From: Krzysztof B. <kb...@un...> - 2018-05-13 18:34:24

Hi Shiraz,

On 09.05.2018 at 13:49, Shiraz Memon wrote:
> Hi,
>
> Unity (v2.4.2) is not accepting/submitting any registration form which
> has "optional" attributes of type string, BUT the minimum length is
> set to above zero (0) under schema management. Moreover the error
> which only appears on pop-up (not in the logs) is misleading as it
> does not say which "optional" attribute is supposed to be non-zero, if
> multiple non-mandatory attributes are defined.
>
> "can not submit the registration request Value lenght(0) is too small,
> must be at least 2."

Hmm - I can notice the problem but only on acceptance (processing) of an already submitted request. Can you describe how you got the error upon submission? From your description it seems that you were able to get this both upon submission and when processing the request.

> A work around: Set minimum length of the non-mandatory/optional
> attributes of type string to 0 under the schema management tab and
> ask the users to register again.
>
> I have not tested the inverse case: configure an attribute with
> minimum length '0' but make it mandatory in the registration form

Seems we will have to re-think support for 0-length values. It makes little sense in practice but causes a lot of trouble, as a missing value and a 0-length value are "hard" to distinguish. I've opened a ticket to cover this. It won't make it into the upcoming 2.5.0, but at least the error message upon accepting the request was improved so you get the name of the problematic attribute (and so you can ignore it).

Cheers,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2018-05-09 21:46:42

Hi,

On 07.05.2018 at 19:09, D Baum wrote:
> Hi,
>
> SSO works fine between my Unity IDP and Shibboleth SP now - but
> unfortunately SAML Logout doesn't and I'm not even sure where the
> problem comes from.
>
> If I set
> unity.saml.spAcceptPolicy=validRequester
> on the Unity IDP, it complains about unsigned LogoutRequests. Cut from
> the attached log file:
> eu.unicore.samly2.exceptions.SAMLRequesterException: SAML document is
> not signed and the policy requires a signature
> at
> eu.unicore.samly2.validators.AbstractRequestValidator.validate(AbstractRequestValidator.java:87)
> ~[samly2-2.3.3.jar:2.3.3]
>
> However, the Shibboleth SP is configured with
>
> <Logout signing="true" encryption="false">SAML2 Local</Logout>

While looking at your attached log it seems that Unity receives an unsigned request. I don't know the details of your config - for validRequester have you configured trusted URLs (unless you use metadata to configure SLO)? You have an example at the very end of http://www.unity-idm.eu/documentation/unity-2.4.0/saml-howto.html#_using_single_logout_slo

Also one more hint: for the redirect binding, signing most likely won't be performed by the initiating side: the request would be too large for encoding into the URL.

HTH,
KB
From: Shiraz M. <a....@fz...> - 2018-05-09 11:50:26

Hi,

Unity (v2.4.2) is not accepting/submitting any registration form which has "optional" attributes of type string, BUT the minimum length is set to above zero (0) under schema management. Moreover the error which only appears on pop-up (not in the logs) is misleading as it does not say which "optional" attribute is supposed to be non-zero, if multiple non-mandatory attributes are defined.

"can not submit the registration request Value lenght(0) is too small, must be at least 2."

A work around: Set minimum length of the non-mandatory/optional attributes of type string to 0 under the schema management tab and ask the users to register again.

I have not tested the inverse case: configure an attribute with minimum length '0' but make it mandatory in the registration form

Cheers,
Shiraz

--
Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)
Phone: +49 2461 61 6899
Fax: +49 2461 61 6656

Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren local court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Dr. Karl Eugen Huthmacher
Management Board: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt
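The behaviour Shiraz reports, modelled in Python as an added illustration (not Unity's own code): a naive check turns an absent optional attribute into an empty string, fails the minimum-length check and does not name the attribute; the corrected check skips absent optional attributes, still validates a value that was submitted but is empty, reports an absent mandatory attribute, and names the attribute in every message. The attribute names and form submissions are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AttrSpec:
    name: str          # attribute name used on the registration form
    optional: bool     # "optional" flag of the form element
    min_length: int    # minimum length from schema management
    max_length: int = 256


# Constructed form definition: one mandatory and two optional string
# attributes, all with a minimum length of 2, as in the report.
SPECS = [
    AttrSpec("name", optional=False, min_length=2),
    AttrSpec("organisation", optional=True, min_length=2),
    AttrSpec("department", optional=True, min_length=2),
]

# Constructed submissions.
MINIMAL_FORM = {"name": "Shiraz"}                          # optional fields left out
EMPTY_OPTIONAL_FORM = {"name": "Shiraz", "organisation": ""}
FULL_FORM = {"name": "Shiraz", "organisation": "JSC", "department": "FSD"}


def check_request_naive(specs: List[AttrSpec], values: Dict[str, str]) -> List[str]:
    """The reported behaviour: an attribute that was not submitted is treated
    as "" and then fails the minimum-length check, and the message does not
    say which attribute it is talking about."""
    errors = []
    for spec in specs:
        value = values.get(spec.name, "")          # absent and empty collapse here
        if len(value) < spec.min_length:
            errors.append(f"Value length({len(value)}) is too small, "
                          f"must be at least {spec.min_length}.")
    return errors


def check_request(specs: List[AttrSpec], values: Dict[str, str]) -> List[str]:
    """Corrected check: an absent optional attribute is skipped, an absent
    mandatory one is reported as missing, a submitted value (even "") is
    length-checked, and every message names the attribute."""
    errors = []
    for spec in specs:
        value: Optional[str] = values.get(spec.name)   # None means "not submitted"
        if value is None:
            if not spec.optional:
                errors.append(f"{spec.name}: mandatory attribute is missing")
            continue
        if len(value) < spec.min_length:
            errors.append(f"{spec.name}: value length {len(value)} is too small, "
                          f"must be at least {spec.min_length}")
        elif len(value) > spec.max_length:
            errors.append(f"{spec.name}: value length {len(value)} exceeds "
                          f"{spec.max_length}")
    return errors


if __name__ == "__main__":
    for label, form in (("minimal", MINIMAL_FORM), ("empty optional", EMPTY_OPTIONAL_FORM)):
        print(label, "naive:", check_request_naive(SPECS, form))
        print(label, "fixed:", check_request(SPECS, form))
```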
From: D B. <ba...@aw...> - 2018-05-07 17:09:33

Hi,

SSO works fine between my Unity IDP and Shibboleth SP now - but unfortunately SAML Logout doesn't and I'm not even sure where the problem comes from.

If I set
unity.saml.spAcceptPolicy=validRequester
on the Unity IDP, it complains about unsigned LogoutRequests. Cut from the attached log file:

eu.unicore.samly2.exceptions.SAMLRequesterException: SAML document is not signed and the policy requires a signature
at eu.unicore.samly2.validators.AbstractRequestValidator.validate(AbstractRequestValidator.java:87) ~[samly2-2.3.3.jar:2.3.3]

However, the Shibboleth SP is configured with

<Logout signing="true" encryption="false">SAML2 Local</Logout>

and says this in its shibd.log:

2018-05-07 18:52:17 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [5]: marshalled message: <samlp:LogoutRequest ...>
2018-05-07 18:52:17 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [5]: signing the message
2018-05-07 18:52:17 DEBUG OpenSAML.MessageEncoder.SAML2Redirect [5]: message encoded, sending redirect to client

No signing error in the Shibboleth log...

Finally, if I set
unity.saml.spAcceptPolicy=all
on Unity, logout works without errors. Shibboleth reports:
Status of Global Logout: Logout completed successfully.

Any hints on what's going wrong here or how I could figure out what's really going on?

Cheers,
D.
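An added diagnostic for the situation above, not code from the thread, from Unity or from Shibboleth: it decodes an HTTP-Redirect LogoutRequest URL and reports whether the signature sits inside the XML (as an enveloped ds:Signature, which is what a POST-binding sender embeds) or travels as the detached SigAlg/Signature query parameters the Redirect binding specifies, and shows the exact octets such a detached signature covers. The hostnames, IDs and signature bytes are constructed; verifying the detached signature against the SP's metadata key is left out.

```python
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample (hostnames, ID and session index are made up): a
# LogoutRequest as an SP marshals it before Redirect-binding encoding.
LOGOUT_REQUEST_XML = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_constructed-1" Version="2.0" IssueInstant="2018-05-07T16:52:17Z" '
    'Destination="https://unity.example.org/unitygw/saml-slo">'
    '<saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>'
    '<saml:NameID>user@example.org</saml:NameID>'
    '<samlp:SessionIndex>_constructed-session</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)
# The same request with a placeholder enveloped signature, the shape a
# POST-binding sender would embed in the document itself.
EMBEDDED_SIGNED_XML = LOGOUT_REQUEST_XML.replace(
    "</saml:Issuer>",
    f'</saml:Issuer><ds:Signature xmlns:ds="{DSIG}">'
    "<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>",
)


def encode_redirect(idp_slo_url, request_xml, relay_state=None,
                    sig_alg=None, signature=b""):
    """Encode as the HTTP-Redirect binding does: raw DEFLATE, base64, query
    parameters. A signature is NOT put into the XML; it travels as the
    separate SigAlg and Signature parameters."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)    # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(request_xml.encode("utf-8")) + comp.flush()
    params = [("SAMLRequest", base64.b64encode(deflated).decode("ascii"))]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    if sig_alg is not None:
        params.append(("SigAlg", sig_alg))
        params.append(("Signature", base64.b64encode(signature).decode("ascii")))
    return f"{idp_slo_url}?{urlencode(params)}"


def raw_query_params(query):
    """Query parameters with their values still URL-encoded, exactly as the
    sender signed them (parse_qs would decode them)."""
    raw = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        raw[key] = value
    return raw


def inspect_redirect_logout(url):
    """Decode a Redirect-binding logout URL and report where, if anywhere,
    its signature lives."""
    query = urlparse(url).query
    raw = raw_query_params(query)
    decoded = parse_qs(query)
    xml_bytes = zlib.decompress(base64.b64decode(decoded["SAMLRequest"][0]), -15)
    root = ET.fromstring(xml_bytes)
    detached = "SigAlg" in raw and "Signature" in raw
    # Per the binding, the signature covers SAMLRequest[&RelayState]&SigAlg,
    # values as URL-encoded in the query string, in exactly that order.
    signed_data = None
    if detached:
        signed_data = "&".join(f"{k}={raw[k]}" for k in ("SAMLRequest", "RelayState", "SigAlg")
                               if k in raw)
    return {
        "message": root.tag.split("}")[-1],
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "destination": root.get("Destination"),
        "embedded_signature": root.find(f"{{{DSIG}}}Signature") is not None,
        "detached_signature": detached,
        "sig_alg": decoded.get("SigAlg", [None])[0],
        "signed_data": signed_data,
    }


if __name__ == "__main__":
    idp = "https://unity.example.org/unitygw/saml-slo"
    for label, url in (
        ("unsigned", encode_redirect(idp, LOGOUT_REQUEST_XML)),
        ("detached", encode_redirect(idp, LOGOUT_REQUEST_XML, "state", RSA_SHA256, b"\x00fake")),
        ("embedded", encode_redirect(idp, EMBEDDED_SIGNED_XML)),
    ):
        print(label, inspect_redirect_logout(url))
```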
From: Sander A. <sa....@fz...> - 2018-05-03 09:16:20

Hi Krzysztof,

yes, the mixed rows were because of pasting the "old" content. The new condition seems to work. Thank you very much.

Best regards,
Sander

On Thursday, 03.05.2018, 09:53 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 02.05.2018 at 08:55, Sander Apweiler wrote:
> > Hi Krzysztof,
> >
> > I want to extract the organisation of users from
> > eduPersonScopedAffiliation (role@organisation) in the input translation
> > profile, if this attribute is provided by the remote IdP.
> >
> > At the moment my definition is:
> > condition: attr contains 'urn:oid:1.3.6.1.4.1.5923.1.1.1.9'
> > action: mapAttribute
> > expression: attr['urn:oid:1.3.6.1.4.1.5923.1.1.1.9'].split("@")[1]
> >
> > It works fine if the IdP releases the correct attribute. But I got the
> > first user with a malformed attribute. Is it possible to extend the
> > condition with a check if the attribute contains a @?
> >
> > Something like attr contains 'urn:oid:1.3.6.1.4.1.5923.1.1.1.9'
> > action: mapAttribute &&
> > attr['urn:oid:1.3.6.1.4.1.5923.1.1.1.9'].contains('@') ?
>
> Yes - that's correct. I think you pasted the expression mixing rows with
> action, so to be sure something like this for the condition:
>
> attr contains 'urn:oid:1.3.6.1.4.1.5923.1.1.1.9' &&
> attr['urn:oid:1.3.6.1.4.1.5923.1.1.1.9'].contains('@')
>
> Cheers
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Krzysztof B. <kb...@un...> - 2018-05-03 07:55:49

On 02.05.2018 at 13:40, Sander Apweiler wrote:
> Hi Krzysztof,
>
> I still have a problem with the refresh of IdPs. Unity refreshes the list
> of IdPs once per hour but changes are not applied. E.g. DKFZ updated
> their cert for signatures two weeks ago. I had to restart unity today
> to enable login for users from the DKFZ IdP. Before, they got an error about
> an untrusted issuer.
>
> Deutsches Krebsforschungszentrum (DKFZ) Remote authentication failed.
> Information for IT personnel:
> The SAML response is either invalid or is issued by an untrusted
> identity provider.

I think we have a generic problem with the endpoints which are in operation not catching up with runtime authenticator updates under some strange conditions. It was also reported for other than SAML authenticators; a bug is already filed.

Thanks
KB
From: Krzysztof B. <kb...@un...> - 2018-05-03 07:53:48

Hi Sander,

On 02.05.2018 at 08:55, Sander Apweiler wrote:
> Hi Krzysztof,
>
> I want to extract the organisation of users from
> eduPersonScopedAffiliation (role@organisation) in the input translation
> profile, if this attribute is provided by the remote IdP.
>
> At the moment my definition is:
> condition: attr contains 'urn:oid:1.3.6.1.4.1.5923.1.1.1.9'
> action: mapAttribute
> expression: attr['urn:oid:1.3.6.1.4.1.5923.1.1.1.9'].split("@")[1]
>
> It works fine if the IdP releases the correct attribute. But I got the
> first user with a malformed attribute. Is it possible to extend the
> condition with a check if the attribute contains a @?
>
> Something like attr contains 'urn:oid:1.3.6.1.4.1.5923.1.1.1.9'
> action: mapAttribute &&
> attr['urn:oid:1.3.6.1.4.1.5923.1.1.1.9'].contains('@') ?

Yes - that's correct. I think you pasted the expression mixing rows with action, so to be sure something like this for the condition:

attr contains 'urn:oid:1.3.6.1.4.1.5923.1.1.1.9' && attr['urn:oid:1.3.6.1.4.1.5923.1.1.1.9'].contains('@')

Cheers
Krzysztof
From: Sander A. <sa....@fz...> - 2018-05-02 11:41:16

Hi Krzysztof,

I still have a problem with the refresh of IdPs. Unity refreshes the list of IdPs once per hour but changes are not applied. E.g. DKFZ updated their cert for signatures two weeks ago. I had to restart unity today to enable login for users from the DKFZ IdP. Before, they got an error about an untrusted issuer.

Deutsches Krebsforschungszentrum (DKFZ) Remote authentication failed.
Information for IT personnel:
The SAML response is either invalid or is issued by an untrusted identity provider.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Sander A. <sa....@fz...> - 2018-05-02 06:55:52

Hi Krzysztof,

I want to extract the organisation of users from eduPersonScopedAffiliation (role@organisation) in the input translation profile, if this attribute is provided by the remote IdP.

At the moment my definition is:
condition: attr contains 'urn:oid:1.3.6.1.4.1.5923.1.1.1.9'
action: mapAttribute
expression: attr['urn:oid:1.3.6.1.4.1.5923.1.1.1.9'].split("@")[1]

It works fine if the IdP releases the correct attribute. But I got the first user with a malformed attribute. Is it possible to extend the condition with a check if the attribute contains a @?

Something like attr contains 'urn:oid:1.3.6.1.4.1.5923.1.1.1.9' action: mapAttribute && attr['urn:oid:1.3.6.1.4.1.5923.1.1.1.9'].contains('@') ?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
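A Python model of the mapping rule discussed in this thread, added here and not part of the thread or of Unity's translation-profile engine: the naive `split("@")[1]` that fails on a malformed value sits beside a parser that accepts only well-formed eduPersonScopedAffiliation values (exactly one '@', a role from the eduPerson schema, a domain-shaped scope) and copes with a multi-valued attribute. The sample values are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple, Union

# eduPersonScopedAffiliation, the attribute used in the profile above.
EPSA = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"

# Left-hand side values allowed by the eduPerson schema.
AFFILIATIONS = {"faculty", "student", "staff", "employee", "member",
                "affiliate", "alum", "library-walk-in"}
# The scope must look like a DNS domain name (labels of letters, digits
# and hyphens, at least one dot, alphabetic top-level label).
SCOPE_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)


def map_organisation_naive(remote_attrs: Dict[str, str]) -> str:
    """Mirror of the original expression attr[EPSA].split("@")[1].
    Raises IndexError on a value without '@', which is the failure reported."""
    return remote_attrs[EPSA].split("@")[1]


def parse_scoped_affiliation(value: str) -> Optional[Tuple[str, str]]:
    """Return (role, scope) or None for a malformed value: not exactly one
    '@', empty role or scope, a role outside the schema, or a scope that is
    not a domain name."""
    if value.count("@") != 1:
        return None
    role, scope = (part.strip().lower() for part in value.split("@"))
    if role not in AFFILIATIONS or not SCOPE_RE.match(scope):
        return None
    return role, scope


def map_organisation(remote_attrs: Dict[str, Union[str, List[str]]]) -> List[str]:
    """Hardened mapAttribute: the organisations (scopes) of all well-formed
    values, in order, without duplicates. Malformed values are skipped, so an
    empty result plays the role of the condition evaluating to false."""
    values = remote_attrs.get(EPSA, [])
    if isinstance(values, str):             # single-valued release
        values = [values]
    organisations: List[str] = []
    for value in values:
        parsed = parse_scoped_affiliation(value)
        if parsed and parsed[1] not in organisations:
            organisations.append(parsed[1])
    return organisations


if __name__ == "__main__":
    # Constructed remote attribute sets: a clean one and one with a broken value.
    clean = {EPSA: ["member@fz-juelich.de", "staff@fz-juelich.de"]}
    broken = {EPSA: ["garbage"]}
    print(map_organisation(clean), map_organisation(broken))
    try:
        map_organisation_naive(broken)
    except IndexError as exc:
        print("naive expression fails:", repr(exc))
```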
From: Krzysztof B. <kb...@un...> - 2018-04-26 18:03:52

Hi,

On 25.04.2018 at 18:52, D Baum wrote:
> Hi!
>
> On 24/04/18 00:05, Krzysztof Benedyczak wrote:
>> Well probably this is a bit misleading. The meaning of 0 is that no
>> history should be checked (previous passwords) but your new candidate for
>> a password must be different from the current one still. Also I think
>> (but I'd need to verify this) we may have a bug that reconfiguring the
>> credential to have a lower limit (so changing the setting from say 10 to
>> 1) in some cases won't work. This latter I need to confirm.
>>
>> Anyway if you create a new credential with 0 then you won't be able to
>> set a password to the current one. While this sounds nonsense I think we
>> can still allow for this (assuming the setting is 0): to rehash the same
>> password after a password hashing configuration change.
> Not quite sure I understand. Is there a difference between setting
> history of 0 and 1 then? Does 1 mean "not the last one and the one
> before that"?

So the current one (which you call the last one I think) is always checked and the config number tells how many additional ones should be checked.

>> Have you changed your authenticator configuration to use the
>> 'SimplePassword' instead of sys:password?
> Ah, that's the trick! Thanks!
>
> One thing I'm not sure about yet is: Do I need to manually reset the
> passwords for the users (as admin) so that they are able to log in when
> the new password restrictions are applied? (I got that impression but
> I'm not sure.)
>
> If so, how do I update the admin password without locking myself out of
> the admin account?

There is a huge difference between updating credential settings and changing the credential. In the first case you basically have to do nothing special: if you change the configuration of the password so that some existing passwords do not conform, those will be treated as outdated on the first subsequent use (and the user will have to change the password). If you however want to start using a new password credential (e.g. used fooPass, now using barPass) you just need to make sure that your users have this password.

>> Actually we hit this a couple of times too. We are thinking how to enable
>> such a feature without creating a super-complex credential config and at the
>> same time being able to provide sensible user experience and control.
> Yeah, if the user only gets "Password too weak" they have no indication
> what it takes to make the password stronger.
> Maybe a progress bar above/below the password field that fills up as
> more "password strength" gets added to the password?

yes, and more :-)

Thanks,
Krzysztof
From: D B. <ba...@aw...> - 2018-04-25 16:52:30

Hi!

On 24/04/18 00:05, Krzysztof Benedyczak wrote:
> Well probably this is a bit misleading. The meaning of 0 is that no
> history should be checked (previous passwords) but your new candidate for
> a password must be different from the current one still. Also I think
> (but I'd need to verify this) we may have a bug that reconfiguring the
> credential to have a lower limit (so changing the setting from say 10 to
> 1) in some cases won't work. This latter I need to confirm.
>
> Anyway if you create a new credential with 0 then you won't be able to
> set a password to the current one. While this sounds nonsense I think we
> can still allow for this (assuming the setting is 0): to rehash the same
> password after a password hashing configuration change.

Not quite sure I understand. Is there a difference between setting history of 0 and 1 then? Does 1 mean "not the last one and the one before that"?

> Have you changed your authenticator configuration to use the
> 'SimplePassword' instead of sys:password?

Ah, that's the trick! Thanks!

One thing I'm not sure about yet is: Do I need to manually reset the passwords for the users (as admin) so that they are able to log in when the new password restrictions are applied? (I got that impression but I'm not sure.)

If so, how do I update the admin password without locking myself out of the admin account?

> Actually we hit this a couple of times too. We are thinking how to enable
> such a feature without creating a super-complex credential config and at the
> same time being able to provide sensible user experience and control.

Yeah, if the user only gets "Password too weak" they have no indication what it takes to make the password stronger.
Maybe a progress bar above/below the password field that fills up as more "password strength" gets added to the password?

> I even think this can go into the next release as we are anyway working on
> making password setting/reset/update user friendly (better UI, feedback)
> for 2.5.

Sounds great!

> Having this defined as a "minimum allowed security index" is somewhat
> difficult as admins typically won't know what is a "strong" or "low"
> index. But maybe it is the way to go. I've checked keepass and indeed it
> seems to use a dictionary ('alic' has a higher score than 'alice'), but this
> is a pretty poor dictionary

And also the dictionary would/could depend on the language.

> Thinking in progress - feature request of course accepted.

Thanks!

Best,
D.
From: D B. <ba...@aw...> - 2018-04-24 16:47:59

Hi!

On 23/04/18 23:41, Krzysztof Benedyczak wrote:
> Sorry - I should have noticed this earlier. You wrote that you are using
> 2.4.1 - it contained bug UY-684 which was fixed in 2.4.2 - and it is
> precisely what you are observing. So please update to the latest version.

Fix confirmed, thank you! :-)

And: sorry - I should have checked the issue tracker and worked on the latest version... I hope next time I'll do better :-)

Best,
D.
From: Krzysztof B. <kb...@un...> - 2018-04-23 22:06:13

On 23.04.2018 at 17:28, D Baum wrote:
> Hi,
>
> I'm trying to change the password requirements for my unity setup
> (knowing my users, if I put too many requirements on them they'll just
> write their passwords down or reuse them; see also NIST's new password
> recommendations, e.g.
> https://www.nist.gov/blogs/taking-measure/easy-ways-build-better-pw0rd).
>
> So far, I haven't had much success: I created a new credential
> definition called SimplePassword with
> Number of previous, forbidden passwords: 0
> and edited the "Password requirement" credential requirement to use it
> instead of sys:password.
>
> However, when I try to update an identity's password credential, the
> password verificator complains that I'm reusing a password (which I am,
> but I've just configured that unity shouldn't worry about it...). How
> can I get unity to allow users to reuse previous passwords?

Well probably this is a bit misleading. The meaning of 0 is that no history should be checked (previous passwords) but your new candidate for a password must be different from the current one still. Also I think (but I'd need to verify this) we may have a bug that reconfiguring the credential to have a lower limit (so changing the setting from say 10 to 1) in some cases won't work. This latter I need to confirm.

Anyway if you create a new credential with 0 then you won't be able to set a password to the current one. While this sounds nonsense I think we can still allow for this (assuming the setting is 0): to rehash the same password after a password hashing configuration change. I'll check this up.

> More importantly, when I set a new, weak password and try to log in with
> it, authentication is denied.
>
> So something seems to be going on with the password update after
> changing a credential requirement by swapping in a new credential
> definition.

Have you changed your authenticator configuration to use the 'SimplePassword' instead of sys:password?

> Once I swap back to the original sys:password requirement and change the
> password again, login works fine.
>
> Somewhat related to the password verification issue, may I add a feature
> request?
> In times of "correct battery horse staple", could you introduce a
> measure of password strength that also takes length into account? So
> that users can e.g. have 30+ character passwords but with only one
> character class OR 10 character passwords with more character classes.
> I've seen KeePass use some sort of entropy (password strength is
> measured in bits), probably using a dictionary to detect frequently used
> character combinations (-> words).
> The admin could then configure the required entropy of the passwords and
> let the users decide themselves whether they want longer or more random
> passwords.

Actually we hit this a couple of times too. We are thinking how to enable such a feature without creating a super-complex credential config and at the same time being able to provide sensible user experience and control. I even think this can go into the next release as we are anyway working on making password setting/reset/update user friendly (better UI, feedback) for 2.5.

Having this defined as a "minimum allowed security index" is somewhat difficult as admins typically won't know what is a "strong" or "low" index. But maybe it is the way to go. I've checked keepass and indeed it seems to use a dictionary ('alic' has a higher score than 'alice'), but this is a pretty poor dictionary - I was able to easily find real words, 5 chars long, which had the same score as random strings (and of course way higher than 'alice'). So this index meaning is a bit fuzzy. Thinking in progress - feature request of course accepted.

Thanks
Krzysztof
From: Krzysztof B. <kb...@un...> - 2018-04-23 21:41:32

Hi Doris,

On 23.04.2018 at 10:37, Doris Baum wrote:
> Hi!
>
> On 21/04/18 13:17, Krzysztof Benedyczak wrote:
>> Can you also share the metadata for the portal?
> Here are somewhat anonymised versions of the xml config files for both SPs.

Sorry - I should have noticed this earlier. You wrote that you are using 2.4.1 - it contained bug UY-684 which was fixed in 2.4.2 - and it is precisely what you are observing. So please update to the latest version.

Best,
Krzysztof
From: D B. <ba...@aw...> - 2018-04-23 15:29:07

Hi,

I'm trying to change the password requirements for my unity setup (knowing my users, if I put too many requirements on them they'll just write their passwords down or reuse them; see also NIST's new password recommendations, e.g. https://www.nist.gov/blogs/taking-measure/easy-ways-build-better-pw0rd).

So far, I haven't had much success: I created a new credential definition called SimplePassword with
Number of previous, forbidden passwords: 0
and edited the "Password requirement" credential requirement to use it instead of sys:password.

However, when I try to update an identity's password credential, the password verificator complains that I'm reusing a password (which I am, but I've just configured that unity shouldn't worry about it...). How can I get unity to allow users to reuse previous passwords?

More importantly, when I set a new, weak password and try to log in with it, authentication is denied.

So something seems to be going on with the password update after changing a credential requirement by swapping in a new credential definition. Once I swap back to the original sys:password requirement and change the password again, login works fine.

Somewhat related to the password verification issue, may I add a feature request?
In times of "correct battery horse staple", could you introduce a measure of password strength that also takes length into account? So that users can e.g. have 30+ character passwords but with only one character class OR 10 character passwords with more character classes. I've seen KeePass use some sort of entropy (password strength is measured in bits), probably using a dictionary to detect frequently used character combinations (-> words). The admin could then configure the required entropy of the passwords and let the users decide themselves whether they want longer or more random passwords.

Cheers,
D.
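The history semantics Krzysztof spells out in his replies earlier on this page (the current password is always refused, the "previous, forbidden passwords" number says how many additional older ones are) together with the "outdated credential" handling he describes (a correct password that no longer conforms to changed settings is accepted once and must then be changed), as an added Python sketch that is not Unity's implementation. The PBKDF2 hashing and the PasswordSettings/PasswordCredential names are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PasswordSettings:
    """Assumed model of a password credential definition."""
    history: int = 1          # "Number of previous, forbidden passwords"
    min_length: int = 8
    iterations: int = 20_000  # PBKDF2 work factor, part of the hashing config


@dataclass(frozen=True)
class StoredHash:
    salt: bytes
    digest: bytes
    iterations: int           # remembered so a hashing-config change is detectable


def hash_password(password: str, iterations: int) -> StoredHash:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return StoredHash(salt, digest, iterations)


def matches(password: str, stored: StoredHash) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    stored.salt, stored.iterations)
    return hmac.compare_digest(candidate, stored.digest)


@dataclass
class PasswordCredential:
    settings: PasswordSettings
    current: Optional[StoredHash] = None
    previous: List[StoredHash] = field(default_factory=list)   # newest first

    def set_password(self, new_password: str) -> Optional[str]:
        """Return None on success, else the reason the change was refused.
        The current password is always refused; history=N additionally refuses
        the N passwords before it, so history=0 still forbids the current one."""
        if len(new_password) < self.settings.min_length:
            return f"too short, minimum is {self.settings.min_length}"
        if self.current is not None and matches(new_password, self.current):
            return "must differ from the current password"
        for old in self.previous[: self.settings.history]:
            if matches(new_password, old):
                return f"reuses one of the last {self.settings.history} passwords"
        if self.current is not None:
            self.previous.insert(0, self.current)
        del self.previous[self.settings.history:]        # keep only what history needs
        self.current = hash_password(new_password, self.settings.iterations)
        return None

    def verify(self, password: str) -> str:
        """'denied' for a wrong password; 'outdated' for a correct password that
        no longer conforms to the (changed) settings and must be changed on this
        use; 'ok' otherwise."""
        if self.current is None or not matches(password, self.current):
            return "denied"
        if (self.current.iterations != self.settings.iterations
                or len(password) < self.settings.min_length):
            return "outdated"
        return "ok"


if __name__ == "__main__":
    cred = PasswordCredential(PasswordSettings(history=0, iterations=2_000))
    print(cred.set_password("correcthorse"))      # None: accepted
    print(cred.set_password("correcthorse"))      # refused: same as current
    print(cred.set_password("batterystaple"))     # None
    print(cred.set_password("correcthorse"))      # None: history=0, older one allowed
    cred.settings = PasswordSettings(history=0, min_length=16, iterations=2_000)
    print(cred.verify("correcthorse"))            # outdated: too short for new settings
```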
From: Doris B. <ba...@aw...> - 2018-04-23 08:37:57

Hi!

On 21/04/18 13:17, Krzysztof Benedyczak wrote:
> Can you also share the metadata for the portal?

Here are somewhat anonymised versions of the xml config files for both SPs.

Cheers,
D.
From: Krzysztof B. <kb...@un...> - 2018-04-20 07:57:55

Hi,

On 19.04.2018 at 18:06, D Baum wrote:
> Hi,
>
> I'm trying to have multiple SAML service providers authenticate against
> unity (v2.4.1) as the IDP.
>
> The relevant config file looks like this:
>
> unity.saml.issuerURI=http://unity
> unity.saml.credential=PORTAL
> unity.saml.defaultGroup=/A
> unity.saml.spAcceptPolicy=validRequester
> unity.saml.acceptedSPMetadataSource.portal.url=file:///etc/unity-idm/portal-metadata_fed.xml
> unity.saml.acceptedSPMetadataSource.simpleSAMLphp.url=file:///etc/unity-idm/simpleSAMLphp_fed.xml
> unity.saml.signResponses=asRequest
> unity.saml.translationProfile=portalSAMLOutputProfile
> unity.saml.skipConsent=true
> unity.saml.userCanEditConsent=false
> unity.endpoint.web.autoLogin=true
>
> However, if I try to log in to the portal SP, I get this error:
>
> ERROR
> SAML service got an invalid request.
> If you are a user then you can be sure that the web application you was
> using previously is either misconfigured or buggy.
> If you are an administrator or developer, here the details of the error
> follows:
> eu.unicore.samly2.exceptions.SAMLRequesterException: Issuer is not among
> trusted: portal
> Caused by: eu.unicore.samly2.exceptions.SAMLRequesterException: Issuer
> is not among trusted: portal
>
> So it seems I can't configure two SPs in this way, is that right?
> Is the only way to configure two SPs to copy-paste their xml config into
> the same metadata xml file together?

Your config is all right, Unity can use multiple metadata sources and merges them (of course they should not clash). Try to enable more detailed logging on the saml subsystem and verify carefully the logs when metadata is loaded/refreshed. I suppose there is some configuration mismatch somewhere.

Cheers,
Krzysztof
From: D B. <ba...@aw...> - 2018-04-19 16:49:53

Hi,

I'm trying to have multiple SAML service providers authenticate against unity (v2.4.1) as the IDP.

The relevant config file looks like this:

unity.saml.issuerURI=http://unity
unity.saml.credential=PORTAL
unity.saml.defaultGroup=/A
unity.saml.spAcceptPolicy=validRequester
unity.saml.acceptedSPMetadataSource.portal.url=file:///etc/unity-idm/portal-metadata_fed.xml
unity.saml.acceptedSPMetadataSource.simpleSAMLphp.url=file:///etc/unity-idm/simpleSAMLphp_fed.xml
unity.saml.signResponses=asRequest
unity.saml.translationProfile=portalSAMLOutputProfile
unity.saml.skipConsent=true
unity.saml.userCanEditConsent=false
unity.endpoint.web.autoLogin=true

However, if I try to log in to the portal SP, I get this error:

ERROR
SAML service got an invalid request.
If you are a user then you can be sure that the web application you was using previously is either misconfigured or buggy.
If you are an administrator or developer, here the details of the error follows:
eu.unicore.samly2.exceptions.SAMLRequesterException: Issuer is not among trusted: portal
Caused by: eu.unicore.samly2.exceptions.SAMLRequesterException: Issuer is not among trusted: portal

So it seems I can't configure two SPs in this way, is that right?
Is the only way to configure two SPs to copy-paste their xml config into the same metadata xml file together?

Cheers,
D.
From: Piotr P. <pio...@gm...> - 2018-03-27 13:00:47
|
Tue, 27.03.2018, 14:39, user Shiraz Memon <a....@fz...> wrote:

> Dear Piotr,
>
> On Tue, Mar 27, 2018 at 2:20 PM, Piotr Piernik <pio...@gm...> wrote:
>
>> Tue, 27.03.2018, 13:52, user Shiraz Memon <a....@fz...> wrote:
>>
>>> Hi Krzysztof, Piotr, All,
>>>
>>> I am using v2.4.2 and have added a new password credential (under schema
>>> management tab) as I do not want to use sys:password after using the
>>> default admin user credentials. Then, I have configured new initial
>>> username (say admin2) and password credentials, subsequently changed all
>>> the authenticators which were relying on sys:password and restarted the
>>> server.
>>>
>> Dear Shiraz
>> I am not sure if I understand it well but if you set new initial user and
>> password by config file you add new admin with default sys:password
>> credential. If you first add new admin 'admin3' by ui and set him new
>> 'customPassword' credential and then set him new initial password by config
>> file nothing will be changed. You can not update 'customPassword'
>> credential by setting initialPassword in config file.
>>
> Here are the steps I have followed:
> i) Added a new credential definition called "PasswordCredential" on the
> Web admin UI, while signed in as the default "admin" user
> ii) Stopped the server, configured initial admin credentials inside
> unityServer.config - so not adding the credentials on the admin UI assuming
> they are created automatically upon next restart

By setting new admin in config you added new 'admin' with 'sys:password' credential. No 'PasswordCredential'.

> iii) Reconfigured all the authenticators, basically replacing sys:password
> with PasswordCredential

Then you cannot use sys:password to login.

> iv) Restarted the server and tried to authenticate with the new admin
> credentials, also found an important info (see below :))
>
> 2018-03-27T14:08:06,945 [main] WARN
> unity.server.config.UnityServerConfiguration: IMPORTANT:
> Database was initialized with a default admin user and password. Log in
> and change the admin's password immediatelly! U: admin2 P: the!unity
> The credential used for this user is named: 'sys:password' make sure that
> this credential is enabled for the admin UI endpoint. If not add an
> authenticator using this credential to the admin endpoint.
>
> I wonder why the admin UI endpoint is enabled for sys:password when the
> authenticator configuration is:

You can sign in to unity admin UI using sys:password credential? I think you can only login using 'PasswordCredential'.

> unityServer.core.authenticators.pwdWeb.authenticatorName=pwdWeb
> unityServer.core.authenticators.pwdWeb.authenticatorType=password with web-password
> #unityServer.core.authenticators.pwdWeb.localCredential=sys:password
> unityServer.core.authenticators.pwdWeb.localCredential=PasswordCredential
> unityServer.core.authenticators.pwdWeb.retrievalConfigurationFile=${CONF}/authenticators/passwordRetrieval.json
>
> and the endpoint config is:
>
> unityServer.core.endpoints.adminUI.endpointType=WebAdminUI
> unityServer.core.endpoints.adminUI.endpointConfigurationFile=${CONF}/modules/core/webadmin.properties
> unityServer.core.endpoints.adminUI.contextPath=/admin
> unityServer.core.endpoints.adminUI.endpointRealm=adminRealm
> unityServer.core.endpoints.adminUI.endpointName=UNITY administration interface
> unityServer.core.endpoints.adminUI.endpointAuthenticators=pwdWeb;certWeb;oauthWeb;samlWeb
>
>>> After making several failed attempts, Unity is not signing me in with the
>>> newly defined admin credentials on admin UI. Do you know what could be the
>>> issue? and I wonder why I cannot change the sys:password credential
>>> properties on admin UI, are they intentionally immutable?
>>>
>> Yes. sys:password is the system credential and can not be changed
>>
> Ok.
>
> Cheers,
> Shiraz
>
>>> Cheers,
>>> Shiraz
>>> --
>>> Shiraz Memon
>>> Federated Systems and Data
>>> Jülich Supercomputing Centre (JSC)
>>>
>>> Phone: +49 2461 61 6899
>>> Fax: +49 2461 61 6656
>>>
>>> ------------------------------------------------------------------------------------------------
>>> Forschungszentrum Juelich GmbH
>>> 52425 Juelich
>>> Registered office: Juelich
>>> Registered in the commercial register of the Dueren local court, No. HR B 3498
>>> Chairman of the supervisory board: MinDir Dr. Karl Eugen Huthmacher
>>> Management: Prof. Dr.-Ing. Wolfgang Marquardt (chairman),
>>> Karsten Beneke (deputy chairman), Prof. Dr.-Ing. Harald Bolt,
>>> Prof. Dr. Sebastian M. Schmidt
>>> ------------------------------------------------------------------------------------------------
>>>
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>> _______________________________________________
>>> Unity-idm-discuss mailing list
>>> Uni...@li...
>>> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
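As an added example (not Unity's own code and not part of this thread), a small Python check for the lockout Piotr describes: it parses the authenticator localCredential and endpoint endpointAuthenticators keys quoted above and reports any endpoint where no bound authenticator uses the sys:password credential that an initial admin created from unityServer.config receives. The sample config is constructed from the thread's values; treating ',' as a second separator in endpointAuthenticators is an assumption.

```python
import re

# Credential that an initial admin created from unityServer.config receives
# (per the server warning quoted in the thread).
INITIAL_ADMIN_CREDENTIAL = "sys:password"

# Constructed sample mirroring the thread: pwdWeb was switched from
# sys:password to the custom PasswordCredential.
SAMPLE_CONFIG = """
unityServer.core.authenticators.pwdWeb.authenticatorName=pwdWeb
unityServer.core.authenticators.pwdWeb.authenticatorType=password with web-password
#unityServer.core.authenticators.pwdWeb.localCredential=sys:password
unityServer.core.authenticators.pwdWeb.localCredential=PasswordCredential
unityServer.core.endpoints.adminUI.endpointType=WebAdminUI
unityServer.core.endpoints.adminUI.endpointAuthenticators=pwdWeb;certWeb;oauthWeb;samlWeb
"""

AUTH_CRED = re.compile(r"^unityServer\.core\.authenticators\.([^.]+)\.localCredential=(.*)$")
ENDPOINT_AUTHS = re.compile(r"^unityServer\.core\.endpoints\.([^.]+)\.endpointAuthenticators=(.*)$")


def parse_config(text):
    """Return ({authenticator: localCredential}, {endpoint: [authenticator, ...]})."""
    creds, endpoints = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # commented-out keys are not active
            continue
        if m := AUTH_CRED.match(line):
            creds[m.group(1)] = m.group(2).strip()
        elif m := ENDPOINT_AUTHS.match(line):
            # ';' separates alternative authenticators in the thread's config;
            # also splitting on ',' (combined authenticators) is an assumption.
            endpoints[m.group(1)] = [a.strip() for a in re.split(r"[;,]", m.group(2)) if a.strip()]
    return creds, endpoints


def endpoints_locking_out_initial_admin(text):
    """Endpoints where no bound authenticator uses the initial admin's credential."""
    creds, endpoints = parse_config(text)
    locked = []
    for name, auths in endpoints.items():
        # Remote authenticators (cert/oauth/saml) have no localCredential -> None
        reachable = {creds.get(a) for a in auths}
        if INITIAL_ADMIN_CREDENTIAL not in reachable:
            locked.append(name)
    return locked


if __name__ == "__main__":
    for ep in endpoints_locking_out_initial_admin(SAMPLE_CONFIG):
        print(f"endpoint '{ep}': no authenticator uses {INITIAL_ADMIN_CREDENTIAL}; "
              "an initial admin created from unityServer.config cannot log in here")
```

Restoring localCredential=sys:password on pwdWeb (or adding a second password authenticator that uses it to the endpoint list) makes the check pass, which is what the server warning asks for.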
From: Shiraz M. <a....@fz...> - 2018-03-27 12:39:17
Dear Piotr,

On Tue, Mar 27, 2018 at 2:20 PM, Piotr Piernik <pio...@gm...> wrote:

> Tue, 27.03.2018, 13:52, user Shiraz Memon <a....@fz...> wrote:
>
>> Hi Krzysztof, Piotr, All,
>>
>> I am using v2.4.2 and have added a new password credential (under schema
>> management tab) as I do not want to use sys:password after using the
>> default admin user credentials. Then, I have configured new initial
>> username (say admin2) and password credentials, subsequently changed all
>> the authenticators which were relying on sys:password and restarted the
>> server.
>>
> Dear Shiraz
> I am not sure if I understand it well but if you set new initial user and
> password by config file you add new admin with default sys:password
> credential. If you first add new admin 'admin3' by ui and set him new
> 'customPassword' credential and then set him new initial password by config
> file nothing will be changed. You can not update 'customPassword'
> credential by setting initialPassword in config file.
>

Here are the steps I have followed:
i) Added a new credential definition called "PasswordCredential" on the Web admin UI, while signed in as the default "admin" user
ii) Stopped the server, configured initial admin credentials inside unityServer.config - so not adding the credentials on the admin UI assuming they are created automatically upon next restart
iii) Reconfigured all the authenticators, basically replacing sys:password with PasswordCredential
iv) Restarted the server and tried to authenticate with the new admin credentials, also found an important info (see below :))

2018-03-27T14:08:06,945 [main] WARN unity.server.config.UnityServerConfiguration: IMPORTANT:
Database was initialized with a default admin user and password. Log in and change the admin's password immediatelly! U: admin2 P: the!unity
The credential used for this user is named: 'sys:password' make sure that this credential is enabled for the admin UI endpoint. If not add an authenticator using this credential to the admin endpoint.

I wonder why the admin UI endpoint is enabled for sys:password when the authenticator configuration is:

unityServer.core.authenticators.pwdWeb.authenticatorName=pwdWeb
unityServer.core.authenticators.pwdWeb.authenticatorType=password with web-password
#unityServer.core.authenticators.pwdWeb.localCredential=sys:password
unityServer.core.authenticators.pwdWeb.localCredential=PasswordCredential
unityServer.core.authenticators.pwdWeb.retrievalConfigurationFile=${CONF}/authenticators/passwordRetrieval.json

and the endpoint config is:

unityServer.core.endpoints.adminUI.endpointType=WebAdminUI
unityServer.core.endpoints.adminUI.endpointConfigurationFile=${CONF}/modules/core/webadmin.properties
unityServer.core.endpoints.adminUI.contextPath=/admin
unityServer.core.endpoints.adminUI.endpointRealm=adminRealm
unityServer.core.endpoints.adminUI.endpointName=UNITY administration interface
unityServer.core.endpoints.adminUI.endpointAuthenticators=pwdWeb;certWeb;oauthWeb;samlWeb

>> After making several failed attempts, Unity is not signing me in with the
>> newly defined admin credentials on admin UI. Do you know what could be the
>> issue? and I wonder why I cannot change the sys:password credential
>> properties on admin UI, are they intentionally immutable?
>>
> Yes. sys:password is the system credential and can not be changed
>

Ok.

Cheers,
Shiraz
From: Piotr P. <pio...@gm...> - 2018-03-27 12:20:37
Tue, 27.03.2018, 13:52, user Shiraz Memon <a....@fz...> wrote:

> Hi Krzysztof, Piotr, All,
>
> I am using v2.4.2 and have added a new password credential (under schema
> management tab) as I do not want to use sys:password after using the
> default admin user credentials. Then, I have configured new initial
> username (say admin2) and password credentials, subsequently changed all
> the authenticators which were relying on sys:password and restarted the
> server.
>

Dear Shiraz
I am not sure if I understand it well but if you set new initial user and password by config file you add new admin with default sys:password credential. If you first add new admin 'admin3' by ui and set him new 'customPassword' credential and then set him new initial password by config file nothing will be changed. You can not update 'customPassword' credential by setting initialPassword in config file.

> After making several failed attempts, Unity is not signing me in with the
> newly defined admin credentials on admin UI. Do you know what could be the
> issue? and I wonder why I cannot change the sys:password credential
> properties on admin UI, are they intentionally immutable?
>

Yes. sys:password is the system credential and can not be changed

> Cheers,
> Shiraz
From: Shiraz M. <a....@fz...> - 2018-03-27 11:52:25
Hi Krzysztof, Piotr, All,

I am using v2.4.2 and have added a new password credential (under schema management tab) as I do not want to use sys:password after using the default admin user credentials. Then, I have configured new initial username (say admin2) and password credentials, subsequently changed all the authenticators which were relying on sys:password and restarted the server.

After making several failed attempts, Unity is not signing me in with the newly defined admin credentials on admin UI. Do you know what could be the issue? and I wonder why I cannot change the sys:password credential properties on admin UI, are they intentionally immutable?

Cheers,
Shiraz
From: Krzysztof B. <kb...@un...> - 2018-03-27 04:38:58
On 26.03.2018 at 14:26, Willem Elbers wrote:
> Dear Krzysztof,
>
> we are indeed using the users email as login. This checkbox in the
> registration form config sounds good.
>
> Please add this as a feature request. Do note however that we want to
> have the confirmation link included in the acceptance email in this
> case, so that the user only receives a single email.

UY-689. You will be able to have a single email as described: do not set any message for request acceptance and in the email confirmation message provide the necessary information about successful registration.

Best
Krzysztof
From: Krzysztof B. <kb...@un...> - 2018-03-27 04:30:26
Hi Nikolaos,

On 26.03.2018 at 13:28, Nikolaos Evangelou wrote:
> Hello Krzysztof,
>
> What I mean is when I register to b2access using my orcid account (through the form in web UI) and get entity information using the restAPI I get this response:
>
> {
>   "comparableValue": "XXXX-XXXX-XXXX-XXXX",
>   "confirmationInfo": {
>     "confirmationDate": 0,
>     "confirmed": false,
>     "sentRequestAmount": 0
>   },
>   "creationTs": 1518000192796,
>   "entityId": XXX,
>   "remoteIdp": "https://pub.orcid.org/oauth/token",
>   "translationProfile": "orcidProfile",
>   "typeId": "identifier",
>   "updateTs": 1518000192796,
>   "value": "XXXX-XXXX-XXXX-XXXX"
> }
>
> Would it be possible to register a user using the restAPI instead of the web form? If so, how could I set the remote idp and the translation profile?
>

From what you wrote it seems that you want to create the "same" identity as the pasted one, and the problem is with setting the identity *metadata* remoteIdp and translationProfile, correct? If so then no, you can't set it via rest (and with anything else). Similarly you can not set creationTs and updateTs. This is metadata about the identity, which is set automatically by Unity to provide context information (mostly admin oriented) about the origin of the element. For instance if you create an identity using a rest call (or clicking in AdminUI) no translation profile is used, so it won't be set.

HTH,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2018-03-27 04:16:28
Hi Willem,

On 26.03.2018 at 14:32, Willem Elbers wrote:
> Dear Krzysztof,
>
> do you have an indication when
> https://dev.unity-idm.eu/jira/browse/UY-680 could be implemented?

I'm not sure if this will still be squeezed into 2.5.0 (next) - ca 40% chance. If not then 2.6.0.

Best
Krzysztof