From: Krzysztof B. <kb...@un...> - 2017-02-22 08:49:24

Hi Willem,

On 17.02.2017 at 15:35, Willem Elbers wrote:
> Hi Krzysztof,
>
> is it possible to create entities via the unity REST api without
> automatically sending an activation email, but instead retrieve the
> activation link and send it in a separate email (manually)?
>
> An alternative could be if we can send a custom activation email when
> creating entities via the REST api (instead of using the registration form).
>
> I would be happy to hear if (and how) any of these approaches is possible.

I'm not sure what you refer to when writing "activation email" and "creating entities"? If you mean the email verification email then you can only disable sending of confirmations.

However there is another mechanism which can help: invitations. By using invitations you can control sending of email (including manual sending of such email, or activated by REST API). As an invitation is received by email, and contains a unique one time code, you can use it as a proof that the user controls the account. And so you can auto-accept an invited person without any further actions.

Cheers
Krzysztof
From: Willem E. <wi...@cl...> - 2017-02-17 14:35:39

Hi Krzysztof,

is it possible to create entities via the unity REST api without automatically sending an activation email, but instead retrieve the activation link and send it in a separate email (manually)?

An alternative could be if we can send a custom activation email when creating entities via the REST api (instead of using the registration form).

I would be happy to hear if (and how) any of these approaches is possible.

Best,
Willem

--
Willem Elbers
CLARIN ERIC
www.clarin.eu | skype: wjm.elbers
From: Krzysztof B. <kb...@un...> - 2017-02-14 14:56:45

Hi Sander,

On 13.02.2017 at 16:10, Sander Apweiler wrote:
> Hi Krzysztof, all,
>
> I want to copy a translation profile and adapt it for a new IdP,
> because it is faster/easier than creating a new one. But I'm not able
> to change the name of the new translation profile while I'm able to
> change all other settings. The name is fixed as "Copy of xyz". Is that
> behaviour intended? Or is there another way to change the name of a new
> translation profile while copying it from an existing one?

Yes, I can confirm this - that's a UI regression. Should be easy to fix.

Thanks for the report
KB
From: Sander A. <sa....@fz...> - 2017-02-13 15:10:27

Hi Krzysztof, all,

I want to copy a translation profile and adapt it for a new IdP, because it is faster/easier than creating a new one. But I'm not able to change the name of the new translation profile while I'm able to change all other settings. The name is fixed as "Copy of xyz". Is that behaviour intended? Or is there another way to change the name of a new translation profile while copying it from an existing one?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren Local Court, no. HR B 3498
Chairman of the Supervisory Board: MinDir Dr. Karl Eugen Huthmacher
Management: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt
-----------------------------------------------------------------------
From: Sander A. <sa....@fz...> - 2017-02-02 07:41:32

Hi Krzysztof,

thank you very much.

Best regards,
Sander

On Friday, 27.01.2017, 23:18 +0100, Krzysztof Benedyczak wrote:
> Sander,
>
> follow on:
> the bug with required identity was trivial, already fixed will be in
> the
> next revision release.
>
> Best,
> Krzysztof

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Krzysztof B. <kb...@un...> - 2017-01-27 22:18:28

Sander,

follow on: the bug with required identity was trivial, already fixed, will be in the next revision release.

Best,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2017-01-27 21:49:54

Hi Sander,

On 27.01.2017 at 10:43, Sander Apweiler wrote:
> Hi Krzysztof,
>
> We decided to "upgrade" the CN attribute from optional to mandatory. So
> we need to collect the CN from existing users. I want to use an enquiry
> form for it, because it seems to be perfect for it.
>
> On my test instance I created a very simple enquiry form. It is
> mandatory for users in root group. It has no email settings. CN is
> collected as mandatory attribute. There are no further settings in the
> form.
>
> By testing the form I got the following two issues:
>
> 1. Users with CN attribute got this enquiry too. Is it possible to
> prevent users with the requested attribute from this enquiry?

Not directly. Currently you need to create some auxiliary group in Unity, manually drag all users without CN to it and use this group as enquiry base group. We can think about some automation related to this aspect if the above approach is not acceptable for you.

> 2. After submitting the CN via enquiry form the user still has no CN
> attribute. My test users got the sys:FilledEnquires attribute but no CN
> attribute. Did I do something wrong or should there be no CN attribute?

The enquiry request needs to be accepted. Either manually or you can configure your enquiry form to auto-accept requests. The latter is configured in form's -> 'automatically assigned settings' tab. Add 'autoProcess' action with 'accept' parameter.

Note that I just found one bug around this scenario: enquiry without any identity won't be accepted. I'm working on a fix.

Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2017-01-27 09:43:56

Hi Krzysztof,

We decided to "upgrade" the CN attribute from optional to mandatory. So we need to collect the CN from existing users. I want to use an enquiry form for it, because it seems to be perfect for it.

On my test instance I created a very simple enquiry form. It is mandatory for users in root group. It has no email settings. CN is collected as mandatory attribute. There are no further settings in the form.

By testing the form I got the following two issues:

1. Users with CN attribute got this enquiry too. Is it possible to prevent users with the requested attribute from this enquiry?

2. After submitting the CN via enquiry form the user still has no CN attribute. My test users got the sys:FilledEnquires attribute but no CN attribute. Did I do something wrong or should there be no CN attribute?

Both issues occurred in unity 1.9.2 and 1.9.4.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Willem E. <wi...@cl...> - 2017-01-19 09:35:28

Hi,

thanks for the quick reply. This is confirmed to solve the question.

Best,
Willem

On 19/01/17 10:07, Krzysztof Benedyczak wrote:
> Dear Willem,
>
> On 19.01.2017 at 10:02, Willem Elbers wrote:
>> Dear Krzysztof,
>>
>> is it possible to skip the list of registration forms when clicking the
>> "Register new account" link in "/home/home"?
>>
>> We would like to have multiple registration forms, however the "register
>> new account" link should always open one form and the other forms will
>> be managed via invitations or by distributing public links.
>
> Yes, it is easily possible. See 13.1 section in documentation,
> i.e. in endpoint config you will need something like:
>
> unity.endpoint.web.enabledRegistrationForms.1=yourEnabledForm
>
> If there is only one allowed form for endpoint, then there shouldn't
> be the selector dialog - immediately the only available registration
> should pop up.
>
> HTH
> Krzysztof

--
Willem Elbers
CLARIN ERIC
www.clarin.eu | tel: +31-(0)85-0091277 | skype: wjm.elbers
From: Krzysztof B. <kb...@un...> - 2017-01-19 09:07:35

Dear Willem,

On 19.01.2017 at 10:02, Willem Elbers wrote:
> Dear Krzysztof,
>
> is it possible to skip the list of registration forms when clicking the
> "Register new account" link in "/home/home"?
>
> We would like to have multiple registration forms, however the "register
> new account" link should always open one form and the other forms will
> be managed via invitations or by distributing public links.

Yes, it is easily possible. See 13.1 section in documentation, i.e. in endpoint config you will need something like:

unity.endpoint.web.enabledRegistrationForms.1=yourEnabledForm

If there is only one allowed form for endpoint, then there shouldn't be the selector dialog - immediately the only available registration should pop up.

HTH
Krzysztof
From: Willem E. <wi...@cl...> - 2017-01-19 09:02:24

Dear Krzysztof,

is it possible to skip the list of registration forms when clicking the "Register new account" link in "/home/home"?

We would like to have multiple registration forms, however the "register new account" link should always open one form and the other forms will be managed via invitations or by distributing public links.

Best,
Willem

--
Willem Elbers
CLARIN ERIC
www.clarin.eu | skype: wjm.elbers
From: Krzysztof B. <kb...@un...> - 2017-01-17 21:57:05

Hi Sander,

On 16.01.2017 at 08:47, Sander Apweiler wrote:
> Good morning,
>
> I recognised a longer response time if I browse to unity with remote
> IdPs loaded from eduGain Metadata file. Last week I had some time to
> investigate this "problem". Instance with eduGain IdPs has response
> times between five and ten seconds.
>
> I investigated the communication with network tools from browser. The
> POST call, where the browser sends some client information, causes this
> delay. Some further investigation with tcpdump and wireshark at server
> side shows that there is only traffic between client (browser) and
> server (unity). Unity sends some keepalive packages.
>
> The long response time is on both instances with eduGain IdPs. There is
> no delay on two instances without eduGain IdPs. But activating DFN IdPs
> (loaded from metadata file) on one of them increases the time for the
> POST method from 40ms to 400ms.
>
> Are there some options to speed up the server?

Looked a bit into it. Unfortunately during authN UI preparation, there are two operations performed, both are roughly speaking of O(n^2) complexity, where n is the number of configured IdPs. As eduGain has ca 2100 IdPs it gets in fact way too slow.

I've opened a ticket to track this with more details, we will need some rather complicated caching to have proper speed.

https://app.assembla.com/spaces/unity-public/tickets/580

Let's move this thread to the ticket.

Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2017-01-16 07:47:27

Good morning,

I recognised a longer response time if I browse to unity with remote IdPs loaded from eduGain Metadata file. Last week I had some time to investigate this "problem". Instance with eduGain IdPs has response times between five and ten seconds.

I investigated the communication with network tools from browser. The POST call, where the browser sends some client information, causes this delay. Some further investigation with tcpdump and wireshark at server side shows that there is only traffic between client (browser) and server (unity). Unity sends some keepalive packages.

The long response time is on both instances with eduGain IdPs. There is no delay on two instances without eduGain IdPs. But activating DFN IdPs (loaded from metadata file) on one of them increases the time for the POST method from 40ms to 400ms.

Are there some options to speed up the server?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Krzysztof B. <kb...@un...> - 2017-01-13 09:51:32

Hi Jan,

On 10.01.2017 at 13:15, Jan Wielemaker wrote:
> Hi Krzysztof,
>
> Thanks for the answer. Lots of things came in between, but I now got it
> working. See below.

Good to hear that :-)

> The flow I have in mind is this:
>
> - User logs in to service using Unity and wants to access resource R.
> - Service asks ABAC (Attribute Based Access Control) whether "sub"
> is allowed to access R given a set of policies.
> - ABAC asks Unity for CfPersID (CERIF person id) of "sub" (optionally
> for service)
> - ABAC applies policies on CERIF data for CfPersID
> - ABAC replies access "granted/denied" for R.
>
> So, I think what we need is a (web) API call from the ABAC component
> that is trusted by the Unity server and that can be used to retrieve the
> CfPersID attribute from Unity based on the anonymous identity Unity has
> provided to the service.
>
> Note that we do not want to expose CfPersID to the service as that
> reveals the true identity of the user.
>
> Is this possible, i.e., is there an API that can be used to get info
> about a Unity user based on the anonymous id provided to some service?

Sure, we use a similar scenario quite often, e.g. when mixing OAuth authN for regular services with a special admin service which provides domain specific UI leveraging Unity as users backend DB.

To solve this simply you need to:

1) create an identity with credential (username&pass or certificate) to represent your ABAC service
2) authorize ABAC to have global read permission
3) then ABAC will be able to use Unity REST Admin endpoint in RO mode to obtain the CfPersID.

In the step 3 you will need to perform 2 calls to REST endpoint (results of the first one can be safely cached):

a) resolve OAuth id from sub claim (or other claim if you put it to OAuth claimset) to "entityId" which is internal unity id of logical person (entity) and is used in API calls.
b) get the attributes

You will have to authenticate this REST call of ABAC service the same way as you created entity for ABAC in point (1).

And finally there is one very important thing to remember. With default settings of OAuth endpoint, unity puts "targetedPersistent" identity into sub claim. As you can read in docs (section 7.1) such identity is persistent, anonymous and *targeted at particular client*. So it won't be visible (at least easily) for the ABAC client. Therefore change your OAuth config, so that it puts *global* persistent identity into sub claim:

unity.oauth2.as.identityTypeForSubject=persistent

HTH,
Krzysztof
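The two-call lookup described above, written out as an added example for the ABAC service side; this is not code from the thread or from Unity. The REST paths (/entity/{id}?identityType=persistent, /entity/{id}/attributes?group=...) and the JSON shapes are assumptions to check against your Unity version's REST Admin documentation, the HTTP transport is injected so the logic runs offline against a constructed fake, and the sample identities are constructed.

```python
import json
from typing import Callable, Dict, Optional, Tuple

# Injected HTTP transport: url -> (status code, response body as text).
# A real caller authenticates with the ABAC service's own credential from
# step 1 (e.g. HTTP basic auth over TLS); that is left out of the fake.
Fetch = Callable[[str], Tuple[int, str]]


class SubNotResolvable(Exception):
    """The 'sub' from the token maps to no global persistent identity in Unity."""


class CfPersIdResolver:
    """Step a) sub -> entityId, step b) entityId -> CfPersID in one group."""

    def __init__(self, base_url: str, fetch: Fetch, group: str = "/",
                 attribute: str = "CfPersID") -> None:
        self.base_url = base_url.rstrip("/")
        self.fetch = fetch
        self.group = group
        self.attribute = attribute
        # Step a) is stable for a user, so caching it is safe (as the reply
        # says); step b) is re-read each time so a removed attribute is noticed.
        self._entity_cache: Dict[str, int] = {}

    def resolve_entity_id(self, sub: str) -> int:
        if sub in self._entity_cache:
            return self._entity_cache[sub]
        # Assumed path shape. Looking 'sub' up as a 'persistent' identity only
        # works when the OAuth endpoint sets
        # unity.oauth2.as.identityTypeForSubject=persistent; the default
        # targetedPersistent value is scoped to the original client, so the
        # ABAC service would get a 404 here.
        status, body = self.fetch(
            f"{self.base_url}/entity/{sub}?identityType=persistent")
        if status == 404:
            raise SubNotResolvable(
                f"sub {sub!r} is not a global persistent identity; check "
                "unity.oauth2.as.identityTypeForSubject on the OAuth endpoint")
        if status != 200:
            raise RuntimeError(f"unexpected HTTP {status} resolving entity")
        # Assumed response shape: {"entityInformation": {"entityId": N}, ...}
        entity_id = int(json.loads(body)["entityInformation"]["entityId"])
        self._entity_cache[sub] = entity_id
        return entity_id

    def cfpersid(self, sub: str) -> Optional[str]:
        entity_id = self.resolve_entity_id(sub)
        # Attributes are group-scoped: ask for the group CfPersID was set in.
        status, body = self.fetch(
            f"{self.base_url}/entity/{entity_id}/attributes?group={self.group}")
        if status != 200:
            raise RuntimeError(f"unexpected HTTP {status} fetching attributes")
        # Assumed response shape: [{"name": ..., "groupPath": ..., "values": [...]}]
        for attr in json.loads(body):
            if attr.get("name") == self.attribute and attr.get("values"):
                return str(attr["values"][0])
        return None  # no CfPersID in that group: the policy engine should deny


def constructed_fake_unity(url: str) -> Tuple[int, str]:
    """Constructed stand-in for a Unity REST Admin endpoint (sample data only)."""
    responses = {
        "/entity/7f3e-global-persistent?identityType=persistent":
            (200, json.dumps({"entityInformation": {"entityId": 42}})),
        "/entity/42/attributes?group=/":
            (200, json.dumps([
                {"name": "cn", "groupPath": "/", "values": ["Jan"]},
                {"name": "CfPersID", "groupPath": "/", "values": ["cfp-0001"]},
            ])),
    }
    path = url.split("https://unity.example", 1)[1]
    return responses.get(path, (404, ""))


def demo() -> Tuple[Optional[str], bool]:
    """Resolve a global id, then show the failure for a client-targeted id."""
    resolver = CfPersIdResolver("https://unity.example", constructed_fake_unity)
    person = resolver.cfpersid("7f3e-global-persistent")
    try:
        resolver.cfpersid("targeted-id-seen-only-by-the-original-client")
        targeted_rejected = False
    except SubNotResolvable:
        targeted_rejected = True
    return person, targeted_rejected


if __name__ == "__main__":
    print(demo())
```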
From: Jan W. <J.W...@cw...> - 2017-01-10 12:16:06

Hi Krzysztof,

Thanks for the answer. Lots of things came in between, but I now got it working. See below.

On 28/12/16 10:26, Krzysztof Benedyczak wrote:
> On 22.12.2016 at 11:36, Jan Wielemaker wrote:
>> I think that means there is something wrong with the config, but I
>> have no clue what.
>
> There are two things to check:
> 1) whether you added the attribute email and cn for jan in group '/A'?
> Or in '/'? See in adminUI whether those are shown in /A group.

So, cn and email were defined in /A. After moving these to /, all works as expected. For now that is enough for me.

> 2) make sure that you have proper authZ setup. User jan must have read
> rights in Unity. See Authorization section in documentation.
>
> And there is also 3rd, unlikely option: you can configure attribute type
> as "local" - then I think it is not visible in HomeUI (but I'd need to
> recheck this).

This was all ok :)

Now for something different. A particular (oauth2) client gets an anonymous identity for my user as "sub". I understand that. Now we want to implement attribute based access control based on the CERIF research data model. This means we need a component that is called by the service and tells the service that the user with "sub" identifier wants to access resource R.

The flow I have in mind is this:

- User logs in to service using Unity and wants to access resource R.
- Service asks ABAC (Attribute Based Access Control) whether "sub" is allowed to access R given a set of policies.
- ABAC asks Unity for CfPersID (CERIF person id) of "sub" (optionally for service)
- ABAC applies policies on CERIF data for CfPersID
- ABAC replies access "granted/denied" for R.

So, I think what we need is a (web) API call from the ABAC component that is trusted by the Unity server and that can be used to retrieve the CfPersID attribute from Unity based on the anonymous identity Unity has provided to the service.

Note that we do not want to expose CfPersID to the service as that reveals the true identity of the user.

Is this possible, i.e., is there an API that can be used to get info about a Unity user based on the anonymous id provided to some service?

Thanks --- Jan
From: Krzysztof B. <kb...@un...> - 2016-12-28 09:26:29

On 22.12.2016 at 11:36, Jan Wielemaker wrote:
> Hi Krzysztof,
>
> On 20/12/16 23:45, Krzysztof Benedyczak wrote:
>
> It seems my issue is with attribute management in general and not so
> much with oauth.
>
>>> P.s. Possibly related, I added the email and cn attributes to the
>>> user through the admin/admin interface. After login as the
>>> test user I had expected to see these attributes, but nope.
>>> Is that expected?
>>
>> The question is about what you see in the Home (profile) endpoint?
>> If so, you have to set what attributes are shown in the HomeUI. You can
>> do this in endpoint's config, e.g.:
>>
>> unity.userhome.attributes.1.attribute=cn
>> unity.userhome.attributes.1.group=/
>> unity.userhome.attributes.1.showGroup=true
>> unity.userhome.attributes.1.editable=true
>>
>> note that the editable=true will work only for attributes which are
>> globally set (attribute type settings) as self modifiable.
>
> I'm not yet doing much. I just started the default config, with the
> default userhome.properties. That contains e.g.,
>
> unity.userhome.attributes.2.attribute=email
> unity.userhome.attributes.2.group=/
> unity.userhome.attributes.2.showGroup=false
> unity.userhome.attributes.2.editable=true
>
> I added (as admin) a user "jan" with identity type userName to group /A.
> Using the admin/admin endpoint I added the attributes "cn" and "email" for
> "jan". Attribute classes and Attribute statements are empty.
>
> I expect the email and common name to show up in /home/home for jan, but
> they are not there. It shows just this:
>
> Displayed name: [4]
> Credentials status: Password credential: correct
> Groups membership:
> /
> /A
> Anonymous identifier :81533a69-3ef9-402d-947e-2c6ae69c2884
> User name: jan
>
> I think that means there is something wrong with the config, but I
> have no clue what.

There are two things to check:
1) whether you added the attribute email and cn for jan in group '/A'? Or in '/'? See in adminUI whether those are shown in /A group.
2) make sure that you have proper authZ setup. User jan must have read rights in Unity. See Authorization section in documentation.

And there is also a 3rd, unlikely option: you can configure attribute type as "local" - then I think it is not visible in HomeUI (but I'd need to recheck this).

HTH,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2016-12-28 09:19:47

On 22.12.2016 at 11:04, Jan Wielemaker wrote:
> Small thingy: in the manual we find a link to
> https://en.wikisource.org/wiki/MVEL_Language_Guide. This link is dead.
> Probably needs to go to
> https://en.wikibooks.org/wiki/Transwiki:MVEL_Language_Guide
>
> Cheers --- Jan
>
> P.s. Please indicate if you want such issues reported elsewhere.

Of course such information is very welcome! Thanks, will fix this.

KB
From: Jan W. <J.W...@cw...> - 2016-12-22 10:36:54

Hi Krzysztof,

On 20/12/16 23:45, Krzysztof Benedyczak wrote:

It seems my issue is with attribute management in general and not so much with oauth.

>> P.s. Possibly related, I added the email and cn attributes to the
>> user through the admin/admin interface. After login as the
>> test user I had expected to see these attributes, but nope.
>> Is that expected?
>
> The question is about what you see in the Home (profile) endpoint?
> If so, you have to set what attributes are shown in the HomeUI. You can
> do this in endpoint's config, e.g.:
>
> unity.userhome.attributes.1.attribute=cn
> unity.userhome.attributes.1.group=/
> unity.userhome.attributes.1.showGroup=true
> unity.userhome.attributes.1.editable=true
>
> note that the editable=true will work only for attributes which are
> globally set (attribute type settings) as self modifiable.

I'm not yet doing much. I just started the default config, with the default userhome.properties. That contains e.g.,

unity.userhome.attributes.2.attribute=email
unity.userhome.attributes.2.group=/
unity.userhome.attributes.2.showGroup=false
unity.userhome.attributes.2.editable=true

I added (as admin) a user "jan" with identity type userName to group /A. Using the admin/admin endpoint I added the attributes "cn" and "email" for "jan". Attribute classes and Attribute statements are empty.

I expect the email and common name to show up in /home/home for jan, but they are not there. It shows just this:

Displayed name: [4]
Credentials status: Password credential: correct
Groups membership:
/
/A
Anonymous identifier :81533a69-3ef9-402d-947e-2c6ae69c2884
User name: jan

I think that means there is something wrong with the config, but I have no clue what.

Cheers --- Jan
From: Jan W. <J.W...@cw...> - 2016-12-22 10:04:41

Small thingy: in the manual we find a link to https://en.wikisource.org/wiki/MVEL_Language_Guide. This link is dead. Probably needs to go to https://en.wikibooks.org/wiki/Transwiki:MVEL_Language_Guide

Cheers --- Jan

P.s. Please indicate if you want such issues reported elsewhere.
From: Willem E. <wi...@cl...> - 2016-12-21 14:00:07

Hi Krzysztof,

that property was indeed the missing piece. Email is now working. Thanks for the support.

Willem Elbers

On 20/12/16 23:32, Krzysztof Benedyczak wrote:
> Dear Willem,
>
> On 19.12.2016 at 17:15, Willem Elbers wrote:
>> Dear Krzysztof,
>>
>> recently we've switched mail provider and our smtp settings changed
>> from STARTTLS to a TLS enabled smtp server.
>>
>> Does unity support TLS only smtp servers? I keep getting the following
>> errors:
> [CUT]
>> Smtp settings:
>>
>> Server: smtp.transip.email
>> Port: 465
>> SSL: Enabled
>> Username:
>> Password:
>>
>> Any help is appreciated.
>
> Unity uses JavaMail, which does support smtps. What config settings in
> Unity are you using? The most important is to turn off start tls and
> to turn on ssl:
>
> mail.smtp.starttls.enable=false (or commented out)
> mail.smtp.ssl.enable=true
>
> From the error you get I'd suspect that some of those settings are
> wrong as you get an early connection error.
>
> See
> http://www.oracle.com/technetwork/java/javamail145sslnotes-1562622.html
>
> Best,
> Krzysztof

--
Willem Elbers
CLARIN ERIC
www.clarin.eu | tel: +31-(0)85-0091277 | skype: wjm.elbers
From: Krzysztof B. <kb...@un...> - 2016-12-20 22:46:02

Jan,

On 20.12.2016 at 15:45, Jan Wielemaker wrote:
> I see how it works now. The docs give "Endpoint type", you can look
> that up in conf/unityServer.conf and then you add the "exposed paths".
> Great.

Correct.

> I get through the `code' flow now. But ... Despite I ask for the
> `profile` scope, I configured that and set cn and email for the test
> user, I get no scope attributes :( I get
>
> from POST /oauth2/token:
>
> - access_token: ...
> - token_type: "Bearer"
>
> From GET /oauth2/userinfo:
>
> - sub: ...

There are a couple of things that you could misconfigure. The most common problem at the beginning is the fact that Unity has group-scoped attributes. Therefore when you configure OAuth scopes for your endpoint, make sure that you define the attributes for users in the group which is set as users group in the OAuth endpoint configuration. The key config settings:

unity.oauth2.as.usersGroup=/someGroup
unity.oauth2.as.scopes.1.name=foo
unity.oauth2.as.scopes.1.description=Provides access to foo info
unity.oauth2.as.scopes.1.attributes.1=cn
unity.oauth2.as.scopes.1.attributes.2=o

With the above config you have to set cn and o attributes in the group /someGroup for each user. Otherwise the attributes won't be exposed by the endpoint.

> If I login with google, the token endpoint gives me an attribute
> token_id, which is a JWT string that gives me the scope attributes.
>
> Almost there (I think) ...
>
> Thanks --- Jan
>
> P.s. Possibly related, I added the email and cn attributes to the
> user through the admin/admin interface. After login as the
> test user I had expected to see these attributes, but nope.
> Is that expected?

The question is about what you see in the Home (profile) endpoint? If so, you have to set what attributes are shown in the HomeUI. You can do this in endpoint's config, e.g.:

unity.userhome.attributes.1.attribute=cn
unity.userhome.attributes.1.group=/
unity.userhome.attributes.1.showGroup=true
unity.userhome.attributes.1.editable=true

note that the editable=true will work only for attributes which are globally set (attribute type settings) as self modifiable.

Best,
Krzysztof
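The group-scoped attribute trap comes up twice on this page: Jan's cn and email were assigned in /A while the endpoints read '/' (the 28 December exchange), and the reply above explains that OAuth scopes only release attributes set in unity.oauth2.as.usersGroup. The following is an added example, not code from the thread or from Unity: it reads the unity.oauth2.as.* keys quoted above with a minimal properties parser and reports, per requested scope, which attributes a user would actually get and which are sitting in the wrong group. The user attribute records are a constructed sample.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

SCOPE_NAME = re.compile(r"^unity\.oauth2\.as\.scopes\.(\d+)\.name$")
SCOPE_ATTR = re.compile(r"^unity\.oauth2\.as\.scopes\.(\d+)\.attributes\.\d+$")

# Constructed sample in the shape of the oauth2-as.properties keys quoted
# in the thread (usersGroup, scopes.N.name, scopes.N.attributes.M).
SAMPLE_OAUTH2_AS = """
# users group: attributes are only released from here
unity.oauth2.as.usersGroup=/
unity.oauth2.as.scopes.1.name=profile
unity.oauth2.as.scopes.1.description=Provides access to profile info
unity.oauth2.as.scopes.1.attributes.1=cn
unity.oauth2.as.scopes.1.attributes.2=email
"""

# Constructed user records as (attribute name, group it was assigned in).
JAN_BEFORE = [("cn", "/A"), ("email", "/A")]   # what Jan did first
JAN_AFTER = [("cn", "/"), ("email", "/")]      # after moving them to /


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java-properties reader: key=value lines, '#' comments ignored."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def scope_attributes(props: Dict[str, str]) -> Dict[str, List[str]]:
    """Map scope name -> attribute names declared for that scope."""
    names: Dict[str, str] = {}
    attrs: Dict[str, List[str]] = defaultdict(list)
    for key, value in props.items():
        m = SCOPE_NAME.match(key)
        if m:
            names[m.group(1)] = value
        m = SCOPE_ATTR.match(key)
        if m:
            attrs[m.group(1)].append(value)
    return {names[i]: sorted(attrs.get(i, [])) for i in names}


def check_release(props: Dict[str, str], user_attrs: Iterable[Tuple[str, str]],
                  requested_scopes: Iterable[str]) -> Dict[str, Dict[str, list]]:
    """Per requested scope: 'released' (set in usersGroup), 'misplaced'
    (user has it, but only in another group: silently not released) and
    'missing' (user has it nowhere)."""
    users_group = props.get("unity.oauth2.as.usersGroup", "/")
    groups_by_name: Dict[str, set] = defaultdict(set)
    for name, group in user_attrs:
        groups_by_name[name].add(group)
    scopes = scope_attributes(props)
    report: Dict[str, Dict[str, list]] = {}
    for scope in requested_scopes:
        released, misplaced, missing = [], [], []
        for attr in scopes.get(scope, []):
            groups = groups_by_name.get(attr, set())
            if users_group in groups:
                released.append(attr)
            elif groups:
                misplaced.append((attr, sorted(groups)))
            else:
                missing.append(attr)
        report[scope] = {"released": released, "misplaced": misplaced,
                         "missing": missing}
    return report


if __name__ == "__main__":
    cfg = parse_properties(SAMPLE_OAUTH2_AS)
    print("before:", check_release(cfg, JAN_BEFORE, ["profile"]))
    print("after: ", check_release(cfg, JAN_AFTER, ["profile"]))
```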
From: Krzysztof B. <kb...@un...> - 2016-12-20 22:32:33

Dear Willem,

On 19.12.2016 at 17:15, Willem Elbers wrote:
> Dear Krzysztof,
>
> recently we've switched mail provider and our smtp settings changed
> from STARTTLS to a TLS enabled smtp server.
>
> Does unity support TLS only smtp servers? I keep getting the following
> errors:
[CUT]
> Smtp settings:
>
> Server: smtp.transip.email
> Port: 465
> SSL: Enabled
> Username:
> Password:
>
> Any help is appreciated.

Unity uses JavaMail, which does support smtps. What config settings in Unity are you using? The most important is to turn off start tls and to turn on ssl:

mail.smtp.starttls.enable=false (or commented out)
mail.smtp.ssl.enable=true

From the error you get I'd suspect that some of those settings are wrong as you get an early connection error.

See http://www.oracle.com/technetwork/java/javamail145sslnotes-1562622.html

Best,
Krzysztof
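An added check for the mail.smtp.* combination behind the early "response: -1" above; this is not Unity's or JavaMail's code. It classifies a property set as implicit TLS (smtps), STARTTLS or plaintext and flags a port/mode mismatch and a downgrade-prone STARTTLS setting. mail.smtp.host, mail.smtp.port and mail.smtp.starttls.required are standard JavaMail keys not quoted in the thread, and the "before" property set is a reconstruction of Willem's settings, not his actual file.

```python
from typing import Dict, List, Tuple


def _flag(props: Dict[str, str], key: str) -> bool:
    """JavaMail boolean property: absent counts as false."""
    return props.get(key, "false").strip().lower() == "true"


def classify_smtp(props: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (mode, warnings). mode is 'smtps' (TLS from the first byte),
    'starttls' (plaintext greeting, then upgrade) or 'plaintext'."""
    ssl = _flag(props, "mail.smtp.ssl.enable")
    starttls = _flag(props, "mail.smtp.starttls.enable")
    # 25 is JavaMail's default port for the smtp protocol when none is set.
    port = int(props.get("mail.smtp.port", "25"))
    warnings: List[str] = []
    if ssl:
        mode = "smtps"
        if starttls:
            # JavaMail skips STARTTLS on an already-TLS socket; the key is
            # harmless but misleading, which is why the reply says to drop it.
            warnings.append("starttls.enable has no effect once ssl.enable=true; "
                            "comment it out")
        if port == 587:
            warnings.append("port 587 normally speaks STARTTLS, not implicit TLS")
    elif starttls:
        mode = "starttls"
        if port == 465:
            # The client waits for a plaintext 220 greeting that a TLS-only
            # port never sends, so the connection attempt fails at once.
            warnings.append("port 465 is implicit TLS: a STARTTLS client never "
                            "sees a greeting ('Could not connect ... response: -1'); "
                            "set mail.smtp.ssl.enable=true instead")
        if not _flag(props, "mail.smtp.starttls.required"):
            warnings.append("starttls.required is false: if the server stops "
                            "advertising STARTTLS, credentials go out in clear; "
                            "set mail.smtp.starttls.required=true")
    else:
        mode = "plaintext"
        warnings.append("no TLS at all: credentials and mail bodies cross the "
                        "network unencrypted")
    return mode, warnings


# Constructed reconstruction of the failing setup: port 465 with STARTTLS on.
BEFORE = {"mail.smtp.host": "smtp.transip.email", "mail.smtp.port": "465",
          "mail.smtp.starttls.enable": "true"}
# The configuration from the reply: STARTTLS off (omitted), ssl on.
AFTER = {"mail.smtp.host": "smtp.transip.email", "mail.smtp.port": "465",
         "mail.smtp.ssl.enable": "true"}

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, classify_smtp(cfg))
```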
From: Jan W. <J.W...@cw...> - 2016-12-20 14:45:50

Hi Krzysztof,

On 15/12/16 16:12, Krzysztof Benedyczak wrote:
>> What am I missing?
>
> Context address of the endpoint is the root part of the path (which you
> control) - /oauth2-as in your case. Under it there are typically some
> fixed paths which are internal detail of the endpoint in question.
> Docs provide info on those paths.
>
> So in this case you need to append .../oauth2-authz in the request path.

I see how it works now. The docs give "Endpoint type", you can look that up in conf/unityServer.conf and then you add the "exposed paths". Great.

I get through the `code' flow now. But ... Despite I ask for the `profile` scope, I configured that and set cn and email for the test user, I get no scope attributes :( I get

from POST /oauth2/token:

- access_token: ...
- token_type: "Bearer"

From GET /oauth2/userinfo:

- sub: ...

If I login with google, the token endpoint gives me an attribute token_id, which is a JWT string that gives me the scope attributes.

Almost there (I think) ...

Thanks --- Jan

P.s. Possibly related, I added the email and cn attributes to the user through the admin/admin interface. After login as the test user I had expected to see these attributes, but nope. Is that expected?

> HTH,
> Krzysztof
From: Willem E. <wi...@cl...> - 2016-12-19 16:35:28

Dear Krzysztof,

recently we've switched mail provider and our smtp settings changed from STARTTLS to a TLS enabled smtp server.

Does unity support TLS only smtp servers? I keep getting the following errors:

unity-idm_1 | javax.mail.MessagingException: Could not connect to SMTP host: smtp.transip.email, port: 465, response: -1
unity-idm_1 | at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1949)
unity-idm_1 | at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:654)
unity-idm_1 | at javax.mail.Service.connect(Service.java:317)
unity-idm_1 | at javax.mail.Service.connect(Service.java:176)
unity-idm_1 | at javax.mail.Service.connect(Service.java:125)
unity-idm_1 | at javax.mail.Transport.send0(Transport.java:194)
unity-idm_1 | at javax.mail.Transport.send(Transport.java:124)
unity-idm_1 | at pl.edu.icm.unity.engine.notifications.EmailFacility$EmailChannel.sendEmail(EmailFacility.java:322)
unity-idm_1 | at pl.edu.icm.unity.engine.notifications.EmailFacility$EmailChannel.access$100(EmailFacility.java:248)
unity-idm_1 | at pl.edu.icm.unity.engine.notifications.EmailFacility$EmailChannel$1.run(EmailFacility.java:303)
unity-idm_1 | at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
unity-idm_1 | at java.util.concurrent.FutureTask.run(FutureTask.java:266)
unity-idm_1 | at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
unity-idm_1 | at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
unity-idm_1 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
unity-idm_1 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
unity-idm_1 | at java.lang.Thread.run(Thread.java:745)
unity-idm_1 | E-mail notification failed

Smtp settings:

Server: smtp.transip.email
Port: 465
SSL: Enabled
Username:
Password:

Any help is appreciated.

Best,
Willem

--
Willem Elbers
CLARIN ERIC
www.clarin.eu | skype: wjm.elbers
From: Krzysztof B. <kb...@un...> - 2016-12-15 15:12:30

Hi Jan,

On 15.12.2016 at 15:50, Jan Wielemaker wrote:
> Hi,
>
> I'm completely new to Unity. I'm trying to setup an experimental server,
> first using an oauth2 client. Setting up Unity itself is easy :)
>
> I minimally edited oauth2-as.properties, changed issuerUri and
> usersGroup:
>
> unity.oauth2.as.issuerUri=https://woezel.ia.cwi.nl:2443/oauth2
> unity.oauth2.as.usersGroup=/
>
> I have added a client to /oauth-clients as a new entity using
> 'identifier' "swish@turin", adding attributes
>
> sys:oauth:groupForClient=/
> sys:oauth:allowedReturnURI=https://turin.ia.cwi.nl:1443/oauth2-reply
> sys:oauth:allowedGrantFlows=authorizationCode
>
> According to "Server management" tab, UNITY OAuth2 Authorization Server:
> Context address: /oauth2-as
>
> So, I redirect to
> https://woezel.ia.cwi.nl:2443/oauth2-as?response_type=code&client_id=swish@turin&redirect_uri=https%3A//turin.ia.cwi.nl%3A1443/oauth2-reply&scope=profile
>
> This causes the browser to redirect to (not the "as/")
> https://woezel.ia.cwi.nl:2443/oauth2-as/?response_type=code&client_id=swish@turin&redirect_uri=https%3A//turin.ia.cwi.nl%3A1443/oauth2-reply&scope=profile
>
> which returns 404 :(
>
> Note that both Unity and the target client use self-signed SSL
> certificates (although I don't think that matters).
>
> What am I missing?

Context address of the endpoint is the root part of the path (which you control) - /oauth2-as in your case. Under it there are typically some fixed paths which are internal detail of the endpoint in question. Docs provide info on those paths.

So in this case you need to append .../oauth2-authz in the request path.

HTH,
Krzysztof