From: D B. <ba...@aw...> - 2017-11-20 18:40:47

Hi,

my Unity entities have an "email" attribute, which I'd like to send along in SAML Assertions to my SP (which authenticates against Unity). To do this, I've created an output translation profile which contains this rule:

Condition: attr contains 'email'
Action: createAttribute
Action parameters:
  attributeName = urn:mace:dir:attribute-def:mail
  expression = attr['email']
  mandatory = false
  attributeDisplayName = urn:mace:dir:attribute-def:mail
  attributeDescription = email

This makes Unity send the following in the urn:mace:dir:attribute-def:mail attribute:

{"value":"fo...@ba...","confirmationData":{"[...]

How can I change the MVEL expression of the rule to _only_ send the value fo...@ba...? I've tried all combinations of attr['email'].value, attr.email.value, etc. I could think of - but no success. Is there a way to get at only the email string?

Cheers,
D.
From: D B. <ba...@aw...> - 2017-11-16 14:55:41

Hi,

after having set up Unity as a SAML SP, I'm now also trying to configure it as a SAML IDP for my Spring-based webapp. The webapp uses Spring Security SAML (https://projects.spring.io/spring-security-saml/), which is based on OpenSAML.

If I try to log in to the webapp, I get redirected to Unity. There I can log in (with password auth) and have to confirm a form, then I get redirected back to the webapp. The webapp then reports a SAML error:

Caused by: org.opensaml.xml.security.SecurityException: SAML message intended destination (required by binding) was not present
        at org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder.checkEndpointURI(BaseSAMLMessageDecoder.java:201) ~[opensaml-2.6.1.jar:?]
        at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:72) ~[opensaml-2.6.1.jar:?]
        at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
        at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]
        at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:80) ~[spring-security-saml2-core-1.0.2.RELEASE.jar:1.0.2.RELEASE]

The response written to the logs indeed doesn't have a Destination tag or attribute (see attachment). Also, it's signed because the webapp is configured as

<md:SPSSODescriptor WantAssertionsSigned="true" ...

The binding mentioned in the error message seems to be urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST.

Unity's autogenerated IDP metadata xml has two bindings:

<urn:SingleSignOnService Location="https://192.168.2.2:2443/saml-idp/saml2idp-web" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" />
<urn:SingleSignOnService Location="https://192.168.2.2:2443/saml-idp/saml2idp-web" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" />

If I remove the first one (HTTP-POST) and thus force the webapp to use HTTP-Redirect, the error above vanishes. Is this a bug or a misconfiguration issue or something else?

In addition, I'm getting a security warning from my browser once I confirm the "A remote service has requested your authentication" dialog:

"The information you have entered on this page will be sent over an insecure connection and could be read by a third party. Are you sure you want to send this information?"

I'm assuming that the second problem is caused by some SSL/TLS issue - any hints on how to debug or remove it?

Thanks!
D.
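The OpenSAML check that fails in the post above is the SAML 2.0 bindings rule that a signed message sent over HTTP-POST must carry a Destination attribute, and that the Destination must equal the endpoint that actually received the message (this is what stops a response minted for one SP from being replayed to another). The following is an added example in Python, not code from Unity, OpenSAML or Spring Security SAML; the response messages and the ACS URL are constructed for illustration, and the check mirrors the rule as stated, not the exact OpenSAML implementation.

```python
"""Receiving-side Destination check for a SAML 2.0 Response over HTTP-POST.

Added example, not Unity or OpenSAML code. Sample messages and the ACS URL below
are constructed; the signature element is a placeholder, not a verified signature.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"


def normalize_endpoint(url: str) -> str:
    """Canonical form for endpoint comparison: lowercase scheme and host, drop the default port.

    Query string and fragment are deliberately not part of the comparison: the
    Destination names an endpoint, not a request.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None or (scheme, port) in (("https", 443), ("http", 80)):
        netloc = host
    else:
        netloc = f"{host}:{port}"
    return f"{scheme}://{netloc}{parts.path}"


def check_destination(response_xml: str, received_at: str) -> str:
    """Apply the HTTP-POST binding rule to a samlp:Response received at `received_at`.

    Returns a short verdict string starting with "ok" or "reject".
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return "reject: not a samlp:Response"
    # Presence of an enveloped ds:Signature is what makes Destination mandatory
    # under the POST binding (signature verification itself is out of scope here).
    signed = root.find(f"{{{DS}}}Signature") is not None
    destination = root.get("Destination")
    if destination is None:
        if signed:
            return "reject: signed message without Destination"
        return "ok: unsigned message, Destination is optional"
    if normalize_endpoint(destination) != normalize_endpoint(received_at):
        return f"reject: Destination {destination!r} is not this endpoint"
    return "ok: Destination matches receiving endpoint"


# ---- constructed sample data ----------------------------------------------
ACS_URL = "https://webapp.example.test/saml/SSO"  # constructed SP endpoint


def _response(attrs: str, signed: bool) -> str:
    """Build a minimal samlp:Response; `attrs` is extra attribute text for the root."""
    sig = (f'<ds:Signature xmlns:ds="{DS}"><ds:SignatureValue>ZmFrZQ==</ds:SignatureValue></ds:Signature>'
           if signed else "")
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0" '
            f'IssueInstant="2017-11-16T14:00:00Z"{attrs}>{sig}</samlp:Response>')


SIGNED_NO_DESTINATION = _response("", signed=True)            # the case in the post
SIGNED_WITH_DESTINATION = _response(f' Destination="{ACS_URL}"', signed=True)
SIGNED_WRONG_DESTINATION = _response(' Destination="https://other.example.test/saml/SSO"', signed=True)
UNSIGNED_NO_DESTINATION = _response("", signed=False)

if __name__ == "__main__":
    for name, msg in [("signed, no Destination", SIGNED_NO_DESTINATION),
                      ("signed, matching Destination", SIGNED_WITH_DESTINATION),
                      ("signed, foreign Destination", SIGNED_WRONG_DESTINATION),
                      ("unsigned, no Destination", UNSIGNED_NO_DESTINATION)]:
        print(f"{name:30s} -> {check_destination(msg, ACS_URL)}")
```

The first case reproduces the post: a signed Response with no Destination is rejected before any signature or assertion processing happens, which is why the SP never gets as far as reporting a bad signature. The third case is the one the rule exists for; an SP that skipped the comparison would accept a message addressed to a different service.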
From: Krzysztof B. <kb...@un...> - 2017-11-13 19:15:53

Hi,

On 13.11.2017 at 16:00, D Baum wrote:
> Hi,
>
> I noticed that Unity IDM offers not only English but also a Polish as
> configurable language. Are there plans for supporting more languages or
> does this have low priority for the dev team?
>
> I'm asking because I'm wondering if there's a way to give back to this
> useful project and I thought I could e.g. do a German language
> translation - if that's useful to you.
>
> Is it useful and would you accept contributions from outside your core team?

Sure - it is open source ;-)

We already have the DE flag included, so "only" the messages are missing. I think a complete translation (i.e. including Admin UI, which has by far the largest amount of messages) is not that critical, but end-user facing translation would be very welcome. This way the PL translation is done, so creating counterparts whenever there are messages_pl.properties will be (by far) enough.

Thanks,
Krzysztof

PS: The short list of contributors shown by GitHub is incomplete. After migrating to GitHub only people who contributed in the original Assembla repo and at the same time have a GitHub account with the same email are listed. What means: Bernd.
From: D B. <ba...@aw...> - 2017-11-13 15:00:41

Hi,

I noticed that Unity IDM offers not only English but also a Polish as configurable language. Are there plans for supporting more languages or does this have low priority for the dev team?

I'm asking because I'm wondering if there's a way to give back to this useful project and I thought I could e.g. do a German language translation - if that's useful to you.

Is it useful and would you accept contributions from outside your core team?

Cheers,
D.
From: D B. <ba...@aw...> - 2017-11-07 14:12:00

Hi,

On 06/11/17 22:56, Krzysztof Benedyczak wrote:
>> However, I still can't get Unity to sign the AuthnRequests.
>>
> OK, so Unity is using Shib IdP. From Shib PoV Unity is an *SP*.

Yes

>> unity.saml.requester.defaultSignRequest=true
> -> no problem here but this setting will be used only for IdPs which
> were not configured with metadata. So in your case - never.

OK, good to know - thanks :-)

>> unity.saml.requester.metadataSource=${CONF}/sp-metadata.xml
> ^ -> this one is Unity's own metadata

Yes

>> unity.saml.requester.requesterEntityId=https://unity-service-provider
>> unity.saml.requester.metadataSource.umsso.url=file:///etc/unity-idm/idp-metadata.xml
>>
> ^ -> this will be config of your trusted IdP. Is this your Shib's IdP
> metadata?

Yes

>> So I'm configuring both SP and IDP via XML metadata files. The SP
>> metadata xml contains this tag:
>>
>> <md:SPSSODescriptor AuthnRequestsSigned="true"
>> WantAssertionsSigned="true"
>> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>>
> This won't configure Unity's SP functioning. This will be only sent as
> your server's metadata and you should ensure that this config is
> consistent with your server.

By server you mean Unity? I think I'm just not very clear on what parts of unity are configurable through metadata. I had assumed that Unity would configure its SAML SP from the SP metadata. But it seems you're saying: SP metadata isn't used to configure Unity at all but just served at the configured metadata URL. Is that correct?

So if I have <SPSSODescriptor WantAssertionsSigned="true" ...> in my SP metadata, I should also use this configuration parameter?

unity.saml.requester.requireSignedAssertion=true

> Assuming you configure your trusted IdP with metadata then it is covered
> by its SAML metadata. I.e. Shibboleth IdP metadata should tell Unity
> that Unity has to sign the request which will be sent to Shib.
> WantAuthnRequestsSigned="true" should be in IDP's descriptor.

Thanks! That helped, now my Unity SAML SP is signing its AuthnRequests! :-)

I guess adding a config option for this for the Unity SP would be considered fluff since signing AuthnRequests is of little use if the IDP doesn't enforce signed AuthnRequests?

> You can also overwrite this in Unity config, by creating manual entries
> for your Shibboleth IdP.

But in that case I have to configure *everything* about this IDP through the Unity config (and not with metadata), right?

> In any case make sure to enable DEBUG logging on configuration and saml
> logging facilities. This should help.

Thanks, using DEBUG on configuration is really helpful :-)

Thanks,
D.
From: Krzysztof B. <kb...@un...> - 2017-11-06 21:56:19

Hi,

This is a little bit inconsistent:

On 03.11.2017 at 20:44, D Baum wrote:
> Hi!
>
> my Unity SAML SP authenticating against a Shibboleth IDP is almost
> working now :-)
> However, I still can't get Unity to sign the AuthnRequests.
>
OK, so Unity is using Shib IdP. From Shib PoV Unity is an *SP*.

> This is my Unity SAML configuration:
>
> unity.saml.requester.defaultSignRequest=true
-> no problem here but this setting will be used only for IdPs which were not configured with metadata. So in your case - never.

> unity.saml.requester.metadataSource=${CONF}/sp-metadata.xml
^ -> this one is Unity's own metadata

> unity.saml.requester.requesterEntityId=https://unity-service-provider
> unity.saml.requester.metadataSource.umsso.url=file:///etc/unity-idm/idp-metadata.xml
^ -> this will be config of your trusted IdP. Is this your Shib's IdP metadata?

> unity.saml.requester.metadataSource.umsso.perMetadataTranslationProfile=MySAMLInputProfile
> unity.saml.requester.metadataPath=unity-sp
> unity.saml.requester.requesterCredential=MYCRED
>
> So I'm configuring both SP and IDP via XML metadata files. The SP
> metadata xml contains this tag:
>
> <md:SPSSODescriptor AuthnRequestsSigned="true"
> WantAssertionsSigned="true"
> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>
This won't configure Unity's SP functioning. This will be only sent as your server's metadata and you should ensure that this config is consistent with your server.

> Because of AuthnRequestsSigned="true", the IDP expects signed
> AuthnRequests - but doesn't seem to get them. It complains in its logs
> when I try to log in:
>
> Message did not meet security requirements
> org.opensaml.ws.security.SecurityPolicyException: Inbound AuthnRequest
> was required to be signed but was not
>
> How can I switch on AuthnRequest signing for the Unity SAML SP?

Assuming you configure your trusted IdP with metadata then it is covered by its SAML metadata. I.e. Shibboleth IdP metadata should tell Unity that Unity has to sign the request which will be sent to Shib. WantAuthnRequestsSigned="true" should be in IDP's descriptor.

You can also overwrite this in Unity config, by creating manual entries for your Shibboleth IdP.

In any case make sure to enable DEBUG logging on configuration and saml logging facilities. This should help.

HTH,
Krzysztof
From: D B. <ba...@aw...> - 2017-11-03 19:44:11

Hi!

my Unity SAML SP authenticating against a Shibboleth IDP is almost working now :-)
However, I still can't get Unity to sign the AuthnRequests.

This is my Unity SAML configuration:

unity.saml.requester.defaultSignRequest=true
unity.saml.requester.metadataSource=${CONF}/sp-metadata.xml
unity.saml.requester.requesterEntityId=https://unity-service-provider
unity.saml.requester.metadataSource.umsso.url=file:///etc/unity-idm/idp-metadata.xml
unity.saml.requester.metadataSource.umsso.perMetadataTranslationProfile=MySAMLInputProfile
unity.saml.requester.metadataPath=unity-sp
unity.saml.requester.requesterCredential=MYCRED

So I'm configuring both SP and IDP via XML metadata files. The SP metadata xml contains this tag:

<md:SPSSODescriptor AuthnRequestsSigned="true"
    WantAssertionsSigned="true"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

Because of AuthnRequestsSigned="true", the IDP expects signed AuthnRequests - but doesn't seem to get them. It complains in its logs when I try to log in:

Message did not meet security requirements
org.opensaml.ws.security.SecurityPolicyException: Inbound AuthnRequest was required to be signed but was not

How can I switch on AuthnRequest signing for the Unity SAML SP?

Thanks!
D
From: Krzysztof B. <kb...@un...> - 2017-11-03 10:10:42

Dear Subscribers,

A new release was just made available.

The biggest innovation of it won't be noticeable to you: it was the first fully automated[*] release - including only a few mouse clicks to have everything updated from source repository tag to updated testbed environment. Of course a big part of our work was focused on the already mentioned migration to GitHub and JIRA.

Besides this big change, the new release brings two significant improvements:

- Emails sent from Unity can have content type set to HTML. What is more, a new type of message template was introduced: generic. Generic templates are not sent on their own, but can be included in other templates. This way site-wide message templates can be easily managed. And yes – Unity now comes with nice HTML emails available out of the box.

- SAML metadata discovery and management subsystem was completely rewritten to eliminate the issues which were quite often brought by our users. The new implementation is significantly simpler, better tested and should be more stable.

Besides there are some smaller improvements as OIDC discovery and PAM bugs fixed.

What is more, we have already made big progress on subsequent release work. It should be available still this year and will bring way bigger changes greatly simplifying integration with typical external IdPs and translation profiles management.

Best regards,
Krzysztof

[*] OK, not fully: this email and web page notifications were not bot-generated :-)
From: D B. <ba...@aw...> - 2017-11-03 09:36:33

Hi,

thanks! Setting

unityServer.core.httpServer.advertisedHost=192.168.1.100:2443

in ${CONF}/unityServer.conf indeed fixed the issue.

Cheers,
D

On 25/10/17 16:43, Krzysztof Benedyczak wrote:
> Hi,
>
> W dniu 24.10.2017 o 16:21, D Baum pisze:
>> Hi,
>>
>> I'm trying to setup up Unity as a SAML hub/bridge by connecting it to an
>> upstream Shibboleth SAML IdP.
>>
>> I first tried this while running unity on the preconfigured port 2443 -
>> but I noticed that the sp xml configuration file and the AuthnRequests
>> generated by Unity don't specify the port in URLs.
>> After I logged in with the IdP, this led to a timeout when my browser
>> was redirected to unity's AssertionConsumerService - which couldn't be
>> found at the given URL since the port wasn't correct.
>>
>> Is this intentional? If so, can the port of unity's SAML SP consumers be
>> configured and how?
>
> Most likely you didn't set properly the advertisedHost address in the
> main unityServer.conf. It is used as a base, and Unity can not guess it
> as may be behind proxy/fw.
>
> HTH
> Krzysztof
From: Krzysztof B. <kb...@un...> - 2017-10-25 14:43:27

Hi,

On 24.10.2017 at 16:21, D Baum wrote:
> Hi,
>
> I'm trying to setup up Unity as a SAML hub/bridge by connecting it to an
> upstream Shibboleth SAML IdP.
>
> I first tried this while running unity on the preconfigured port 2443 -
> but I noticed that the sp xml configuration file and the AuthnRequests
> generated by Unity don't specify the port in URLs.
> After I logged in with the IdP, this led to a timeout when my browser
> was redirected to unity's AssertionConsumerService - which couldn't be
> found at the given URL since the port wasn't correct.
>
> Is this intentional? If so, can the port of unity's SAML SP consumers be
> configured and how?

Most likely you didn't set properly the advertisedHost address in the main unityServer.conf. It is used as a base, and Unity can not guess it as it may be behind proxy/fw.

HTH
Krzysztof
From: D B. <ba...@aw...> - 2017-10-24 14:22:03

Hi,

I'm trying to set up Unity as a SAML hub/bridge by connecting it to an upstream Shibboleth SAML IdP.

I first tried this while running unity on the preconfigured port 2443 - but I noticed that the sp xml configuration file and the AuthnRequests generated by Unity don't specify the port in URLs. After I logged in with the IdP, this led to a timeout when my browser was redirected to unity's AssertionConsumerService - which couldn't be found at the given URL since the port wasn't correct.

Is this intentional? If so, can the port of unity's SAML SP consumers be configured and how?

Example sp metadata xml produced by Unity (no ports in the URLs):

<urn:EntityDescriptor entityID="SomeEntityID" xmlns:urn="urn:oasis:names:tc:SAML:2.0:metadata">
  <urn:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <urn:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://192.168.42.42/unitygw/spSAMLResponseConsumer" isDefault="true"/>
    <urn:AssertionConsumerService index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://192.168.42.42/unitygw/spSAMLResponseConsumer" isDefault="false"/>
  </urn:SPSSODescriptor>
</urn:EntityDescriptor>

Example AuthnRequest produced by Unity (no ports in the URL):

<?xml version="1.0" encoding="UTF-8"?>
<urn:AuthnRequest xmlns:urn="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://192.168.42.42/unitygw/spSAMLResponseConsumer" Destination="https://my-shibboleth-idp.org:443/idp/profile/SAML2/Redirect/SSO" ID="SAMLY2lib_msg_41c326779d8ac2146cfca15dd5ddc6794898f6f9f31ba97d" IssueInstant="2017-10-24T14:01:21.103Z" Version="2.0">
  <urn1:Issuer xmlns:urn1="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">SomeEntityID</urn1:Issuer>
  <urn:NameIDPolicy AllowCreate="true"/>
</urn:AuthnRequest>

Thanks!
D
From: Krzysztof B. <kb...@un...> - 2017-10-18 20:39:33

Dear Subscribers,

It is time to make this official: after a couple of days of very intensive work Unity was moved to GitHub from Assembla which hosted the project for nearly 5 years. The new source code repository address is:

https://github.com/unity-idm/unity

This change was motivated by the fact that Assembla resigned some time ago from providing free hosting for Open Source projects. Unity project was not closed (nor were there any threats from Assembla) but there were numerous signs that the plan that Unity project was using is deprecated if not abandoned. What is more, using Assembla for outsiders started to be a pain and some of the features stopped working correctly.

GitHub was a natural choice, as de facto standard hosting provider for Open Source community. Hopefully most of you already have GitHub accounts so collaboration should not be disturbed.

Currently the wiki is still in the process of being migrated. Eventually it will land on GitHub wiki space. There are no planned changes as of now wrt to this mailing list and SF as the distribution point, both work pretty well.

Assembla project will not be closed, but to ensure that it is not actively used I'll change all members' permissions to read-only access.

Unity issues tracker was moved to our own JIRA instance. We managed to preserve a complete history, losing only some minimal parts of tickets metadata. There is public read only access enabled.

https://dev.unity-idm.eu/jira/projects/UY/issues

The issues tracker is one of the open points. JIRA that we moved to provides us with all required features to have a flexible project management. However, we have a license with a restricted number of users - suitable for the core team. Therefore we plan to collect your feedback from this ML and other ML channels that we have established and convert it to tickets on our own. We hope this will work out fine. In case a more direct collaboration will be required we can consider some alternatives, as for instance enabling the simple GitHub tracker as a frontend tracker.

Cheers,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2017-10-18 15:15:42

Hi,

On 13.10.2017 at 16:49, D Baum wrote:
> Hi!
>
> I'm a first-time unity user and I'm excited to try it out for the
> project I'm working on. Thanks for putting in all the work to create and
> maintain unity! :-)
>
> One quick bit of feedback: It would have been really helpful to me as
> new user to have the default URL of the admin interface
> (https://localhost:2443/admin/) mentioned in the Quick Start Guide.
> (http://www.unity-idm.eu/documentation/unity-2.2.0/manual.html#quick_start)
> The admin interface is mentioned - but there's no hint how to get there
> until chapter 7.

Good suggestion, will be added

Thanks,
Krzysztof
From: D B. <ba...@aw...> - 2017-10-13 15:07:37

Hi!

I'm a first-time unity user and I'm excited to try it out for the project I'm working on. Thanks for putting in all the work to create and maintain unity! :-)

One quick bit of feedback: It would have been really helpful to me as new user to have the default URL of the admin interface (https://localhost:2443/admin/) mentioned in the Quick Start Guide (http://www.unity-idm.eu/documentation/unity-2.2.0/manual.html#quick_start). The admin interface is mentioned - but there's no hint how to get there until chapter 7.

Thanks
D
From: Shiraz M. <a....@fz...> - 2017-10-07 12:45:53

Hi,

I have a remote OIDC server, which is configured in unity v2.2.0 as a custom provider, with the following settings:

unity.oauth2.client.providers.eduteams.type=custom
unity.oauth2.client.providers.eduteams.name=eduteams
unity.oauth2.client.providers.eduteams.clientId=b2access_client
unity.oauth2.client.providers.eduteams.clientSecret=<SECRET>
unity.oauth2.client.providers.eduteams.scopes=openid
unity.oauth2.client.providers.eduteams.translationProfile=googleProfile
unity.oauth2.client.providers.eduteams.registrationFormForUnknown=Google Registration Form
#unity.oauth2.client.providers.eduteams.iconUrl=eduteams_logo.jpg
unity.oauth2.client.providers.eduteams.enableAccountAssociation=false
unity.oauth2.client.providers.eduteams.openIdConnect=true
#unity.oauth2.client.providers.eduteams.openIdConnectDiscoveryEndpoint=https://oidc.test.registry.eduteams.org/.well-known/openid-configuration
unity.oauth2.client.providers.eduteams.openIdConnectDiscoveryEndpoint=https://oidc.test.registry.eduteams.org
unity.oauth2.client.providers.eduteams.clientAuthenticationMode=secretBasic
unity.oauth2.client.providers.eduteams.authEndpoint=https://oidc.test.registry.eduteams.org/Saml2/OIDC/authorization
unity.oauth2.client.providers.eduteams.accessTokenEndpoint=https://oidc.test.registry.eduteams.org/OIDC/token
unity.oauth2.client.providers.eduteams.profileEndpoint=https://oidc.test.registry.eduteams.org/OIDC/userinfo
#unity.oauth2.client.providers.eduteams.accessTokenFormat=standard

all the necessary information about the provider endpoints are under:

https://oidc.test.registry.eduteams.org/.well-known/openid-configuration

finally the error trace:

2017-10-07T14:35:38,199 [qtp1417851690-862] DEBUG unity.server.oauth.RedirectRequestHandler: Starting OAuth redirection to OAuth provider https://oidc.test.registry.eduteams.org/Saml2/OIDC/authorization?response_type=code&client_id=b2access_client&redirect_uri=https%3A%2F%2Funity.eudat-aai.fz-juelich.de%2Funitygw%2Foauth2ResponseConsumer&scope=openid&state=88dd2319-6ede-403e-934a-9e7d6822c129
2017-10-07T14:35:47,445 [qtp1417851690-863] DEBUG unity.server.oauth.ResponseConsumerServlet: Received OAuth response with valid state 88dd2319-6ede-403e-934a-9e7d6822c129, redirecting to /admin/
2017-10-07T14:35:47,587 [qtp1417851690-859] DEBUG unity.server.oauth.OAuth2RetrievalUI: RetrievalUI received OAuth response
2017-10-07T14:35:47,747 [qtp1417851690-859] DEBUG unity.server.oauth.OAuth2RetrievalUI: OAuth2 authorization code verification or processing failed
pl.edu.icm.unity.engine.api.authn.AuthenticationException: Problem during user information retrieval
        at pl.edu.icm.unity.oauth.client.OAuth2Verificator.getRemotelyAuthenticatedInput(OAuth2Verificator.java:261) ~[unity-server-oauth-2.2.0.jar:?]
        at pl.edu.icm.unity.oauth.client.OAuth2Verificator.verifyOAuthAuthzResponse(OAuth2Verificator.java:226) ~[unity-server-oauth-2.2.0.jar:?]
        at pl.edu.icm.unity.oauth.client.web.OAuth2RetrievalUI.onAuthzAnswer(OAuth2RetrievalUI.java:268) [unity-server-oauth-2.2.0.jar:?]
        at pl.edu.icm.unity.oauth.client.web.OAuth2RetrievalUI.refresh(OAuth2RetrievalUI.java:329) [unity-server-oauth-2.2.0.jar:?]
        at pl.edu.icm.unity.webui.authn.SelectedAuthNPanel$PrimaryAuthenticationResultCallbackImpl.refresh(SelectedAuthNPanel.java:443) [unity-server-web-common-2.2.0.jar:?]
        at pl.edu.icm.unity.webui.authn.SelectedAuthNPanel.refresh(SelectedAuthNPanel.java:511) [unity-server-web-common-2.2.0.jar:?]
        at pl.edu.icm.unity.webui.authn.AuthenticationUI.refresh(AuthenticationUI.java:393) [unity-server-web-common-2.2.0.jar:?]
        at com.vaadin.ui.UI.doRefresh(UI.java:731) [vaadin-server-7.6.4.jar:7.6.4]
        at com.vaadin.server.communication.UIInitHandler.reinitUI(UIInitHandler.java:261) [vaadin-server-7.6.4.jar:7.6.4]
        at com.vaadin.server.communication.UIInitHandler.getBrowserDetailsUI(UIInitHandler.java:168) [vaadin-server-7.6.4.jar:7.6.4]
        at com.vaadin.server.communication.UIInitHandler.synchronizedHandleRequest(UIInitHandler.java:74) [vaadin-server-7.6.4.jar:7.6.4]
        at com.vaadin.server.SynchronizedRequestHandler.handleRequest(SynchronizedRequestHandler.java:41) [vaadin-server-7.6.4.jar:7.6.4]
        at com.vaadin.server.VaadinService.handleRequest(VaadinService.java:1409) [vaadin-server-7.6.4.jar:7.6.4]
        at com.vaadin.server.VaadinServlet.service(VaadinServlet.java:364) [vaadin-server-7.6.4.jar:7.6.4]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [javax.servlet-api-3.1.0.jar:3.1.0]
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:841) [jetty-servlet-9.4.6.v20170531.jar:9.4.6.v20170531]
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650) [jetty-servlet-9.4.6.v20170531.jar:9.4.6.v20170531]
        at pl.edu.icm.unity.webui.authn.InvocationContextSetupFilter.doFilter(InvocationContextSetupFilter.java:73) [unity-server-web-common-2.2.0.jar:?]
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637) [jetty-servlet-9.4.6.v20170531.jar:9.4.6.v20170531]
        at pl.edu.icm.unity.webui.authn.AuthenticationFilter.gotoNotProtectedResource(AuthenticationFilter.java:190) [unity-server-web-common-2.2.0.jar:?]
        at pl.edu.icm.unity.webui.authn.AuthenticationFilter.doFilter(AuthenticationFilter.java:77) [unity-server-web-common-2.2.0.jar:?]
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637) [jetty-servlet-9.4.6.v20170531.jar:9.4.6.v20170531]
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533) [jetty-servlet-9.4.6.v20170531.jar:9.4.6.v20170531]
        at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188) [jetty-server-9.4.6.v20170531.jar:9.4.6.v20170531]
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595) [jetty-server-9.4.6.v20170531.jar:9.4.6.v20170531]
        at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188) [jetty-server-9.4.6.v20170531.jar:9.4.6.v20170531]
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253) [jetty-server-9.4.6.v20170531.jar:9.4.6.v20170531]
        at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168) [jetty-server-9.4.6.v20170531.jar:9.4.6.v20170531]
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473) [jetty-servlet-9.4.6.v20170531.jar:9.4.6.v20170531]
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564) [jetty-server-9.4.6.v20170531.jar:9.4.6.v20170531]
        at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166) [jetty-server-9.4.6.v20170531.jar:9.4.6.v20170531]
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155) [jetty-server-9.4.6.v20170531.jar:9.4.6.v20170531]
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) [jetty-server-9.4.6.v20170531.jar:9.4.6.v20170531]
        at org.eclipse.jetty.server.Dispatcher.forward(Dispatcher.java:203) [jetty-server-9.4.6.v20170531.jar:9.4.6.v20170531]
        at org.eclipse.jetty.server.Dispatcher.forward(Dispatcher.java:73) [jetty-server-9.4.6.v20170531.jar:9.4.6.v20170531]
        at pl.edu.icm.unity.webui.authn.AuthenticationFilter.forwardtoAuthn(AuthenticationFilter.java:173) [unity-server-web-common-2.2.0.jar:?]
        at pl.edu.icm.unity.webui.authn.AuthenticationFilter.doFilter(AuthenticationFilter.java:124) [unity-server-web-common-2.2.0.jar:?]
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637) [jetty-servlet-9.4.6.v20170531.jar:9.4.6.v20170531]
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533) [jetty-servlet-9.4.6.v20170531.jar:9.4.6.v20170531]
        at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188) [jetty-server-9.4.6.v20170531.jar:9.4.6.v20170531]
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595) [jetty-server-9.4.6.v20170531.jar:9.4.6.v20170531]
        at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188) [jetty-server-9.4.6.v20170531.jar:9.4.6.v20170531]
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253) [jetty-server-9.4.6.v20170531.jar:9.4.6.v20170531]
        at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168) [jetty-server-9.4.6.v20170531.jar:9.4.6.v20170531]
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473) [jetty-servlet-9.4.6.v20170531.jar:9.4.6.v20170531]
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564) [jetty-server-9.4.6.v20170531.jar:9.4.6.v20170531]
        at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166) [jetty-server-9.4.6.v20170531.jar:9.4.6.v20170531]
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155) [jetty-server-9.4.6.v20170531.jar:9.4.6.v20170531]
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) [jetty-server-9.4.6.v20170531.jar:9.4.6.v20170531]
        at org.eclipse.jetty.server.Dispatcher.forward(Dispatcher.java:203) [jetty-server-9.4.6.v20170531.jar:9.4.6.v20170531]
        at org.eclipse.jetty.server.Dispatcher.forward(Dispatcher.java:73) [jetty-server-9.4.6.v20170531.jar:9.4.6.v20170531]
        at pl.edu.icm.unity.webui.VaadinEndpoint$ForwadSerlvet.service(VaadinEndpoint.java:319) [unity-server-web-common-2.2.0.jar:?]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [javax.servlet-api-3.1.0.jar:3.1.0]

Any ideas how to configure it correctly?

thanks in advance,
Shiraz

--
Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)
Phone: +49 2461 61 6899
Fax: +49 2461 61 6656
------------------------------------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Amtsgericht Dueren, No. HR B 3498
Chairman of the Supervisory Board: MinDir Dr. Karl Eugen Huthmacher
Management: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt
------------------------------------------------------------------------------------------------
From: Krzysztof B. <kb...@un...> - 2017-09-18 07:05:39
Hi Tim,

On 08.09.2017 at 08:45, Tim Kreuzer wrote:
> Hi Krzysztof,
>
> we're using Unity version 1.9.6 with external SAML IdP authentication.
>
> The data online were updated at the 4th of September. All files in
> data/workspace/downloadedMetadata were last updated at 24th of August.
> When Unity updates the Metadata online the log says:
>
> "2017-09-08 00:06:47,710 [pool-1-thread-1] TRACE
> unity.server.saml.MetaDownloadManager - Locally cached metadata file is
> fresh, skipping downloading https://...metadata.xml"
>
> The file on the website has an entity which is not part of the
> downloaded data and because of this the MetaToSPConfigConverter does not
> add the new Entity.
>
> Do I have to manually trust the new entity? Where do I have to do this?
> Or is there a way to force Unity to download the metadata?

I've looked a bit at this topic and it is rather not related to the other reported SAML problems (which I couldn't reproduce either).

First of all please ensure that your installation is not corrupted, as it seems from your other email. Then, if this re-appears please:
- check and provide all the timestamps of the locally downloaded metadata files from your workspace
- provide what metadata refresh interval you use
- provide log entries covering at least two subsequent refreshes
- write how many SAML related endpoints and authenticators you have (actually endpoints and authenticators using SAML metadata), and what the setup is.

Best
Krzysztof
From: Krzysztof B. <kb...@un...> - 2017-09-17 19:30:50
Hi Willem,

On 14.09.2017 at 14:20, Willem Elbers wrote:
> Hello Krzysztof,
>
> does unity (we are still on version 1.9.6) support multiple assertion
> consumer (ACS) endpoints (with different hostnames) for a single SAML SP?
>
> We have integrated a SAML SP with a separate ACS for each application
> they host via that SP, as described in the shibboleth documentation [1]
> under 'Applications'. See the attached metadata for an example.
>
> None of these locations seems to work and they throw a
> "eu.unicore.samly2.exceptions.SAMLRequesterException:
> AssertionConsumerServiceURL in request
> (https://registries.clarin-dariah.eu/Shibboleth.sso/SAML2/POST) is not
> among trusted endpoints of the issuer." error.
>
> There is no information in the unity log file (log level = DEBUG)
> indicating any issue with this SP
> (entityID="https://clarin.oeaw.ac.at/shibboleth").
>
> Any help to fix this issue is greatly appreciated. Please let me know if
> you need more information.

Unfortunately, as of now we support only one endpoint per type of endpoint for a trusted SP (i.e. one HTTP Web-SSO, one HTTP SLO-Redirect, ...). The first one from the metadata is taken.

If you need support for multiple endpoints please write or open a ticket directly.

Best,
Krzysztof
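The check behind the "AssertionConsumerServiceURL in request ... is not among trusted endpoints of the issuer" error, as an added example that is not part of the thread and not Unity's code. It parses SP metadata of the Shibboleth 'Applications' shape (one entityID, several HTTP-POST ACS endpoints on different hosts), collects every ACS Location per binding, and validates the ACS URL carried in an AuthnRequest against that set by exact string comparison. The `first_only` switch reproduces the "first one from metadata is taken" behaviour described above, so you can see which requests it rejects. The metadata document, entityID and hostnames are constructed for the example; real federation metadata must have its signature verified before anything in it is trusted, and untrusted XML should go through a hardened parser rather than plain ElementTree.

```python
"""Validate an AuthnRequest's AssertionConsumerServiceURL against SP metadata."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata (assumption: not the attachment from the thread).
# Two HTTP-POST ACS endpoints on different hostnames, plus one Artifact endpoint.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://registries.example.org/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService index="3"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/Artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def acs_endpoints(metadata_xml, binding=HTTP_POST):
    """Return {entityID: [ACS Location, ...]} for one binding, in document order.

    Accepts either a single EntityDescriptor or an EntitiesDescriptor aggregate
    (only its direct EntityDescriptor children are considered).
    """
    root = ET.fromstring(metadata_xml)
    if root.tag == f"{{{MD_NS}}}EntityDescriptor":
        descriptors = [root]
    else:
        descriptors = root.findall("md:EntityDescriptor", NS)
    trusted = {}
    for ed in descriptors:
        locations = [
            acs.get("Location")
            for acs in ed.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
            if acs.get("Binding") == binding
        ]
        trusted[ed.get("entityID")] = locations
    return trusted


def acs_is_trusted(trusted, issuer, requested_acs, first_only=False):
    """True if the AuthnRequest's ACS URL is one the issuer registered in metadata.

    first_only=True keeps just the first endpoint per binding, which is the
    one-endpoint-per-type behaviour described in the reply above.
    The comparison is an exact string match on purpose: prefix or substring
    matching would let an attacker-controlled URL that merely starts with a
    trusted one receive the assertion.
    """
    allowed = trusted.get(issuer, [])
    if first_only:
        allowed = allowed[:1]
    return requested_acs in allowed


if __name__ == "__main__":
    endpoints = acs_endpoints(SP_METADATA)
    issuer = "https://sp.example.org/shibboleth"
    second = "https://registries.example.org/Shibboleth.sso/SAML2/POST"
    print("all endpoints:", acs_is_trusted(endpoints, issuer, second))
    print("first only:   ", acs_is_trusted(endpoints, issuer, second, first_only=True))
```

An IdP that only honours the first ACS per binding rejects every request for the second application even though its metadata is correct, which is exactly the symptom reported; an IdP that honours all of them still has to reject anything that is not a byte-for-byte match of a registered Location.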
From: Willem E. <wi...@cl...> - 2017-09-14 12:40:04
Hello Krzysztof,

does unity (we are still on version 1.9.6) support multiple assertion consumer (ACS) endpoints (with different hostnames) for a single SAML SP?

We have integrated a SAML SP with a separate ACS for each application they host via that SP, as described in the shibboleth documentation [1] under 'Applications'. See the attached metadata for an example.

None of these locations seems to work and they throw a "eu.unicore.samly2.exceptions.SAMLRequesterException: AssertionConsumerServiceURL in request (https://registries.clarin-dariah.eu/Shibboleth.sso/SAML2/POST) is not among trusted endpoints of the issuer." error.

There is no information in the unity log file (log level = DEBUG) indicating any issue with this SP (entityID="https://clarin.oeaw.ac.at/shibboleth").

Any help to fix this issue is greatly appreciated. Please let me know if you need more information.

Best,
Willem

[1] https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationModel

--
Willem Elbers
CLARIN ERIC
www.clarin.eu | tel: +31-(0)85-0091277 | skype: wjm.elbers
From: Krzysztof B. <kb...@un...> - 2017-09-13 07:59:01
Hi Tim,

On 13.09.2017 at 09:37, Tim Kreuzer wrote:
> Hi Krzysztof,
>
> on an Unity-Server version 1.9.6 I deleted an entity in the WebAdminUI.
> Since that time the WebUI cannot list the entities in the groups where the
> deleted entity was a member. This includes, obviously, the Root group.
> For example the "oauth-clients" group is not affected by this.
>
> When clicking on an affected group the WebAdminUI shows the error
> message "Problem retrieving group members:
> java.lang.ArrayIndexOutOfBoundsException: 0". The log shows the same
> message "ERROR unity.server.web.IdentitiesComponent - Problem
> retrieving group contents of /
> java.lang.ArrayIndexOutOfBoundsException: 0".

In such cases sharing the rest of the log entry (i.e. the stack trace) is super useful...

Thanks
Krzysztof
From: Tim K. <t.k...@fz...> - 2017-09-13 07:39:13
Hi Krzysztof,

on an Unity-Server version 1.9.6 I deleted an entity in the WebAdminUI. Since that time the WebUI cannot list the entities in the groups where the deleted entity was a member. This includes, obviously, the Root group. For example the "oauth-clients" group is not affected by this.

When clicking on an affected group the WebAdminUI shows the error message "Problem retrieving group members: java.lang.ArrayIndexOutOfBoundsException: 0". The log shows the same message "ERROR unity.server.web.IdentitiesComponent - Problem retrieving group contents of / java.lang.ArrayIndexOutOfBoundsException: 0".

I didn't find any issue like this in the archive of the mailing list.

Best regards,
Tim Kreuzer

--
M.Sc. Tim Kreuzer
Federated Systems and Data
Jülich Supercomputing Centre, http://www.fz-juelich.de/jsc
Phone: +49 2461 61-1583
From: Krzysztof B. <kb...@un...> - 2017-09-10 18:08:39
Hi Sander,

On 30.08.2017 at 12:37, Sander Apweiler wrote:
> Hi Krzysztof,
>
> sorry for the late reply. I'll try to explain it with a bigger
> example.
>
> We have the following services:
> - A: external IdP
> - B: unity as proxy IdP
> - C: additional attribute service
> - D: some other service
>
> We have the following users:
> - 1: admin of C
> - 2: normal user, wants to use D
>
> Workflow:
> - Any user logged in to C or D is authenticated by B
> - C uses only attributes provided from B or A (through B)
> - 1 can create additional attributes or roles for 2 in C
> - B consumes and stores the additional attributes about 2 from C
> - if 2 uses D, D uses attributes provided by B and C (through B)
>
> Or with a more concrete example.
> Within C user 1 creates a quota for user 2. This quota is a storage
> limitation for Nextcloud (D). Unity gets this additional attribute from
> C. If 2 signs in to Nextcloud, unity provides the following attributes:
> - unity persistent identifier
> - email (provided from home IdP to unity)
> - CN (provided from home IdP to unity or entered during the
> registration)
> - quota (provided from additional attribute source to unity)
>
> Hopefully it is more understandable. If not let me know and I'll try to
> find another explanation after my holidays.

OK, now I can follow the scenario :-)

So in this case Unity doesn't have any special means to import attributes from C that come to my mind. You can implement this in one of two ways:

A) (suggested, easiest, natural direction) use Unity's REST API and push your quota attribute from C.

B) (questionable, slower, more complex maintenance) write a custom import module for Unity (we have LDAP and Host OS so far) which will fetch this information from C in JiT style (== when the user logs in).

Best,
Krzysztof
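Option A from the reply above (service C pushes the quota into Unity), as an added example that is not part of the thread and not Unity's own code. It assumes the Unity REST Admin API operation `PUT {base}/entity/{entityId}/attribute` taking a JSON body of the shape {"name": ..., "groupPath": ..., "values": [...]} over HTTP basic authentication of an administrative Unity account; confirm the exact path and body against the REST Admin API documentation of your Unity version before using it. Host, port, credentials, the attribute name `storageQuota` and the numeric entity id are assumptions. The example validates the quota before it leaves C, refuses to send admin credentials over plain HTTP, and separates building the request from sending it so the request can be inspected offline.

```python
"""Push a quota attribute from an external attribute service into Unity."""
import base64
import json
import urllib.request


def quota_attribute(quota_bytes, name="storageQuota", group="/"):
    """Build the attribute JSON for Unity (assumed body shape, see lead-in).

    Unity stores attribute values as strings, so the quota is serialised as a
    decimal string. Only non-negative integers are accepted; bool is excluded
    explicitly because it is a subclass of int in Python.
    """
    if isinstance(quota_bytes, bool) or not isinstance(quota_bytes, int) or quota_bytes < 0:
        raise ValueError("quota must be a non-negative integer number of bytes")
    return {"name": name, "groupPath": group, "values": [str(quota_bytes)]}


def build_request(base_url, entity_id, attribute, username, password):
    """Return a ready-to-send urllib Request for PUT .../entity/{id}/attribute.

    base_url is the REST Admin API root, e.g. https://host:2443/rest-admin/v1
    (assumed). entity_id is Unity's numeric entity id (assumption: the example
    does not use the identityType/identity-value addressing form).
    """
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send admin credentials over plain HTTP")
    if not str(entity_id).isdigit():
        raise ValueError("entity_id must be Unity's numeric entity id")
    url = f"{base_url.rstrip('/')}/entity/{entity_id}/attribute"
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return urllib.request.Request(
        url,
        data=json.dumps(attribute).encode("utf-8"),
        method="PUT",
        headers={
            "Content-Type": "application/json",
            "Authorization": "Basic " + token,
        },
    )


def push_attribute(request, opener=urllib.request.urlopen):
    """Send the request and return the HTTP status (2xx on success)."""
    with opener(request) as response:
        return response.status


if __name__ == "__main__":
    # Assumed deployment values; nothing is sent here, the request is only printed.
    attr = quota_attribute(10 * 1024 ** 3)
    req = build_request("https://unity.example.org:2443/rest-admin/v1", 42, attr,
                        "admin", "change-me")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Service C holds an admin credential for Unity here, so it belongs in the same trust boundary as Unity's administrators; keep that credential out of the code path that ordinary users of C can influence, and restrict what the account may write if your Unity version supports finer-grained authorization.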
From: Krzysztof B. <kb...@un...> - 2017-09-08 07:26:17
Hi Tim,

On 08.09.2017 at 08:45, Tim Kreuzer wrote:
> Hi Krzysztof,
>
> we're using Unity version 1.9.6 with external SAML IdP authentication.
>
> The data online were updated at the 4th of September. All files in
> data/workspace/downloadedMetadata were last updated at 24th of August.
> When Unity updates the Metadata online the log says:
>
> "2017-09-08 00:06:47,710 [pool-1-thread-1] TRACE
> unity.server.saml.MetaDownloadManager - Locally cached metadata file is
> fresh, skipping downloading https://...metadata.xml"
>
> The file on the website has an entity which is not part of the
> downloaded data and because of this the MetaToSPConfigConverter does not
> add the new Entity.
>
> Do I have to manually trust the new entity? Where do I have to do this?
> Or is there a way to force Unity to download the metadata?

We have a bug report (or even two) around this - we should have this fixed in the next release.

You can remove the locally cached metadata file, which should trigger a download on the next refresh. It is in your workspace directory (configurable in unityServer.conf) in the downloadedMetadata subfolder.

HTH,
Krzysztof
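A small audit of the metadata cache, as an added example that is neither part of the thread nor Unity's own tooling. It covers both replies on this problem: the request for the timestamps of the cached files and the refresh interval, and the workaround of removing a stale cached file so the next refresh downloads it again. A file is flagged stale when it is much older than the refresh interval, because a healthy cache is rewritten every interval; a file that is weeks old with "Locally cached metadata file is fresh, skipping downloading" in the log is the symptom reported. The directory name `downloadedMetadata` is from the thread; the refresh interval, the grace factor and the file names in the usage are assumptions. Deleting is opt-in (dry run by default) because the cache holds the trust anchors for federated login: remove one file at a time and watch the next refresh rather than wiping the directory.

```python
"""Find (and optionally purge) stale files in Unity's SAML metadata cache."""
import os
import sys
import time
from dataclasses import dataclass


@dataclass
class CacheEntry:
    path: str
    age_seconds: float
    stale: bool


def audit_metadata_cache(cache_dir, refresh_interval_seconds, now=None, grace_factor=2.0):
    """Return one CacheEntry per regular file in cache_dir, sorted by name.

    A file is stale when its age exceeds grace_factor * refresh interval, i.e.
    it has missed at least one scheduled refresh (grace_factor is an assumption;
    tune it to your setup).
    """
    now = time.time() if now is None else now
    entries = []
    for name in sorted(os.listdir(cache_dir)):
        path = os.path.join(cache_dir, name)
        if not os.path.isfile(path):
            continue
        age = now - os.path.getmtime(path)
        entries.append(CacheEntry(path, age, age > grace_factor * refresh_interval_seconds))
    return entries


def purge_stale(cache_dir, refresh_interval_seconds, now=None, dry_run=True):
    """Return the paths of stale files; delete them only when dry_run is False."""
    stale = [e.path for e in audit_metadata_cache(cache_dir, refresh_interval_seconds, now)
             if e.stale]
    if not dry_run:
        for path in stale:
            os.remove(path)
    return stale


def report(entries):
    """Human-readable listing, one line per cached file."""
    lines = []
    for e in entries:
        flag = "STALE" if e.stale else "ok   "
        lines.append(f"{flag}  {e.age_seconds / 3600:8.1f} h  {e.path}")
    return "\n".join(lines)


if __name__ == "__main__":
    # usage: audit.py <workspace>/downloadedMetadata <refresh-interval-seconds> [--delete]
    cache_dir = sys.argv[1] if len(sys.argv) > 1 else "data/workspace/downloadedMetadata"
    interval = int(sys.argv[2]) if len(sys.argv) > 2 else 3600  # assumed default
    print(report(audit_metadata_cache(cache_dir, interval)))
    removed = purge_stale(cache_dir, interval, dry_run="--delete" not in sys.argv)
    print("stale:", removed)
```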
From: Krzysztof B. <kb...@un...> - 2017-09-08 07:21:15
Hi Shiraz,

On 07.09.2017 at 11:37, Shiraz Memon wrote:
> Hi,
>
> Does unity support OIDC implicit flow[1], if acting as an OIDC Client?
> if yes, how can I enable it?

No, it is not possible and not on the roadmap. The implicit flow is intended for JS public apps, and has many undesired consequences. Unity is not such a case, so it can use the secure and way more popular authz code flow.

Best,
Krzysztof
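The relying-party side of the authorization code flow that the reply above recommends, as an added example that is not part of the thread and not Unity's implementation. It shows the client-side checks that make the code flow the right choice for a server-side client such as Unity acting as an OIDC client: the browser only ever carries a one-time code bound to the session by `state`, tokens are obtained on the back channel, and the ID token is bound to the login by `nonce`. The callback handler deliberately rejects tokens arriving through the front channel, which is what the implicit flow delivers (in the URL fragment, readable only by JavaScript in the browser). The OP's authorization endpoint, client_id and redirect URI are assumptions; the code exchange itself (a TLS POST to the token endpoint with the client secret) is left out so the example runs offline.

```python
"""Authorization code flow, relying-party side: state and nonce handling."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHZ_ENDPOINT = "https://op.example.org/oauth2-authz"  # assumed OP endpoint


class CallbackError(Exception):
    """Raised when the redirect back from the OP must not be accepted."""


def start_login(session, client_id, redirect_uri, scope="openid email"):
    """Store fresh state and nonce in the session; return the authorization URL."""
    session["oidc_state"] = secrets.token_urlsafe(32)
    session["oidc_nonce"] = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",          # code flow: no tokens via the browser
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": session["oidc_state"],   # CSRF / session binding of the callback
        "nonce": session["oidc_nonce"],   # binds the ID token to this login
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def _single(query, key):
    """Return the value of a parameter only if it occurs exactly once."""
    values = query.get(key, [])
    return values[0] if len(values) == 1 else None


def handle_callback(session, callback_url):
    """Validate the OP's redirect and return the one-time authorization code.

    The stored state is consumed on first use so a replayed callback fails.
    """
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise CallbackError("OP returned error: " + str(_single(query, "error")))
    for forbidden in ("id_token", "access_token"):
        if forbidden in query:
            # implicit/hybrid style delivery; a code-flow client never accepts it
            raise CallbackError(f"{forbidden} delivered through the front channel")
    expected = session.pop("oidc_state", None)
    received = _single(query, "state")
    if expected is None or received is None or \
            not secrets.compare_digest(expected.encode(), received.encode()):
        raise CallbackError("state missing or does not match this session")
    code = _single(query, "code")
    if code is None:
        raise CallbackError("authorization code missing or duplicated")
    return code


def nonce_matches(session, id_token_claims):
    """After the back-channel code exchange, bind the ID token to this login."""
    expected = session.pop("oidc_nonce", None)
    received = id_token_claims.get("nonce", "")
    return expected is not None and \
        secrets.compare_digest(expected.encode(), str(received).encode())
```

`secrets.compare_digest` is used on both comparisons so the check does not leak how many leading bytes matched; the ID token's signature, issuer, audience and expiry are verified separately by the JWT layer before `nonce_matches` is consulted.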
From: Tim K. <t.k...@fz...> - 2017-09-08 06:45:33
Hi Krzysztof,

we're using Unity version 1.9.6 with external SAML IdP authentication.

The data online were updated at the 4th of September. All files in data/workspace/downloadedMetadata were last updated at 24th of August. When Unity updates the Metadata online the log says:

"2017-09-08 00:06:47,710 [pool-1-thread-1] TRACE unity.server.saml.MetaDownloadManager - Locally cached metadata file is fresh, skipping downloading https://...metadata.xml"

The file on the website has an entity which is not part of the downloaded data and because of this the MetaToSPConfigConverter does not add the new Entity.

Do I have to manually trust the new entity? Where do I have to do this? Or is there a way to force Unity to download the metadata?

Thanks and best regards,
Tim Kreuzer

--
M.Sc. Tim Kreuzer
Federated Systems and Data
Jülich Supercomputing Centre, http://www.fz-juelich.de/jsc
Phone: +49 2461 61-1583
From: Shiraz M. <a....@fz...> - 2017-09-07 09:38:46
Hi,

Does unity support OIDC implicit flow[1], if acting as an OIDC Client? If yes, how can I enable it?

Thanks,
Shiraz

1. https://www.scottbrady91.com/OpenID-Connect/OpenID-Connect-Flows

--
Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)
Phone: +49 2461 61 6899
Fax: +49 2461 61 6656