From: D B. <ba...@aw...> - 2018-02-09 16:08:45

Hi,

it took longer than I hoped but I've just now sent the pull request for the German translation (https://github.com/unity-idm/unity/pull/11). As you recommended, I've translated all variables present in Polish (from English to German). Note that there are two files in the Polish translation that contain variables not present in the English one. I didn't quite know what to do with those...

web-common/src/main/resources/messages/webui/messages.properties missing
RegistrationRequestEditorDialog.submitAndAccept
RegistrationRequest.requestedIdentity
RegistrationRequest.requestId
RegistrationRequest.status
RegistrationRequest.submitTime
RequestsComponent.caption

web-admin/src/main/resources/messages/webhome/messages.properties missing
IdentityDetails.identityLocal
IdentityDetails.identityLocalConfirmed
IdentityDetails.identityLocalNotConfirmed
IdentityDetails.identityLocalNotConfirmedWithRequest
IdentityDetails.identityRemote

HTH
D.

PS: "credentials" is a PITA to translate into German (when it refers to both passwords and certificates).

On 13/11/17 20:15, Krzysztof Benedyczak wrote:
> Hi,
>
> On 13.11.2017 at 16:00, D Baum wrote:
>> Hi,
>>
>> I noticed that Unity IDM offers not only English but also Polish as a configurable language. Are there plans for supporting more languages or does this have low priority for the dev team?
>>
>> I'm asking because I'm wondering if there's a way to give back to this useful project and I thought I could e.g. do a German language translation - if that's useful to you.
>>
>> Is it useful and would you accept contributions from outside your core team?
>
> Sure - it is open source ;-)
>
> We already have the DE flag included, so "only" the messages are missing.
>
> I think a complete translation (i.e. including Admin UI, which has by far the largest amount of messages) is not that critical, but end-user facing translation would be very welcome. This way the PL translation is done, so creating counterparts whenever there are messages_pl.properties will be (by far) enough.
>
> Thanks,
> Krzysztof
>
> PS: The short list of contributors shown by GitHub is incomplete. After migrating to GitHub only people who contributed in the original Assembla repo and at the same time have a GitHub account with the same email are listed. What means: Bernd.
From: Willem E. <wi...@cl...> - 2018-02-08 09:36:15

Dear Krzysztof,

we have been noticing a pattern with some end-users being confused with our current workflow where account acceptance and email confirmation are running in parallel. Especially when accounts are accepted before the email address is confirmed (sometimes the confirmation email might end up in the spam folder or the user ignored the email). If users try to login or reset the password they get the generic error message "invalid username, credential or external authentication failed". There is no indication that the account is not active because of the unconfirmed email address.

1. Ideally we would like to switch to a sequential accept and confirm workflow, where the email confirmation link is included in the acceptance email. So (1) an admin accepts the account request, (2) this triggers sending the acceptance email to the user with a confirmation link included, (3) after confirming the email address the account is ready to be used. Is such a workflow currently supported? If not we would like to make this a feature request.

2. Additionally, could the error message in this case be improved, so it is clear to the user that confirmation is still required? I guess the downside here is that this could be abused to leak information about what accounts might exist or not.

Best,
Willem

-- 
Willem Elbers
CLARIN ERIC
www.clarin.eu | tel: +31-(0)85-0091277 | skype: wjm.elbers
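The two points in the message above (a sequential accept-then-confirm flow, and an error message that does not reveal whether an account exists or why it is inactive) can be modelled together. The following is an added example, not Unity code: a small account registry in which admin acceptance generates the confirmation token and the e-mail that carries it, and login returns one generic message for every failure while the precise reason goes to an admin-only audit list. The 48-hour link validity, the PBKDF2 parameters and all account data are assumptions for the example.

```python
"""Sequential accept-then-confirm workflow with a non-enumerating login error.

Added example; not Unity code. Admin acceptance triggers the e-mail that
carries the confirmation link; login fails with one generic message no matter
whether the account is unknown, not yet accepted, not yet confirmed, or the
password is wrong. The exact reason is kept for admins only.
"""
import enum
import hashlib
import hmac
import os
import secrets

GENERIC_ERROR = "Invalid user name, credential or external authentication failed."
LINK_VALIDITY_SECONDS = 48 * 3600   # assumed default; make it configurable per deployment
_DUMMY_SALT = os.urandom(16)        # used to equalise timing for unknown accounts


class Status(enum.Enum):
    PENDING_ACCEPT = "pending-accept"     # request submitted, awaiting admin
    PENDING_CONFIRM = "pending-confirm"   # accepted, e-mail not yet confirmed
    ACTIVE = "active"


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, email, password):
        self.email = email
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        self.status = Status.PENDING_ACCEPT
        self.confirm_token = None
        self.token_expires = None


class Registry:
    def __init__(self):
        self.accounts = {}
        self.outbox = []   # e-mails that would be sent (constructed, not delivered)
        self.audit = []    # (email, precise reason) - visible to admins only

    def request(self, email, password):
        self.accounts[email] = Account(email, password)

    def admin_accept(self, email, now):
        """Step (1)+(2): admin accepts, which sends the mail containing the link."""
        acct = self.accounts[email]
        if acct.status is not Status.PENDING_ACCEPT:
            raise ValueError("account is not awaiting acceptance")
        acct.confirm_token = secrets.token_urlsafe(32)
        acct.token_expires = now + LINK_VALIDITY_SECONDS
        acct.status = Status.PENDING_CONFIRM
        self.outbox.append({"to": email, "confirm_token": acct.confirm_token})

    def confirm(self, token, now):
        """Step (3): a valid, unexpired token activates the account."""
        for acct in self.accounts.values():
            if acct.confirm_token and hmac.compare_digest(acct.confirm_token, token):
                if now > acct.token_expires:
                    return False
                acct.status = Status.ACTIVE
                acct.confirm_token = None
                return True
        return False

    def login(self, email, password):
        """Return (ok, message). The message never distinguishes the failure cause."""
        acct = self.accounts.get(email)
        if acct is None:
            _hash(password, _DUMMY_SALT)   # same work as a real account, no timing leak
            reason = "unknown account"
        elif not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            reason = "bad password"
        elif acct.status is not Status.ACTIVE:
            reason = "account %s" % acct.status.value
        else:
            self.audit.append((email, "login ok"))
            return True, "ok"
        self.audit.append((email, reason))
        return False, GENERIC_ERROR
```

The admin sees in `audit` that a login failed because the account is still `pending-confirm` (and can re-send the link), while the user-facing text stays identical to the one returned for a non-existent account, which is what keeps the message from becoming an account-enumeration oracle.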
From: Krzysztof B. <kb...@un...> - 2018-01-29 11:53:46

Dear Subscribers,

I'm happy to announce that 2.4.0 is available. The main theme was to allow for quicker and easier setup in case of typical authentication integration scenarios. The highlights are:

* Unity now contains two *predefined attribute type sets*: common and eduPerson. The common set includes nearly 50 attribute types which should completely fulfill the needs of the majority of deployments. The set includes attributes with sensible settings which are counterparts of all commonly found user attributes. This set is loaded by default (via a configuration module). The eduPerson set is not loaded by default. It includes a couple of attributes of the eduPerson schema which are not found in the common set. You can freely edit and/or remove those standard attributes from AdminUI. What is more, it is now possible to export and import attribute types to/from JSON, as well as (re-)import attribute types from the always available predefined sets described above.

* For each supported external OAuth identity provider (e.g. Dropbox, Facebook, GitHub, Google, ...) a complete mapping of attributes to Unity standard attributes is now provided as a *ready to use system input translation profile*. Thanks to it the configuration of those providers requires only 3 parameters: type, client id and client secret. We have cleaned up the providers and updated them to use current APIs. LinkedIn was added to the set of supported providers together with... Unity - so that one Unity instance can be easily configured to use another one.

* There is also a symmetric change: Unity offers ready to use output profiles which translate the Unity attributes to the naming and syntax used by a protocol. For instance there is a *default OpenIdConnect output profile* which makes Unity return standard OIDC attributes without any additional configuration effort.

* Of course default mappings (either in or out) are not always fully sufficient. We have enhanced the translation profiles subsystem so now one *profile may include* (and optionally overwrite) definitions of *another profile*. This is especially useful to create a customized/enhanced version of any of the standard profiles.

* Most of the development time in this release was spent on something bringing little end-user value: the update to the new major release of *Vaadin 8* - the web UI foundation used by Unity. This change enables many further planned developments, but already now you should be able to see some difference:
  o all icons were unified to font ones from a single set,
  o 'hamburger menus' are used in a few places to hide rarely used operation icons,
  o the translation profile edit screen was significantly improved: it uses dense formatting and supports collapsing rules, which can be dragged to easily control their order.

* Unity now ships with a default, system password credential with reasonable security settings. It is used as the default credential for the initial admin user and always when creating an admin user in an emergency (lost admin account). There are also default system credential requirements provided.

* *Date & time attribute syntaxes* were added.

* *User import* functionality, which so far was only possible on the 3rd party query SAML/SOAP endpoint, is now available on all IdP-like endpoints (SAML, OAuth). It can be plugged in just before output profile execution to import additional information about the user by a query to an external system. Currently the local OS users store and LDAP are supported, but we may add more providers in future.

* There were a few enhancements in the *output profiles*:
  o OAuth client's attributes can be used in expressions,
  o it is possible to redirect the user to an external URL instead of completing the regular protocol flow.

There were also many other, smaller improvements including: attribute values are never cut on the UI, it is possible to configure Unity to be an invisible login proxy (no UI presented), confirmation link validity is configurable now.

Note we also added a new - SMS - notification channel. It is not very useful so far (you can use it for sending registration request related notifications) but will be a fundamental element of the features coming in the next release.

See http://www.unity-idm.eu/downloads

Best regards,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2018-01-19 11:36:22

Dear Tim,

On 16.01.2018 at 14:39, Tim Kreuzer wrote:
> Dear Krzysztof,
>
> I have a question about registration forms combined with ldapWeb. I'm using Unity-IdM version 2.3.0. The registration form should be called whenever a (local) unknown user has logged in via ldapWeb at an OAuth2Authz endpoint. What I want to achieve is that new users need to confirm their email-address before they can use the service / before they get a local Unity-IdM entity. When an unknown user logs in the logs show:
>
> 2018-01-16T14:05:49,938 [qtp2016562839-38] DEBUG unity.server.externaltranslation.InputTranslationRule: [[TrProfile ldapTP], [r: 1]]Condition OK
> 2018-01-16T14:05:49,963 [qtp2016562839-38] DEBUG unity.server.externaltranslation.MapIdentityAction: [[TrProfile ldapTP], [r: 1], [ldap - uid=kreuzer1,ou=webusers,ou=jsc,dc=fz-juelich,dc=de]]Mapped identity: [x500Name] uid=kreuzer1,ou=webusers,ou=jsc,dc=fz-juelich,dc=de
> 2018-01-16T14:05:49,964 [qtp2016562839-38] DEBUG unity.server.externaltranslation.InputTranslationRule: [[TrProfile ldapTP], [r: 2]]Condition OK
> 2018-01-16T14:05:49,975 [qtp2016562839-38] DEBUG unity.server.externaltranslation.MapAttributeAction: [[TrProfile ldapTP], [r: 2], [ldap - uid=kreuzer1,ou=webusers,ou=jsc,dc=fz-juelich,dc=de]]Mapped attribute: email: [{"value":"t.k...@fz...","confirmationData":{"confirmed":false,"confirmationDate":0,"sentRequestAmount":0},"tags":[]}]
> 2018-01-16T14:05:49,979 [qtp2016562839-38] DEBUG unity.server.externaltranslation.InputTranslationEngineImpl: No identity needs to be added
> 2018-01-16T14:05:49,980 [qtp2016562839-38] INFO unity.server.externaltranslation.InputTranslationEngineImpl: The mapped identity does not exist in database and was not created. The creation of groups and attributes is skipped, the mapped groups and attributes will be available for the registration form (if any)
> 2018-01-16T14:05:56,512 [pool-2-thread-4] DEBUG unity.server.EntitiesScheduledUpdater: Performing scheduled operations on entities
>
> But a registration form is never shown. In the web browser there is a red rectangle with "Authentication failed - Invalid user name, credential or external authentication failed.".
> Is a registration form in combination with an OAuth2Authz endpoint / "ldap with web-password" authenticator possible? If yes, which part of the configuration have I missed?
> I attached the complete log file and my configuration.

In case of LDAP authentication which is mixed (so that the credential is collected locally but verified externally, in contrast to OAuth or SAML where everything is performed externally) the configuration of the registration form for unknown users is slightly different. Please read the end of section 6.3 in the documentation to see how to enable your registration form.

HTH
Krzysztof
From: Krzysztof B. <kb...@un...> - 2018-01-19 11:29:45

Sander,

On 19.01.2018 at 11:53, Sander Apweiler wrote:
> Hi Krzysztof,
>
> some compliances like R&S or SIRTFI need an extension of the IdP/SP metadata. Is it possible to extend the metadata files of unity to fill in the specific additions of the compliances?

Yes, you can - check those settings for SP and IdP configs respectively:

unity.saml.requester.metadataSource
unity.saml.metadataSource

Unity will publish given files, after signing if configured.

Best
KB
From: Shiraz M. <a....@fz...> - 2018-01-19 11:06:22

Hi Sander,

One quick hack (although not elegant) is to download the existing dynamically generated metadata, add the R&S and SIRTFI extensions and place it inside the VAADIN folder. Obviously the saved metadata files have to be synced with the saml sp and/or idp endpoint properties.

Cheers,
Shiraz

2018-01-19 11:53 GMT+01:00 Sander Apweiler <sa....@fz...>:
> Hi Krzysztof,
>
> some compliances like R&S or SIRTFI need an extension of the IdP/SP metadata. Is it possible to extend the metadata files of unity to fill in the specific additions of the compliances?
>
> Best regards,
> Sander
> --
> Federated Systems and Data
> Juelich Supercomputing Centre
>
> phone: +49 2461 61 8847
> fax: +49 2461 61 6656
> email: sa....@fz...
>
> -----------------------------------------------------------------------
> Forschungszentrum Juelich GmbH
> 52425 Juelich
> Registered office: Juelich
> Registered in the commercial register of the Amtsgericht Dueren No. HR B 3498
> Chairman of the Supervisory Board: MinDir Dr. Karl Eugen Huthmacher
> Management: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt
> -----------------------------------------------------------------------
>
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss

-- 
Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)
Phone: +49 2461 61 6899
Fax: +49 2461 61 6656
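Both replies above (pointing a `metadataSource` setting at a prepared file, or editing the downloaded metadata by hand) leave the operator with an XML file that must carry the REFEDS entity-category and assurance-certification attributes that R&S and SIRTFI registrars look for. The following is an added example, not Unity code: it checks a metadata document for those attributes and, if they are absent, inserts the `EntityAttributes` extension in the schema-mandated position (before the role descriptors) without duplicating values that are already there. The attribute names and category URIs are the published REFEDS/MACEDIR ones; the sample SP metadata is constructed. A file edited this way still has to be re-signed (or published through Unity, which signs it if configured), since editing invalidates any existing signature.

```python
"""Check and extend SAML metadata for REFEDS R&S / SIRTFI entity attributes.

Added example; not Unity code. The sample metadata below is constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)   # keep readable prefixes on output

# Published attribute names and values (MACEDIR / REFEDS)
ENTITY_CATEGORY = "http://macedir.org/entity-category"
ASSURANCE_CERT = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"
SIRTFI = "https://refeds.org/sirtfi"

# Constructed minimal SP metadata, without any Extensions element
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _tag(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def entity_attributes(xml_text):
    """Map every EntityAttributes/Attribute Name to its list of values."""
    root = ET.fromstring(xml_text)
    found = {}
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        found.setdefault(attr.get("Name"), []).extend(values)
    return found


def check_compliance(xml_text):
    """Report whether the R&S category and the SIRTFI assurance tag are declared."""
    attrs = entity_attributes(xml_text)
    return {
        "research_and_scholarship": RS_CATEGORY in attrs.get(ENTITY_CATEGORY, []),
        "sirtfi": SIRTFI in attrs.get(ASSURANCE_CERT, []),
    }


def add_entity_attributes(xml_text, categories=(), assurances=()):
    """Return the metadata with the given entity categories / assurance tags added.

    Extensions is inserted as the first child when missing (the schema requires it
    before any role descriptor); existing attributes and values are reused, not duplicated.
    """
    root = ET.fromstring(xml_text)
    ext = root.find("md:Extensions", NS)
    if ext is None:
        ext = ET.Element(_tag("md", "Extensions"))
        root.insert(0, ext)
    ea = ext.find("mdattr:EntityAttributes", NS)
    if ea is None:
        ea = ET.SubElement(ext, _tag("mdattr", "EntityAttributes"))
    for name, values in ((ENTITY_CATEGORY, categories), (ASSURANCE_CERT, assurances)):
        if not values:
            continue
        attr = next((a for a in ea.findall("saml:Attribute", NS) if a.get("Name") == name), None)
        if attr is None:
            attr = ET.SubElement(ea, _tag("saml", "Attribute"), Name=name, NameFormat=URI_FORMAT)
        present = {v.text for v in attr.findall("saml:AttributeValue", NS)}
        for value in values:
            if value not in present:
                ET.SubElement(attr, _tag("saml", "AttributeValue")).text = value
    return ET.tostring(root, encoding="unicode")
```

Running `check_compliance` on the metadata Unity generates dynamically tells you which of the two declarations is missing before you decide to ship a hand-edited copy; running `add_entity_attributes` twice is safe, which matters when the edit is scripted into a deployment pipeline.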
From: Sander A. <sa....@fz...> - 2018-01-19 10:54:51

Hi Krzysztof,

some compliances like R&S or SIRTFI need an extension of the IdP/SP metadata. Is it possible to extend the metadata files of unity to fill in the specific additions of the compliances?

Best regards,
Sander
-- 
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Tim K. <t.k...@fz...> - 2018-01-16 13:40:20

Dear Krzysztof,

I have a question about registration forms combined with ldapWeb. I'm using Unity-IdM version 2.3.0. The registration form should be called whenever a (local) unknown user has logged in via ldapWeb at an OAuth2Authz endpoint. What I want to achieve is that new users need to confirm their email-address before they can use the service / before they get a local Unity-IdM entity. When an unknown user logs in the logs show:

2018-01-16T14:05:49,938 [qtp2016562839-38] DEBUG unity.server.externaltranslation.InputTranslationRule: [[TrProfile ldapTP], [r: 1]]Condition OK
2018-01-16T14:05:49,963 [qtp2016562839-38] DEBUG unity.server.externaltranslation.MapIdentityAction: [[TrProfile ldapTP], [r: 1], [ldap - uid=kreuzer1,ou=webusers,ou=jsc,dc=fz-juelich,dc=de]]Mapped identity: [x500Name] uid=kreuzer1,ou=webusers,ou=jsc,dc=fz-juelich,dc=de
2018-01-16T14:05:49,964 [qtp2016562839-38] DEBUG unity.server.externaltranslation.InputTranslationRule: [[TrProfile ldapTP], [r: 2]]Condition OK
2018-01-16T14:05:49,975 [qtp2016562839-38] DEBUG unity.server.externaltranslation.MapAttributeAction: [[TrProfile ldapTP], [r: 2], [ldap - uid=kreuzer1,ou=webusers,ou=jsc,dc=fz-juelich,dc=de]]Mapped attribute: email: [{"value":"t.k...@fz...","confirmationData":{"confirmed":false,"confirmationDate":0,"sentRequestAmount":0},"tags":[]}]
2018-01-16T14:05:49,979 [qtp2016562839-38] DEBUG unity.server.externaltranslation.InputTranslationEngineImpl: No identity needs to be added
2018-01-16T14:05:49,980 [qtp2016562839-38] INFO unity.server.externaltranslation.InputTranslationEngineImpl: The mapped identity does not exist in database and was not created. The creation of groups and attributes is skipped, the mapped groups and attributes will be available for the registration form (if any)
2018-01-16T14:05:56,512 [pool-2-thread-4] DEBUG unity.server.EntitiesScheduledUpdater: Performing scheduled operations on entities

But a registration form is never shown. In the web browser there is a red rectangle with "Authentication failed - Invalid user name, credential or external authentication failed.".
Is a registration form in combination with an OAuth2Authz endpoint / "ldap with web-password" authenticator possible? If yes, which part of the configuration have I missed?
I attached the complete log file and my configuration.

Thank you very much in advance,
Tim Kreuzer

ps: to see my configured registration form or translation profile please look into configuration.conf.

-- 
M.Sc. Tim Kreuzer
Federated Systems and Data
Jülich Supercomputing Centre, http://www.fz-juelich.de/jsc
Phone: +49 2461 61-1583
From: Krzysztof B. <kb...@un...> - 2018-01-15 17:41:21

Dear Willem,

On 15.01.2018 at 13:46, Willem Elbers wrote:
> Dear Krzysztof,
>
> it seems that email identities are case-sensitive, is this configurable somewhere?

Yes - that is a long standing bug from day zero, only partially fixed. This partial fix makes the local part case-insensitive (everything before @) - so this is fine. Unfortunately the domain in the email is still compared in a case sensitive manner in the current Unity version. I'll drag the task to fix it up, we should have done this long ago - but nobody asked and it was a bit forgotten. Thanks for reminding about this.

Krzysztof
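The reply above describes a half-fixed comparison: the local part is already matched without regard to case, the domain is not. As an added example (not Unity code), the following normalizer implements the full intended rule, lower-casing both halves and converting the domain to its IDNA A-label so that an internationalized domain and its `xn--` form compare equal, plus a duplicate finder for the migration step: stored identities that only differed in domain case collapse into one once the comparison changes and must be merged or flagged first. The identities below are constructed; the choice to treat the local part case-insensitively follows the reply, not RFC 5321, which technically allows case-sensitive local parts.

```python
"""Case-insensitive comparison of e-mail identities (local part and domain).

Added example, not Unity code. Sample identities are constructed.
"""
import re

# Loose syntactic check: exactly one '@', non-empty local part and domain, no whitespace.
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+$")


def is_valid_email_identity(address):
    return bool(_EMAIL_RE.match(address))


def normalize_email_identity(address):
    """Return the canonical form used for comparison and for storage.

    Local part: lower-cased (the reply above says Unity already compares it
    case-insensitively; RFC 5321 would allow case-sensitive local parts).
    Domain: lower-cased and converted to its IDNA A-label, so a Unicode domain
    and its punycode form are the same identity.
    """
    if not is_valid_email_identity(address):
        raise ValueError("not an e-mail address: %r" % address)
    local, domain = address.rsplit("@", 1)
    local = local.lower()
    domain = domain.lower().encode("idna").decode("ascii")
    return "%s@%s" % (local, domain)


def same_identity(a, b):
    return normalize_email_identity(a) == normalize_email_identity(b)


def find_duplicates(addresses):
    """Group stored identities that collapse to the same canonical form.

    Run this before switching a store from case-sensitive to case-insensitive
    matching: every group returned here would become one identity afterwards.
    """
    groups = {}
    for addr in addresses:
        groups.setdefault(normalize_email_identity(addr), []).append(addr)
    return {canon: group for canon, group in groups.items() if len(group) > 1}


# Constructed sample identities, as they might sit in a store today
SAMPLE_IDENTITIES = [
    "willem@clarin.eu",
    "Willem@CLARIN.EU",
    "kb@example.org",
    "test@Bücher.example",
    "test@xn--bcher-kva.example",
]
```

A deployment that also wants provider-specific rules (for instance ignoring dots in the local part of one mail provider) can layer them on top of `normalize_email_identity`; the important property for an identity store is that the same function is used both when storing an identity and when looking one up.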
From: Willem E. <wi...@cl...> - 2018-01-15 12:46:37

Dear Krzysztof,

it seems that email identities are case-sensitive, is this configurable somewhere?

Best,
Willem

-- 
Willem Elbers
CLARIN ERIC
www.clarin.eu | tel: +31-(0)85-0091277 | skype: wjm.elbers
From: Krzysztof B. <kb...@un...> - 2017-12-22 13:44:54

Hi,

On 22.12.2017 at 13:48, D Baum wrote:
> Hi!
>
> I've set up Unity as a SAML "proxy" (which acts as a SAML IDP towards my applications but authenticates users with a SAML endpoint at an external IDP) and that's working fine.
>
> However, when users click "login" in my application, they are first taken to a unity page (https://unity/saml-idp/saml2idp-web-entry) where they have to click the "Authenticate" button to be forwarded to the external IDP (step 1).
>
> After they log in, they get redirected back to unity where they can select which information to share with the application and they have to click a button again (step 2).
>
> Is it possible to configure unity so that it _doesn't_ display those two confirmation pages? So that the user doesn't have to click two buttons during the login process? Ideally, for this usage scenario unity would be "invisible" to the user.

This feature will be available in the next release. If you want to play with this already, there is a pre-release in the unofficial folder on SF (just use the latest distro from this folder). Adding the uy_auto_login=true query parameter to the Unity redirect URL will trigger this functionality.

Best
Krzysztof
From: Krzysztof B. <kb...@un...> - 2017-12-22 13:42:26

Hi,

On 22.12.2017 at 09:47, Sander Apweiler wrote:
> Hi All,
>
> I want to map external attributes from LDAP. I configured the translation input profile for it. It works fine except one attribute. The failing attribute's name is 'login;x-ns-lifescienceid-persistent-shadow'. Can't unity map attributes with special signs in its name? In that case it would be the ;.

I'm not aware of any limitation here. Can you please investigate whether it is LDAP client specific or an input profile problem? I.e. whether this attribute appears among the attributes at the input of the profile (either in the profile debugger or with DEBUG logging turned on)?

Thanks,
Krzysztof
From: D B. <ba...@aw...> - 2017-12-22 12:48:47

Hi!

I've set up Unity as a SAML "proxy" (which acts as a SAML IDP towards my applications but authenticates users with a SAML endpoint at an external IDP) and that's working fine.

However, when users click "login" in my application, they are first taken to a unity page (https://unity/saml-idp/saml2idp-web-entry) where they have to click the "Authenticate" button to be forwarded to the external IDP (step 1).

After they log in, they get redirected back to unity where they can select which information to share with the application and they have to click a button again (step 2).

Is it possible to configure unity so that it _doesn't_ display those two confirmation pages? So that the user doesn't have to click two buttons during the login process? Ideally, for this usage scenario unity would be "invisible" to the user.

Cheers,
D.
From: Sander A. <sa....@fz...> - 2017-12-22 08:47:42

Hi All,

I want to map external attributes from LDAP. I configured the translation input profile for it. It works fine except one attribute. The failing attribute's name is 'login;x-ns-lifescienceid-persistent-shadow'. Can't unity map attributes with special signs in its name? In that case it would be the ;.

Best regards,
Sander
-- 
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Krzysztof B. <kb...@un...> - 2017-12-19 21:12:56

Hi Willem,

On 19.12.2017 at 16:52, Willem Elbers wrote:
> Hi All,
>
> is there a limit on the validity of the email confirmation link? And if so, what is the default limit and how can we configure this limit?

That is 48 hours. The link can be re-sent by an admin, and we have a ticket to provide a way for a regular user to resend the link. Adding a configuration option for the validity is of course not a problem, we can easily add this.

Best,
Krzysztof
From: Willem E. <wi...@cl...> - 2017-12-19 16:12:29

Hi All,

is there a limit on the validity of the email confirmation link? And if so, what is the default limit and how can we configure this limit?

Best,
Willem

-- 
Willem Elbers
CLARIN ERIC
www.clarin.eu | skype: wjm.elbers
From: Krzysztof B. <kb...@un...> - 2017-12-15 12:18:22

On 15.12.2017 at 10:59, Sander Apweiler wrote:
> Hi Krzysztof,
>
> I have a question about Oauth token validation. Let me describe the situation first:
>
> We have two services (a and b) which are connected to unity. Both services have their own oauth client. Unity does the authentication for both services. Service b must query information from service a. Service a talks only to authenticated "users". Service b requests an access token from unity with its own oauth client and sends the token to service b.
>
> Is service a allowed to validate the token by unity and request user information? Or is it not possible because the token was generated for another client?

Yes, it is. a should however check if the presented token was intended for b.

Cheers,
Krzysztof
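The check the reply recommends (service a verifying that a token it receives was issued to service b's client before acting on it) is the part of token validation that a plain "is it active?" lookup does not cover. As an added example, not Unity code, the function below evaluates a decoded RFC 7662 token-introspection response: it requires `active`, checks `exp`/`nbf`, requires the issuing `client_id` to be in the set of callers a trusts, honours an `aud` field when the authorization server sends one, and optionally requires scopes. The introspection responses are constructed; how Unity's own introspection or userinfo endpoint is called is not assumed here.

```python
"""Validate an OAuth token-introspection response before trusting a forwarded token.

Added example; not Unity code. The responses below are constructed to look like
RFC 7662 introspection JSON, already decoded into dicts.
"""
import time


def check_token(resp, trusted_callers, self_id=None, required_scopes=(), now=None):
    """Return (True, info) when the token may be used, else (False, reason).

    trusted_callers: client_ids whose tokens this service accepts (here: service b's client).
    self_id: our own identifier, compared against 'aud' if the AS sends one.
    """
    now = time.time() if now is None else now
    if resp.get("active") is not True:
        return False, "token not active"
    exp = resp.get("exp")
    if exp is not None and now >= exp:
        return False, "token expired"
    nbf = resp.get("nbf")
    if nbf is not None and now < nbf:
        return False, "token not yet valid"
    # The decisive check from the thread: who was the token issued to?
    client_id = resp.get("client_id")
    if client_id not in trusted_callers:
        return False, "token issued to untrusted client %r" % client_id
    # If the AS states an audience, we must be part of it.
    aud = resp.get("aud")
    if aud is not None and self_id is not None:
        aud_list = [aud] if isinstance(aud, str) else list(aud)
        if self_id not in aud_list:
            return False, "token audience does not include %s" % self_id
    scopes = set((resp.get("scope") or "").split())
    missing = sorted(set(required_scopes) - scopes)
    if missing:
        return False, "missing scopes: %s" % " ".join(missing)
    return True, {"sub": resp.get("sub"), "client_id": client_id, "scopes": sorted(scopes)}


# Constructed sample responses (service a trusts tokens obtained by client "service-b")
NOW = 1_700_000_000
FROM_SERVICE_B = {"active": True, "client_id": "service-b", "sub": "user-42",
                  "scope": "openid profile", "exp": NOW + 600}
FROM_OTHER_CLIENT = {"active": True, "client_id": "service-c", "sub": "user-42",
                     "scope": "openid profile", "exp": NOW + 600}
REVOKED = {"active": False}
EXPIRED = {"active": True, "client_id": "service-b", "sub": "user-42",
           "scope": "openid", "exp": NOW - 1}
```

Failing closed on an unknown `client_id` is what prevents any token a user obtained for some unrelated application at the same Unity instance from being replayed against service a; the reasons returned are meant for a's own logs, not for the HTTP response to the caller.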
From: Sander A. <sa....@fz...> - 2017-12-15 10:00:08

Hi Krzysztof,

I have a question about Oauth token validation. Let me describe the situation first:

We have two services (a and b) which are connected to unity. Both services have their own oauth client. Unity does the authentication for both services. Service b must query information from service a. Service a talks only to authenticated "users". Service b requests an access token from unity with its own oauth client and sends the token to service b.

Is service a allowed to validate the token by unity and request user information? Or is it not possible because the token was generated for another client?

Best regards,
Sander
-- 
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Krzysztof B. <kb...@un...> - 2017-12-13 09:32:55

Hi Michał,

On 12.12.2017 at 15:39, Michał Jankowski wrote:
> Hi,
>
> I have the Unity with SAMLWebIdP and UserHomeUI endpoints configured with 2 authenticators: pwdWeb and samlWebPSNC (some config below). I have 2 entities, one local with password credential (userA), the second with remote SAML authentication (userB). Both authenticators work correctly for UserHomeUI, as I can login as the two entities. Both entities are members of the /eduGAIN group (the "SAML" entity got the group automatically by translation profile).
>
> I encounter a problem while signing into a test simplesaml portal using Unity and the samlWebPSNC authenticator (userB):
>
> SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
>
> Backtrace:
> 0 /var/simplesamlphp/www/module.php:180 (N/A)
> Caused by: sspmod_saml_Error: Responder:*_attribute type [memberOf] does not exist_*
> Backtrace:
> 3 /var/simplesamlphp/modules/saml/lib/Message.php:392 (sspmod_saml_Message::getResponseError)
> 2 /var/simplesamlphp/modules/saml/lib/Message.php:499 (sspmod_saml_Message::processResponse)
> 1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:120 (require)
> 0 /var/simplesamlphp/www/module.php:137 (N/A)
>
> There is no problem with using pwdWeb (userA) - the portal displays attributes.
>
> What makes things even more strange, the following sequence also works correctly:
>
> 1. click authenticate in simplesamlphp
> 2. on Unity login page select password authentication in Unity, provide credentials (userA), click authenticate
> 3. "A remote service has requested ..." page is displayed, click "Login as another user"
> 4. select the SAML IdP on Unity login page
> 5. login to the IdP as userB
> 6. you get back to simplesaml and the attrs of userB are displayed correctly
>
> Note, that the above fails if you skip 2 and 3.
>
> Trying to solve the issue I've played with the output translation profile trying to manually set "memberOf", but with the same result.
>
> Unity log in all cases (correct and incorrect) has no error and claims that "memberOf" was set to the groups the user actually belongs to. Simplesamlphp logs in case of error contain the above mentioned error message. Still, I expect the problem is on Unity side as the displayed error is basically Unity response.
>
> I have Unity 2.3.0 (the same happens on 2.1.0 and 2.2.0).
>
> What may be wrong?

So to put the problem in a short way: the memberOf attribute is expected on the SP but in some cases it is not there? I'd try to enable DEBUG logging on unity.server.externaltranslation (and SAML) and check what precisely happens.

Cheers,
Krzysztof
From: Michał J. <jan...@ma...> - 2017-12-12 14:56:31

Hi,

I have the Unity with SAMLWebIdP and UserHomeUI endpoints configured with 2 authenticators: pwdWeb and samlWebPSNC (some config below). I have 2 entities, one local with password credential (userA), the second with remote SAML authentication (userB). Both authenticators work correctly for UserHomeUI, as I can login as the two entities. Both entities are members of the /eduGAIN group (the "SAML" entity got the group automatically by translation profile).

I encounter a problem while signing into a test simplesaml portal using Unity and the samlWebPSNC authenticator (userB):

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
0 /var/simplesamlphp/www/module.php:180 (N/A)
Caused by: sspmod_saml_Error: Responder:*_attribute type [memberOf] does not exist_*
Backtrace:
3 /var/simplesamlphp/modules/saml/lib/Message.php:392 (sspmod_saml_Message::getResponseError)
2 /var/simplesamlphp/modules/saml/lib/Message.php:499 (sspmod_saml_Message::processResponse)
1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:120 (require)
0 /var/simplesamlphp/www/module.php:137 (N/A)

There is no problem with using pwdWeb (userA) - the portal displays attributes.

What makes things even more strange, the following sequence also works correctly:

1. click authenticate in simplesamlphp
2. on Unity login page select password authentication in Unity, provide credentials (userA), click authenticate
3. "A remote service has requested ..." page is displayed, click "Login as another user"
4. select the SAML IdP on Unity login page
5. login to the IdP as userB
6. you get back to simplesaml and the attrs of userB are displayed correctly

Note, that the above fails if you skip 2 and 3.

Trying to solve the issue I've played with the output translation profile trying to manually set "memberOf", but with the same result.

Unity log in all cases (correct and incorrect) has no error and claims that "memberOf" was set to the groups the user actually belongs to. Simplesamlphp logs in case of error contain the above mentioned error message. Still, I expect the problem is on Unity side as the displayed error is basically Unity response.

I have Unity 2.3.0 (the same happens on 2.1.0 and 2.2.0).

What may be wrong?

Best,
Michal Jankowski

PS. My config is based on Unity's HOWTO (suggests only a few settings). In contrast to it the manual suggests that some more settings are mandatory.

unityServer.conf:
unityServer.core.endpoints.2.endpointType=SAMLWebIdP
unityServer.core.endpoints.2.endpointConfigurationFile=conf/endpoints/saml-webidp.properties
unityServer.core.endpoints.2.contextPath=/saml-idp
unityServer.core.endpoints.2.endpointRealm=defaultRealm
unityServer.core.endpoints.2.endpointName=UNITY SAML web authentication
unityServer.core.endpoints.2.endpointAuthenticators=pwdWeb;certWeb;samlWebPSNC;samlWebIPP

saml-webidp.properties:
unity.saml.issuerURI=https://unity.xxx.psnc.pl
unity.saml.credential=MAIN
unity.saml.defaultGroup=/eduGAIN
unity.saml.spAcceptPolicy=validRequester
unity.saml.acceptedSP.1.entity=https://xxx.psnc.pl/simplesaml/module.php/saml/sp/metadata.php/default-sp
unity.saml.acceptedSP.1.returnURL=https://xxx.psnc.pl/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp
From: D B. <ba...@aw...> - 2017-11-21 16:20:44
Hi,

On 20/11/17 22:48, Krzysztof Benedyczak wrote:
> I'll open a ticket to cover this issue.

Thanks! I'll use the HTTP-Redirect binding for now.

>> I'm assuming that the second problem is caused by some SSL/TLS issue -
>> any hints on how to debug or remove it?
>
> Judging from your response:
> Recipient="http://localhost:8080/MyWebApp/saml/SSO"
> your web page is on plain http. So that is the reason.

Aah, stupid me. Yeah, that makes sense ;-)

Cheers,
D.
From: D B. <ba...@aw...> - 2017-11-21 16:11:57
Hi,

On 20/11/17 22:37, Piotr Piernik wrote:
> Try putting this as the expression:
> import com.fasterxml.jackson.databind.ObjectMapper; import
> java.util.HashMap; new ObjectMapper().readValue(attr['email'],
> HashMap.class).get('value')

Thanks a lot, that works!

D.
From: Krzysztof B. <kb...@un...> - 2017-11-20 21:48:22
Hi,

On 16.11.2017 at 15:55, D Baum wrote:
> Hi,
>
> after having set up Unity as a SAML SP, I'm now also trying to configure
> it as a SAML IDP for my Spring-based webapp. The webapp uses Spring
> Security SAML (https://projects.spring.io/spring-security-saml/), which
> is based on OpenSAML.
>
> If I try to log in to the webapp, I get redirected to Unity. There I can
> log in (with password auth) and have to confirm a form, then I get
> redirected back to the webapp. The webapp then reports a SAML error[CUT]
>
> The response written to the logs indeed doesn't have a Destination tag
> or attribute (see attachment). Also, it's signed because the webapp is
> configured as <md:SPSSODescriptor WantAssertionsSigned="true" ...
>
> The binding mentioned in the error message seems to be
> urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST.
>
> Unity's autogenerated IDP metadata xml has two bindings:
>
> <urn:SingleSignOnService
> Location="https://192.168.2.2:2443/saml-idp/saml2idp-web"
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" />
>
> <urn:SingleSignOnService
> Location="https://192.168.2.2:2443/saml-idp/saml2idp-web"
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" />
>
> If I remove the first one (HTTP-POST) and thus force the webapp to use
> HTTP-Redirect, the error above vanishes.
>
> Is this a bug or a misconfiguration issue or something else?

Unfortunately a bug. After checking the details of the SAML binding spec, indeed there is a requirement to add the Destination attribute whenever the response is signed. It went unnoticed as usually only assertions are signed, not, as in your case, both the assertion and the wrapping response (which is probably overkill unless you have sophisticated requirements).

I'll open a ticket to cover this issue. As a workaround you have to use any setup not requiring signed SAML responses (i.e. the outer protocol wrappings of the signed AuthN assertion).

>
> In addition, I'm getting a security warning from my browser once I
> confirm the "A remote service has requested your authentication" dialog:
> "The information you have entered on this page will be sent over an
> insecure connection and could be read by a third party.
> Are you sure you want to send this information?"
>
> I'm assuming that the second problem is caused by some SSL/TLS issue -
> any hints on how to debug or remove it?

Judging from your response:
Recipient="http://localhost:8080/MyWebApp/saml/SSO"
your web page is on plain http. So that is the reason.

HTH,
Krzysztof
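The Destination rule Krzysztof refers to, as an added example that is not Unity's or Spring Security SAML's code: a relying-party check that accepts a SAML Response only if, when the Response element itself is signed, it carries a Destination attribute equal to the URL the message was delivered to. The sample messages are constructed for this example, with placeholder signature elements; the ACS URL is the one quoted in the thread.

```python
from typing import Tuple
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# ACS URL quoted in this thread. The samples below are constructed, with a
# placeholder signature element: this check only looks at WHERE a signature
# sits and whether Destination is present; it does not verify any signature.
ACS = "http://localhost:8080/MyWebApp/saml/SSO"
RESP_OPEN = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" '
             'ID="_r1" Version="2.0" IssueInstant="2017-11-16T14:55:00Z"'
             % (NS["samlp"], NS["saml"], NS["ds"]))
SIG = "<ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>"
ASSERTION = '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-11-16T14:55:00Z">%s</saml:Assertion>'

# What the thread describes: response itself signed, but no Destination attribute.
SIGNED_NO_DESTINATION = RESP_OPEN + ">" + SIG + ASSERTION % SIG + "</samlp:Response>"
# The compliant form of the same message.
SIGNED_WITH_DESTINATION = RESP_OPEN + ' Destination="%s">' % ACS + SIG + ASSERTION % SIG + "</samlp:Response>"
# The common case: only the assertion is signed, so Destination is not required.
ASSERTION_ONLY_SIGNED = RESP_OPEN + ">" + ASSERTION % SIG + "</samlp:Response>"


def check_signed_response_destination(response_xml: str, delivered_to: str) -> Tuple[bool, str]:
    """Apply the SAML 2.0 HTTP-POST binding rule the SP in this thread enforces:
    if the <samlp:Response> itself is signed, it MUST carry a Destination attribute
    equal to the URL the message was actually delivered to. Returns (accepted, reason)."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "root element is not samlp:Response"
    # Only a ds:Signature that is a direct child of Response signs the response;
    # a signature nested inside saml:Assertion covers just that assertion.
    response_signed = root.find("ds:Signature", NS) is not None
    destination = root.get("Destination")
    if not response_signed:
        return True, "response not signed; Destination is optional"
    if destination is None:
        return False, "signed response lacks Destination attribute"
    if destination != delivered_to:
        return False, "Destination %r does not match delivery URL %r" % (destination, delivered_to)
    return True, "signed response with matching Destination"


if __name__ == "__main__":
    for name, xml in [("signed, no Destination", SIGNED_NO_DESTINATION),
                      ("signed, with Destination", SIGNED_WITH_DESTINATION),
                      ("assertion-only signature", ASSERTION_ONLY_SIGNED)]:
        print(name, "->", check_signed_response_destination(xml, ACS))
```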
From: Piotr P. <pio...@gm...> - 2017-11-20 21:37:17
Hi

On 20.11.2017 at 22:31, Krzysztof Benedyczak wrote:
> Hi,
>
> On 20.11.2017 at 19:40, D Baum wrote:
>> Hi,
>>
>> my Unity entities have an "email" attribute, which I'd like to send
>> along in SAML Assertions to my SP (which authenticates against Unity).
>>
>> To do this, I've created an output translation profile which contains
>> this rule:
>>
>> Condition: attr contains 'email'
>> Action: createAttribute
>> Action parameters: attributeName = urn:mace:dir:attribute-def:mail
>> expression = attr['email']
>> mandatory = false
>> attributeDisplayName = urn:mace:dir:attribute-def:mail
>> attributeDescription = email
>>
>>
>> This makes Unity send the following in the
>> urn:mace:dir:attribute-def:mail attribute:
>> {"value":"fo...@ba...","confirmationData":{"[...]
>>
>> How can I change the MVEL expression of the rule to _only_ send the
>> value fo...@ba...? I've tried all combinations of attr['email'].value,
>> attr.email.value, etc, I could think of - but no success.
>>
>> Is there a way to get at only the email string?
>
> First of all you have hit a bug introduced a while ago, that we also
> found very recently and is already fixed - it will be included in the
> next release.
>
> The workaround isn't easy. It can be done with a complex MVEL expr
> only, I guess.
>
> @Piotr: can you share your snippet that you have shown to me recently?
> Should help here.
>

Try putting this as the expression:

import com.fasterxml.jackson.databind.ObjectMapper; import java.util.HashMap; new ObjectMapper().readValue(attr['email'], HashMap.class).get('value')

Cheers
Piotr

> Best,
> Krzysztof
From: Krzysztof B. <kb...@un...> - 2017-11-20 21:31:56
Hi,

On 20.11.2017 at 19:40, D Baum wrote:
> Hi,
>
> my Unity entities have an "email" attribute, which I'd like to send
> along in SAML Assertions to my SP (which authenticates against Unity).
>
> To do this, I've created an output translation profile which contains
> this rule:
>
> Condition: attr contains 'email'
> Action: createAttribute
> Action parameters: attributeName = urn:mace:dir:attribute-def:mail
> expression = attr['email']
> mandatory = false
> attributeDisplayName = urn:mace:dir:attribute-def:mail
> attributeDescription = email
>
>
> This makes Unity send the following in the
> urn:mace:dir:attribute-def:mail attribute:
> {"value":"fo...@ba...","confirmationData":{"[...]
>
> How can I change the MVEL expression of the rule to _only_ send the
> value fo...@ba...? I've tried all combinations of attr['email'].value,
> attr.email.value, etc, I could think of - but no success.
>
> Is there a way to get at only the email string?

First of all you have hit a bug introduced a while ago, that we also found very recently and is already fixed - it will be included in the next release.

The workaround isn't easy. It can be done with a complex MVEL expr only, I guess.

@Piotr: can you share your snippet that you have shown to me recently? Should help here.

Best,
Krzysztof