From: Roman K. <ro...@un...> - 2023-10-18 09:22:02

Hello Felix,

In order to load the translation profile, please use the unityServer.core.translationProfiles configuration option in the unityServer.conf file. You can see an example in our repo:
https://github.com/unity-idm/unity/blob/dev/integration-tests/src/test/resources/unityServer.conf

Kind regards,
Roman

On Mon, 16 Oct 2023 at 18:50, Hämmerle, Felix via Unity-idm-discuss <uni...@li...> wrote:

> Hi,
>
> I am trying to do a deployment per configuration scripts, authenticator is working but how can the remote data profile (in json format as in /conf/samples) be loaded?
>
> Is there an identical way to load released data profiles, too?
>
> Kind regards
>
> Felix
>
> --
> Felix Hämmerle
> Technische Universität Graz
> Zentraler Informatikdienst
> Steyrergasse 30/1, 8010 Graz, Austria
> Tel.: +43 316 873 6893
> E-Mail: fel...@tu...
>
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss

From: Hämmerle, F. <fel...@tu...> - 2023-10-16 16:50:11

Hi,

I am trying to do a deployment per configuration scripts, authenticator is working but how can the remote data profile (in json format as in /conf/samples) be loaded?

Is there an identical way to load released data profiles, too?

Kind regards

Felix

--
Felix Hämmerle
Technische Universität Graz
Zentraler Informatikdienst
Steyrergasse 30/1, 8010 Graz, Austria
Tel.: +43 316 873 6893
E-Mail: fel...@tu...

From: Roman K. <ro...@un...> - 2023-10-06 11:05:20

Hi Sander,

Thank you for reporting the issues, I'll create tickets to cover both of them. We are planning to release them in version 3.14.1.

Kind regards,
Roman

On Thu, 5 Oct 2023 at 09:08, Sander Apweiler <sa....@fz...> wrote:

> Hi Krzysztof,
> hi Roman,
>
> we are testing unity 3.14.0 and encountered a problem. When we create a bulk invitation and one of the email addresses is already a member, unity does not send the invitation. I added the screenshot of the message and the log.
>
> This might create a lot of trouble because users do not always review who is already a member of the project and just send invitations. If they have entered, for example, 20 emails and need to re-enter them because one of them was already a member of the group, that is not satisfying. But to be honest, I'm not sure if we tested this scenario also for older versions.
>
> Also the warning that the email textbox is mandatory if you enter multiple addresses, which is shown until you switch the focus to the next box, is confusing if everything is already correct but not yet checked.
>
> Best regards,
> Sander
>
> --
> Large-Scale Data Science
> Juelich Supercomputing Centre
>
> phone: +49 2461 61 8847
> fax: +49 2461 61 6656
> email: sa....@fz...
>
> -----------------------------------------------------------------------
> Forschungszentrum Juelich GmbH
> 52425 Juelich
> Registered office: Juelich
> Registered in the commercial register of the Dueren Local Court, No. HR B 3498
> Chairman of the Supervisory Board: MinDir Stefan Müller
> Board of Directors: Prof. Dr. Astrid Lambrecht (Chair),
> Karsten Beneke (Deputy Chair), Dr. Ir. Pieter Jansens
> -----------------------------------------------------------------------

From: Sander A. <sa....@fz...> - 2023-10-05 07:08:58

Hi Krzysztof, hi Roman,

we are testing unity 3.14.0 and encountered a problem. When we create a bulk invitation and one of the email addresses is already a member, unity does not send the invitation. I added the screenshot of the message and the log.

This might create a lot of trouble because users do not always review who is already a member of the project and just send invitations. If they have entered, for example, 20 emails and need to re-enter them because one of them was already a member of the group, that is not satisfying. But to be honest, I'm not sure if we tested this scenario also for older versions.

Also the warning that the email textbox is mandatory if you enter multiple addresses, which is shown until you switch the focus to the next box, is confusing if everything is already correct but not yet checked.

Best regards,
Sander

From: Krzysztof B. <kb...@un...> - 2023-09-21 13:33:01

Dear Subscribers,

I'm happy to announce availability of a new Unity release. As always all relevant links are available at https://unity-idm.eu/releases/release-3-14-0/

The 3.14.0 release focuses on performance improvements when operating on large user databases. Besides, some smaller feature requests were implemented and many bugs were addressed.

Performance

Changes should resolve slow:
* inviting multiple users from UpMan
* OAuth tokens listing in Console
* bulk registration requests processing
* loading of registration form

More capable authorization on IdP

A new released data profile action “stopAuthentication” allows for conditional breaking of the authentication flow. The difference from the already present “failAuthentication” action is that the user’s agent is not redirected back to the client with an error response, but instead lands on an embedded Unity “finalization” page, which can be flexibly configured. This feature works the same for both OAuth and SAML IdP endpoints.

Other improvements

* ORCID integration was updated, catching up with ORCID API changes
* Admin can configure the size limit for JSON database dump upload; also the default limit is dynamic, computed based on the server’s available memory.
* Demo/quickstart server certificate was updated
* PostgreSQL-based installations handle JSON dump imports correctly now
* Unity will display the caption configured in the custom layout of a form, also when it is the very first element of the form
* Attributes preset by invitations which were shown in the form are now displayed correctly, w/o metadata.

Best regards,
Krzysztof

From: Krzysztof B. <kb...@un...> - 2023-08-24 09:17:59

Hi Sander,

On 23.08.2023 at 14:15, Sander Apweiler wrote:
> Hi Krzysztof, hi Roman,
> in our new setup we have the requirement that users have only one account, even if they log in via different upstream IdPs. Since LDAP is also one of the identity providers, I do not have a persistent identifier from the home organisation but can only use the email address for this. Of course the email address is a bad choice because it is reused after a retention period if the user leaves the home organisation.
>
> To have the email unique across the users we would need to store it as an identity of the account. Please correct me if I am wrong on this point.

You are correct.

> If a user logs in and there is already an account with the used email address, we want to start the account linking procedure instead of automatically linking the accounts or just giving access because of the same email address. With this step we want to avoid providing access to an old account where the user does not exist anymore and is not yet removed.
>
> By reading the manual and testing I was just able to automatically bind the user to one entity. The second identity from the upstream IdP was not taken into account. So I have at the moment two questions.
>
> 1. Is there a way to configure unity to log the user in if both identities exist at the entity? E.g. username+email for ldap or id+email for others.

Yes, it is: in the input profile you need to set up REQUIRE_MATCH for both identity types required for a given IdP. Then the login will be successful only if both match.

> 2. Is there a way to trigger the account linking if the login provides only one of the stored identities but not a second one?

Unfortunately not. When using REQUIRE_MATCH the failure is critical, i.e. it does not allow associating the remote identity with some local one. We would need a new feature for that.

> I hope you can understand the scenario.

I think more or less yes.

HTH,
Krzysztof

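The matching rule described in this reply, as an added Python model (not Unity code and not part of the original message): a login succeeds only when every required identity type resolves to the same local entity, and any mismatch is a hard failure with no linking. All class, function and identity-type names are hypothetical, and the sample accounts are constructed.

```python
from dataclasses import dataclass, field

# Simplified model, NOT Unity's code: the class and function names below
# are hypothetical and only mirror the behaviour described in the reply.


@dataclass
class Entity:
    entity_id: int
    identities: set = field(default_factory=set)  # {(type, value), ...}


class CriticalMatchFailure(Exception):
    """A required identity did not match; no linking is offered."""


def find_owner(directory, identity):
    """Return the entity that stores this (type, value) identity, or None."""
    for entity in directory:
        if identity in entity.identities:
            return entity
    return None


def login_match_any(directory, remote):
    """Weak policy: the first remote identity that matches decides."""
    for identity in remote:
        owner = find_owner(directory, identity)
        if owner is not None:
            return owner.entity_id
    return None


def login_require_match(directory, remote, required_types):
    """Strict policy: every required identity type must be present and
    all of them must resolve to the same local entity."""
    owners = set()
    for id_type in required_types:
        values = [i for i in remote if i[0] == id_type]
        if not values:
            raise CriticalMatchFailure(f"remote login carries no {id_type}")
        owner = find_owner(directory, values[0])
        if owner is None:
            raise CriticalMatchFailure(f"{id_type} not known locally")
        owners.add(owner.entity_id)
    if len(owners) != 1:
        raise CriticalMatchFailure("identities belong to different entities")
    return owners.pop()


# Constructed sample data: entity 1 belongs to a user who has left the
# home organisation; the address was later reassigned to a new person.
DIRECTORY = [
    Entity(1, {("userName", "old.user"), ("email", "j.doe@example.org")}),
    Entity(2, {("userName", "someone"), ("email", "someone@example.org")}),
]
RETURNING_USER = [("userName", "old.user"), ("email", "j.doe@example.org")]
NEW_OWNER_OF_ADDRESS = [("userName", "new.user"), ("email", "j.doe@example.org")]
REQUIRED = ("userName", "email")


def outcome(remote):
    """Return (match-any result, strict result) for one remote login."""
    try:
        strict = login_require_match(DIRECTORY, remote, REQUIRED)
    except CriticalMatchFailure as exc:
        strict = f"rejected: {exc}"
    return login_match_any(DIRECTORY, remote), strict


if __name__ == "__main__":
    for name, remote in [("returning user", RETURNING_USER),
                         ("new owner of address", NEW_OWNER_OF_ADDRESS)]:
        print(name, outcome(remote))
```

With email as the only matching key, the new holder of a recycled address lands in entity 1; requiring both identities rejects that login, and as the reply notes, the rejection cannot be turned into an account-linking step.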
From: Sander A. <sa....@fz...> - 2023-08-23 12:15:41

Hi Krzysztof, hi Roman,

in our new setup we have the requirement that users have only one account, even if they log in via different upstream IdPs. Since LDAP is also one of the identity providers, I do not have a persistent identifier from the home organisation but can only use the email address for this. Of course the email address is a bad choice because it is reused after a retention period if the user leaves the home organisation.

To have the email unique across the users we would need to store it as an identity of the account. Please correct me if I am wrong on this point.

If a user logs in and there is already an account with the used email address, we want to start the account linking procedure instead of automatically linking the accounts or just giving access because of the same email address. With this step we want to avoid providing access to an old account where the user does not exist anymore and is not yet removed.

By reading the manual and testing I was just able to automatically bind the user to one entity. The second identity from the upstream IdP was not taken into account. So I have at the moment two questions.

1. Is there a way to configure unity to log the user in if both identities exist at the entity? E.g. username+email for ldap or id+email for others.
2. Is there a way to trigger the account linking if the login provides only one of the stored identities but not a second one?

I hope you can understand the scenario.

Best regards,
Sander

From: Sander A. <sa....@fz...> - 2023-08-22 06:24:25

Hi Krzysztof,

thanks for the feedback. We are not sure if we want to use the userhome Endpoint or not. Would this also work during the registration/first time login into unity?

Best regards,
Sander

On Mon, 2023-08-21 at 12:32 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 18.08.2023 at 12:42, Sander Apweiler wrote:
> > Hi Krzysztof, hi Roman,
> > within another project we have a quite difficult use-case for integrating LDAP for authentication in unity. The LDAP has one tree containing the usernames, passwords and an identifier (not equal to the username). Within another tree we have this identifier, email and name of the user.
> >
> > As far as I understood the manual, unity would be able to perform the ldapsearch for the attributes on another tree than the bind call for authentication, but it would require the username in both trees. So this would not fit here.
> >
> > We had two ideas what could work but would need your knowledge to clarify this. The first idea was the mechanism to call an attribute authority after user authentication, like we had in the lifescience use-case in the past. Could we use this feature to perform the second LDAP call after authentication to fetch the user information from the second tree using the identifier?
> >
> > The second idea was fetching the user information from a proprietary API, which already exists. For this we would need to trigger a script, which fetches the information and stores them into unity. Would there be a trigger for a groovy script in the authentication/registration process where we could integrate the script?
>
> The first of your ideas should work. Note that this will work only when in Unity authentication is performed on one of IdP endpoints (SAML or OAuth). But if that is fine (and so you don't need to enrich information about existing user logging into unity directly, like to homeUI), then usage of LDAP importer should be just perfect.
>
> Best,
> Krzysztof

From: Krzysztof B. <kb...@un...> - 2023-08-21 10:32:57

Hi Sander,

On 18.08.2023 at 12:42, Sander Apweiler wrote:
> Hi Krzysztof, hi Roman,
> within another project we have a quite difficult use-case for integrating LDAP for authentication in unity. The LDAP has one tree containing the usernames, passwords and an identifier (not equal to the username). Within another tree we have this identifier, email and name of the user.
>
> As far as I understood the manual, unity would be able to perform the ldapsearch for the attributes on another tree than the bind call for authentication, but it would require the username in both trees. So this would not fit here.
>
> We had two ideas what could work but would need your knowledge to clarify this. The first idea was the mechanism to call an attribute authority after user authentication, like we had in the lifescience use-case in the past. Could we use this feature to perform the second LDAP call after authentication to fetch the user information from the second tree using the identifier?
>
> The second idea was fetching the user information from a proprietary API, which already exists. For this we would need to trigger a script, which fetches the information and stores them into unity. Would there be a trigger for a groovy script in the authentication/registration process where we could integrate the script?

The first of your ideas should work. Note that this will work only when in Unity authentication is performed on one of IdP endpoints (SAML or OAuth). But if that is fine (and so you don't need to enrich information about existing user logging into unity directly, like to homeUI), then usage of LDAP importer should be just perfect.

Best,
Krzysztof

From: Sander A. <sa....@fz...> - 2023-08-18 13:41:16

Hi Krzysztof,

yes it worked for us. Thank you very much.

Sander

On Fri, 2023-08-18 at 15:27 +0200, Sander Apweiler wrote:
> Hi Krzysztof,
> thanks for the swift reply. We will test this.
>
> Best regards,
> Sander
>
> On Fri, 2023-08-18 at 15:19 +0200, Krzysztof Benedyczak wrote:
> > Hi Sander,
> >
> > On 18.08.2023 at 07:37, Sander Apweiler wrote:
> > > Hello again,
> > > ORCID indicated that the error could be caused by this API change:
> > > https://groups.google.com/g/orcid-api-users/c/nl-ZCnsLB_U
> > >
> > > Can we somehow update the URL by the configuration to test it?
> >
> > Yes, and yes.
> >
> > Yes: this is the root cause. I'm opening a ticket to update the orcid OAuth settings. Also we will update Unity to use their latest API.
> >
> > Workaround: add this to your configuration:
> >
> > unity.oauth2.client.providers.orcid.accessTokenEndpoint=https://orcid.org/oauth/token
> >
> > where .orcid. should be your config key of orcid authenticator.
> >
> > Please verify in console if your change was effective.
> >
> > HTH,
> > Krzysztof

From: Sander A. <sa....@fz...> - 2023-08-18 13:27:37

Hi Krzysztof,

thanks for the swift reply. We will test this.

Best regards,
Sander

On Fri, 2023-08-18 at 15:19 +0200, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 18.08.2023 at 07:37, Sander Apweiler wrote:
> > Hello again,
> > ORCID indicated that the error could be caused by this API change:
> > https://groups.google.com/g/orcid-api-users/c/nl-ZCnsLB_U
> >
> > Can we somehow update the URL by the configuration to test it?
>
> Yes, and yes.
>
> Yes: this is the root cause. I'm opening a ticket to update the orcid OAuth settings. Also we will update Unity to use their latest API.
>
> Workaround: add this to your configuration:
>
> unity.oauth2.client.providers.orcid.accessTokenEndpoint=https://orcid.org/oauth/token
>
> where .orcid. should be your config key of orcid authenticator.
>
> Please verify in console if your change was effective.
>
> HTH,
> Krzysztof

From: Krzysztof B. <kb...@un...> - 2023-08-18 13:19:27

Hi Sander,

On 18.08.2023 at 07:37, Sander Apweiler wrote:
> Hello again,
> ORCID indicated that the error could be caused by this API change:
> https://groups.google.com/g/orcid-api-users/c/nl-ZCnsLB_U
>
> Can we somehow update the URL by the configuration to test it?

Yes, and yes.

Yes: this is the root cause. I'm opening a ticket to update the orcid OAuth settings. Also we will update Unity to use their latest API.

Workaround: add this to your configuration:

unity.oauth2.client.providers.orcid.accessTokenEndpoint=https://orcid.org/oauth/token

where .orcid. should be your config key of orcid authenticator.

Please verify in console if your change was effective.

HTH,
Krzysztof

From: Sander A. <sa....@fz...> - 2023-08-18 10:42:28

Hi Krzysztof, hi Roman,

within another project we have a quite difficult use-case for integrating LDAP for authentication in unity. The LDAP has one tree containing the usernames, passwords and an identifier (not equal to the username). Within another tree we have this identifier, email and name of the user.

As far as I understood the manual, unity would be able to perform the ldapsearch for the attributes on another tree than the bind call for authentication, but it would require the username in both trees. So this would not fit here.

We had two ideas what could work but would need your knowledge to clarify this. The first idea was the mechanism to call an attribute authority after user authentication, like we had in the lifescience use-case in the past. Could we use this feature to perform the second LDAP call after authentication to fetch the user information from the second tree using the identifier?

The second idea was fetching the user information from a proprietary API, which already exists. For this we would need to trigger a script, which fetches the information and stores them into unity. Would there be a trigger for a groovy script in the authentication/registration process where we could integrate the script?

Or do you have any other idea for this difficult use-case?

Best regards,
Sander

From: Sander A. <sa....@fz...> - 2023-08-18 05:38:07

Hello again,

ORCID indicated that the error could be caused by this API change:
https://groups.google.com/g/orcid-api-users/c/nl-ZCnsLB_U

Can we somehow update the URL by the configuration to test it?

Best regards,
Sander

On Tue, 2023-08-15 at 13:13 +0200, Sander Apweiler wrote:
> Hi Krzysztof, hi Roman,
> for a few weeks now we have had problems using ORCID as upstream login, without changes in our config. We get the following message if a user tries to log in via ORCID:
>
> unity.server.oauth.OAuth2Verificator: Error received. Contents: {"error":"unauthorized","error_description":"An Authentication object was not found in the SecurityContext"}
>
> Following the error description I found exchanges where setting data type to "x-www-form-urlencoded" solved the issue. I tried to look in unity code if this is already done, but I didn't find it in source.
>
> Do you know this problem already? We can reproduce this on different unity instances, all running 3.11.2.
>
> Best regards,
> Sander

From: Krzysztof B. <kb...@un...> - 2023-08-15 11:26:06

Dear Subscribers,

While we are mostly focused on the major Unity 4 release, a small bugfix update was published. It includes two fixes, the most notable one is related to FIDO regression introduced in 3.13.0 (plus general FIDO improvements are here).

https://unity-idm.eu/releases/release-3-13-1/

Best regards,
Krzysztof

From: Sander A. <sa....@fz...> - 2023-08-15 11:13:55

Hi Krzysztof, hi Roman,

for a few weeks now we have had problems using ORCID as upstream login, without changes in our config. We get the following message if a user tries to log in via ORCID:

unity.server.oauth.OAuth2Verificator: Error received. Contents: {"error":"unauthorized","error_description":"An Authentication object was not found in the SecurityContext"}

Following the error description I found exchanges where setting data type to "x-www-form-urlencoded" solved the issue. I tried to look in unity code if this is already done, but I didn't find it in source.

Do you know this problem already? We can reproduce this on different unity instances, all running 3.11.2.

Best regards,
Sander

From: Sander A. <sa....@fz...> - 2023-08-10 13:24:58

Hi Piotr,

we tested today on 3.13 and there we were not able to reproduce the problem. So it seems that it was solved in some update after 3.11.2.

Best regards,
Sander

On Thu, 2023-08-10 at 14:27 +0200, Piotr Piernik wrote:
> Hi Sander,
> I tried to reproduce this problem but unfortunately without success. Can you please add an example of this registration form? (Or error from log)
>
> The only thing I was able to reproduce is the error shown below:
>
> Best regards,
> Piotr
>
> On 09.08.2023 at 15:37, Sander Apweiler wrote:
> > Hi Krzysztof, hi Roman,
> > we found, from our point of view, a bug in unity 3.11.2. If the remote IdP provides all attributes and the user needs to confirm policies only, the registration form is not shown. The registration fails because the policies were not accepted. When we are using form opt-ins instead of the policy, the registration form is shown and the user can accept them. From our point of view the policy agreement should be handled in the same way as the form opt-ins, and the registration form should be shown to the users even if only policy agreement is needed.
> >
> > Best regards,
> > Sander

From: Piotr P. <pio...@gm...> - 2023-08-10 12:27:17

Hi Sander,

I tried to reproduce this problem but unfortunately without success. Can you please add an example of this registration form? (Or error from log)

The only thing I was able to reproduce is the error shown below:

Best regards,
Piotr

On 09.08.2023 at 15:37, Sander Apweiler wrote:
> Hi Krzysztof, hi Roman,
> we found, from our point of view, a bug in unity 3.11.2. If the remote IdP provides all attributes and the user needs to confirm policies only, the registration form is not shown. The registration fails because the policies were not accepted. When we are using form opt-ins instead of the policy, the registration form is shown and the user can accept them. From our point of view the policy agreement should be handled in the same way as the form opt-ins, and the registration form should be shown to the users even if only policy agreement is needed.
>
> Best regards,
> Sander

From: Krzysztof B. <kb...@un...> - 2023-08-10 07:57:30

Hi Sander,

On 9.08.2023 at 15:37, Sander Apweiler wrote:
> Hi Krzysztof, hi Roman,
> we found, from our point of view, a bug in unity 3.11.2. If the remote IdP provides all attributes and the user needs to confirm policies only, the registration form is not shown. The registration fails because the policies were not accepted. When we are using form opt-ins instead of the policy, the registration form is shown and the user can accept them. From our point of view the policy agreement should be handled in the same way as the form opt-ins, and the registration form should be shown to the users even if only policy agreement is needed.

This indeed sounds like a bug. Ticket opened, we will investigate.

Thank you,
Krzysztof

From: Sander A. <sa....@fz...> - 2023-08-09 13:38:02

Hi Krzysztof, hi Roman,

we found, from our point of view, a bug in unity 3.11.2. If the remote IdP provides all attributes and the user needs to confirm policies only, the registration form is not shown. The registration fails because the policies were not accepted. When we are using form opt-ins instead of the policy, the registration form is shown and the user can accept them. From our point of view the policy agreement should be handled in the same way as the form opt-ins, and the registration form should be shown to the users even if only policy agreement is needed.

Best regards,
Sander

From: Sander A. <sa....@fz...> - 2023-08-09 04:32:18
|
Good morning Roman,

thanks for your answer. We will try in the next days and come back if we have problems.

Best regards,
Sander

On Tue, 2023-08-08 at 16:50 +0200, Roman Krysiński wrote:
> Hi Sander,
>
> Sorry to be long in my reply, the answer to your question is YES, it
> is possible.
> The easiest way to see the desired configuration file content, is to
> create a database dump with the "System configuration" part (Console
> -> Maintenance -> Backup & Restore) and search for the configuration
> of the endpoint from the screenshot. I've made similar configuration
> for console and here is the relevant json part for this endpoint:
>
> {
>   "_updateTS" : 1691505258138,
>   "obj" : {
>     "name" : "Console",
>     "typeId" : "WebConsoleUI",
>     "contextAddress" : "/console",
>     "configuration" : {
>       "displayedName" : {
>         "Map" : {
>           "pl" : "Interfejs administracyjny Unity"
>         },
>         "DefaultValue" : "UNITY console administration interface"
>       },
>       "description" : "",
>       "authenticationOptions" : [ "pwdSys", "pwdComposite",
> "certFlow1", "smsAndPass", "cert", "ldap", "ldapDN", "saml", "oauth",
> "fido" ],
>       "configuration" : "#\n#Tue Aug 08 16:34:18 CEST
> 2023\nunity.endpoint.web.authnScreenShowSearch=false\nunity.endpoint.
> web.authnScreenColumn.1.columnContents=saml._entryFromMetadata_2bd764
> 8301d749818fa038b51bf7f235+1. pwdSys _SEPARATOR fido _SEPARATOR cert
> _SEPARATOR pwdComposite _SEPARATOR _SEPARATOR ldap _SEPARATOR
> _REGISTER\nunity.endpoint.web.authnScreenTitle=title of
> page\nunity.endpoint.web.authnScreenColumn.1.columnTitle.en=Local
> authentication\nunity.endpoint.web.externalRegistrationURL=https\\://
> www.wp.pl\nunity.endpoint.web.productionMode=false\nunity.endpoint.we
> b.authnScreenColumn.2.columnTitle.pl=Zdalne
> logowanie\nunity.endpoint.web.authnScreenTitle.en=title of
> page\nunity.endpoint.web.authnScreenOptionsLabel.1.text.en=separator\
> nunity.endpoint.web.showRegistrationFormsInHeader=false\nunity.endpoi
> nt.web.authnScreenShowAllOptions=false\nunity.endpoint.web.authnLastO
> ptionOnlyLayout=_LAST_USED _SEPARATOR_1
> _EXPAND\nunity.endpoint.web.authnShowLastOptionOnly=false\nunity.endp
> oint.web.authnGrid.1.gridContents=saml\nunity.endpoint.web.authnScree
> nLogo=https\\://m.media-amazon.com/images/I/91-
> Db4L6xjL.png\nunity.endpoint.web.authnScreenOptionsLabel.1.text=separ
> ator\nunity.endpoint.web.authnScreenColumn.1.columnTitle.pl=Lokalne
> metody\nunity.endpoint.web.authnGrid.1.gridRows=50\nunity.endpoint.we
> b.compactCredentialReset=true\nunity.endpoint.web.authnScreenColumn.2
> .columnWidth=21\nunity.endpoint.web.authnScreenColumn.1.columnWidth=2
> 1\nunity.endpoint.web.enableRegistration=false\nunity.endpoint.web.au
> thnTheme=unityThemeValo\nunity.endpoint.web.authnScreenColumn.2.colum
> nContents=_GRID_1
> oauth\nunity.endpoint.web.authnScreenColumn.2.columnTitle=\\
> \nunity.endpoint.web.authnScreenColumn.1.columnTitle=Local
> authentication\nunity.endpoint.web.mainTheme=unityThemeValo\nunity.en
> dpoint.web.authnScreenShowCancel=false\nunity.endpoint.web.template=d
> efault.ftl\nunity.endpoint.web.autoLogin=false\n",
>       "realm" : "admin",
>       "tag" : "yFWk6n2n7mcMeks+eH/YkqEg/WaqCg25HaLHE6/Xs84="
>     },
>     "revision" : 20,
>     "status" : "DEPLOYED"
>   }
> }
>
> When you refactor the "configuration.configuration" json part,
> meaning replace "\n" to a new line we will get the information about
> columnContents to put into your file:
>
> unity.endpoint.web.authnScreenColumn.1.columnContents=saml._entryFrom
> Metadata_2bd7648301d749818fa038b51bf7f235+1. pwdSys _SEPARATOR fido
> _SEPARATOR cert _SEPARATOR pwdComposite _SEPARATOR _SEPARATOR ldap
> _SEPARATOR _REGISTER
>
> Please let me know if that answers your question.
>
> Cheers,
> Roman
>
> Mon, 31 Jul 2023 at 14:35 Sander Apweiler <sa....@fz...>
> wrote:
> > Hi Krzysztof, hi Roman,
> > using the UI, I can configure the Authentication for the endpoints
> > having singleAuthN with IdPs from federation metadata. I attached a
> > screenshot with a test. Can I somehow do this via
> > configuration
> > files as well?
> >
> > Best regards,
> > Sander
> >

--
Large-Scale Data Science
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren district court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Stefan Müller
Management Board: Prof. Dr. Astrid Lambrecht (Chair), Karsten Beneke (Deputy Chair), Dr. Ir. Pieter Jansens
-----------------------------------------------------------------------
-----------------------------------------------------------------------
|
From: Roman K. <ro...@un...> - 2023-08-08 14:51:05
|
Hi Sander,

Sorry to be long in my reply, the answer to your question is YES, it is possible.
The easiest way to see the desired configuration file content is to create a database dump with the "System configuration" part (Console -> Maintenance -> Backup & Restore) and search for the configuration of the endpoint from the screenshot. I've made a similar configuration for the console and here is the relevant json part for this endpoint:

{
  "_updateTS" : 1691505258138,
  "obj" : {
    "name" : "Console",
    "typeId" : "WebConsoleUI",
    "contextAddress" : "/console",
    "configuration" : {
      "displayedName" : {
        "Map" : {
          "pl" : "Interfejs administracyjny Unity"
        },
        "DefaultValue" : "UNITY console administration interface"
      },
      "description" : "",
      "authenticationOptions" : [ "pwdSys", "pwdComposite", "certFlow1", "smsAndPass", "cert", "ldap", "ldapDN", "saml", "oauth", "fido" ],
      "configuration" : "#\n#Tue Aug 08 16:34:18 CEST 2023\nunity.endpoint.web.authnScreenShowSearch=false\nunity.endpoint.web.authnScreenColumn.1.columnContents=saml._entryFromMetadata_2bd7648301d749818fa038b51bf7f235+1. pwdSys _SEPARATOR fido _SEPARATOR cert _SEPARATOR pwdComposite _SEPARATOR _SEPARATOR ldap _SEPARATOR _REGISTER\nunity.endpoint.web.authnScreenTitle=title of page\nunity.endpoint.web.authnScreenColumn.1.columnTitle.en=Local authentication\nunity.endpoint.web.externalRegistrationURL=https\\://www.wp.pl\nunity.endpoint.web.productionMode=false\nunity.endpoint.web.authnScreenColumn.2.columnTitle.pl=Zdalne logowanie\nunity.endpoint.web.authnScreenTitle.en=title of page\nunity.endpoint.web.authnScreenOptionsLabel.1.text.en=separator\nunity.endpoint.web.showRegistrationFormsInHeader=false\nunity.endpoint.web.authnScreenShowAllOptions=false\nunity.endpoint.web.authnLastOptionOnlyLayout=_LAST_USED _SEPARATOR_1 _EXPAND\nunity.endpoint.web.authnShowLastOptionOnly=false\nunity.endpoint.web.authnGrid.1.gridContents=saml\nunity.endpoint.web.authnScreenLogo=https\\://m.media-amazon.com/images/I/91-Db4L6xjL.png\nunity.endpoint.web.authnScreenOptionsLabel.1.text=separator\nunity.endpoint.web.authnScreenColumn.1.columnTitle.pl=Lokalne metody\nunity.endpoint.web.authnGrid.1.gridRows=50\nunity.endpoint.web.compactCredentialReset=true\nunity.endpoint.web.authnScreenColumn.2.columnWidth=21\nunity.endpoint.web.authnScreenColumn.1.columnWidth=21\nunity.endpoint.web.enableRegistration=false\nunity.endpoint.web.authnTheme=unityThemeValo\nunity.endpoint.web.authnScreenColumn.2.columnContents=_GRID_1 oauth\nunity.endpoint.web.authnScreenColumn.2.columnTitle=\\ \nunity.endpoint.web.authnScreenColumn.1.columnTitle=Local authentication\nunity.endpoint.web.mainTheme=unityThemeValo\nunity.endpoint.web.authnScreenShowCancel=false\nunity.endpoint.web.template=default.ftl\nunity.endpoint.web.autoLogin=false\n",
      "realm" : "admin",
      "tag" : "yFWk6n2n7mcMeks+eH/YkqEg/WaqCg25HaLHE6/Xs84="
    },
    "revision" : 20,
    "status" : "DEPLOYED"
  }
}

When you refactor the "configuration.configuration" json part, meaning replace "\n" with a new line, we will get the information about columnContents to put into your file:

unity.endpoint.web.authnScreenColumn.1.columnContents=saml._entryFromMetadata_2bd7648301d749818fa038b51bf7f235+1. pwdSys _SEPARATOR fido _SEPARATOR cert _SEPARATOR pwdComposite _SEPARATOR _SEPARATOR ldap _SEPARATOR _REGISTER

Please let me know if that answers your question.

Cheers,
Roman

Mon, 31 Jul 2023 at 14:35 Sander Apweiler <sa....@fz...> wrote:
> Hi Krzysztof, hi Roman,
> using the UI, I can configure the Authentication for the endpoints
> having singleAuthN with IdPs from federation metadata. I attached a
> screenshot with a test. Can I somehow do this via configuration
> files as well?
>
> Best regards,
> Sander
>
> --
> Federated Systems and Data
> Juelich Supercomputing Centre
>
> phone: +49 2461 61 8847
> fax: +49 2461 61 6656
> email: sa....@fz...
>
> -----------------------------------------------------------------------
> -----------------------------------------------------------------------
> Forschungszentrum Juelich GmbH
> 52425 Juelich
> Registered office: Juelich
> Registered in the commercial register of the Dueren district court, No. HR B 3498
> Chairman of the Supervisory Board: MinDir Stefan Müller
> Management Board: Prof. Dr.-Ing. Wolfgang Marquardt (Chair),
> Karsten Beneke (Deputy Chair), Dr. Ir. Pieter Jansens,
> Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior
> -----------------------------------------------------------------------
> -----------------------------------------------------------------------
>
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
>
|
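The decoding step described in the message above (take the endpoint entry from the dump and turn the nested "configuration.configuration" string back into properties lines), as an added example that is not part of the original message or of Unity's own code. The sample entry is constructed and shortened, the `_entryFromMetadata_EXAMPLE` key and the example.org URL are placeholders, and the helper names and the cross-check against authenticationOptions are assumptions.

```python
import json
import re

# Constructed sample in the shape of the dump entry quoted above; values are
# shortened and the metadata entry key and URL are placeholders.
SAMPLE_ENTRY = r'''
{"obj": {"name": "Console", "typeId": "WebConsoleUI", "configuration": {
  "authenticationOptions": ["pwdSys", "saml"],
  "configuration": "#\n#Tue Aug 08 16:34:18 CEST 2023\nunity.endpoint.web.authnScreenColumn.1.columnContents=saml._entryFromMetadata_EXAMPLE+1. pwdSys _SEPARATOR ldap _REGISTER\nunity.endpoint.web.externalRegistrationURL=https\\://idp.example.org\nunity.endpoint.web.enableRegistration=false\n",
  "realm": "admin"}}}
'''

def property_lines(entry):
    """Split the embedded properties string into lines, dropping comments."""
    raw = entry["obj"]["configuration"]["configuration"]  # json.loads already decoded \n
    return [l for l in raw.splitlines() if l.strip() and l.lstrip()[0] not in "#!"]

def parse_properties(entry):
    """Simplified .properties parsing: split at the first '=', undo backslash
    escapes such as '\\:'. Line continuations and \\uXXXX are not handled."""
    props = {}
    for line in property_lines(entry):
        key, _, value = line.partition("=")
        props[key.strip()] = re.sub(r"\\(.)", r"\1", value.lstrip())
    return props

def column_contents(entry):
    """Map each authnScreenColumn number to its list of layout tokens."""
    pat = re.compile(r"unity\.endpoint\.web\.authnScreenColumn\.(\d+)\.columnContents$")
    return {int(m.group(1)): v.split()
            for k, v in parse_properties(entry).items() if (m := pat.match(k))}

def unlisted_authenticators(entry):
    """Assumption: tokens starting with '_' are layout keywords, and the part of
    any other token before the first '.' names an authenticator of the endpoint."""
    enabled = set(entry["obj"]["configuration"]["authenticationOptions"])
    used = {tok.split(".")[0] for toks in column_contents(entry).values()
            for tok in toks if not tok.startswith("_")}
    return sorted(used - enabled)

if __name__ == "__main__":
    entry = json.loads(SAMPLE_ENTRY)
    print("\n".join(property_lines(entry)))  # lines to paste into the endpoint file
    print(column_contents(entry))
    print("not in authenticationOptions:", unlisted_authenticators(entry))
```

The lines returned by `property_lines` keep their original escaping, so they can be copied into the endpoint's properties file unchanged.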
From: Sander A. <sa....@fz...> - 2023-07-31 12:35:31
|
Hi Krzysztof, hi Roman,

using the UI, I can configure the Authentication for the endpoints having singleAuthN with IdPs from federation metadata. I attached a screenshot with a test. Can I somehow do this via configuration files as well?

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren district court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Stefan Müller
Management Board: Prof. Dr.-Ing. Wolfgang Marquardt (Chair), Karsten Beneke (Deputy Chair), Dr. Ir. Pieter Jansens, Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior
-----------------------------------------------------------------------
-----------------------------------------------------------------------
|
From: Laura H. <l....@fz...> - 2023-07-26 17:07:55
|
Hi Krzysztof,

yes, we are now in the process of testing 3.13.

Best regards,
Laura

On 26.07.23 at 16:31, Krzysztof Benedyczak wrote:
> Hi Laura,
>
> On 26.07.2023 at 13:17, Laura Hofer wrote:
>> Hi Krzysztof,
>>
>> we wanted to recreate the error, but it seems to be working now. The
>> application error does not appear anymore.
>
> Does it mean that you can now successfully run 3.13 (or at least are
> progressing with testing it)?
>
> Best,
> Krzysztof
>

--
Juelich Supercomputing Centre
Institute for Advanced Simulation
Forschungszentrum Juelich GmbH
52425 Juelich, Germany

E-Mail: l....@fz...
Phone: +49 2461 61-6576
Fax: +49 2461 61-6656

-----------------------------------------------------------------------
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren district court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Stefan Müller
Management Board: Prof. Dr.-Ing. Wolfgang Marquardt (Chair), Karsten Beneke (Deputy Chair), Dr. Ir. Pieter Jansens, Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior
-----------------------------------------------------------------------
-----------------------------------------------------------------------
|
From: Krzysztof B. <kb...@un...> - 2023-07-26 14:31:37
|
Hi Laura,

On 26.07.2023 at 13:17, Laura Hofer wrote:
> Hi Krzysztof,
>
> we wanted to recreate the error, but it seems to be working now. The
> application error does not appear anymore.

Does it mean that you can now successfully run 3.13 (or at least are progressing with testing it)?

Best,
Krzysztof
|