From: Krzysztof B. <kb...@un...> - 2024-01-02 10:29:09

Hi Sander,

On 21.12.2023 at 14:23, Sander Apweiler wrote:
> Hi Bernd,
> in this case I got missing HTTP Basic Auth Header errors.

I just noticed that we miss one important aspect of authN in case of accessing SCIM with OAuth token in the docs: as it was requested, access using the OAuth token also requires client's authN. I.e. you need to provide 2 authorizations: both client's credential and the token. Naturally we can develop a simpler variant (configurable on the endpoint) but as of now this is the only option. We will improve the docs.

So in order to authenticate you need to provide both Basic authN header (with OAuth client's credentials, the same as were used to obtain access token) and Bearer header with the OAuth access token.

Hope that helps, and happy new year!
Krzysztof

From: Sander A. <sa....@fz...> - 2023-12-21 13:24:32

Hi Bernd,
in this case I got missing HTTP Basic Auth Header errors.

Best regards,
Sander

On Thu, 2023-12-21 at 14:19 +0100, Bernd Schuller wrote:
> hi,
>
> I'm pretty sure that should be
>
> -H "Authorization: Bearer $TOKEN"
>
> best regards,
> Bernd
>
> On 12/21/23 13:44, Sander Apweiler wrote:
> > Hi Krzysztof,
> > I created a new authenticator (OAuth 2 verifying local tokens) and added the scopes oidc profile email entitlements sys:scim:read_profile sys:scim:read_membership. I added this authenticator to the SCIM API as well.
> >
> > I generated an OIDC token using the oidc-agent and the same scopes. But using curl https://login-dev.helmholtz.de/scim/Me -H "Authorization: Basic $TOKEN", I got Bad Request and unity logs have a null pointer exception (stacktrace is attached). Did I forget to add some configuration in addition? Using username/password on the SCIM API works.
> >
> > Best regards,
> > Sander
> >
> > On Wed, 2023-12-20 at 12:56 +0100, Krzysztof Benedyczak wrote:
> > > Hi Sander,
> > >
> > > On 20.12.2023 at 08:41, Sander Apweiler wrote:
> > > > Good morning,
> > > > while reading the manual once again, I found the error in our schema file. It works fine.
> > >
> > > good to hear that
> > >
> > > > Since only the administrators have username/password, we want to enable Oauth tokens for the SCIM API. Do we need to create an authenticator which is using unity itself for validating the tokens?
> > >
> > > Yes. It is not strictly required, but most likely this is what you want.
> > >
> > > Do not forget about granting proper authZ with OAuth scopes (as described in manual).
> > >
> > > Best,
> > > Krzysztof
> >
> > _______________________________________________
> > Unity-idm-discuss mailing list
> > Uni...@li...
> > https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss

-- 
Large-Scale Data Science
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the local court (Amtsgericht) of Dueren, No. HR B 3498
Chairman of the Supervisory Board: MinDir Stefan Müller
Board of Directors: Prof. Dr. Astrid Lambrecht (Chair), Karsten Beneke (Vice Chair), Dr. Ir. Pieter Jansens
-----------------------------------------------------------------------

From: Bernd S. <b.s...@fz...> - 2023-12-21 13:19:56

hi,

I'm pretty sure that should be

-H "Authorization: Bearer $TOKEN"

best regards,
Bernd

On 12/21/23 13:44, Sander Apweiler wrote:
> Hi Krzysztof,
> I created a new authenticator (OAuth 2 verifying local tokens) and added the scopes oidc profile email entitlements sys:scim:read_profile sys:scim:read_membership. I added this authenticator to the SCIM API as well.
>
> I generated an OIDC token using the oidc-agent and the same scopes. But using curl https://login-dev.helmholtz.de/scim/Me -H "Authorization: Basic $TOKEN", I got Bad Request and unity logs have a null pointer exception (stacktrace is attached). Did I forget to add some configuration in addition? Using username/password on the SCIM API works.
>
> Best regards,
> Sander
>
> On Wed, 2023-12-20 at 12:56 +0100, Krzysztof Benedyczak wrote:
>> Hi Sander,
>>
>> On 20.12.2023 at 08:41, Sander Apweiler wrote:
>>> Good morning,
>>> while reading the manual once again, I found the error in our schema file. It works fine.
>>
>> good to hear that
>>
>>> Since only the administrators have username/password, we want to enable Oauth tokens for the SCIM API. Do we need to create an authenticator which is using unity itself for validating the tokens?
>>
>> Yes. It is not strictly required, but most likely this is what you want.
>>
>> Do not forget about granting proper authZ with OAuth scopes (as described in manual).
>>
>> Best,
>> Krzysztof

-- 
Dr. Bernd Schuller
Large Scale Data Science, Juelich Supercomputing Centre
https://www.fz-juelich.de/ias/jsc/EN/Home/home_node.html
Phone: +49 246161-8736 (fax -8556)

From: Sander A. <sa....@fz...> - 2023-12-21 12:44:59

Hi Krzysztof,
I created a new authenticator (OAuth 2 verifying local tokens) and added the scopes oidc profile email entitlements sys:scim:read_profile sys:scim:read_membership. I added this authenticator to the SCIM API as well.

I generated an OIDC token using the oidc-agent and the same scopes. But using curl https://login-dev.helmholtz.de/scim/Me -H "Authorization: Basic $TOKEN", I got Bad Request and unity logs have a null pointer exception (stacktrace is attached). Did I forget to add some configuration in addition? Using username/password on the SCIM API works.

Best regards,
Sander

On Wed, 2023-12-20 at 12:56 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 20.12.2023 at 08:41, Sander Apweiler wrote:
> > Good morning,
> > while reading the manual once again, I found the error in our schema file. It works fine.
>
> good to hear that
>
> > Since only the administrators have username/password, we want to enable Oauth tokens for the SCIM API. Do we need to create an authenticator which is using unity itself for validating the tokens?
>
> Yes. It is not strictly required, but most likely this is what you want.
>
> Do not forget about granting proper authZ with OAuth scopes (as described in manual).
>
> Best,
> Krzysztof

From: Krzysztof B. <kb...@un...> - 2023-12-21 10:21:08

Dear Subscribers,

I'm happy to announce that we have managed to ship yet another feature increment of Unity before X-mas. The 3.15.0 release is focusing on improving functionality of UpMan – Unity projects management feature. Two notable enhancements are shipped:

* Possibility to bind policy documents to project. Policy documents are auto-added to project join forms.
* Significant update and enhancements of the initial version of the REST API to manage projects. API client can now manage forms used by the project. Forms content is subject to constraints ensuring that registered users can not escalate their permissions outside of the project. What is more, management of project policy documents over the API is also possible.

All details, links to change log, downloads and documentation are available from: https://unity-idm.eu/releases/release-3-15-0/

As previously announced we hope to deliver the 4.0.0 release in Q1 next year. At this point there are no plans of subsequent 3.x feature releases.

Best regards,
Krzysztof

From: Krzysztof B. <kb...@un...> - 2023-12-20 11:57:08

Hi Sander,

On 20.12.2023 at 08:41, Sander Apweiler wrote:
> Good morning,
> while reading the manual once again, I found the error in our schema file. It works fine.

good to hear that

> Since only the administrators have username/password, we want to enable Oauth tokens for the SCIM API. Do we need to create an authenticator which is using unity itself for validating the tokens?

Yes. It is not strictly required, but most likely this is what you want.

Do not forget about granting proper authZ with OAuth scopes (as described in manual).

Best,
Krzysztof

From: Sander A. <sa....@fz...> - 2023-12-20 07:41:25

Good morning,
while reading the manual once again, I found the error in our schema file. It works fine.

Since only the administrators have username/password, we want to enable Oauth tokens for the SCIM API. Do we need to create an authenticator which is using unity itself for validating the tokens?

Best regards,
Sander

On Tue, 2023-12-19 at 14:40 +0100, Sander Apweiler wrote:
> Hi Krzysztof,
> hi Roman,
>
> we spent some additional time to set up the SCIM API. While creating the common User schema, we found an issue. For the multi-valued attribute "entitlements" unity releases the correct number of values, but it only repeats the first one. Is there an error in our schema definition or is this a bug?
>
> I added the schema and a screenshot of the attribute values. The shortened output is:
>
> {"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"id":"89b91130-8a11-4cef-9f51-ff5308fd8261","meta":{"resourceType":"User","created":"2018-02-27T14:09:50Z","lastModified":"2018-02-27T14:09:50Z","location":"https://login-dev.helmholtz.de/scim/Users/89b91130-8a11-4cef-9f51-ff5308fd8261"},"urn:ietf:params:scim:schemas:core:2.0:User":{...,"entitlements":[{"value":"urn:geant:helmholtz.de:group:demoVO#login-dev.helmholtz.de"},{"value":"urn:geant:helmholtz.de:group:demoVO#login-dev.helmholtz.de"},{"value":"urn:geant:helmholtz.de:group:demoVO#login-dev.helmholtz.de"}]
> }}
>
> Best regards,
> Sander

From: Sander A. <sa....@fz...> - 2023-12-19 13:40:24

Hi Krzysztof,
hi Roman,

we spent some additional time to set up the SCIM API. While creating the common User schema, we found an issue. For the multi-valued attribute "entitlements" unity releases the correct number of values, but it only repeats the first one. Is there an error in our schema definition or is this a bug?

I added the schema and a screenshot of the attribute values. The shortened output is:

{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"id":"89b91130-8a11-4cef-9f51-ff5308fd8261","meta":{"resourceType":"User","created":"2018-02-27T14:09:50Z","lastModified":"2018-02-27T14:09:50Z","location":"https://login-dev.helmholtz.de/scim/Users/89b91130-8a11-4cef-9f51-ff5308fd8261"},"urn:ietf:params:scim:schemas:core:2.0:User":{...,"entitlements":[{"value":"urn:geant:helmholtz.de:group:demoVO#login-dev.helmholtz.de"},{"value":"urn:geant:helmholtz.de:group:demoVO#login-dev.helmholtz.de"},{"value":"urn:geant:helmholtz.de:group:demoVO#login-dev.helmholtz.de"}]
}}

Best regards,
Sander

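An added example (not part of the thread and not Unity code): a check that walks a SCIM resource and flags multi-valued attributes whose values repeat, the symptom reported above for entitlements. The sample response is constructed from the shortened output in the message; the emails attribute and the function names are assumptions made for the example.

```python
import json

# Constructed sample modelled on the shortened /scim/Users output quoted in the
# message above. "emails" is an added control attribute with distinct values.
SAMPLE_RESPONSE = """
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "89b91130-8a11-4cef-9f51-ff5308fd8261",
  "urn:ietf:params:scim:schemas:core:2.0:User": {
    "emails": [{"value": "first@example.org"}, {"value": "second@example.org"}],
    "entitlements": [
      {"value": "urn:geant:helmholtz.de:group:demoVO#login-dev.helmholtz.de"},
      {"value": "urn:geant:helmholtz.de:group:demoVO#login-dev.helmholtz.de"},
      {"value": "urn:geant:helmholtz.de:group:demoVO#login-dev.helmholtz.de"}
    ]
  }
}
"""


def canonical(value):
    """Serialise a JSON value so that equal values compare equal as strings."""
    return json.dumps(value, sort_keys=True, separators=(",", ":"))


def find_repeated_values(node, path=""):
    """Return one finding per array that holds the same value more than once.

    Entitlements feed authorization decisions downstream, so an array that has
    the right length but repeated content silently drops the other values.
    """
    findings = []
    if isinstance(node, dict):
        for key, child in node.items():
            findings.extend(find_repeated_values(child, f"{path}/{key}"))
    elif isinstance(node, list):
        if len(node) > 1:
            distinct = {canonical(item) for item in node}
            if len(distinct) < len(node):
                findings.append({
                    "path": path,
                    "total": len(node),
                    "distinct": len(distinct),
                    "all_identical": len(distinct) == 1,
                })
        # Complex values may themselves contain arrays (sub-attributes).
        for index, item in enumerate(node):
            if isinstance(item, (dict, list)):
                findings.extend(find_repeated_values(item, f"{path}[{index}]"))
    return findings


def check_sample():
    """Run the check over the constructed sample response."""
    return find_repeated_values(json.loads(SAMPLE_RESPONSE))


if __name__ == "__main__":
    for finding in check_sample():
        kind = "all values identical" if finding["all_identical"] else "some values repeated"
        print(f"{finding['path']}: {finding['total']} values, "
              f"{finding['distinct']} distinct ({kind})")
```
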
From: Sander A. <sa....@fz...> - 2023-12-14 11:48:56

Hi Krzysztof,
they are empty as well. But I found the reason. In registration forms they use different credential requirements, although neither SAML nor OIDC authentication uses local credentials in the registration form. So I would need to update the default credential requirements in the automation tab and update all OIDC based accounts.

Best regards,
Sander

On Thu, 2023-12-14 at 09:22 +0100, Krzysztof Benedyczak wrote:
> On 14.12.2023 at 09:20, Sander Apweiler wrote:
> > Hi Krzysztof,
> > no I'm not in the same entity ID, but I do not want to be in the same one. The first one was autogenerated via OIDC authN at ORCID and the second one via SAML authN at FZJ. But the problem is, that I see the local credentials (esp. OTP) only in the second one.
>
> OK, but can you double check, if for the entity that signed via OIDC you have those local credentials set (i.e. find that entity in console and list credentials)?

From: Krzysztof B. <kb...@un...> - 2023-12-14 08:23:05

On 14.12.2023 at 09:20, Sander Apweiler wrote:
> Hi Krzysztof,
> no I'm not in the same entity ID, but I do not want to be in the same one. The first one was autogenerated via OIDC authN at ORCID and the second one via SAML authN at FZJ. But the problem is, that I see the local credentials (esp. OTP) only in the second one.

OK, but can you double check, if for the entity that signed via OIDC you have those local credentials set (i.e. find that entity in console and list credentials)?

From: Sander A. <sa....@fz...> - 2023-12-14 08:21:00

Hi Krzysztof,
no I'm not in the same entity ID, but I do not want to be in the same one. The first one was autogenerated via OIDC authN at ORCID and the second one via SAML authN at FZJ. But the problem is, that I see the local credentials (esp. OTP) only in the second one.

Best regards,
Sander

On Thu, 2023-12-14 at 09:17 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 13.12.2023 at 16:33, Sander Apweiler wrote:
> > Hi Krzysztof,
> > hi Roman,
> > we found an issue which looks like a bug. We set up MFA, using OTP, some time ago and most of the time it works well. But now a user reported a problem we do not understand. When we sign into the home endpoint using OIDC (tested with Google and ORCID), the local credentials are not shown (see first screenshot). If we sign in using SAML, the local credentials are shown. The logs do not show any error.
>
> From the provided screenshots I can't tell one thing. Are you 100% sure that in both cases you have signed as the same Unity entity? This looks like in the OIDC case you are signing into some (e.g. autocreated) other entity which simply has no local creds.
>
> Best,
> Krzysztof

From: Krzysztof B. <kb...@un...> - 2023-12-14 08:17:43

Hi Sander,

On 13.12.2023 at 16:33, Sander Apweiler wrote:
> Hi Krzysztof,
> hi Roman,
> we found an issue which looks like a bug. We set up MFA, using OTP, some time ago and most of the time it works well. But now a user reported a problem we do not understand. When we sign into the home endpoint using OIDC (tested with Google and ORCID), the local credentials are not shown (see first screenshot). If we sign in using SAML, the local credentials are shown. The logs do not show any error.

From the provided screenshots I can't tell one thing. Are you 100% sure that in both cases you have signed as the same Unity entity? This looks like in the OIDC case you are signing into some (e.g. autocreated) other entity which simply has no local creds.

Best,
Krzysztof

From: Sander A. <sa....@fz...> - 2023-12-13 15:33:36

Hi Krzysztof,
hi Roman,
we found an issue which looks like a bug. We set up MFA, using OTP, some time ago and most of the time it works well. But now a user reported a problem we do not understand. When we sign into the home endpoint using OIDC (tested with Google and ORCID), the local credentials are not shown (see first screenshot). If we sign in using SAML, the local credentials are shown. The logs do not show any error.

Maybe we missed some additional configuration, which I do not remember and do not find in the settings at the moment, or is it a bug? I can reproduce this on another instance as well.

This is our MFA config:

unityServer.core.authenticators.otp.authenticatorName=otp
unityServer.core.authenticators.otp.authenticatorType=otp
unityServer.core.authenticators.otp.localCredential=mfa_otp
unityServer.core.authenticators.otp.configurationFile=${CONF}/authenticators/passwordRetrieval.properties

unityServer.core.authenticationFlow.mfaOptin.authenticationFlowName=mfaOptin
unityServer.core.authenticationFlow.mfaOptin.authenticationFlowPolicy=USER_OPTIN
unityServer.core.authenticationFlow.mfaOptin.firstFactorAuthenticators=samlWeb,oauthWeb
unityServer.core.authenticationFlow.mfaOptin.secondFactorAuthenticators=otp

unityServer.core.authenticationFlow.mfaEnforce.authenticationFlowName=mfaEnforce
unityServer.core.authenticationFlow.mfaEnforce.authenticationFlowPolicy=REQUIRE
unityServer.core.authenticationFlow.mfaEnforce.firstFactorAuthenticators=samlWeb,oauthWeb
unityServer.core.authenticationFlow.mfaEnforce.secondFactorAuthenticators=otp

Best regards,
Sander

From: Krzysztof B. <kb...@un...> - 2023-12-07 09:47:43

Hi Sander,

On 6.12.2023 at 14:50, Sander Apweiler wrote:
> Hello Krzysztof,
> hello Roman,
>
> we found the time to start testing the new feature of adding attributes in additional claims. From reading the manual, we understood that we do not need to change anything in unity itself. But we are not sure in which call the query parameter needs to be added. Is it sufficient in the first call of the authorization URL before doing the authentication? Or is the parameter needed in the code exchange step?

The former, claims_in_tokens shall be added to the initial redirect URL to OAuth IdP.

Best,
Krzysztof

From: Sander A. <sa....@fz...> - 2023-12-06 13:50:21

Hello Krzysztof,
hello Roman,

we found the time to start testing the new feature of adding attributes in additional claims. From reading the manual, we understood that we do not need to change anything in unity itself. But we are not sure in which call the query parameter needs to be added. Is it sufficient in the first call of the authorization URL before doing the authentication? Or is the parameter needed in the code exchange step?

Best regards,
Sander

From: Krzysztof B. <kb...@un...> - 2023-11-24 12:36:01

Dear Subscribers,

A patch release was published, including fixes for the following problems:

* invitation of multiple persons from UpMan
* stability under high loads

More details: https://unity-idm.eu/releases/release-3-14-1/

On top of that we have finalized our short term plans around releases. We plan to ship one more feature release of the current major version 3 (it will be 3.15.0). The next feature release will be 4.0.0 with a refreshed UI built on a modern technology. After release of Unity 4, Unity 3.15 will still receive fixes for bugs found there, however there will be no feature development in the 3.x releases chain.

Best regards,
Krzysztof

From: Krzysztof B. <kb...@un...> - 2023-11-21 09:50:25

Hi Sander,

On 16.11.2023 at 08:50, Sander Apweiler wrote:
> Good morning Krzysztof,
> good morning Roman,
>
> Is there an option that user can review the policies, where they agreed to? I assume I can show the attribute to which policies they agreed but this does not show the policies content. I didn't find anything about this in the manual.

So no, we don't have such functionality. However, the policies (at least the embedded ones) are publicly available. The link is as follows:

https://HOST/unitygw/pub/policyDocuments/POLICY-ID

Maybe it can help with your use case. Otherwise we would need to add that. In general generating list of such links is simple.

Best,
Krzysztof

From: Sander A. <sa....@fz...> - 2023-11-16 07:50:36

Good morning Krzysztof,
good morning Roman,

Is there an option that user can review the policies, where they agreed to? I assume I can show the attribute to which policies they agreed but this does not show the policies content. I didn't find anything about this in the manual.

Best regards,
Sander

From: Roman K. <ro...@un...> - 2023-11-13 13:03:46

Hey Sander,

Sorry to be long in my reply, and thank you for your suggestion. I'll open a ticket to enhance the current merging view.

Kind regards,
Roman

Fri, 3 Nov 2023 at 12:10 Sander Apweiler <sa....@fz...> wrote:
> Dear Krzysztof,
> If you want to merge two accounts of a user you see just the names of the user. It would be very helpful, if the entity ID is shown too.
>
> Best regards,
> Sander

From: Sander A. <sa....@fz...> - 2023-11-03 11:10:28

Dear Krzysztof,
If you want to merge two accounts of a user you see just the names of the user. It would be very helpful, if the entity ID is shown too.

Best regards,
Sander

From: Krzysztof B. <kb...@un...> - 2023-10-27 07:17:13

Hi Sander,

On 27.10.2023 at 07:14, Sander Apweiler wrote:
> Hello Krzysztof,
> hello Roman,
>
> one of our connected clients is using Ceph as storage backend and it requires the certificate which was used to sign the token. According to https://openid.net/specs/openid-connect-discovery-1_0-21.html#ProviderMetadata and https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.6 certificates can be added as optional x5c attribute.
> Since I didn't find anything in the manual and nothing in the endpoint configuration, I assume it is not (yet) possible. Can you correct me if I'm wrong or give your thoughts about a possible extension?

Yes, Unity only puts bare keys in oidc metadata.

Yes, enhancement to also add a full certificate looks fine.

Best,
Krzysztof

From: Krzysztof B. <kb...@un...> - 2023-10-27 06:56:44

Hi Sander,

On 19.10.2023 at 10:12, Sander Apweiler wrote:
> Hi Krzysztof, hi Roman,
> we are preparing another instance of unity where we have the user login via LDAP. In the LDAP service is a tree which contains the username, password and an id. The other user information is stored in another LDAP tree identified by the id from the first one. Is there any possibility to fetch this information at the login? According to the manual the ldap.additionalSearch is only working with the username, which is not present in the second tree.

Unfortunately that can not be achieved. Unity would need to authenticate user as a local user first, extract attribute or identity of this user holding LDAP id (assumption: LDAP id goes to an attribute or identity in Unity) and then perform another query with that attribute being the key. That is impossible right now.

> Do we have the possibility to inject the information in other ways? We would also have access to an API to request the information. But I assume that unity can not call the API and work with the response.

Natively in Unity it would be pretty hard. I guess the only way is to develop a custom enhancement groovy script, but it would be pretty involving and would require bigger maintenance work when upgrading Unity.

Maybe it is possible to create some consolidating LDAP proxy service?

Best,
Krzysztof

From: Sander A. <sa....@fz...> - 2023-10-27 05:14:57

Hello Krzysztof,
hello Roman,

one of our connected clients is using Ceph as storage backend and it requires the certificate which was used to sign the token. According to https://openid.net/specs/openid-connect-discovery-1_0-21.html#ProviderMetadata and https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.6 certificates can be added as optional x5c attribute.
Since I didn't find anything in the manual and nothing in the endpoint configuration, I assume it is not (yet) possible. Can you correct me if I'm wrong or give your thoughts about a possible extension?

Best regards,
Sander

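An added example (not from the thread and not Unity or Ceph code): a standard-library check of a JWKS document that reports, per key, whether x5c is present and whether each entry is standard base64 over a DER SEQUENCE, the encoding RFC 7515 section 4.1.6 prescribes. The sample JWKS, key ids and DER blobs are constructed placeholders, not real keys or certificates, and the function names are assumptions.

```python
import base64
import binascii


def looks_like_der_sequence(blob):
    """Shallow structural check: one DER SEQUENCE whose length field matches.

    This does not parse or validate the certificate; it only catches values
    that cannot be a DER-encoded certificate at all.
    """
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long-form length
        count = first & 0x7F
        if count == 0 or count > 4 or len(blob) < 2 + count:
            return False
        header, length = 2 + count, int.from_bytes(blob[2:2 + count], "big")
    return header + length == len(blob)


def audit_jwks(jwks):
    """Return one report entry per key: kid, x5c presence, encoding problems."""
    report = []
    for key in jwks.get("keys", []):
        entry = {"kid": key.get("kid"), "x5c": "absent", "problems": []}
        if "x5c" in key:
            entry["x5c"] = "present"
            chain = key["x5c"]
            if not isinstance(chain, list) or not chain:
                entry["problems"].append("x5c must be a non-empty array")
                chain = []
            for index, cert in enumerate(chain):
                try:
                    # x5c uses standard base64, not the base64url used by the
                    # other JWK members, so reject the URL-safe alphabet and
                    # missing padding.
                    der = base64.b64decode(cert, validate=True)
                except (binascii.Error, ValueError, TypeError):
                    entry["problems"].append(f"x5c[{index}] is not standard base64")
                    continue
                if not looks_like_der_sequence(der):
                    entry["problems"].append(f"x5c[{index}] is not a DER SEQUENCE")
        report.append(entry)
    return report


def build_sample_jwks():
    """Constructed JWKS: a bare key, a key with x5c, a key with a bad x5c."""
    fake_der = bytes([0x30, 0x03, 0x02, 0x01, 0x01])   # placeholder, not a cert
    url_safe = base64.urlsafe_b64encode(
        bytes([0x30, 0x03, 0xFB, 0xFF, 0xFF])).decode().rstrip("=")
    return {"keys": [
        {"kty": "RSA", "kid": "bare-key", "n": "constructed", "e": "AQAB"},
        {"kty": "RSA", "kid": "with-x5c", "n": "constructed", "e": "AQAB",
         "x5c": [base64.b64encode(fake_der).decode()]},
        {"kty": "RSA", "kid": "urlsafe-x5c", "n": "constructed", "e": "AQAB",
         "x5c": [url_safe]},
    ]}


if __name__ == "__main__":
    for entry in audit_jwks(build_sample_jwks()):
        status = "; ".join(entry["problems"]) or "ok"
        print(f"{entry['kid']}: x5c {entry['x5c']} ({status})")
```
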
From: Sander A. <sa....@fz...> - 2023-10-19 08:12:57
|
Hi Krzysztof, hi Roman,

we are preparing another instance of unity where we have the user login via LDAP. In the LDAP service is a tree which contains the username, password and an id. The other user information is stored in another LDAP tree identified by the id from the first one. Is there any possibility to fetch this information at the login? According to the manual the ldap.additionalSearch is only working with the username, which is not present in the second tree.

Do we have the possibility to inject the information in other ways? We would also have access to an API to request the information. But I assume that unity can not call the API and work with the response.

Best regards,
Sander

--
Large-Scale Data Science
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
From: Hämmerle, F. <fel...@tu...> - 2023-10-18 15:09:40
|
Hello Roman,

thanks for your answer. The best way to get the needed configuration lines is to configure the authenticators, translation profiles, endpoints and so on in the GUI and after that export the system configuration from the database. All the needed configuration lines can then be copied with copy/paste to the configuration files on the server.

That’s really handy; unfortunately this is not mentioned in the manual, would have saved me some time 😉.

Kind regards
Felix

--
Felix Hämmerle
University of Technology Graz
IT Services
Steyrergasse 30/1, 8010 Graz, Austria - Europe
Phone: +43 316 873 6893
Email: fel...@tu...

From: Roman Krysiński <ro...@un...>
Sent: Wednesday, 18 October 2023 11:22
To: Hämmerle, Felix <fel...@tu...>
Cc: uni...@li...
Subject: Re: [Unity-idm-discuss] Generate translation profiles

Hello Felix,

In order to load the translation profile, please use the unityServer.core.translationProfiles configuration option in the unityServer.conf file. You can see an example in our repo: https://github.com/unity-idm/unity/blob/dev/integration-tests/src/test/resources/unityServer.conf

Kind regards,
Roman

Mon, 16 Oct 2023 at 18:50, Hämmerle, Felix via Unity-idm-discuss <uni...@li...> wrote:

Hi,

I am trying to do a deployment per configuration scripts, the authenticator is working but how can the remote data profile (in json format as in /conf/samples) be loaded? Is there an identical way to load released data profiles, too?

Kind regards
Felix

--
Felix Hämmerle
University of Technology Graz
IT Services
Steyrergasse 30/1, 8010 Graz, Austria
Phone: +43 316 873 6893
Email: fel...@tu...