From: Sander A. <sa....@fz...> - 2017-01-16 07:47:27

Good morning,

I recognised a longer response time if I browse to Unity with remote IdPs loaded from the eduGain metadata file. Last week I had some time to investigate this "problem". The instance with eduGain IdPs has response times between five and ten seconds. I investigated the communication with network tools from the browser. The POST call, where the browser sends some client information, causes this delay. Some further investigation with tcpdump and Wireshark on the server side shows that there is only traffic between client (browser) and server (Unity). Unity sends some keepalive packets. The long response time is on both instances with eduGain IdPs. There is no delay on two instances without eduGain IdPs. But activating DFN IdPs (loaded from a metadata file) on one of them increases the time for the POST method from 40 ms to 400 ms. Are there some options to speed up the server?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren local court, no. HR B 3498
Chairman of the supervisory board: MinDir Dr. Karl Eugen Huthmacher
Management board: Prof. Dr.-Ing. Wolfgang Marquardt (chairman), Karsten Beneke (deputy chairman), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt
-----------------------------------------------------------------------
From: Krzysztof B. <kb...@un...> - 2017-01-13 09:51:32

Hi Jan,

On 10.01.2017 at 13:15, Jan Wielemaker wrote:
> Hi Krzysztof,
>
> Thanks for the answer. Lots of things came in between, but I now got it
> working. See below.

Good to hear that :-)

> The flow I have in mind is this:
>
> - User logs in to service using Unity and wants to access resource R.
> - Services asks ABAC (Attribute Based Access Control) whether "sub"
>   is allowed to access R given a set of policies.
> - ABAC asks Unity for CfPersID (CERIF person id) of "sub" (optionally
>   for service)
> - ABAC applies policies on CERIF data for CfPersID
> - ABAC replies access "granted/denied" for R.
>
> So, I think what we need is a (web) API call from the ABAC component
> that is trusted by the Unity server and that can be used to retrieve the
> CfPersID attribute from Unity based on the anonymous identity Unity has
> provided to the service.
>
> Note that we do not want to expose CfPersID to the service as that
> reveals the true identity of the user.
>
> Is this possible, i.e., is there an API that can be used to get info
> about a Unity user based on the anonymous id provided to some service?

Sure, we use a similar scenario quite often, e.g. when mixing OAuth authN for regular services with a special admin service which provides a domain-specific UI leveraging Unity as the users backend DB.

To solve this you simply need to:

1) create an identity with a credential (username & password or certificate) to represent your ABAC service
2) authorize ABAC to have global read permission
3) then ABAC will be able to use the Unity REST Admin endpoint in RO mode to obtain the CfPersID.

In step 3 you will need to perform 2 calls to the REST endpoint (results of the first one can be safely cached):

a) resolve the OAuth id from the sub claim (or another claim if you put it in the OAuth claim set) to "entityId", which is the internal Unity id of the logical person (entity) and is used in API calls.
b) get the attributes

You will have to authenticate this REST call of the ABAC service the same way as you created the entity for ABAC in point (1).

And finally there is one very important thing to remember. With the default settings of the OAuth endpoint, Unity puts the "targetedPersistent" identity into the sub claim. As you can read in the docs (section 7.1) such an identity is persistent, anonymous and *targeted at a particular client*. So it won't be visible (at least easily) for the ABAC client. Therefore change your OAuth config so that it puts the *global* persistent identity into the sub claim:

unity.oauth2.as.identityTypeForSubject=persistent

HTH,
Krzysztof
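The two-call lookup from the reply above, written out as an added example on the ABAC side (not Unity project code, not the author's). It resolves the global persistent "sub" to an entityId (cached), reads the attributes from the /rest-admin/v1/entity/{id}/attributes path the list mentions, and returns only granted/denied to the service. The identityType and group query parameters and the JSON field names are assumptions; the transport is injectable so it runs offline against constructed responses.

```python
"""ABAC-side lookup of a user's CfPersID through Unity's REST Admin endpoint.

Added example, not Unity project code. Follows the two calls from the reply:
(a) resolve the OAuth "sub" claim, which must be a *global* persistent identity
(unity.oauth2.as.identityTypeForSubject=persistent), to the internal entityId,
and (b) read that entity's attributes. Assumptions (not from the thread): the
identityType/group query parameters and the JSON field names
"entityInformation", "entityId", "name", "values".
"""
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

# (url, headers) -> raw JSON body
Fetcher = Callable[[str, Dict[str, str]], bytes]


def basic_auth_header(user: str, password: str) -> Dict[str, str]:
    """HTTP Basic header for the ABAC service's own Unity identity (step 1)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def urllib_fetch(url: str, headers: Dict[str, str]) -> bytes:
    """Default transport: plain HTTPS GET with the standard library."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


class UnityAbacLookup:
    """Read-only client; the identity used needs global read permission (step 2)."""

    def __init__(self, base_url: str, user: str, password: str,
                 fetch: Fetcher = urllib_fetch) -> None:
        self.base = base_url.rstrip("/") + "/rest-admin/v1"
        self.headers = basic_auth_header(user, password)
        self.fetch = fetch
        # sub -> entityId; the reply notes this mapping can be safely cached
        self._entity_cache: Dict[str, int] = {}

    def resolve_entity_id(self, sub: str) -> int:
        """Call (a): persistent identity value -> internal entityId."""
        if sub in self._entity_cache:
            return self._entity_cache[sub]
        # Assumed URL shape; a targetedPersistent sub would not resolve here.
        url = (f"{self.base}/entity/{urllib.parse.quote(sub, safe='')}"
               "?identityType=persistent")
        data = json.loads(self.fetch(url, self.headers))
        entity_id = int(data["entityInformation"]["entityId"])
        self._entity_cache[sub] = entity_id
        return entity_id

    def get_attribute(self, sub: str, name: str, group: str = "/") -> Optional[List[str]]:
        """Call (b): attributes of the entity in `group`; None if `name` is absent.
        Attributes are group-scoped in Unity, so the group matters."""
        entity_id = self.resolve_entity_id(sub)
        url = (f"{self.base}/entity/{entity_id}/attributes"
               f"?group={urllib.parse.quote(group, safe='')}")
        for attr in json.loads(self.fetch(url, self.headers)):
            if attr.get("name") == name:
                return list(attr.get("values", []))
        return None


def decide(lookup: UnityAbacLookup, sub: str, resource: str,
           policy: Dict[str, set]) -> str:
    """Policy decision returned to the service. `policy` maps CfPersID to the
    resources it may access (constructed stand-in for the CERIF-based rules).
    Only "granted"/"denied" leaves the ABAC component; CfPersID never does."""
    values = lookup.get_attribute(sub, "CfPersID")
    if not values:
        return "denied"
    return "granted" if resource in policy.get(values[0], set()) else "denied"
```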
From: Jan W. <J.W...@cw...> - 2017-01-10 12:16:06

Hi Krzysztof,

Thanks for the answer. Lots of things came in between, but I now got it working. See below.

On 28/12/16 10:26, Krzysztof Benedyczak wrote:
> On 22.12.2016 at 11:36, Jan Wielemaker wrote:
>> I think that means there is something wrong with the config, but I
>> have no clue what.
>
> There are two things to check:
> 1) whether you added the attribute email and cn for jan in group '/A'?
> Or in '/'? See in adminUI whether those are shown in /A group.

So, cn and email were defined in /A. After moving these to /, all works as expected. For now that is enough for me.

> 2) make sure that you have proper authZ setup. User jan must have read
> rights in Unity. See Authorization section in documentation.
>
> And there is also 3rd, unlikely option: you can configure attribute type
> as "local" - then I think it is not visible in HomeUI (but I'd need to
> recheck this).

This was all ok :)

Now for something different. A particular (oauth2) client gets an anonymous identity for my user as "sub". I understand that. Now we want to implement attribute based access control based on the CERIF research data model. This means we need a component that is called by the service and told that the user with the "sub" identifier wants to access resource R. The flow I have in mind is this:

- User logs in to service using Unity and wants to access resource R.
- Services asks ABAC (Attribute Based Access Control) whether "sub" is allowed to access R given a set of policies.
- ABAC asks Unity for CfPersID (CERIF person id) of "sub" (optionally for service)
- ABAC applies policies on CERIF data for CfPersID
- ABAC replies access "granted/denied" for R.

So, I think what we need is a (web) API call from the ABAC component that is trusted by the Unity server and that can be used to retrieve the CfPersID attribute from Unity based on the anonymous identity Unity has provided to the service.

Note that we do not want to expose CfPersID to the service as that reveals the true identity of the user.

Is this possible, i.e., is there an API that can be used to get info about a Unity user based on the anonymous id provided to some service?

Thanks --- Jan
From: Krzysztof B. <kb...@un...> - 2016-12-28 09:26:29

On 22.12.2016 at 11:36, Jan Wielemaker wrote:
> Hi Krzysztof,
>
> On 20/12/16 23:45, Krzysztof Benedyczak wrote:
>
> It seems my issue is with attribute management in general and not so
> much with oauth.
>
>>> P.s. Possibly related, I added the email and cn attributes to the
>>> user through the admin/admin interface. After login as the
>>> test user I had expected to see these attributes, but nope.
>>> Is that expected?
>>
>> The question is about what you see in the Home (profile) endpoint?
>> If so, you have to set what attributes are shown in the HomeUI. You can
>> do this in endpoint's config, e.g.:
>>
>> unity.userhome.attributes.1.attribute=cn
>> unity.userhome.attributes.1.group=/
>> unity.userhome.attributes.1.showGroup=true
>> unity.userhome.attributes.1.editable=true
>>
>> note that the editable=true will work only for attributes which are
>> globally set (attribute type settings) as self modifiable.
>
> I'm not yet doing much. I just started the default config, with the
> default userhome.properties. That contains e.g.,
>
> unity.userhome.attributes.2.attribute=email
> unity.userhome.attributes.2.group=/
> unity.userhome.attributes.2.showGroup=false
> unity.userhome.attributes.2.editable=true
>
> I added (as admin) a user "jan" with identity type userName to group /A.
> Using the admin/admin endpoint I added the attributes "cn" and "email" for
> "jan". Attribute classes and Attribute statements are empty.
>
> I expect the email and common name to show up in /home/home for jan, but
> they are not there. It shows just this:
>
> Displayed name: [4]
> Credentials status: Password credential: correct
> Groups membership:
> /
> /A
> Anonymous identifier :81533a69-3ef9-402d-947e-2c6ae69c2884
> User name: jan
>
> I think that means there is something wrong with the config, but I
> have no clue what.

There are two things to check:
1) whether you added the attribute email and cn for jan in group '/A'? Or in '/'? See in adminUI whether those are shown in /A group.
2) make sure that you have proper authZ setup. User jan must have read rights in Unity. See Authorization section in documentation.

And there is also a 3rd, unlikely option: you can configure the attribute type as "local" - then I think it is not visible in HomeUI (but I'd need to recheck this).

HTH,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2016-12-28 09:19:47

On 22.12.2016 at 11:04, Jan Wielemaker wrote:
> Small thingy: in the manual we find a link to
> https://en.wikisource.org/wiki/MVEL_Language_Guide. This link is dead.
> Probably needs to go to
> https://en.wikibooks.org/wiki/Transwiki:MVEL_Language_Guide
>
> Cheers --- Jan
>
> P.s. Please indicate if you want such issues reported elsewhere.

Of course such information is very welcome! Thanks, will fix this.

KB
From: Jan W. <J.W...@cw...> - 2016-12-22 10:36:54

Hi Krzysztof,

On 20/12/16 23:45, Krzysztof Benedyczak wrote:

It seems my issue is with attribute management in general and not so much with oauth.

>> P.s. Possibly related, I added the email and cn attributes to the
>> user through the admin/admin interface. After login as the
>> test user I had expected to see these attributes, but nope.
>> Is that expected?
>
> The question is about what you see in the Home (profile) endpoint?
> If so, you have to set what attributes are shown in the HomeUI. You can
> do this in endpoint's config, e.g.:
>
> unity.userhome.attributes.1.attribute=cn
> unity.userhome.attributes.1.group=/
> unity.userhome.attributes.1.showGroup=true
> unity.userhome.attributes.1.editable=true
>
> note that the editable=true will work only for attributes which are
> globally set (attribute type settings) as self modifiable.

I'm not yet doing much. I just started the default config, with the default userhome.properties. That contains e.g.,

unity.userhome.attributes.2.attribute=email
unity.userhome.attributes.2.group=/
unity.userhome.attributes.2.showGroup=false
unity.userhome.attributes.2.editable=true

I added (as admin) a user "jan" with identity type userName to group /A. Using the admin/admin endpoint I added the attributes "cn" and "email" for "jan". Attribute classes and Attribute statements are empty.

I expect the email and common name to show up in /home/home for jan, but they are not there. It shows just this:

Displayed name: [4]
Credentials status: Password credential: correct
Groups membership:
/
/A
Anonymous identifier :81533a69-3ef9-402d-947e-2c6ae69c2884
User name: jan

I think that means there is something wrong with the config, but I have no clue what.

Cheers --- Jan
From: Jan W. <J.W...@cw...> - 2016-12-22 10:04:41

Small thingy: in the manual we find a link to https://en.wikisource.org/wiki/MVEL_Language_Guide. This link is dead. Probably needs to go to https://en.wikibooks.org/wiki/Transwiki:MVEL_Language_Guide

Cheers --- Jan

P.s. Please indicate if you want such issues reported elsewhere.
From: Willem E. <wi...@cl...> - 2016-12-21 14:00:07

Hi Krzysztof,

that property was indeed the missing piece. Email is now working. Thanks for the support.

Willem Elbers

On 20/12/16 23:32, Krzysztof Benedyczak wrote:
> Dear Willem,
>
> On 19.12.2016 at 17:15, Willem Elbers wrote:
>> Dear Krzysztof,
>>
>> recently we've switched from mail provider and our smtp settings changed
>> from STARTTLS to a TLS enabled smtp server.
>>
>> Does unity support TLS only smtp servers? I keep getting the following
>> errors:
> [CUT]
>> Smtp settings:
>>
>> Server: smtp.transip.email
>> Port: 465
>> SSL: Enabled
>> Username:
>> Password:
>>
>> Any help is appreciated.
>
> Unity uses JavaMail, which does support smtps. What config settings in
> Unity are you using? The most important is to turn off start tls and
> to turn on ssl:
>
> mail.smtp.starttls.enable=false (or commented out)
> mail.smtp.ssl.enable=true
>
> From the error you get I'd suspect that some of those settings are
> wrong as you get an early connection error.
>
> See
> http://www.oracle.com/technetwork/java/javamail145sslnotes-1562622.html
>
> Best,
> Krzysztof

--
Willem Elbers
CLARIN ERIC
www.clarin.eu | tel: +31-(0)85-0091277 | skype: wjm.elbers
From: Krzysztof B. <kb...@un...> - 2016-12-20 22:46:02

Jan,

On 20.12.2016 at 15:45, Jan Wielemaker wrote:
> I see how it works now. The docs give "Endpoint type", you can look
> that up in conf/unityServer.conf and then you add the "exposed paths".
> Great.

Correct.

> I get through the `code' flow now. But ... Despite I ask for the
> `profile` scope, I configured that and set cn and email for the test
> user, I get no scope attributes :( I get
>
> from POST /oauth2/token:
>
> - access_token: ...
> - token_type: "Bearer"
>
> From GET /oauth2/userinfo:
>
> - sub: ...

There are a couple of things that you could misconfigure. The most common problem at the beginning is the fact that Unity has group-scoped attributes. Therefore when you configure OAuth scopes for your endpoint, make sure that you define the attributes for users in the group which is set as the users group in the OAuth endpoint configuration. The key config settings:

unity.oauth2.as.usersGroup=/someGroup
unity.oauth2.as.scopes.1.name=foo
unity.oauth2.as.scopes.1.description=Provides access to foo info
unity.oauth2.as.scopes.1.attributes.1=cn
unity.oauth2.as.scopes.1.attributes.2=o

With the above config you have to set the cn and o attributes in the group /someGroup for each user. Otherwise the attributes won't be exposed by the endpoint.

> If I login with google, the token endpoint gives me an attribute
> token_id, which is a JWT string that gives me the scope attributes.
>
> Almost there (I think) ...
>
> Thanks --- Jan
>
> P.s. Possibly related, I added the email and cn attributes to the
> user through the admin/admin interface. After login as the
> test user I had expected to see these attributes, but nope.
> Is that expected?

The question is about what you see in the Home (profile) endpoint? If so, you have to set what attributes are shown in the HomeUI. You can do this in the endpoint's config, e.g.:

unity.userhome.attributes.1.attribute=cn
unity.userhome.attributes.1.group=/
unity.userhome.attributes.1.showGroup=true
unity.userhome.attributes.1.editable=true

Note that editable=true will work only for attributes which are globally set (attribute type settings) as self modifiable.

Best,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2016-12-20 22:32:33

Dear Willem,

On 19.12.2016 at 17:15, Willem Elbers wrote:
> Dear Krzysztof,
>
> recently we've switched from mail provider and our smtp settings changed
> from STARTTLS to a TLS enabled smtp server.
>
> Does unity support TLS only smtp servers? I keep getting the following
> errors:
[CUT]
> Smtp settings:
>
> Server: smtp.transip.email
> Port: 465
> SSL: Enabled
> Username:
> Password:
>
> Any help is appreciated.

Unity uses JavaMail, which does support smtps. What config settings in Unity are you using? The most important is to turn off start tls and to turn on ssl:

mail.smtp.starttls.enable=false (or commented out)
mail.smtp.ssl.enable=true

From the error you get I'd suspect that some of those settings are wrong as you get an early connection error.

See http://www.oracle.com/technetwork/java/javamail145sslnotes-1562622.html

Best,
Krzysztof
From: Jan W. <J.W...@cw...> - 2016-12-20 14:45:50

Hi Krzysztof,

On 15/12/16 16:12, Krzysztof Benedyczak wrote:
>> What am I missing?
>
> Context address of the endpoint is root part of the path (which you
> control) - /oauth2-as in your case. Under it there are typically some
> fixed paths which are internal detail of the endpoint in question.
> Docs provide info on those paths.
>
> So in this case you need to append .../oauth2-authz in the request. path.

I see how it works now. The docs give "Endpoint type", you can look that up in conf/unityServer.conf and then you add the "exposed paths". Great.

I get through the `code' flow now. But ... Despite I ask for the `profile` scope, I configured that and set cn and email for the test user, I get no scope attributes :( I get

from POST /oauth2/token:

- access_token: ...
- token_type: "Bearer"

From GET /oauth2/userinfo:

- sub: ...

If I login with google, the token endpoint gives me an attribute token_id, which is a JWT string that gives me the scope attributes.

Almost there (I think) ...

Thanks --- Jan

P.s. Possibly related, I added the email and cn attributes to the user through the admin/admin interface. After login as the test user I had expected to see these attributes, but nope. Is that expected?

> HTH,
> Krzysztof
From: Willem E. <wi...@cl...> - 2016-12-19 16:35:28

Dear Krzysztof,

recently we've switched from mail provider and our smtp settings changed from STARTTLS to a TLS enabled smtp server.

Does unity support TLS only smtp servers? I keep getting the following errors:

unity-idm_1 | javax.mail.MessagingException: Could not connect to SMTP host: smtp.transip.email, port: 465, response: -1
unity-idm_1 | at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1949)
unity-idm_1 | at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:654)
unity-idm_1 | at javax.mail.Service.connect(Service.java:317)
unity-idm_1 | at javax.mail.Service.connect(Service.java:176)
unity-idm_1 | at javax.mail.Service.connect(Service.java:125)
unity-idm_1 | at javax.mail.Transport.send0(Transport.java:194)
unity-idm_1 | at javax.mail.Transport.send(Transport.java:124)
unity-idm_1 | at pl.edu.icm.unity.engine.notifications.EmailFacility$EmailChannel.sendEmail(EmailFacility.java:322)
unity-idm_1 | at pl.edu.icm.unity.engine.notifications.EmailFacility$EmailChannel.access$100(EmailFacility.java:248)
unity-idm_1 | at pl.edu.icm.unity.engine.notifications.EmailFacility$EmailChannel$1.run(EmailFacility.java:303)
unity-idm_1 | at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
unity-idm_1 | at java.util.concurrent.FutureTask.run(FutureTask.java:266)
unity-idm_1 | at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
unity-idm_1 | at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
unity-idm_1 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
unity-idm_1 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
unity-idm_1 | at java.lang.Thread.run(Thread.java:745)
unity-idm_1 | E-mail notification failed

Smtp settings:

Server: smtp.transip.email
Port: 465
SSL: Enabled
Username:
Password:

Any help is appreciated.

Best,
Willem

--
Willem Elbers
CLARIN ERIC
www.clarin.eu | skype: wjm.elbers
From: Krzysztof B. <kb...@un...> - 2016-12-15 15:12:30

Hi Jan,

On 15.12.2016 at 15:50, Jan Wielemaker wrote:
> Hi,
>
> I'm completely new to Unity. I'm trying to setup an experimental server,
> first using an oauth2 client. Setting up Unity itself is easy :)
>
> I minimally edited oauth2-as.properties, changed issuerUri and
> usersGroup:
>
> unity.oauth2.as.issuerUri=https://woezel.ia.cwi.nl:2443/oauth2
> unity.oauth2.as.usersGroup=/
>
> I have added a client to /oauth-clients as a new entity using
> 'identifier' "swish@turin", adding attributes
>
> sys:oauth:groupForClient=/
> sys:oauth:allowedReturnURI=https://turin.ia.cwi.nl:1443/oauth2-reply
> sys:oauth:allowedGrantFlows=authorizationCode
>
> According to "Server management" tab, UNITY OAuth2 Authorization Server:
> Context address: /oauth2-as
>
> So, I redirect to
> https://woezel.ia.cwi.nl:2443/oauth2-as?response_type=code&client_id=swish@turin&redirect_uri=https%3A//turin.ia.cwi.nl%3A1443/oauth2-reply&scope=profile
>
> This causes the browser to redirect to (not the "as/")
> https://woezel.ia.cwi.nl:2443/oauth2-as/?response_type=code&client_id=swish@turin&redirect_uri=https%3A//turin.ia.cwi.nl%3A1443/oauth2-reply&scope=profile
>
> which returns 404 :(
>
> Note that both Unity and the target client use self-signed SSL
> certificates (although I don't think that matters).
>
> What am I missing?

The context address of the endpoint is the root part of the path (which you control) - /oauth2-as in your case. Under it there are typically some fixed paths which are an internal detail of the endpoint in question. The docs provide info on those paths.

So in this case you need to append .../oauth2-authz in the request path.

HTH,
Krzysztof
From: Jan W. <J.W...@cw...> - 2016-12-15 15:04:15

Hi,

I'm completely new to Unity. I'm trying to setup an experimental server, first using an oauth2 client. Setting up Unity itself is easy :)

I minimally edited oauth2-as.properties, changed issuerUri and usersGroup:

unity.oauth2.as.issuerUri=https://woezel.ia.cwi.nl:2443/oauth2
unity.oauth2.as.usersGroup=/

I have added a client to /oauth-clients as a new entity using 'identifier' "swish@turin", adding attributes

sys:oauth:groupForClient=/
sys:oauth:allowedReturnURI=https://turin.ia.cwi.nl:1443/oauth2-reply
sys:oauth:allowedGrantFlows=authorizationCode

According to "Server management" tab, UNITY OAuth2 Authorization Server: Context address: /oauth2-as

So, I redirect to
https://woezel.ia.cwi.nl:2443/oauth2-as?response_type=code&client_id=swish@turin&redirect_uri=https%3A//turin.ia.cwi.nl%3A1443/oauth2-reply&scope=profile

This causes the browser to redirect to (not the "as/")
https://woezel.ia.cwi.nl:2443/oauth2-as/?response_type=code&client_id=swish@turin&redirect_uri=https%3A//turin.ia.cwi.nl%3A1443/oauth2-reply&scope=profile

which returns 404 :(

Note that both Unity and the target client use self-signed SSL certificates (although I don't think that matters).

What am I missing?

Thanks --- Jan
From: Krzysztof B. <kb...@un...> - 2016-11-29 17:27:07

Hi Shiraz,

On 28.11.2016 at 16:19, Shiraz Memon wrote:
> Hi,
>
> Is it possible to query for entity attributes
> (/rest-admin/v1/entity/{entity-id}/attributes) based on the admin.
> defined output translation profiles? Currently only the system defined
> attributes (from attribute schema) are returned through the rest admin
> interface.
> This is however not the case while querying for the attributes through
> /userinfo or saml (esp. soap) endpoints.

No, there is no such option. This is a longer story: the output profile is very much dependent on the endpoint's (or actually IdP endpoint's) configuration. The OAuth/SAML endpoint provides quite a lot of context as the profile's input. The REST admin endpoint is on the other hand an administrative utility. We can think however about some debug facility as was done for input profiles.

Cheers,
Krzysztof
From: Shiraz M. <a....@fz...> - 2016-11-28 15:19:33

Hi,

Is it possible to query for entity attributes (/rest-admin/v1/entity/{entity-id}/attributes) based on the admin. defined output translation profiles? Currently only the system defined attributes (from attribute schema) are returned through the rest admin interface. This is however not the case while querying for the attributes through /userinfo or saml (esp. soap) endpoints.

Thanks,
Shiraz

--
Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)
Phone: +49 2461 61 6899
Fax: +49 2461 61 6656
From: Krzysztof B. <kb...@un...> - 2016-11-26 12:08:45

Hi Sander,

On 25.11.2016 at 10:28, Sander Apweiler wrote:
> Hi,
>
> we need/want to use email signed by X.509 for notifications from unity.
> I didn't find some information in manual and Javax-mail documentation.
> I know a javamail-crypto lib exists but it seems to me that it is not
> used in unity.
>
> Is email signature supported by unity? If not are there plans for
> implementation?

Nothing so far - you are the first one even mentioning it :-)

This is a quite rare requirement; not many people (I mean "real" people, not IT ones) have an orientation in what a signed email is (especially as everybody receives unsigned ones and no one cares). And also many cheap certificates do not allow for signing emails in their policy (contrary to working as a server TLS cert).

But if this is something very needed for you, please file a ticket. It can be implemented using the Bouncy Castle lib - requires a bit of additional email config and a bit of code to sign.

Cheers,
Krzysztof
From: Sander A. <sa....@fz...> - 2016-11-25 09:31:43

Hi,

we need/want to use email signed by X.509 for notifications from unity. I didn't find some information in manual and Javax-mail documentation. I know a javamail-crypto lib exists but it seems to me that it is not used in unity.

Is email signature supported by unity? If not are there plans for implementation?

Best regards,
Sander
From: Krzysztof B. <kb...@un...> - 2016-11-13 16:23:00

Hi Sander,

On 09.11.2016 at 15:55, Sander Apweiler wrote:
> Hi Krzysztof,
>
> I copied the attribute values with REST API to a new one. After updating
> registration forms, translation profiles and config to the new attribute
> I found some problems or maybe bugs.
>
> 1) The old attribute named email and the new attribute named mail are
> stored in Unity. The following output translation profile is used for SPs:
> Condition: true
> Action: createAttribute
> attributeName: email
> expression: attr['mail']
>
> If this translation profile is used, Unity ignores the expression and
> send the value of the attribute "email" to the client. If there is no
> attribute named email, the expression works.

Yes, this is an expected behavior: the createAttribute action is skipped if its attribute already exists. If you set the logging level for translation to TRACE then you get the explicit message about this happening in the log. As this was misleading for you I'm increasing the log level to DEBUG.

The solution for your problem is to put (before the createAttribute rule) a filterAttribute action, which removes the original 'email' attribute.

> 2) SAML clients can't use verifiableEmail attributes. I got an error
> from an SAML client because Unity sends within the response the
> following status:
> <urn:Status>
> <urn:StatusCode
> Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
> <urn:StatusMessage>pl.edu.icm.unity.types.basic.VerifiableEmail
> cannot be cast to java.lang.String</urn:StatusMessage>
> </urn:Status>
>
> So it seems that Unity can't cast the VerifiableEmail attribute in SAML
> context. For Oauth it works fine. Very bad is that unity logfiles has no
> errors. If I have a look in it, it seems that everything was fine.

I agree, this clearly signals some bug. In principle Unity should never cast its internal attribute value to a SAML value; it should use a configured encoder. Of course there is such an encoder for emails, and it is tested that this feature is working, i.e. I get SAML responses with emails in them. That said: can you please send more details about a setup where I can reproduce this problem? If you could send me the complete config of the SAML IdP endpoint + the profile used, that would be great.

> 3) In input translation profiles we use effect = CREATE_OR_UPDATE for
> attribute mapping. If you use this effect for verifiableEmail the user
> receives a confirmation email after every login (although the email
> address was confirmed). I would expect that it is send once at
> registration and a new confirmation mail is send if the email address
> has changed.

Well, this is a bit tricky. The behavior is that Unity sets the email to unconfirmed after each login, because this is how you have configured your profile. And in effect you have a confirmation request sent always.

In the majority of cases, when authN is delegated to an external service, it can be trusted that the provided email was verified and local re-verification by Unity should be skipped at all. You can achieve this by adding a constant suffix "[CONFIRMED]" to the attribute value in your profile's expression - see section 7.4.4 in the manual. I hope this is solving your issues.

However, if you want to do exactly as you wrote, i.e. verify the externally provided email with Unity, and re-do verification if the email changes, then we need an extra feature. The problem is that Unity must also allow for setting the email attribute state from the profile (some OAuth services provide email verification status as a separate attribute). And this feature would become broken if your suggestion is simply implemented. Therefore if you need exactly such behavior please write, I'll think about some smart way to configure the profile to act in such a way.

Best,
Krzysztof
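The rule semantics Krzysztof describes in this reply (createAttribute skipped when the target exists, filterAttribute as the fix, the "[CONFIRMED]" value suffix for input profiles), modelled as an added example that is not Unity's translation engine or the author's code; the rule representation and evaluation order are my assumptions. It shows why the profile from point 1 releases the stale "email" value to the client unless the filter runs first.

```python
"""Model of the output translation profile behaviour described in the reply.

Added illustration, not Unity's translation engine: rules are applied in order;
createAttribute is skipped when the target already exists (the reply says Unity
logs this at TRACE, now DEBUG); filterAttribute removes an attribute. It also
models the "[CONFIRMED]" value suffix for input profiles (manual 7.4.4) that
marks an externally verified email. The rule representation is an assumption.
"""
from typing import Callable, Dict, List, Optional, Tuple

Attrs = Dict[str, List[str]]
Expression = Callable[[Attrs], List[str]]

CONFIRMED_SUFFIX = "[CONFIRMED]"


def create_attribute(name: str, expression: Expression) -> dict:
    """Rule: createAttribute with 'Condition: true' as in the thread."""
    return {"action": "createAttribute", "attributeName": name, "expression": expression}


def filter_attribute(name: str) -> dict:
    """Rule: filterAttribute, the fix suggested in the reply."""
    return {"action": "filterAttribute", "attributeName": name}


def apply_output_profile(attrs: Attrs, rules: List[dict],
                         log: Optional[List[str]] = None) -> Attrs:
    """Return the attribute set released to the client after applying `rules`.
    `attrs` is what is stored for the user and is not modified."""
    out: Attrs = {k: list(v) for k, v in attrs.items()}
    log = log if log is not None else []
    for rule in rules:
        name = rule["attributeName"]
        if rule["action"] == "createAttribute":
            if name in out:
                # The surprise from the thread: the expression is not evaluated,
                # the stored value is what goes out to the SP.
                log.append(f"createAttribute skipped, '{name}' already exists")
                continue
            out[name] = list(rule["expression"](out))
            log.append(f"created '{name}'")
        elif rule["action"] == "filterAttribute":
            if out.pop(name, None) is not None:
                log.append(f"filtered '{name}'")
        else:
            raise ValueError(f"unknown action {rule['action']!r}")
    return out


def email_with_state(value: str) -> Tuple[str, bool]:
    """Split an input-profile email value into (address, confirmed)."""
    if value.endswith(CONFIRMED_SUFFIX):
        return value[:-len(CONFIRMED_SUFFIX)], True
    return value, False


def released_email(stored: Attrs, with_filter: bool) -> List[str]:
    """The exact profile from point 1, with or without the filterAttribute fix."""
    rules: List[dict] = []
    if with_filter:
        rules.append(filter_attribute("email"))
    rules.append(create_attribute("email", lambda a: a["mail"]))  # attr['mail']
    return apply_output_profile(stored, rules).get("email", [])
```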
From: Sander A. <sa....@fz...> - 2016-11-09 14:57:36
Hi Krzysztof,

I copied the attribute values with the REST API to a new one. After updating
registration forms, translation profiles and config to the new attribute I
found some problems or maybe bugs.

1) The old attribute named email and the new attribute named mail are stored
in Unity. The following output translation profile is used for SPs:
Condition: true
Action: createAttribute
attributeName: email
expression: attr['mail']

If this translation profile is used, Unity ignores the expression and sends
the value of the attribute "email" to the client. If there is no attribute
named email, the expression works.

2) SAML clients can't use verifiableEmail attributes. I got an error from a
SAML client because Unity sends the following status within the response:
<urn:Status>
  <urn:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
  <urn:StatusMessage>pl.edu.icm.unity.types.basic.VerifiableEmail cannot be cast to java.lang.String</urn:StatusMessage>
</urn:Status>

So it seems that Unity can't cast the VerifiableEmail attribute in SAML
context. For OAuth it works fine. Very bad is that the Unity logfiles have no
errors. If I have a look at them, it seems that everything was fine.

3) In input translation profiles we use effect = CREATE_OR_UPDATE for
attribute mapping. If you use this effect for verifiableEmail the user
receives a confirmation email after every login (although the email address
was confirmed). I would expect that it is sent once at registration and a new
confirmation mail is sent if the email address has changed.

Do you know these problems?

Best regards,
Sander

On Friday, 21.10.2016, 11:17 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 20.10.2016 at 12:44, Sander Apweiler wrote:
> > Hi,
> >
> > I want to change the value type of the email attribute from string into
> > verifiableEmail. When I submit the changes I get an error that at least
> > one attribute is in conflict with it. The stack trace from the log file
> > is attached. Has anyone a hint for me?
>
> Unfortunately this direction is not easy. verifiableEmail holds complex
> information as attribute values. Usually you see only the sole email
> value, but it is also stored whether it was confirmed, when, and how many
> confirmation requests were sent. Therefore simple upcasting of String to
> vEmail won't work.
>
> One approach would be to create a new verifiableEmail-type attribute and
> use the REST API to transform. It should also be possible to create a JSON
> dump, tweak it and reimport, but this is a really fragile operation,
> requiring good testing on a test instance...
>
> If you don't mind waiting you can open a ticket for this - we can
> implement better special handling for attribute type changes: if the
> current approach of basic type cast does not work, we can try to perform
> an export to text representation and parse it. Of course such a fallback
> can lose some information but should work in the typical cases.
>
> Best,
> Krzysztof

------------------------------------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren local court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Dr. Karl Eugen Huthmacher
Management Board: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman),
Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt,
Prof. Dr. Sebastian M. Schmidt
------------------------------------------------------------------------------------------------
From: Sander A. <sa....@fz...> - 2016-10-27 12:55:34
Hi Krzysztof,

thank you very much. Now it works fine.

Best regards,
Sander

On Thursday, 27.10.2016, 13:51 +0200, Krzysztof Benedyczak wrote:
> On 27.10.2016 at 11:57, Sander Apweiler wrote:
> > Hi Krzysztof,
> >
> > On Thursday, 27.10.2016, 10:48 +0200, Krzysztof Benedyczak wrote:
> > > Hi Sander,
> > >
> > > On 27.10.2016 at 10:38, Sander Apweiler wrote:
> > > > Hi Krzysztof,
> > > >
> > > > thanks for the information. Copying the values with the REST API is
> > > > working fine for me. Is there a possibility to get a list of all used
> > > > entity ids via the REST API? I'm working on a script which copies the
> > > > attribute for all users and I want to avoid a long for loop with
> > > > status code checks.
> > >
> > > What do you mean by "all used entity ids"? Just all entities which are
> > > in the system? If so then get all members of the root group - this is
> > > the complete list.
> >
> > Yes, that is what I want. But how could I query the root group? I tried
> > - .../group
> > - .../group/
> > - .../group//
> > All have a 404 error. Querying a subgroup was no problem.
>
> root is just /
> You may need to do percent encoding of the value.
From: Krzysztof B. <kb...@un...> - 2016-10-27 11:52:08
On 27.10.2016 at 11:57, Sander Apweiler wrote:
> Hi Krzysztof,
>
> On Thursday, 27.10.2016, 10:48 +0200, Krzysztof Benedyczak wrote:
>> Hi Sander,
>>
>> On 27.10.2016 at 10:38, Sander Apweiler wrote:
>>> Hi Krzysztof,
>>>
>>> thanks for the information. Copying the values with the REST API is
>>> working fine for me. Is there a possibility to get a list of all used
>>> entity ids via the REST API? I'm working on a script which copies the
>>> attribute for all users and I want to avoid a long for loop with status
>>> code checks.
>>
>> What do you mean by "all used entity ids"? Just all entities which are
>> in the system? If so then get all members of the root group - this is
>> the complete list.
> Yes, that is what I want. But how could I query the root group? I tried
> - .../group
> - .../group/
> - .../group//
> All have a 404 error. Querying a subgroup was no problem.

root is just /
You may need to do percent encoding of the value.
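The script Sander describes, as an added example that is not part of this thread or of the Unity project: it percent-encodes the root group "/" as "%2F" (the reason the unencoded ".../group/" variants returned 404), lists the root group members, and copies one attribute to a new name for every entity. The REST path shapes (`/v1/group/{path}`, `/v1/entity/{id}/attributes`, `PUT /v1/entity/{id}/attribute`), the response layout and the `FakeUnity` stand-in are assumptions so that it runs offline.

```python
from urllib.parse import quote

# Assumed (not taken from the thread) Unity REST admin API shapes:
#   GET /v1/group/{path}                      -> {"subGroups": [...], "members": [entityId, ...]}
#   GET /v1/entity/{id}/attributes?group=...  -> [attribute object, ...]
#   PUT /v1/entity/{id}/attribute             <- one attribute object

def group_path(group):
    """Build the group resource path. The root group is just "/" and must be
    percent-encoded as %2F; an unencoded "/" collapses into ".../group/" (404)."""
    return "/v1/group/" + quote(group, safe="")

def copy_attribute(client, src_name, dst_name, group="/"):
    """Copy attribute src_name to dst_name for every member of group and
    return the updated entity ids, so the run can be verified afterwards."""
    members = client.get(group_path(group))["members"]
    updated = []
    for entity_id in members:
        attrs = client.get(f"/v1/entity/{entity_id}/attributes?group={quote(group, safe='')}")
        src = next((a for a in attrs if a["name"] == src_name), None)
        if src is None:  # this entity has no source attribute: nothing to copy
            continue
        client.put(f"/v1/entity/{entity_id}/attribute",
                   {"name": dst_name, "groupPath": group, "values": list(src["values"])})
        updated.append(entity_id)
    return updated

class FakeUnity:
    """Constructed in-memory stand-in for the REST endpoint so the example runs offline."""
    def __init__(self, attributes):
        self.attributes = attributes  # {entity_id: [attribute object, ...]}
    def get(self, path):
        if path == group_path("/"):
            return {"subGroups": [], "members": sorted(self.attributes)}
        if path.startswith("/v1/group/"):
            raise LookupError("404 Not Found: " + path)  # e.g. the unencoded ".../group/"
        return self.attributes[int(path.split("/")[3])]
    def put(self, path, attribute):
        entity_id = int(path.split("/")[3])
        kept = [a for a in self.attributes[entity_id] if a["name"] != attribute["name"]]
        self.attributes[entity_id] = kept + [attribute]

# Constructed sample directory: entity 1 has an email attribute, entity 2 has none.
SAMPLE = {1: [{"name": "email", "groupPath": "/", "values": ["alice@example.org"]}],
          2: [{"name": "cn", "groupPath": "/", "values": ["Bob"]}]}

if __name__ == "__main__":
    unity = FakeUnity({k: list(v) for k, v in SAMPLE.items()})
    print(copy_attribute(unity, "email", "mail"))  # [1]
```

Against a real instance, replace `FakeUnity` with a thin HTTPS client that prefixes the configured REST admin base path and authenticates; the path building and the loop stay the same.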
From: Sander A. <sa....@fz...> - 2016-10-27 09:57:54
Hi Krzysztof,

On Thursday, 27.10.2016, 10:48 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 27.10.2016 at 10:38, Sander Apweiler wrote:
> > Hi Krzysztof,
> >
> > thanks for the information. Copying the values with the REST API is
> > working fine for me. Is there a possibility to get a list of all used
> > entity ids via the REST API? I'm working on a script which copies the
> > attribute for all users and I want to avoid a long for loop with status
> > code checks.
>
> What do you mean by "all used entity ids"? Just all entities which are
> in the system? If so then get all members of the root group - this is
> the complete list.

Yes, that is what I want. But how could I query the root group? I tried
- .../group
- .../group/
- .../group//
All have a 404 error. Querying a subgroup was no problem.

Best regards,
Sander

>
> Best
> Krzysztof
>
From: Krzysztof B. <kb...@un...> - 2016-10-27 08:49:17
Hi Sander,

On 27.10.2016 at 10:38, Sander Apweiler wrote:
> Hi Krzysztof,
>
> thanks for the information. Copying the values with the REST API is working
> fine for me. Is there a possibility to get a list of all used entity ids
> via the REST API? I'm working on a script which copies the attribute for all
> users and I want to avoid a long for loop with status code checks.

What do you mean by "all used entity ids"? Just all entities which are in
the system? If so then get all members of the root group - this is the
complete list.

Best
Krzysztof
From: Sander A. <sa....@fz...> - 2016-10-27 08:39:30
Hi Krzysztof,

thanks for the information. Copying the values with the REST API is working
fine for me. Is there a possibility to get a list of all used entity ids via
the REST API? I'm working on a script which copies the attribute for all
users and I want to avoid a long for loop with status code checks.

Best regards,
Sander

On Friday, 21.10.2016, 11:17 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 20.10.2016 at 12:44, Sander Apweiler wrote:
> > Hi,
> >
> > I want to change the value type of the email attribute from string into
> > verifiableEmail. When I submit the changes I get an error that at least
> > one attribute is in conflict with it. The stack trace from the log file
> > is attached. Has anyone a hint for me?
> >
>
> Unfortunately this direction is not easy. verifiableEmail holds complex
> information as attribute values. Usually you see only the sole email
> value, but it is also stored whether it was confirmed, when, and how many
> confirmation requests were sent. Therefore simple upcasting of String to
> vEmail won't work.
>
> One approach would be to create a new verifiableEmail-type attribute and
> use the REST API to transform. It should also be possible to create a JSON
> dump, tweak it and reimport, but this is a really fragile operation,
> requiring good testing on a test instance...
>
> If you don't mind waiting you can open a ticket for this - we can
> implement better special handling for attribute type changes: if the
> current approach of basic type cast does not work, we can try to perform
> an export to text representation and parse it. Of course such a fallback
> can lose some information but should work in the typical cases.
>
> Best,
> Krzysztof