From: André M. <an...@cl...> - 2017-06-30 15:53:59
Hi Krzysztof,

thank you very much for your answer.

Based on the suggestions I ran some tests while setting the logging to TRACE but the results puzzled me even further.

So when I set unity.saml.refreshInterval to a value <=358, the auto refresh works just fine. If I set it to anything >358 it stops working. The logs still show the refresh action and the various entityIDs being updated but it behaves as if no changes were made to the metadata source.

For this test I added one new entityID to the metadata source, wait for the refresh and test the login. Also tried in the opposite direction i.e. removing one entityID, but with the same results.

Regards,
----
André Moreira
CLARIN ERIC
https://www.clarin.eu

> On 30 Jun 2017, at 10:12, Krzysztof Benedyczak <kb...@un...> wrote:
>
> Hi,
>
> On 28.06.2017 at 15:29, André Moreira wrote:
>> Hi,
>>
>> We are seeing a problem at CLARIN where the SP metadata is not being
>> updated automatically despite the option “unity.saml.refreshInterval”
>> being set. Currently the only way for us to force unity to reload the
>> metadata is to restart it.
>
> Strange. Can you tell what does the log say? Try to set SAML subsystem logging to the DEBUG level (or even TRACE), decrease refreshInterval to say 30s and check what happens around refresh. Having this information should help to diagnose problem.
>
> Best,
> Krzysztof

From: Krzysztof B. <kb...@un...> - 2017-06-30 08:13:06
Hi,

On 28.06.2017 at 15:29, André Moreira wrote:
> Hi,
>
> We are seeing a problem at CLARIN where the SP metadata is not being
> updated automatically despite the option “unity.saml.refreshInterval”
> being set. Currently the only way for us to force unity to reload the
> metadata is to restart it.

Strange. Can you tell what does the log say? Try to set SAML subsystem logging to the DEBUG level (or even TRACE), decrease refreshInterval to say 30s and check what happens around refresh. Having this information should help to diagnose problem.

Best,
Krzysztof

From: André M. <an...@cl...> - 2017-06-28 13:29:18
Hi,

We are seeing a problem at CLARIN where the SP metadata is not being updated automatically despite the option “unity.saml.refreshInterval” being set. Currently the only way for us to force unity to reload the metadata is to restart it.

In our IdP configuration (conf/endpoints/saml-webidp.properties) we have:

...
unity.saml.validityPeriod=3600
unity.saml.requestValidityPeriod=600
unity.saml.authenticationTimeout=20
unity.saml.acceptedSPMetadataSource.1.url=https://someserver.tld/somepath/agreegated_SP_md_feed.xml
unity.saml.refreshInterval=3600
unity.saml.translationProfile=SAML-Attributes
unity.saml.skipConsent=true

Any ideas?

We are currently using unity v1.9.6

Thank you very much,
----
André Moreira
CLARIN ERIC
https://www.clarin.eu

From: Krzysztof B. <kb...@un...> - 2017-06-26 09:33:17
Dear All,

We are very happy to announce the final release of Unity 2. After extensive testing and fixing all bugs that were found in the release candidate published 2 months ago, finally the 2.0.0 stable release is available for you.

If you tested the RC, a lot was improved since:
-) there were many bugs related to attributes handling, especially in case of emails. Those were fixed systematically by introducing better generic solutions internally
-) there were quite a few bugs in the UI code
-) also 2 problems related to upgrade were solved.

See http://www.unity-idm.eu/downloads page to read the full release notes.

Note that upgrade is possible only from 1.9.x releases, and it will involve a bit of your manual work, so please read the upgrade documentation carefully. While we may release some further 1.9.x minor releases, our focus is now on the 2.0 series.

Best regards,
Krzysztof

From: Krzysztof B. <kb...@un...> - 2017-06-20 08:01:14
Hi,

On 19.06.2017 at 16:52, Gonçalo Barata wrote:
> Hi
>
> I'm trying to create a *OAuth 2.0 client* (For those who are familiar with
> eudat – I'm trying to make B2SHARE automatically communicate with B2ACCESS ).
>
> How do I get the *secret key* ? (like it's done in google or facebook),
> and the *CONSUMER KEY ?*, do I have to create a user on the *group
> oauth-client* ? where do I put the *return URL*?
>

Yes, you have to create each authorized client as an entity in Unity, most likely with a username identity, assign it a password and add to the group of oauth clients as configured for your endpoint. You can also use other authN as TLS authN.

Return URL and other client settings (as allowed grants, logo) are configured as OAuth-specific attributes of that entity. Note: those attributes must be set in the oauth clients group, not in '/'.

Best
Krzysztof

From: Gonçalo B. <gon...@fc...> - 2017-06-19 14:52:18
Hi

I'm trying to create a OAuth 2.0 client (For those who are familiar with eudat – I'm trying to make B2SHARE automatically communicate with B2ACCESS ).

How do I get the secret key ? (like it's done in google or facebook), and the CONSUMER KEY ?, do I have to create a user on the group oauth-client ? where do I put the return URL?

I'm looking for some tips on how to achieve this.

I already enabled these two endpoints.

unityServer.core.endpoints.8.endpointType=OAuth2Authz
unityServer.core.endpoints.8.endpointConfigurationFile=conf/endpoints/oauth2-as.properties
unityServer.core.endpoints.8.contextPath=/oauth2-as
unityServer.core.endpoints.8.endpointName=UNITY OAuth2 Authorization Server
unityServer.core.endpoints.8.endpointRealm=defaultRealm
unityServer.core.endpoints.8.endpointAuthenticators=pwdWeb;certWeb

unityServer.core.endpoints.9.endpointType=OAuth2Token
unityServer.core.endpoints.9.endpointConfigurationFile=conf/endpoints/oauth2-as.properties
unityServer.core.endpoints.9.contextPath=/oauth2
unityServer.core.endpoints.9.endpointName=UNITY OAuth2 Token endpoint
unityServer.core.endpoints.9.endpointRealm=defaultRealm
unityServer.core.endpoints.9.endpointAuthenticators=pwdRest

Thank you

Fundação para a Ciência e a Tecnologia
Unidade FCCN – Computação Científica Nacional
Av. do Brasil, 101
1700-066 Lisboa | Portugal
Email: gon...@fc...
http://www.fccn.pt

Confidentiality Notice
This message is intended exclusively for its addressee and may contain CONFIDENTIAL information, the disclosure of which is expressly prohibited by law. If you have received this message in error, please notify us of that fact by this means or by telephone at +351 218440100, and delete its content immediately.

From: Krzysztof B. <kb...@un...> - 2017-06-15 11:11:43
Hi Willem,

OK, so everything is clear now. The key parts are:

On 14.06.2017 at 13:41, Willem Elbers wrote:
> 9: Condition: true
>    Action: createAttribute
>    Action parameters:
>      attributeName = urn:oid:1.3.6.1.4.1.5923.1.1.1.10
>      expression = idsByType['targetedPersistent'][0]
>      mandatory = false
>      attributeDisplayName =
>      attributeDescription =
> 10: Condition: true
>    Action: createAttribute
>    Action parameters:
>      attributeName = urn:mace:dir:attribute-def:eduPersonTargetedID
>      expression = idsByType['targetedPersistent'][0]
>      mandatory = false
>      attributeDisplayName =
>      attributeDescription =
>

together with:

> The SAML request from SP -> IdP:
...
>   <samlp:NameIDPolicy
>       Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
>       AllowCreate="false"
>       />

So the client is requesting a transient identity (i.e. that after authentication of a user, Unity should return it a response assertion with an identity of the user of 'transient' type). The transient identity by definition is session&requester scoped: so that any other SP should get a different transient identifier for the same user and (!) this particular SP should get a different identifier for the same user in the next session (so after logout).

At the same time SP sets AllowCreate=false, which tells Unity that it should not create any new identifier for the user - only some already existing can be returned.

So this makes no sense together. This request can be only served when the user was previously authenticated *to the same SP and in the same SSO session*. The first authentication from this SP to Unity will never work as a new transient identity needs to be generated exactly then.

The error you get is from profile: 'targetedPersistent' identity is also not created for this user as AllowCreate=false prevents it too. This can be fixed with a proper condition. However the request won't be served anyway as after profile processing unity won't have the transient identity to be put into response.

Shortly speaking: AllowCreate should be true or Format changed to some fixed identity. And fix the profile as it shouldn't assume that some dynamic identity is always present.

Best
Krzysztof

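The combination explained in the message above (a dynamic NameID format together with AllowCreate="false") can be detected on a captured AuthnRequest. The following Python check is an added example, not part of the original message or of Unity; the function and constant names are hypothetical, the first sample is the request quoted in the thread and the second is a constructed variant. It also covers the persistent format and relies on AllowCreate defaulting to false when the attribute is absent.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
FORMAT_PREFIX = "urn:oasis:names:tc:SAML:2.0:nameid-format:"

# Identifier types the IdP creates on demand, with the scope each one is
# bound to (as described in the message above).
DYNAMIC_SCOPE = {
    "transient": "the same SP and the same SSO session",
    "persistent": "the same SP",
}

# Sample input: the AuthnRequest quoted in the thread.
REQUEST_FROM_THREAD = """
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_AE13D5C8472D79640CE19B291E2442E8" Version="2.0"
    IssueInstant="2017-06-14T11:39:04Z"
    Destination="https://idm.clarin.eu/saml-idp/saml2idp-web"
    ForceAuthn="false" IsPassive="false">
  <saml:Issuer>https://clarino.uib.no/</saml:Issuer>
  <samlp:NameIDPolicy
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
      AllowCreate="false"/>
</samlp:AuthnRequest>
"""

# Constructed variant: the same request with AllowCreate switched to true.
REQUEST_ALLOW_CREATE = REQUEST_FROM_THREAD.replace(
    'AllowCreate="false"', 'AllowCreate="true"')


def xml_bool(value, default=False):
    """Parse an xs:boolean ("true"/"1"); a missing AllowCreate means false."""
    return default if value is None else value.strip() in ("true", "1")


def check_name_id_policy(authn_request_xml):
    """Report whether the NameIDPolicy lets the IdP serve a first login."""
    # SAML messages carry no DTD; refusing one keeps entity tricks out of the parser.
    if "<!DOCTYPE" in authn_request_xml:
        raise ValueError("DTD found: not accepted in a SAML message")
    root = ET.fromstring(authn_request_xml.strip())
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("root element is not samlp:AuthnRequest")
    report = {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "format": None,
        "allow_create": None,
        "verdict": "ok",
        "reason": "no NameIDPolicy, the IdP picks the identifier type",
    }
    policy = root.find("samlp:NameIDPolicy", NS)
    if policy is None:
        return report
    fmt = policy.get("Format", "")
    allow_create = xml_bool(policy.get("AllowCreate"))
    kind = fmt[len(FORMAT_PREFIX):] if fmt.startswith(FORMAT_PREFIX) else fmt
    report.update(format=fmt, allow_create=allow_create)
    if kind in DYNAMIC_SCOPE and not allow_create:
        report["verdict"] = "needs-existing-identifier"
        report["reason"] = (
            "%s NameID requested with AllowCreate=false: the IdP may only "
            "return an identifier already created for %s, so the first "
            "login in that scope fails" % (kind, DYNAMIC_SCOPE[kind]))
    else:
        report["reason"] = "the IdP may create or look up the identifier"
    return report


if __name__ == "__main__":
    for label, xml in (("thread request", REQUEST_FROM_THREAD),
                       ("AllowCreate=true", REQUEST_ALLOW_CREATE)):
        r = check_name_id_policy(xml)
        print("%-18s %-26s %s" % (label, r["verdict"], r["reason"]))
```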
From: Willem E. <wi...@cl...> - 2017-06-14 11:42:10
The translation profile we use:

Name: SAML-Attributes
Description: The set of CLARIN attributes release to service providers
Rules:
1: Condition: true
   Action: createAttribute
   Action parameters:
     attributeName = urn:oid:1.3.6.1.4.1.5923.1.1.1.6
     expression = idsByType['email'][0].replaceAll('@', '_') + '@clarin.eu'
     mandatory = false
     attributeDisplayName =
     attributeDescription =
2: Condition: true
   Action: createAttribute
   Action parameters:
     attributeName = urn:oid:2.5.4.10
     expression = 'CLARIN'
     mandatory = false
     attributeDisplayName =
     attributeDescription =
3: Condition: true
   Action: createAttribute
   Action parameters:
     attributeName = urn:oid:1.3.6.1.4.1.5923.1.1.1.9
     expression = 'me...@cl...'
     mandatory = false
     attributeDisplayName =
     attributeDescription =
4: Condition: true
   Action: createAttribute
   Action parameters:
     attributeName = urn:oid:2.16.840.1.113730.3.1.241
     expression = attr['clarin-full-name']
     mandatory = false
     attributeDisplayName =
     attributeDescription =
5: Condition: true
   Action: createAttribute
   Action parameters:
     attributeName = urn:oid:0.9.2342.19200300.100.1.3
     expression = idsByType['email'][0]
     mandatory = false
     attributeDisplayName =
     attributeDescription =
6: Condition: groups contains '/clarin/academic'
   Action: createAttribute
   Action parameters:
     attributeName = urn:oid:1.3.6.1.4.1.5923.1.1.1.7
     expression = 'http://www.clarin.eu/entitlement/academic'
     mandatory = false
     attributeDisplayName =
     attributeDescription =
7: Condition: groups contains '/clarin/normal'
   Action: createAttribute
   Action parameters:
     attributeName = urn:oid:1.3.6.1.4.1.5923.1.1.1.7
     expression = 'http://www.clarin.eu/entitlement/none'
     mandatory = false
     attributeDisplayName =
     attributeDescription =
8: Condition: true
   Action: createAttribute
   Action parameters:
     attributeName = urn:oid:2.5.4.3
     expression = attr['cn']
     mandatory = false
     attributeDisplayName =
     attributeDescription =
9: Condition: true
   Action: createAttribute
   Action parameters:
     attributeName = urn:oid:1.3.6.1.4.1.5923.1.1.1.10
     expression = idsByType['targetedPersistent'][0]
     mandatory = false
     attributeDisplayName =
     attributeDescription =
10: Condition: true
   Action: createAttribute
   Action parameters:
     attributeName = urn:mace:dir:attribute-def:eduPersonTargetedID
     expression = idsByType['targetedPersistent'][0]
     mandatory = false
     attributeDisplayName =
     attributeDescription =

The SAML request from SP -> IdP:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_AE13D5C8472D79640CE19B291E2442E8"
    Version="2.0"
    IssueInstant="2017-06-14T11:39:04Z"
    Destination="https://idm.clarin.eu/saml-idp/saml2idp-web"
    ForceAuthn="false"
    IsPassive="false"
    >
  <saml:Issuer>https://clarino.uib.no/</saml:Issuer>
  <samlp:NameIDPolicy
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
      AllowCreate="false"
      />
</samlp:AuthnRequest>

The SAML response from IdP -> SP:

<urn:Response IssueInstant="2017-06-14T11:39:22.163Z"
    ID="SAMLY2lib_msg_8632ac33e351d8f2ba9316addaacff9bbba3e403cf02e3e"
    Version="2.0"
    InResponseTo="_AE13D5C8472D79640CE19B291E2442E8"
    xmlns:urn="urn:oasis:names:tc:SAML:2.0:protocol"
    >
  <urn1:Issuer
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
      xmlns:urn1="urn:oasis:names:tc:SAML:2.0:assertion"
      >https://idm.clarin.eu</urn1:Issuer>
  <urn:Status>
    <urn:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
    <urn:StatusMessage>[Error: null pointer: idsByType['targetedPersistent'][0]]
[Near : {... idsByType['targetedPersistent' ....}]
             ^
[Line: 1, Column: 1]</urn:StatusMessage>
  </urn:Status>
</urn:Response>

Hope this helps.

Best,
Willem

On 13/06/2017 11:27, Krzysztof Benedyczak wrote:
> Hi Willem,
>
> On 13.06.2017 at 11:05, Willem Elbers wrote:
>> Forgot to include the mailing list...
>
> Actually same here - the last time...
>
>>
>> Hi Krzysztof,
>>
>> apologies for the delay, I became father again which took most of my
>> focus :)
>
> Huge congratulations!
>
>>
>> After increasing the translation profile logging I can see the following
>> for my identity:
>>
>> Working login:
>>
>> Entity 261:
>>  - [email] wi...@cl...
>>  - [persistent] 20940047-d9c3-4796-b43b-ebe7f399b2bd
>>  - [targetedPersistent] 838bb7e5-dda6-4952-996e-6c25807e348a
>>  - [transient] a5f7ef17-19b5-4d1f-9ed7-b48573ed3991
>> In group: /clarin
>> Groups: [/clarin/developer, /clarin-admin, /clarin/normal,
>> /clarin/academic, /clarin, /]
>> Requester: https://sp.catalog.clarin.eu
>>
>> Failed login with problematic SP:
>>
>> Entity 261:
>>  - [email] wi...@cl...
>>  - [persistent] 20940047-d9c3-4796-b43b-ebe7f399b2bd
>> In group: /clarin
>> Groups: [/clarin/developer, /clarin-admin, /clarin/normal,
>> /clarin/academic, /clarin, /]
>> Requester: https://clarino.uib.no/
>>
>> As you can see from the log, for the problematic SP the
>> [targetedPersistent] and [transient] identities are missing, hence the
>> error.
>>
>> The SAML configuration is as follows:
>>
>> unity.saml.issuerURI=https://idm.clarin.eu
>> unity.saml.credential=IDP
>> unity.saml.defaultGroup=/clarin
>> unity.saml.spAcceptPolicy=validRequester
>> unity.saml.signResponses=asRequest
>> unity.saml.validityPeriod=3600
>> unity.saml.requestValidityPeriod=600
>> unity.saml.authenticationTimeout=20
>> unity.saml.acceptedSPMetadataSource.1.url=https://infra.clarin.eu/aai/md_about_spf_sps.xml
>> unity.saml.acceptedSPMetadataSource.2.url=file:///opt/dev-sp.clarin.eu.xml
>> unity.saml.refreshInterval=3600
>> unity.saml.translationProfile=SAML-Attributes
>> unity.saml.skipConsent=true
>>
>> Please let me know if you need more info.
>
> Yes, the critical part is your translation profile. Also can you
> describe the flow? I guess you have saml login to unity, correct? If
> so - the request would be helpful too.
>
> Best
> Krzysztof
>
>

--
Willem Elbers
CLARIN ERIC
www.clarin.eu | tel: +31-(0)85-0091277 | skype: wjm.elbers

From: Krzysztof B. <kb...@un...> - 2017-06-13 09:27:49
Hi Willem,

On 13.06.2017 at 11:05, Willem Elbers wrote:
> Forgot to include the mailing list...

Actually same here - the last time...

>
> Hi Krzysztof,
>
> apologies for the delay, I became father again which took most of my
> focus :)

Huge congratulations!

>
> After increasing the translation profile logging I can see the following
> for my identity:
>
> Working login:
>
> Entity 261:
>  - [email] wi...@cl...
>  - [persistent] 20940047-d9c3-4796-b43b-ebe7f399b2bd
>  - [targetedPersistent] 838bb7e5-dda6-4952-996e-6c25807e348a
>  - [transient] a5f7ef17-19b5-4d1f-9ed7-b48573ed3991
> In group: /clarin
> Groups: [/clarin/developer, /clarin-admin, /clarin/normal,
> /clarin/academic, /clarin, /]
> Requester: https://sp.catalog.clarin.eu
>
> Failed login with problematic SP:
>
> Entity 261:
>  - [email] wi...@cl...
>  - [persistent] 20940047-d9c3-4796-b43b-ebe7f399b2bd
> In group: /clarin
> Groups: [/clarin/developer, /clarin-admin, /clarin/normal,
> /clarin/academic, /clarin, /]
> Requester: https://clarino.uib.no/
>
> As you can see from the log, for the problematic SP the
> [targetedPersistent] and [transient] identities are missing, hence the
> error.
>
> The SAML configuration is as follows:
>
> unity.saml.issuerURI=https://idm.clarin.eu
> unity.saml.credential=IDP
> unity.saml.defaultGroup=/clarin
> unity.saml.spAcceptPolicy=validRequester
> unity.saml.signResponses=asRequest
> unity.saml.validityPeriod=3600
> unity.saml.requestValidityPeriod=600
> unity.saml.authenticationTimeout=20
> unity.saml.acceptedSPMetadataSource.1.url=https://infra.clarin.eu/aai/md_about_spf_sps.xml
> unity.saml.acceptedSPMetadataSource.2.url=file:///opt/dev-sp.clarin.eu.xml
> unity.saml.refreshInterval=3600
> unity.saml.translationProfile=SAML-Attributes
> unity.saml.skipConsent=true
>
> Please let me know if you need more info.

Yes, the critical part is your translation profile. Also can you describe the flow? I guess you have saml login to unity, correct? If so - the request would be helpful too.

Best
Krzysztof

From: Willem E. <wi...@cl...> - 2017-06-13 09:05:40
Forgot to include the mailing list...

-------- Forwarded Message --------
Subject: Re: [Unity-idm-discuss] Nullpointer when SP tries to access IDP
Date: Mon, 12 Jun 2017 13:34:48 +0200
From: Willem Elbers <wi...@cl...>
Reply-To: wi...@cl...
Organization: CLARIN ERIC
To: Krzysztof Benedyczak <kb...@un...>

Hi Krzysztof,

apologies for the delay, I became father again which took most of my focus :)

After increasing the translation profile logging I can see the following for my identity:

Working login:

Entity 261:
 - [email] wi...@cl...
 - [persistent] 20940047-d9c3-4796-b43b-ebe7f399b2bd
 - [targetedPersistent] 838bb7e5-dda6-4952-996e-6c25807e348a
 - [transient] a5f7ef17-19b5-4d1f-9ed7-b48573ed3991
In group: /clarin
Groups: [/clarin/developer, /clarin-admin, /clarin/normal, /clarin/academic, /clarin, /]
Requester: https://sp.catalog.clarin.eu

Failed login with problematic SP:

Entity 261:
 - [email] wi...@cl...
 - [persistent] 20940047-d9c3-4796-b43b-ebe7f399b2bd
In group: /clarin
Groups: [/clarin/developer, /clarin-admin, /clarin/normal, /clarin/academic, /clarin, /]
Requester: https://clarino.uib.no/

As you can see from the log, for the problematic SP the [targetedPersistent] and [transient] identities are missing, hence the error.

The SAML configuration is as follows:

unity.saml.issuerURI=https://idm.clarin.eu
unity.saml.credential=IDP
unity.saml.defaultGroup=/clarin
unity.saml.spAcceptPolicy=validRequester
unity.saml.signResponses=asRequest
unity.saml.validityPeriod=3600
unity.saml.requestValidityPeriod=600
unity.saml.authenticationTimeout=20
unity.saml.acceptedSPMetadataSource.1.url=https://infra.clarin.eu/aai/md_about_spf_sps.xml
unity.saml.acceptedSPMetadataSource.2.url=file:///opt/dev-sp.clarin.eu.xml
unity.saml.refreshInterval=3600
unity.saml.translationProfile=SAML-Attributes
unity.saml.skipConsent=true

Please let me know if you need more info.

Best,
Willem

On 23/05/2017 10:14, Krzysztof Benedyczak wrote:
> Dear Willem,
>
> On 19.05.2017 at 13:32, Willem Elbers wrote:
>> Dear Krzysztof,
>>
>> this issue seems to be fixed in 1.9.6, but now we are observing the
>> following behavior.
>>
>> In unity log file we see the following (I've redacted all sensitive
>> information):
>>
>> ==========
>> Routing request to DEFAULT destination /saml2idp-web-consentdecider
>> Unprocessed data from local database:
>> Entity 261:
>>  - [email] ...@clarin.eu
>>  - [persistent] 20...-....-....-....-.....bd
>> In group: /...
>> Groups: [/.../..., /...., /..../...., /..../...., /...., /]
>> Requester: https://clarino.uib.no/
>> Protocol: SAML2:urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
>> Condition OK
>> Returning SSO Authentication error response SAMLResponse with HTTP POST
>> binding to https://clarino.uib.no/feide/assertion-consumer
>> ==========
>>
>> There seems to be an SSO Authentication error response. When looking at
>> the SAML going over the wire, the following is sent from unity to the SP
>> and no attributes are released. The entity does have a persistent id
>> and works with other (shibboleth) SPs:
>>
>> ==========
>> <urn:Response IssueInstant="2017-05-19T11:27:28.332Z"
>>     ID="SAMLY2lib_msg_b7bba6ead014cb17b3652b00fbf2bfbb1b1720afc62aa64d"
>>     Version="2.0"
>>     InResponseTo="_AB05AE52C8A42786AE8FEA16DD59576D"
>>     xmlns:urn="urn:oasis:names:tc:SAML:2.0:protocol"
>>     >
>>   <urn1:Issuer
>>       Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>>       xmlns:urn1="urn:oasis:names:tc:SAML:2.0:assertion"
>>       >https://idm.clarin.eu</urn1:Issuer>
>>   <urn:Status>
>>     <urn:StatusCode
>>         Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
>>     <urn:StatusMessage>[Error: null pointer:
>> idsByType['targetedPersistent'][0]]
>> [Near : {... idsByType['targetedPersistent' ....}]
>>              ^
>> [Line: 1, Column: 1]</urn:StatusMessage>
>>   </urn:Status>
>> </urn:Response>
>> ==========
>>
>> I'm using the following log settings:
>>
>> ==========
>> log4j.logger.unity.server=TRACE
>> log4j.logger.unity.server.saml=TRACE
>> ==========
>>
>> The amount of SAML related log message is quite minimal.
>>
>> Two questions:
>>
>> 1. Any suggestions on how to resolve the SAML issue for this SP?
>
> I guess in your profile you have idsByType['targetedPersistent'][0] and
> from what you have shown in your log there is no such identity type
> extracted from SAML request. So I guess all you need is to change
> targetedPersistent to persistent, which is what your profile gets.
>
> [Side note: you have not shown your saml config and the request so it
> is hard to say why you have persistent, instead of standard one]
>
>>
>> 2. How can we increase the logging of SAML related messages?
>
> For this case translation profile logging set to TRACE may show more.
> However the cause in this case is rather clear.
>
> Best,
> Krzysztof
>
>

--
Willem Elbers
CLARIN ERIC
www.clarin.eu | tel: +31-(0)85-0091277 | skype: wjm.elbers

From: Krzysztof B. <kb...@un...> - 2017-06-07 07:43:59
On 06.06.2017 at 13:36, Shiraz Memon wrote:
> Hi,
>
> The vulnerability has been resolved. The main issue was the incorrect
> cipher suite name. Although the ssllabs server test mentions the
> TLS_RSA_WITH_3DES_EDE_CBC_SHA, alas the correct name
> is SSL_RSA_WITH_3DES_EDE_CBC_SHA and I have guessed that from
> http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SupportedCipherSuites -
> there is no such TLS_RSA.... cipher suite supported in JDK8.

Yeah - the naming of those ciphersuites is very tricky. Good that this was solved.

Cheers
KB

From: Shiraz M. <a....@fz...> - 2017-06-06 11:36:49
Hi,

The vulnerability has been resolved. The main issue was the incorrect cipher suite name. Although the ssllabs server test mentions the TLS_RSA_WITH_3DES_EDE_CBC_SHA, alas the correct name is SSL_RSA_WITH_3DES_EDE_CBC_SHA and I have guessed that from http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SupportedCipherSuites - there is no such TLS_RSA.... cipher suite supported in JDK8.

Cheers,
Shiraz

On Fri, Jun 2, 2017 at 2:16 PM, Shiraz Memon <a....@fz...> wrote:
> Hi Krzysztof,
>
> Unity v1.9.6 (probably underlying jetty) cannot disable the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite despite being declared inside the unityServer.conf, see below, the conf snippet and the ssl test screenshot:
>
> unityServer.core.httpServer.disabledCipherSuites=TLS_ECDHE_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_RC4_128_MD5 SSL_RSA_WITH_RC4_128_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA
>
> [Inline image 1]
>
> Our network dept. is also complaining about this too. Can you guide me how to disable the given cipher?
>
> Thanks,
> Shiraz
>
> --
> Shiraz Memon
> Federated Systems and Data
> Jülich Supercomputing Centre (JSC)
> Phone: +49 2461 61 6899
> Fax: +49 2461 61 6656

--
Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)
Phone: +49 2461 61 6899
Fax: +49 2461 61 6656

------------------------------------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the district court (Amtsgericht) of Dueren, No. HR B 3498
Chairman of the Supervisory Board: MinDir Dr. Karl Eugen Huthmacher
Board of Directors: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Vice-Chairman), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt
------------------------------------------------------------------------------------------------

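The naming mismatch described in the message above can be caught by comparing the configured names with the names the JVM itself reports. The following Python check is an added example, not from the original post or from Unity; the function names are hypothetical, both inputs are constructed samples (a shortened config line modelled on the one in the thread and a small subset of Java 8 suite names), and it assumes that a configured name matching no JVM suite name disables nothing, as the outcome of the thread suggests.

```python
# Markers for the suite families the thread is trying to switch off.
WEAK_MARKERS = ("_3DES_", "_RC4_")

# Constructed sample: a few suite names as a Java 8 JVM reports them.
# In practice this list comes from the JVM that runs the server.
JVM_SUPPORTED = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
]

# Constructed sample: shortened version of the property from the thread.
CONFIG_LINE = (
    "unityServer.core.httpServer.disabledCipherSuites="
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_RC4_128_MD5 "
    "SSL_RSA_WITH_RC4_128_SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA "
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA "
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA"
)


def parse_disabled(config_line):
    """Return the space-separated suite names from a key=value property line."""
    _key, _sep, value = config_line.partition("=")
    return value.split()


def prefix_twin(name):
    """Same suite name with the SSL_/TLS_ prefix swapped, or None."""
    for old, new in (("TLS_", "SSL_"), ("SSL_", "TLS_")):
        if name.startswith(old):
            return new + name[len(old):]
    return None


def audit_disabled_suites(config_line, jvm_supported):
    """Compare configured names with JVM names and list what stays enabled."""
    supported = set(jvm_supported)
    seen, duplicates, unknown = [], [], {}
    for name in parse_disabled(config_line):
        if name in seen:
            if name not in duplicates:
                duplicates.append(name)
            continue
        seen.append(name)
        if name not in supported:
            twin = prefix_twin(name)
            # Suggest the twin only if the JVM really knows it.
            unknown[name] = twin if twin in supported else None
    effective = [n for n in seen if n in supported]
    weak_still_enabled = [
        n for n in jvm_supported
        if any(m in n for m in WEAK_MARKERS) and n not in effective
    ]
    return {
        "effective": effective,
        "unknown": unknown,
        "duplicates": duplicates,
        "weak_still_enabled": weak_still_enabled,
    }


if __name__ == "__main__":
    report = audit_disabled_suites(CONFIG_LINE, JVM_SUPPORTED)
    for name, twin in report["unknown"].items():
        print("not a JVM suite name: %s (JVM name: %s)" % (name, twin or "none found"))
    for name in report["duplicates"]:
        print("listed more than once: %s" % name)
    for name in report["weak_still_enabled"]:
        print("still enabled: %s" % name)
```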
From: Shiraz M. <a....@fz...> - 2017-06-02 12:16:55
Hi Krzysztof,

Unity v1.9.6 (probably underlying jetty) cannot disable the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite despite being declared inside the unityServer.conf, see below, the conf snippet and the ssl test screenshot:

unityServer.core.httpServer.disabledCipherSuites=TLS_ECDHE_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_RC4_128_MD5 SSL_RSA_WITH_RC4_128_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA

[Inline image 1]

Our network dept. is also complaining about this too. Can you guide me how to disable the given cipher?

Thanks,
Shiraz

--
Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)
Phone: +49 2461 61 6899
Fax: +49 2461 61 6656

From: Sander A. <sa....@fz...> - 2017-06-01 05:27:14
Hi Krzysztof,

On Tuesday, 30.05.2017, 08:55 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 29.05.2017 at 12:26, Sander Apweiler wrote:
> > Hi Krzysztof,
> >
> > I want to limit the number of logfiles. I know there is an option
> > log4j.appender.NAME.MaxBackupIndex for RollingFileAppender. I tested
> > with log4j.appender.LOGFILE.MaxBackupIndex=30 but it didn't work. Is
> > there another option to limit the number of logfiles?
>
> Another option is cron ;-)

Sure cron would be an option.

>
> Regarding MaxBackupIndex - what appender do you use precisely?
> org.apache.log4j.RollingFileAppender or
> org.apache.log4j.rolling.RollingFileAppender?
>
> From what I recall (but used it looong ago) MaxBackupIndex was only
> working on the first one. 2nd is from log4j-extras (also included in
> Unity).

I use the second one. Now I know why it did not work.

Thanks for your answer,
Sander

>
> HTH,
> Krzysztof
>
>

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

From: Krzysztof B. <kb...@un...> - 2017-05-31 05:51:20
Hi Goncalo,

On 31.05.2017 at 07:26, Sander Apweiler wrote:
> Hi Goncalo,
>
> We configured eduGain with a Metadata URL. We got the Metadata URL from
> our NREN where we requested the eduGain membership as SP. Our
> configuration in remoteSamlAuth.properties looks like this:
>
> unity.saml.requester.metadataSource.edugain.url=METADATAURL
> unity.saml.requester.metadataSource.edugain.perMetadataTranslationProfile=YOUR_TRANSLATION_PROFILE
> unity.saml.requester.metadataSource.edugain.signaturVerification=require
> unity.saml.requester.metadataSource.edugain.signatureVerificationCertificate=YOUR_CERT_FROM_PKI_PROPERTIES
> unity.saml.requester.metadataSource.edugain.perMetadataRegistrationForm=YOUR_REGISTRATION_FORM
>

A small supplement to what Sander wrote:

-) regarding endpoint: at first you can add the saml authenticator to any of internal Unity endpoints, so its access will be protected by federated login. So you can test the Unity->eduGAIN part alone and the above example config covers this part. After you have this done, you can work on configuring your own SP(s) to authenticate using Unity. Then you will need an endpoint or endpoints in Unity to enable remote authN SP->Unity. Here you won't be forced to use SAML, you can also use OAuth.

-) translation profile configures your mapping of data coming from edugain IdPs to your desired format (you can filter, modify values, names of attributes etc). Typically this is the most difficult part of configuration and most often changed.

Best,
Krzysztof

From: Sander A. <sa....@fz...> - 2017-05-31 05:26:45
Hi Goncalo,

We configured eduGain with a Metadata URL. We got the Metadata URL from our NREN where we requested the eduGain membership as SP. Our configuration in remoteSamlAuth.properties looks like this:

unity.saml.requester.metadataSource.edugain.url=METADATAURL
unity.saml.requester.metadataSource.edugain.perMetadataTranslationProfile=YOUR_TRANSLATION_PROFILE
unity.saml.requester.metadataSource.edugain.signaturVerification=require
unity.saml.requester.metadataSource.edugain.signatureVerificationCertificate=YOUR_CERT_FROM_PKI_PROPERTIES
unity.saml.requester.metadataSource.edugain.perMetadataRegistrationForm=YOUR_REGISTRATION_FORM

Best regards,
Sander

P.S. I'm going to close your EUDAT ticket and refer to this mailing list.

On Tuesday, 30.05.2017, 11:58 +0100, Gonçalo Barata wrote:
> Hi
>
> I’m trying to implement the federated authentication (EDUGAIN), like
> in the documentation, but I’m struggling for days.
> From what I understand I know I need to do this through SAML HTTP-
> POST and HTTP-Redirect bindings.. And I know I must have 2 files
> (SAML Endpoint, SAML Authenticator ), and I know I must enable this
> on unityServer.conf. Can someone point me to the right direction?
>
> Best Regards Gonçalo Barata
>
> Fundação para a Ciência e a Tecnologia Unidade FCCN – Computação
> Científica Nacional
> Av. do Brasil, 101
> 1700-066 Lisboa | Portugal
> Email: gon...@fc...
> http://www.fccn.pt
>
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

From: Gonçalo B. <gon...@fc...> - 2017-05-30 11:18:05
|
Hi

I'm trying to implement the federated authentication (EDUGAIN), like in the documentation, but I'm struggling for days.
From what I understand I know I need to do this through SAML HTTP-POST and HTTP-Redirect bindings.. And I know I must have 2 files (SAML Endpoint, SAML Authenticator ), and I know I must enable this on unityServer.conf. Can someone point me to the right direction?

Best Regards
Gonçalo Barata

Fundação para a Ciência e a Tecnologia
Unidade FCCN – Computação Científica Nacional
Av. do Brasil, 101
1700-066 Lisboa | Portugal
Email: gon...@fc...
http://www.fccn.pt

Confidentiality Notice

This message is intended exclusively for its addressee and may contain CONFIDENTIAL information, the disclosure of which is expressly prohibited by law. If you have received this message in error, please notify us of that fact by this means or by telephone at +351 218440100, and delete its contents immediately.
|
From: Krzysztof B. <kb...@un...> - 2017-05-30 06:55:27
|
Hi Sander,

On 29.05.2017 at 12:26, Sander Apweiler wrote:
> Hi Krzysztof,
>
> I want to limit the number of logfiles. I know there is an option
> log4j.appender.NAME.MaxBackupIndex for RollingFileAppender. I tested
> with log4j.appender.LOGFILE.MaxBackupIndex=30 but it didn't work. Is
> there another option to limit the number of logfiles?

Another option is cron ;-)

Regarding MaxBackupIndex - what appender do you use precisely? org.apache.log4j.RollingFileAppender or org.apache.log4j.rolling.RollingFileAppender? From what I recall (but used it looong ago) MaxBackupIndex was only working on the first one. 2nd is from log4j-extras (also included in Unity).

HTH,
Krzysztof
|
From: Sander A. <sa....@fz...> - 2017-05-29 10:26:56
|
Hi Krzysztof,

I want to limit the number of logfiles. I know there is an option log4j.appender.NAME.MaxBackupIndex for RollingFileAppender. I tested with log4j.appender.LOGFILE.MaxBackupIndex=30 but it didn't work. Is there another option to limit the number of logfiles?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
|
From: Sander A. <sa....@fz...> - 2017-05-17 06:59:26
|
Hi Krzysztof,

sorry for the delay. Thanks a lot for your feedback. I don't think that we need a bulk action for adding attributes.

Best regards,
Sander

On Friday, 12.05.2017, 08:22 +0200, Krzysztof Benedyczak wrote:
> Sander,
>
> On 11.05.2017 at 11:15, Sander Apweiler wrote:
> > Hi Krzysztof,
> >
> > we want to change the type of our email attribute from string into
> > verifiableEmail. We created a new attribute and want to copy the values
> > from the old one to the new one. Because of vacations, business travels
> > and other possible reasons, we do not prefer a copy with REST API.
> >
> > We want to do the mapping with an enquiry form. But in our test the
> > enquiry form did not create a new attribute. The enquiry form has two
> > automatically assigned settings.
> > 1. Auto acceptance of the form
> > 2. Add Attribute mail with expression: attr['email'] (condition: true)
> >
> > I guess the new attribute is not created because attr['email'] is not
> > present. The same setting in registration form works. But in
> > registration form the user enters the attribute 'email'.
> >
> > Is there a way to use existing user attributes in enquiry forms?
>
> Yes, you are guessing correctly: attr is not holding existing user
> attributes, rather those requested. We would need to add existing
> attributes to the enquiry MVEL context for this purpose, which sounds
> like a good idea anyway. Though I think rather in Unity 2 branch where
> this will be easier.
>
> That said, I don't think that enquiry form is the best choice for this
> use case. For automation of user-related tasks we have the bulk entity
> operations feature. So what this calls for is an action set attribute -
> which is a bit of work but shouldn't be too difficult. In context of
> Unity 2 we should add even more powerful feature that will be the
> ultimate solution (even if a bit harder to use): groovy entity
> processor. Then we will have an opportunity to do just everything.
>
> So if you want we can open a ticket for addAttribute bulk action. Anyway
> I'll open 2 tickets for U2: groovy bulk action and adding existing
> attributes to enquiry automation context.
>
> Best
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
|
From: Willem E. <wi...@cl...> - 2017-05-16 06:51:24
|
Hi Krzysztof,

On 16/05/2017 08:39, Krzysztof Benedyczak wrote:
> Hi Willem,
>
> On 15.05.2017 at 16:13, Willem Elbers wrote:
>> Hello Krzysztof,
>>
>> can we customize the date format for dates shown in the UI? Currently
>> they are yy/mm/dd and we would like to have them shown as dd/mm/yy(yy).
>
> Hard to say - as this depends on which dates you are referring to.
> Besides a few exceptions, in general Unity uses default format for the
> locale you use on the server. You can either change it for the server
> or overwrite for Unity only with options
>
Yes I was not very specific but meant the date format in general. Overwriting with JVM options should be sufficient. I will test this.

> -Duser.country=CA -Duser.language=fr
> (in startup.properties, the OPTS variable)
>
> We can rather easily give a possibility to configure date format,
> however this would need rather complex setup. Sometimes we display
> only "short" date, sometimes short date+time, sometimes full date+time
> etc.
>
I expect the global format to be sufficient for our needs. If not I'll come back to you.

> Best,
> Krzysztof

Best,
Willem

--
Willem Elbers
CLARIN ERIC
www.clarin.eu | skype: wjm.elbers
|
From: Krzysztof B. <kb...@un...> - 2017-05-16 06:39:30
|
Hi Willem,

On 15.05.2017 at 16:13, Willem Elbers wrote:
> Hello Krzysztof,
>
> can we customize the date format for dates shown in the UI? Currently
> they are yy/mm/dd and we would like to have them shown as dd/mm/yy(yy).

Hard to say - as this depends on which dates you are referring to. Besides a few exceptions, in general Unity uses default format for the locale you use on the server. You can either change it for the server or overwrite for Unity only with options

-Duser.country=CA -Duser.language=fr
(in startup.properties, the OPTS variable)

We can rather easily give a possibility to configure date format, however this would need rather complex setup. Sometimes we display only "short" date, sometimes short date+time, sometimes full date+time etc.

Best,
Krzysztof
|
From: Willem E. <wi...@cl...> - 2017-05-15 14:13:16
|
Hello Krzysztof,

can we customize the date format for dates shown in the UI? Currently they are yy/mm/dd and we would like to have them shown as dd/mm/yy(yy).

Best,
Willem

--
Willem Elbers
CLARIN ERIC
www.clarin.eu | skype: wjm.elbers
|
From: Krzysztof B. <kb...@un...> - 2017-05-12 06:22:23
|
Sander,

On 11.05.2017 at 11:15, Sander Apweiler wrote:
> Hi Krzysztof,
>
> we want to change the type of our email attribute from string into
> verifiableEmail. We created a new attribute and want to copy the values
> from the old one to the new one. Because of vacations, business travels
> and other possible reasons, we do not prefer a copy with REST API.
>
> We want to do the mapping with an enquiry form. But in our test the
> enquiry form did not create a new attribute. The enquiry form has two
> automatically assigned settings.
> 1. Auto acceptance of the form
> 2. Add Attribute mail with expression: attr['email'] (condition: true)
>
> I guess the new attribute is not created because attr['email'] is not
> present. The same setting in registration form works. But in
> registration form the user enters the attribute 'email'.
>
> Is there a way to use existing user attributes in enquiry forms?

Yes, you are guessing correctly: attr is not holding existing user attributes, rather those requested. We would need to add existing attributes to the enquiry MVEL context for this purpose, which sounds like a good idea anyway. Though I think rather in Unity 2 branch where this will be easier.

That said, I don't think that enquiry form is the best choice for this use case. For automation of user-related tasks we have the bulk entity operations feature. So what this calls for is an action set attribute - which is a bit of work but shouldn't be too difficult. In context of Unity 2 we should add even more powerful feature that will be the ultimate solution (even if a bit harder to use): groovy entity processor. Then we will have an opportunity to do just everything.

So if you want we can open a ticket for addAttribute bulk action. Anyway I'll open 2 tickets for U2: groovy bulk action and adding existing attributes to enquiry automation context.

Best
Krzysztof
|
From: Sander A. <sa....@fz...> - 2017-05-11 09:15:45
|
Hi Krzysztof,

we want to change the type of our email attribute from string into verifiableEmail. We created a new attribute and want to copy the values from the old one to the new one. Because of vacations, business travels and other possible reasons, we do not prefer a copy with REST API.

We want to do the mapping with an enquiry form. But in our test the enquiry form did not create a new attribute. The enquiry form has two automatically assigned settings.
1. Auto acceptance of the form
2. Add Attribute mail with expression: attr['email'] (condition: true)

I guess the new attribute is not created because attr['email'] is not present. The same setting in registration form works. But in registration form the user enters the attribute 'email'.

Is there a way to use existing user attributes in enquiry forms?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
|