From: Terefang V. <ter...@gm...> - 2015-01-21 18:26:22

hello

first of all thanks for this wonderful software.

i do need a rpc api on top of unity so i implemented an endpoint (+factory+servlet) and hooked it up like this in unityServer.conf:

----
unityServer.core.endpoints.11.endpointType=JsonRpc
unityServer.core.endpoints.11.endpointConfigurationFile=/etc/unity-idm/endpoints/jsonrpc.properties
unityServer.core.endpoints.11.contextPath=/rpc
unityServer.core.endpoints.11.endpointName=UNITY json-rpc endpoint
unityServer.core.endpoints.11.endpointRealm=defaultRealm
unityServer.core.endpoints.11.endpointAuthenticators=pwdRest
----

i can reach the endpoint servlet, but any call to a unity api (IdentitiesManagement, GroupsManagement, AttributesManagement) will result in the following Exception:

----
2015-01-21 17:47:25,238 [qtp37986510-36] WARN terefang.unity.contrib.jsonrpc.JsonRpcServlet - The current call has no invocation context set
pl.edu.icm.unity.exceptions.InternalException: The current call has no invocation context set
        at pl.edu.icm.unity.server.authn.InvocationContext.getCurrent(InvocationContext.java:57)
        at pl.edu.icm.unity.engine.events.EventDecoratingHandler.invoke(EventDecoratingHandler.java:39)
        at com.sun.proxy.$Proxy19.getEntity(Unknown Source)
        at terefang.unity.contrib.jsonrpc.JsonRpcServlet.userExists(JsonRpcServlet.java:85)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at com.googlecode.jsonrpc4j.JsonRpcServer.invoke(JsonRpcServer.java:513)
        at com.googlecode.jsonrpc4j.JsonRpcServer.handleObject(JsonRpcServer.java:384)
        at com.googlecode.jsonrpc4j.JsonRpcServer.handleNode(JsonRpcServer.java:293)
        at com.googlecode.jsonrpc4j.JsonRpcServer.handle(JsonRpcServer.java:230)
        at com.googlecode.jsonrpc4j.JsonRpcServer.handle(JsonRpcServer.java:207)
        at terefang.unity.contrib.jsonrpc.JsonRpcServlet.doPost(JsonRpcServlet.java:67)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:755)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:503)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:229)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:429)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:255)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
        at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:317)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
        at org.eclipse.jetty.server.Server.handle(Server.java:370)
        at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
        at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:982)
        at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1043)
        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865)
        at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240)
        at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
        at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
        at java.lang.Thread.run(Thread.java:745)
----

it seems that the configured authentication methods do not get processed and hence the api calls are unauthorized

i have looked into the other endpoints (Vaadin, CXF, Rest) but i do not understand how they authenticate via http-basic.

please help.

yours,
-- terefang
From: Krzysztof B. <go...@ic...> - 2015-01-21 10:37:43

Hi Jeroen,

On 20.01.2015 at 10:52, Jeroen Roodhart wrote:
> Hi Krzysztof,
>
> Thank you for your clear answer.
>
> On 20/01/15 10:27, Krzysztof Benedyczak wrote:
>> That said such implementation is considered but pretty low on
>> priorities list. This is because of minimal usefulness and very big
>> effort to implement it.
>
> Well, I agree that it would be a big effort, though I think it would
> be _very_ useful. At the moment there seems to be no way whatsoever to
> tie into OAUTH or other such mechanisms on the system level. Having
> such a possibility would open up a plethora of possibilities to allow
> collaboration between researchers through sharing all kinds of
> resources (from compute facilities (not being "cloud") to scientific
> measuring equipment).

To clarify a bit more. I fully agree that a feature to authenticate Linux users with basically anything would be great. But my point was that in many (most? i.e. OAuth & typical SAML) cases it is close to impossible. Developing an automated web parser which will login on the user's behalf using arbitrary login fields on an arbitrary login page - which each and every IdP can have different and usually does have different - is fairly unrealistic. We can do something for some well known providers such as Google or FB.

My statement that "this is a lot of work" was related merely to the LDAP endpoint in Unity which is needed to create the PAM<->Unity link, but is not sufficient as it won't translate a non-interactive protocol (LDAP) to any interactive web-browser based protocol (OAuth/SAML SSO).

Also the simulated & automated web-browser approach brings legal issues as the whole solution would be a hack, killing the principles of the OAuth/SAML protocols where the password is not exposed to intermediaries and where a user is directly instructing her IdP to release the information to a particular requester.

Simple example: if the IdP asks the user (after login) whether she accepts some new, updated terms and conditions, should Unity click "yes" for the user? Or maybe not?

Best regards,
Krzysztof
From: Jeroen R. <j.r...@uv...> - 2015-01-20 09:52:37

Hi Krzysztof,

Thank you for your clear answer.

On 20/01/15 10:27, Krzysztof Benedyczak wrote:
> That said such implementation is considered but pretty low on
> priorities list. This is because of minimal usefulness and very big
> effort to implement it.

Well, I agree that it would be a big effort, though I think it would be _very_ useful. At the moment there seems to be no way whatsoever to tie into OAUTH or other such mechanisms on the system level. Having such a possibility would open up a plethora of possibilities to allow collaboration between researchers through sharing all kinds of resources (from compute facilities (not being "cloud") to scientific measuring equipment).

With kind regards,

Jeroen

--
Jeroen Roodhart
University of Amsterdam
Strategic IT Consultant, Science faculty
Researcher's IT support
j.r...@uv...
fei...@uv...
Tel. 020 525 7203
Tel. 020 525 7202
--
See http://www.uva.nl/profile/j.r.roodhart for openPGP public key
From: Krzysztof B. <go...@ic...> - 2015-01-20 09:45:28

Dear Jeroen,

On 19.01.2015 at 20:38, Jeroen Roodhart wrote:
> Dear list,
>
> You probably get this asked a lot, but I'll try anyway :)
>
> We are considering Unity in hopes that it provides a way to tie many
> identity and authorisation providers in such a way that it can be used
> to provide system level (PAM) access to Linux/Unix servers (and
> services such as iRODS).
>
> Are you considering developing say a LDAP/AD endpoint for Unity?

Maybe not a lot, but you are right - such a question was asked. And yes, I agree that an LDAP endpoint is the best way to integrate Unity with PAM.

That said such an implementation is considered but pretty low on the priorities list. This is because of minimal usefulness and very big effort to implement it. The root of all evil is that the most popular distributed authentication protocols - OAuth2/OIDC and SAML Web SSO - are web based by design. I.e. the protocol spec assumes that a principal being authenticated uses a web browser, dot. Yes, there is the SAML ECP profile which would be suitable, also it is (I guess) possible to create a non-browser login under the OAuth umbrella, but the reality is that IdPs do not (widely) support anything like this.

All in all an LDAP endpoint in Unity would allow you to perform authN against credentials stored in Unity or against another LDAP server. Not much I'm afraid. Another option is to simulate a web browser in Unity so it will login on the user's behalf, but such an approach is extremely hard to maintain and limited as IdP login forms do differ a lot.

Best regards,
Krzysztof
From: Jeroen R. <j.r...@uv...> - 2015-01-19 19:38:46

Dear list,

You probably get this asked a lot, but I'll try anyway :)

We are considering Unity in hopes that it provides a way to tie many identity and authorisation providers in such a way that it can be used to provide system level (PAM) access to Linux/Unix servers (and services such as iRODS).

Are you considering developing say a LDAP/AD endpoint for Unity?

With kind regards,

Jeroen Roodhart

--
Jeroen Roodhart
University of Amsterdam
Strategic IT Consultant, Science faculty
Researcher's IT support
j.r...@uv...
fei...@uv...
Tel. 020 525 7203
Tel. 020 525 7202
--
See http://www.uva.nl/profile/j.r.roodhart for openPGP public key
From: Krzysztof B. <go...@ic...> - 2014-12-08 22:50:16

Dear All,

Finally the 1.4.0 release of Unity is available for download. It is so far the biggest update, with exactly 200 commits, 47 solved tickets and several big features. Big thanks to all our contributors, testers and auditors (in alphabetical order, people first): Bernd, Piotr, Rafał, Roman Krysiński, Shiraz, ICM, Wrocław Center For Networking and Supercomputing, ICM and PL-Grid guys!

The release highlights are:

* OAuth2 & OpenID Connect endpoint is now available, i.e. Unity can act as a standalone OAuth 2 Authorization Server with support for the OpenID Connect specification. The current implementation is fully functional, however its configuration requires some manual work in the Admin UI (setting attributes, adding clients to groups) as there is no dedicated OAuth management UI. This will be improved in the future.
* The SAML subsystem received all the most important missing features:
  ** Support for encryption (and decryption) of assertions.
  ** The SAML IdP can be configured with SAML metadata in a similar way as it was already possible to configure the SAML authenticator. The trusted SPs can be automatically extracted from the federation's metadata and updated at runtime.
  ** The SAML Single Logout protocol is fully supported. This is a giant feature, as Unity can now log out all session participants: the upstream SAML IdP (if it was used) and the SPs logged in via the Unity SAML IdP endpoint. The logout can be initiated and performed via HTTP POST, Redirect and SOAP bindings, as well as by logging out from any of the Unity web UIs. As Single Logout may bring some problems, the level of its implementation is configurable. See the SAML Howto for details.
* The LDAP authenticator was greatly enhanced:
  ** it is possible to use a predefined system user to obtain information about the logged-in user
  ** it is possible to define custom, additional searches
* There is a new OAuth authenticator available, where Unity takes the OAuth Resource Server role, checking the provided OAuth Access Token against a configured 3rd party OAuth AS.
* Unity was subject to an extensive security audit. Implementation of the audit recommendations hardened Unity's security.

Unfortunately one of the big planned features - the translation profile wizard and debugger - is not included in this release due to one recently found issue. This great feature will be made available in the next release.

The full list of changes & updated documentation are available as always at http://www.unity-idm.eu

Best regards,
Krzysztof
From: Shiraz M. <a....@fz...> - 2014-10-20 11:56:24

Hi Krzysztof,

> Hard to say. I have a feeling that you had some problems with the upgrade. Between 1.3.0 and 1.3.1 there were only a few bugfixes, absolutely nothing more; a similar issue was with the ticket you've filed. Between 1.2.0 and 1.3.x there was a change in this field. Check the output translation profile chapter in the manual.

Yup, the translation profile helped.

Thanks,
Shiraz

--
Ahmed Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)
Phone: +49 2461 61 6899
Fax: +49 2461 61 6656

Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren district court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Dr. Karl Eugen Huthmacher
Management Board: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt
From: Krzysztof B. <go...@ic...> - 2014-10-20 11:11:47

Hi,

On 20.10.2014 at 12:49, Shiraz Memon wrote:
> Hi,
>
> I am currently testing v1.3.1. Surprisingly, after successful
> authentication, the assertion consumer service (the SP) fails to receive
> the unity:identity:* prefixed attributes (e.g.
> unity:identity:persistent) from the unity idp. That was not the case in
> v1.3.0, though. Do I need to configure anything inside unity's saml
> web-idp settings?

Hard to say. I have a feeling that you had some problems with the upgrade. Between 1.3.0 and 1.3.1 there were only a few bugfixes, absolutely nothing more; a similar issue was with the ticket you've filed. Between 1.2.0 and 1.3.x there was a change in this field. Check the output translation profile chapter in the manual.

So I guess you have a default output profile installed, which is not exposing identities of the user in attributes. However it is easy to add such: the example in the documentation shows how to do this. You can name the resulting attribute in any way you want and expose the identity types you are interested in.

Best regards,
Krzysztof
From: Shiraz M. <a....@fz...> - 2014-10-20 10:50:28

Hi,

I am currently testing v1.3.1. Surprisingly, after successful authentication, the assertion consumer service (the SP) fails to receive the unity:identity:* prefixed attributes (e.g. unity:identity:persistent) from the unity idp. That was not the case in v1.3.0, though. Do I need to configure anything inside unity's saml web-idp settings?

Thanks,
Shiraz

--
Ahmed Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)
Phone: +49 2461 61 6899
Fax: +49 2461 61 6656
From: Krzysztof B. <go...@ic...> - 2014-08-21 15:52:17

Hi,

On 21.08.2014 12:08, mahind wrote:
> Hello,
>
> I am using Unity version 1.3.1.
>
> The test user is registered in OpenLDAP.
>
> I am trying to get authentication from UNICORE commandline client (ucc)
> via Unity.
>
> From ucc I am able to get authentication for users registered in Unity.
>
> With the help of documentation, I configured unityServer.log for
> authenticator and endpoint settings.
>
> unityServer.core.authenticators.4.authenticatorName=ldapWeb
> unityServer.core.authenticators.4.authenticatorType=ldap with web-password
> unityServer.core.authenticators.4.verificatorConfigurationFile=conf/authenticators/ldap.properties
> unityServer.core.authenticators.4.retrievalConfigurationFile=conf/authenticators/passwordRetrieval.json
>
> unityServer.core.endpoints.4.endpointType=SAMLUnicoreSoapIdP
> unityServer.core.endpoints.4.endpointConfigurationFile=conf/endpoints/saml-webidp.properties
> unityServer.core.endpoints.4.contextPath=/unicore-soapidp
> unityServer.core.endpoints.4.endpointRealm=defaultRealm
> unityServer.core.endpoints.4.endpointName=UNITY UNICORE SOAP SAML service
> unityServer.core.endpoints.4.endpointAuthenticators=pwdWS;ldapWeb
>
> Also updated conf/authenticators/ldap.properties
>
> ldap.servers.1=xxx
> ldap.ports.1=xxx
>
> ldap.userDNTemplate=uid={USERNAME},ou=users,dc=tu-dresden,dc=de
> ldap.attributes.1=uid
> ldap.groupsBaseName=dc=tu-dresden,dc=de
> ldap.groups.1.objectClass=groups
> ldap.groups.1.memberAttribute=memberUid
> ldap.groups.1.matchByMemberAttribute=cn
> ldap.groups.1.nameAttribute=cn
>
> ldap.translationProfile=ldapProfile
>
> When I try to connect, I get -
>
> **************************
> Starting UNITY Web Server
> **************************
> 2014-08-21 09:29:30,340 [main] INFO unity.server.config.JettyServerBase - Creating Jetty HTTP server, will listen on: https://xxx
> 2014-08-21 09:29:34,058 [main] INFO unity.server.db.InitDB - Database initialized, skipping creation
> 2014-08-21 09:29:39,679 [main] INFO unity.server.EngineInitialization - Checking if all identity types are defined
> 2014-08-21 09:29:39,783 [main] INFO unity.server.EngineInitialization - Checking if all system attribute types are defined
> 2014-08-21 09:29:40,268 [main] INFO unity.server.EngineInitialization - Loading all configured credentials
> 2014-08-21 09:29:40,297 [main] INFO unity.server.EngineInitialization - Loading all configured credential requirements
> 2014-08-21 09:29:40,388 [main] INFO unity.server.EngineInitialization - Loading configured translation profiles
> 2014-08-21 09:29:40,389 [main] INFO unity.server.EngineInitialization - Loading all configured authenticators
> 2014-08-21 09:29:40,418 [main] INFO unity.server.EngineInitialization - Removing all persisted endpoints
> 2014-08-21 09:29:40,431 [main] INFO unity.server.EngineInitialization - Removing all persisted realms
> 2014-08-21 09:29:40,464 [main] INFO unity.server.EngineInitialization - Loading configured realms
> 2014-08-21 09:29:40,487 [main] INFO unity.server.EngineInitialization - - defaultRealm: [blockAfter 4, blockFor 30, rememberMe -1, maxInactive 3600
> 2014-08-21 09:29:40,500 [main] INFO unity.server.EngineInitialization - - adminRealm: [blockAfter 4, blockFor 30, rememberMe -1, maxInactive 1800
> 2014-08-21 09:29:40,500 [main] INFO unity.server.EngineInitialization - Loading all configured endpoints
> 2014-08-21 09:29:40,729 [main] INFO unity.server.EngineInitialization - - UNITY administration interface: WebAdminUI
> 2014-08-21 09:29:41,776 [main] INFO unity.server.EngineInitialization - - UNITY SAML web authentication: SAMLWebIdP
> 2014-08-21 09:29:41,844 [main] INFO unity.server.EngineInitialization - - UNITY UNICORE web authentication: SAMLUnicoreWebIdP
> 2014-08-21 09:29:41,891 [main] FATAL unity.server.EngineInitialization - Can't load endpoints which are configured
> pl.edu.icm.unity.exceptions.EngineException: Unable to deploy an endpoint: The authenticator of type web-vaadin7 is not supported by the binding. Supported are: [webservice-cxf2]
>         at pl.edu.icm.unity.engine.EndpointManagementImpl.deployInt(EndpointManagementImpl.java:132)
>         at pl.edu.icm.unity.engine.EndpointManagementImpl.deploy(EndpointManagementImpl.java:101)
>         at pl.edu.icm.unity.engine.internal.EngineInitialization.loadEndpointsFromConfiguration(EngineInitialization.java:631)
>         at pl.edu.icm.unity.engine.internal.EngineInitialization.initializeEndpoints(EngineInitialization.java:579)
>         at pl.edu.icm.unity.engine.internal.EngineInitialization.initializeDatabaseContents(EngineInitialization.java:282)
>         at pl.edu.icm.unity.engine.internal.EngineInitialization.start(EngineInitialization.java:181)
>         at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:173)
>         at org.springframework.context.support.DefaultLifecycleProcessor.access$200(DefaultLifecycleProcessor.java:51)
>         at org.springframework.context.support.DefaultLifecycleProcessor$LifecycleGroup.start(DefaultLifecycleProcessor.java:346)
>         at org.springframework.context.support.DefaultLifecycleProcessor.startBeans(DefaultLifecycleProcessor.java:149)
>         at org.springframework.context.support.DefaultLifecycleProcessor.onRefresh(DefaultLifecycleProcessor.java:112)
>         at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:773)
>         at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:485)
>         at pl.edu.icm.unity.server.UnityApplication.run(UnityApplication.java:50)
>         at pl.edu.icm.unity.server.UnityApplication.main(UnityApplication.java:58)
> Caused by: pl.edu.icm.unity.exceptions.WrongArgumentException: The authenticator of type web-vaadin7 is not supported by the binding. Supported are: [webservice-cxf2]
>         at pl.edu.icm.unity.engine.EndpointManagementImpl.verifyAuthenticators(EndpointManagementImpl.java:147)
>         at pl.edu.icm.unity.engine.EndpointManagementImpl.deployInt(EndpointManagementImpl.java:120)
>         ... 14 more
>
> Is there any mistake in configuration?

Yes, there is. As the error message says, the authenticator is incompatible with the endpoint. The authenticator 'ldapWeb' can be used only for web endpoints as it is configured to retrieve the user's password using the web form (see documentation of authenticators):

unityServer.core.authenticators.4.authenticatorType=ldap with web-password

It is not possible to use it with the SOAP endpoint, used by UCC or URC. So you need to define another authenticator (the LDAP specific part can reuse the same configuration file), but the new authenticator must be of type:

ldap with cxf-httpbasic

This authenticator will work with the SOAP endpoint.

Best,
Krzysztof
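As an added example (not code from the Unity project or from anyone in this thread), a small pre-deployment check in Python that applies the reasoning of the reply above: it parses the authenticator and endpoint definitions from unityServer.conf, derives each authenticator's binding from the retrieval half of its "verificator with retrieval" type, and flags authenticators whose binding the endpoint does not accept. Only the web-password/web-vaadin7, cxf-httpbasic/webservice-cxf2 and SAMLUnicoreSoapIdP/webservice-cxf2 pairings come from the thread; the remaining table entries, the pwdWS definition and its 'password with cxf-httpbasic' type are assumptions.

```python
import re

# Retrieval part of an authenticator type -> binding it produces.
# web-password/web-vaadin7 and cxf-httpbasic/webservice-cxf2 come from the
# thread; the other two entries are assumed.
RETRIEVAL_BINDING = {
    "web-password": "web-vaadin7",
    "web-certificate": "web-vaadin7",      # assumed
    "cxf-httpbasic": "webservice-cxf2",
    "cxf-certificate": "webservice-cxf2",  # assumed
}

# Endpoint type -> binding its authenticators must have. SAMLUnicoreSoapIdP is
# taken from the error message in the thread; the others are assumed.
ENDPOINT_BINDING = {
    "SAMLUnicoreSoapIdP": "webservice-cxf2",
    "SAMLSoapIdP": "webservice-cxf2",      # assumed
    "SAMLWebIdP": "web-vaadin7",           # assumed
    "SAMLUnicoreWebIdP": "web-vaadin7",    # assumed
    "WebAdminUI": "web-vaadin7",           # assumed
}

KEY_RE = re.compile(r"^unityServer\.core\.(authenticators|endpoints)\.(\d+)\.(\w+)$")


def parse_properties(text):
    """Java .properties text -> {'authenticators': {idx: {field: value}}, 'endpoints': {...}}."""
    out = {"authenticators": {}, "endpoints": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        match = KEY_RE.match(key)
        if match:
            kind, idx, field = match.groups()
            out[kind].setdefault(idx, {})[field] = value
    return out


def authenticator_binding(auth_type):
    """'ldap with web-password' -> 'web-vaadin7'; None when the type is unknown."""
    parts = auth_type.split(" with ", 1)
    if len(parts) != 2:
        return None
    return RETRIEVAL_BINDING.get(parts[1].strip())


def check_bindings(text):
    """Return human-readable problems; an empty list means every endpoint only
    references authenticators whose binding it accepts."""
    cfg = parse_properties(text)
    auth_by_name = {a["authenticatorName"]: a
                    for a in cfg["authenticators"].values() if "authenticatorName" in a}
    problems = []
    for idx, ep in cfg["endpoints"].items():
        ep_type = ep.get("endpointType", "")
        required = ENDPOINT_BINDING.get(ep_type)
        if required is None:
            problems.append(f"endpoint {idx}: unknown endpoint type '{ep_type}'")
            continue
        # ';' separates alternative authentication options and ',' combines
        # authenticators inside one option; each token names one authenticator.
        for name in re.split(r"[;,]", ep.get("endpointAuthenticators", "")):
            name = name.strip()
            if not name:
                continue
            auth = auth_by_name.get(name)
            if auth is None:
                problems.append(f"endpoint {idx} ({ep_type}): authenticator '{name}' is not defined")
                continue
            binding = authenticator_binding(auth.get("authenticatorType", ""))
            if binding != required:
                problems.append(f"endpoint {idx} ({ep_type}): authenticator '{name}' of type "
                                f"'{auth.get('authenticatorType')}' has binding {binding}, "
                                f"but the endpoint requires {required}")
    return problems


# Constructed sample mirroring the thread. pwdWS is assumed to be the stock
# password authenticator for SOAP endpoints (only the fields the check reads).
BROKEN_CONFIG = """
unityServer.core.authenticators.1.authenticatorName=pwdWS
unityServer.core.authenticators.1.authenticatorType=password with cxf-httpbasic

unityServer.core.authenticators.4.authenticatorName=ldapWeb
unityServer.core.authenticators.4.authenticatorType=ldap with web-password
unityServer.core.authenticators.4.verificatorConfigurationFile=conf/authenticators/ldap.properties
unityServer.core.authenticators.4.retrievalConfigurationFile=conf/authenticators/passwordRetrieval.json

unityServer.core.endpoints.4.endpointType=SAMLUnicoreSoapIdP
unityServer.core.endpoints.4.endpointConfigurationFile=conf/endpoints/saml-webidp.properties
unityServer.core.endpoints.4.contextPath=/unicore-soapidp
unityServer.core.endpoints.4.endpointRealm=defaultRealm
unityServer.core.endpoints.4.endpointName=UNITY UNICORE SOAP SAML service
unityServer.core.endpoints.4.endpointAuthenticators=pwdWS;ldapWeb
"""

# The fix from the reply: a second LDAP authenticator using the cxf-httpbasic
# retrieval, reusing ldap.properties, and the SOAP endpoint referencing it.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "endpointAuthenticators=pwdWS;ldapWeb", "endpointAuthenticators=pwdWS;ldapWS") + """
unityServer.core.authenticators.5.authenticatorName=ldapWS
unityServer.core.authenticators.5.authenticatorType=ldap with cxf-httpbasic
unityServer.core.authenticators.5.verificatorConfigurationFile=conf/authenticators/ldap.properties
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        found = check_bindings(cfg)
        print(f"{label}: {'OK' if not found else ''}")
        for problem in found:
            print("  -", problem)
```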
From: mahind <atu...@ma...> - 2014-08-21 10:08:40

Hello,

I am using Unity version 1.3.1.

The test user is registered in OpenLDAP.

I am trying to get authentication from UNICORE commandline client (ucc) via Unity.

From ucc I am able to get authentication for users registered in Unity.

With the help of documentation, I configured unityServer.log for authenticator and endpoint settings.

unityServer.core.authenticators.4.authenticatorName=ldapWeb
unityServer.core.authenticators.4.authenticatorType=ldap with web-password
unityServer.core.authenticators.4.verificatorConfigurationFile=conf/authenticators/ldap.properties
unityServer.core.authenticators.4.retrievalConfigurationFile=conf/authenticators/passwordRetrieval.json

unityServer.core.endpoints.4.endpointType=SAMLUnicoreSoapIdP
unityServer.core.endpoints.4.endpointConfigurationFile=conf/endpoints/saml-webidp.properties
unityServer.core.endpoints.4.contextPath=/unicore-soapidp
unityServer.core.endpoints.4.endpointRealm=defaultRealm
unityServer.core.endpoints.4.endpointName=UNITY UNICORE SOAP SAML service
unityServer.core.endpoints.4.endpointAuthenticators=pwdWS;ldapWeb

Also updated conf/authenticators/ldap.properties

ldap.servers.1=xxx
ldap.ports.1=xxx

ldap.userDNTemplate=uid={USERNAME},ou=users,dc=tu-dresden,dc=de
ldap.attributes.1=uid
ldap.groupsBaseName=dc=tu-dresden,dc=de
ldap.groups.1.objectClass=groups
ldap.groups.1.memberAttribute=memberUid
ldap.groups.1.matchByMemberAttribute=cn
ldap.groups.1.nameAttribute=cn

ldap.translationProfile=ldapProfile

When I try to connect, I get -

**************************
Starting UNITY Web Server
**************************
2014-08-21 09:29:30,340 [main] INFO unity.server.config.JettyServerBase - Creating Jetty HTTP server, will listen on: https://xxx
2014-08-21 09:29:34,058 [main] INFO unity.server.db.InitDB - Database initialized, skipping creation
2014-08-21 09:29:39,679 [main] INFO unity.server.EngineInitialization - Checking if all identity types are defined
2014-08-21 09:29:39,783 [main] INFO unity.server.EngineInitialization - Checking if all system attribute types are defined
2014-08-21 09:29:40,268 [main] INFO unity.server.EngineInitialization - Loading all configured credentials
2014-08-21 09:29:40,297 [main] INFO unity.server.EngineInitialization - Loading all configured credential requirements
2014-08-21 09:29:40,388 [main] INFO unity.server.EngineInitialization - Loading configured translation profiles
2014-08-21 09:29:40,389 [main] INFO unity.server.EngineInitialization - Loading all configured authenticators
2014-08-21 09:29:40,418 [main] INFO unity.server.EngineInitialization - Removing all persisted endpoints
2014-08-21 09:29:40,431 [main] INFO unity.server.EngineInitialization - Removing all persisted realms
2014-08-21 09:29:40,464 [main] INFO unity.server.EngineInitialization - Loading configured realms
2014-08-21 09:29:40,487 [main] INFO unity.server.EngineInitialization - - defaultRealm: [blockAfter 4, blockFor 30, rememberMe -1, maxInactive 3600
2014-08-21 09:29:40,500 [main] INFO unity.server.EngineInitialization - - adminRealm: [blockAfter 4, blockFor 30, rememberMe -1, maxInactive 1800
2014-08-21 09:29:40,500 [main] INFO unity.server.EngineInitialization - Loading all configured endpoints
2014-08-21 09:29:40,729 [main] INFO unity.server.EngineInitialization - - UNITY administration interface: WebAdminUI
2014-08-21 09:29:41,776 [main] INFO unity.server.EngineInitialization - - UNITY SAML web authentication: SAMLWebIdP
2014-08-21 09:29:41,844 [main] INFO unity.server.EngineInitialization - - UNITY UNICORE web authentication: SAMLUnicoreWebIdP
2014-08-21 09:29:41,891 [main] FATAL unity.server.EngineInitialization - Can't load endpoints which are configured
pl.edu.icm.unity.exceptions.EngineException: Unable to deploy an endpoint: The authenticator of type web-vaadin7 is not supported by the binding. Supported are: [webservice-cxf2]
        at pl.edu.icm.unity.engine.EndpointManagementImpl.deployInt(EndpointManagementImpl.java:132)
        at pl.edu.icm.unity.engine.EndpointManagementImpl.deploy(EndpointManagementImpl.java:101)
        at pl.edu.icm.unity.engine.internal.EngineInitialization.loadEndpointsFromConfiguration(EngineInitialization.java:631)
        at pl.edu.icm.unity.engine.internal.EngineInitialization.initializeEndpoints(EngineInitialization.java:579)
        at pl.edu.icm.unity.engine.internal.EngineInitialization.initializeDatabaseContents(EngineInitialization.java:282)
        at pl.edu.icm.unity.engine.internal.EngineInitialization.start(EngineInitialization.java:181)
        at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:173)
        at org.springframework.context.support.DefaultLifecycleProcessor.access$200(DefaultLifecycleProcessor.java:51)
        at org.springframework.context.support.DefaultLifecycleProcessor$LifecycleGroup.start(DefaultLifecycleProcessor.java:346)
        at org.springframework.context.support.DefaultLifecycleProcessor.startBeans(DefaultLifecycleProcessor.java:149)
        at org.springframework.context.support.DefaultLifecycleProcessor.onRefresh(DefaultLifecycleProcessor.java:112)
        at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:773)
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:485)
        at pl.edu.icm.unity.server.UnityApplication.run(UnityApplication.java:50)
        at pl.edu.icm.unity.server.UnityApplication.main(UnityApplication.java:58)
Caused by: pl.edu.icm.unity.exceptions.WrongArgumentException: The authenticator of type web-vaadin7 is not supported by the binding. Supported are: [webservice-cxf2]
        at pl.edu.icm.unity.engine.EndpointManagementImpl.verifyAuthenticators(EndpointManagementImpl.java:147)
        at pl.edu.icm.unity.engine.EndpointManagementImpl.deployInt(EndpointManagementImpl.java:120)
        ... 14 more

Is there any mistake in configuration?

Thanks in advance!

Best regards,
Atul
From: Krzysztof B. <go...@ic...> - 2014-07-30 11:13:59

Dear All,

For the first time in the short life of Unity a revision (bugfix only) release is issued. The release fixes one quite important regression introduced in 1.3.0: the registration forms attached to the remote authentication pipeline were never invoked. Also a couple of less important bugs were fixed. The documentation was updated with a simplified update procedure for the revision releases.

Details and download link are in the usual location: http://www.unity-idm.eu/site/downloads

Best regards,
Krzysztof
From: Krzysztof B. <go...@ic...> - 2014-07-17 14:13:14

Dear All,

Release 1.3.0 is ready. It features a great amount of new features. Before upgrading be sure to review the update documentation: the upgrade process was simplified but caution is still needed. For those using snapshot builds of 1.3.0 the automatic update does not work. In such a case export to JSON and import to a clean database is required.

Details and download link are in the usual location: http://www.unity-idm.eu/site/downloads

The most important changes:

-) A new endpoint supporting the SAML ECP protocol was added. The endpoint allows for using Unity to bootstrap the ECP login (i.e. Unity is an SP).
-) A new RESTful endpoint was added, allowing to query the Unity database in a simple way.
-) OAuth2 and OpenID Connect remote authentication is possible now. Tested with Google, Microsoft Live and Facebook providers.
-) Translation profiles were greatly enhanced and improved. There are two kinds of translation profiles now: input and output. The input profiles have the same purpose as the former translation profiles, but the actions were refactored so their creation is much simpler, intuitive and at the same time much more flexible. The output profiles are a new concept, allowing to dynamically change the data which is returned via the IdP endpoints. The new functionality of translation profiles allows for creating ad-hoc identities and attributes with complex contents. What is also very important, the documentation was greatly improved, contains many examples and the Admin UI offers greater help during editing.
-) It is possible to configure the remote SAML authenticator with SAML metadata, which allows to set its trust in a simple way. It is also possible to use metadata of several federations and to override some of the automatically imported ones manually.
-) Unity was updated to use the latest web framework release, which should improve the login experience a lot:
  --) page address doesn't change on the authentication screen,
  --) remote authentication has no lag after returning to Unity,
  --) rare hangs of the remote authentication were eliminated.
-) There is a number of smaller Admin UI improvements:
  --) simple identities search
  --) it is possible to see source IdP, profile and timestamps of identities and attributes obtained remotely.
  --) it is possible to remove many rows of tables at once.
-) Registration forms can be configured to be automatically accepted when custom conditions are fulfilled.
-) The dynamic, automatically created identities framework was refactored, fixing several bugs. Additionally it is possible to inspect automatically created identities in the Admin UI and even to manually clean them.
-) There is a new JWT authentication method, useful for keeping login sessions for the RESTful interface.

Best regards,
Krzysztof
From: Krzysztof B. <k.b...@ic...> - 2014-04-16 11:35:31
Dear All,

Release 1.2.0 was delayed, but finally it is available. It features a great amount of bugfixes and a couple of new features. The most important changes:
* MySQL support is fixed.
* The login sessions support is complete (the previous versions had this pretty limited). This allowed for introducing a couple of new features and will allow for more in the future. In particular:
** The standard and popular targeted transient and persistent identity types are available and can be used with SAML endpoints.
** A new concept of authentication realm allows for configuring the login settings of several endpoints once, at the same time enabling cross-endpoint single sign-on and logout.
** Login sessions are shared between redundant instances of Unity.
** It is possible to turn on a 'remember me' authentication feature.
* An interface to edit message templates was added. Message templates are now typed and can be used only if matching.
* Translation profiles can be edited with a new GUI of the Admin UI. It is much easier than the JSON file editing.
* A new identity type was added to cover an opaque identifier, typically imported from an external IdP.

Further details and download link are in the usual location: http://www.unity-idm.eu/site/downloads

Best regards,
Krzysztof
From: Krzysztof B. <go...@ic...> - 2014-02-17 13:24:18
Dear All,

The version 1.1.0 of Unity was just released. The release 1.1.0 brings a lot of improvements over 1.0.0, making it more production ready. The main theme of the release is SAML support. The most important changes:
* A new remote authentication option was added: SAML 2 with support for both HTTP Redirect and POST bindings. When using this authenticator Unity acts as a SAML Service Provider.
* The SAML IdP endpoint now supports the SAML HTTP Redirect binding alongside the previously supported POST binding.
* Both the SAML Service Provider (of each configured remote SAML authenticator) and the SAML IdP (of each deployed endpoint) can generate and publish SAML Metadata. Also publication and signing of custom SAML Metadata is possible.
* A number of components were added to the Web Admin UI, which allow administrators to inspect the details of deployed endpoints, authenticators and translation profiles. It is also possible to reload all of them without restarting the server, which is useful after configuration changes.
* A centralized PKI management was introduced. Credentials, certificates and truststores are configured in a single place. All relying Unity components are configured with a reference to the required PKI artifact only.

The 1.1.0 release was extensively and successfully tested against Shibboleth SP, Shibboleth IdP and SimpleSAMLphp acting both as SP or IdP for Unity. A detailed changelog and download links can be found here: http://www.unity-idm.eu/site/downloads

Best regards,
Krzysztof
From: Krzysztof B. <go...@ic...> - 2014-01-27 14:11:28
Hi Shiraz,

Nice to hear from you & LSDMA!

On 27.01.2014 13:47, Shiraz Memon wrote:
> Hi Krzysztof,
>
> Last week we had a workshop dedicated to AAI & IdM (as a part of the LSDMA project). Whereby Unity appears to be quite important and going to play a key role in the project. There were some initial but interesting questions by meeting participants, though:
>
> Querying User's Attributes:
> i) Can one query a user's group information from unity "without" Web interface?

Yes. It is possible with the SAML SOAP endpoint. The SAML Attribute Query protocol allows you to query for regular attributes, but additionally Unity can be configured (and by default is) to provide an additional dynamic attribute with the subject's group information. Unity allows for both self (what are my attributes?) and 3rd party (what are the attributes of X?) queries, subject to the site's authZ policy (see below). In the future another, RESTful endpoint is also planned, which can be considered a more lightweight - but not standards compliant - alternative. However this is not yet scheduled so any requirements are welcome.

> ii) Is it only the user who can query the group information about herself or any user holding specific (privileged) role, should be allowed to do that?

This is up to the site's policy of course, but yes - you have a role (or actually several roles: Inspector, Contents Manager and System Manager) which can be assigned to users so they can read the information about other users. This applies to any access means - web interface, SAML or anything that will be available in the future. What is more, authZ in Unity is configured per-group, so you can provide those additional privileges to selected users only in a subset of the Unity tree. However for listing all groups this makes not much sense as the information is global by definition (*all* groups).

> iii) In addition to that, what authentication (pki, username/password) as well as saml protocol (ECP, SOAP,... etc) will be used to perform such operation?

So you knew it will be SAML ;-) You can use any protocol supported by Unity. Currently as noted above you have one non-web option: SAML with SOAP binding. Protocol: SAML Attribute Query protocol. You can also use the SAML Authentication Protocol, but this is limited to self queries. Authentication: as configured per endpoint. Currently user name & password via HTTP Basic and/or client-authenticated TLS are implemented. Supporting others (such as username & password via WS-Security Username Token) can be added almost immediately if needed - this is trivial in Unity.

> Support for external/upstream SAML IdPs: I am aware of the fact that the support for external IdPs is imminent in the next release, which is 1.1.0. Is there a tentative timeline we can anticipate?

2nd half of February. Currently this is nearly finished (e.g. all interop tests with Shib IdP are already passed), but also SAML Metadata support is planned and must be implemented.

> Group management: Are the ordinary members of a group (beside administrator) allowed to create sub-groups within?

Here the answer is no, currently. I.e. one needs at least the Contents Manager role to create a group. You can assign this role for a user in a particular group, which probably won't be enough for your use case, as such a role also allows for many other management actions in the group. I guess that this question is related to self-managed team work, where ordinary users can create their 'own' group, become its administrator, invite coworkers, (maybe even assign attributes in the group) and relying services can use this information? If so, this is already designed in detail for Unity, but not yet implemented. The self-managed group API is even defined and its implementation will be pretty simple. The bigger issue is the UI part. A pure 'create a group' UI is trivial, but for such a feature we will also need flexible invitation/application support, simplified group management etc. etc. Of course collaboration on this topic will be appreciated.

Best regards,
Krzysztof
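The non-web query flow Krzysztof describes above (a client sends a SAML 2.0 AttributeQuery over the SOAP binding, authenticating with HTTP Basic credentials, and gets back the subject's attributes, including the dynamic group attribute) as an added Python example. This is illustration code written for this page, not code from the thread or from Unity. The issuer, the user names, the "memberOf" attribute name standing in for Unity's group attribute, and the sample response are all constructed assumptions; the thread does not state Unity's real attribute names or endpoint path. The parser deliberately refuses a response whose status is not Success, whose InResponseTo does not match the query, or whose assertion is about a different subject, since a third-party query is exactly the case where trusting an unchecked assertion would hand a caller someone else's data.

```python
# Added example, not Unity's code: SAML 2.0 AttributeQuery over SOAP, request
# side and a defensive parser for the response. Names and sample data are assumed.
import base64
import datetime
import uuid
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def build_attribute_query(issuer, subject, attr_names, request_id=None, now=None):
    """Return (request_id, SOAP envelope bytes) carrying a samlp:AttributeQuery.
    A self query names the caller's own NameID; a third-party query names another
    user and is answered only if the caller's role permits it under site policy."""
    request_id = request_id or "_" + uuid.uuid4().hex
    now = now or datetime.datetime.now(datetime.timezone.utc)
    env = ET.Element("{%s}Envelope" % NS["soap"])
    body = ET.SubElement(env, "{%s}Body" % NS["soap"])
    query = ET.SubElement(body, "{%s}AttributeQuery" % NS["samlp"], {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(query, "{%s}Issuer" % NS["saml"]).text = issuer
    subj = ET.SubElement(query, "{%s}Subject" % NS["saml"])
    ET.SubElement(subj, "{%s}NameID" % NS["saml"], {"Format": NAMEID_UNSPECIFIED}).text = subject
    for name in attr_names:  # no saml:Attribute children asks for everything policy releases
        ET.SubElement(query, "{%s}Attribute" % NS["saml"], {"Name": name})
    return request_id, ET.tostring(env, encoding="utf-8")


def basic_auth_headers(username, password):
    """HTTP Basic credentials, the user-name/password option named in the reply."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token, "Content-Type": "text/xml; charset=utf-8"}


def parse_attribute_response(soap_bytes, expected_subject, request_id):
    """Return {attribute name: [values]} from a SOAP-wrapped samlp:Response.
    Raises ValueError on a non-Success status, a mismatched InResponseTo, or an
    assertion about another subject. XML signature verification is out of scope
    here and must be added (with a SAML library) before values drive authorization."""
    root = ET.fromstring(soap_bytes)
    resp = root.find("soap:Body/samlp:Response", NS)
    if resp is None:
        raise ValueError("no samlp:Response in SOAP body")
    if resp.get("InResponseTo") != request_id:
        raise ValueError("InResponseTo does not match the request we sent")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise ValueError("query not successful: %s" % (code.get("Value") if code is not None else "no status"))
    attrs = {}
    for assertion in resp.findall("saml:Assertion", NS):
        name_id = assertion.findtext("saml:Subject/saml:NameID", None, NS)
        if name_id != expected_subject:
            raise ValueError("assertion is about %r, not %r" % (name_id, expected_subject))
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
            attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


# Constructed sample response (not captured from a real server). "memberOf" stands in
# for the dynamic group attribute; group paths are illustrative.
SAMPLE_RESPONSE = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Body>
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="_r1" Version="2.0" IssueInstant="2014-01-27T12:00:00Z" InResponseTo="_q1">
   <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
   <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-01-27T12:00:00Z">
    <saml:Issuer>https://unity.example.org</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
     <saml:Attribute Name="memberOf">
      <saml:AttributeValue>/</saml:AttributeValue>
      <saml:AttributeValue>/lsdma</saml:AttributeValue>
     </saml:Attribute>
     <saml:Attribute Name="email"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
   </saml:Assertion>
  </samlp:Response>
 </soap:Body>
</soap:Envelope>"""


if __name__ == "__main__":
    rid, envelope = build_attribute_query("https://client.example.org", "alice", ["memberOf", "email"], request_id="_q1")
    print(envelope.decode("utf-8"))  # this body is what gets POSTed to the SOAP endpoint
    print(parse_attribute_response(SAMPLE_RESPONSE, "alice", rid))
```

In use, the envelope from build_attribute_query is POSTed to the endpoint's SOAP URL with the headers from basic_auth_headers (or over a client-authenticated TLS connection, the other option named in the reply), and the body that comes back goes through parse_attribute_response with the same request ID and subject. The subject check is what keeps a third-party query honest: if the server answered about a different user, or a proxy replayed an older response, the caller learns nothing instead of silently acting on the wrong person's groups.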
From: Shiraz M. <a....@fz...> - 2014-01-27 12:47:37
Hi Krzysztof,

Last week we had a workshop dedicated to AAI & IdM (as a part of the LSDMA project). Whereby Unity appears to be quite important and going to play a key role in the project. There were some initial but interesting questions by meeting participants, though:

Querying User's Attributes:
i) Can one query a user's group information from unity "without" Web interface?
ii) Is it only the user who can query the group information about herself or any user holding specific (privileged) role, should be allowed to do that?
iii) In addition to that, what authentication (pki, username/password) as well as saml protocol (ECP, SOAP,... etc) will be used to perform such operation?

Support for external/upstream SAML IdPs: I am aware of the fact that the support for external IdPs is imminent in the next release, which is 1.1.0. Is there a tentative timeline we can anticipate?

Group management: Are the ordinary members of a group (beside administrator) allowed to create sub-groups within?

Thanks in advance,
Shiraz

--
Ahmed Shiraz Memon
Federated Systems and Data
Jülich Supercomputing Centre (JSC)
Phone: +49 2461 61 6899
Fax: +49 2461 61 6656

Forschungszentrum Juelich GmbH, 52425 Juelich
Registered office: Juelich. Registered in the commercial register of the Amtsgericht Dueren, No. HR B 3498. Chairman of the Supervisory Board: MinDir Dr. Karl Eugen Huthmacher. Management Board: Prof. Dr. Achim Bachem (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt
From: Krzysztof B. <go...@ic...> - 2014-01-22 15:00:09
Dear All,

The first stable version of Unity - 1.0.0 - was released yesterday. You can find details here: http://www.unity-idm.eu/site/downloads

The changes since 1.0.0-rc2 were really cosmetic. The work on 1.1.0 is pretty advanced already. In the first place it should have a much more complete SAML support but also several other features will be added.

Best regards,
Krzysztof