing my users, if I put too many requirements on them they'll just write their passwords down or reuse them; see also NIST's new password recommendations, e.g. https://www.nist.gov/blogs/taking-measure/easy-ways-build-better-pw0rd).
>
> So far, I haven't had much success: I created a new credential definition called SimplePassword with
> Number of previous, forbidden passwords: 0
> and edited the "Password requirement" credential requirement to use it instead of sys:password.
>
> However, when I try to update an identity's password credential, the password verificator complains that I'm reusing a password (which I am, but I've just configured that unity shouldn't worry about it...). How can I get unity to allow users to reuse previous passwords?

Well probably this is a bit misleading. A value of 0 means that no history (previous passwords) should be checked, but your new candidate for a password must still be different from the current one. Also I think (but I'd need to verify this) we may have a bug that reconfiguring a credential to have a lower limit (so changing the setting from say 10 to 1) in some cases won't work. This latter I need to confirm.

Anyway if you create a new credential with 0 then you won't be able to set a password to the current one. While this sounds nonsense I think we can still allow for this (assuming the setting is 0): to rehash the same password after a password hashing configuration change. I'll check this up.

> More importantly, when I set a new, weak password and try to log in with it, authentication is denied.
>
> So something seems to be going on with the password update after changing a credential requirement by swapping in a new credential definition.

Have you changed your authenticator configuration to use the 'SimplePassword' instead of sys:password?

> Once I swap back to the original sys:password requirement and change the password again, login works fine.
>
> Somewhat related to the password verification issue, may I add a feature request?
> In times of "correct battery horse staple", could you introduce a measure of password strength that also takes length into account? So that users can e.g. have 30+ character passwords but with only one character class OR 10 character passwords with more character classes.
> I've seen KeePass use some sort of entropy (password strength is measured in bits), probably using a dictionary to detect frequently used character combinations (-> words).
> The admin could then configure the required entropy of the passwords and let the users decide themselves whether they want longer or more random passwords.

Actually we hit this a couple of times too. We are thinking how to enable such a feature without creating super-complex credential config and at the same time being able to provide sensible user experience and control. I even think this can go into the next release as we are anyway working on making password setting/reset/update user friendly (better UI, feedback) for 2.5.

Having this defined as "minimum allowed security index" is somewhat difficult as admins typically won't know what is a "strong" or "low" index. But maybe it is the way to go. I've checked keepass and indeed it seems to use a dictionary ('alic' has a higher score than 'alice'), but this is a pretty poor dictionary - I was able to easily find real words, 5 chars long, which had the same score as random strings (and of course way higher than 'alice'). So this index meaning is a bit fuzzy.

Thinking in progress - feature request of course accepted.

Thanks
Krzysztof
From: Krzysztof B. <kb...@un...> - 2018-04-23 21:41:32

Hi Doris,

On 23.04.2018 at 10:37, Doris Baum wrote:
> Hi!
>
> On 21/04/18 13:17, Krzysztof Benedyczak wrote:
>> Can you also share the metadata for the portal?
> Here are somewhat anonymised versions of the xml config files for both SPs.
>

Sorry - I should have noticed this earlier. You wrote that you are using 2.4.1 - it contained bug UY-684 which was fixed in 2.4.2 - and it is precisely what you are observing. So please update to the latest version.

Best,
Krzysztof
From: D B. <ba...@aw...> - 2018-04-23 15:29:07

Hi,

I'm trying to change the password requirements for my unity setup (knowing my users, if I put too many requirements on them they'll just write their passwords down or reuse them; see also NIST's new password recommendations, e.g. https://www.nist.gov/blogs/taking-measure/easy-ways-build-better-pw0rd).

So far, I haven't had much success: I created a new credential definition called SimplePassword with
Number of previous, forbidden passwords: 0
and edited the "Password requirement" credential requirement to use it instead of sys:password.

However, when I try to update an identity's password credential, the password verificator complains that I'm reusing a password (which I am, but I've just configured that unity shouldn't worry about it...). How can I get unity to allow users to reuse previous passwords?

More importantly, when I set a new, weak password and try to log in with it, authentication is denied.

So something seems to be going on with the password update after changing a credential requirement by swapping in a new credential definition. Once I swap back to the original sys:password requirement and change the password again, login works fine.

Somewhat related to the password verification issue, may I add a feature request?
In times of "correct battery horse staple", could you introduce a measure of password strength that also takes length into account? So that users can e.g. have 30+ character passwords but with only one character class OR 10 character passwords with more character classes.
I've seen KeePass use some sort of entropy (password strength is measured in bits), probably using a dictionary to detect frequently used character combinations (-> words).
The admin could then configure the required entropy of the passwords and let the users decide themselves whether they want longer or more random passwords.

Cheers,
D.
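The length-aware, dictionary-penalised strength estimate requested in this thread, as an added example that is neither Unity's code nor KeePass's algorithm: the score is an estimated number of bits an attacker must search, charged per character for material outside the word list and per dictionary lookup for recognised words, so a long single-class random password and a short multi-class random password can both clear one configured threshold while a passphrase built entirely from the attacker's word list cannot. The word list, the MIN_BITS value and the punctuation pool size are assumptions for illustration; a deployment would load a large, language-specific list, which is why the list and threshold are parameters.

```python
import math
import re

# Constructed word list for illustration only. A deployment would load a
# large, language-specific list (the thread notes the dictionary depends
# on language); scores below are "as if the attacker had exactly this list".
COMMON_WORDS = {
    "password", "correct", "horse", "battery", "staple", "alice",
    "unity", "admin", "welcome", "letmein", "qwerty",
}

# Character classes and the pool size each contributes once present.
# 33 for punctuation is the printable-ASCII count (assumption: ASCII input).
CLASSES = [
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^A-Za-z0-9]"), 33),
]

MIN_BITS = 40.0  # hypothetical policy threshold an admin would configure


def charset_size(password):
    """Pool size implied by the character classes present in the password."""
    return sum(size for rx, size in CLASSES if rx.search(password))


def find_words(password, words=COMMON_WORDS, min_len=4):
    """Greedy longest-match scan for dictionary words, case-insensitive.
    Returns the words in the order they occur; matched spans do not overlap."""
    low = password.lower()
    found, i = [], 0
    while i < len(low):
        match = None
        for j in range(len(low), i + min_len - 1, -1):
            if low[i:j] in words:
                match = low[i:j]
                break
        if match:
            found.append(match)
            i += len(match)
        else:
            i += 1
    return found


def estimate_bits(password, words=COMMON_WORDS):
    """Entropy estimate: characters outside any recognised word cost
    log2(pool) each; each recognised word costs only log2(|dictionary|)
    plus 1 bit for casing, regardless of its length."""
    found = find_words(password, words)
    free_chars = len(password) - sum(len(w) for w in found)
    pool = charset_size(password) or 1
    bits = free_chars * math.log2(pool)
    if found:
        bits += len(found) * (math.log2(len(words)) + 1)
    return round(bits, 1)


def meets_policy(password, min_bits=MIN_BITS):
    """Single length-aware rule instead of per-class requirements."""
    return estimate_bits(password) >= min_bits


def strength_bar(bits, target=MIN_BITS, width=10):
    """Feedback a UI could show instead of a bare 'password too weak'."""
    filled = min(width, int(round(width * bits / target)))
    return "[" + "#" * filled + " " * (width - filled) + "]"


if __name__ == "__main__":
    for pw in ["Password1!", "correcthorsebatterystaple",
               "G7#kLp2$vQ", "kzvwqplrtmnbgshdjfyxcweaiourkz"]:
        bits = estimate_bits(pw)
        verdict = "ok" if meets_policy(pw) else "weak"
        print(f"{strength_bar(bits)} {bits:6.1f} bits  {verdict:4}  {pw}")
```

With the toy list, "Password1!" scores under 20 bits because "password" is one lookup, the 25-character all-lowercase passphrase made of four listed words scores about the same, while a 10-character mixed-class random string and a 30-character lowercase random string both pass. The per-word charge grows with the size of the list, which is the right direction: the bigger the attacker's dictionary, the more work each word costs them.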
From: Doris B. <ba...@aw...> - 2018-04-23 08:37:57

Hi!

On 21/04/18 13:17, Krzysztof Benedyczak wrote:
> Can you also share the metadata for the portal?

Here are somewhat anonymised versions of the xml config files for both SPs.

Cheers,
D.
From: Krzysztof B. <kb...@un...> - 2018-04-20 07:57:55

Hi,

On 19.04.2018 at 18:06, D Baum wrote:
> Hi,
>
> I'm trying to have multiple SAML service providers authenticate against unity (v2.4.1) as the IDP.
>
> The relevant config file looks like this:
>
> unity.saml.issuerURI=http://unity
> unity.saml.credential=PORTAL
> unity.saml.defaultGroup=/A
> unity.saml.spAcceptPolicy=validRequester
> unity.saml.acceptedSPMetadataSource.portal.url=file:///etc/unity-idm/portal-metadata_fed.xml
> unity.saml.acceptedSPMetadataSource.simpleSAMLphp.url=file:///etc/unity-idm/simpleSAMLphp_fed.xml
> unity.saml.signResponses=asRequest
> unity.saml.translationProfile=portalSAMLOutputProfile
> unity.saml.skipConsent=true
> unity.saml.userCanEditConsent=false
> unity.endpoint.web.autoLogin=true
>
> However, if I try to log in to the portal SP, I get this error:
>
> ERROR
> SAML service got an invalid request.
> If you are a user then you can be sure that the web application you was using previously is either misconfigured or buggy.
> If you are an administrator or developer, here the details of the error follows:
> eu.unicore.samly2.exceptions.SAMLRequesterException: Issuer is not among trusted: portal
> Caused by: eu.unicore.samly2.exceptions.SAMLRequesterException: Issuer is not among trusted: portal
>
> So it seems I can't configure two SPs in this way, is that right?
> Is the only way to configure two SPs to copy-paste their xml config into the same metadata xml file together?

Your config is all right, Unity can use multiple metadata sources and merges them (of course they should not clash). Try to enable more detailed logging on the saml subsystem and verify carefully the logs when metadata is loaded/refreshed. I suppose there is some configuration mismatch somewhere.

Cheers,
Krzysztof
From: D B. <ba...@aw...> - 2018-04-19 16:49:53

Hi,

I'm trying to have multiple SAML service providers authenticate against unity (v2.4.1) as the IDP.

The relevant config file looks like this:

unity.saml.issuerURI=http://unity
unity.saml.credential=PORTAL
unity.saml.defaultGroup=/A
unity.saml.spAcceptPolicy=validRequester
unity.saml.acceptedSPMetadataSource.portal.url=file:///etc/unity-idm/portal-metadata_fed.xml
unity.saml.acceptedSPMetadataSource.simpleSAMLphp.url=file:///etc/unity-idm/simpleSAMLphp_fed.xml
unity.saml.signResponses=asRequest
unity.saml.translationProfile=portalSAMLOutputProfile
unity.saml.skipConsent=true
unity.saml.userCanEditConsent=false
unity.endpoint.web.autoLogin=true

However, if I try to log in to the portal SP, I get this error:

ERROR
SAML service got an invalid request.
If you are a user then you can be sure that the web application you was using previously is either misconfigured or buggy.
If you are an administrator or developer, here the details of the error follows:
eu.unicore.samly2.exceptions.SAMLRequesterException: Issuer is not among trusted: portal
Caused by: eu.unicore.samly2.exceptions.SAMLRequesterException: Issuer is not among trusted: portal

So it seems I can't configure two SPs in this way, is that right?
Is the only way to configure two SPs to copy-paste their xml config into the same metadata xml file together?

Cheers,
D.
From: Piotr P. <pio...@gm...> - 2018-03-27 13:00:47

Tue, 27.03.2018, 14:39, user Shiraz Memon <a....@fz...> wrote:
> Dear Piotr,
>
> On Tue, Mar 27, 2018 at 2:20 PM, Piotr Piernik <pio...@gm...> wrote:
>>
>> Tue, 27.03.2018, 13:52, user Shiraz Memon <a....@fz...> wrote:
>>> Hi Krzysztof, Piotr, All,
>>>
>>> I am using v2.4.2 and have added a new password credential (under schema management tab) as I do not want to use sys:password after using the default admin user credentials. Then, I have configured new initial username (say admin2) and password credentials, subsequently changed all the authenticators which were relying on sys:password and restarted the server.
>>
>> Dear Shiraz
>> I am not sure if I understand it well but if you set a new initial user and password by config file you add a new admin with the default sys:password credential. If you first add a new admin 'admin3' by UI and set him a new 'customPassword' credential and then set him a new initial password by config file nothing will be changed. You can not update the 'customPassword' credential by setting initialPassword in the config file.
>
> Here are the steps I have followed:
> i) Added a new credential definition called "PasswordCredential" on the Web admin UI, while signed in as the default "admin" user
> ii) Stopped the server, configured initial admin credentials inside unityServer.config - so not adding the credentials on the admin UI assuming they are created automatically upon next restart

By setting the new admin in config you added a new 'admin' with the 'sys:password' credential. No 'PasswordCredential'.

> iii) Reconfigured all the authenticators, basically replacing sys:password with PasswordCredential

Then you cannot use sys:password to log in.

> iv) Restart the server and tried to authenticate with the new admin credentials, also found an important info (see below :))
>
> 2018-03-27T14:08:06,945 [main] WARN unity.server.config.UnityServerConfiguration: IMPORTANT:
> Database was initialized with a default admin user and password. Log in and change the admin's password immediatelly! U: admin2 P: the!unity
> The credential used for this user is named: 'sys:password' make sure that this credential is enabled for the admin UI endpoint. If not add an authenticator using this credential to the admin endpoint.
>
> I wonder why the admin UI endpoint is enabled for sys:password when the authenticator configuration is:

You can sign in to the unity admin UI using the sys:password credential? I think you can only log in using 'PasswordCredential'.

> unityServer.core.authenticators.pwdWeb.authenticatorName=pwdWeb
> unityServer.core.authenticators.pwdWeb.authenticatorType=password with web-password
> #unityServer.core.authenticators.pwdWeb.localCredential=sys:password
> unityServer.core.authenticators.pwdWeb.localCredential=PasswordCredential
> unityServer.core.authenticators.pwdWeb.retrievalConfigurationFile=${CONF}/authenticators/passwordRetrieval.json
>
> and the endpoint config is:
>
> unityServer.core.endpoints.adminUI.endpointType=WebAdminUI
> unityServer.core.endpoints.adminUI.endpointConfigurationFile=${CONF}/modules/core/webadmin.properties
> unityServer.core.endpoints.adminUI.contextPath=/admin
> unityServer.core.endpoints.adminUI.endpointRealm=adminRealm
> unityServer.core.endpoints.adminUI.endpointName=UNITY administration interface
> unityServer.core.endpoints.adminUI.endpointAuthenticators=pwdWeb;certWeb;oauthWeb;samlWeb
>
>>> After making several failed attempts, Unity is not signing me in with the newly defined admin credentials on admin UI. Do you know what could be the issue? and I wonder why I cannot change the sys:password credential properties on admin UI, are they intentionally immutable?
>>
>> Yes. sys:password is the system credential and can not be changed
>
> Ok.
>
> Cheers,
> Shiraz
From: Shiraz M. <a....@fz...> - 2018-03-27 12:39:17

Dear Piotr,

On Tue, Mar 27, 2018 at 2:20 PM, Piotr Piernik <pio...@gm...> wrote:
>
> Tue, 27.03.2018, 13:52, user Shiraz Memon <a....@fz...> wrote:
>> Hi Krzysztof, Piotr, All,
>>
>> I am using v2.4.2 and have added a new password credential (under schema management tab) as I do not want to use sys:password after using the default admin user credentials. Then, I have configured new initial username (say admin2) and password credentials, subsequently changed all the authenticators which were relying on sys:password and restarted the server.
>
> Dear Shiraz
> I am not sure if I understand it well but if you set a new initial user and password by config file you add a new admin with the default sys:password credential. If you first add a new admin 'admin3' by UI and set him a new 'customPassword' credential and then set him a new initial password by config file nothing will be changed. You can not update the 'customPassword' credential by setting initialPassword in the config file.
>

Here are the steps I have followed:
i) Added a new credential definition called "PasswordCredential" on the Web admin UI, while signed in as the default "admin" user
ii) Stopped the server, configured initial admin credentials inside unityServer.config - so not adding the credentials on the admin UI assuming they are created automatically upon next restart
iii) Reconfigured all the authenticators, basically replacing sys:password with PasswordCredential
iv) Restart the server and tried to authenticate with the new admin credentials, also found an important info (see below :))

2018-03-27T14:08:06,945 [main] WARN unity.server.config.UnityServerConfiguration: IMPORTANT:
Database was initialized with a default admin user and password. Log in and change the admin's password immediatelly! U: admin2 P: the!unity
The credential used for this user is named: 'sys:password' make sure that this credential is enabled for the admin UI endpoint. If not add an authenticator using this credential to the admin endpoint.

I wonder why the admin UI endpoint is enabled for sys:password when the authenticator configuration is:

unityServer.core.authenticators.pwdWeb.authenticatorName=pwdWeb
unityServer.core.authenticators.pwdWeb.authenticatorType=password with web-password
#unityServer.core.authenticators.pwdWeb.localCredential=sys:password
unityServer.core.authenticators.pwdWeb.localCredential=PasswordCredential
unityServer.core.authenticators.pwdWeb.retrievalConfigurationFile=${CONF}/authenticators/passwordRetrieval.json

and the endpoint config is:

unityServer.core.endpoints.adminUI.endpointType=WebAdminUI
unityServer.core.endpoints.adminUI.endpointConfigurationFile=${CONF}/modules/core/webadmin.properties
unityServer.core.endpoints.adminUI.contextPath=/admin
unityServer.core.endpoints.adminUI.endpointRealm=adminRealm
unityServer.core.endpoints.adminUI.endpointName=UNITY administration interface
unityServer.core.endpoints.adminUI.endpointAuthenticators=pwdWeb;certWeb;oauthWeb;samlWeb

>> After making several failed attempts, Unity is not signing me in with the newly defined admin credentials on admin UI. Do you know what could be the issue? and I wonder why I cannot change the sys:password credential properties on admin UI, are they intentionally immutable?
>>
>
> Yes. sys:password is the system credential and can not be changed
>

Ok.

Cheers,
Shiraz

-- 
Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)

Phone: +49 2461 61 6899
Fax: +49 2461 61 6656
From: Piotr P. <pio...@gm...> - 2018-03-27 12:20:37

Tue, 27.03.2018, 13:52, user Shiraz Memon <a....@fz...> wrote:
> Hi Krzysztof, Piotr, All,
>
> I am using v2.4.2 and have added a new password credential (under schema management tab) as I do not want to use sys:password after using the default admin user credentials. Then, I have configured new initial username (say admin2) and password credentials, subsequently changed all the authenticators which were relying on sys:password and restarted the server.
>

Dear Shiraz
I am not sure if I understand it well but if you set a new initial user and password by config file you add a new admin with the default sys:password credential. If you first add a new admin 'admin3' by UI and set him a new 'customPassword' credential and then set him a new initial password by config file nothing will be changed. You can not update the 'customPassword' credential by setting initialPassword in the config file.

> After making several failed attempts, Unity is not signing me in with the newly defined admin credentials on admin UI. Do you know what could be the issue? and I wonder why I cannot change the sys:password credential properties on admin UI, are they intentionally immutable?
>

Yes. sys:password is the system credential and can not be changed

> Cheers,
> Shiraz
From: Shiraz M. <a....@fz...> - 2018-03-27 11:52:25

Hi Krzysztof, Piotr, All,

I am using v2.4.2 and have added a new password credential (under schema management tab) as I do not want to use sys:password after using the default admin user credentials. Then, I have configured new initial username (say admin2) and password credentials, subsequently changed all the authenticators which were relying on sys:password and restarted the server.

After making several failed attempts, Unity is not signing me in with the newly defined admin credentials on admin UI. Do you know what could be the issue? and I wonder why I cannot change the sys:password credential properties on admin UI, are they intentionally immutable?

Cheers,
Shiraz

-- 
Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)

Phone: +49 2461 61 6899
Fax: +49 2461 61 6656

------------------------------------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzender des Aufsichtsrats: MinDir Dr. Karl Eugen Huthmacher
Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender),
Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt,
Prof. Dr. Sebastian M. Schmidt
------------------------------------------------------------------------------------------------
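A check for the lockout described in this thread, as an added example that is not part of Unity: it parses a unityServer.config excerpt modelled on the one pasted above and reports any endpoint on which no authenticator is bound to sys:password, the credential an initial admin created from the config file receives (Piotr's point, and what the server's own warning says). The second excerpt adds a hypothetical second authenticator named pwdWebSys bound to sys:password and lists it on the admin endpoint, which is the fix the warning asks for. The authenticator name, the last-duplicate-wins handling of repeated keys, the treatment of ',' inside endpointAuthenticators, and the fact that certWeb/oauthWeb/samlWeb are defined elsewhere (so unknown to this checker) are assumptions.

```python
import re

# Constructed excerpt modelled on the configuration pasted in the thread.
# certWeb, oauthWeb and samlWeb are referenced but defined elsewhere in a real
# unityServer.config, so this checker simply does not know them.
BROKEN_CONFIG = """
unityServer.core.authenticators.pwdWeb.authenticatorName=pwdWeb
unityServer.core.authenticators.pwdWeb.authenticatorType=password with web-password
#unityServer.core.authenticators.pwdWeb.localCredential=sys:password
unityServer.core.authenticators.pwdWeb.localCredential=PasswordCredential
unityServer.core.authenticators.pwdWeb.retrievalConfigurationFile=${CONF}/authenticators/passwordRetrieval.json

unityServer.core.endpoints.adminUI.endpointType=WebAdminUI
unityServer.core.endpoints.adminUI.contextPath=/admin
unityServer.core.endpoints.adminUI.endpointRealm=adminRealm
unityServer.core.endpoints.adminUI.endpointAuthenticators=pwdWeb;certWeb;oauthWeb;samlWeb
"""

# Same excerpt plus a second password authenticator (hypothetical name
# pwdWebSys) bound to sys:password and enabled on the admin endpoint. The
# repeated endpointAuthenticators key overrides the earlier one (assumption:
# last duplicate key wins, as in Java properties files).
FIXED_CONFIG = BROKEN_CONFIG + """
unityServer.core.authenticators.pwdWebSys.authenticatorName=pwdWebSys
unityServer.core.authenticators.pwdWebSys.authenticatorType=password with web-password
unityServer.core.authenticators.pwdWebSys.localCredential=sys:password
unityServer.core.authenticators.pwdWebSys.retrievalConfigurationFile=${CONF}/authenticators/passwordRetrieval.json
unityServer.core.endpoints.adminUI.endpointAuthenticators=pwdWeb;pwdWebSys;certWeb;oauthWeb;samlWeb
"""

AUTH_CRED = re.compile(r"^unityServer\.core\.authenticators\.([^.]+)\.localCredential$")


def parse_properties(text):
    """Minimal properties reader: key=value lines, '#' comments, last duplicate wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def authenticator_credentials(props):
    """Map authenticator name -> localCredential for authenticators that declare one."""
    creds = {}
    for key, value in props.items():
        m = AUTH_CRED.match(key)
        if m:
            creds[m.group(1)] = value
    return creds


def endpoint_authenticators(props, endpoint):
    """Authenticator names listed for an endpoint. ';' separates alternatives as in
    the pasted config; also splitting on ',' (chained entries) is an assumption."""
    value = props.get(f"unityServer.core.endpoints.{endpoint}.endpointAuthenticators", "")
    return [a.strip() for a in re.split(r"[;,]", value) if a.strip()]


def endpoint_credentials(props, endpoint):
    """Local credentials a user can present on this endpoint; authenticators the
    excerpt does not define contribute nothing."""
    creds = authenticator_credentials(props)
    return {creds[a] for a in endpoint_authenticators(props, endpoint) if a in creds}


def lockout_findings(props, endpoint="adminUI", bootstrap_credential="sys:password"):
    """Report when the credential an initial admin receives from unityServer.config
    cannot be used on the given endpoint, i.e. the admin would be locked out."""
    reachable = endpoint_credentials(props, endpoint)
    if bootstrap_credential in reachable:
        return []
    return [f"{endpoint}: no authenticator bound to '{bootstrap_credential}' "
            f"(reachable local credentials: {sorted(reachable) or 'none'}); an initial "
            f"admin created from unityServer.config cannot log in here"]


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, lockout_findings(parse_properties(cfg)) or ["ok"])
```

Run before restarting the server after swapping credentials on the authenticators: the broken excerpt produces one finding for adminUI, the fixed one none. Keeping a sys:password authenticator on the admin endpoint is also what lets the initial admin log in and then set the custom credential, rather than relying on the config-file initial password to populate a credential it never touches.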
From: Krzysztof B. <kb...@un...> - 2018-03-27 04:38:58

On 26.03.2018 at 14:26, Willem Elbers wrote:
> Dear Krzysztof,
>
> we are indeed using the users email as login. This checkbox in the registration form config sounds good.
>
> Please add this as a feature request. Do note however that we want to have the confirmation link included in the acceptance email in this case, so that the user only receives a single email.

UY-689. You will be able to have a single email as described: do not set any message for request acceptance and in the email confirmation message provide the necessary information about successful registration.

Best
Krzysztof
From: Krzysztof B. <kb...@un...> - 2018-03-27 04:30:26

Hi Nikolaos,

On 26.03.2018 at 13:28, Nikolaos Evangelou wrote:
> Hello Krzysztof,
>
> What I mean is when I register to b2access using my orcid account (through the form in web UI) and get entity information using the restAPI I get this response:
>
> {
>   "comparableValue": "XXXX-XXXX-XXXX-XXXX",
>   "confirmationInfo": {
>     "confirmationDate": 0,
>     "confirmed": false,
>     "sentRequestAmount": 0
>   },
>   "creationTs": 1518000192796,
>   "entityId": XXX,
>   "remoteIdp": "https://pub.orcid.org/oauth/token",
>   "translationProfile": "orcidProfile",
>   "typeId": "identifier",
>   "updateTs": 1518000192796,
>   "value": "XXXX-XXXX-XXXX-XXXX"
> }
>
> Would it be possible to register a user using the restAPI instead of the web form? If so, how could I set the remote idp and the translation profile?
>

From what you wrote it seems that you want to create the "same" identity as the pasted one, and the problem is with setting the identity *metadata* remoteIdp and translationProfile, correct? If so then no, you can't set it via rest (and with anything else). Similarly as you can not set creationTs and updateTs. This is metadata about the identity, which is set automatically by Unity to provide context information, mostly admin oriented, about the origin of the element. For instance if you create an identity using a rest call (or clicking in AdminUI) a translation profile is not used so it won't be set.

HTH,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2018-03-27 04:16:28

Hi Willem,

On 26.03.2018 at 14:32, Willem Elbers wrote:
> Dear Krzysztof,
>
> do you have an indication when https://dev.unity-idm.eu/jira/browse/UY-680 could be implemented?

I'm not sure if this will be squeezed still into 2.5.0 (next) - ca 40% chances. If not then 2.6.0.

Best
Krzysztof
From: Krzysztof B. <kb...@un...> - 2018-03-27 04:12:29

Dear Willem,

On 26.03.2018 at 14:34, Willem Elbers wrote:
> Dear Krzysztof,
>
> When doing a password reset, users need to copy and paste a code from an email to the password reset dialog.
> If UnityIDM allows to send a 1-time URL instead this would be a nice and user-friendly alternative.
>
> Would this be something you would consider implementing?

This is a quite insecure way of resetting a password. Everybody having read access to the user's mail (as any mail admin) can then easily take over the Unity account using that email (triggering the sending of an email code is easy). On the other hand this is (should be) a very infrequent operation so copying a few characters shouldn't be too demanding.

In the next version there will be a new feature allowing for even more secure password reset with use of mobile, however requiring retyping the code.

So sorry, but I wouldn't go for it.

Best,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2018-03-27 03:57:05

Hi Willem,

On 26.03.2018 at 14:29, Willem Elbers wrote:
>
> Hi Krzysztof,
>
> did this conversation materialize in an issue? If not I would like to
> request this as a feature.
>

UY-601, released since 2.4.0. Hopefully in all places where truncation was used the full value should be displayed now (no special config required).

Best
Krzysztof
From: Willem E. <wi...@cl...> - 2018-03-26 12:34:21

Dear Krzysztof,

When doing a password reset, users need to copy and paste a code from an email to the password reset dialog.
If UnityIDM allows to send a 1-time URL instead this would be a nice and user-friendly alternative.

Would this be something you would consider implementing?

Best,
Willem

--
Willem Elbers
CLARIN ERIC
www.clarin.eu | tel: +31-(0)85-0091277 | skype: wjm.elbers
From: Willem E. <wi...@cl...> - 2018-03-26 12:32:40

Dear Krzysztof,

do you have an indication when https://dev.unity-idm.eu/jira/browse/UY-680 could be implemented?

Best,
Willem

On 17/09/2017 21:30, Krzysztof Benedyczak wrote:
> Hi Willem,
>
> On 14.09.2017 at 14:20, Willem Elbers wrote:
>> Hello Krzysztof,
>>
>> does unity (we are still on version 1.9.6) support multiple assertion
>> consumer (ACS) endpoints (with different hostnames) for a single SAML
>> SP?
>>
>> We have integrated a SAML SP with a separate ACS for each application
>> they host via that SP, as described in the shibboleth documentation [1]
>> under 'Applications'. See the attached metadata for an example.
>>
>> None of these locations seems to work and they throw a
>> "eu.unicore.samly2.exceptions.SAMLRequesterException:
>> AssertionConsumerServiceURL in request
>> (https://registries.clarin-dariah.eu/Shibboleth.sso/SAML2/POST) is not
>> among trusted endpoints of the issuer." error.
>>
>> There is no information in the unity log file (log level = DEBUG)
>> indicating any issue with this SP
>> (entityID="https://clarin.oeaw.ac.at/shibboleth").
>>
>> Any help to fix this issue is greatly appreciated. Please let me know if
>> you need more information.
>
> Unfortunately as of now we support only one endpoint per each type of
> endpoint for trusted SP (i.e. one HTTP Web-SSO, one HTTP SLO-Redirect,
> ...). The first one from metadata is taken.
>
> If you need support for multiple endpoints please write or open a
> ticket directly.
>
> Best,
> Krzysztof
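The ACS check discussed in the quoted thread (a request's AssertionConsumerServiceURL must be among the SP's trusted endpoints, and at the time only the first endpoint per binding from metadata was trusted), shown as an added example that is not Unity's code. The SP metadata is constructed; it reuses the entityID and the rejected ACS URL quoted above, and the "first per binding" rule is modelled from Krzysztof's description.

```python
"""Check a SAML AuthnRequest's AssertionConsumerServiceURL against the SP's
published ACS endpoints. Added example, not Unity's code; the metadata is
constructed, reusing the entityID and ACS hosts quoted in the thread."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata: two HTTP-POST ACS endpoints on different hosts,
# the second being the one that was rejected in the quoted error message.
SP_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://clarin.oeaw.ac.at/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="{POST}" index="1"
        Location="https://clarin.oeaw.ac.at/Shibboleth.sso/SAML2/POST"/>
    <AssertionConsumerService Binding="{POST}" index="2"
        Location="https://registries.clarin-dariah.eu/Shibboleth.sso/SAML2/POST"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def trusted_acs(metadata_xml, first_only):
    """Return {binding: set(locations)} accepted for this SP.
    first_only=True models the behaviour described in the thread (one endpoint
    per binding, the first one from metadata); False trusts every published ACS."""
    trusted = {}
    for acs in ET.fromstring(metadata_xml).iter(f"{{{MD}}}AssertionConsumerService"):
        binding, location = acs.get("Binding"), acs.get("Location")
        if first_only and binding in trusted:
            continue  # later endpoints of an already-seen binding are ignored
        trusted.setdefault(binding, set()).add(location)
    return trusted


def acs_allowed(trusted, binding, requested_url):
    """Exact-match check: an assertion is only ever posted to a Location the
    SP published in its metadata, never to whatever URL the request names."""
    return requested_url in trusted.get(binding, set())


if __name__ == "__main__":
    url = "https://registries.clarin-dariah.eu/Shibboleth.sso/SAML2/POST"
    print(acs_allowed(trusted_acs(SP_METADATA, True), POST, url))   # False
    print(acs_allowed(trusted_acs(SP_METADATA, False), POST, url))  # True
```

With first_only=True the second host is rejected exactly as in the quoted exception; trusting all published endpoints accepts it while still refusing any URL absent from the metadata.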
From: Willem E. <wi...@cl...> - 2018-03-26 12:29:56

Hi Krzysztof,

did this conversation materialize in an issue? If not I would like to request this as a feature.

Best,
Willem

On 08/05/2017 09:29, Willem Elbers wrote:
>
> Hi Krzysztof, Shiraz,
>
> +1 for toggle behavior. An alternative could be to show a popup with
> the full text.
>
> If toggle behavior is added, a toggle all option might also be useful.
>
> Best,
>
> Willem
>
>
> On 05/05/2017 16:55, Shiraz Memon wrote:
>> Krzysztof,
>>
>> On Thu, May 4, 2017 at 8:54 PM, Krzysztof Benedyczak <kb...@un...
>> <mailto:kb...@un...>> wrote:
>>
>> Willem, Shiraz,
>>
>> On 01.05.2017 at 13:03, Willem Elbers wrote:
>> > Dear Krzysztof,
>> >
>> > we have noticed that for one of our attributes (unlimited free
>> text),
>> > supplied via a registration form, the content is truncated
>> "[...]" in
>> > the accept registration window.
>> >
>> > Is there any way to view the full content of the attribute, before
>> > accepting the request from the UI?
>>
>>
>> Right, this is something to be improved.
>> We have a special reusable component used to display attribute with
>> values. It truncates the values, in different ways to fit to the UI
>> without cluttering it.
>>
>> What I can propose:
>> a) currently attribute's type description (if present) is added as a
>> tooltip for all the values. We can assign it to the attribute
>> name only
>> and on values add the full text representation.
>>
>> b) in selected cases (as those two that you mentioned) we can
>> change the
>> UI to put the full representation.
>>
>>
>> With proposal a (if I understand it correctly) users have to go
>> through multiple truncated attributes (if there are many) one by one
>> and wait for the tooltip to appear, I'd prefer proposal b instead to
>> show the whole attribute value(s), ideally without cluttering.
>>
>>
>> If you have any better ideas please write,
>>
>>
>> Perhaps enhanced b with toggle behavior, that is, expanding the value
>> by clicking the [...] or [>] or [+] and hide back after the second
>> mouse click, do you think it makes sense and/or technically feasible.
>> However, other ideas from the subscribers of this list are most welcome.
>>
>> Cheers,
>> Shiraz
>>
>>
>> Krzysztof
>>
>> --
>> Shiraz Memon
>> Federated Systems and Data
>> Jülich Supercomputing Centre (JSC)
>>
>> Phone: +49 2461 61 6899
>> Fax: +49 2461 61 6656
>>
From: Willem E. <wi...@cl...> - 2018-03-26 12:27:01

Dear Krzysztof,

we are indeed using the users' email as login. This checkbox in the registration form config sounds good. Please add this as a feature request. Do note however that we want to have the confirmation link included in the acceptance email in this case, so that the user only receives a single email.

Best,
Willem

On 10/02/2018 18:54, Krzysztof Benedyczak wrote:
> Hi Willem,
>
> On 08.02.2018 at 10:35, Willem Elbers wrote:
>> Dear Krzysztof,
>>
>> we have been noticing a pattern with some end-users being confused
>> with our current workflow where account acceptance and email
>> confirmation are running in parallel.
>>
>> Especially when accounts are accepted before the email address is
>> confirmed (sometimes the confirmation email might end up in the spam
>> folder or the user ignored the email). If users try to login or reset
>> the password they get the generic error message "invalid username,
>> credential or external authentication failed". There is no indication
>> that the account is not active because of the unconfirmed email address.
>>
>> 1. Ideally we would like to switch to a sequential accept and confirm
>> workflow, where the email confirmation link is included in the
>> acceptance email. So (1) an admin accepts the account request, (2) this
>> triggers sending the acceptance email to the user with a confirmation
>> link included, (3) after confirming the email address the account is
>> ready to be used. Is such a workflow currently supported? If not we
>> would like to make this a feature request.
>
> OK, understood. No this is not possible currently. Do you use user's
> email as login? I.e. email identity is subject of confirmation?
> If so then it should be possible to achieve the above with the
> following feature: additional checkbox in registration form config:
> [ ] trigger email verification only after request acceptance
>
> Does it sound OK?
>
>> 2. Additionally, could the error message in this case be improved, so it is
>> clear to the user that confirmation is still required? I guess the
>> downside here is that this could be abused to leak information about
>> what accounts might exist or not.
>
> well, we can think about something like this but only if a proper
> password is provided (i.e. valid password and existing but not
> verified email as login).
>
> As a short term solution you can change the generic authN failure
> message to something better matching your needs.
>
> Thanks,
> Krzysztof
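The point Krzysztof makes above (show a "confirmation still required" hint only after a correct password has been supplied, so the message cannot be used to enumerate accounts), as an added example that is not Unity's code. The accepted/confirmed flags, the account records and the confirmation-hint wording are constructed; the generic failure text is the one quoted in the thread.

```python
"""Login failure messages for accepted-but-unconfirmed accounts.
Added example, not Unity's code. Accounts and the CONFIRM text are constructed;
GENERIC is the message quoted in the thread."""
import hashlib
import hmac
import os
from dataclasses import dataclass

GENERIC = "invalid username, credential or external authentication failed"
CONFIRM = "e-mail address not confirmed yet, please use the link in the acceptance e-mail"


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256; returns (salt, digest). A fresh salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    login: str
    salt: bytes
    digest: bytes
    accepted: bool          # admin accepted the registration request
    email_confirmed: bool   # user followed the confirmation link


def authenticate(accounts, login, password):
    """Return (ok, message). Unknown login, unaccepted account and wrong
    password all get the same GENERIC text; the specific CONFIRM hint is
    given only once the password has verified, so a caller who merely guesses
    logins learns nothing. The hash is computed even for unknown logins so
    response time does not distinguish them either."""
    acct = accounts.get(login)
    salt = acct.salt if acct else b"\x00" * 16
    expected = acct.digest if acct else b"\x00" * 32
    password_ok = hmac.compare_digest(hash_password(password, salt)[1], expected)
    if acct is None or not acct.accepted or not password_ok:
        return False, GENERIC
    if not acct.email_confirmed:
        return False, CONFIRM
    return True, "ok"


def build_accounts():
    """Constructed sample: one active user and one accepted but unconfirmed user."""
    accounts = {}
    for login, pw, confirmed in (("alice@example.org", "correct horse", True),
                                 ("bob@example.org", "battery staple", False)):
        salt, digest = hash_password(pw)
        accounts[login] = Account(login, salt, digest, True, confirmed)
    return accounts
```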
From: Nikolaos E. <ni...@ad...> - 2018-03-26 11:28:26

Hello Krzysztof,

What I mean is when I register to b2access using my orcid account (through the form in web UI) and get entity information using the restAPI I get this response:

{
  "comparableValue": "XXXX-XXXX-XXXX-XXXX",
  "confirmationInfo": {
    "confirmationDate": 0,
    "confirmed": false,
    "sentRequestAmount": 0
  },
  "creationTs": 1518000192796,
  "entityId": XXX,
  "remoteIdp": "https://pub.orcid.org/oauth/token",
  "translationProfile": "orcidProfile",
  "typeId": "identifier",
  "updateTs": 1518000192796,
  "value": "XXXX-XXXX-XXXX-XXXX"
}

Would it be possible to register a user using the restAPI instead of the web form? If so, how could I set the remote idp and the translation profile?

Regards,
Nick

> On 19 Mar 2018, at 18:55, Krzysztof Benedyczak <kb...@un...> wrote:
>
> Hi Nikolaos,
>
> On 19.03.2018 at 08:52, Nikolaos Evangelou wrote:
>> Hello Krzysztof,
>>
>> We are developing a new platform and the users must register to 3 different services (service A, service B and B2ACCESS). So we don't want the user to register in 3 different services and we are trying to register the user at once. In that way the user will fill a single form and he will be registered in the background.
> Sounds good.
>
>> Now service A, will be added as IdP to B2ACCESS in the future and this is where the remoteIDP and translation profile are needed to be added to the user's account. Any idea how we will achieve this?
> I'm not sure what you mean here. Translation profile is not added to user's profile, nor remoteIDP is. If you want to allow the user to use the service then you have to add it to its group of authorized users (what can be done with REST call or via registration process above).
>
> Best,
>
> Krzysztof
>
From: Krzysztof B. <kb...@un...> - 2018-03-19 16:55:57

Hi Nikolaos,

On 19.03.2018 at 08:52, Nikolaos Evangelou wrote:
> Hello Krzysztof,
>
> We are developing a new platform and the users must register to 3 different services (service A, service B and B2ACCESS). So we don't want the user to register in 3 different services and we are trying to register the user at once. In that way the user will fill a single form and he will be registered in the background.

Sounds good.

> Now service A, will be added as IdP to B2ACCESS in the future and this is where the remoteIDP and translation profile are needed to be added to the user's account. Any idea how we will achieve this?

I'm not sure what you mean here. Translation profile is not added to user's profile, nor remoteIDP is. If you want to allow the user to use the service then you have to add it to its group of authorized users (what can be done with REST call or via registration process above).

Best,

Krzysztof
From: Nikolaos E. <ni...@ad...> - 2018-03-19 07:53:10

Hello Krzysztof,

We are developing a new platform and the users must register to 3 different services (service A, service B and B2ACCESS). So we don't want the user to register in 3 different services and we are trying to register the user at once. In that way the user will fill a single form and he will be registered in the background.

Now service A, will be added as IdP to B2ACCESS in the future and this is where the remoteIDP and translation profile are needed to be added to the user's account. Any idea how we will achieve this?

Regards,
Nick

> On 17 Mar 2018, at 01:39, Krzysztof Benedyczak <kb...@un...> wrote:
>
> Hi,
>
> On 16.03.2018 at 12:19, Nikolaos Evangelou wrote:
>> Hello Krzysztof,
>>
>> The scenario is that a service registers users using API calls. I have created an entity using API calls and I wonder if it's possible to add a remoteIdP and translationProfile.
>>
> No, adding translation profiles is not exposed by REST admin. Regarding 'remoteIDP' - it depends on what you mean by that?
>
> In any way do you need to add translation profile to register users?
>
> Best
> Krzysztof
From: Krzysztof B. <kb...@un...> - 2018-03-16 23:39:18

Hi,

On 16.03.2018 at 12:19, Nikolaos Evangelou wrote:
> Hello Krzysztof,
>
> The scenario is that a service registers users using API calls. I have created an entity using API calls and I wonder if it's possible to add a remoteIdP and translationProfile.
>

No, adding translation profiles is not exposed by REST admin. Regarding 'remoteIDP' - it depends on what you mean by that?

In any way do you need to add translation profile to register users?

Best
Krzysztof