From: Krzysztof B. <kb...@un...> - 2017-05-08 07:40:14
Dear All,

Unfortunately the release 1.9.6 introduced a problem related to loading of certain output profiles which were created with earlier versions. A loud error is logged if you are affected, similar to this one:

ERROR unity.server.TranslationActionInstance - Can not load action createAttribute with parameters: [.....]. This action will be ignored during profile's execution. Fix the action definition.

Fixing the issue in the majority of cases is very simple:

1) Open Admin UI, go to Server Management->Translation profiles->Output profiles
2) Open each of your output profiles for editing (Edit option) and simply save it just after opening (OK button)

Note that there is one case where you have to actually fix one thing manually in the profile's definition. If you use the *create persisted attribute* action, then for each such action please verify the *group* for the persisted attribute. By default it will be reset to '/'.

I'm sorry for the inconvenience. At the same time thanks to Shiraz for noticing this issue.

Best regards,
Krzysztof
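An added example (not part of the original message, and not Unity's own code): a small Python triage script that pulls these errors out of a server log and lists each distinct broken action once, so it is clear which actions to look for when re-saving output profiles. The log layout and the sample lines are constructed from the error text quoted in this thread; the function names are hypothetical.

```python
import re
from collections import OrderedDict

# Constructed sample: log lines in the shape of the errors quoted on this list
# (mail line-wrapping undone, stack frames dropped, last three lines invented).
SAMPLE_LOG = """\
2017-04-27 17:58:45,973 [qtp8633103-38] ERROR unity.server.TranslationActionInstance - Can not load action createAttribute with parameters: [urn:oid:2.5.4.49, '/C=DE/L=Juelich/O=FZJ/OU=JSC/CN=' + idsByType['persistent'][0] + '/CN='+attr['cn']]. This action will be ignored during profile's execution. Fix the action definition.
java.lang.IllegalArgumentException: Action requires min 3 parameters
2017-04-27 18:01:01,994 [qtp8633103-38] ERROR unity.server.TranslationActionInstance - Can not load action createAttribute with parameters: [memberOf, groups]. This action will be ignored during profile's execution.
2017-04-27 18:01:02,101 [qtp8633103-41] ERROR unity.server.TranslationActionInstance - Can not load action createAttribute with parameters: [memberOf, groups]. This action will be ignored during profile's execution.
2017-04-27 18:01:03,000 [qtp8633103-41] INFO unity.server.Example - unrelated line
"""

# Matches the start of the error up to and including the '[' that opens
# the parameter list.
MARKER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) .*?"
    r"ERROR unity\.server\.TranslationActionInstance - "
    r"Can not load action (?P<action>\w+) with parameters: \["
)


def split_params(text, start):
    """Split the bracketed parameter list whose '[' sits at text[start - 1].

    Expressions such as idsByType['persistent'][0] contain their own brackets
    and quotes, so a regex like \\[(.*?)\\] would cut the list short. Track
    bracket depth and single-quoted strings instead. Returns None if the list
    is never closed (a truncated line).
    """
    params, cur, depth, in_quote = [], [], 1, False
    for ch in text[start:]:
        if ch == "'":
            in_quote = not in_quote
        elif not in_quote:
            if ch == "[":
                depth += 1
            elif ch == "]":
                depth -= 1
                if depth == 0:
                    params.append("".join(cur).strip())
                    return params
            elif ch == "," and depth == 1:
                params.append("".join(cur).strip())
                cur = []
                continue
        cur.append(ch)
    return None


def triage(log_text):
    """Return one record per distinct (action, parameters) pair, in log order."""
    findings = OrderedDict()
    for line in log_text.splitlines():
        m = MARKER.match(line)
        if not m:
            continue
        params = split_params(line, m.end())
        if params is None:
            params = ["<unparsed>"]
        key = (m.group("action"), tuple(params))
        entry = findings.setdefault(key, {
            "action": m.group("action"),
            "params": params,
            "count": 0,
            "first_seen": m.group("ts"),
        })
        entry["count"] += 1
    return list(findings.values())


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%s x%d (first %s)" % (f["action"], f["count"], f["first_seen"]))
        for p in f["params"]:
            print("    " + p)
```
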
From: Willem E. <wi...@cl...> - 2017-05-08 07:29:35
Hi Krzysztof, Shiraz,

+1 for toggle behavior. An alternative could be to show a popup with the full text. If toggle behavior is added, a toggle all option might also be useful.

Best,
Willem

On 05/05/2017 16:55, Shiraz Memon wrote:
> Krzysztof,
>
> On Thu, May 4, 2017 at 8:54 PM, Krzysztof Benedyczak <kb...@un...> wrote:
>
> Willem, Shiraz,
>
> On 01.05.2017 at 13:03, Willem Elbers wrote:
> > Dear Krzysztof,
> >
> > we have noticed that for one of our attributes (unlimited free text), supplied via a registration form, the content is truncated "[...]" in the accept registration window.
> >
> > Is there any way to view the full content of the attribute, before accepting the request from the UI?
>
> Right, this is something to be improved. We have a special reusable component used to display attribute with values. It truncates the values, in different ways to fit to the UI without cluttering it.
>
> What I can propose:
> a) currently attribute's type description (if present) is added as a tooltip for all the values. We can assign it to the attribute name only and on values add the full text representation.
>
> b) in selected cases (as those two that you mentioned) we can change the UI to put the full representation.
>
> With proposal a (if I understand it correctly) users have to go through multiple truncated attributes (if there are many) one by one and wait for the tooltip to appear, I'd prefer proposal b instead to show the whole attribute value(s), ideally without cluttering.
>
> If you have any better ideas please write,
>
> Perhaps enhanced b with toggle behavior, that is, expanding the value by clicking the [...] or [>] or [+] and hide back after the second mouse click, do you think it makes sense and/or technically feasible. However, other ideas from the subscribers of this list are most welcome.
>
> Cheers,
> Shiraz
>
> Krzysztof
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
>
> --
> Shiraz Memon
> Federated Systems and Data
> Jülich Supercomputing Centre (JSC)
>
> Phone: +49 2461 61 6899
> Fax: +49 2461 61 6656
>
> ------------------------------------------------------------------------------------------------
> ------------------------------------------------------------------------------------------------
> Forschungszentrum Juelich GmbH
> 52425 Juelich
> Registered office: Juelich
> Registered in the commercial register of the Amtsgericht Dueren, No. HR B 3498
> Chairman of the Supervisory Board: MinDir Dr. Karl Eugen Huthmacher
> Management Board: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt
> ------------------------------------------------------------------------------------------------
> ------------------------------------------------------------------------------------------------

--
Willem Elbers
CLARIN ERIC
www.clarin.eu | tel: +31-(0)85-0091277 | skype: wjm.elbers
From: Krzysztof B. <kb...@un...> - 2017-05-05 19:40:36
Hi Tim,

On 05.05.2017 at 10:14, Tim Kreuzer wrote:
> Hi Krzysztof,
>
> Sander and I are working together on this.
>
> We send a Bearer access-token to UNICORE, which includes the user information (tested by a manual HTTP Get-Request to /oauth2/tokeninfo and /oauth2/userinfo). We assume UNICORE is forwarding this token properly to unity (based on attached log - line 229), but we'll take a closer look at it. I updated the log4j.properties file to
>
> ...
> log4j.logger.unity.server=DEBUG
> log4j.logger.unity.server.oauth=TRACE
> log4j.logger.unity.server.rest=TRACE
> log4j.logger.unity.server.ws=TRACE
> ...
>
> and attached the result. This test was done with
>
> ...
> unity.oauth2-rp.verificationProtocol=internal
> ...
>
> and no defined unity.oauth2-rp.profileEndpoint (see attached log - line 230).

Yeah, this is clear now. What is happening:

1) your token is sent by Unicore, and is validated fine
2) as you wrote the token verification is not using any profile URL. The result is that the data you associate with OAuth access token (using output profile) is never used. The only input OAuth verificator gets is the access token (it is verified).
3) Identity of the access token owner is an extra data provided out of the box by the internal token validator after it validates successfully the access token.
4) your input translation profile tries to match the obtained data about access token owner assuming that you have the x500Name attribute. But this attribute is absent - as said in (3) you have only the token's owner identity, nothing more.

So the harder way to fix this scenario is to configure getting the owner's data from the tokeninfo endpoint, i.e. the data associated with the access token by use of output profile. However this is an overkill in this situation: it would be useful if the token verification would be done remotely.

As verification is done on the same server that issued the token you can simplify: your input profile can reuse the owner's identifier to match the remote person to the local one (as in this scenario the remote person is also the local one so the matching is trivial). And at this point you have everything you need - a complete entity.

Action: mapIdentity
unityIdentityType: identifier
expression: id

(and you don't need the _CREATE flag, as this match will always work besides the case when the access token issuer is deleted between UNICORE manages to submit the request)

Also the output profile is not necessary then as you have the local access to all attributes. Then UNICORE call is both authenticated as done by the original issuer and the answer (SOAP) will have the data for that principal.

HTH,
Krzysztof
From: Shiraz M. <a....@fz...> - 2017-05-05 15:38:42
Hi,

On Fri, May 5, 2017 at 5:18 PM, Krzysztof Benedyczak <kb...@un...> wrote:
> Hi,
>
> On 05.05.2017 at 15:11, Shiraz Memon wrote:
> > Hi Krzysztof,
> >
> > I have configured unity to redirect to home ui, if the uri/context-path is set to /, below is the config
> >
> > unityServer.core.endpoints.4.endpointType=UserHomeUI
> > unityServer.core.endpoints.4.endpointConfigurationFile=conf/endpoints/userhome.properties
> > unityServer.core.endpoints.4.contextPath=/
> > ...
> >
> > Now, with / and /home uri unity redirects to the home ui without issues, however /home/home leads to the following bootstrap error, which is upsetting our existing users who are still not aware of the new uri.
> >
> > Inline image 1
> >
> > Is it an intended behavior. Contrarily /admin and /admin/admin works without any issues whatsoever, might be the admin ui is not configured for the root / path.
>
> No, Unity won't work if you set contextPath of an endpoint to '/'. This creates unsolvable routing and cookie issues. If you want to have home attached to the root address you can configure the new redirect option (unityServer.core.defaultWebPath), so that user entering https://unity.example.com will be redirected automatically to https://unity.example.com/home

Great, setting the context & default Web path correctly has actually solved both: logo and javascript loading issues.

Many thanks,
Shiraz

> Cheers,
> Krzysztof

--
Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)

Phone: +49 2461 61 6899
Fax: +49 2461 61 6656
From: Krzysztof B. <kb...@un...> - 2017-05-05 15:19:07
Hi,

On 05.05.2017 at 15:11, Shiraz Memon wrote:
> Hi Krzysztof,
>
> I have configured unity to redirect to home ui, if the uri/context-path is set to /, below is the config
>
> unityServer.core.endpoints.4.endpointType=UserHomeUI
> unityServer.core.endpoints.4.endpointConfigurationFile=conf/endpoints/userhome.properties
> unityServer.core.endpoints.4.contextPath=/
> ...
>
> Now, with / and /home uri unity redirects to the home ui without issues, however /home/home leads to the following bootstrap error, which is upsetting our existing users who are still not aware of the new uri.
>
> Inline image 1
>
> Is it an intended behavior. Contrarily /admin and /admin/admin works without any issues whatsoever, might be the admin ui is not configured for the root / path.

No, Unity won't work if you set contextPath of an endpoint to '/'. This creates unsolvable routing and cookie issues. If you want to have home attached to the root address you can configure the new redirect option (unityServer.core.defaultWebPath), so that user entering https://unity.example.com will be redirected automatically to https://unity.example.com/home

Cheers,
Krzysztof
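An added example (not from the original message or from the Unity project): a Python check for the misconfiguration described above. It flags any endpoint whose contextPath is '/' and lists the other endpoint paths it would also cover, using the RFC 6265 cookie path-match rule as a model of the overlap. Assumptions: cookies are scoped to the endpoint's context path, unityServer.core.defaultWebPath takes a path such as /home, and both sample configurations are constructed.

```python
import re

ENDPOINT_KEY = re.compile(r"^unityServer\.core\.endpoints\.(\d+)\.(\w+)$")
DEFAULT_WEB_PATH = "unityServer.core.defaultWebPath"

# Constructed sample, modelled on the endpoint block quoted in this thread.
SAMPLE_CONF = """\
# constructed sample: home UI mounted on the root path
unityServer.core.endpoints.1.contextPath=/admin
unityServer.core.endpoints.4.endpointType=UserHomeUI
unityServer.core.endpoints.4.endpointConfigurationFile=conf/endpoints/userhome.properties
unityServer.core.endpoints.4.contextPath=/
"""

# Constructed sample of the corrected setup: home UI on /home plus the
# redirect option. The value format of defaultWebPath is an assumption.
FIXED_CONF = """\
unityServer.core.defaultWebPath=/home
unityServer.core.endpoints.1.contextPath=/admin
unityServer.core.endpoints.4.endpointType=UserHomeUI
unityServer.core.endpoints.4.endpointConfigurationFile=conf/endpoints/userhome.properties
unityServer.core.endpoints.4.contextPath=/home
"""


def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4: would a cookie with this Path be sent here?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def parse(conf_text):
    """Read key=value lines; return ({endpoint index: {key: value}}, defaultWebPath)."""
    endpoints, default_path = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == DEFAULT_WEB_PATH:
            default_path = value
            continue
        m = ENDPOINT_KEY.match(key)
        if m:
            endpoints.setdefault(int(m.group(1)), {})[m.group(2)] = value
    return endpoints, default_path


def lint(conf_text):
    """Return findings for root-mounted endpoints and a dangling default path."""
    endpoints, default_path = parse(conf_text)
    paths = {i: ep["contextPath"] for i, ep in endpoints.items()
             if "contextPath" in ep}
    findings = []
    for idx, path in sorted(paths.items()):
        if path in ("", "/"):
            # Every other endpoint path that a Path=/ cookie (or a root
            # route) would also match.
            covered = sorted(p for i, p in paths.items()
                             if i != idx and path_match(p, "/"))
            findings.append({"endpoint": idx,
                             "issue": "root-context-path",
                             "also_matches": covered})
    if default_path is not None and default_path not in paths.values():
        findings.append({"endpoint": None,
                         "issue": "default-web-path-has-no-endpoint",
                         "also_matches": []})
    return findings


if __name__ == "__main__":
    for label, conf in (("before", SAMPLE_CONF), ("after", FIXED_CONF)):
        print(label, lint(conf))
```
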
From: Shiraz M. <a....@fz...> - 2017-05-05 14:56:26
Krzysztof,

On Thu, May 4, 2017 at 8:54 PM, Krzysztof Benedyczak <kb...@un...> wrote:
> Willem, Shiraz,
>
> On 01.05.2017 at 13:03, Willem Elbers wrote:
> > Dear Krzysztof,
> >
> > we have noticed that for one of our attributes (unlimited free text), supplied via a registration form, the content is truncated "[...]" in the accept registration window.
> >
> > Is there any way to view the full content of the attribute, before accepting the request from the UI?
>
> Right, this is something to be improved. We have a special reusable component used to display attribute with values. It truncates the values, in different ways to fit to the UI without cluttering it.
>
> What I can propose:
> a) currently attribute's type description (if present) is added as a tooltip for all the values. We can assign it to the attribute name only and on values add the full text representation.
>
> b) in selected cases (as those two that you mentioned) we can change the UI to put the full representation.

With proposal a (if I understand it correctly) users have to go through multiple truncated attributes (if there are many) one by one and wait for the tooltip to appear, I'd prefer proposal b instead to show the whole attribute value(s), ideally without cluttering.

> If you have any better ideas please write,

Perhaps enhanced b with toggle behavior, that is, expanding the value by clicking the [...] or [>] or [+] and hide back after the second mouse click, do you think it makes sense and/or technically feasible. However, other ideas from the subscribers of this list are most welcome.

Cheers,
Shiraz

> Krzysztof

--
Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)

Phone: +49 2461 61 6899
Fax: +49 2461 61 6656
From: Shiraz M. <a....@fz...> - 2017-05-05 13:25:12
Hi Krzysztof,

Our custom logo has disappeared after updating from v1.9.5 to v1.9.6, I had replaced the latter's webContents directory with the former distribution during the update process. Is there anything I should add/change to bring back the logo?

v1.9.5
[Inline image 1]

v1.9.6
[Inline image 2]

Cheers,
Shiraz

--
Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)

Phone: +49 2461 61 6899
Fax: +49 2461 61 6656
From: Shiraz M. <a....@fz...> - 2017-05-05 13:12:18
Hi Krzysztof,

I have configured unity to redirect to home ui, if the uri/context-path is set to /, below is the config

unityServer.core.endpoints.4.endpointType=UserHomeUI
unityServer.core.endpoints.4.endpointConfigurationFile=conf/endpoints/userhome.properties
unityServer.core.endpoints.4.contextPath=/
...

Now, with / and /home uri unity redirects to the home ui without issues, however /home/home leads to the following bootstrap error, which is upsetting our existing users who are still not aware of the new uri.

[Inline image 1]

Is it an intended behavior. Contrarily /admin and /admin/admin works without any issues whatsoever, might be the admin ui is not configured for the root / path.

Cheers,
Shiraz

--
Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)

Phone: +49 2461 61 6899
Fax: +49 2461 61 6656
From: Tim K. <t.k...@fz...> - 2017-05-05 08:14:38
Hi Krzysztof,

Sander and I are working together on this.

On 04.05.2017 20:35, Krzysztof Benedyczak wrote:
> hi Sander,
>
> On 04.05.2017 at 15:22, Sander Apweiler wrote:
>> Hi Krzysztof,
>>
>> we want to start unicore jobs by jupyterhub server authenticated by unity.
> Sounds interesting :-)
>
>> The users sign into jupyterhub by unity (with oauth authorization server). This authentication works fine. The generated token is transferred to unicore. Unicore should use this token to request user attributes from unity. While this request unity throws an AuthenticationException because of an anonymous principal.
> Are you sure that UNICORE part does this job properly and the *access token* is indeed added to the HTTP Auth header properly? If this is the case can you enable TRACE logging (on the rest (the first stage - picking up the token from the request) and oauth (actual verification) loggers plus maybe also ws) and check whether this token is picked up by Unity at all and then checked? We should know at which stage the authentication of UNICORE request fails.

We send a Bearer access-token to UNICORE, which includes the user information (tested by a manual HTTP Get-Request to /oauth2/tokeninfo and /oauth2/userinfo). We assume UNICORE is forwarding this token properly to unity (based on attached log - line 229), but we'll take a closer look at it. I updated the log4j.properties file to

...
log4j.logger.unity.server=DEBUG
log4j.logger.unity.server.oauth=TRACE
log4j.logger.unity.server.rest=TRACE
log4j.logger.unity.server.ws=TRACE
...

and attached the result. This test was done with

...
unity.oauth2-rp.verificationProtocol=internal
...

and no defined unity.oauth2-rp.profileEndpoint (see attached log - line 230).

> [CUT]
>
>> Why do we need an input translation profile for internal oauth resource provider?
> This is a generic feature - Unity isolates endpoints and authenticators, so internal verification is separate part to what you map the client to. But yes - for this special case when unity validates a token issued by itself so is both OAuth AS and RP we may think about some simplified config - i.e. map to the owner of the access token and do not perform any modification.
>
>> If we define the userinfo endpoint to unity itself, unity rejects the request because it does not trust his own demo certificate. (SunCertPathBuilderException: unable to find valid certification path to requested target)
>> Do you have any hint for us?
> I'm sure what do you precisely mean by "define the userinfo endpoint to unity itself" but in general when not using the internal verification (which uses the internal API call) but any other mean then the network connection is made and true - you can get any sort of TLS error. Authenticator's truststore (httpClientTruststore property) needs to include CA certificate of the unity server certificate (which is used by the oauth endpoint).
>
> Best
> Krzysztof

Thanks and best regards,
Tim Kreuzer
From: Krzysztof B. <kb...@un...> - 2017-05-04 18:55:06
Willem, Shiraz,

On 01.05.2017 at 13:03, Willem Elbers wrote:
> Dear Krzysztof,
>
> we have noticed that for one of our attributes (unlimited free text), supplied via a registration form, the content is truncated "[...]" in the accept registration window.
>
> Is there any way to view the full content of the attribute, before accepting the request from the UI?

Right, this is something to be improved. We have a special reusable component used to display attribute with values. It truncates the values, in different ways to fit to the UI without cluttering it.

What I can propose:
a) currently attribute's type description (if present) is added as a tooltip for all the values. We can assign it to the attribute name only and on values add the full text representation.

b) in selected cases (as those two that you mentioned) we can change the UI to put the full representation.

If you have any better ideas please write,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2017-05-04 18:35:54
hi Sander,

On 04.05.2017 at 15:22, Sander Apweiler wrote:
> Hi Krzysztof,
>
> we want to start unicore jobs by jupyterhub server authenticated by unity.

Sounds interesting :-)

> The users sign into jupyterhub by unity (with oauth authorization server). This authentication works fine. The generated token is transferred to unicore. Unicore should use this token to request user attributes from unity. While this request unity throws an AuthenticationException because of an anonymous principal.

Are you sure that UNICORE part does this job properly and the *access token* is indeed added to the HTTP Auth header properly? If this is the case can you enable TRACE logging (on the rest (the first stage - picking up the token from the request) and oauth (actual verification) loggers plus maybe also ws) and check whether this token is picked up by Unity at all and then checked? We should know at which stage the authentication of UNICORE request fails.

[CUT]

> Why do we need an input translation profile for internal oauth resource provider?

This is a generic feature - Unity isolates endpoints and authenticators, so internal verification is separate part to what you map the client to. But yes - for this special case when unity validates a token issued by itself so is both OAuth AS and RP we may think about some simplified config - i.e. map to the owner of the access token and do not perform any modification.

> If we define the userinfo endpoint to unity itself, unity rejects the request because it does not trust his own demo certificate. (SunCertPathBuilderException: unable to find valid certification path to requested target)
> Do you have any hint for us?

I'm sure what do you precisely mean by "define the userinfo endpoint to unity itself" but in general when not using the internal verification (which uses the internal API call) but any other mean then the network connection is made and true - you can get any sort of TLS error. Authenticator's truststore (httpClientTruststore property) needs to include CA certificate of the unity server certificate (which is used by the oauth endpoint).

Best
Krzysztof
From: Sander A. <sa....@fz...> - 2017-05-04 13:23:21
Hi Krzysztof,

we want to start unicore jobs by jupyterhub server authenticated by unity. The users sign into jupyterhub by unity (with oauth authorization server). This authentication works fine. The generated token is transferred to unicore. Unicore should use this token to request user attributes from unity. While this request unity throws an AuthenticationException because of an anonymous principal.

Our configurations are:

oauth-rp authenticator:
unityServer.core.authenticators.6.authenticatorName=oauthRP-cxf
unityServer.core.authenticators.6.authenticatorType=oauth-rp with cxf-oauth-bearer
unityServer.core.authenticators.6.retrievalConfigurationFile=conf/authenticators/empty.json
unityServer.core.authenticators.6.verificatorConfigurationFile=conf/authenticators/internalOAuthRP.properties

internalOAuthRP.properties:
unity.oauth2-rp.verificationProtocol=internal
unity.oauth2-rp.translationProfile=inputProfileOAuth
unity.oauth2-rp.clientSecret=bogus
unity.oauth2-rp.httpClientHostnameChecking=WARN

SAML Unicore endpoint:
unityServer.core.endpoints.11.endpointType=SAMLUnicoreSoapIdP
unityServer.core.endpoints.11.endpointConfigurationFile=conf/endpoints/saml-webidp.properties
unityServer.core.endpoints.11.contextPath=/unicore-soapidp-oidc
unityServer.core.endpoints.11.endpointRealm=defaultRealm
unityServer.core.endpoints.11.endpointName=UNITY UNICORE OIDC SOAP SAML service
unityServer.core.endpoints.11.endpointAuthenticators=oauthRP-cxf

output translation profile for oauth authorization server:
1: condition true
   Action: createAttribute
   attribute name: urn:jupyterhub:username
   expression: idsByType['userName']
2: condition true
   Action: createAttribute
   attribute name: userName
   expression: idsByType['userName']
3: condition true
   Action: createAttribute
   attribute name: x500Name
   expression: idsByType['x500Name']

Input translation profile for oauth-rp:
1: condition true
   Action: mapIdentity
   unityIdentityType: x500Name
   expression: attr['x500Name']
   credential requirement: Password requirement
   effect: CREATE_OR_MATCH

Why do we need an input translation profile for internal oauth resource provider? If we define the userinfo endpoint to unity itself, unity rejects the request because it does not trust his own demo certificate. (SunCertPathBuilderException: unable to find valid certification path to requested target)
Do you have any hint for us?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Shiraz M. <a....@fz...> - 2017-05-02 07:29:56
Hi Krzysztof / Willem,

Similar behavior has been observed when a user consent screen is shown, see second last row in the snapshot below.

[Inline image 1]

Cheers,
Shiraz

On Mon, May 1, 2017 at 1:03 PM, Willem Elbers <wi...@cl...> wrote:
> Dear Krzysztof,
>
> we have noticed that for one of our attributes (unlimited free text), supplied via a registration form, the content is truncated "[...]" in the accept registration window.
>
> Is there any way to view the full content of the attribute, before accepting the request from the UI?
>
> Best,
> Willem
>
> --
> Willem Elbers
> CLARIN ERIC
> www.clarin.eu | tel: +31-(0)85-0091277 | skype: wjm.elbers

--
Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)

Phone: +49 2461 61 6899
Fax: +49 2461 61 6656
From: Willem E. <wi...@cl...> - 2017-05-01 11:03:53
Dear Krzysztof,

we have noticed that for one of our attributes (unlimited free text), supplied via a registration form, the content is truncated "[...]" in the accept registration window.

Is there any way to view the full content of the attribute, before accepting the request from the UI?

Best,
Willem

--
Willem Elbers
CLARIN ERIC
www.clarin.eu | tel: +31-(0)85-0091277 | skype: wjm.elbers
From: Roman K. <rkr...@gm...> - 2017-04-28 07:42:31
|
Hi Shiraz,

I'm glad that the problem was solved. I'll open the ticket to investigate this, so this is not forgotten.

Thank you,
Roman

--
Roman
Nothing is impossible; impossible itself says "I m possible"... |
From: Shiraz M. <a....@fz...> - 2017-04-27 16:36:40
|
Hi Krzysztof,

The problems have been resolved by deleting the unused translation profiles. But still wonder why did that happen.

Cheers,
Shiraz

--
Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)

Phone: +49 2461 61 6899
Fax: +49 2461 61 6656

------------------------------------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Amtsgericht Dueren, No. HR B 3498
Chairman of the Supervisory Board: MinDir Dr. Karl Eugen Huthmacher
Board of Directors: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman),
Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt,
Prof. Dr. Sebastian M. Schmidt
------------------------------------------------------------------------------------------------ |
From: Shiraz M. <a....@fz...> - 2017-04-27 16:10:41
|
Hi Krzysztof,

I have seen a number of errors in log file, they are mostly related to (output(?)) translation profile. This happens when I had started the unity server after upgrading from v1.9.5.

2017-04-27 17:58:45,973 [qtp8633103-38] ERROR unity.server.TranslationActionInstance - Can not load action createAttribute with parameters: [urn:oid:2.5.4.49, '/C=DE/L=Juelich/O=FZJ/OU=JSC/CN=' + idsByType['persistent'][0] + '/CN='+attr['cn']]. This action will be ignored during profile's execution. Fix the action definition. This problem can occur after system reconfiguration when action definition becomes obsolete (e.g. using not existing attribute)
java.lang.IllegalArgumentException: Action requires min 3 parameters
    at pl.edu.icm.unity.stdext.translation.out.CreateAttributeActionFactory$CreateAttributeAction.setParameters(CreateAttributeActionFactory.java:124)
    ...

2017-04-27 18:01:01,994 [qtp8633103-38] ERROR unity.server.TranslationActionInstance - Can not load action createAttribute with parameters: [urn:oid:1.3.6.1.4.1.5923.1.1.1.13, idsByType['persistent']]. This action will be ignored during profile's execution. Fix the action definition. This problem can occur after system reconfiguration when action definition becomes obsolete (e.g. using not existing attribute)
java.lang.IllegalArgumentException: Action requires min 3 parameters
    at pl.edu.icm.unity.stdext.translation.out.CreateAttributeActionFactory$CreateAttributeAction.setParameters(CreateAttributeActionFactory.java:124)
    at pl.edu.icm.unity.stdext.translation.out.CreateAttributeActionFactory$CreateAttributeAction.<init>(CreateAttributeActionFactory.java:83)
    at pl.edu.icm.unity.stdext.translation.out.CreateAttributeActionFactory.getInstance(CreateAttributeActionFactory.java:68)
    at pl.edu.icm.unity.stdext.translation.out.CreateAttributeActionFactory.getInstance(CreateAttributeActionFactory.java:35)
    at pl.edu.icm.unity.server.translation.TranslationProfileInstance.loadAction(TranslationProfileInstance.java:80)
    at pl.edu.icm.unity.server.translation.TranslationProfileInstance.initInstance(TranslationProfileInstance.java:66)
    at pl.edu.icm.unity.server.translation.TranslationProfileInstance.<init>(TranslationProfileInstance.java:39)
    at pl.edu.icm.unity.server.translation.out.OutputTranslationProfile.<init>(OutputTranslationProfile.java:53)
    at pl.edu.icm.unity.engine.TranslationProfileManagementImpl.makeInstance(TranslationProfileManagementImpl.java:135)
    at pl.edu.icm.unity.engine.TranslationProfileManagementImpl.listProfiles(TranslationProfileManagementImpl.java:121)
    at pl.edu.icm.unity.engine.TranslationProfileManagementImpl.listOutputProfiles(TranslationProfileManagementImpl.java:107)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    ....

2017-04-27 18:01:01,994 [qtp8633103-38] ERROR unity.server.TranslationActionInstance - Can not load action createAttribute with parameters: [memberOf, groups]. This action will be ignored during profile's execution. Fix the action definition. This problem can occur after system reconfiguration when action definition becomes obsolete (e.g. using not existing attribute)
java.lang.IllegalArgumentException: Action requires min 3 parameters
    at pl.edu.icm.unity.stdext.translation.out.CreateAttributeActionFactory$CreateAttributeAction.setParameters(CreateAttributeActionFactory.java:124)
    at pl.edu.icm.unity.stdext.translation.out.CreateAttributeActionFactory$CreateAttributeAction.<init>(CreateAttributeActionFactory.java:83)
    at pl.edu.icm.unity.stdext.translation.out.CreateAttributeActionFactory.getInstance(CreateAttributeActionFactory.java:68)
    at pl.edu.icm.unity.stdext.translation.out.CreateAttributeActionFactory.getInstance(CreateAttributeActionFactory.java:35)
    ...
many more

Maybe I have forgotten something while upgrading the release? Do you have any hints how to resolve them?

Best,
Shiraz

--
Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)

Phone: +49 2461 61 6899
Fax: +49 2461 61 6656 |
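The errors quoted in the message above can be pulled out of a server log mechanically, which helps to confirm after an upgrade that no output profile is still running with actions dropped. The following Python scan is an added example, not part of the original thread and not Unity code; the sample log is constructed from the lines quoted here, and reading the first parameter as the attribute name is an assumption.

```python
import re

# Constructed sample: two entries modelled on the log lines quoted in this
# thread (mail line-wrapping undone), plus one unrelated line.
SAMPLE_LOG = (
    "2017-04-27 17:58:45,973 [qtp8633103-38] ERROR unity.server.TranslationActionInstance - "
    "Can not load action createAttribute with parameters: [urn:oid:2.5.4.49, "
    "'/C=DE/L=Juelich/O=FZJ/OU=JSC/CN=' + idsByType['persistent'][0] + '/CN='+attr['cn']]. "
    "This action will be ignored during profile's execution. Fix the action definition.\n"
    "java.lang.IllegalArgumentException: Action requires min 3 parameters\n"
    "\tat pl.edu.icm.unity.stdext.translation.out.CreateAttributeActionFactory"
    "$CreateAttributeAction.setParameters(CreateAttributeActionFactory.java:124)\n"
    "2017-04-27 18:01:01,994 [qtp8633103-38] ERROR unity.server.TranslationActionInstance - "
    "Can not load action createAttribute with parameters: [memberOf, groups]. "
    "This action will be ignored during profile's execution. Fix the action definition.\n"
    "java.lang.IllegalArgumentException: Action requires min 3 parameters\n"
    "2017-04-27 18:01:02,100 [qtp8633103-38] INFO unity.server.Example - unrelated line\n"
)

# Header of an "action could not be loaded" entry. The parameter list may itself
# contain ']' (e.g. idsByType['persistent'][0]), so match greedily up to the
# fixed sentence that follows the list.
HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[[^\]]*\] ERROR\s+"
    r"unity\.server\.TranslationActionInstance - Can not load action "
    r"(?P<action>\S+) with parameters: \[(?P<params>.*)\]\. This action will be ignored"
)
TIMESTAMPED = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
CAUSE = re.compile(r"^(?:Caused by: )?[\w.$]+(?:Exception|Error): (?P<msg>.*)$")


def split_params(raw):
    """Split a parameter list on top-level commas only, leaving commas inside
    quotes, [...] or (...) untouched (parameters can be expressions)."""
    parts, buf, depth, quote = [], [], 0, None
    for ch in raw:
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch in "[(":
            depth += 1
        elif ch in "])":
            depth = max(0, depth - 1)
        elif ch == "," and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return parts


def find_ignored_actions(log_text):
    """Return one record per translation action the server reported it will ignore."""
    findings, current = [], None
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            current = {
                "timestamp": header.group("ts"),
                "action": header.group("action"),
                "params": split_params(header.group("params")),
                "cause": None,
            }
            findings.append(current)
        elif TIMESTAMPED.match(line):
            current = None  # a new, unrelated log entry starts here
        elif current is not None and current["cause"] is None:
            cause = CAUSE.match(line.strip())
            if cause:
                current["cause"] = cause.group("msg")
    return findings


def ignored_by_action(findings):
    """Group findings by action name; values are the distinct first parameters
    (assumed to be the attribute name for createAttribute)."""
    summary = {}
    for f in findings:
        first = f["params"][0] if f["params"] else "<no parameters>"
        summary.setdefault(f["action"], set()).add(first)
    return {action: sorted(names) for action, names in summary.items()}


if __name__ == "__main__":
    found = find_ignored_actions(SAMPLE_LOG)
    for f in found:
        print(f["timestamp"], f["action"], len(f["params"]), "params:", f["cause"])
    print(ignored_by_action(found))
```

An empty result from the scan after the profiles have been re-saved means the server no longer reports any action as ignored.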
From: Sander A. <sa....@fz...> - 2017-04-26 05:15:49
|
Hi Krzysztof,

thank you for your efforts. The IdP was from CSC. If it appears again, I will contact you again.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz... |
From: Krzysztof B. <kb...@un...> - 2017-04-25 21:31:22
|
Dear Subscribers,

Subsequent Unity revision - 1.9.6 - is available for download.

Release includes six bugfixes, including the fix for the default Facebook external authentication. Among new features there is a possibility to trigger resend of confirmation emails directly from the Admin UI (for both e-mail identities and attributes). Web endpoints got their default paths, so you can access AdminUI or HomeUI directly under the endpoint's path (in default setup this would be /admin instead of /admin/admin). It is also possible to setup default address of the whole server. Finally there were numerous improvements related to consent screen - admin can now control which attributes are mandatory and their presentation is improved.

Download links and a detailed list of changes are available at:
http://www.unity-idm.eu/site/downloads

Best regards,
Krzysztof |
From: Krzysztof B. <kb...@un...> - 2017-04-25 19:46:33
|
Hi Sander,

On 19.04.2017 at 12:22, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 19.04.2017 at 11:34, Sander Apweiler wrote:
>> Hi Krzysztof,
>>
>> I got a problem report by a user about broken login with his home IdP.
>> The IdP changed his certificate and it was not trusted by unity.
>>
>> [2017-04-19 07:32:47,210 [qtp304966690-1742]
>> WARN unity.server.saml.SAMLRetrievalUI - SAML response verification or
>> processing failed
>> pl.edu.icm.unity.server.authn.AuthenticationException: The SAML response
>> is either invalid or is issued by an untrusted identity provider.]
>>
>> This IdP comes with eduGain metadata. The Metadata URL is updated once
>> per hour. Reloading SAML authenticator did not solve the problem. A
>> restart solved the problem. But restarts during the working time are
>> not very welcome. Is there another solution to solve this problem?
>
> I'll look into it - likely some cache is not purged after metadata reload.

I've run quite a few tests and unfortunately I can not reproduce this issue. All cases that I tried (e.g. with changed certificate DN in update or without DN change) worked fine - immediately after metadata reload a new certificate was used.

I've found however another nasty problem related to SAML metadata reloading (#601 in tracker). While this other problem alone is rather not related with your case, its fix could also solve your issue: a small refactoring was applied to the overall process of metadata reloading - which should be now simplified and more stable.

All in all if you notice such issue again please let us know, providing as much of context as possible. Especially what was the IdP. I have some saved eduGAIN metadata dumps so chances are that I'll be able to reproduce the setup before and after update.

Best
Krzysztof |
From: Krzysztof B. <kb...@un...> - 2017-04-25 17:28:25
|
Shiraz,

On 24.04.2017 at 14:17, Shiraz Memon wrote:
> I think enquiry form is a good fit for the purpose (at least for the time
> being), but can a link to the form be shown to our users under home UI
> (like other attribute value pairs) in a neat way? I know this can be
> achieved by creating a special attribute for every user having the link
> as a value and then display it under the home UI (not very elegant though).

As I wrote this is not possible currently. If you want to have such feature implemented please fill a request (or write) with details, how do you envision this. Maybe an additional "big" button on the left side of the profile UI (below credentials)? Or rather more lightweight solution and additional section on the main info screen below or under attributes?

Thanks,
Krzysztof |
From: Shiraz M. <a....@fz...> - 2017-04-24 12:17:43
|
On Mon, Apr 24, 2017 at 1:44 PM, Krzysztof Benedyczak <kb...@un...> wrote:

> Hi Shiraz,
>
> Yes, you can create a non-mandatory enquiry form allowing to request any
> group membership. So far there is no support for activating this on the
> HomeUI (we can work on it of course), but enquiry gets its own URL, so
> you can give it to your users.

I think enquiry form is a good fit for the purpose (at least for the time being), but can a link to the form be shown to our users under home UI (like other attribute value pairs) in a neat way? I know this can be achieved by creating a special attribute for every user having the link as a value and then display it under the home UI (not very elegant though).

Thanks,
Shiraz

> HTH,
> Krzysztof

--
Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)

Phone: +49 2461 61 6899
Fax: +49 2461 61 6656 |
From: Krzysztof B. <kb...@un...> - 2017-04-24 11:44:19
|
Hi Shiraz,

On 24.04.2017 at 13:24, Shiraz Memon wrote:
> Hi Krzysztof,
>
> Is it possible for the non-privileged users to request membership in an
> existing group they are "not" members of (e.g. through their unity home
> page)? and subsequently notify and let the admins of the requested
> group(s) to approve/disapprove the membership.
>
> I think we have discussed about this in the past and not really sure
> whether the feature has already been included in the latest stable
> release and how to enable it, if provided.

Yes, you can create a non-mandatory enquiry form allowing to request any group membership. So far there is no support for activating this on the HomeUI (we can work on it of course), but enquiry gets its own URL, so you can give it to your users.

HTH,
Krzysztof |
From: Shiraz M. <a....@fz...> - 2017-04-24 11:25:32
|
Hi Krzysztof,

Is it possible for the non-privileged users to request membership in an existing group they are "not" members of (e.g. through their unity home page)? and subsequently notify and let the admins of the requested group(s) to approve/disapprove the membership.

I think we have discussed about this in the past and not really sure whether the feature has already been included in the latest stable release and how to enable it, if provided.

Best,
Shiraz

--
Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)

Phone: +49 2461 61 6899
Fax: +49 2461 61 6656 |
From: Shiraz M. <a....@fz...> - 2017-04-24 10:22:36
|
Hi Krzysztof,

the custom configuration worked - thanks!

Best,
Shiraz

On Fri, Apr 21, 2017 at 10:24 PM, Krzysztof Benedyczak <kb...@un...> wrote:

> Hi Shiraz,
>
> On 21.04.2017 at 10:42, Shiraz Memon wrote:
>> Hi Krzysztof,
>>
>> I (and also other users) am unable to authenticate myself using my
>> facebook id. Can you check whether facebook has changed something lately
>> in their flow.
>
> Yeah - they changed the access token format.
>
> Workaround: instead of built in type facebook use custom with the
> following settings (the additional ones after the empty line should be good
> without any change - maybe besides the 'fb' in key):
>
> unity.oauth2.client.providers.fb.type=custom
> unity.oauth2.client.providers.fb.clientId=YOURID
> unity.oauth2.client.providers.fb.clientSecret=YOUR SECRET
> unity.oauth2.client.providers.fb.translationProfile=YOURPROFILE
>
> unity.oauth2.client.providers.fb.name=Facebook
> unity.oauth2.client.providers.fb.authEndpoint=https://www.facebook.com/dialog/oauth
> unity.oauth2.client.providers.fb.accessTokenEndpoint=https://graph.facebook.com/oauth/access_token
> unity.oauth2.client.providers.fb.profileEndpoint=https://graph.facebook.com/me/
> unity.oauth2.client.providers.fb.accessTokenFormat=standard
> unity.oauth2.client.providers.fb.scopes=email
> unity.oauth2.client.providers.fb.iconUrl=file:../common/img/external/FB-small.png
> unity.oauth2.client.providers.fb.clientAuthenticationMode=secretPost
>
> The standard config will be fixed in the next release.
>
> Thanks
> Krzysztof
>
>> Inline image 1
>>
>> logs:
>>
>> 2017-04-21 10:38:38,725 [qtp1655072591-1752] DEBUG unity.server.oauth.RedirectRequestHandler - Starting OAuth redirection to OAuth provider https://www.facebook.com/dialog/oauth?response_type=code&client_id=xxxx66787708245&redirect_uri=https%3A%2F%2Funity.eudat-aai.fz-juelich.de%3A8443%2Funitygw%2Foauth2ResponseConsumer&scope=email&state=5d2049a5-9aa1-4d43-b5e6-103b90c349cb
>>
>> 2017-04-21 10:38:38,973 [qtp1655072591-1757] DEBUG unity.server.oauth.ResponseConsumerServlet - Received OAuth response with valid state 5d2049a5-9aa1-4d43-b5e6-103b90c349cb, redirecting to /admin/admin
>> 2017-04-21 10:38:39,138 [qtp1655072591-1758] DEBUG unity.server.oauth.OAuth2RetrievalUI - RetrievalUI received OAuth response
>> 2017-04-21 10:38:39,139 [qtp1655072591-1758] DEBUG unity.server.oauth.OAuth2Verificator - Exchanging authorization code for access token with request to: https://graph.facebook.com/oauth/access_token
>> 2017-04-21 10:38:39,685 [qtp1655072591-1758] DEBUG unity.server.oauth.OAuth2Verificator - Received answer: 200
>> 2017-04-21 10:38:39,685 [qtp1655072591-1758] DEBUG unity.server.oauth.OAuth2RetrievalUI - OAuth2 authorization code verification or processing failed
>> pl.edu.icm.unity.server.authn.AuthenticationException: Problem during user information retrieval
>>     at pl.edu.icm.unity.oauth.client.OAuth2Verificator.getRemotelyAuthenticatedInput(OAuth2Verificator.java:244)
>>     at pl.edu.icm.unity.oauth.client.OAuth2Verificator.verifyOAuthAuthzResponse(OAuth2Verificator.java:209)
>>     at pl.edu.icm.unity.oauth.client.web.OAuth2RetrievalUI.onAuthzAnswer(OAuth2RetrievalUI.java:268)
>>     at pl.edu.icm.unity.oauth.client.web.OAuth2RetrievalUI.refresh(OAuth2RetrievalUI.java:329)
>>     at pl.edu.icm.unity.webui.authn.SelectedAuthNPanel$PrimaryAuthenticationResultCallbackImpl.refresh(SelectedAuthNPanel.java:432)
>>     at pl.edu.icm.unity.webui.authn.SelectedAuthNPanel.refresh(SelectedAuthNPanel.java:500)
>>     at pl.edu.icm.unity.webui.authn.AuthenticationUI.refresh(AuthenticationUI.java:364)
>>     at com.vaadin.ui.UI.doRefresh(UI.java:731)
>>     at com.vaadin.server.communication.UIInitHandler.reinitUI(UIInitHandler.java:261)
>>     at com.vaadin.server.communication.UIInitHandler.getBrowserDetailsUI(UIInitHandler.java:168)
>>     at com.vaadin.server.communication.UIInitHandler.synchronizedHandleRequest(UIInitHandler.java:74)
>>     at com.vaadin.server.SynchronizedRequestHandler.handleRequest(SynchronizedRequestHandler.java:41)
>>     at com.vaadin.server.VaadinService.handleRequest(VaadinService.java:1409)
>>     at com.vaadin.server.VaadinServlet.service(VaadinServlet.java:364)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>     at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:848)
>>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1772)
>>     at pl.edu.icm.unity.webui.authn.InvocationContextSetupFilter.doFilter(InvocationContextSetupFilter.java:73)
>>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759)
>>     at pl.edu.icm.unity.webui.authn.AuthenticationFilter.gotoNotProtectedResource(AuthenticationFilter.java:190)
>>     at pl.edu.icm.unity.webui.authn.AuthenticationFilter.doFilter(AuthenticationFilter.java:78)
>>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759)
>>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:582)
>>     at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:224)
>>     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1180)
>>     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:512)
>>     at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
>>     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1112)
>>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
>>     at org.eclipse.jetty.server.Dispatcher.forward(Dispatcher.java:199)
>>     at org.eclipse.jetty.server.Dispatcher.forward(Dispatcher.java:74)
>>     at pl.edu.icm.unity.webui.authn.AuthenticationFilter.forwardtoAuthn(AuthenticationFilter.java:173)
>>     at pl.edu.icm.unity.webui.authn.AuthenticationFilter.doFilter(AuthenticationFilter.java:124)
>>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759)
>>     at pl.edu.icm.unity.server.utils.HiddenResourcesFilter.doFilter(HiddenResourcesFilter.java:49)
>>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759)
>>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:582)
>>     at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:224)
>>     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1180)
>>     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:512)
>>     at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
>>     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1112)
>>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
>>     at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:213)
>>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134)
>>     at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:335)
>>     at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:426)
>>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134)
>>     at org.eclipse.jetty.server.Server.handle(Server.java:534)
>>     at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:320)
>>     at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
>>     at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283)
>>     at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110)
>>     at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:220)
>>     at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283)
>>     at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110)
>>     at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93)
>>     at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303)
>>     at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148)
>>     at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136)
>>     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671)
>>     at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589)
>>     at java.lang.Thread.run(Thread.java:745)
>> Caused by: pl.edu.icm.unity.server.authn.AuthenticationException: Access token answer received doesn't contain 'access_token' parameter.
>>     at pl.edu.icm.unity.oauth.client.OAuth2Verificator.getAccessTokenAndProfilePlain(OAuth2Verificator.java:404)
>>     at pl.edu.icm.unity.oauth.client.OAuth2Verificator.getRemotelyAuthenticatedInput(OAuth2Verificator.java:241)
>>     ...
62 more >> Cheers, >> Shiraz >> -- >> Shiraz Memon >> Federated Systems and Data >> Jülich Supercomputing Centre (JSC) >> >> Phone: +49 2461 61 6899 >> Fax: +49 2461 61 6656 >> >> >> ------------------------------------------------------------ >> ------------------------------------ >> ------------------------------------------------------------ >> ------------------------------------ >> Forschungszentrum Juelich GmbH >> 52425 Juelich >> Sitz der Gesellschaft: Juelich >> Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 >> Vorsitzender des Aufsichtsrats: MinDir Dr. Karl Eugen Huthmacher >> Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), >> Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt, >> Prof. Dr. Sebastian M. Schmidt >> ------------------------------------------------------------ >> ------------------------------------ >> ------------------------------------------------------------ >> ------------------------------------ >> >> >> >> ------------------------------------------------------------ >> ------------------ >> Check out the vibrant tech community on one of the world's most >> engaging tech sites, Slashdot.org! http://sdm.link/slashdot >> >> >> >> _______________________________________________ >> Unity-idm-discuss mailing list >> Uni...@li... >> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss >> >> > -- Shiraz Memon Federated Systems and Data Jülich Supercomputing Centre (JSC) Phone: +49 2461 61 6899 Fax: +49 2461 61 6656 |
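The log in the message above ends with a token endpoint that answered 200 and a client that still found no 'access_token' when reading the body as a plain answer. The following is an added example, not Unity's code and not part of the original thread: it parses a token answer according to its declared content type and fails closed when the token is missing. The helper names, the sample bodies, and the treatment of text/plain as form-encoded are assumptions made for illustration.

```python
import json
from urllib.parse import parse_qs

# Assumption: text/plain answers are treated as form-encoded key=value pairs.
FORM_TYPES = ("application/x-www-form-urlencoded", "text/plain")


class TokenResponseError(Exception):
    """The token endpoint answer is unusable; authentication must fail."""


def parse_token_response(status, content_type, body):
    """Parse a token answer by its declared Content-Type (hypothetical helper)."""
    if status != 200:
        raise TokenResponseError(f"token endpoint returned HTTP {status}")
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == "application/json":
        try:
            fields = json.loads(body)
        except ValueError as exc:
            raise TokenResponseError("body is not valid JSON") from exc
        if not isinstance(fields, dict):
            raise TokenResponseError("JSON answer is not an object")
    elif media_type in FORM_TYPES:
        pairs = parse_qs(body)
        # A repeated parameter is ambiguous, so reject it rather than pick one.
        if any(len(values) != 1 for values in pairs.values()):
            raise TokenResponseError("repeated parameter in form answer")
        fields = {name: values[0] for name, values in pairs.items()}
    else:
        raise TokenResponseError(f"unexpected content type {media_type!r}")
    if "error" in fields:
        raise TokenResponseError(f"provider reported error: {fields['error']}")
    token = fields.get("access_token")
    if not isinstance(token, str) or not token:
        raise TokenResponseError("answer doesn't contain 'access_token'")
    return fields


def check(status, content_type, body):
    """Return (True, fields) on success or (False, reason) on rejection."""
    try:
        return True, parse_token_response(status, content_type, body)
    except TokenResponseError as exc:
        return False, str(exc)


# Constructed sample answers, not captured from any provider.
JSON_BODY = '{"access_token": "constructed-token", "token_type": "bearer"}'
FORM_BODY = "access_token=constructed-token&expires=3600"
```

Calling `check(200, "text/plain", JSON_BODY)` is rejected with the missing 'access_token' reason, because form parsing of a JSON body yields no parameters at all; the same body declared as `application/json` is accepted.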