From: Krzysztof B. <kb...@un...> - 2018-03-04 15:49:09

Dear Subscribers,

A minor release 2.42 was published. It contains an update of ORCID 3rd party authentication to the latest version 2.1. The so far used version 1.2 was deprecated by ORCID and is being removed, so the update is necessary if ORCID is used.

Other than that, some recently reported bugs were fixed:

-) Output profile create attribute action does not validate its attribute name argument as MVEL expression
-) Using multiple trusted metadata sources in SAML authenticator works now
-) confirmation subsystem was failing on optional registration attributes, which were not provided
-) a low level bug was fixed in JSON parser, failing parsing of some complex JSON user profiles with arrays.
-) Creating new output translation profile in UI was not possible without using mandatory checkbox

More details and download links are as usual available here: http://www.unity-idm.eu/downloads/

Best regards,
Krzysztof
From: Sander A. <sa....@fz...> - 2018-03-04 03:13:18

Hi Krzysztof,

On Thursday, 01.03.2018, 20:48 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> I'd need more details to understand what is wrong in this scenario.
>
> On 01.03.2018 at 11:39, Sander Apweiler wrote:
> > Hi Krzysztof, Piotr,
> >
> > I found another problem. I create a new account using an external IdP.
> > The new account is created and user can log in, although the email
> > address was not confirmed so far.
>
> That is OK, unless this user is logging in using this unconfirmed email as
> identity (with a local password set in Unity). Is this the case? Using
> external authN, if you allowed to create an account, unconfirmed email
> is irrelevant (if it is for you, then you should provision the account
> after email confirmation, what is also possible).

The mapped identity is eppn.

> > Within the registration form I created the rule like it is described in
> > the manual and works on other instances with unity 1.x.
>
> Can you provide the details of this?

I created a registration form for the IdP with the following Automatically assigned setting:

condition: attr["email"].confirmed == true
action: autoProcess
action parameter: action = accept

I understood the manual, and in V1 it worked in that way, that the account is created after the email address was confirmed. Yesterday, when I tested the integration, my account was created and I was able to sign in before I confirmed the email address.

> > I don't see the registration within Requests management under
> > Registration & enquiry. Is this the wanted behaviour?
>
> You mean there is no registration request, but user was filling it and
> it was accepted?

Yes, there are only the requests for oauthclients listed. Not the request from external IdPs. See the attached picture. Registration form for IdPs is DFN.

Cheers,
Sander

> Cheers,
> KB

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren district court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Dr. Karl Eugen Huthmacher
Management: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt
From: Krzysztof B. <kb...@un...> - 2018-03-01 22:30:01

Hi Sander,

I'd need more details to understand what is wrong in this scenario.

On 01.03.2018 at 11:39, Sander Apweiler wrote:
> Hi Krzysztof, Piotr,
>
> I found another problem. I create a new account using an external IdP.
> The new account is created and user can log in, although the email
> address was not confirmed so far.

That is OK, unless this user is logging in using this unconfirmed email as identity (with a local password set in Unity). Is this the case? Using external authN, if you allowed to create an account, unconfirmed email is irrelevant (if it is for you, then you should provision the account after email confirmation, what is also possible).

> Within the registration form I created the rule like it is described in
> the manual and works on other instances with unity 1.x.

Can you provide the details of this?

> I don't see the registration within Requests management under
> Registration & enquiry. Is this the wanted behaviour?

You mean there is no registration request, but user was filling it and it was accepted?

Cheers,
KB
From: Krzysztof B. <kb...@un...> - 2018-03-01 22:20:47

Dear Tim,

On 01.03.2018 at 08:19, Tim Kreuzer wrote:
> Dear Krzysztof,
>
> I want to add new users with the REST API of Unity. While creating the
> user and moving them to the right group is no problem, I have problems
> setting a credential. I am not sure about the JSON Object I have to add.
>
> What I do right now is:
>
> URL =
> '...rest-admin/v1/entity/train015/credential/train:password?identityType=userName'
>
> Header = {'Content-Type': 'application/json', 'Authorization': 'Basic
> nmVfdGUkbWluOmc4OWYrbyFFeG2mVHRtaEQlZ3RQ'}
>

I guess all you need is:
http://www.unity-idm.eu/documentation/unity-2.4.1/rest-api-v1.html#_set_credential_admin
(you are trying to set the credential as a user, which is described in the subsequent section)

Best,
KB
From: Sander A. <sa....@fz...> - 2018-03-01 10:40:25

Hi Krzysztof, Piotr,

I found another problem. I create a new account using an external IdP. The new account is created and user can log in, although the email address was not confirmed so far.

Within the registration form I created the rule like it is described in the manual and works on other instances with unity 1.x.

I don't see the registration within Requests management under Registration & enquiry. Is this the wanted behaviour?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Piotr P. <pio...@gm...> - 2018-03-01 08:14:12

Dear Sander,

This is the next small bug, but I think there is a workaround. If you do not want a mandatory attr please click on the mandatory checkbox twice - check and uncheck. Then you can save the profile. If you want to add a new profile action with attrDisplayName and attrDescription you can also, before saving the profile, click twice on the mandatory checkbox. Then the action params will be saved in the proper way. We will fix this in the upcoming 2.4.2 release.

Best regards
Piotr

On 01.03.2018 8:21 AM, "Sander Apweiler" <sa....@fz...> wrote:
> Hi Krzysztof,
>
> I created a new output translation profile within unity 2.4.1 and found two problems.
>
> 1) The entered values are not stored to its "attributes". E.g. I did not set a mark as mandatory but enter the display name and description. At least in GUI the display name is stored as value of mandatory and the description as value of display name. See picture 1.
>
> 2) I create a new attribute name in output translation profile. This attribute is created from internal attributes givenName and sn. My expression is:
>
> attr['givenName'] + ' ' + attr['sn']
>
> If I don't enter the last three options (mandatory, display name and description), I get an error "Action parameters are invalid: Action requires min 3 parameters". See picture 2.
>
> I guess the first one is only a display problem. Do you have a solution for the second one?
>
> Best regards,
> Sander
>
> --
> Federated Systems and Data
> Juelich Supercomputing Centre
> phone: +49 2461 61 8847
> fax: +49 2461 61 6656
> email: sa....@fz...

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Unity-idm-discuss mailing list
Uni...@li...
https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
From: Sander A. <sa....@fz...> - 2018-03-01 07:21:16

Hi Krzysztof,

I created a new output translation profile within unity 2.4.1 and found two problems.

1) The entered values are not stored to its "attributes". E.g. I did not set a mark as mandatory but enter the display name and description. At least in GUI the display name is stored as value of mandatory and the description as value of display name. See picture 1.

2) I create a new attribute name in output translation profile. This attribute is created from internal attributes givenName and sn. My expression is:

attr['givenName'] + ' ' + attr['sn']

If I don't enter the last three options (mandatory, display name and description), I get an error "Action parameters are invalid: Action requires min 3 parameters". See picture 2.

I guess the first one is only a display problem. Do you have a solution for the second one?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Tim K. <t.k...@fz...> - 2018-03-01 07:20:10

Dear Krzysztof,

I want to add new users with the REST API of Unity. While creating the user and moving them to the right group is no problem, I have problems setting a credential. I am not sure about the JSON Object I have to add.

What I do right now is:

URL = '...rest-admin/v1/entity/train015/credential/train:password?identityType=userName'
Header = {'Content-Type': 'application/json', 'Authorization': 'Basic nmVfdGUkbWluOmc4OWYrbyFFeG2mVHRtaEQlZ3RQ'}
Data = ???

I tried a lot, last try was:

{'true': '["{\\"password\\":\\"newPass1!\\"}"]'}

When I set another key in Data (like 'value') I receive "Caused by: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'values': was expecting ('true', 'false' or 'null')". Because of this I tried the 'true' key. Right now I get this error message in the Unity log:

2018-03-01T08:17:36,327 [qtp988637485-277] ERROR unity.server.rest.JSONParsingExceptionMapper: JSON parse error during RESTful API invocation
pl.edu.icm.unity.rest.exception.JSONParsingException: Request body must be a JSON array
        at pl.edu.icm.unity.restadm.RESTAdmin.setCredentialByUser(RESTAdmin.java:395) ~[unity-server-rest-admin-2.4.1.jar:?]
        at sun.reflect.GeneratedMethodAccessor261.invoke(Unknown Source) ~[?:?]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_151]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_151]
        at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:180) ~[cxf-core-3.1.10.jar:3.1.10]
        at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96) ~[cxf-core-3.1.10.jar:3.1.10]
        at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:189) [cxf-rt-frontend-jaxrs-3.1.10.jar:3.1.10]
        at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:99) [cxf-rt-frontend-jaxrs-3.1.10.jar:3.1.10]
        at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59) [cxf-core-3.1.10.jar:3.1.10]
        at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96) [cxf-core-3.1.10.jar:3.1.10]
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) [cxf-core-3.1.10.jar:3.1.10]
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-core-3.1.10.jar:3.1.10]
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:262) [cxf-rt-transports-http-3.1.10.jar:3.1.10]
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) [cxf-rt-transports-http-3.1.10.jar:3.1.10]
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) [cxf-rt-transports-http-3.1.10.jar:3.1.10]
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) [cxf-rt-transports-http-3.1.10.jar:3.1.10]
        at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:180) [cxf-rt-transports-http-3.1.10.jar:3.1.10]
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:299) [cxf-rt-transports-http-3.1.10.jar:3.1.10]
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPut(AbstractHTTPServlet.java:235) [cxf-rt-transports-http-3.1.10.jar:3.1.10]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:710) [javax.servlet-api-3.1.0.jar:3.1.0]
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:274) [cxf-rt-transports-http-3.1.10.jar:3.1.10]
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:860) [jetty-servlet-9.4.8.v20171121.jar:9.4.8.v20171121]
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:535) [jetty-servlet-9.4.8.v20171121.jar:9.4.8.v20171121]
        at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188) [jetty-server-9.4.8.v20171121.jar:9.4.8.v20171121]
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253) [jetty-server-9.4.8.v20171121.jar:9.4.8.v20171121]
        at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168) [jetty-server-9.4.8.v20171121.jar:9.4.8.v20171121]
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473) [jetty-servlet-9.4.8.v20171121.jar:9.4.8.v20171121]
        at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166) [jetty-server-9.4.8.v20171121.jar:9.4.8.v20171121]
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155) [jetty-server-9.4.8.v20171121.jar:9.4.8.v20171121]
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) [jetty-server-9.4.8.v20171121.jar:9.4.8.v20171121]
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:219) [jetty-server-9.4.8.v20171121.jar:9.4.8.v20171121]
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) [jetty-server-9.4.8.v20171121.jar:9.4.8.v20171121]
        at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:335) [jetty-rewrite-9.4.8.v20171121.jar:9.4.8.v20171121]
        at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:455) [jetty-server-9.4.8.v20171121.jar:9.4.8.v20171121]
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) [jetty-server-9.4.8.v20171121.jar:9.4.8.v20171121]
        at org.eclipse.jetty.server.Server.handle(Server.java:530) [jetty-server-9.4.8.v20171121.jar:9.4.8.v20171121]
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:347) [jetty-server-9.4.8.v20171121.jar:9.4.8.v20171121]
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:256) [jetty-server-9.4.8.v20171121.jar:9.4.8.v20171121]
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279) [jetty-io-9.4.8.v20171121.jar:9.4.8.v20171121]
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102) [jetty-io-9.4.8.v20171121.jar:9.4.8.v20171121]
        at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:289) [jetty-io-9.4.8.v20171121.jar:9.4.8.v20171121]
        at org.eclipse.jetty.io.ssl.SslConnection$3.succeeded(SslConnection.java:149) [jetty-io-9.4.8.v20171121.jar:9.4.8.v20171121]
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102) [jetty-io-9.4.8.v20171121.jar:9.4.8.v20171121]
        at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124) [jetty-io-9.4.8.v20171121.jar:9.4.8.v20171121]
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:247) [jetty-util-9.4.8.v20171121.jar:9.4.8.v20171121]
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:140) [jetty-util-9.4.8.v20171121.jar:9.4.8.v20171121]
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131) [jetty-util-9.4.8.v20171121.jar:9.4.8.v20171121]
        at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:382) [jetty-util-9.4.8.v20171121.jar:9.4.8.v20171121]
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:708) [jetty-util-9.4.8.v20171121.jar:9.4.8.v20171121]
        at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:626) [jetty-util-9.4.8.v20171121.jar:9.4.8.v20171121]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_151]

Can you show me a working Data JSON Object? I don't know how to create a JSON Object so that Unity accepts it as a 'JSON array'.

Thank you and best regards,
Tim Kreuzer

--
M.Sc. Tim Kreuzer
Federated Systems and Data
Jülich Supercomputing Centre, http://www.fz-juelich.de/jsc
Phone: +49 2461 61-1583
From: D B. <ba...@aw...> - 2018-02-28 16:24:48

Hi,

On 26/02/18 23:31, Krzysztof Benedyczak wrote:
[...]
> Anyway, instead you can try the automatic (server-driven) activation of
> the auto login. Ensure you have a single remote authN option enabled on
> your SAML IdP endpoint and add this to its config:
>
> unity.endpoint.web.autoLogin=true

Thanks, it works now! Great! :-)

D.
From: Sander A. <sa....@fz...> - 2018-02-28 14:08:07

Hi Krzysztof,

with unity 2.4.1 I got an "Internal server error during confirmation". It seems that some attribute is not set (see attached log). Do you have a hint? Email confirmation for the created entity did work.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Krzysztof B. <kb...@un...> - 2018-02-26 23:29:22

Hi Sander,

On 23.02.2018 at 14:48, Sander Apweiler wrote:
> Hi Krzysztof, all,
>
> I configured multiple IdPs with SAML metadataSource.
> (remoteSamlAuth.properties is attached.) When I start unity only the
> IdPs from the second metadata file are listed. If I comment the second
> source (whole block) out and reload the authenticator, the IdPs from
> the first one are loaded.
>
> After commenting in the second source, to have both, and reloading the
> authenticator, the IdPs from the first source get lost.
>
> I have this issue on three different instances with unity 2.4.0 and
> 2.4.1. Do you have any idea to solve it?

I'm investigating, but it looks like this is a regression bug when multiple federations are enabled. If my findings are confirmed we will fix this for the next release.

As a workaround you can try to define two saml authenticators, each using a single federation metadata, and then enable both on your endpoint(s).

Best,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2018-02-26 23:06:16

Hi Nikolaos,

On 23.02.2018 at 20:52, Nikolaos Evangelou wrote:
> Hello everybody,
>
> I have 3 questions. First, is it possible to reproduce the
> registration flow, when a user is logging in using an IdP, using API
> calls? For example, can I register to B2ACCESS with my ORCID account
> but using the API and not the web GUI?

Fully reproducing is impossible and would be super hard anyway. But you can mostly reproduce the effects of a successful registration of an ORCID person using the REST API. You need to know how Unity is configured to act in such a case: how the ORCID profile is translated to the local representation: input translation profile, registration form if any, its automation. And of course the contents of your ORCID profile. Then you can invoke operations to add identity (likely it will be of identifier type with value equal to the ORCID id), add attributes, and most likely this will be it. There will be slight differences though: in Unity it will be visible that attributes and identity were directly defined and not obtained from orcid.

> Second, I tried to make a put request to add an attribute to an entity
> as is shown in this guide
> http://www.unity-idm.eu/documentation/unity-2.2.0/rest-api-v1.html#_set_attribute ,
> but when I pass the data I get the response "No JSON object could be
> decoded". I run this command:
> ```
> curl -v -u ‘username’:'password' -H 'Content-Type: application/json'
> -d '{"values": ["{\"value\":\"so...@em...\",\"tags\":[]}"],"name": "email","groupPath":
> "/ROOT"}' -X PUT
> 'https://unity.eudat-aai.fz-juelich.de/rest-admin/v1/entity/{entityid}/attribute?identityType=email'
> | python -m json.tool
> ```
> So, how should be the format of the json data?

The email value is incorrect. As you can see in the cited doc example, you are missing the confirmationData part. Something like this (only the value):

"{\"value\":\"so...@em...\",\"confirmationData\":{\"confirmed\":false,\"confirmationDate\":0,\"sentRequestAmount\":0},\"tags\":[]}"

> And third, what parameters should I pass to
> https://unity.eudat-aai.fz-juelich.de/oauth2/token endpoint to get
> an access token after registration?

Hard to say, depends on the OAuth flow you want to use and which is enabled for your client. In general please refer to the OAuth2 protocol spec.

Best,
Krzysztof
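Added example, not code from the thread or from the Unity project: a small Python helper that builds the "set attribute" request body in the shape Krzysztof describes above (an outer JSON object with "name", "groupPath" and "values"; each element of "values" is itself a JSON-encoded string; an email value carries a "confirmationData" object) and checks a body before it goes on the wire, reporting the missing confirmationData that the curl command in the question would have produced. The field names come from the example on this page; the address, group path, entity id and the commented request call are constructed placeholders.

```python
"""Build and sanity-check a Unity REST "set attribute" request body.

Added example (not Unity's own client code). Body shape follows the thread:
outer JSON object -> "values" array -> JSON-encoded strings -> for the email
attribute, a "confirmationData" object inside each value. Addresses, group
path and entity id below are constructed placeholders.
"""
import json

CONFIRMATION_KEYS = ("confirmed", "confirmationDate", "sentRequestAmount")


def email_value(address, confirmed=False):
    """One email attribute value, returned as a JSON-encoded *string*.

    The admin API stores the confirmation state as given, so the default is
    unconfirmed: marking an address as confirmed should be a deliberate choice.
    """
    value = {
        "value": address,
        "confirmationData": {
            "confirmed": bool(confirmed),
            "confirmationDate": 0,
            "sentRequestAmount": 0,
        },
        "tags": [],
    }
    return json.dumps(value)


def set_attribute_body(name, group_path, values):
    """Outer request body; `values` must already be JSON-encoded strings."""
    return json.dumps({"values": list(values), "name": name, "groupPath": group_path})


def validate_body(body):
    """Return the problems found in a request body (empty list = looks right)."""
    problems = []
    try:
        top = json.loads(body)
    except (TypeError, ValueError) as exc:
        # A Python dict repr (single quotes) or a form-encoded string lands
        # here; a JSON parser rejects both before any schema check.
        return ["top-level body is not JSON: %s" % exc]
    if not isinstance(top, dict):
        return ["top-level body must be a JSON object"]
    for key in ("name", "groupPath", "values"):
        if key not in top:
            problems.append("missing key %r" % key)
    values = top.get("values")
    if not isinstance(values, list):
        problems.append("'values' must be a JSON array")
        return problems
    for i, raw in enumerate(values):
        if not isinstance(raw, str):
            problems.append("values[%d] must be a JSON-encoded string" % i)
            continue
        try:
            inner = json.loads(raw)
        except ValueError:
            problems.append("values[%d] is not valid JSON" % i)
            continue
        if not isinstance(inner, dict) or "value" not in inner:
            problems.append("values[%d] lacks a 'value' field" % i)
            continue
        if top.get("name") == "email":
            cd = inner.get("confirmationData")
            if not isinstance(cd, dict) or any(k not in cd for k in CONFIRMATION_KEYS):
                problems.append("values[%d] lacks confirmationData" % i)
    return problems


def decoded_values(body):
    """Decode the nested value strings of a valid body into Python dicts."""
    return [json.loads(raw) for raw in json.loads(body)["values"]]


if __name__ == "__main__":
    # Constructed sample: a value without confirmationData, as in the curl
    # command from the question, beside the corrected one.
    sent = set_attribute_body("email", "/ROOT", ['{"value":"user@example.org","tags":[]}'])
    fixed = set_attribute_body("email", "/ROOT", [email_value("user@example.org")])
    print("as sent:", validate_body(sent))   # ['values[0] lacks confirmationData']
    print("fixed:  ", validate_body(fixed))  # []
    # Sending it (hypothetical base URL and placeholder entity id):
    # requests.put(BASE + "/rest-admin/v1/entity/<ENTITY_ID>/attribute",
    #              params={"identityType": "email"}, data=fixed,
    #              headers={"Content-Type": "application/json"}, auth=(user, pw))
```

Serialize the whole outer object with `json.dumps` and send the resulting string as the request body; passing a Python dict straight to an HTTP client typically form-encodes it or sends its repr, and either fails the first check above.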
From: Krzysztof B. <kb...@un...> - 2018-02-26 22:31:13

Hi Doris,

On 22.02.2018 at 17:44, Doris Baum wrote:
> Hi,
>
> finally got around to playing with the new uy_auto_login=true feature.
> Could you go into more detail where this needs to be put?
>
> I tried the <urn:SingleSignOnService ...> tag in the unity idp metadata
> xmlfile of my SP but when I do this unity complains:
> eu.unicore.samly2.exceptions.SAMLRequesterException: Destination value
> https://unity:2443/saml-idp/saml2idp-web?uy_auto_login=true is not
> matching the responder's URI: https://unity:2443/saml-idp/saml2idp-web

It may be difficult to trigger this functionality from an arbitrary SP - it depends on what its implementation allows for. If the SP is fully driven by SAML metadata, and you can not force it to add an additional query parameter, then I'd suggest not using the client driven variant of this feature. As a rule of thumb it will typically be a problem when using a SAML SP, and more likely possible when using OAuth clients.

Anyway, instead you can try the automatic (server-driven) activation of the auto login. Ensure you have a single remote authN option enabled on your SAML IdP endpoint and add this to its config:

unity.endpoint.web.autoLogin=true

> Also, I gather that step 2 from my original question can now be done
> with unity.saml.skipConsent - thanks for adding this! :-)

No problem :-)

Best,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2018-02-26 22:14:34

Hi Sander,

On 22.02.2018 at 09:48, Sander Apweiler wrote:
> Hi Krzysztof, all,
>
> I have disabled several accounts in my unity instance. Some of them are
> local accounts and some of them are federated accounts from Google or
> home organisation.
>
> If one of the users with a disabled account tries to login at an SP,
> unity has a different behaviour.
>
> 1. User with local unity account signs in:
> - SP redirects user to unity
> - user tries to sign in
> - unity shows an error
> 2. User with federated account signs in:
> - SP redirects user to unity
> - user selects IdP and is forwarded to it
> - user signs in at IdP and comes back to unity
> - unity shows no error and sends the user back to SP
> - an error at SP occurs
>
> I think the behaviour in the first situation is correct/the better one.
> Is there a reason why the error is not shown in the second case and an
> incorrect authentication is sent to the SPs?

I've checked this and the second case indeed should not behave this way. I'll open a ticket to fix this behavior, thx for noting this.

Cheers,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2018-02-26 20:06:34

Hi Sander,

On 16.02.2018 at 11:34, Sander Apweiler wrote:
> Hi Krzysztof, all
>
> I got information from ORCID about still using API version 1.2. This
> version will be turned off on March 1st. Thereafter only versions 2.0
> and 2.1 are supported.
>
> I saw in the source code that unity 2.4.1 is using ORCID API 1.2 too.
> Please can you update it?
>
> ORCID has referred to [1] for more information.
>

Thanks for the info. We have a ticket to do this, I'll bump its priority to include it in the next release.

Best,
KB
From: Nikolaos E. <nik...@gm...> - 2018-02-23 19:53:06

Hello everybody,

I have 3 questions. First, is it possible to reproduce the registration flow, when a user is logging in using an IdP, using API calls? For example, can I register to B2ACCESS with my ORCID account but using the API and not the web GUI?

Second, I tried to make a put request to add an attribute to an entity as is shown in this guide http://www.unity-idm.eu/documentation/unity-2.2.0/rest-api-v1.html#_set_attribute , but when I pass the data I get the response "No JSON object could be decoded". I run this command:

```
curl -v -u ‘username’:'password' -H 'Content-Type: application/json' -d '{"values": ["{\"value\":\"so...@em...\",\"tags\":[]}"],"name": "email","groupPath": "/ROOT"}' -X PUT 'https://unity.eudat-aai.fz-juelich.de/rest-admin/v1/entity/{entityid}/attribute?identityType=email' | python -m json.tool
```

So, how should be the format of the json data?

And third, what parameters should I pass to https://unity.eudat-aai.fz-juelich.de/oauth2/token endpoint to get an access token after registration?

Best regards,
Nick
From: Piotr P. <pio...@gm...> - 2018-02-23 16:39:03

Dear Doris,

I have checked this and unfortunately it's a bug. To work around this problem you can add the output translation profile by config file. To simplify matters, you can first export the problematic profile to JSON and then edit the attribute name in the json file. Then you can add this profile in config:

unityServer.core.translationProfiles.PROFILE_NAME=path/to/json/PROFILE_NAME.json

We will fix this bug asap.

Best regards
Piotr

On 22.02.2018 at 16:23, D Baum wrote:
> Hi!
>
> I'm trying to set up a Translation Output Profile and map the username
> attribute to attributeName urn:mace:dir:attribute-def:cn
>
> The web interface complains about this not being a valid MVEL expression
> and the issue seems to be the "-" in the name. Can I escape this
> somehow? I tried \ but that doesn't seem to do the trick.
>
> Cheers,
> D.
From: Sander A. <sa....@fz...> - 2018-02-23 13:49:07

Hi Krzysztof, all,

I configured multiple IdPs with SAML metadataSource. (remoteSamlAuth.properties is attached.) When I start unity only the IdPs from the second metadata file are listed. If I comment the second source (whole block) out and reload the authenticator, the IdPs from the first one are loaded.

After commenting in the second source, to have both, and reloading the authenticator, the IdPs from the first source get lost.

I have this issue on three different instances with unity 2.4.0 and 2.4.1. Do you have any idea to solve it?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Doris B. <ba...@aw...> - 2018-02-22 16:44:02
Hi,

finally got around to playing with the new uy_auto_login=true feature. Could you go into more detail where this needs to be put?

I tried the <urn:SingleSignOnService ...> tag in the unity IdP metadata XML file of my SP but when I do this unity complains:

    eu.unicore.samly2.exceptions.SAMLRequesterException: Destination value https://unity:2443/saml-idp/saml2idp-web?uy_auto_login=true is not matching the responder's URI: https://unity:2443/saml-idp/saml2idp-web

Also, I gather that step 2 from my original question can now be done with unity.saml.skipConsent - thanks for adding this! :-)

Best,
D.

On 22/12/17 14:44, Krzysztof Benedyczak wrote:
> Hi,
>
> On 22.12.2017 at 13:48, D Baum wrote:
>> Hi!
>>
>> I've set up Unity as a SAML "proxy" (which acts as a SAML IDP towards my
>> applications but authenticates users with a SAML endpoint at an external
>> IDP) and that's working fine.
>>
>> However, when users click "login" in my application, they are first
>> taken to a unity page (https://unity/saml-idp/saml2idp-web-entry) where
>> they have to click the "Authenticate" button to be forwarded to the
>> external IDP (step 1).
>>
>> After they log in, they get redirected back to unity where they can
>> select which information to share with the application and they have to
>> click a button again (step 2).
>>
>> Is it possible to configure unity so that it _doesn't_ display those two
>> confirmation pages? So that the user doesn't have to click two buttons
>> during the login process? Ideally, for this usage scenario unity would
>> be "invisible" to the user.
>>
>
> This feature will be available in the next release. If you want to play
> with this already, there is a pre-release in the unofficial folder on SF
> (just use the latest distro from this folder). Adding uy_auto_login=true
> query parameter to the Unity redirect URL will trigger this functionality.
>
> Best
> Krzysztof
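The exception above is a SAML Destination check: a receiver must verify that a signed message's Destination attribute matches the endpoint it arrived at, and putting the extra query parameter into the SingleSignOnService Location makes the SP bake it into the AuthnRequest, so the values no longer match. The following is an added example, not Unity's or the samly2 library's code: it models that check, encodes a constructed AuthnRequest with the HTTP-Redirect binding, and shows that a query parameter carried on the redirect URL itself leaves the request's Destination equal to the bare endpoint. The responder URI is the one from the error message; the request contents and the exact-string comparison rule are assumptions of this example.

```python
"""The SAML Destination check behind the error quoted above.

Added example, not Unity's or samly2's code. The responder URI comes from the
error message in the thread; the AuthnRequest, its ID and the comparison rule
(exact string match, which is what the message suggests) are assumptions.
"""
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
RESPONDER_URI = "https://unity:2443/saml-idp/saml2idp-web"


def authn_request(destination):
    """Constructed minimal AuthnRequest carrying the given Destination."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="%s" ID="_constructed-id" Version="2.0" '
        'IssueInstant="2018-02-22T16:00:00Z" Destination="%s"/>' % (SAMLP_NS, destination)
    )


def check_destination(request_xml, responder_uri):
    """Return (accepted, reason) for the Destination attribute of a request."""
    root = ET.fromstring(request_xml)
    destination = root.get("Destination")
    if destination is None:
        return False, "Destination attribute missing"
    if destination != responder_uri:
        return False, "Destination value %s is not matching the responder's URI: %s" % (
            destination, responder_uri)
    return True, "ok"


def encode_redirect_request(request_xml):
    """HTTP-Redirect binding encoding: raw DEFLATE, then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    raw = compressor.compress(request_xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(raw).decode("ascii")


def decode_redirect_request(encoded):
    """Inverse of encode_redirect_request."""
    return zlib.decompress(base64.b64decode(encoded), -15).decode("utf-8")


def redirect_url(responder_uri, request_xml, extra_params=None):
    """Build the SP -> IdP redirect. Extra parameters such as uy_auto_login=true
    go on the URL; the Destination inside the request stays the bare endpoint
    that the receiver compares against."""
    params = {"SAMLRequest": encode_redirect_request(request_xml)}
    params.update(extra_params or {})
    return "%s?%s" % (responder_uri, urlencode(params))


def receive_redirect(url, responder_uri):
    """What the IdP side sees: the query parameters plus the Destination verdict."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    request_xml = decode_redirect_request(query["SAMLRequest"][0])
    return query, check_destination(request_xml, responder_uri)


if __name__ == "__main__":
    # Parameter baked into the metadata Location ends up inside the request: rejected.
    print(check_destination(authn_request(RESPONDER_URI + "?uy_auto_login=true"), RESPONDER_URI))
    # Parameter on the redirect URL only: the request still matches.
    url = redirect_url(RESPONDER_URI, authn_request(RESPONDER_URI), {"uy_auto_login": "true"})
    print(receive_redirect(url, RESPONDER_URI))
```

Whether a particular SP library lets you add a parameter to the redirect URL without also changing the Destination it writes into the request depends on that library; the model only shows why the two have to differ for the check to pass.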
From: D B. <ba...@aw...> - 2018-02-22 15:23:56
Hi!

I'm trying to set up a Translation Output Profile and map the username attribute to attributeName urn:mace:dir:attribute-def:cn

The web interface complains about this not being a valid MVEL expression and the issue seems to be the "-" in the name. Can I escape this somehow? I tried \ but that doesn't seem to do the trick.

Cheers,
D.
From: Sander A. <sa....@fz...> - 2018-02-22 08:48:59
Hi Krzysztof, all,

I have disabled several accounts in my unity instance. Some of them are local accounts and some of them are federated accounts from Google or a home organisation. If one of the users with a disabled account tries to log in at an SP, unity has a different behaviour.

1. User with local unity account signs in:
 - SP redirects user to unity
 - user tries to sign in
 - unity shows an error

2. User with federated account signs in:
 - SP redirects user to unity
 - user selects IdP and is forwarded to it
 - user signs in at IdP and comes back to unity
 - unity shows no error and sends the user back to SP
 - an error at SP occurs

I think the behaviour in the first situation is correct/the better one. Is there a reason why the error is not shown in the second case and an incorrect authentication is sent to the SPs?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Sander A. <sa....@fz...> - 2018-02-16 10:35:39
Hi Krzysztof, all,

I got information from ORCID about still using API version 1.2. This version will be turned off on March 1st. Thereafter only versions 2.0 and 2.1 are supported. I saw in the source code that unity 2.4.1 is using ORCID API 1.2 too. Please can you update it?

ORCID has referred to [1] for more information.

Best regards,
Sander

[1]: https://github.com/ORCID/ORCID-Source/tree/master/orcid-model/src/main/resources/record_2.0#sample-files

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Krzysztof B. <kb...@un...> - 2018-02-11 23:48:37
Dear Subscribers,

A minor bugfix release 2.4.1 of Unity was published. It contains a couple of rather small fixes:

-) It is not possible anymore to add an attribute type with an invalid configuration
-) SAML IdP adds Destination attribute to signed responses
-) Attribute statement UI properly handles equal instances
-) LDAP password verification properly logs exception details
-) Add attribute type with string value in UI is fixed

More details and download links as usual available here: http://www.unity-idm.eu/downloads/

Best regards,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2018-02-11 21:06:46
Hi,

First of all big thanks for this - needless to say - huge contribution, it is very welcome! I'll merge it into the main development branch and it will be released in the next (2.5.0) feature version.

Regarding your doubts:

On 09.02.2018 at 16:50, D Baum wrote:
> Note that there are two files in the Polish translation that contain
> variables not present in the English one. I didn't quite know what to do
> with those...
>
> web-common/src/main/resources/messages/webui/messages.properties
> missing
> RegistrationRequestEditorDialog.submitAndAccept
> RegistrationRequest.requestedIdentity
> RegistrationRequest.requestId
> RegistrationRequest.status
> RegistrationRequest.submitTime
> RequestsComponent.caption

With one exception those messages are only used in the Admin UI, and were moved there. The PL versions were left behind, which of course was not a big problem, but I'll remove them to eliminate the confusion.

> web-admin/src/main/resources/messages/webhome/messages.properties
> missing
> IdentityDetails.identityLocal
> IdentityDetails.identityLocalConfirmed
> IdentityDetails.identityLocalNotConfirmed
> IdentityDetails.identityLocalNotConfirmedWithRequest
> IdentityDetails.identityRemote

Those were some legacy ones, not used anymore. I'll remove them too.

Thank you again!
Krzysztof

PS - fix for your SAML bug is just being released in 2.4.1.
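The key mismatch D Baum found by hand is easy to check programmatically before a translation is submitted. Here is an added example (not Unity's code or build tooling): a small parser for Java .properties files that handles comments, the three key/value separators and backslash continuation lines, and a comparison that reports keys missing from a translation and keys the translation has but the reference lacks. The two bundles are constructed; the key names are taken from the thread, the values are placeholders.

```python
"""Finding keys that differ between two Java .properties translation files.

Added example, not Unity's code: the check described above (Polish message
files containing keys the English ones lack) done programmatically. The two
bundles are constructed; key names come from the thread, values are placeholders.
"""
import re

# A key runs up to the first unescaped '=', ':' or whitespace; "\x" escapes are kept together.
_KEY = re.compile(r"^\s*((?:\\.|[^\s=:\\])+)")

# Constructed English reference bundle (note the continuation line at the end).
MESSAGES_EN = """# Registration request editor
RegistrationRequestEditorDialog.caption=Registration request
RegistrationRequestEditorDialog.submit=Submit
RequestsComponent.caption = Requests
! an entry spread over two physical lines
RequestsComponent.help=Review the pending \\
    registration requests here
"""

# Constructed Polish bundle: one key missing, one extra key.
MESSAGES_PL = """RegistrationRequestEditorDialog.caption=Wniosek rejestracyjny
RegistrationRequestEditorDialog.submit=Wyślij
RegistrationRequestEditorDialog.submitAndAccept=Wyślij i zaakceptuj
RequestsComponent.caption: Wnioski
"""


def logical_lines(text):
    """Yield logical lines: a physical line ending in an odd number of
    backslashes continues on the next one (leading whitespace dropped)."""
    pending = None
    for physical in text.splitlines():
        current = physical if pending is None else pending + physical.lstrip()
        trailing = re.search(r"\\+$", current)
        if trailing and len(trailing.group()) % 2 == 1:
            pending = current[:-1]
            continue
        pending = None
        yield current
    if pending is not None:
        yield pending


def property_keys(text):
    """Keys in file order, with key escapes (e.g. "\\ " or "\\=") resolved."""
    keys = []
    for line in logical_lines(text):
        stripped = line.lstrip()
        if not stripped or stripped[0] in "#!":
            continue  # blank line or comment
        match = _KEY.match(line)
        if match:
            keys.append(re.sub(r"\\(.)", r"\1", match.group(1)))
    return keys


def compare_bundles(reference, translation):
    """Return (missing_in_translation, extra_in_translation), both sorted."""
    ref, trans = set(property_keys(reference)), set(property_keys(translation))
    return sorted(ref - trans), sorted(trans - ref)


if __name__ == "__main__":
    missing, extra = compare_bundles(MESSAGES_EN, MESSAGES_PL)
    print("missing in PL:", missing)
    print("extra in PL:  ", extra)
```

Run against a real pair of files (read them with `encoding="latin-1"` for classic .properties, or UTF-8 if the project stores them that way) the "extra" list is exactly the set of leftover keys discussed above.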
From: Krzysztof B. <kb...@un...> - 2018-02-10 17:54:49
Hi Willem,

On 08.02.2018 at 10:35, Willem Elbers wrote:
> Dear Krzysztof,
>
> we have been noticing a pattern with some end-users being confused
> with our current workflow where account acceptance and email
> confirmation are running in parallel.
>
> Especially when accounts are accepted before the email address is
> confirmed (sometimes the confirmation email might end up in the spam
> folder or the user ignored the email). If users try to login or reset
> the password they get the generic error message "invalid username,
> credential or external authentication failed". There is no indication
> that the account is not active because of the unconfirmed email address.
>
> 1. Ideally we would like to switch to a sequential accept and confirm
> workflow, where the email confirmation link is included in the
> acceptance email. So (1) an admin accepts the account request, (2) this
> triggers sending the acceptance email to the user with a confirmation
> link included, (3) after confirming the email address the account is
> ready to be used. Is such a workflow currently supported? If not we
> would like to make this a feature request.

OK, understood. No, this is not possible currently. Do you use the user's email as login? I.e. is the email identity the subject of confirmation? If so then it should be possible to achieve the above with the following feature: an additional checkbox in the registration form config:

    [ ] trigger email verification only after request acceptance

Does it sound OK?

> 2. Additionally, could the error message in this case be improved, so it is
> clear to the user that confirmation is still required? I guess the
> downside here is that this could be abused to leak information about
> what accounts might exist or not.

Well, we can think about something like this but only if a proper password is provided (i.e. valid password and existing but not verified email as login).

As a short term solution you can change the generic authN failure message to something better matching your needs.

Thanks,
Krzysztof
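Two points in this archive are about what a login response may reveal, and one small model covers both. Krzysztof's rule above: a more specific "confirm your e-mail" message is acceptable only when the supplied password is correct, so a wrong password (or an unknown username) always produces the same generic failure and the response cannot be used to probe which accounts exist. Sander's report earlier in this archive: after a successful authentication at an external IdP, the mapped local account's state still has to be checked before anything goes back to the SP. The following is an added example, not Unity's code; account records, salts, passwords and the confirmation message are constructed, and the generic message is the one quoted in the thread.

```python
"""Login outcomes for accounts that are disabled or not yet confirmed.

Added example, not Unity's code. Models (1) the rule that a specific
"confirm your e-mail" message is shown only after a correct password, and
(2) the state check a federated login needs before an assertion is issued.
Accounts, salts and passwords below are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Generic message quoted in the thread; the confirmation text is constructed.
GENERIC_FAILURE = "invalid username, credential or external authentication failed"
CONFIRMATION_REQUIRED = "account is not active yet: please confirm your e-mail address"

ACTIVE, DISABLED, EMAIL_UNCONFIRMED = "active", "disabled", "email_unconfirmed"
_ITERATIONS = 50_000  # kept low for the example; use a far higher count in production
_DUMMY_SALT = b"\x00" * 16


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    state: str


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def new_account(username, password, state=ACTIVE):
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt), state)


def local_login(account, password):
    """Password authentication. Returns (success, message).

    The generic message is returned for a wrong password whatever the account
    state, and for an unknown user, so the response does not distinguish
    "no such account" from "exists but not confirmed"."""
    if account is None:
        hash_password(password, _DUMMY_SALT)  # same work as a real check, to keep timing similar
        return False, GENERIC_FAILURE
    if not hmac.compare_digest(hash_password(password, account.salt), account.password_hash):
        return False, GENERIC_FAILURE
    if account.state == EMAIL_UNCONFIRMED:
        # The correct password shows the caller controls the account, so the
        # more helpful message no longer leaks anything to an outsider.
        return False, CONFIRMATION_REQUIRED
    if account.state != ACTIVE:
        return False, GENERIC_FAILURE
    return True, "ok"


def remote_login(account):
    """Called after the external IdP authenticated the user and the remote
    identity was mapped to a local account. Skipping this check is how a
    disabled account still gets an assertion sent to the SP."""
    if account is None or account.state != ACTIVE:
        return False, GENERIC_FAILURE
    return True, "ok"


if __name__ == "__main__":
    alice = new_account("alice", "correct horse battery staple")
    bob = new_account("bob", "pw-bob", EMAIL_UNCONFIRMED)
    carol = new_account("carol", "pw-carol", DISABLED)
    print(local_login(alice, "wrong"))        # generic
    print(local_login(bob, "wrong"))          # generic: state not revealed
    print(local_login(bob, "pw-bob"))         # confirmation hint, password was right
    print(local_login(carol, "pw-carol"))     # generic: disabled
    print(remote_login(carol))                # no assertion for a disabled account
```

The "short term solution" above (changing the generic message text) fits the same model: whatever wording you choose, it should be the one returned on every failure path that an outsider can reach without the password.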