From: Krzysztof B. <kb...@un...> - 2024-02-12 15:28:30

Hi Sander,

On 2.02.2024 at 11:37, Sander Apweiler wrote:
> Hi Krzysztof,
> hi Roman,
>
> a few months ago we contacted you because of the long time to load content
> in unity. At some of this you made some fixes and it is working faster.
> But some are still worse. Accepting an invitation does take several
> minutes or end up in time outs. We did not yet update to 3.15. which
> could make it better.

Unfortunately I wouldn't expect improvements in 3.15 for the invitation acceptance part. AFAIR this aspect was not investigated from a performance standpoint so far. Can you please provide some details on that? This is certainly something that should be both possible and hopefully easy to fix, we just need a way to reproduce and understand the problem. Any detail will be useful:

1. structure & size of directory
2. what form? (enquiry/reg?) what invitation?

> Switching in Console Endpoints takes several minutes. Might the size of
> our userbase (25k accounts, 100 groups, 37 attribute statements) cause
> some of these delays?

Hmm. You mean switching groups in Console -> directory or something different? In general this can be slow, but rather not "several minutes" on such a setup, but rather "up to a minute". For comparison: with a similar size of data base (of course not precisely, just a range) switching to show the '/' group on my instance takes below 5 seconds.

We have plans to address these scalability problems, maybe one of the priorities after we release v4. But that's a bigger change.

So "several minutes" in this context sounds bad (some DB problems? very slow machine? running at the edge of free memory? or some performance bug related to some completely other aspect of your setup than number of users). Can you please clarify if we talk about switching groups or something else? And if yes - enable debug/trace for some time in not busy hours and see what the performance stats are when changing the group?

Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2024-02-02 10:37:27

Hi Krzysztof,
hi Roman,

a few months ago we contacted you because of the long time to load content in unity. At some of this you made some fixes and it is working faster. But some are still worse. Accepting an invitation does take several minutes or end up in time outs. We did not yet update to 3.15. which could make it better.

Switching in Console Endpoints takes several minutes. Might the size of our userbase (25k accounts, 100 groups, 37 attribute statements) cause some of these delays?

Best regards,
Sander

--
Large-Scale Data Science
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren local court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Stefan Müller
Management: Prof. Dr. Astrid Lambrecht (Chair), Karsten Beneke (Deputy Chair), Dr. Ir. Pieter Jansens
-----------------------------------------------------------------------
From: Sander A. <sa....@fz...> - 2024-01-26 06:30:57

Good morning Krzysztof,
thanks for the feedback.

Best regards,
Sander

On Thu, 2024-01-25 at 17:56 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 23.01.2024 at 10:02, Sander Apweiler wrote:
> > Good morning Krzysztof,
> > good morning Roman,
> >
> > since PKCE is recommended for confidential clients as well, I wonder if
> > unity supports this for confidential clients, too?
>
> That was never tested a lot but should work. It is only not possible to
> enforce PKCE for confidential clients: it is opt in. However, if during
> the first OAuth stage (authzCode) PKCE code challenge is used, PKCE will
> be enforced later on.
>
> Best,
> Krzysztof
From: Sander A. <sa....@fz...> - 2024-01-26 06:30:14

Good morning Krzysztof,
yes this is right. In this case the users used the link of an invitation, selected the home organisation, authenticated there, came back to unity and got the error displayed. In the log files I saw all attributes were sent by the home organisation. Instead of showing the form and only asking for the acceptance of policies, the error was shown.

Best regards,
Sander

On Thu, 2024-01-25 at 17:58 +0100, Krzysztof Benedyczak wrote:
> On 25.01.2024 at 08:02, Sander Apweiler wrote:
> > Dear Krzysztof,
> > dear Roman,
> >
> > We encountered a problem in the user registration. If the IdP provides
> > all mandatory information, the form is not shown and the user can not
> > accept the mandatory policies. Instead only the "Form error Mandatory
> > policy agreement is not accepted" error message.
> >
> > Is this the intended behaviour?
>
> No, of course not. We will try to replicate that and fix.
>
> Just to ensure I understand the flow: you are using a reg form with
> remote registration method, after returning from the remote IdP it is
> expected that Unity will show the form merely to ask about policy
> acceptance, and here we have the issue. Is it about right?
>
> Thanks for the heads up,
> Krzysztof
From: Krzysztof B. <kb...@un...> - 2024-01-25 16:58:57

On 25.01.2024 at 08:02, Sander Apweiler wrote:
> Dear Krzysztof,
> dear Roman,
>
> We encountered a problem in the user registration. If the IdP provides
> all mandatory information, the form is not shown and the user can not
> accept the mandatory policies. Instead only the "Form error Mandatory
> policy agreement is not accepted" error message.
>
> Is this the intended behaviour?

No, of course not. We will try to replicate that and fix.

Just to ensure I understand the flow: you are using a reg form with remote registration method, after returning from the remote IdP it is expected that Unity will show the form merely to ask about policy acceptance, and here we have the issue. Is it about right?

Thanks for the heads up,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2024-01-25 16:56:27

Hi Sander,

On 23.01.2024 at 10:02, Sander Apweiler wrote:
> Good morning Krzysztof,
> good morning Roman,
>
> since PKCE is recommended for confidential clients as well, I wonder if
> unity supports this for confidential clients, too?

That was never tested a lot but should work. It is only not possible to enforce PKCE for confidential clients: it is opt in. However, if during the first OAuth stage (authzCode) PKCE code challenge is used, PKCE will be enforced later on.

Best,
Krzysztof
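As an added illustration of the opt-in PKCE behaviour described in the reply above (not Unity's code and not part of the original thread): a toy authorization server that does not force PKCE on a confidential client, but binds the authorization code to the code_challenge whenever one was sent and then demands a matching code_verifier at the token endpoint. The RFC 7636 S256 transform, the client-authentication check and single-use codes are the assumptions it makes.

```python
import base64
import hashlib
import hmac
import secrets


def make_code_verifier(nbytes=32):
    """RFC 7636 code_verifier: 43..128 unreserved chars; 32 random bytes
    base64url-encoded without padding gives exactly 43."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier):
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthzServer:
    """Toy authorization server (illustration only, not Unity's implementation).
    PKCE is opt-in per authorization request: a code issued without a
    code_challenge can be redeemed without a verifier, but a code issued with
    one can only be redeemed with the matching code_verifier."""

    def __init__(self):
        self._codes = {}  # authorization code -> {"client_id", "challenge"}

    def authorize(self, client_id, code_challenge=None, code_challenge_method=None):
        """Authorization endpoint (stage 1). Returns the authorization code."""
        if code_challenge is not None and code_challenge_method != "S256":
            raise ValueError("only the S256 code_challenge_method is accepted")
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": client_id, "challenge": code_challenge}
        return code

    def token(self, client_id, client_authenticated, code, code_verifier=None):
        """Token endpoint (stage 2). Returns (granted, reason)."""
        record = self._codes.pop(code, None)  # codes are single use, even on failure
        if not client_authenticated:
            return False, "invalid_client: client authentication failed"
        if record is None or record["client_id"] != client_id:
            return False, "invalid_grant: unknown, replayed or foreign code"
        if record["challenge"] is None:
            return True, "granted: no PKCE bound to this code"
        if code_verifier is None:
            return False, "invalid_grant: code_verifier required for PKCE-bound code"
        # Constant-time comparison of the recomputed challenge with the stored one.
        if not hmac.compare_digest(make_code_challenge(code_verifier), record["challenge"]):
            return False, "invalid_grant: code_verifier does not match code_challenge"
        return True, "granted: PKCE verified"


def run_scenarios():
    """Exercise the cases that matter for the opt-in policy; returns {name: granted}."""
    srv = AuthzServer()
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    results = {}

    code = srv.authorize("confidential-app", challenge, "S256")
    results["pkce_ok"] = srv.token("confidential-app", True, code, verifier)[0]
    results["replay"] = srv.token("confidential-app", True, code, verifier)[0]

    code = srv.authorize("confidential-app", challenge, "S256")
    results["pkce_missing_verifier"] = srv.token("confidential-app", True, code)[0]

    code = srv.authorize("confidential-app", challenge, "S256")
    results["pkce_wrong_verifier"] = srv.token("confidential-app", True, code, make_code_verifier())[0]

    code = srv.authorize("confidential-app")  # client opted out of PKCE
    results["no_pkce_opt_in"] = srv.token("confidential-app", True, code)[0]
    return results


if __name__ == "__main__":
    for name, granted in run_scenarios().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```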
From: Sander A. <sa....@fz...> - 2024-01-25 07:02:30

Dear Krzysztof,
dear Roman,

We encountered a problem in the user registration. If the IdP provides all mandatory information, the form is not shown and the user can not accept the mandatory policies. Instead only the "Form error Mandatory policy agreement is not accepted" error message.

Is this the intended behaviour?

Best regards,
Sander
From: Sander A. <sa....@fz...> - 2024-01-23 09:02:27

Good morning Krzysztof,
good morning Roman,

since PKCE is recommended for confidential clients as well, I wonder if unity supports this for confidential clients, too?

Best regards,
Sander
From: Krzysztof B. <kb...@un...> - 2024-01-10 13:52:46

Hi Sander,

On 9.01.2024 at 14:21, Sander Apweiler wrote:
> Hi Krzysztof,
> hi Roman,
>
> we are trying to add Splunk as a SP using SAML. Splunk shows an error
> about missing NotBefore field in assertion. Investigating the assertion
> confirms this. NotBefore is missing but NotOnOrAfter is present. Is
> this just an error in our configuration or does unity not send the
> NotBefore?

AFAIR we don't set NotBefore - this is an optional attribute.

Best,
Krzysztof
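As an added example (not part of the thread and not Unity's or Splunk's code), the check an SP should make on <saml:Conditions> so that an assertion carrying NotOnOrAfter but no NotBefore, as described above, is accepted: NotBefore is optional in SAML 2.0 Core and only constrains the lower bound when present, while the AudienceRestriction required by the Web Browser SSO profile is still enforced. The issuer, audience and timestamps are constructed placeholders, and the three-minute clock skew is an assumed tolerance.

```python
import datetime as dt
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
OUR_ENTITY_ID = "https://sp.example.org/saml/acs"  # placeholder SP identifier


def parse_saml_instant(value):
    """SAML xs:dateTime values are UTC with a trailing 'Z'; fromisoformat needs '+00:00'."""
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_conditions(assertion_xml, now, expected_audience, skew=dt.timedelta(minutes=3)):
    """Validate <saml:Conditions> as a tolerant SP should. Returns (ok, reason).

    NotBefore and NotOnOrAfter are both optional in SAML 2.0 Core, so an absent
    NotBefore means 'no lower bound', not a malformed assertion. AudienceRestriction
    is required by the Web Browser SSO profile, so its absence is rejected.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "no Conditions element, cannot check audience"

    not_before = cond.get("NotBefore")
    if not_before is not None and now + skew < parse_saml_instant(not_before):
        return False, "not yet valid: NotBefore is in the future"

    not_on_or_after = cond.get("NotOnOrAfter")
    if not_on_or_after is not None and now - skew >= parse_saml_instant(not_on_or_after):
        return False, "expired: NotOnOrAfter has passed"

    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS) if a.text]
    if expected_audience not in audiences:
        return False, "audience restriction does not name this SP"

    bound = "NotBefore present" if not_before else "NotBefore absent, no lower bound"
    return True, f"valid ({bound})"


def build_assertion(not_on_or_after, not_before=None, audience=OUR_ENTITY_ID):
    """Constructed sample assertion (placeholder issuer, audience and ID; not real data)."""
    nb = f' NotBefore="{not_before}"' if not_before else ""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-09T13:00:00Z">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <saml:Conditions{nb} NotOnOrAfter="{not_on_or_after}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def evaluate(now_iso, not_on_or_after, not_before=None, audience=OUR_ENTITY_ID):
    """Convenience wrapper taking ISO strings: (ok, reason) for the constructed assertion."""
    xml = build_assertion(not_on_or_after, not_before, audience)
    return check_conditions(xml, parse_saml_instant(now_iso), OUR_ENTITY_ID)


if __name__ == "__main__":
    # Only NotOnOrAfter set, the shape discussed in the thread: accepted while in window.
    print(evaluate("2024-01-09T13:02:00Z", "2024-01-09T13:05:00Z"))
    print(evaluate("2024-01-09T13:10:00Z", "2024-01-09T13:05:00Z"))
```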
From: Sander A. <sa....@fz...> - 2024-01-09 13:21:22

Hi Krzysztof,
hi Roman,

we are trying to add Splunk as a SP using SAML. Splunk shows an error about missing NotBefore field in assertion. Investigating the assertion confirms this. NotBefore is missing but NotOnOrAfter is present. Is this just an error in our configuration or does unity not send the NotBefore?

Best regards,
Sander
From: Krzysztof B. <kb...@un...> - 2024-01-08 11:14:14

Hi Sander,

On 4.01.2024 at 08:53, Sander Apweiler wrote:
> Good morning Krzysztof,
> good morning Roman,
> We encountered a problem in SCIM import. When we want to import our
> exported schema from December, unity shows an "Unrecognized fileId
> type" error. I'm not sure what causes the problem, but the schema was
> working.

So we have the following situation that there are 2 file formats in here:

1. SCIM schema (standard one)
2. Unity schema configuration, including the schema and its mapping onto Unity directory.

The "Import" action in console only supports #1. At the same time the "export" option in console there produces #2.

Files #2 with schema and its mapping can be used when configuring endpoint from a file:

unity.endpoint.scim.schemasFile.1=...

The export of #2 was added at the end and indeed we haven't caught that now it is asymmetric and not intuitive. We should be able to fix that by supporting the import from console of both formats. Anyway for now the file you have needs to be loaded through endpoint's configuration.

HTH,
Krzysztof
From: Sander A. <sa....@fz...> - 2024-01-04 08:35:35

Good morning Krzysztof,
good morning Roman,
happy new year, too!

Yes this helps and should be no problem for our use-case. I need to adapt my testing case, only.

Best regards,
Sander

On Tue, 2024-01-02 at 11:28 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 21.12.2023 at 14:23, Sander Apweiler wrote:
> > Hi Bernd,
> > in this case I got missing HTTP Basic Auth Header errors.
>
> I just noticed that we miss one important aspect of authN in case of
> accessing SCIM with OAuth token in the docs: as it was requested, access
> using the OAuth token also requires client's authN. I.e. you need to
> provide 2 authorizations: both client's credential and the token.
>
> Naturally we can develop a simpler variant (configurable on the
> endpoint) but as of now this is the only option. We will improve the
> docs.
>
> So in order to authenticate you need to provide both Basic authN header
> (with OAuth client's credentials, the same as were used to obtain access
> token) and Bearer header with the OAuth access token.
>
> Hope that helps, and happy new year!
> Krzysztof
From: Sander A. <sa....@fz...> - 2024-01-04 07:53:17

Good morning Krzysztof,
good morning Roman,

We encountered a problem in SCIM import. When we want to import our exported schema from December, unity shows an "Unrecognized fileId type" error. I'm not sure what causes the problem, but the schema was working.

Best regards,
Sander
From: Krzysztof B. <kb...@un...> - 2024-01-02 10:29:09

Hi Sander,

On 21.12.2023 at 14:23, Sander Apweiler wrote:
> Hi Bernd,
> in this case I got missing HTTP Basic Auth Header errors.

I just noticed that we miss one important aspect of authN in case of accessing SCIM with OAuth token in the docs: as it was requested, access using the OAuth token also requires client's authN. I.e. you need to provide 2 authorizations: both client's credential and the token.

Naturally we can develop a simpler variant (configurable on the endpoint) but as of now this is the only option. We will improve the docs.

So in order to authenticate you need to provide both Basic authN header (with OAuth client's credentials, the same as were used to obtain access token) and Bearer header with the OAuth access token.

Hope that helps, and happy new year!
Krzysztof
From: Sander A. <sa....@fz...> - 2023-12-21 13:24:32

Hi Bernd,
in this case I got missing HTTP Basic Auth Header errors.

Best regards,
Sander

On Thu, 2023-12-21 at 14:19 +0100, Bernd Schuller wrote:
> hi,
>
> I'm pretty sure that should be
>
> -H "Authorization: Bearer $TOKEN"
>
> best regards,
> Bernd
>
> On 12/21/23 13:44, Sander Apweiler wrote:
> > Hi Krzysztof,
> > I created a new authenticator (OAuth 2 verifying local tokens) and
> > added the scopes oidc profile email entitlements sys:scim:read_profile
> > sys:scim:read_membership. I added this authenticator to the SCIM API as
> > well.
> >
> > I generated an OIDC token using the oidc-agent and the same scopes. But
> > using curl https://login-dev.helmholtz.de/scim/Me -H "Authorization:
> > Basic $TOKEN", I got Bad Request and unity logs has a null pointer
> > exception (stacktrace is attached). Did I forget to add some
> > configuration in addition? Using username/password on the SCIM API
> > works.
> >
> > Best regards,
> > Sander
> >
> > On Wed, 2023-12-20 at 12:56 +0100, Krzysztof Benedyczak wrote:
> > > Hi Sander,
> > >
> > > On 20.12.2023 at 08:41, Sander Apweiler wrote:
> > > > Good morning,
> > > > while reading the manual once again, I found the error in our schema
> > > > file. It works fine.
> > >
> > > good to hear that
> > >
> > > > Since only the administrators have username/password, we want to enable
> > > > Oauth tokens for the SCIM API. Do we need to create an authenticator
> > > > which is using unity itself for validating the tokens?
> > >
> > > Yes. It is not strictly required, but most likely this is what you
> > > want.
> > >
> > > Do not forget about granting proper authZ with OAuth scopes (as
> > > described in manual).
> > >
> > > Best,
> > > Krzysztof
> >
> > _______________________________________________
> > Unity-idm-discuss mailing list
> > Uni...@li...
> > https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
From: Bernd S. <b.s...@fz...> - 2023-12-21 13:19:56

hi,

I'm pretty sure that should be

-H "Authorization: Bearer $TOKEN"

best regards,
Bernd

On 12/21/23 13:44, Sander Apweiler wrote:
> Hi Krzysztof,
> I created a new authenticator (OAuth 2 verifying local tokens) and
> added the scopes oidc profile email entitlements sys:scim:read_profile
> sys:scim:read_membership. I added this authenticator to the SCIM API as
> well.
>
> I generated an OIDC token using the oidc-agent and the same scopes. But
> using curl https://login-dev.helmholtz.de/scim/Me -H "Authorization:
> Basic $TOKEN", I got Bad Request and unity logs has a null pointer
> exception (stacktrace is attached). Did I forget to add some
> configuration in addition? Using username/password on the SCIM API
> works.
>
> Best regards,
> Sander
>
> On Wed, 2023-12-20 at 12:56 +0100, Krzysztof Benedyczak wrote:
>> Hi Sander,
>>
>> On 20.12.2023 at 08:41, Sander Apweiler wrote:
>>> Good morning,
>>> while reading the manual once again, I found the error in our schema
>>> file. It works fine.
>>
>> good to hear that
>>
>>> Since only the administrators have username/password, we want to enable
>>> Oauth tokens for the SCIM API. Do we need to create an authenticator
>>> which is using unity itself for validating the tokens?
>>
>> Yes. It is not strictly required, but most likely this is what you
>> want.
>>
>> Do not forget about granting proper authZ with OAuth scopes (as
>> described in manual).
>>
>> Best,
>> Krzysztof
>
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss

--
Dr. Bernd Schuller
Large Scale Data Science, Juelich Supercomputing Centre
https://www.fz-juelich.de/ias/jsc/EN/Home/home_node.html
Phone: +49 246161-8736 (fax -8556)
From: Sander A. <sa....@fz...> - 2023-12-21 12:44:59

Hi Krzysztof,
I created a new authenticator (OAuth 2 verifying local tokens) and added the scopes oidc profile email entitlements sys:scim:read_profile sys:scim:read_membership. I added this authenticator to the SCIM API as well.

I generated an OIDC token using the oidc-agent and the same scopes. But using curl https://login-dev.helmholtz.de/scim/Me -H "Authorization: Basic $TOKEN", I got Bad Request and unity logs has a null pointer exception (stacktrace is attached). Did I forget to add some configuration in addition? Using username/password on the SCIM API works.

Best regards,
Sander

On Wed, 2023-12-20 at 12:56 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 20.12.2023 at 08:41, Sander Apweiler wrote:
> > Good morning,
> > while reading the manual once again, I found the error in our schema
> > file. It works fine.
>
> good to hear that
>
> > Since only the administrators have username/password, we want to enable
> > Oauth tokens for the SCIM API. Do we need to create an authenticator
> > which is using unity itself for validating the tokens?
>
> Yes. It is not strictly required, but most likely this is what you
> want.
>
> Do not forget about granting proper authZ with OAuth scopes (as
> described in manual).
>
> Best,
> Krzysztof
From: Krzysztof B. <kb...@un...> - 2023-12-21 10:21:08

Dear Subscribers,
I'm happy to announce that we have managed to ship yet another feature
increment of Unity before X-mas.
The 3.15.0 release is focusing on improving functionality of UpMan –
Unity projects management feature. Two notable enhancements are shipped:
* Possibility to bind policy documents to a project. Policy documents
are auto-added to project join forms.
* Significant update and enhancements of the initial version of the
REST API to manage projects. API client can now manage forms used by
the project. Forms content is subject to constraints ensuring that
registered users can not escalate their permissions outside of the
project. What is more, management of project policy documents over
the API is also possible.
All details, links to change log, downloads and documentation are
available from: https://unity-idm.eu/releases/release-3-15-0/
As previously announced we hope to deliver the 4.0.0 release in Q1 next
year. At this point there are no plans of subsequent 3.x feature releases.
Best regards,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2023-12-20 11:57:08

Hi Sander,

On 20.12.2023 at 08:41, Sander Apweiler wrote:
> Good morning,
> while reading the manual once again, I found the error in our schema
> file. It works fine.

good to hear that

> Since only the administrators have username/password, we want to enable
> Oauth tokens for the SCIM API. Do we need to create an authenticator
> which is using unity itself for validating the tokens?

Yes. It is not strictly required, but most likely this is what you want.

Do not forget about granting proper authZ with OAuth scopes (as described in manual).

Best,
Krzysztof
From: Sander A. <sa....@fz...> - 2023-12-20 07:41:25

Good morning,
while reading the manual once again, I found the error in our schema
file. It works fine.
Since only the administrators have username/password, we want to enable
Oauth tokens for the SCIM API. Do we need to create an authenticator
which is using unity itself for validating the tokens?
Best regards,
Sander

On Tue, 2023-12-19 at 14:40 +0100, Sander Apweiler wrote:
> Hi Krzysztof,
> hi Roman,
>
> we spent some additional time to setup the SCIM API. While creating the
> common User schema, we found an issue. For the multi-valued attribute
> "entitlements" unity releases the correct number of values, but it only
> repeats the first one. Is there an error in our schema definition or is
> this a bug?
>
> I added the schema and a screenshot of the attribute values. The
> shortened output is:
>
> {"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
>  "id":"89b91130-8a11-4cef-9f51-ff5308fd8261",
>  "meta":{"resourceType":"User","created":"2018-02-27T14:09:50Z","lastModified":"2018-02-27T14:09:50Z",
>          "location":"https://login-dev.helmholtz.de/scim/Users/89b91130-8a11-4cef-9f51-ff5308fd8261"},
>  "urn:ietf:params:scim:schemas:core:2.0:User":{...,
>    "entitlements":[{"value":"urn:geant:helmholtz.de:group:demoVO#login-dev.helmholtz.de"},
>                    {"value":"urn:geant:helmholtz.de:group:demoVO#login-dev.helmholtz.de"},
>                    {"value":"urn:geant:helmholtz.de:group:demoVO#login-dev.helmholtz.de"}]}}
>
> Best regards,
> Sander
From: Sander A. <sa....@fz...> - 2023-12-19 13:40:24

Hi Krzysztof,
hi Roman,
we spent some additional time to setup the SCIM API. While creating the
common User schema, we found an issue. For the multi-valued attribute
"entitlements" unity releases the correct number of values, but it only
repeats the first one. Is there an error in our schema definition or is
this a bug?
I added the schema and a screenshot of the attribute values. The
shortened output is:

{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
 "id":"89b91130-8a11-4cef-9f51-ff5308fd8261",
 "meta":{"resourceType":"User","created":"2018-02-27T14:09:50Z","lastModified":"2018-02-27T14:09:50Z",
         "location":"https://login-dev.helmholtz.de/scim/Users/89b91130-8a11-4cef-9f51-ff5308fd8261"},
 "urn:ietf:params:scim:schemas:core:2.0:User":{...,
   "entitlements":[{"value":"urn:geant:helmholtz.de:group:demoVO#login-dev.helmholtz.de"},
                   {"value":"urn:geant:helmholtz.de:group:demoVO#login-dev.helmholtz.de"},
                   {"value":"urn:geant:helmholtz.de:group:demoVO#login-dev.helmholtz.de"}]}}

Best regards,
Sander
From: Sander A. <sa....@fz...> - 2023-12-14 11:48:56
|
Hi Krzysztof, they are empty as well. But I found the reason. In registration forms they use different credential requirements, although neigther SAML not OIDC authentication uses local credentials in the registration form. So I would need to update the default credential requirements in the automation tab and update all OIDC based accounts. Best regards, Sander On Thu, 2023-12-14 at 09:22 +0100, Krzysztof Benedyczak wrote: > W dniu 14.12.2023 o 09:20, Sander Apweiler pisze: > > Hi Krzysztof, > > no I'm not in the same entity ID, but I do not want to be in the > > same > > one. The first one was autogenerated via OIDC authN at ORCID and > > the > > second one vie SAML authN at FZJ. But the problem is, that I see > > the > > local credentials (esp. OTP) only in the second one. > > OK, but can you double check, if for the entity that signed via OIDC > you > have those local credentials set (i.e. find that entity in console > and > list credentials)? > > -- Large-Scale Data Science Juelich Supercomputing Centre phone: +49 2461 61 8847 fax: +49 2461 61 6656 email: sa....@fz... ----------------------------------------------------------------------- ----------------------------------------------------------------------- Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Stefan Müller Geschaeftsfuehrung: Prof. Dr. Astrid Lambrecht (Vorsitzende), Karsten Beneke (stellv. Vorsitzender), Dr. Ir. Pieter Jansens ----------------------------------------------------------------------- ----------------------------------------------------------------------- |
From: Krzysztof B. <kb...@un...> - 2023-12-14 08:23:05
On 14.12.2023 at 09:20, Sander Apweiler wrote:
> Hi Krzysztof,
> no I'm not in the same entity ID, but I do not want to be in the same
> one. The first one was autogenerated via OIDC authN at ORCID and the
> second one via SAML authN at FZJ. But the problem is, that I see the
> local credentials (esp. OTP) only in the second one.

OK, but can you double check, if for the entity that signed via OIDC you have those local credentials set (i.e. find that entity in console and list credentials)?
From: Sander A. <sa....@fz...> - 2023-12-14 08:21:00
Hi Krzysztof,

no I'm not in the same entity ID, but I do not want to be in the same one. The first one was autogenerated via OIDC authN at ORCID and the second one via SAML authN at FZJ. But the problem is, that I see the local credentials (esp. OTP) only in the second one.

Best regards,
Sander

On Thu, 2023-12-14 at 09:17 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 13.12.2023 at 16:33, Sander Apweiler wrote:
> > Hi Krzysztof,
> > hi Roman,
> > we found an issue which looks like a bug. We set up MFA, using OTP,
> > some time ago and most of the time it works well. But now a user reported a
> > problem, we do not understand. When we sign into the home endpoint
> > using OIDC (tested with Google and ORCID), the local credentials are not
> > shown (see first screenshot). If we sign in, using SAML, the local
> > credentials are shown. The logs do not show any error.
>
> From the provided screenshots I can't tell one thing. Are you 100% sure
> that in both cases you have signed in as the same Unity entity? This looks
> like in the OIDC case you are signing into some (e.g. autocreated) other
> entity which simply has no local creds.
>
> Best,
> Krzysztof
From: Krzysztof B. <kb...@un...> - 2023-12-14 08:17:43
Hi Sander,

On 13.12.2023 at 16:33, Sander Apweiler wrote:
> Hi Krzysztof,
> hi Roman,
> we found an issue which looks like a bug. We set up MFA, using OTP,
> some time ago and most of the time it works well. But now a user reported a
> problem, we do not understand. When we sign into the home endpoint
> using OIDC (tested with Google and ORCID), the local credentials are not
> shown (see first screenshot). If we sign in, using SAML, the local
> credentials are shown. The logs do not show any error.

From the provided screenshots I can't tell one thing. Are you 100% sure that in both cases you have signed in as the same Unity entity? This looks like in the OIDC case you are signing into some (e.g. autocreated) other entity which simply has no local creds.

Best,
Krzysztof