unity-idm-discuss — Unity discussion and support

Re: [Unity-idm-discuss] Password verification

[D B. <ba...@aw...>]

Hi!

On 24/04/18 00:05, Krzysztof Benedyczak wrote:
> Well probably this is bit misleading. The meaning of 0 means that no
> history should be checked previous passwords) but your new candidate for
> a password must be different from the current one still. Also I think
> (but I'd need to verify this) we may have a bug that reconfiguring
> credential to have lower limit (so changing the setting from say 10 to
> 1) in some cases won't work. This latter I need to confirm.>
> Anyway if you create a new credential with 0 then you won't be able to
> set a password to the current one. While this sounds nonsense I think we
> can still allow for this (assuming the setting is 0): to rehash the same
> password after password hashing configuration change.

Not quite sure I understand. Is there a difference between setting
history of 0 and 1 then? Does 1 mean "not the last one and the one
before that"?

> Have you changed your authenticator configuration to use the
> 'SimplePassword' instead of sys:password?

Ah, that's the trick! Thanks!

One thing I'm not sure about yet is: Do I need to manually reset the
passwords for the users (as admin) so that they are able to log in when
the new password restrictions are applied? (I got that impression but
I'm not sure.)

If so, how do I update the admin password without locking myself out of
the admin account?

> Actually we hit this couple of times too. We are thinking how to enable
> such feature without creating super-complex credential config and at the
> same time being able to provide sensible user experience and control. 

Yeah, if the user only gets "Password too weak" they have no indication
what it takes to make the password stronger.
Maybe a progress bar above/below the password field that fills up as
more "password strength" gets added to the password?

> I
> even think this can go into next release as we are anyway working on
> making password setting/reset/update user friendly (better UI, feedback)
> for 2.5.

Sounds great!

> Having this defined as "minimum allowed security index" is somewhat
> difficult as admins typically won't know what is a "strong" or "low"
> index. But maybe it is the way to go. I've checked keepass and indeed it
> seems to use dictionary ('alic' has higher score then 'alice'), but this
> is pretty poor dictionary

And also the dictionary would/could depend on the language.

> Thinking in progress - feature request of course accepted.

Thanks!

Best,
D.

Re: [Unity-idm-discuss] Multiple SAML service providers authenticating against unity?

[D B. <ba...@aw...>]

Hi!

On 23/04/18 23:41, Krzysztof Benedyczak wrote:
> Sorry - I should have noticed this earlier. You wrote that you are using
> 2.4.1 - it contained bug UY-684 which was fixed in 2.4.2 - and it is
> precisely what you are observing. So please update to the latest version.

Fix confirmed, thank you! :-)

And: sorry - I should have checked the issue tracker and worked on the
latest version... I hope next time I'll do better :-)

Best,
D.

Re: [Unity-idm-discuss] Password verification

[Krzysztof B. <kb...@un...>]

W dniu 23.04.2018 o 17:28, D Baum pisze:
> Hi,
>
> I'm trying to change the password requirements for my unity setup
> (knowing my users, if I put too many requirements on them they'll just
> write their passwords down or reuse them; see also NIST's new password
> recommendations, e.g.
> https://www.nist.gov/blogs/taking-measure/easy-ways-build-better-pw0rd).
>
> So far, I haven't had much success: I created a new credential
> definition called SimplePassword with
> Number of previous, forbidden passwords: 0
> and edited the "Password requirement" credential requirement to use it
> instead of sys:password.
>
> However, when I try to update an identity's password credential, the
> password verificator complains that I'm reusing a password (which I am,
> but I've just configured that unity shouldn't worry about it...). How
> can I get unity to allow users to reuse previous passwords?

Well probably this is bit misleading. The meaning of 0 means that no 
history should be checked previous passwords) but your new candidate for 
a password must be different from the current one still. Also I think 
(but I'd need to verify this) we may have a bug that reconfiguring 
credential to have lower limit (so changing the setting from say 10 to 
1) in some cases won't work. This latter I need to confirm.

Anyway if you create a new credential with 0 then you won't be able to 
set a password to the current one. While this sounds nonsense I think we 
can still allow for this (assuming the setting is 0): to rehash the same 
password after password hashing configuration change.

I'll check this up.
> More importantly, when set a new, weak password and try to log in with
> it, authentication is denied.
>
> So something seems to be going on with the password update after
> changing a credential requirement by swapping in a new credential
> definition.
Have you changed your authenticator configuration to use the 
'SimplePassword' instead of sys:password?
> Once I swap back to the original sys:password requirement and change the
> password again, login works fine.
>
>
>
> Somewhat related to the password verification issue, may I add a feature
> request?
> In times of "correct battery horse staple", could you introduce a
> measure of password strength that also takes length into account? So
> that users can e.g. have 30+ character passwords but with only one
> character class OR 10 character passwords with more character classes.
> I've seen KeePass use some sort of entropy (password strength is
> measured in bits), probably using a dictionary to detect frequently used
> character combinations (-> words).
> The admin could then configure the required entropy of the passwords and
> let the users decide themselves whether they want longer or more random
> passwords.

Actually we hit this couple of times too. We are thinking how to enable 
such feature without creating super-complex credential config and at the 
same time being able to provide sensible user experience and control. I 
even think this can go into next release as we are anyway working on 
making password setting/reset/update user friendly (better UI, feedback) 
for 2.5.

Having this defined as "minimum allowed security index" is somewhat 
difficult as admins typically won't know what is a "strong" or "low" 
index. But maybe it is the way to go. I've checked keepass and indeed it 
seems to use dictionary ('alic' has higher score then 'alice'), but this 
is pretty poor dictionary - I was able to easily find real words, 5 
chars long, which had same score as random strings (and of course way 
higher then 'alice'). So this index meaning is bit fuzzy.

Thinking in progress - feature request of course accepted.

Thanks
Krzysztof

Re: [Unity-idm-discuss] Multiple SAML service providers authenticating against unity?

[Krzysztof B. <kb...@un...>]

Hi Doris,

W dniu 23.04.2018 o 10:37, Doris Baum pisze:
> Hi!
>
> On 21/04/18 13:17, Krzysztof Benedyczak wrote:
>> Can you also share the metadata for the portal?
> Here are somewhat anonymised versions of the xml config files for both SPs.
>
Sorry - I should have noticed this earlier. You wrote that you are using 
2.4.1 - it contained bug UY-684 which was fixed in 2.4.2 - and it is 
precisely what you are observing. So please update to the latest version.

Best,
Krzysztof

[Unity-idm-discuss] Password verification

[D B. <ba...@aw...>]

Hi,

I'm trying to change the password requirements for my unity setup
(knowing my users, if I put too many requirements on them they'll just
write their passwords down or reuse them; see also NIST's new password
recommendations, e.g.
https://www.nist.gov/blogs/taking-measure/easy-ways-build-better-pw0rd).

So far, I haven't had much success: I created a new credential
definition called SimplePassword with
Number of previous, forbidden passwords: 0
and edited the "Password requirement" credential requirement to use it
instead of sys:password.

However, when I try to update an identity's password credential, the
password verificator complains that I'm reusing a password (which I am,
but I've just configured that unity shouldn't worry about it...). How
can I get unity to allow users to reuse previous passwords?

More importantly, when set a new, weak password and try to log in with
it, authentication is denied.

So something seems to be going on with the password update after
changing a credential requirement by swapping in a new credential
definition.

Once I swap back to the original sys:password requirement and change the
password again, login works fine.



Somewhat related to the password verification issue, may I add a feature
request?
In times of "correct battery horse staple", could you introduce a
measure of password strength that also takes length into account? So
that users can e.g. have 30+ character passwords but with only one
character class OR 10 character passwords with more character classes.
I've seen KeePass use some sort of entropy (password strength is
measured in bits), probably using a dictionary to detect frequently used
character combinations (-> words).
The admin could then configure the required entropy of the passwords and
let the users decide themselves whether they want longer or more random
passwords.

Cheers,
D.

[Unity-idm-discuss] Multiple SAML service providers authenticating against unity?

[Doris B. <ba...@aw...>]

Hi!

On 21/04/18 13:17, Krzysztof Benedyczak wrote:
> Can you also share the metadata for the portal?

Here are somewhat anonymised versions of the xml config files for both SPs.

Cheers,
D.

Re: [Unity-idm-discuss] Multiple SAML service providers authenticating against unity?

[Krzysztof B. <kb...@un...>]

Hi,

W dniu 19.04.2018 o 18:06, D Baum pisze:
> Hi,
>
> I'm trying to have multiple SAML services providers authenticate against
> unity (v2.4.1) as the IDP.
>
> The relevant config file looks like this:
>
> unity.saml.issuerURI=http://unity
> unity.saml.credential=PORTAL
> unity.saml.defaultGroup=/A
> unity.saml.spAcceptPolicy=validRequester
> unity.saml.acceptedSPMetadataSource.portal.url=file:///etc/unity-idm/portal-metadata_fed.xml
> unity.saml.acceptedSPMetadataSource.simpleSAMLphp.url=file:///etc/unity-idm/simpleSAMLphp_fed.xml
> unity.saml.signResponses=asRequest
> unity.saml.translationProfile=portalSAMLOutputProfile
> unity.saml.skipConsent=true
> unity.saml.userCanEditConsent=false
> unity.endpoint.web.autoLogin=true
>
> However, if I try to log in to the portal SP, I get this error:
>
> ERROR
> SAML service got an invalid request.
> If you are a user then you can be sure that the web application you was
> using previously is either misconfigured or buggy.
> If you are an administrator or developer, here the details of the error
> follows:
> eu.unicore.samly2.exceptions.SAMLRequesterException: Issuer is not among
> trusted: portal
> Caused by: eu.unicore.samly2.exceptions.SAMLRequesterException: Issuer
> is not among trusted: portal
>
> So it seems I can't configure two SPs in this way, is that right?
> Is the only way to configure two SPs to copy-paste their xml config into
> the same metadata xml file together?
Your config is all right, Unity can use multiple metadata sources and 
merges them (of course should not clash).

Try to enable more detailed logging on saml subsystem and verify 
carefully logs when metadata is loaded/refreshed. I suppose there is 
some configuration mismatch somewhere.

Cheers,
Krzysztof

[Unity-idm-discuss] Multiple SAML service providers authenticating against unity?

[D B. <ba...@aw...>]

Hi,

I'm trying to have multiple SAML services providers authenticate against
unity (v2.4.1) as the IDP.

The relevant config file looks like this:

unity.saml.issuerURI=http://unity
unity.saml.credential=PORTAL
unity.saml.defaultGroup=/A
unity.saml.spAcceptPolicy=validRequester
unity.saml.acceptedSPMetadataSource.portal.url=file:///etc/unity-idm/portal-metadata_fed.xml
unity.saml.acceptedSPMetadataSource.simpleSAMLphp.url=file:///etc/unity-idm/simpleSAMLphp_fed.xml
unity.saml.signResponses=asRequest
unity.saml.translationProfile=portalSAMLOutputProfile
unity.saml.skipConsent=true
unity.saml.userCanEditConsent=false
unity.endpoint.web.autoLogin=true

However, if I try to log in to the portal SP, I get this error:

ERROR
SAML service got an invalid request.
If you are a user then you can be sure that the web application you was
using previously is either misconfigured or buggy.
If you are an administrator or developer, here the details of the error
follows:
eu.unicore.samly2.exceptions.SAMLRequesterException: Issuer is not among
trusted: portal
Caused by: eu.unicore.samly2.exceptions.SAMLRequesterException: Issuer
is not among trusted: portal

So it seems I can't configure two SPs in this way, is that right?
Is the only way to configure two SPs to copy-paste their xml config into
the same metadata xml file together?

Cheers,
D.

Re: [Unity-idm-discuss] Unable to use new password type credential on admin/home UI

[Piotr P. <pio...@gm...>]

wt., 27.03.2018, 14:39 użytkownik Shiraz Memon <a....@fz...>
napisał:

> Dear Piotr,
>
> On Tue, Mar 27, 2018 at 2:20 PM, Piotr Piernik <pio...@gm...>
> wrote:
>
>>
>>
>> wt., 27.03.2018, 13:52 użytkownik Shiraz Memon <a....@fz...>
>> napisał:
>>
>>> Hi Krzysztof, Piotr, All,
>>>
>>> I am using v2.4.2 and have added a new password credential (under schema
>>> management tab) as I do not want to use sys:password after using the
>>> default admin user credentials. Then, I have configured new initial
>>> username (say admin2) and password credentials, subsequently changed all
>>> the authenticators which were relying on sys:password and restarted the
>>> server.
>>>
>> Dear Shiraz
>> I am not sure if I understand it well but if you set new initial user and
>> password by config file you add new admin with default sys:password
>> credential. If you first add new admin 'admin3' by ui and set him new
>> 'customPassword' credential and then set him new initial password by config
>> file nothing will be changed. You can not update 'customPassword'
>> credential by setting initialPassword in config file.
>>
>>
> Here are the steps I have followed:
> i) Added a new credential definition called "PasswordCredential" on the
> Web admin UI, while signed in as the default "admin" user
> ii) Stopped the server, configured initial admin credentials inside
> unityServer.config - so not adding the credentials on the admin UI assuming
> they are created automatically upon next restart
>
By setting new admin in config you added new 'admin' with 'sys:password'
credential. No 'PasswordCredential'.

iii) Reconfigured all the authenticators, basically replacing sys:password
> with PasswordCredential
>
Then you cannot using sys:password to login

iv) Restart the server and tried to authenticate with new the admin
> credentials, also found an important info (see below :))
>
> 2018-03-27T14:08:06,945 [main] WARN
>  unity.server.config.UnityServerConfiguration: IMPORTANT:
> Database was initialized with a default admin user and password. Log in
> and change the admin's password immediatelly! U: admin2 P: the!unity
> The credential used for this user is named: 'sys:password' make sure that
> this credential is enabled for the admin UI endpoint. If not add an
> authentic
> ator using this credential to the admin endpoint.
>
> I wonder why the admin UI endpoint is enabled for sys:password when the
> authenticator configuration is:
>
You can sign in to unity admin UI using sys:password credential? I think
you can only login using 'PasswordCredential'.


> unityServer.core.authenticators.pwdWeb.authenticatorName=pwdWeb
> unityServer.core.authenticators.pwdWeb.authenticatorType=password with
> web-password
> #unityServer.core.authenticators.pwdWeb.localCredential=sys:password
> unityServer.core.authenticators.pwdWeb.localCredential=PasswordCredential
>
> unityServer.core.authenticators.pwdWeb.retrievalConfigurationFile=${CONF}/authenticators/passwordRetrieval.json
>
> and the endpoint config is:
>
> unityServer.core.endpoints.adminUI.endpointType=WebAdminUI
> unityServer.core.endpoints.adminUI.endpointConfigurationFile=${CONF}/modules/core/webadmin.properties
>
> unityServer.core.endpoints.adminUI.contextPath=/admin
> unityServer.core.endpoints.adminUI.endpointRealm=adminRealm
> unityServer.core.endpoints.adminUI.endpointName=UNITY administration
> interface
>
> unityServer.core.endpoints.adminUI.endpointAuthenticators=pwdWeb;certWeb;oauthWeb;samlWeb
>
>
>
>> After making several failed attempts, Unity is not signing me in with the
>>> newly defined admin credentials on admin UI. Do you know what could be the
>>> issue? and I wonder why I cannot change the sys:password credential
>>> properties on admin UI, are they intentionally immutable?
>>>
>>
>> Yes. sys:password is the system credential and can not be changed
>>
>
> Ok.
>
> Cheers,
> Shiraz
>
>
>>
>>
>>> Cheers,
>>> Shiraz
>>> --
>>> Shiraz Memon
>>> Federated Systems and Data
>>> Jülich Supercomputing Centre (JSC)
>>>
>>> Phone: +49 2461 61 6899 <02461%20616899>
>>> Fax:     +49 2461 61 6656 <02461%20616656>
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------------------------
>>>
>>> ------------------------------------------------------------------------------------------------
>>> Forschungszentrum Juelich GmbH
>>> 52425 Juelich
>>> Sitz der Gesellschaft: Juelich
>>> Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
>>> Vorsitzender des Aufsichtsrats: MinDir Dr. Karl Eugen Huthmacher
>>> Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender),
>>> Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt,
>>> Prof. Dr. Sebastian M. Schmidt
>>>
>>> ------------------------------------------------------------------------------------------------
>>>
>>> ------------------------------------------------------------------------------------------------
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>> _______________________________________________
>>> Unity-idm-discuss mailing list
>>> Uni...@li...
>>> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
>>>
>>
>
>
> --
> Shiraz Memon
> Federated Systems and Data
> Jülich Supercomputing Centre (JSC)
>
> Phone: +49 2461 61 6899
> Fax:     +49 2461 61 6656
>

Re: [Unity-idm-discuss] Unable to use new password type credential on admin/home UI

[Shiraz M. <a....@fz...>]

Dear Piotr,

On Tue, Mar 27, 2018 at 2:20 PM, Piotr Piernik <pio...@gm...>
wrote:

>
>
> wt., 27.03.2018, 13:52 użytkownik Shiraz Memon <a....@fz...>
> napisał:
>
>> Hi Krzysztof, Piotr, All,
>>
>> I am using v2.4.2 and have added a new password credential (under schema
>> management tab) as I do not want to use sys:password after using the
>> default admin user credentials. Then, I have configured new initial
>> username (say admin2) and password credentials, subsequently changed all
>> the authenticators which were relying on sys:password and restarted the
>> server.
>>
> Dear Shiraz
> I am not sure if I understand it well but if you set new initial user and
> password by config file you add new admin with default sys:password
> credential. If you first add new admin 'admin3' by ui and set him new
> 'customPassword' credential and then set him new initial password by config
> file nothing will be changed. You can not update 'customPassword'
> credential by setting initialPassword in config file.
>
>
Here are the steps I have followed:
i) Added a new credential definition called "PasswordCredential" on the Web
admin UI, while signed in as the default "admin" user
ii) Stopped the server, configured initial admin credentials inside
unityServer.config - so not adding the credentials on the admin UI assuming
they are created automatically upon next restart
iii) Reconfigured all the authenticators, basically replacing sys:password
with PasswordCredential
iv) Restart the server and tried to authenticate with new the admin
credentials, also found an important info (see below :))

2018-03-27T14:08:06,945 [main] WARN
 unity.server.config.UnityServerConfiguration: IMPORTANT:
Database was initialized with a default admin user and password. Log in and
change the admin's password immediatelly! U: admin2 P: the!unity
The credential used for this user is named: 'sys:password' make sure that
this credential is enabled for the admin UI endpoint. If not add an
authentic
ator using this credential to the admin endpoint.

I wonder why the admin UI endpoint is enabled for sys:password when the
authenticator configuration is:

unityServer.core.authenticators.pwdWeb.authenticatorName=pwdWeb
unityServer.core.authenticators.pwdWeb.authenticatorType=password with
web-password
#unityServer.core.authenticators.pwdWeb.localCredential=sys:password
unityServer.core.authenticators.pwdWeb.localCredential=PasswordCredential
unityServer.core.authenticators.pwdWeb.retrievalConfigurationFile=${CONF}/authenticators/passwordRetrieval.json

and the endpoint config is:

unityServer.core.endpoints.adminUI.endpointType=WebAdminUI
unityServer.core.endpoints.adminUI.endpointConfigurationFile=${CONF}/modules/core/webadmin.properties

unityServer.core.endpoints.adminUI.contextPath=/admin
unityServer.core.endpoints.adminUI.endpointRealm=adminRealm
unityServer.core.endpoints.adminUI.endpointName=UNITY administration
interface
unityServer.core.endpoints.adminUI.endpointAuthenticators=pwdWeb;certWeb;oauthWeb;samlWeb



> After making several failed attempts, Unity is not signing me in with the
>> newly defined admin credentials on admin UI. Do you know what could be the
>> issue? and I wonder why I cannot change the sys:password credential
>> properties on admin UI, are they intentionally immutable?
>>
>
> Yes. sys:password is the system credential and can not be changed
>

Ok.

Cheers,
Shiraz


>
>
>> Cheers,
>> Shiraz
>> --
>> Shiraz Memon
>> Federated Systems and Data
>> Jülich Supercomputing Centre (JSC)
>>
>> Phone: +49 2461 61 6899 <02461%20616899>
>> Fax:     +49 2461 61 6656 <02461%20616656>
>>
>>
>> ------------------------------------------------------------
>> ------------------------------------
>> ------------------------------------------------------------
>> ------------------------------------
>> Forschungszentrum Juelich GmbH
>> 52425 Juelich
>> Sitz der Gesellschaft: Juelich
>> Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
>> Vorsitzender des Aufsichtsrats: MinDir Dr. Karl Eugen Huthmacher
>> Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender),
>> Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt,
>> Prof. Dr. Sebastian M. Schmidt
>> ------------------------------------------------------------
>> ------------------------------------
>> ------------------------------------------------------------
>> ------------------------------------
>>
>> ------------------------------------------------------------
>> ------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot______
>> _________________________________________
>> Unity-idm-discuss mailing list
>> Uni...@li...
>> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
>>
>


-- 
Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)

Phone: +49 2461 61 6899
Fax:     +49 2461 61 6656

Re: [Unity-idm-discuss] Unable to use new password type credential on admin/home UI

[Piotr P. <pio...@gm...>]

wt., 27.03.2018, 13:52 użytkownik Shiraz Memon <a....@fz...>
napisał:

> Hi Krzysztof, Piotr, All,
>
> I am using v2.4.2 and have added a new password credential (under schema
> management tab) as I do not want to use sys:password after using the
> default admin user credentials. Then, I have configured new initial
> username (say admin2) and password credentials, subsequently changed all
> the authenticators which were relying on sys:password and restarted the
> server.
>
Dear Shiraz
I am not sure if I understand it well but if you set new initial user and
password by config file you add new admin with default sys:password
credential. If you first add new admin 'admin3' by ui and set him new
'customPassword' credential and then set him new initial password by config
file nothing will be changed. You can not update 'customPassword'
credential by setting initialPassword in config file.

After making several failed attempts, Unity is not signing me in with the
> newly defined admin credentials on admin UI. Do you know what could be the
> issue? and I wonder why I cannot change the sys:password credential
> properties on admin UI, are they intentionally immutable?
>

Yes. sys:password is the system credential and can not be changed


> Cheers,
> Shiraz
> --
> Shiraz Memon
> Federated Systems and Data
> Jülich Supercomputing Centre (JSC)
>
> Phone: +49 2461 61 6899
> Fax:     +49 2461 61 6656
>
>
>
> ------------------------------------------------------------------------------------------------
>
> ------------------------------------------------------------------------------------------------
> Forschungszentrum Juelich GmbH
> 52425 Juelich
> Sitz der Gesellschaft: Juelich
> Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
> Vorsitzender des Aufsichtsrats: MinDir Dr. Karl Eugen Huthmacher
> Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender),
> Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt,
> Prof. Dr. Sebastian M. Schmidt
>
> ------------------------------------------------------------------------------------------------
>
> ------------------------------------------------------------------------------------------------
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
>

[Unity-idm-discuss] Unable to use new password type credential on admin/home UI

[Shiraz M. <a....@fz...>]

Hi Krzysztof, Piotr, All,

I am using v2.4.2 and have added a new password credential (under schema management tab) as I do not want to use sys:password after using the default admin user credentials. Then, I have configured new initial username (say admin2) and password credentials, subsequently changed all the authenticators which were relying on sys:password and restarted the server.

After making several failed attempts, Unity is not signing me in with the newly defined admin credentials on admin UI. Do you know what could be the issue? and I wonder why I cannot change the sys:password credential properties on admin UI, are they intentionally immutable?

Cheers,
Shiraz
--
Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)

Phone: +49 2461 61 6899
Fax:     +49 2461 61 6656


------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzender des Aufsichtsrats: MinDir Dr. Karl Eugen Huthmacher
Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender),
Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt,
Prof. Dr. Sebastian M. Schmidt
------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------

Re: [Unity-idm-discuss] Account acceptance and email confirmation workflow

[Krzysztof B. <kb...@un...>]

W dniu 26.03.2018 o 14:26, Willem Elbers pisze:
> Dear Krzysztof,
>
> we are indeed using the users email as login. This checkbox in the
> registration form config sounds good.
>
> Please add this as a feature request. Do not however that we want to
> have the confirmation link included in the acceptance email in this
> case, so that the user only receives a single email.

UY-689.
You will be able to have a single email as described: do not set any 
message for request acceptance and in email confirmation message provide 
necessary information about successful registration.

Best
Krzysztof

Re: [Unity-idm-discuss] Add remote IdP using API

[Krzysztof B. <kb...@un...>]

Hi Nikolaos,

W dniu 26.03.2018 o 13:28, Nikolaos Evangelou pisze:
> Hello Krzysztof,
>
> What I mean is when I register to b2access using my orcid account (through the form in web UI) and get entity information using the restAPI I get this response:
>
> 	{
>              "comparableValue": "XXXX-XXXX-XXXX-XXXX",
>              "confirmationInfo": {
>                  "confirmationDate": 0,
>                  "confirmed": false,
>                  "sentRequestAmount": 0
>              },
>              "creationTs": 1518000192796,
>              "entityId": XXX,
>              "remoteIdp": "https://pub.orcid.org/oauth/token",
>              "translationProfile": "orcidProfile",
>              "typeId": "identifier",
>              "updateTs": 1518000192796,
>              "value": “XXXX-XXXX-XXXX-XXXX"
>          }
>
> Would it be possible to register a user using the restAPI instead of the web form? If so, how could I set the remote idp and the translation profile?
>
 From what you wrote it seems that you want to create the "same" 
identity as the pasted one, and the problem is with setting the identity 
*metadata* remoteIdp and translationProfile, correct?
If so then no, you can't set it via rest (and with anything else). 
Similarly as you can not set creationTs and updateTs. This is metadata 
about the identity, which is set automatically by Unity to provide 
context information mostly admin oriented about the origin of element. 
For instance if you create identity using rest call (or clicking in 
AdminUI) translation profile is not used so won't be set.

HTH,
Krzysztof

Re: [Unity-idm-discuss] Support for multiple SAML assertion consumer service endpoints for a single SAML SP

[Krzysztof B. <kb...@un...>]

Hi Willem,

W dniu 26.03.2018 o 14:32, Willem Elbers pisze:
> Dear Krzysztof,
>
> do you have an indication when
> https://dev.unity-idm.eu/jira/browse/UY-680 could be implemented?

I'm not sure if this will be squeezed still into 2.5.0 (next) - ca 40% 
chances. If not then 2.6.0.


Best
Krzysztof

Re: [Unity-idm-discuss] One-time password reset url instead of code

[Krzysztof B. <kb...@un...>]

Dear Willem,

W dniu 26.03.2018 o 14:34, Willem Elbers pisze:
> Dear Krzysztof,
>
> When doing a password reset, users need to copy and paste a code from an
> email to the password reset dialog.
> If UnityIDM allows to send a 1-time URL instead this would be a nice and
> user-friendly alternative.
>
> Would this be something you would consider implementing?
This is a quite insecure way of resetting password. Everybody having 
read access to user mail (as any mail admin) can then easily overtake 
Unity account using that email (triggering sending of email code is 
easy). On the other hand this is (should be) a very infrequent operation 
so coping few characters shouldn't be too demanding.

In the next version there will be a new feature allowing for even more 
secure password reset with use of mobile, however requiring retyping the 
code.

So sorry, but I wouldn't go for it.

Best,
Krzysztof

Re: [Unity-idm-discuss] Text truncated for free text attribute in accept registration screen

[Krzysztof B. <kb...@un...>]

Hi Willem,

W dniu 26.03.2018 o 14:29, Willem Elbers pisze:
>
> Hi Krzysztof,
>
> did this conversion materialize in an issue? If not I would like to 
> request this as a feature.
>

UY-601, released since 2.4.0. Hopefully in all places where truncation 
was used the full value should be displayed now (no special config 
required).

Best
Krzysztof

[Unity-idm-discuss] One-time password reset url instead of code

[Willem E. <wi...@cl...>]

Dear Krzysztof,

When doing a password reset, users need to copy and paste a code from an
email to the password reset dialog.
If UnityIDM allows to send a 1-time URL instead this would be a nice and
user-friendly alternative.

Would this be something you would consider implementing?

Best,

Willem

-- 
Willem Elbers
CLARIN ERIC
www.clarin.eu | tel: +31-(0)85-0091277 | skype: wjm.elbers

Re: [Unity-idm-discuss] Support for multiple SAML assertion consumer service endpoints for a single SAML SP

[Willem E. <wi...@cl...>]

Dear Krzysztof,

do you have an indication when
https://dev.unity-idm.eu/jira/browse/UY-680 could be implemented?

Best,

Willem


On 17/09/2017 21:30, Krzysztof Benedyczak wrote:
> Hi Willem,
>
> W dniu 14.09.2017 o 14:20, Willem Elbers pisze:
>> Hello Krzysztof,
>>
>> does unity (we are still on version 1.9.6) support multiple assertion
>> consumer (ACS) endpoints (with different hostnames) for a single SAML
>> SP?
>>
>> We have integrated a SAML SP with a separate ACS for each application
>> they host via that SP, as described in the shibboleth documentation [1]
>> under 'Applications'. See the attached metadata for an example.
>>
>> None of these locations seems to work and throw a
>> "eu.unicore.samly2.exceptions.SAMLRequesterException:
>> AssertionConsumerServiceURL in request
>> (https://registries.clarin-dariah.eu/Shibboleth.sso/SAML2/POST) is not
>> among trusted endpoints of the issuer." error.
>>
>> There is no information in the unity log file (log level = DEBUG)
>> indicating any issue with this SP
>> (entityID="https://clarin.oeaw.ac.at/shibboleth").
>>
>> Any help to fix this issue is greatly appreciated. Please let me know if
>> you need more information.
>
> Unfortunately as of now we support only one endpoint per each type of
> endpoint for trusted SP (i.e. one HTTP Web-SSO, one HTTP SLO-Redirect,
> ...). The first one from metadata is taken.
>
> If you need support for multiple endpoints please write or open a
> ticket directly.
>
> Best,
> Krzysztof

-- 
Willem Elbers
CLARIN ERIC
www.clarin.eu | tel: +31-(0)85-0091277 | skype: wjm.elbers

Re: [Unity-idm-discuss] Text truncated for free text attribute in accept registration screen

[Willem E. <wi...@cl...>]

Hi Krzysztof,

did this conversion materialize in an issue? If not I would like to
request this as a feature.

Best,

Willem

On 08/05/2017 09:29, Willem Elbers wrote:
>
> Hi Krzysztof, Shiraz,
>
> +1 for toggle behavior. An alternative could be to show a popup with
> the full text.
>
> If toggle behavior is added, a toggle all option might also be useful.
>
> Best,
>
> Willem
>
>
> On 05/05/2017 16:55, Shiraz Memon wrote:
>> Krzysztof,
>>
>> On Thu, May 4, 2017 at 8:54 PM, Krzysztof Benedyczak <kb...@un...
>> <mailto:kb...@un...>> wrote:
>>
>>     Willem, Shiraz,
>>
>>     W dniu 01.05.2017 o 13:03, Willem Elbers pisze:
>>     > Dear Krzysztof,
>>     >
>>     > we have noticed that for one of our attributes (unlimited free
>>     text),
>>     > supplied via a registration form, the content is truncated
>>     "[...]" in
>>     > the accept registration window.
>>     >
>>     > Is there any way to view the full content of the attribute, before
>>     > accepting the request from the UI?
>>
>>
>>     Right, this is something to be improved.
>>     We have a special reusable component used to display attribute with
>>     values. It truncates the values, in different ways to fit to the UI
>>     without cluttering it.
>>
>>     What I can propose:
>>     a) currently attribute's type description (if present) is added as a
>>     tooltip for all the values. We can assign it to the attribute
>>     name only
>>     and on values add the full text representation.
>>
>>     b) in selected cases (as those two that you mentioned) we can
>>     change the
>>     UI to put the full representation.
>>
>>
>> With proposal a (if I understand it correctly) users have to go
>> through multiple truncated attributes (if there are many) one by one
>> and wait for the tooltip to appear, I'd prefer proposal b instead to
>> show the whole attribute value(s), ideally without cluttering.
>>
>>
>>     If you have any better ideas please write,
>>
>>
>> Perhaps enhanced b with toggle behavior, that is, expanding the value
>> by clicking the [...] or [>] or [+] and hide back after the second
>> mouse click, do you think it make sense and/or technically feasible.
>> However, other ideas from the subscribers of this list are most welcome. 
>>
>> Cheers,
>> Shiraz
>>  
>>
>>     Krzystof
>>
>>     ------------------------------------------------------------------------------
>>     Check out the vibrant tech community on one of the world's most
>>     engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>     <http://sdm.link/slashdot>
>>     _______________________________________________
>>     Unity-idm-discuss mailing list
>>     Uni...@li...
>>     <mailto:Uni...@li...>
>>     https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
>>     <https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss>
>>
>>
>>
>>
>> -- 
>> Shiraz Memon
>> Federated Systems and Data
>> Jülich Supercomputing Centre (JSC)
>>
>> Phone: +49 2461 61 6899
>> Fax:     +49 2461 61 6656
>>
>>
>> ------------------------------------------------------------------------------------------------
>> ------------------------------------------------------------------------------------------------
>> Forschungszentrum Juelich GmbH
>> 52425 Juelich
>> Sitz der Gesellschaft: Juelich
>> Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
>> Vorsitzender des Aufsichtsrats: MinDir Dr. Karl Eugen Huthmacher
>> Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender),
>> Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt,
>> Prof. Dr. Sebastian M. Schmidt
>> ------------------------------------------------------------------------------------------------
>> ------------------------------------------------------------------------------------------------
>>
>
> -- 
> Willem Elbers
> CLARIN ERIC
> www.clarin.eu | tel: +31-(0)85-0091277 | skype: wjm.elbers

-- 
Willem Elbers
CLARIN ERIC
www.clarin.eu | tel: +31-(0)85-0091277 | skype: wjm.elbers

Re: [Unity-idm-discuss] Account acceptance and email confirmation workflow

[Willem E. <wi...@cl...>]

Dear Krzysztof,

we are indeed using the users email as login. This checkbox in the
registration form config sounds good.

Please add this as a feature request. Do not however that we want to
have the confirmation link included in the acceptance email in this
case, so that the user only receives a single email.

Best,

Willem


On 10/02/2018 18:54, Krzysztof Benedyczak wrote:
> Hi Willem,
>
> W dniu 08.02.2018 o 10:35, Willem Elbers pisze:
>> Dear Krzysztof,
>>
>> we have been been noticing a pattern with some end-user being confused
>> with our current workflow where account acceptance and email
>> confirmation are running in parallel.
>>
>> Especially when accounts are accepted before the email address is
>> confirmed (sometime the confirmation email might end up in the spam
>> folder or the user ignored the email). If users try to login or reset
>> the password they get the generic error message "invalid username,
>> credential or external authentication failed". There is no indication
>> that the account is not active because of the unconfirmed email address.
>>
>> 1. Ideally we would like to switch to a sequential accept and confirm
>> workflow, where the email confirmation link is included in the
>> acceptance email. So (1) an admin accepts the account request, (2) this
>> triggers sending the acceptance email to the user with a confirmation
>> link included, (3) after confirming the email address the account is
>> ready to be used. Is such a workflow currently supported? If not we
>> would like to make this a feature request.
>
> OK, understood. No this is not possible currently. Do you use user's
> email as login? I.e. email identity is subject of confirmation?
> If so then it should be possible to achieve the above with the
> following feature: additional checkbox in registration form config:
> [ ] trigger email verification only after request acceptance
>
> Does it sound OK?
>> 2. Additionally the error message in this case be improved, so it is
>> clear to the user that confirmation is still required? I guess the
>> downside here is that this could be abused to leak information about
>> what accounts might exist or not.
> well, we can think about something like this but only if a proper
> password is provided (i.e. valid password and existing but not
> verified email as login).
>
> As a short term solution you can change the generic authN failure
> message to something better matching your needs.
>
> Thanks,
> Krzysztof

-- 
Willem Elbers
CLARIN ERIC
www.clarin.eu | tel: +31-(0)85-0091277 | skype: wjm.elbers

Re: [Unity-idm-discuss] Add remote IdP using API

[Nikolaos E. <ni...@ad...>]

Hello Krzysztof,

What I mean is when I register to b2access using my orcid account (through the form in web UI) and get entity information using the restAPI I get this response:

	{
            "comparableValue": "XXXX-XXXX-XXXX-XXXX",
            "confirmationInfo": {
                "confirmationDate": 0,
                "confirmed": false,
                "sentRequestAmount": 0
            },
            "creationTs": 1518000192796,
            "entityId": XXX,
            "remoteIdp": "https://pub.orcid.org/oauth/token",
            "translationProfile": "orcidProfile",
            "typeId": "identifier",
            "updateTs": 1518000192796,
            "value": “XXXX-XXXX-XXXX-XXXX"
        }

Would it be possible to register a user using the restAPI instead of the web form? If so, how could I set the remote idp and the translation profile?

Regards,
Nick


> On 19 Mar 2018, at 18:55, Krzysztof Benedyczak <kb...@un...> wrote:
> 
> Hi Nikolaos,
> 
> W dniu 19.03.2018 o 08:52, Nikolaos Evangelou pisze:
>> Hello Krzysztof,
>> 
>> We are developing a new platform and the users must register to 3 different services (service A, service B and B2ACCESS). So we don’t want the user to register in 3 different services and we are trying to register the user at once. In that way the user will fill a single form and he will be registered in the background.
> Sounds good.
> 
>> Now service A, will be added as IdP to B2ACCESS in the future and this is where the remoteIDP and translation profile are needed to be added to the user’s account. Any idea how we will achieve this?
> I'm not sure what do you mean here. Translation profile is not added to user's profile, nor remoteIDP is. If you want to allow the user to use the service then you have to add it to its group of authorized users (what can be done with REST call or via registration process above).
> 
> Best,
> 
> Krzysztof
> 

Re: [Unity-idm-discuss] Add remote IdP using API

[Krzysztof B. <kb...@un...>]

Hi Nikolaos,

W dniu 19.03.2018 o 08:52, Nikolaos Evangelou pisze:
> Hello Krzysztof,
>
> We are developing a new platform and the users must register to 3 different services (service A, service B and B2ACCESS). So we don’t want the user to register in 3 different services and we are trying to register the user at once. In that way the user will fill a single form and he will be registered in the background.
Sounds good.

> Now service A, will be added as IdP to B2ACCESS in the future and this is where the remoteIDP and translation profile are needed to be added to the user’s account. Any idea how we will achieve this?
I'm not sure what do you mean here. Translation profile is not added to 
user's profile, nor remoteIDP is. If you want to allow the user to use 
the service then you have to add it to its group of authorized users 
(what can be done with REST call or via registration process above).

Best,

Krzysztof

Re: [Unity-idm-discuss] Add remote IdP using API

[Nikolaos E. <ni...@ad...>]

Hello Krzysztof,

We are developing a new platform and the users must register to 3 different services (service A, service B and B2ACCESS). So we don’t want the user to register in 3 different services and we are trying to register the user at once. In that way the user will fill a single form and he will be registered in the background. Now service A, will be added as IdP to B2ACCESS in the future and this is where the remoteIDP and translation profile are needed to be added to the user’s account. Any idea how we will achieve this?

Regards,
Nick

> On 17 Mar 2018, at 01:39, Krzysztof Benedyczak <kb...@un...> wrote:
> 
> Hi,
> 
> W dniu 16.03.2018 o 12:19, Nikolaos Evangelou pisze:
>> Hello Krzysztof,
>> 
>> The scenario is that a service register users using API calls. I have created an entity using API calls and I wonder if it’s possible to add a remoteIdP and translationProfile.
>> 
> No, adding translation profiles is not exposed by REST admin. Regarding 'remoteIDP' - it depends on what you mean by that?
> 
> In any way do you need to add translation profile to register users?
> 
> Best
> Krzysztof

Re: [Unity-idm-discuss] Add remote IdP using API

[Krzysztof B. <kb...@un...>]

Hi,

W dniu 16.03.2018 o 12:19, Nikolaos Evangelou pisze:
> Hello Krzysztof,
>
> The scenario is that a service register users using API calls. I have created an entity using API calls and I wonder if it’s possible to add a remoteIdP and translationProfile.
>
No, adding translation profiles is not exposed by REST admin. Regarding 
'remoteIDP' - it depends on what you mean by that?

In any way do you need to add translation profile to register users?

Best
Krzysztof