From: D B. <ba...@aw...> - 2017-12-22 12:48:47

Hi!

I've set up Unity as a SAML "proxy" (which acts as a SAML IDP towards my applications but authenticates users with a SAML endpoint at an external IDP) and that's working fine. However, when users click "login" in my application, they are first taken to a Unity page (https://unity/saml-idp/saml2idp-web-entry) where they have to click the "Authenticate" button to be forwarded to the external IDP (step 1). After they log in, they get redirected back to Unity where they can select which information to share with the application and they have to click a button again (step 2).

Is it possible to configure Unity so that it _doesn't_ display those two confirmation pages? So that the user doesn't have to click two buttons during the login process? Ideally, for this usage scenario Unity would be "invisible" to the user.

Cheers,
D.
From: Sander A. <sa....@fz...> - 2017-12-22 08:47:42

Hi All,

I want to map external attributes from LDAP. I configured the translation input profile for it. It works fine except for one attribute. The failing attribute's name is 'login;x-ns-lifescienceid-persistent-shadow'. Can't Unity map attributes with special signs in their name? In that case it would be the ';'.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

Forschungszentrum Juelich GmbH, 52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren district court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Dr. Karl Eugen Huthmacher
Board of Directors: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt
From: Krzysztof B. <kb...@un...> - 2017-12-19 21:12:56

Hi Willem,

On 19.12.2017 at 16:52, Willem Elbers wrote:
> Hi All,
>
> is there a limit on the validity of the email confirmation link? And if
> so, what is the default limit and how can we configure this limit?
>

That is 48 hours. The link can be re-sent by an admin, and we have a ticket to provide a way for a regular user to resend the link. Adding a configuration option for the validity is of course not a problem, we can easily add this.

Best,
Krzysztof
From: Willem E. <wi...@cl...> - 2017-12-19 16:12:29

Hi All,

is there a limit on the validity of the email confirmation link? And if so, what is the default limit and how can we configure this limit?

Best,
Willem

--
Willem Elbers
CLARIN ERIC
www.clarin.eu | skype: wjm.elbers
From: Krzysztof B. <kb...@un...> - 2017-12-15 12:18:22

On 15.12.2017 at 10:59, Sander Apweiler wrote:
> Hi Krzysztof,
>
> I have a question about Oauth token validation. Let me describe the
> situation first:
>
> We have two services (a and b) which are connected to unity. Both
> services have its own oauth client. Unity does the authentication for
> both services. Service b must query information from service a.
> Service a talk only to authenticated "users". Service b requests an
> access token from unity with its own oauth client and send the token to
> service b.
>
> Is service a allowed to validate the token by unity and request user
> information? Or is it no possible because the token was generated for
> another client?

Yes, it is. a should however check if the presented token was intended for b.

Cheers,
Krzysztof
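The check Krzysztof asks for ("a should check if the presented token was intended for b") is the point at which a resource that merely confirms a token is active becomes a confused deputy: any active token issued by the same server, to any client, would be accepted. The following is an added example, not Unity code, of how service a can evaluate a token introspection result. It assumes an RFC 7662-style introspection response (`active`, `exp`, `client_id`, optional `aud`); the resource identifier, the allowed caller id and the sample responses are constructed for the example.

```python
"""Resource-side validation of an OAuth access token introspection result.

Added example (not Unity project code). Service "a" must not accept every
active token from the authorization server; it must check that the token
was issued to the caller it expects (service "b"), and, when the server
emits an audience, that "a" is among the audiences. Field names follow
RFC 7662; everything else below is an assumption for the example.
"""
import time
from typing import Optional, Tuple

# Constructed configuration for service "a" (assumed identifiers).
MY_RESOURCE_ID = "https://service-a.example/api"   # what a expects to see in "aud"
ALLOWED_CALLERS = {"client-b"}                      # OAuth client_id of service b


def validate_introspection(resp: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (ok, reason) for an introspection response as seen by service a.

    Checks, in order: token active, not expired, issued to an allowed caller
    (the thread's "intended for b" check) and, when "aud" is present, that
    this service is one of the audiences.
    """
    now = time.time() if now is None else now
    if not resp.get("active"):
        return False, "token not active"
    exp = resp.get("exp")
    if exp is not None and now >= float(exp):
        return False, "token expired"
    if resp.get("client_id") not in ALLOWED_CALLERS:
        return False, f"token issued to unexpected client {resp.get('client_id')!r}"
    aud = resp.get("aud")
    if aud is not None:
        audiences = {aud} if isinstance(aud, str) else set(aud)
        if MY_RESOURCE_ID not in audiences:
            return False, "token audience does not include this service"
    return True, "ok"


# Constructed sample introspection responses (not captured from Unity).
GOOD = {"active": True, "client_id": "client-b", "sub": "user1",
        "aud": [MY_RESOURCE_ID], "exp": 2_000_000_000}
WRONG_CLIENT = dict(GOOD, client_id="client-c")   # active token, but issued to someone else
EXPIRED = dict(GOOD, exp=1_000_000_000)
NO_AUD = dict(GOOD)
del NO_AUD["aud"]                                  # server that emits no "aud" claim

if __name__ == "__main__":
    fixed_now = 1_700_000_000
    for name, r in [("good", GOOD), ("wrong_client", WRONG_CLIENT),
                    ("expired", EXPIRED), ("no_aud", NO_AUD)]:
        print(name, validate_introspection(r, now=fixed_now))
```

The `client_id` test is the one that answers the thread: a token minted for client c is rejected even though Unity would report it as active. Without an `aud` claim from the server the caller check is the only binding between token and intended recipient, which is why the allow-list is explicit rather than "any known client".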
From: Sander A. <sa....@fz...> - 2017-12-15 10:00:08

Hi Krzysztof,

I have a question about Oauth token validation. Let me describe the situation first:

We have two services (a and b) which are connected to unity. Both services have their own oauth client. Unity does the authentication for both services. Service b must query information from service a. Service a talks only to authenticated "users". Service b requests an access token from unity with its own oauth client and sends the token to service b.

Is service a allowed to validate the token by unity and request user information? Or is it not possible because the token was generated for another client?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Krzysztof B. <kb...@un...> - 2017-12-13 09:32:55

Hi Michał,

On 12.12.2017 at 15:39, Michał Jankowski wrote:
> Hi,
>
> I have the Unity with SAMLWebIdP and UserHomeUI endpoints configured
> with 2 authenticators: pwdWeb and samlWebPSNC (some config below). I
> have 2 entities, one local with password credential (userA), the second
> with remote SAML authentication (userB). Both authenticators work
> correctly for UserHomeUI, as I can login as the two entities. Both
> entities are members of /eduGAIN group (the "SAML" entity got the group
> automatically by translation profile).
>
> I encounter problem while signing into a test simplesaml portal using
> Unity and samlWebPSNC authenticator (userB):
>
> SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
>
> Backtrace:
> 0 /var/simplesamlphp/www/module.php:180 (N/A)
> Caused by: sspmod_saml_Error: Responder: attribute type [memberOf] does not exist
> Backtrace:
> 3 /var/simplesamlphp/modules/saml/lib/Message.php:392 (sspmod_saml_Message::getResponseError)
> 2 /var/simplesamlphp/modules/saml/lib/Message.php:499 (sspmod_saml_Message::processResponse)
> 1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:120 (require)
> 0 /var/simplesamlphp/www/module.php:137 (N/A)
>
> There is no problem with using pwdWeb (userA) - the portal displays
> attributes.
>
> What makes things even more strange, the following sequence also works
> correctly:
>
> 1. click authenticate in simplesamlphp
> 2. on Unity login page select password authentication in Unity, provide
> credentials (userA), click authenticate
> 3. "A remote service has requested ..." page is displayed, click "Login
> as another user"
> 4. select the SAML IdP on Unity login page
> 5. login to the IdP as userB
> 6. you get back to simplesaml and the attrs of userB are displayed
> correctly
>
> Note, that the above fails if you skip 2 and 3.
>
> Trying to solve the issue I've played with out translation profile
> trying to manually set "memberOf", but with the same result.
>
> Unity log in all cases (correct and incorrect) has no error and claims
> that "memberOf" was set to the groups the user actually belongs.
> Simplesamlphp logs in case of error contain the mentioned above error
> message. Still, I expect the problem is on Unity side as the displayed
> error is basically Unity response.
>
> I have Unity 2.3.0 (the same happens on 2.1.0 and 2.2.0).
>
> What may be wrong?

So to put the problem in a short way: the memberOf attribute is expected on the SP but in some cases it is not there? I'd try to enable DEBUG logging on unity.server.externaltranslation (and SAML) and check what precisely happens.

Cheers,
Krzysztof
From: Michał J. <jan...@ma...> - 2017-12-12 14:56:31

Hi,

I have the Unity with SAMLWebIdP and UserHomeUI endpoints configured with 2 authenticators: pwdWeb and samlWebPSNC (some config below). I have 2 entities, one local with password credential (userA), the second with remote SAML authentication (userB). Both authenticators work correctly for UserHomeUI, as I can login as the two entities. Both entities are members of /eduGAIN group (the "SAML" entity got the group automatically by translation profile).

I encounter a problem while signing into a test simplesaml portal using Unity and samlWebPSNC authenticator (userB):

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
0 /var/simplesamlphp/www/module.php:180 (N/A)
Caused by: sspmod_saml_Error: Responder: attribute type [memberOf] does not exist
Backtrace:
3 /var/simplesamlphp/modules/saml/lib/Message.php:392 (sspmod_saml_Message::getResponseError)
2 /var/simplesamlphp/modules/saml/lib/Message.php:499 (sspmod_saml_Message::processResponse)
1 /var/simplesamlphp/modules/saml/www/sp/saml2-acs.php:120 (require)
0 /var/simplesamlphp/www/module.php:137 (N/A)

There is no problem with using pwdWeb (userA) - the portal displays attributes.

What makes things even more strange, the following sequence also works correctly:

1. click authenticate in simplesamlphp
2. on Unity login page select password authentication in Unity, provide credentials (userA), click authenticate
3. "A remote service has requested ..." page is displayed, click "Login as another user"
4. select the SAML IdP on Unity login page
5. login to the IdP as userB
6. you get back to simplesaml and the attrs of userB are displayed correctly

Note, that the above fails if you skip 2 and 3.

Trying to solve the issue I've played with our translation profile trying to manually set "memberOf", but with the same result. Unity log in all cases (correct and incorrect) has no error and claims that "memberOf" was set to the groups the user actually belongs to. Simplesamlphp logs in case of error contain the above-mentioned error message. Still, I expect the problem is on the Unity side as the displayed error is basically Unity's response.

I have Unity 2.3.0 (the same happens on 2.1.0 and 2.2.0).

What may be wrong?

Best,
Michal Jankowski

PS. My config is based on Unity's HOWTO (suggests only a few settings). In contrast to it, the manual suggests that some more settings are mandatory.

unityServer.conf:

unityServer.core.endpoints.2.endpointType=SAMLWebIdP
unityServer.core.endpoints.2.endpointConfigurationFile=conf/endpoints/saml-webidp.properties
unityServer.core.endpoints.2.contextPath=/saml-idp
unityServer.core.endpoints.2.endpointRealm=defaultRealm
unityServer.core.endpoints.2.endpointName=UNITY SAML web authentication
unityServer.core.endpoints.2.endpointAuthenticators=pwdWeb;certWeb;samlWebPSNC;samlWebIPP

saml-webidp.properties:

unity.saml.issuerURI=https://unity.xxx.psnc.pl
unity.saml.credential=MAIN
unity.saml.defaultGroup=/eduGAIN
unity.saml.spAcceptPolicy=validRequester
unity.saml.acceptedSP.1.entity=https://xxx.psnc.pl/simplesaml/module.php/saml/sp/metadata.php/default-sp
unity.saml.acceptedSP.1.returnURL=https://xxx.psnc.pl/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp
From: D B. <ba...@aw...> - 2017-11-21 16:20:44

Hi,

On 20/11/17 22:48, Krzysztof Benedyczak wrote:
> I'll open a ticket to cover this issue.

Thanks! I'll use the HTTP-Redirect binding for now.

>> I'm assuming that the second problem is cause by some SSL/TLS issue -
>> any hints on how to debug or remove it?
>
> Judging from your response:
> Recipient="http://localhost:8080/MyWebApp/saml/SSO"
> your web page is on plain http. So that is the reason.

Aah, stupid me. Yeah, that makes sense ;-)

Cheers,
D.
From: D B. <ba...@aw...> - 2017-11-21 16:11:57

Hi,

On 20/11/17 22:37, Piotr Piernik wrote:
> Try put this as expression
>
> import com.fasterxml.jackson.databind.ObjectMapper;
> import java.util.HashMap;
> new ObjectMapper().readValue(attr['email'], HashMap.class).get('value')

Thanks a lot, that works!

D.
From: Krzysztof B. <kb...@un...> - 2017-11-20 21:48:22

Hi,

On 16.11.2017 at 15:55, D Baum wrote:
> Hi,
>
> after having set up Unity as a SAML SP, I'm now also trying to configure
> it as a SAML IDP for my Spring-based webapp. The webapp uses Spring
> Security SAML (https://projects.spring.io/spring-security-saml/), which
> is based on OpenSAML.
>
> If I try to log in to the webapp, I get redirected to Unity. There I can
> log in (with password auth) and have to confirm a form, then I get
> redirected back to the webapp. The webapp then reports a SAML error[CUT]
>
> The response written to the logs indeed doesn't have a Destination tag
> or attribute (see attachment). Also, it's signed because the webapp is
> configured as <md:SPSSODescriptor WantAssertionsSigned="true" ...
>
> The binding mentioned in the error message seems to be
> urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST.
>
> Unity's autogenerated IDP metadata xml has two bindings:
>
> <urn:SingleSignOnService
> Location="https://192.168.2.2:2443/saml-idp/saml2idp-web"
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" />
>
> <urn:SingleSignOnService
> Location="https://192.168.2.2:2443/saml-idp/saml2idp-web"
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" />
>
> If I remove first one (HTTP-POST) and thus force the webapp to use
> HTTP-Redirect, the error above vanishes.
>
> Is this a bug or a misconfiguration issue or something else?

Unfortunately a bug. After checking details of the SAML binding spec, indeed there is a requirement to add the Destination attribute whenever the response is signed. It went unnoticed as usually only assertions are signed, not, as in your case, both the assertion and the wrapping response (which is probably overkill unless you have sophisticated requirements). I'll open a ticket to cover this issue. As a workaround you have to use any setup not requiring signed SAML responses (i.e. the outer protocol wrappings of the signed AuthN assertion).

>
> In addition, I'm getting a security warning from my browser once I
> confirm the "A remote service has requested your authentication" dialog:
> "The information you have entered on this page will be sent over an
> insecure connection and could be read by a third party.
> Are you sure you want to send this information?"
>
> I'm assuming that the second problem is cause by some SSL/TLS issue -
> any hints on how to debug or remove it?

Judging from your response:
Recipient="http://localhost:8080/MyWebApp/saml/SSO"
your web page is on plain http. So that is the reason.

HTH,
Krzysztof
From: Piotr P. <pio...@gm...> - 2017-11-20 21:37:17

Hi

On 20.11.2017 at 22:31, Krzysztof Benedyczak wrote:
> Hi,
>
> On 20.11.2017 at 19:40, D Baum wrote:
>> Hi,
>>
>> my Unity entities have an "email" attribute, which I'd like to send
>> along in SAML Assertions to my SP (which authenticates against Unity).
>>
>> To do this, I've created an output translation profile which contains
>> this rule:
>>
>> Condition: attr contains 'email'
>> Action: createAttribute
>> Action parameters: attributeName = urn:mace:dir:attribute-def:mail
>> expression = attr['email']
>> mandatory = false
>> attributeDisplayName = urn:mace:dir:attribute-def:mail
>> attributeDescription = email
>>
>>
>> This makes Unity send the following in the
>> urn:mace:dir:attribute-def:mail attribute:
>> {"value":"fo...@ba...","confirmationData":{"[...]
>>
>> How can I change the MVEL expression of the rule to _only_ send the
>> value fo...@ba...? I've tried all combinations of attr['email'].value,
>> attr.email.value, etc, I could think of - but no success.
>>
>> Is there a way to get at only the email string?
>
> First of all you have hit a bug introduced while ago, that we also
> found very recently and is already fixed - will be included in the
> next release.
>
> The workaround isn't easy. It can be done with a complex MVEL expr
> only I guess.
>
> @Piotr: can you share your snippet that you have shown recently to me?
> Should help here.
>

Try put this as expression:

import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.HashMap;
new ObjectMapper().readValue(attr['email'], HashMap.class).get('value')

Cheers
Piotr

> Best,
> Krzysztof
From: Krzysztof B. <kb...@un...> - 2017-11-20 21:31:56

Hi,

On 20.11.2017 at 19:40, D Baum wrote:
> Hi,
>
> my Unity entities have an "email" attribute, which I'd like to send
> along in SAML Assertions to my SP (which authenticates against Unity).
>
> To do this, I've created an output translation profile which contains
> this rule:
>
> Condition: attr contains 'email'
> Action: createAttribute
> Action parameters: attributeName = urn:mace:dir:attribute-def:mail
> expression = attr['email']
> mandatory = false
> attributeDisplayName = urn:mace:dir:attribute-def:mail
> attributeDescription = email
>
>
> This makes Unity send the following in the
> urn:mace:dir:attribute-def:mail attribute:
> {"value":"fo...@ba...","confirmationData":{"[...]
>
> How can I change the MVEL expression of the rule to _only_ send the
> value fo...@ba...? I've tried all combinations of attr['email'].value,
> attr.email.value, etc, I could think of - but no success.
>
> Is there a way to get at only the email string?

First of all you have hit a bug introduced a while ago, that we also found very recently and is already fixed - it will be included in the next release.

The workaround isn't easy. It can be done with a complex MVEL expr only, I guess.

@Piotr: can you share your snippet that you have shown recently to me? Should help here.

Best,
Krzysztof
From: D B. <ba...@aw...> - 2017-11-20 18:40:47

Hi,

my Unity entities have an "email" attribute, which I'd like to send along in SAML Assertions to my SP (which authenticates against Unity).

To do this, I've created an output translation profile which contains this rule:

Condition: attr contains 'email'
Action: createAttribute
Action parameters: attributeName = urn:mace:dir:attribute-def:mail
expression = attr['email']
mandatory = false
attributeDisplayName = urn:mace:dir:attribute-def:mail
attributeDescription = email

This makes Unity send the following in the urn:mace:dir:attribute-def:mail attribute:
{"value":"fo...@ba...","confirmationData":{"[...]

How can I change the MVEL expression of the rule to _only_ send the value fo...@ba...? I've tried all combinations of attr['email'].value, attr.email.value, etc, I could think of - but no success.

Is there a way to get at only the email string?

Cheers,
D.
From: D B. <ba...@aw...> - 2017-11-16 14:55:41

Hi,

after having set up Unity as a SAML SP, I'm now also trying to configure it as a SAML IDP for my Spring-based webapp. The webapp uses Spring Security SAML (https://projects.spring.io/spring-security-saml/), which is based on OpenSAML.

If I try to log in to the webapp, I get redirected to Unity. There I can log in (with password auth) and have to confirm a form, then I get redirected back to the webapp. The webapp then reports a SAML error:

Caused by: org.opensaml.xml.security.SecurityException: SAML message intended destination (required by binding) was not present
at org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder.checkEndpointURI(BaseSAMLMessageDecoder.java:201) ~[opensaml-2.6.1.jar:?]
at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:72) ~[opensaml-2.6.1.jar:?]
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:80) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]

The response written to the logs indeed doesn't have a Destination tag or attribute (see attachment). Also, it's signed because the webapp is configured as <md:SPSSODescriptor WantAssertionsSigned="true" ...

The binding mentioned in the error message seems to be urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST.

Unity's autogenerated IDP metadata xml has two bindings:

<urn:SingleSignOnService Location="https://192.168.2.2:2443/saml-idp/saml2idp-web" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" />

<urn:SingleSignOnService Location="https://192.168.2.2:2443/saml-idp/saml2idp-web" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" />

If I remove the first one (HTTP-POST) and thus force the webapp to use HTTP-Redirect, the error above vanishes.

Is this a bug or a misconfiguration issue or something else?

In addition, I'm getting a security warning from my browser once I confirm the "A remote service has requested your authentication" dialog:
"The information you have entered on this page will be sent over an insecure connection and could be read by a third party. Are you sure you want to send this information?"

I'm assuming that the second problem is caused by some SSL/TLS issue - any hints on how to debug or remove it?

Thanks!
D.
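The OpenSAML error in this question, and Krzysztof's explanation of it in his reply above, come down to one binding-level rule: when the protocol message itself (not only the assertion) is signed, the Response must carry a Destination attribute, and the receiver must compare it with the URL the message actually arrived at (SAML 2.0 Bindings, HTTP-POST security considerations). The second problem in the thread, the browser warning, is visible in the same message as a plain-http Recipient. The following is an added example, not code from Unity or Spring Security SAML, that performs both checks on a Response delivered over HTTP-POST; the ACS URL and the three sample responses are constructed, and signature verification itself is deliberately out of scope (only the presence of a Response-level ds:Signature is used).

```python
"""Binding-level checks on a SAML 2.0 Response received over HTTP-POST.

Added example, not code from Unity or Spring Security SAML. It reproduces
the rule OpenSAML enforced in the thread: when the protocol message is
signed, the Response MUST carry a Destination attribute and it must equal
the URL the SP received it at. It also flags a non-https Recipient, which
is what produced the browser warning in the same thread. Signature
verification is out of scope; only the presence of a Response-level
ds:Signature is inspected. All URLs and documents below are constructed.
"""
import xml.etree.ElementTree as ET
from typing import List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def check_post_response(xml_text: str, received_at: str) -> List[str]:
    """Return the list of binding problems; an empty list means the checks pass."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]

    # Destination is mandatory only when the protocol message is signed,
    # but when present it must always match the receiving endpoint.
    response_signed = root.find("ds:Signature", NS) is not None
    destination = root.get("Destination")
    if response_signed and destination is None:
        problems.append("signed Response lacks required Destination attribute")
    if destination is not None and destination != received_at:
        problems.append(f"Destination {destination!r} != receiving URL {received_at!r}")

    # Recipient in SubjectConfirmationData must also name this endpoint, over TLS.
    for scd in root.iterfind(".//saml:SubjectConfirmationData", NS):
        recipient = scd.get("Recipient")
        if recipient and not recipient.startswith("https://"):
            problems.append(f"Recipient {recipient!r} is not https; the browser will post the form in clear")
        if recipient and recipient != received_at:
            problems.append(f"Recipient {recipient!r} != receiving URL {received_at!r}")
    return problems


ACS = "https://app.example/MyWebApp/saml/SSO"   # constructed SP endpoint

# Constructed: Response signed at the protocol level but without Destination,
# the combination the OpenSAML decoder rejected in the thread.
SIGNED_NO_DEST = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2017-11-16T14:00:00Z">
  <saml:Issuer>https://unity.example/saml-idp</saml:Issuer>
  <ds:Signature><ds:SignatureValue>...</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-11-16T14:00:00Z">
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="{ACS}"/>
    </saml:SubjectConfirmation></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed: the same message with Destination set, as the binding requires.
SIGNED_WITH_DEST = SIGNED_NO_DEST.replace('ID="_r1"', f'ID="_r1" Destination="{ACS}"')

# Constructed: unsigned Response (only the assertion would be signed) for an SP on plain http.
UNSIGNED_HTTP = SIGNED_NO_DEST.replace(
    "<ds:Signature><ds:SignatureValue>...</ds:SignatureValue></ds:Signature>", ""
).replace(ACS, "http://localhost:8080/MyWebApp/saml/SSO")

if __name__ == "__main__":
    print("signed, no Destination:", check_post_response(SIGNED_NO_DEST, ACS))
    print("signed, with Destination:", check_post_response(SIGNED_WITH_DEST, ACS))
    print("unsigned, http SP:", check_post_response(UNSIGNED_HTTP, "http://localhost:8080/MyWebApp/saml/SSO"))
```

The Destination comparison is what stops a signed Response captured for one SP endpoint from being replayed to another, so a workaround that merely drops the check (rather than, as in the thread, switching to a setup where only the assertion is signed) would remove a real protection.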
From: Krzysztof B. <kb...@un...> - 2017-11-13 19:15:53

Hi,

On 13.11.2017 at 16:00, D Baum wrote:
> Hi,
>
> I noticed that Unity IDM offers not only English but also a Polish as
> configurable language. Are there plans for supporting more languages or
> does this have low priority for the dev team?
>
> I'm asking because I'm wondering if there's a way to give back to this
> useful project and I thought I could e.g. do a German language
> translation - if that's useful to you.
>
> Is it useful and would you accept contributions from outside your core team?

Sure - it is open source ;-)

We already have the DE flag included, so "only" the messages are missing. I think a complete translation (i.e. including Admin UI, which has by far the largest amount of messages) is not that critical, but an end-user facing translation would be very welcome. This is the way the PL translation is done, so creating counterparts wherever there are messages_pl.properties will be (by far) enough.

Thanks,
Krzysztof

PS: The short list of contributors shown by GitHub is incomplete. After migrating to GitHub only people who contributed in the original Assembla repo and at the same time have a GitHub account with the same email are listed. Which means: Bernd.
From: D B. <ba...@aw...> - 2017-11-13 15:00:41

Hi,

I noticed that Unity IDM offers not only English but also Polish as a configurable language. Are there plans for supporting more languages or does this have low priority for the dev team?

I'm asking because I'm wondering if there's a way to give back to this useful project and I thought I could e.g. do a German language translation - if that's useful to you.

Is it useful and would you accept contributions from outside your core team?

Cheers,
D.
From: D B. <ba...@aw...> - 2017-11-07 14:12:00

Hi,

On 06/11/17 22:56, Krzysztof Benedyczak wrote:
>> However, I still can't get Unity to sign the AuthnRequests.
>>
> OK, so Unity is using Shib IdP. From Shib PoV Unity is an *SP*.

Yes

>> unity.saml.requester.defaultSignRequest=true
> -> no problem here but this setting will be used only for IdPs which
> were not configured with metadata. So in your case - never.

OK, good to know - thanks :-)

>> unity.saml.requester.metadataSource=${CONF}/sp-metadata.xml
> ^ -> this one is Unity's own metadata

Yes

>> unity.saml.requester.requesterEntityId=https://unity-service-provider
>> unity.saml.requester.metadataSource.umsso.url=file:///etc/unity-idm/idp-metadata.xml
>>
> ^ -> this will be config of your trusted IdP. Is this your Shib's IdP
> metadata?

Yes

>> So I'm configuring both SP and IDP via XML metadata files. The SP
>> metadata xml contains this tag:
>>
>> <md:SPSSODescriptor AuthnRequestsSigned="true"
>> WantAssertionsSigned="true"
>> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>>
> This won't configure Unity's SP functioning. This will be only sent as
> your server's metadata and you should ensure that this config is
> consistent with your server.

By server you mean Unity? I think I'm just not very clear on what parts of Unity are configurable through metadata. I had assumed that Unity would configure its SAML SP from the SP metadata. But it seems you're saying: SP metadata isn't used to configure Unity at all but is just served at the configured metadata URL. Is that correct?

So if I have <SPSSODescriptor WantAssertionsSigned="true" ...> in my SP metadata, I should also use this configuration parameter?

unity.saml.requester.requireSignedAssertion=true

> Assuming you configure your trusted IdP with metadata then it is covered
> by its SAML metadata. I.e. Shibboleth IdP metadata should tell Unity
> that Unity has to sign the request which will be sent to Shib.
> WantAuthnRequestsSigned="true" should be in IDP's descriptor.

Thanks! That helped, now my Unity SAML SP is signing its AuthnRequests! :-)

I guess adding a config option for this for the Unity SP would be considered fluff since signing AuthnRequests is of little use if the IDP doesn't enforce signed AuthnRequests?

> You can also overwrite this in Unity config, by creating manual entries
> for your Shibboleth IdP.

But in that case I have to configure *everything* about this IDP through the Unity config (and not with metadata), right?

> In any case make sure to enable DEBUG logging on configuration and saml
> logging facilities. This should help.

Thanks, using DEBUG on configuration is really helpful :-)

Thanks,
D.
From: Krzysztof B. <kb...@un...> - 2017-11-06 21:56:19

Hi,

This is a little bit inconsistent:

On 03.11.2017 at 20:44, D Baum wrote:
> Hi!
>
> my Unity SAML SP authenticating against a Shibboleth IDP is almost
> working now :-)
> However, I still can't get Unity to sign the AuthnRequests.
>

OK, so Unity is using Shib IdP. From Shib PoV Unity is an *SP*.

> This is my Unity SAML configuration:
>
> unity.saml.requester.defaultSignRequest=true

-> no problem here but this setting will be used only for IdPs which were not configured with metadata. So in your case - never.

> unity.saml.requester.metadataSource=${CONF}/sp-metadata.xml

^ -> this one is Unity's own metadata

> unity.saml.requester.requesterEntityId=https://unity-service-provider
> unity.saml.requester.metadataSource.umsso.url=file:///etc/unity-idm/idp-metadata.xml

^ -> this will be config of your trusted IdP. Is this your Shib's IdP metadata?

> unity.saml.requester.metadataSource.umsso.perMetadataTranslationProfile=MySAMLInputProfile
> unity.saml.requester.metadataPath=unity-sp
> unity.saml.requester.requesterCredential=MYCRED
>
> So I'm configuring both SP and IDP via XML metadata files. The SP
> metadata xml contains this tag:
>
> <md:SPSSODescriptor AuthnRequestsSigned="true"
> WantAssertionsSigned="true"
> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>

This won't configure Unity's SP functioning. This will be only sent as your server's metadata and you should ensure that this config is consistent with your server.

> Because of AuthnRequestsSigned="true", the IDP expects signed
> AuthnRequests - but doesn't seem to get them. It complains in its logs
> when I try to log in:
>
> Message did not meet security requirements
> org.opensaml.ws.security.SecurityPolicyException: Inbound AuthnRequest
> was required to be signed but was not
>
> How can I switch on AuthnRequest signing for the Unity SAML SP?

Assuming you configure your trusted IdP with metadata then it is covered by its SAML metadata. I.e. Shibboleth IdP metadata should tell Unity that Unity has to sign the request which will be sent to Shib. WantAuthnRequestsSigned="true" should be in the IdP's descriptor.

You can also overwrite this in Unity config, by creating manual entries for your Shibboleth IdP.

In any case make sure to enable DEBUG logging on configuration and saml logging facilities. This should help.

HTH,
Krzysztof
From: D B. <ba...@aw...> - 2017-11-03 19:44:11

Hi!

my Unity SAML SP authenticating against a Shibboleth IDP is almost working now :-)
However, I still can't get Unity to sign the AuthnRequests.

This is my Unity SAML configuration:

unity.saml.requester.defaultSignRequest=true
unity.saml.requester.metadataSource=${CONF}/sp-metadata.xml
unity.saml.requester.requesterEntityId=https://unity-service-provider
unity.saml.requester.metadataSource.umsso.url=file:///etc/unity-idm/idp-metadata.xml
unity.saml.requester.metadataSource.umsso.perMetadataTranslationProfile=MySAMLInputProfile
unity.saml.requester.metadataPath=unity-sp
unity.saml.requester.requesterCredential=MYCRED

So I'm configuring both SP and IDP via XML metadata files. The SP metadata xml contains this tag:

<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

Because of AuthnRequestsSigned="true", the IDP expects signed AuthnRequests - but doesn't seem to get them. It complains in its logs when I try to log in:

Message did not meet security requirements
org.opensaml.ws.security.SecurityPolicyException: Inbound AuthnRequest was required to be signed but was not

How can I switch on AuthnRequest signing for the Unity SAML SP?

Thanks!
D
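The thread above (this question and the two replies before it) turns on which input actually decides whether Unity's SP signs its AuthnRequest: the SP's own published metadata only advertises behaviour and configures nothing; for an IdP loaded from metadata the decision comes from that IdP's IDPSSODescriptor/@WantAuthnRequestsSigned (a manual per-IdP entry in Unity's config can override it); and a defaultSignRequest-style setting applies only to IdPs configured without metadata. The following is an added example, not Unity code, that models that precedence and flags the inconsistency Krzysztof pointed out (SP metadata promising signed requests while the effective decision is not to sign). The metadata fragments are constructed; treating an absent WantAuthnRequestsSigned attribute as "false" for a metadata-configured IdP is an assumption of the example.

```python
"""Decide whether a SAML SP must sign its AuthnRequest for a given IdP.

Added example, not Unity code. Precedence modelled from the thread:
  1. an explicit manual per-IdP entry wins;
  2. otherwise, for an IdP configured from metadata, its
     IDPSSODescriptor/@WantAuthnRequestsSigned decides (absent -> false,
     an assumption of this example);
  3. only for an IdP configured without metadata does the global
     defaultSignRequest-style setting apply.
The SP's own metadata (SPSSODescriptor/@AuthnRequestsSigned) is advertised,
not enforced, so it is only cross-checked for consistency.
All metadata documents below are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Optional

MD = "urn:oasis:names:tc:SAML:2.0:metadata"


def _flag(elem: Optional[ET.Element], attr: str) -> Optional[bool]:
    """Read an xs:boolean attribute; None when the element or attribute is absent."""
    if elem is None or elem.get(attr) is None:
        return None
    return elem.get(attr).strip().lower() in ("true", "1")


def idp_wants_signed_requests(idp_metadata: str) -> Optional[bool]:
    root = ET.fromstring(idp_metadata)
    return _flag(root.find(f".//{{{MD}}}IDPSSODescriptor"), "WantAuthnRequestsSigned")


def sp_advertises_signed_requests(sp_metadata: str) -> Optional[bool]:
    root = ET.fromstring(sp_metadata)
    return _flag(root.find(f".//{{{MD}}}SPSSODescriptor"), "AuthnRequestsSigned")


def must_sign_request(idp_metadata: Optional[str], default_sign: bool,
                      manual_override: Optional[bool] = None) -> bool:
    """Effective signing decision for one IdP (see precedence in the module docstring)."""
    if manual_override is not None:
        return manual_override
    if idp_metadata is not None:
        return bool(idp_wants_signed_requests(idp_metadata))
    return default_sign


def consistency_warning(sp_metadata: str, effective_sign: bool) -> Optional[str]:
    """Warn when the SP advertises AuthnRequestsSigned but will not actually sign."""
    if sp_advertises_signed_requests(sp_metadata) and not effective_sign:
        return "SP metadata advertises AuthnRequestsSigned=true but requests will be unsigned"
    return None


# Constructed metadata fragments (entity IDs taken from the thread's config).
IDP_WANTS = (f'<md:EntityDescriptor xmlns:md="{MD}" entityID="https://idp.example">'
             '<md:IDPSSODescriptor WantAuthnRequestsSigned="true" '
             'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
             '</md:EntityDescriptor>')
IDP_SILENT = IDP_WANTS.replace(' WantAuthnRequestsSigned="true"', "")
SP_META = (f'<md:EntityDescriptor xmlns:md="{MD}" entityID="https://unity-service-provider">'
           '<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" '
           'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
           '</md:EntityDescriptor>')

if __name__ == "__main__":
    for label, idp in [("idp_wants_signed", IDP_WANTS), ("idp_silent", IDP_SILENT), ("no_metadata", None)]:
        sign = must_sign_request(idp, default_sign=True)
        print(f"{label}: sign={sign} warning={consistency_warning(SP_META, sign)}")
```

Run as-is, the "idp_silent" case is the situation from the thread: defaultSignRequest=true is ignored because the IdP came from metadata, the request goes out unsigned, and the consistency check reports the mismatch with the published SP metadata before the IdP does.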
From: Krzysztof B. <kb...@un...> - 2017-11-03 10:10:42

Dear Subscribers,

A new release was just made available. The biggest innovation of it won't be noticeable to you: it was the first fully automated[*] release - including only a few mouse clicks to have everything updated from the source repository tag to the updated testbed environment. Of course a big part of our work was focused on the already mentioned migration to GitHub and JIRA.

Besides this big change, the new release brings two significant improvements:

- Emails sent from Unity can have the content type set to HTML. What is more, a new type of message template was introduced: generic. Generic templates are not sent on their own, but can be included in other templates. This way site-wide message templates can be easily managed. And yes – Unity now comes with nice HTML emails available out of the box.

- The SAML metadata discovery and management subsystem was completely rewritten to eliminate the issues which were quite often brought up by our users. The new implementation is significantly simpler, better tested and should be more stable.

Besides that, there are some smaller improvements, such as OIDC discovery and PAM bugs fixed.

What is more, we have already made big progress on the subsequent release work. It should be available still this year and will bring way bigger changes, greatly simplifying integration with typical external IdPs and translation profiles management.

Best regards,
Krzysztof

[*] OK, not fully: this email and web page notifications were not bot-generated :-)
From: D B. <ba...@aw...> - 2017-11-03 09:36:33
|
Hi, thanks!

Setting unityServer.core.httpServer.advertisedHost=192.168.1.100:2443 in ${CONF}/unityServer.conf indeed fixed the issue.

Cheers,
D

On 25/10/17 16:43, Krzysztof Benedyczak wrote:
> Hi,
>
> On 24.10.2017 at 16:21, D Baum wrote:
>> Hi,
>>
>> I'm trying to set up Unity as a SAML hub/bridge by connecting it to an
>> upstream Shibboleth SAML IdP.
>>
>> I first tried this while running unity on the preconfigured port 2443 -
>> but I noticed that the sp xml configuration file and the AuthnRequests
>> generated by Unity don't specify the port in URLs.
>> After I logged in with the IdP, this led to a timeout when my browser
>> was redirected to unity's AssertionConsumerService - which couldn't be
>> found at the given URL since the port wasn't correct.
>>
>> Is this intentional? If so, can the port of unity's SAML SP consumers be
>> configured and how?
>
> Most likely you didn't set properly the advertisedHost address in the
> main unityServer.conf. It is used as a base, and Unity can not guess it
> as it may be behind a proxy/fw.
>
> HTH
> Krzysztof |
From: Krzysztof B. <kb...@un...> - 2017-10-25 14:43:27
|
Hi,

On 24.10.2017 at 16:21, D Baum wrote:
> Hi,
>
> I'm trying to set up Unity as a SAML hub/bridge by connecting it to an
> upstream Shibboleth SAML IdP.
>
> I first tried this while running unity on the preconfigured port 2443 -
> but I noticed that the sp xml configuration file and the AuthnRequests
> generated by Unity don't specify the port in URLs.
> After I logged in with the IdP, this led to a timeout when my browser
> was redirected to unity's AssertionConsumerService - which couldn't be
> found at the given URL since the port wasn't correct.
>
> Is this intentional? If so, can the port of unity's SAML SP consumers be
> configured and how?

Most likely you didn't set properly the advertisedHost address in the main unityServer.conf. It is used as a base, and Unity can not guess it as it may be behind a proxy/fw.

HTH
Krzysztof |
From: D B. <ba...@aw...> - 2017-10-24 14:22:03
|
Hi,

I'm trying to set up Unity as a SAML hub/bridge by connecting it to an upstream Shibboleth SAML IdP.

I first tried this while running unity on the preconfigured port 2443 - but I noticed that the sp xml configuration file and the AuthnRequests generated by Unity don't specify the port in URLs. After I logged in with the IdP, this led to a timeout when my browser was redirected to unity's AssertionConsumerService - which couldn't be found at the given URL since the port wasn't correct.

Is this intentional? If so, can the port of unity's SAML SP consumers be configured and how?

Example sp metadata xml produced by Unity (no ports in the URLs):

<urn:EntityDescriptor entityID="SomeEntityID" xmlns:urn="urn:oasis:names:tc:SAML:2.0:metadata">
  <urn:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <urn:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://192.168.42.42/unitygw/spSAMLResponseConsumer" isDefault="true"/>
    <urn:AssertionConsumerService index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://192.168.42.42/unitygw/spSAMLResponseConsumer" isDefault="false"/>
  </urn:SPSSODescriptor>
</urn:EntityDescriptor>

Example AuthnRequest produced by Unity (no ports in the URL):

<?xml version="1.0" encoding="UTF-8"?>
<urn:AuthnRequest xmlns:urn="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://192.168.42.42/unitygw/spSAMLResponseConsumer" Destination="https://my-shibboleth-idp.org:443/idp/profile/SAML2/Redirect/SSO" ID="SAMLY2lib_msg_41c326779d8ac2146cfca15dd5ddc6794898f6f9f31ba97d" IssueInstant="2017-10-24T14:01:21.103Z" Version="2.0">
  <urn1:Issuer xmlns:urn1="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">SomeEntityID</urn1:Issuer>
  <urn:NameIDPolicy AllowCreate="true"/>
</urn:AuthnRequest>

Thanks!
D |
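The two problems raised in this thread (ACS URLs that omit the port Unity listens on, discussed in this message, and an IdP rejecting an AuthnRequest that the SP metadata promised would be signed, discussed in the message at the top of the page) can both be caught offline before the IdP's logs do it for you. The script below is an added example, not Unity's own code: it parses the SP metadata and the AuthnRequest, flags any AssertionConsumerService Location whose host[:port] differs from the value you intend to set as unityServer.core.httpServer.advertisedHost, and checks whether a request actually carries a signature when the metadata declares AuthnRequestsSigned="true". The sample metadata, request and redirect URL are constructed here and modelled on the documents quoted in the thread; the host names and the advertisedHost value are assumptions.

```python
"""Offline sanity checks for a Unity-generated SAML SP metadata document and
AuthnRequest. Added example, not Unity's code; all sample documents are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# ElementTree matches elements by namespace URI, so the "urn:" prefix Unity
# emits and the "md:" / "samlp:" prefixes used here resolve to the same elements.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample modelled on the metadata quoted in the thread: the ACS
# Locations carry no port although Unity listens on 2443.
SP_METADATA = """<urn:EntityDescriptor entityID="SomeEntityID"
    xmlns:urn="urn:oasis:names:tc:SAML:2.0:metadata">
  <urn:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <urn:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://192.168.42.42/unitygw/spSAMLResponseConsumer" isDefault="true"/>
    <urn:AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://192.168.42.42/unitygw/spSAMLResponseConsumer" isDefault="false"/>
  </urn:SPSSODescriptor>
</urn:EntityDescriptor>"""

# Constructed unsigned AuthnRequest in its POST-binding form, where a signature
# would appear as an enveloped ds:Signature child element. Host and ID are assumed.
UNSIGNED_REQUEST = """<urn:AuthnRequest xmlns:urn="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://192.168.42.42/unitygw/spSAMLResponseConsumer"
    Destination="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"
    ID="_constructed-request-id" IssueInstant="2017-10-24T14:01:21.103Z" Version="2.0">
  <urn1:Issuer xmlns:urn1="urn:oasis:names:tc:SAML:2.0:assertion">SomeEntityID</urn1:Issuer>
  <urn:NameIDPolicy AllowCreate="true"/>
</urn:AuthnRequest>"""

# Constructed HTTP-Redirect URL. In that binding the XML is never signed; the
# signature travels in the SigAlg and Signature query parameters, absent here.
UNSIGNED_REDIRECT_URL = ("https://idp.example.org/idp/profile/SAML2/Redirect/SSO"
                         "?SAMLRequest=ZmFrZS1kZWZsYXRlZC1yZXF1ZXN0&RelayState=abc")


def acs_locations(metadata_xml):
    """All AssertionConsumerService Location URLs in the SP metadata."""
    root = ET.fromstring(metadata_xml)
    return [e.get("Location") for e in root.iterfind(".//md:AssertionConsumerService", NS)]


def mismatched_acs(metadata_xml, advertised_host):
    """ACS Locations whose host[:port] differs from the intended advertisedHost."""
    return [loc for loc in acs_locations(metadata_xml)
            if urlsplit(loc).netloc != advertised_host]


def requests_must_be_signed(metadata_xml):
    """True when the SPSSODescriptor declares AuthnRequestsSigned="true"."""
    sso = ET.fromstring(metadata_xml).find("md:SPSSODescriptor", NS)
    return sso is not None and sso.get("AuthnRequestsSigned", "false").lower() == "true"


def authn_request_is_signed(request_xml=None, redirect_url=None):
    """Binding-aware presence check: enveloped ds:Signature for HTTP-POST,
    SigAlg plus Signature query parameters for HTTP-Redirect."""
    if redirect_url is not None:
        params = parse_qs(urlsplit(redirect_url).query)
        return "SigAlg" in params and "Signature" in params
    return ET.fromstring(request_xml).find("ds:Signature", NS) is not None


def audit(metadata_xml, advertised_host, request_xml=None, redirect_url=None):
    """Return human-readable findings; an empty list means both checks passed."""
    findings = [f"ACS Location {loc} does not match advertisedHost {advertised_host}"
                for loc in mismatched_acs(metadata_xml, advertised_host)]
    if requests_must_be_signed(metadata_xml) and not authn_request_is_signed(
            request_xml=request_xml, redirect_url=redirect_url):
        findings.append('metadata declares AuthnRequestsSigned="true" but the '
                        "AuthnRequest carries no signature; the IdP will reject it")
    return findings


if __name__ == "__main__":
    for line in audit(SP_METADATA, "192.168.42.42:2443", redirect_url=UNSIGNED_REDIRECT_URL):
        print("FINDING:", line)
```

Run against the thread's own documents this reports three findings: both ACS Locations lack the :2443 port, and the request is unsigned although the metadata promises signing, which is exactly the OpenSAML "Inbound AuthnRequest was required to be signed but was not" rejection. Note that the check only establishes that a signature is present; validating it requires the SP certificate from the metadata and a proper XML-DSig (POST) or query-string signature (Redirect) verification, which the IdP performs and this script deliberately does not.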
From: Krzysztof B. <kb...@un...> - 2017-10-18 20:39:33
|
Dear Subscribers,

It is time to make this official: after a couple of days of very intensive work Unity was moved to GitHub from Assembla, which hosted the project for nearly 5 years. The new source code repository address is: https://github.com/unity-idm/unity

This change was motivated by the fact that Assembla resigned some time ago from providing free hosting for Open Source projects. The Unity project was not closed (nor were there any threats from Assembla) but there were numerous signs that the plan the Unity project was using is deprecated if not abandoned. What is more, using Assembla for outsiders started to be a pain and some of the features stopped working correctly.

GitHub was a natural choice, as the de facto standard hosting provider for the Open Source community. Hopefully most of you already have GitHub accounts so collaboration should not be disturbed.

Currently the wiki is still in the process of being migrated. Eventually it will land on the GitHub wiki space.

There are no planned changes as of now wrt this mailing list and SF as the distribution point; both work pretty well.

The Assembla project will not be closed, but to ensure that it is not actively used I'll change all members' permissions to read-only access.

The Unity issue tracker was moved to our own JIRA instance. We managed to preserve a complete history, losing only some minimal parts of tickets' metadata. There is public read-only access enabled. https://dev.unity-idm.eu/jira/projects/UY/issues

The issue tracker is one of the open points. The JIRA that we moved to provides us with all required features to have flexible project management. However, we have a license with a restricted number of users - suitable for the core team. Therefore we plan to collect your feedback from this ML and other ML channels that we have established and convert it to tickets on our own. We hope this will work out fine.

In case more direct collaboration is required we can consider some alternatives, for instance enabling the simple GitHub tracker as a frontend tracker.

Cheers,
Krzysztof |